rpms/selinux-policy/F-7 policy-20070501.patch, 1.26, 1.27 selinux-policy.spec, 1.471, 1.472
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Jun 22 19:15:58 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19199
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Thu Jun 21 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-22
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- policy-20070501.patch 20 Jun 2007 11:52:49 -0000 1.26
+++ policy-20070501.patch 22 Jun 2007 19:15:52 -0000 1.27
@@ -12,7 +12,7 @@
.TP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.6.4/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/flask/access_vectors 2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/flask/access_vectors 2007-06-22 14:29:33.000000000 -0400
@@ -598,6 +598,8 @@
shmempwd
shmemgrp
@@ -31,6 +31,26 @@
}
class key
+@@ -648,3 +652,9 @@
+ node_bind
+ name_connect
+ }
++
++class memprotect
++{
++ mmap_zero
++}
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classes serefpolicy-2.6.4/policy/flask/security_classes
+--- nsaserefpolicy/policy/flask/security_classes 2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/flask/security_classes 2007-06-22 14:34:57.000000000 -0400
+@@ -97,4 +97,6 @@
+
+ class dccp_socket
+
++class memprotect
++
+ # FLASK
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.6.4/policy/global_booleans
--- nsaserefpolicy/policy/global_booleans 2007-05-07 14:51:05.000000000 -0400
+++ serefpolicy-2.6.4/policy/global_booleans 2007-06-18 10:18:55.000000000 -0400
@@ -629,7 +649,7 @@
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.6.4/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/rpm.if 2007-06-18 11:07:56.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/rpm.if 2007-06-21 09:36:31.000000000 -0400
@@ -211,6 +211,24 @@
########################################
@@ -686,7 +706,7 @@
')
########################################
-@@ -290,3 +329,46 @@
+@@ -290,3 +329,65 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -717,6 +737,25 @@
+
+########################################
+## <summary>
++## allow domain to read,
++## write RPM tmp files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`rpm_rw_tmp_files',`
++ gen_require(`
++ type rpm_tmp_t;
++ ')
++
++ allow $1 rpm_tmp_t:file rw_file_perms;
++')
++
++########################################
++## <summary>
+## Do not audit attempts to read,
+## write RPM tmp files
+## </summary>
@@ -1611,7 +1650,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.6.4/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/domain.if 2007-06-20 07:41:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/domain.if 2007-06-22 14:12:55.000000000 -0400
@@ -64,6 +64,7 @@
')
@@ -1620,7 +1659,7 @@
selinux_dontaudit_read_fs($1)
')
-@@ -1254,3 +1255,21 @@
+@@ -1254,3 +1255,44 @@
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
')
@@ -1642,9 +1681,32 @@
+
+ allow $1 domain:association { sendto recvfrom };
+')
++
++########################################
++## <summary>
++## Ability to mmap a low area of the address space,
++## as configured by /proc/sys/kernel/mmap_min_addr.
++## Preventing such mappings helps protect against
++## exploiting null deref bugs in the kernel.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to mmap low memory.
++## </summary>
++## </param>
++#
++interface(`domain_mmap_low',`
++ gen_require(`
++ attribute mmap_low_domain_type;
++ ')
++
++ allow $1 self:memprotect mmap_zero;
++
++ typeattribute $1 mmap_low_domain_type;
++')
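Review bot: The summary of the new `domain_mmap_low` interface explains why low mappings are blocked but not what a caller gives up, so it is easy to call it as a routine permission; the `<summary>` should state that calling it removes the mmap_min_addr protection for the passed domain and is meant only for domains with a demonstrated need to map that range, e.g. `## Calling this disables the mmap_min_addr protection for the domain; use only where the program genuinely needs low mappings.`. The `<param>` text `Domain allowed to mmap low memory.` is fine. Since the interface also adds the domain to `mmap_low_domain_type`, the summary could note that this is what exempts it from the neverallow in domain.te, which is declared outside this hunk.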
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.6.4/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/domain.te 2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/domain.te 2007-06-22 14:13:13.000000000 -0400
@@ -6,6 +6,29 @@
# Declarations
#
@@ -1675,7 +1737,18 @@
# Mark process types as domains
attribute domain;
-@@ -144,3 +167,26 @@
+@@ -15,6 +38,10 @@
+ # Domains that are unconfined
+ attribute unconfined_domain_type;
+
++# Domains that can mmap low memory.
++attribute mmap_low_domain_type;
++neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
++
+ # Domains that can set their current context
+ # (perform dynamic transitions)
+ attribute set_curr_context;
+@@ -144,3 +171,26 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
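Review bot: The new `neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;` does not exclude `unconfined_domain_type` (declared just above it), so an unconfined domain that needs low mappings must also go through `domain_mmap_low`, and any other rule granting memprotect mmap_zero to a domain will fail the policy build rather than silently widen the exemption. That is presumably intended, but the one-line comment on the attribute does not say so; I would expand it to `# Domains that can mmap low memory (below mmap_min_addr). Only domain_mmap_low() may add domains here; any other memprotect mmap_zero allow, including for unconfined domains, trips the neverallow below at build time.`.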
@@ -3262,8 +3335,17 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-2.6.4/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cron.fc 2007-06-18 10:18:55.000000000 -0400
-@@ -45,3 +45,4 @@
++++ serefpolicy-2.6.4/policy/modules/services/cron.fc 2007-06-20 09:54:43.000000000 -0400
+@@ -17,6 +17,8 @@
+ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
++/var/spool/anacron(/.*) gen_context(system_u:object_r:cron_spool_t,s0)
++
+ /var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/at/[^/]* -- <<none>>
+@@ -45,3 +47,4 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
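Review bot: The new cron.fc entry `/var/spool/anacron(/.*)` is missing the trailing `?` that the other directory patterns in this patch use (compare `/var/lib/alternatives(/.*)?` earlier in the diff), so the regex only matches entries below the directory and never `/var/spool/anacron` itself, which keeps whatever label its parent gives it. If the directory is meant to be cron_spool_t like its contents, the line should read `/var/spool/anacron(/.*)? gen_context(system_u:object_r:cron_spool_t,s0)`. If the directory is deliberately labeled by a rule outside this hunk, a short comment on the line saying so would avoid the next reader "fixing" it.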
@@ -4500,7 +4582,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.6.4/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-06-22 14:06:28.000000000 -0400
@@ -5,6 +5,7 @@
#
# Declarations
@@ -4509,7 +4591,25 @@
## <desc>
## <p>
-@@ -126,6 +127,7 @@
+@@ -91,6 +92,7 @@
+ kernel_read_kernel_sysctls(kadmind_t)
+ kernel_list_proc(kadmind_t)
+ kernel_read_proc_symlinks(kadmind_t)
++kernel_read_system_state(kadmind_t)
+
+ corenet_non_ipsec_sendrecv(kadmind_t)
+ corenet_tcp_sendrecv_all_if(kadmind_t)
+@@ -117,6 +119,9 @@
+ domain_use_interactive_fds(kadmind_t)
+
+ files_read_etc_files(kadmind_t)
++files_read_usr_symlinks(kadmind_t)
++files_read_usr_files(kadmind_t)
++files_read_var_files(kadmind_t)
+
+ libs_use_ld_so(kadmind_t)
+ libs_use_shared_libs(kadmind_t)
+@@ -126,6 +131,7 @@
miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
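Review bot: `files_read_var_files(kadmind_t)` is considerably broader than the two `/usr` read interfaces added next to it, since it grants read on every generic var_t file rather than a specific type, and nothing in the hunk records what kadmind actually needs under /var. I would add a why-comment such as `# kadmind reads <FILE-UNDER-VAR> (placeholder) at startup; narrow to that file's type if it has one` and, if the file in question already has its own type, call that type's read interface instead. The same applies to `kernel_read_system_state(kadmind_t)`, which should name what in /proc kadmind reads.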
@@ -4517,7 +4617,7 @@
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -227,6 +229,7 @@
+@@ -227,6 +233,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
@@ -4525,7 +4625,7 @@
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -248,3 +251,36 @@
+@@ -248,3 +255,36 @@
optional_policy(`
udev_read_db(krb5kdc_t)
')
@@ -5473,7 +5573,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-06-18 10:19:49.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-06-22 09:40:25.000000000 -0400
@@ -84,6 +84,12 @@
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
@@ -5557,7 +5657,16 @@
# connect to master process
stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-@@ -552,9 +574,45 @@
+@@ -528,6 +550,8 @@
+
+ allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+
++files_dontaudit_getattr_home_dir(postfix_smtp_t)
++
+ optional_policy(`
+ cyrus_stream_connect(postfix_smtp_t)
+ ')
+@@ -552,9 +576,45 @@
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
@@ -7013,8 +7122,27 @@
+miscfiles_read_certs(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-06-18 10:18:55.000000000 -0400
-@@ -1136,7 +1136,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-06-22 14:12:37.000000000 -0400
+@@ -83,6 +83,8 @@
+ manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t)
+ logging_log_filetrans($1_xserver_t,xserver_log_t,file)
+
++ domain_mmap_low($1_xserver_t)
++
+ kernel_read_system_state($1_xserver_t)
+ kernel_read_device_sysctls($1_xserver_t)
+ kernel_read_modprobe_sysctls($1_xserver_t)
+@@ -540,6 +542,9 @@
+ allow $2 self:unix_dgram_socket create_socket_perms;
+ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+
++ # this should cause the .xsession-errors file to be written to /tmp
++ dontaudit xdm_t $1_home_t:file rw_file_perms;
++
+ # Read .Xauthority file
+ allow $2 $1_xauth_home_t:file { getattr read };
+ allow $2 $1_iceauth_home_t:file { getattr read };
+@@ -1136,7 +1141,7 @@
type xdm_xserver_tmp_t;
')
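Review bot: The new `dontaudit xdm_t $1_home_t:file rw_file_perms;` silences read/write denials for xdm on every $1_home_t file, not only `.xsession-errors`, so a genuine xdm access problem on user home content will no longer show up in the audit log; the comment above it describes the intended effect but not this cost. I would reword it to `# silence xdm rw denials on all user home files so .xsession-errors falls back to /tmp; note this also hides any other xdm denial on $1_home_t files`. The `domain_mmap_low($1_xserver_t)` added in the first inner hunk also deserves a one-line comment, since it disables the mmap_min_addr protection for every per-role X server instantiated from this template, and a reader cannot tell from the hunk why the X server needs low mappings.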
@@ -8004,7 +8132,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-06-19 08:52:19.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-06-22 09:06:18.000000000 -0400
@@ -81,8 +81,8 @@
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -8033,7 +8161,16 @@
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -254,6 +257,8 @@
+@@ -157,6 +160,8 @@
+ /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/NX/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/NX/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -254,6 +259,8 @@
/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -8044,7 +8181,7 @@
# vmware
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-06-21 09:35:57.000000000 -0400
@@ -62,7 +62,8 @@
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -8065,6 +8202,13 @@
')
optional_policy(`
+@@ -113,4 +113,6 @@
+ # and executes ldconfig on it. If you dont allow this kernel installs
+ # blow up.
+ rpm_manage_script_tmp_files(ldconfig_t)
++ # smart package manager needs the following for the same reason
++ rpm_rw_tmp_files(ldconfig_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.6.4/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/locallogin.te 2007-06-18 10:18:55.000000000 -0400
@@ -9082,7 +9226,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-06-18 11:26:44.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-06-22 11:40:29.000000000 -0400
@@ -18,11 +18,6 @@
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@@ -9129,20 +9273,22 @@
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
files_exec_etc_files(udev_t)
-@@ -142,8 +144,12 @@
+@@ -142,8 +144,14 @@
seutil_read_file_contexts(udev_t)
seutil_domtrans_restorecon(udev_t)
+sysnet_read_dhcpc_pid(udev_t)
-+sysnet_read_dhcp_config(udev_t)
++sysnet_rw_dhcp_config(udev_t)
+sysnet_delete_dhcpc_pid(udev_t)
sysnet_domtrans_ifconfig(udev_t)
sysnet_domtrans_dhcpc(udev_t)
+sysnet_signal_dhcpc(udev_t)
++sysnet_etc_filetrans_config(udev_t)
++sysnet_manage_config(udev_t)
userdom_use_sysadm_ttys(udev_t)
userdom_dontaudit_search_all_users_home_content(udev_t)
-@@ -194,5 +200,24 @@
+@@ -194,5 +202,24 @@
')
optional_policy(`
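Review bot: The udev hunk upgrades `sysnet_read_dhcp_config` to `sysnet_rw_dhcp_config` and adds `sysnet_etc_filetrans_config(udev_t)` and `sysnet_manage_config(udev_t)`, which together let udev_t create and rewrite the network configuration files in /etc, but nothing in the hunk says which udev helper needs this or whether the read/write of the dhcp config is still needed once manage is granted. I would add a why-comment above the group, e.g. `# udev runs the network helpers that (re)write network config on hotplug; manage + filetrans are needed so files created in /etc get the right type`, and confirm that `sysnet_rw_dhcp_config` is not now redundant (I cannot tell from this diff whether the dhcp config type is covered by `sysnet_manage_config`).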
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.471
retrieving revision 1.472
diff -u -r1.471 -r1.472
--- selinux-policy.spec 20 Jun 2007 11:52:49 -0000 1.471
+++ selinux-policy.spec 22 Jun 2007 19:15:52 -0000 1.472
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 21%{?dist}
+Release: 22%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,8 @@
%endif
%changelog
+* Thu Jun 21 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-22
+
* Wed Jun 20 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-21
- Still fixing cron