[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/selinux-policy/F-7 policy-20070501.patch, 1.15, 1.16 selinux-policy.spec, 1.460, 1.461



Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17975

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Wed May 30 2007 Dan Walsh <dwalsh redhat com> 2.6.4-11
- Add spufs


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- policy-20070501.patch	29 May 2007 18:08:26 -0000	1.15
+++ policy-20070501.patch	31 May 2007 14:06:16 -0000	1.16
@@ -700,7 +700,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.6.4/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/su.if	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/su.if	2007-05-30 13:50:04.000000000 -0400
 @@ -41,12 +41,11 @@
  
  	allow $2 $1_su_t:process signal;
@@ -731,11 +731,12 @@
  	logging_send_syslog_msg($1_su_t)
  
  	miscfiles_read_localization($1_su_t)
-@@ -174,11 +175,9 @@
+@@ -174,11 +175,10 @@
  
  	allow $2 $1_su_t:process signal;
  
 -	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
++	allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
  	dontaudit $1_su_t self:capability sys_tty_config;
  	allow $1_su_t self:process { setexec setsched setrlimit };
  	allow $1_su_t self:fifo_file rw_fifo_file_perms;
@@ -743,7 +744,7 @@
  	allow $1_su_t self:key { search write };
  
  	# Transition from the user domain to this domain.
-@@ -204,9 +203,11 @@
+@@ -204,9 +204,11 @@
  	selinux_compute_access_vector($1_su_t)
  
  	auth_domtrans_user_chk_passwd($1,$1_su_t)
@@ -756,7 +757,7 @@
  
  	corecmd_search_bin($1_su_t)
  
-@@ -227,6 +228,7 @@
+@@ -227,6 +229,7 @@
  	libs_use_shared_libs($1_su_t)
  
  	logging_send_syslog_msg($1_su_t)
@@ -764,7 +765,7 @@
  
  	miscfiles_read_localization($1_su_t)
  
-@@ -310,6 +312,8 @@
+@@ -310,6 +313,8 @@
  		xserver_domtrans_user_xauth($1, $1_su_t)
  	')
  
@@ -1843,7 +1844,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te	2007-05-29 23:12:59.000000000 -0400
 @@ -54,17 +54,29 @@
  
  type capifs_t;
@@ -1886,10 +1887,15 @@
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
  genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
-@@ -105,6 +122,11 @@
+@@ -105,6 +122,16 @@
  genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
  files_mountpoint(rpc_pipefs_t)
  
++type spufs_t;
++fs_type(spufs_t)
++genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
++files_mountpoint(spufs_t)
++
 +type vxfs_t;
 +fs_noxattr_type(vxfs_t)
 +files_mountpoint(vxfs_t)
@@ -2429,7 +2435,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te	2007-05-23 14:17:52.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te	2007-05-30 07:20:12.000000000 -0400
 @@ -47,6 +47,13 @@
  ## Allow http daemon to tcp connect
  ## </p>
@@ -2472,6 +2478,15 @@
  attribute httpdcontent;
  
  # domains that can exec all users scripts
+@@ -215,7 +243,7 @@
+ # Apache server local policy
+ #
+ 
+-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+ dontaudit httpd_t self:capability { net_admin sys_tty_config };
+ allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow httpd_t self:fd use;
 @@ -257,6 +285,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -2990,7 +3005,7 @@
  		# fcron wants an instant update of a crontab change for the administrator
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.6.4/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cron.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cron.te	2007-05-30 13:14:37.000000000 -0400
 @@ -42,6 +42,9 @@
  type cron_log_t;
  logging_log_file(cron_log_t)
@@ -6385,7 +6400,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.6.4/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/authlogin.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/authlogin.te	2007-05-29 14:46:48.000000000 -0400
 @@ -9,6 +9,13 @@
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
@@ -6400,7 +6415,7 @@
  
  type chkpwd_exec_t;
  corecmd_executable_file(chkpwd_exec_t)
-@@ -244,7 +251,6 @@
+@@ -244,7 +249,6 @@
  
  optional_policy(`
  	xserver_read_xdm_pid(pam_console_t)
@@ -6408,7 +6423,7 @@
  ')
  
  ########################################
-@@ -252,6 +258,8 @@
+@@ -252,15 +256,14 @@
  # System check password local policy
  #
  
@@ -6417,7 +6432,16 @@
  allow system_chkpwd_t shadow_t:file { getattr read };
  
  corecmd_search_bin(system_chkpwd_t)
-@@ -305,3 +313,30 @@
+ 
+ domain_dontaudit_use_interactive_fds(system_chkpwd_t)
+ 
+-term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
+-term_dontaudit_use_generic_ptys(system_chkpwd_t)
+-
+ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+ userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
+ userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
+@@ -305,3 +308,30 @@
  	xserver_use_xdm_fds(utempter_t)
  	xserver_rw_xdm_pipes(utempter_t)
  ')
@@ -6450,7 +6474,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.6.4/policy/modules/system/clock.te
 --- nsaserefpolicy/policy/modules/system/clock.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/clock.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/clock.te	2007-05-29 14:47:46.000000000 -0400
 @@ -26,8 +26,6 @@
  allow hwclock_t self:process signal_perms;
  allow hwclock_t self:fifo_file { getattr read write };
@@ -6460,7 +6484,7 @@
  # Allow hwclock to store & retrieve correction factors.
  allow hwclock_t adjtime_t:file { rw_file_perms setattr };
  
