rpms/selinux-policy/F-7 policy-20070501.patch, 1.15, 1.16 selinux-policy.spec, 1.460, 1.461
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu May 31 14:07:00 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17975
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Wed May 30 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-11
- Add spufs
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- policy-20070501.patch 29 May 2007 18:08:26 -0000 1.15
+++ policy-20070501.patch 31 May 2007 14:06:16 -0000 1.16
@@ -700,7 +700,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.6.4/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/su.if 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/su.if 2007-05-30 13:50:04.000000000 -0400
@@ -41,12 +41,11 @@
allow $2 $1_su_t:process signal;
@@ -731,11 +731,12 @@
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
-@@ -174,11 +175,9 @@
+@@ -174,11 +175,10 @@
allow $2 $1_su_t:process signal;
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
++ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
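Review bot: The added `allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };` drops `audit_control` and `audit_write` relative to the upstream line that the context line above appears to remove, and nothing in the hunk records why. CAP_AUDIT_WRITE is what a process needs to send records over the audit netlink socket, which PAM modules in an su stack may do, so if this stack writes audit records the effect is AVC denials and lost audit events rather than a quiet tightening. If the reduction is deliberate, a comment such as `# audit_write/audit_control intentionally not granted to su` would stop the next reader from restoring them by reflex; the 2.6.4-11 changelog mentions only spufs. The enclosing interface template begins and ends outside the hunk.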
@@ -743,7 +744,7 @@
allow $1_su_t self:key { search write };
# Transition from the user domain to this domain.
-@@ -204,9 +203,11 @@
+@@ -204,9 +204,11 @@
selinux_compute_access_vector($1_su_t)
auth_domtrans_user_chk_passwd($1,$1_su_t)
@@ -756,7 +757,7 @@
corecmd_search_bin($1_su_t)
-@@ -227,6 +228,7 @@
+@@ -227,6 +229,7 @@
libs_use_shared_libs($1_su_t)
logging_send_syslog_msg($1_su_t)
@@ -764,7 +765,7 @@
miscfiles_read_localization($1_su_t)
-@@ -310,6 +312,8 @@
+@@ -310,6 +313,8 @@
xserver_domtrans_user_xauth($1, $1_su_t)
')
@@ -1843,7 +1844,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-05-29 23:12:59.000000000 -0400
@@ -54,17 +54,29 @@
type capifs_t;
@@ -1886,10 +1887,15 @@
type nfsd_fs_t;
fs_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
-@@ -105,6 +122,11 @@
+@@ -105,6 +122,16 @@
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
files_mountpoint(rpc_pipefs_t)
++type spufs_t;
++fs_type(spufs_t)
++genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
++files_mountpoint(spufs_t)
++
+type vxfs_t;
+fs_noxattr_type(vxfs_t)
+files_mountpoint(vxfs_t)
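Review bot: The new `spufs_t` block declares the type and labels the mount via genfscon but carries no comment saying what the filesystem is or which domains are expected to use it, and no access rule appears in this hunk; whether the grants live elsewhere in the patch is not visible here. A one-line comment above `type spufs_t;`, e.g. `# spufs: Cell SPU context pseudo-filesystem`, matches the style of the surrounding declarations and records the intent the commit log ("Add spufs") leaves implicit. The rest of the filesystem.te body is outside the hunk.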
@@ -2429,7 +2435,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-05-23 14:17:52.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-05-30 07:20:12.000000000 -0400
@@ -47,6 +47,13 @@
## Allow http daemon to tcp connect
## </p>
@@ -2472,6 +2478,15 @@
attribute httpdcontent;
# domains that can exec all users scripts
+@@ -215,7 +243,7 @@
+ # Apache server local policy
+ #
+
+-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+ dontaudit httpd_t self:capability { net_admin sys_tty_config };
+ allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow httpd_t self:fd use;
@@ -257,6 +285,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
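Review bot: `sys_nice` is added to the httpd_t self:capability allow with no comment naming the module or call that raised the denial, and the 2.6.4-11 changelog lists only spufs. CAP_SYS_NICE lets the process raise its own scheduling priority and, subject to the other checks, adjust other processes', so it widens what a compromised httpd can do; if the trigger is a harmless setpriority() at startup, adding it to the existing `dontaudit httpd_t self:capability { net_admin sys_tty_config };` line is the narrower fix. If it is genuinely required, the allow should carry a why-comment such as `# sys_nice: <module name> calls setpriority()/sched_setscheduler()`. The httpd_t local policy block continues outside the hunk.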
@@ -2990,7 +3005,7 @@
# fcron wants an instant update of a crontab change for the administrator
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.6.4/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-05-30 13:14:37.000000000 -0400
@@ -42,6 +42,9 @@
type cron_log_t;
logging_log_file(cron_log_t)
@@ -6385,7 +6400,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.6.4/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/authlogin.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/authlogin.te 2007-05-29 14:46:48.000000000 -0400
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -6400,7 +6415,7 @@
type chkpwd_exec_t;
corecmd_executable_file(chkpwd_exec_t)
-@@ -244,7 +251,6 @@
+@@ -244,7 +249,6 @@
optional_policy(`
xserver_read_xdm_pid(pam_console_t)
@@ -6408,7 +6423,7 @@
')
########################################
-@@ -252,6 +258,8 @@
+@@ -252,15 +256,14 @@
# System check password local policy
#
@@ -6417,7 +6432,16 @@
allow system_chkpwd_t shadow_t:file { getattr read };
corecmd_search_bin(system_chkpwd_t)
-@@ -305,3 +313,30 @@
+
+ domain_dontaudit_use_interactive_fds(system_chkpwd_t)
+
+-term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
+-term_dontaudit_use_generic_ptys(system_chkpwd_t)
+-
+ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+ userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
+ userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
+@@ -305,3 +308,30 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
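Review bot: The `term_dontaudit_use_unallocated_ttys(system_chkpwd_t)` / `term_dontaudit_use_generic_ptys(system_chkpwd_t)` pair is removed here, and the same removal appears for hwclock_t in the clock.te hunk, ldconfig_t in the libraries.te hunk and xend_t in the xen.te hunk; the replacement appears to be the `(daemon)` pair added in the init.te hunk, which only reaches domains carrying the `daemon` attribute. xend_t is shown as `init_daemon_domain(xend_t, xend_exec_t)` in the xen.te context and so is covered, but system_chkpwd_t, hwclock_t and ldconfig_t are not shown as daemon domains anywhere in this patch; if they lack the attribute, the denials these lines silenced (a daemon holding an inherited tty/pty fd exec'ing unix_chkpwd, hwclock or ldconfig) will come back as audit noise. Worth confirming each domain's declaration before dropping the per-domain dontaudits, or adding a comment such as `# tty/pty dontaudits now provided via the daemon attribute in init.te` where they are removed. The system_chkpwd_t block continues outside the hunk.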
@@ -6450,7 +6474,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.6.4/policy/modules/system/clock.te
--- nsaserefpolicy/policy/modules/system/clock.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/clock.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/clock.te 2007-05-29 14:47:46.000000000 -0400
@@ -26,8 +26,6 @@
allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file { getattr read write };
@@ -6460,7 +6484,7 @@
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
-@@ -61,6 +59,7 @@
+@@ -61,12 +59,11 @@
libs_use_shared_libs(hwclock_t)
logging_send_syslog_msg(hwclock_t)
@@ -6468,6 +6492,12 @@
miscfiles_read_localization(hwclock_t)
+ ifdef(`targeted_policy',`
+- term_dontaudit_use_unallocated_ttys(hwclock_t)
+- term_dontaudit_use_generic_ptys(hwclock_t)
+ files_dontaudit_read_root_files(hwclock_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.6.4/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/fstools.fc 2007-05-21 10:46:53.000000000 -0400
@@ -6741,7 +6771,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.6.4/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-05-29 14:45:49.000000000 -0400
@@ -10,13 +10,20 @@
# Declarations
#
@@ -6805,7 +6835,7 @@
ifdef(`targeted_policy',`
domain_subj_id_change_exemption(initrc_t)
unconfined_domain(initrc_t)
-@@ -520,11 +532,21 @@
+@@ -520,11 +532,22 @@
tunable_policy(`allow_daemons_use_tty',`
term_use_unallocated_ttys(daemon)
term_use_generic_ptys(daemon)
@@ -6814,9 +6844,10 @@
+ unconfined_rw_pipes(daemon)
+ ', `
+ # system-config-services causes avc messages that should be dontaudited
++ term_dontaudit_use_unallocated_ttys(daemon)
++ term_dontaudit_use_generic_ptys(daemon)
+ unconfined_dontaudit_rw_pipes(daemon)
-+
-+ ')
++ ')
+
optional_policy(`
mono_domtrans(initrc_t)
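Review bot: The new `term_dontaudit_use_unallocated_ttys(daemon)` / `term_dontaudit_use_generic_ptys(daemon)` lines sit directly under `# system-config-services causes avc messages that should be dontaudited`, a comment that explains the `unconfined_dontaudit_rw_pipes(daemon)` call rather than the tty/pty rules, so a reader will attribute them to the wrong cause. Give them their own line, e.g. `# daemons not allowed ttys by allow_daemons_use_tty: silence the tty/pty denials instead`, and since this pair now stands in for per-domain dontaudits removed elsewhere in the patch (authlogin.te, clock.te, libraries.te, xen.te), saying so here saves the next maintainer a search. The `tunable_policy(\`allow_daemons_use_tty',\`` block begins outside the hunk.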
@@ -6829,7 +6860,7 @@
',`
# cjp: require doesnt work in the else of optionals :\
# this also would result in a type transition
-@@ -735,6 +757,9 @@
+@@ -735,6 +758,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -6871,8 +6902,8 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-2.6.4/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/ipsec.te 2007-05-21 10:46:53.000000000 -0400
-@@ -289,6 +289,7 @@
++++ serefpolicy-2.6.4/policy/modules/system/ipsec.te 2007-05-29 14:50:06.000000000 -0400
+@@ -289,6 +287,7 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket { create read setopt write };
@@ -6932,7 +6963,7 @@
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-05-29 14:50:26.000000000 -0400
@@ -62,7 +62,8 @@
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -6943,10 +6974,12 @@
manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
-@@ -101,6 +102,7 @@
+@@ -99,8 +100,7 @@
+ ifdef(`targeted_policy',`
+ allow ldconfig_t lib_t:file read_file_perms;
files_read_generic_tmp_symlinks(ldconfig_t)
- term_dontaudit_use_generic_ptys(ldconfig_t)
- term_dontaudit_use_unallocated_ttys(ldconfig_t)
+- term_dontaudit_use_generic_ptys(ldconfig_t)
+- term_dontaudit_use_unallocated_ttys(ldconfig_t)
+ files_read_generic_tmp_files(ldconfig_t)
')
@@ -7191,7 +7224,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.6.4/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/logging.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/logging.te 2007-05-29 14:51:01.000000000 -0400
@@ -7,10 +7,15 @@
#
@@ -7259,7 +7292,7 @@
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
-@@ -267,6 +276,9 @@
+@@ -267,6 +269,9 @@
# create/append log files.
manage_files_pattern(syslogd_t,var_log_t,var_log_t)
@@ -7269,7 +7302,7 @@
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -331,6 +343,7 @@
+@@ -331,6 +336,7 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -7290,7 +7323,7 @@
/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.6.4/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/lvm.te 2007-05-23 13:28:28.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/lvm.te 2007-05-29 14:51:07.000000000 -0400
@@ -16,6 +16,7 @@
type lvm_t;
type lvm_exec_t;
@@ -7299,7 +7332,7 @@
# needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin
domain_obj_id_change_exemption(lvm_t)
-@@ -155,7 +156,9 @@
+@@ -155,7 +154,9 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
@@ -7310,7 +7343,7 @@
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
-@@ -233,6 +236,8 @@
+@@ -233,6 +234,8 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -7319,7 +7352,7 @@
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
-@@ -251,6 +256,7 @@
+@@ -251,6 +254,7 @@
storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -7327,7 +7360,7 @@
term_getattr_all_user_ttys(lvm_t)
term_list_ptys(lvm_t)
-@@ -305,5 +311,14 @@
+@@ -305,5 +309,14 @@
')
optional_policy(`
@@ -7568,7 +7601,7 @@
libs_use_ld_so(netlabel_mgmt_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.6.4/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/raid.te 2007-05-21 13:29:06.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/raid.te 2007-05-29 14:51:30.000000000 -0400
@@ -19,7 +19,7 @@
# Local policy
#
@@ -7636,7 +7669,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.4/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-05-23 10:41:40.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-05-29 14:51:48.000000000 -0400
@@ -1,10 +1,8 @@
policy_module(selinuxutil,1.5.0)
@@ -7778,7 +7811,7 @@
########################################
#
# Restorecond local policy
-@@ -490,7 +497,7 @@
+@@ -490,7 +492,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -7787,7 +7820,7 @@
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -504,6 +511,7 @@
+@@ -504,6 +506,7 @@
term_dontaudit_list_ptys(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -7795,7 +7828,7 @@
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
-@@ -560,7 +568,7 @@
+@@ -560,7 +563,7 @@
allow semanage_t self:capability { dac_override audit_write };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
@@ -7804,7 +7837,7 @@
allow semanage_t policy_config_t:file { read write };
-@@ -571,7 +579,10 @@
+@@ -571,7 +574,10 @@
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
@@ -7815,7 +7848,7 @@
dev_read_urand(semanage_t)
-@@ -595,6 +606,8 @@
+@@ -595,6 +601,8 @@
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
@@ -7824,7 +7857,7 @@
libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
-@@ -621,6 +634,15 @@
+@@ -621,6 +629,15 @@
userdom_search_sysadm_home_dirs(semanage_t)
@@ -7840,7 +7873,7 @@
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -700,6 +722,8 @@
+@@ -700,6 +717,8 @@
ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors.
optional_policy(`
@@ -7852,8 +7885,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.6.4/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te 2007-05-21 10:46:53.000000000 -0400
-@@ -164,6 +164,10 @@
++++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te 2007-05-29 14:53:09.000000000 -0400
+@@ -164,6 +160,10 @@
dbus_connect_system_bus(dhcpc_t)
dbus_send_system_bus(dhcpc_t)
@@ -7864,7 +7897,7 @@
optional_policy(`
networkmanager_dbus_chat(dhcpc_t)
')
-@@ -221,6 +225,7 @@
+@@ -221,6 +221,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -7874,7 +7907,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-05-29 14:53:15.000000000 -0400
@@ -83,12 +83,19 @@
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
@@ -7895,7 +7928,7 @@
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
-@@ -194,5 +201,24 @@
+@@ -194,5 +196,24 @@
')
optional_policy(`
@@ -7922,11 +7955,23 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.6.4/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.fc 2007-05-21 10:46:53.000000000 -0400
-@@ -10,4 +10,5 @@
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.fc 2007-05-30 07:22:13.000000000 -0400
+@@ -2,12 +2,12 @@
+ # e.g.:
+ # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+ # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+-
+-ifdef(`targeted_policy',`
+-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+ /usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
- /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++ifdef(`targeted_policy',`
+/usr/bin/vmware.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.6.4/policy/modules/system/unconfined.if
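Review bot: Moving `ifdef(\`targeted_policy',\`` below the openoffice and realplay entries leaves it guarding only the `/usr/bin/vmware.*` line, so qemu, valgrind, ia32el, openoffice and realplay are now labelled unconfined_execmem_exec_t in every policy flavour rather than only targeted; if that is intended it deserves a line in the changelog, which mentions only spufs. The comment `# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t` now heads the qemu entry instead of the `/usr/bin/vncserver` line it describes; move it next to vncserver or reword it. The start of the file is outside the hunk, so whether other entries depend on the old ifdef position cannot be checked here.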
@@ -8877,7 +8922,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.6.4/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/xen.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/xen.te 2007-05-29 14:53:28.000000000 -0400
@@ -25,6 +25,10 @@
domain_type(xend_t)
init_daemon_domain(xend_t, xend_exec_t)
@@ -8933,7 +8978,7 @@
storage_raw_read_removable_device(xend_t)
term_getattr_all_user_ptys(xend_t)
-@@ -195,6 +210,10 @@
+@@ -195,21 +210,16 @@
xen_stream_connect_xenstore(xend_t)
@@ -8944,7 +8989,22 @@
netutils_domtrans(xend_t)
optional_policy(`
-@@ -284,6 +303,12 @@
+ consoletype_exec(xend_t)
+ ')
+
+-ifdef(`targeted_policy',`
+- term_dontaudit_use_unallocated_ttys(xend_t)
+- term_dontaudit_use_generic_ptys(xend_t)
+-
+- optional_policy(`
+- unconfined_rw_pipes(xend_t)
+- ')
+-')
+-
+ ########################################
+ #
+ # Xen console local policy
+@@ -284,6 +294,12 @@
files_read_usr_files(xenstored_t)
@@ -8957,7 +9017,7 @@
term_use_generic_ptys(xenstored_t)
term_use_console(xenconsoled_t)
-@@ -317,6 +342,11 @@
+@@ -317,6 +333,11 @@
allow xm_t xen_image_t:dir rw_dir_perms;
allow xm_t xen_image_t:file read_file_perms;
@@ -8969,7 +9029,7 @@
kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
-@@ -352,3 +382,11 @@
+@@ -352,3 +373,11 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.460
retrieving revision 1.461
diff -u -r1.460 -r1.461
--- selinux-policy.spec 29 May 2007 17:18:01 -0000 1.460
+++ selinux-policy.spec 31 May 2007 14:06:16 -0000 1.461
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -359,7 +359,10 @@
%endif
%changelog
-* Tue May 22 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-10
+* Wed May 30 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-11
+- Add spufs
+
+* Tue May 29 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-10
- Fixes for avahi, procmail, postfix
* Tue May 22 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-9