rpms/selinux-policy/F-7 policy-20070501.patch, 1.84, 1.85 selinux-policy.spec, 1.513, 1.514
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Dec 27 01:16:43 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11931
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Tue Dec 25 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-66
- Allow mail delivery to append to apache logs.
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -r1.84 -r1.85
--- policy-20070501.patch 21 Dec 2007 07:58:15 -0000 1.84
+++ policy-20070501.patch 27 Dec 2007 01:16:34 -0000 1.85
@@ -2512,7 +2512,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-10-18 17:13:23.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-12-21 11:13:05.000000000 -0500
@@ -45,7 +45,6 @@
/etc -d gen_context(system_u:object_r:etc_t,s0)
/etc/.* gen_context(system_u:object_r:etc_t,s0)
@@ -2539,7 +2539,15 @@
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -249,3 +250,7 @@
+@@ -239,7 +240,6 @@
+
+ /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+ /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
+-/var/run/.*\.*pid <<none>>
+
+ /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+ /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+@@ -249,3 +249,7 @@
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
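Review bot: The inner hunk `@@ -239,7 +240,6 @@` added here drops `/var/run/.*\.*pid <<none>>` from files.fc, but neither the 2.6.4-65 nor the 2.6.4-66 %changelog entry mentions it. With that entry gone, pid files presumably fall under `/var/run/.*` and receive var_run_t on a relabel unless their own module carries a more specific entry, so a relabel can now change labels it previously left alone. A changelog line such as `- Remove <<none>> file context for /var/run pid files` would record the change. The same omission applies to the `/dev/drbd[^/]*` entry added to storage.fc in the next hunk and to the `application_exec` block added to apache.te further down.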
@@ -3331,8 +3339,16 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.6.4/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/storage.fc 2007-10-18 17:12:50.000000000 -0400
-@@ -23,6 +23,7 @@
++++ serefpolicy-2.6.4/policy/modules/kernel/storage.fc 2007-12-21 10:02:54.000000000 -0500
+@@ -12,6 +12,7 @@
+ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
+@@ -23,6 +24,7 @@
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -3340,7 +3356,7 @@
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
-@@ -38,6 +39,7 @@
+@@ -38,6 +40,7 @@
')
/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -3348,7 +3364,7 @@
/dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
-@@ -49,9 +51,9 @@
+@@ -49,9 +52,9 @@
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -3896,7 +3912,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-27 09:57:52.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-12-26 19:16:45.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(apache,1.6.0)
@@ -4082,7 +4098,16 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -463,6 +526,18 @@
+@@ -459,10 +522,27 @@
+ ')
+
+ optional_policy(`
++ application_exec(httpd_t)
++ application_exec(httpd_sys_script_t)
++')
++
++optional_policy(`
+ calamaris_read_www_files(httpd_t)
')
optional_policy(`
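Review bot: The new `optional_policy` block calls `application_exec(httpd_t)` and `application_exec(httpd_sys_script_t)` unconditionally, while the shell-execution rule in the context lines just above is gated by the `httpd_ssi_exec` tunable. The definition of `application_exec` is not on this page; if it lets the caller run application executables without a domain transition, it widens what a compromised httpd or CGI script can execute in its own domain, with no boolean to switch it off. Consider placing the two calls behind a tunable, or at least adding a why-comment above the block, e.g. `# needed for <bug or AVC reference>` (placeholder).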
@@ -4101,7 +4126,7 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
-@@ -486,7 +561,6 @@
+@@ -486,7 +566,6 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -4109,7 +4134,7 @@
')
optional_policy(`
-@@ -506,6 +580,7 @@
+@@ -506,6 +585,7 @@
')
optional_policy(`
@@ -4117,7 +4142,7 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -606,6 +681,10 @@
+@@ -606,6 +686,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -4128,7 +4153,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -668,6 +747,12 @@
+@@ -668,6 +752,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -4141,7 +4166,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -685,18 +770,6 @@
+@@ -685,18 +775,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -4160,7 +4185,7 @@
########################################
#
# Apache system script local policy
-@@ -706,7 +779,8 @@
+@@ -706,7 +784,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -4170,7 +4195,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,21 +794,64 @@
+@@ -720,21 +799,64 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -4240,7 +4265,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -754,14 +871,8 @@
+@@ -754,14 +876,8 @@
# Apache unconfined script local policy
#
@@ -4256,7 +4281,7 @@
')
########################################
-@@ -784,7 +895,19 @@
+@@ -784,7 +900,19 @@
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -7493,7 +7518,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.6.4/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/hal.te 2007-10-05 09:47:20.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/hal.te 2007-12-21 10:08:53.000000000 -0500
@@ -61,8 +61,6 @@
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;
@@ -7503,7 +7528,15 @@
manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
# log files for hald
-@@ -115,6 +113,9 @@
+@@ -88,6 +86,7 @@
+ kernel_rw_irq_sysctls(hald_t)
+ kernel_rw_vm_sysctls(hald_t)
+ kernel_write_proc_files(hald_t)
++kernel_setsched(hald_t)
+
+ auth_read_pam_console_data(hald_t)
+
+@@ -115,6 +114,9 @@
dev_rw_power_management(hald_t)
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
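Review bot: `kernel_setsched(hald_t)` is added without a comment, and the changelog text "Allow hald to setsched" reads as if hald only changes its own scheduling. The interface name suggests the target is kernel_t processes rather than hald_t itself (its definition is not on this page), which would be a broader grant than `allow hald_t self:process setsched;`. A why-comment in the style of the nearby `# hal is now execing pm-suspend` would help, e.g. `# hald changes scheduling of kernel threads (confirm against the AVC)`.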
@@ -7513,7 +7546,7 @@
domain_use_interactive_fds(hald_t)
domain_read_all_domains_state(hald_t)
-@@ -132,6 +133,7 @@
+@@ -132,6 +134,7 @@
files_create_boot_flag(hald_t)
files_getattr_all_dirs(hald_t)
files_read_kernel_img(hald_t)
@@ -7521,7 +7554,7 @@
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
-@@ -170,6 +172,7 @@
+@@ -170,6 +173,7 @@
libs_exec_ld_so(hald_t)
libs_exec_lib_files(hald_t)
@@ -7529,7 +7562,7 @@
logging_send_syslog_msg(hald_t)
logging_search_logs(hald_t)
-@@ -180,6 +183,7 @@
+@@ -180,6 +184,7 @@
seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
@@ -7537,7 +7570,7 @@
sysnet_read_config(hald_t)
-@@ -192,6 +196,7 @@
+@@ -192,6 +197,7 @@
')
optional_policy(`
@@ -7545,7 +7578,7 @@
alsa_read_rw_config(hald_t)
')
-@@ -301,7 +306,10 @@
+@@ -301,7 +307,10 @@
corecmd_exec_bin(hald_acl_t)
dev_getattr_all_chr_files(hald_acl_t)
@@ -7556,7 +7589,7 @@
dev_setattr_sound_dev(hald_acl_t)
dev_setattr_generic_usb_dev(hald_acl_t)
dev_setattr_usbfs_files(hald_acl_t)
-@@ -341,6 +349,8 @@
+@@ -341,6 +350,8 @@
files_read_usr_files(hald_mac_t)
@@ -8013,7 +8046,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.6.4/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.if 2007-12-02 21:56:29.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/mta.if 2007-12-25 07:45:39.000000000 -0500
@@ -87,6 +87,8 @@
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
@@ -8108,7 +8141,15 @@
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
-@@ -449,11 +486,13 @@
+@@ -433,6 +470,7 @@
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets($1)
+ apache_dontaudit_rw_sys_script_stream_sockets($1)
++ apache_append_log($1)
+ ')
+ ')
+
+@@ -449,11 +487,13 @@
interface(`mta_send_mail',`
gen_require(`
attribute mta_user_agent;
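Review bot: `apache_append_log($1)` is an allow rule placed directly under the comment `# apache should set close-on-exec`, next to two `apache_dontaudit_rw_*` calls that only silence leaked descriptors. If the denial comes from a log descriptor inherited from httpd, a dontaudit rule would keep the mail domain unable to write to web logs. Granting append lets a process that handles mail content add lines to the Apache logs, which matters for log integrity. If the allow is intended, a separate comment saying why would set it apart from the close-on-exec workarounds, e.g. `# mail run from CGI inherits the httpd log fd; append is required` (wording to be confirmed). The enclosing interface and optional block start outside the hunk.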
@@ -8125,7 +8166,7 @@
allow $1 system_mail_t:fd use;
allow system_mail_t $1:fd use;
-@@ -847,6 +886,25 @@
+@@ -847,6 +887,25 @@
manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.513
retrieving revision 1.514
diff -u -r1.513 -r1.514
--- selinux-policy.spec 21 Dec 2007 07:58:15 -0000 1.513
+++ selinux-policy.spec 27 Dec 2007 01:16:34 -0000 1.514
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 64%{?dist}
+Release: 66%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -363,6 +363,12 @@
%endif
%changelog
+* Tue Dec 25 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-66
+- Allow mail delivery to append to apache logs.
+
+* Fri Dec 21 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-65
+- Allow hald to setsched
+
* Thu Dec 20 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-64
- Allow fsadm_t to read file_t