rpms/selinux-policy/F-7 policy-20070501.patch, 1.28, 1.29 selinux-policy.spec, 1.473, 1.474

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Jul 2 01:43:31 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24492

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Wed Jun 27 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-24
- Allow udev to transition to fstools domain.


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- policy-20070501.patch	26 Jun 2007 10:17:42 -0000	1.28
+++ policy-20070501.patch	2 Jul 2007 01:43:25 -0000	1.29
@@ -649,7 +649,7 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.6.4/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/rpm.if	2007-06-21 09:36:31.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/rpm.if	2007-07-01 20:44:17.000000000 -0400
 @@ -211,6 +211,24 @@
  
  ########################################
@@ -706,7 +706,7 @@
  ')
  
  ########################################
-@@ -290,3 +329,65 @@
+@@ -290,3 +329,85 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -772,6 +772,26 @@
 +
 +	dontaudit $1 rpm_tmp_t:file rw_file_perms;
 +')
++
++########################################
++## <summary>
++##	Do not audit attempts to read, 
++##	write RPM shm
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`rpm_dontaudit_rw_shm',`
++	gen_require(`
++		type rpm_t;
++	')
++
++	dontaudit $1 rpm_t:shm rw_shm_perms;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.6.4/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-05-07 14:51:05.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/admin/rpm.te	2007-06-18 10:18:55.000000000 -0400
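Review bot: The new `rpm_dontaudit_rw_shm` interface — and its only caller, the `optional_policy` block added to xserver.te further down in this patch — silences rpm_t:shm denials for the X server without recording which workload produced them. A dontaudit removes the only evidence of that access, so the interface body should carry a one-line comment naming the trigger, e.g. `# silenced for xdm_xserver_t: <triggering scenario / bug id placeholder>`. The summary line `##	Do not audit attempts to read, ` also ends in trailing whitespace and reads better as `Do not audit attempts to read or write RPM shm`.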
@@ -2036,7 +2056,7 @@
  # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.6.4/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if	2007-07-01 21:12:58.000000000 -0400
 @@ -1096,6 +1096,24 @@
  
  ########################################
@@ -3003,7 +3023,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-2.6.4/policy/modules/services/apcupsd.te
 --- nsaserefpolicy/policy/modules/services/apcupsd.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te	2007-06-25 06:31:10.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te	2007-06-27 08:41:08.000000000 -0400
 @@ -16,6 +16,9 @@
  type apcupsd_log_t;
  logging_log_file(apcupsd_log_t)
@@ -3014,15 +3034,16 @@
  type apcupsd_var_run_t;
  files_pid_file(apcupsd_var_run_t)
  
-@@ -24,6 +27,7 @@
+@@ -24,6 +27,8 @@
  # apcupsd local policy
  #
  
++allow apcupsd_t self:capability sys_tty_config;
 +allow apcupsd_t self:process signal;
  allow apcupsd_t self:fifo_file rw_file_perms;
  allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
  allow apcupsd_t self:tcp_socket create_stream_socket_perms;
-@@ -35,16 +39,23 @@
+@@ -35,16 +40,23 @@
  manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t)
  logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
  
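Review bot: `allow apcupsd_t self:capability sys_tty_config;` is added with no comment explaining which apcupsd operation needs it, and capability grants are the lines a later audit will question first. A short comment above the rule naming the operation that triggered the denial, e.g. `# sys_tty_config: <operation — confirm against the AVC>`, would keep it from being quietly widened later. The enclosing apcupsd local-policy block continues outside this hunk.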
@@ -3048,7 +3069,7 @@
  
  dev_rw_generic_usb_dev(apcupsd_t)
  
-@@ -54,6 +65,12 @@
+@@ -54,6 +66,12 @@
  files_read_etc_files(apcupsd_t)
  files_search_locks(apcupsd_t)
  
@@ -3061,7 +3082,7 @@
  libs_use_ld_so(apcupsd_t)
  libs_use_shared_libs(apcupsd_t)
  
-@@ -61,7 +78,39 @@
+@@ -61,7 +79,39 @@
  
  miscfiles_read_localization(apcupsd_t)
  
@@ -4192,8 +4213,16 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.6.4/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ftp.te	2007-06-19 09:01:13.000000000 -0400
-@@ -156,6 +156,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/ftp.te	2007-06-26 07:23:48.000000000 -0400
+@@ -88,6 +88,7 @@
+ allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
+ allow ftpd_t self:tcp_socket create_stream_socket_perms;
+ allow ftpd_t self:udp_socket create_socket_perms;
++allow ftpd_t self:key { search write link };
+ 
+ allow ftpd_t ftpd_etc_t:file read_file_perms;
+ 
+@@ -156,6 +157,7 @@
  
  auth_use_nsswitch(ftpd_t)
  auth_domtrans_chk_passwd(ftpd_t)
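Review bot: `allow ftpd_t self:key { search write link };` grants ftpd write and link access on its own kernel keyring with no comment; the nearby `#kerberized ftp requires the following` context suggests Kerberos credential handling, but that is inferred from the surrounding lines rather than stated. Suggest a comment above the rule naming the feature, and a check that `write` and `link` were both observed in the denial rather than only `search`, since each one you can drop narrows what a compromised ftpd can do with keys.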
@@ -4201,15 +4230,16 @@
  # Append to /var/log/wtmp.
  auth_append_login_records(ftpd_t)
  #kerberized ftp requires the following
-@@ -168,6 +169,7 @@
+@@ -167,6 +169,8 @@
+ libs_use_ld_so(ftpd_t)
  libs_use_shared_libs(ftpd_t)
  
- logging_send_syslog_msg(ftpd_t)
 +logging_send_audit_msg(ftpd_t)
++logging_set_loginuid(ftpd_t)
+ logging_send_syslog_msg(ftpd_t)
  
  miscfiles_read_localization(ftpd_t)
- miscfiles_read_public_files(ftpd_t)
-@@ -223,10 +225,15 @@
+@@ -223,10 +227,15 @@
  	userdom_manage_all_users_home_content_dirs(ftpd_t)
  	userdom_manage_all_users_home_content_files(ftpd_t)
  	userdom_manage_all_users_home_content_symlinks(ftpd_t)
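Review bot: `logging_set_loginuid(ftpd_t)` lets the daemon set the audit login UID of its sessions, and together with the existing `logging_send_audit_msg(ftpd_t)` this looks like the PAM-login pattern, but the hunk does not say so. A comment such as `# pam session setup: ftpd sets loginuid and emits audit records` (adjusted to whatever actually drives it) would document why an FTP server needs an audit-integrity permission. The rest of the ftpd policy lies outside this hunk.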
@@ -5002,7 +5032,7 @@
  	corenet_tcp_connect_portmap_port($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.6.4/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/nis.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/nis.te	2007-06-28 07:22:22.000000000 -0400
 @@ -120,6 +120,13 @@
  ')
  
@@ -5017,7 +5047,15 @@
  	seutil_sigchld_newrole(ypbind_t)
  ')
  
-@@ -161,8 +168,8 @@
+@@ -132,6 +139,7 @@
+ # yppasswdd local policy
+ #
+ 
++allow yppasswdd_t self:capability dac_override;
+ dontaudit yppasswdd_t self:capability sys_tty_config;
+ allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
+ allow yppasswdd_t self:process { setfscreate signal_perms };
+@@ -161,8 +169,8 @@
  corenet_udp_sendrecv_all_ports(yppasswdd_t)
  corenet_tcp_bind_all_nodes(yppasswdd_t)
  corenet_udp_bind_all_nodes(yppasswdd_t)
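Review bot: `allow yppasswdd_t self:capability dac_override;` is a broad DAC bypass added without a comment; it lets the daemon ignore file mode bits on anything its type-enforcement rules already permit. If the underlying denial was only for reading a root-owned file, the narrower `dac_read_search` capability may be enough — worth confirming against the original AVC before shipping the wider grant. Either way a comment naming the file or operation that needed it belongs above the rule.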
@@ -5028,7 +5066,7 @@
  corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
  corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
  corenet_sendrecv_generic_server_packets(yppasswdd_t)
-@@ -258,6 +265,8 @@
+@@ -258,6 +266,8 @@
  corenet_udp_bind_all_nodes(ypserv_t)
  corenet_tcp_bind_reserved_port(ypserv_t)
  corenet_udp_bind_reserved_port(ypserv_t)
@@ -5037,7 +5075,7 @@
  corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
  corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
  corenet_sendrecv_generic_server_packets(ypserv_t)
-@@ -332,6 +341,8 @@
+@@ -332,6 +342,8 @@
  corenet_udp_bind_all_nodes(ypxfr_t)
  corenet_tcp_bind_reserved_port(ypxfr_t)
  corenet_udp_bind_reserved_port(ypxfr_t)
@@ -6993,12 +7031,24 @@
 +/usr/lib64/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.6.4/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/squid.te	2007-06-18 10:18:55.000000000 -0400
-@@ -185,3 +185,12 @@
- #squid requires the following when run in diskd mode, the recommended setting
- allow squid_t tmpfs_t:file { read write };
- ') dnl end TODO
-+
++++ serefpolicy-2.6.4/policy/modules/services/squid.te	2007-07-01 21:13:51.000000000 -0400
+@@ -108,6 +108,8 @@
+ 
+ fs_getattr_all_fs(squid_t)
+ fs_search_auto_mountpoints(squid_t)
++#squid requires the following when run in diskd mode, the recommended setting
++fs_rw_tmpfs_files(squid_t)
+ 
+ selinux_dontaudit_getattr_dir(squid_t)
+ 
+@@ -181,7 +183,11 @@
+ 	udev_read_db(squid_t)
+ ')
+ 
+-ifdef(`TODO',`
+-#squid requires the following when run in diskd mode, the recommended setting
+-allow squid_t tmpfs_t:file { read write };
+-') dnl end TODO
 +optional_policy(`
 +	apache_content_template(squid)
 +	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
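Review bot: Moving the diskd tmpfs access out of the TODO block also changes its scope: the removed rule was `allow squid_t tmpfs_t:file { read write };`, while `fs_rw_tmpfs_files(squid_t)` is an interface whose permission set is defined elsewhere and is presumably the broader rw_file_perms — confirm the extra permissions are intended. The preserved comment says the access is only needed in diskd mode, yet the new call is unconditional; wrapping it in a `tunable_policy` boolean would let administrators who do not run diskd keep tmpfs out of squid's reach.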
@@ -7147,7 +7197,7 @@
 +miscfiles_read_certs(httpd_w3c_validator_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/xserver.if	2007-06-22 14:12:37.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/xserver.if	2007-07-01 20:41:45.000000000 -0400
 @@ -83,6 +83,8 @@
  	manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t)
  	logging_log_filetrans($1_xserver_t,xserver_log_t,file)
@@ -7176,6 +7226,25 @@
  ')
  
  ########################################
+@@ -1325,3 +1330,4 @@
+ 	files_search_tmp($1)
+ 	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
+ ')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.6.4/policy/modules/services/xserver.te
+--- nsaserefpolicy/policy/modules/services/xserver.te	2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/xserver.te	2007-07-01 20:45:41.000000000 -0400
+@@ -448,6 +448,10 @@
+ 	rhgb_rw_tmpfs_files(xdm_xserver_t)
+ ')
+ 
++optional_policy(`
++	rpm_dontaudit_rw_shm(xdm_xserver_t)
++')
++
+ ifdef(`TODO',`
+ # Need to further investigate these permissions and
+ # perhaps define derived types.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.fc serefpolicy-2.6.4/policy/modules/system/application.fc
 --- nsaserefpolicy/policy/modules/system/application.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-2.6.4/policy/modules/system/application.fc	2007-06-18 10:18:55.000000000 -0400
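Review bot: The xserver.if hunk `@@ -1325,3 +1330,4 @@` only appends an empty line after the final `')`, which is a stray whitespace change unrelated to the fix and should be dropped from the patch. The xserver.te addition itself is correctly guarded by `optional_policy`; the reason for silencing the rpm_t shm denial is raised on the rpm.if hunk above and not repeated here.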
@@ -8782,7 +8851,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-06-19 09:43:34.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-07-01 20:53:22.000000000 -0400
 @@ -9,6 +9,13 @@
  ifdef(`targeted_policy',`
  ## <desc>
@@ -8820,7 +8889,25 @@
  
  allow mount_t mount_loopback_t:file read_file_perms;
  allow mount_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -130,10 +142,15 @@
+@@ -53,6 +65,8 @@
+ kernel_read_system_state(mount_t)
+ kernel_read_kernel_sysctls(mount_t)
+ kernel_dontaudit_getattr_core_if(mount_t)
++kernel_search_debugfs(mount_t)
++kernel_read_unlabeled_state(mount_t)
+ 
+ dev_getattr_all_blk_files(mount_t)
+ dev_list_all_dev_nodes(mount_t)
+@@ -103,6 +117,8 @@
+ init_use_fds(mount_t)
+ init_use_script_ptys(mount_t)
+ init_dontaudit_getattr_initctl(mount_t)
++init_stream_connect_script(mount_t)
++init_rw_script_stream_sockets(mount_t)
+ 
+ libs_use_ld_so(mount_t)
+ libs_use_shared_libs(mount_t)
+@@ -130,10 +146,15 @@
  ')
  
  ifdef(`targeted_policy',`
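Review bot: Four new interface calls are added to mount_t (`kernel_search_debugfs`, `kernel_read_unlabeled_state`, `init_stream_connect_script`, `init_rw_script_stream_sockets`) without any comment on what mount does that needs them. `kernel_read_unlabeled_state(mount_t)` deserves particular explanation, since by its name it grants read access to objects the policy has no label for, and the better fix is sometimes to label those objects rather than to let mount read them. A comment per group naming the triggering operation or bug would make the widening reviewable.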
@@ -8837,7 +8924,7 @@
  	')
  ')
  
-@@ -204,4 +221,58 @@
+@@ -204,4 +225,58 @@
  ifdef(`targeted_policy',`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -9257,7 +9344,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/udev.te	2007-06-22 11:40:29.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/udev.te	2007-06-28 07:20:40.000000000 -0400
 @@ -18,11 +18,6 @@
  type udev_etc_t alias etc_udev_t;
  files_config_file(udev_etc_t)
@@ -9281,7 +9368,7 @@
  
  kernel_read_system_state(udev_t)
  kernel_getattr_core_if(udev_t)
-@@ -83,16 +79,22 @@
+@@ -83,16 +79,23 @@
  kernel_dgram_send(udev_t)
  kernel_signal(udev_t)
  
@@ -9296,6 +9383,7 @@
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
 +dev_search_usbfs_dirs(udev_t)
++dev_relabel_all_dev_nodes(udev_t)
  
  domain_read_all_domains_state(udev_t)
  domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
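Review bot: `dev_relabel_all_dev_nodes(udev_t)` gives udev in-domain relabel rights over every device-node type (inferred from the interface name), while the same file already transitions udev to restorecon for relabelling — `seutil_domtrans_restorecon(udev_t)` is visible as context in the next hunk. If udev now relabels directly, one of the two paths is likely redundant, and a comment stating which program or udev rule performs the relabel would let a reviewer judge whether the broad grant can be narrowed.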
@@ -9304,7 +9392,7 @@
  files_read_etc_runtime_files(udev_t)
  files_read_etc_files(udev_t)
  files_exec_etc_files(udev_t)
-@@ -142,8 +144,14 @@
+@@ -142,8 +145,14 @@
  seutil_read_file_contexts(udev_t)
  seutil_domtrans_restorecon(udev_t)
  
@@ -9319,7 +9407,18 @@
  
  userdom_use_sysadm_ttys(udev_t)
  userdom_dontaudit_search_all_users_home_content(udev_t)
-@@ -194,5 +202,24 @@
+@@ -184,6 +193,10 @@
+ ')
+ 
+ optional_policy(`
++	fstools_domtrans(udev_t)
++')
++
++optional_policy(`
+ 	hal_dgram_send(udev_t)
+ ')
+ 
+@@ -194,5 +207,24 @@
  ')
  
  optional_policy(`
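Review bot: `fstools_domtrans(udev_t)` matches the changelog entry, but the hunk gives no hint of which udev helper executes an fstools program, and fstools_t is a domain with wide block-device access. A comment above the call naming that program (or the bug that reported the denial) would let a later reviewer decide whether a narrower transition is possible. The `optional_policy` wrapper is correct since fstools is a separate module.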
@@ -9526,7 +9625,7 @@
  		init_dbus_chat_script(unconfined_execmem_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.6.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/userdomain.if	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/userdomain.if	2007-06-26 07:46:11.000000000 -0400
 @@ -114,6 +114,22 @@
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.473
retrieving revision 1.474
diff -u -r1.473 -r1.474
--- selinux-policy.spec	26 Jun 2007 10:17:42 -0000	1.473
+++ selinux-policy.spec	2 Jul 2007 01:43:26 -0000	1.474
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,9 @@
 %endif
 
 %changelog
+* Wed Jun 27 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-24
+- Allow udev to transition to fstools domain.
+
 * Tue Jun 26 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-23
 - Fix libXComp location
 