-@@ -61,6 +59,7 @@
+@@ -61,12 +59,11 @@
  libs_use_shared_libs(hwclock_t)
  
  logging_send_syslog_msg(hwclock_t)
@@ -6468,6 +6492,12 @@
  
  miscfiles_read_localization(hwclock_t)
  
+ ifdef(`targeted_policy',`
+-	term_dontaudit_use_unallocated_ttys(hwclock_t)
+-	term_dontaudit_use_generic_ptys(hwclock_t)
+ 	files_dontaudit_read_root_files(hwclock_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.6.4/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/fstools.fc	2007-05-21 10:46:53.000000000 -0400
@@ -6741,7 +6771,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.6.4/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/init.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/init.te	2007-05-29 14:45:49.000000000 -0400
 @@ -10,13 +10,20 @@
  # Declarations
  #
@@ -6805,7 +6835,7 @@
  ifdef(`targeted_policy',`
  	domain_subj_id_change_exemption(initrc_t)
  	unconfined_domain(initrc_t)
-@@ -520,11 +532,21 @@
+@@ -520,11 +532,22 @@
  	tunable_policy(`allow_daemons_use_tty',`
  		term_use_unallocated_ttys(daemon)
  		term_use_generic_ptys(daemon)
@@ -6814,9 +6844,10 @@
 + 		unconfined_rw_pipes(daemon)
 + 	', `
 + 		# system-config-services causes avc messages that should be dontaudited
++		term_dontaudit_use_unallocated_ttys(daemon)
++		term_dontaudit_use_generic_ptys(daemon)
 + 		unconfined_dontaudit_rw_pipes(daemon)
-+ 
-+ 	')
++  	')
 + 
  	optional_policy(`
  		mono_domtrans(initrc_t)
@@ -6829,7 +6860,7 @@
  ',`
  	# cjp: require doesnt work in the else of optionals :\
  	# this also would result in a type transition
-@@ -735,6 +757,9 @@
+@@ -735,6 +758,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -6871,8 +6902,8 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-2.6.4/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/ipsec.te	2007-05-21 10:46:53.000000000 -0400
-@@ -289,6 +289,7 @@
++++ serefpolicy-2.6.4/policy/modules/system/ipsec.te	2007-05-29 14:50:06.000000000 -0400
+@@ -289,6 +287,7 @@
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
  allow racoon_t self:key_socket { create read setopt write };
@@ -6932,7 +6963,7 @@
  /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te	2007-05-29 14:50:26.000000000 -0400
 @@ -62,7 +62,8 @@
  
  manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -6943,10 +6974,12 @@
  
  manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
  
-@@ -101,6 +102,7 @@
+@@ -99,8 +100,7 @@
+ ifdef(`targeted_policy',`
+ 	allow ldconfig_t lib_t:file read_file_perms;
  	files_read_generic_tmp_symlinks(ldconfig_t)
- 	term_dontaudit_use_generic_ptys(ldconfig_t)
- 	term_dontaudit_use_unallocated_ttys(ldconfig_t)
+-	term_dontaudit_use_generic_ptys(ldconfig_t)
+-	term_dontaudit_use_unallocated_ttys(ldconfig_t)
 +	files_read_generic_tmp_files(ldconfig_t)
  ')
  
@@ -7191,7 +7224,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.6.4/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/logging.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/logging.te	2007-05-29 14:51:01.000000000 -0400
 @@ -7,10 +7,15 @@
  #
  
@@ -7259,7 +7292,7 @@
  logging_send_syslog_msg(auditd_t)
  
  libs_use_ld_so(auditd_t)
-@@ -267,6 +276,9 @@
+@@ -267,6 +269,9 @@
  
  # create/append log files.
  manage_files_pattern(syslogd_t,var_log_t,var_log_t)
@@ -7269,7 +7302,7 @@
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
-@@ -331,6 +343,7 @@
+@@ -331,6 +336,7 @@
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
@@ -7290,7 +7323,7 @@
  /etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.6.4/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/lvm.te	2007-05-23 13:28:28.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/lvm.te	2007-05-29 14:51:07.000000000 -0400
 @@ -16,6 +16,7 @@
  type lvm_t;
  type lvm_exec_t;
@@ -7299,7 +7332,7 @@
  # needs privowner because it assigns the identity system_u to device nodes
  # but runs as the identity of the sysadmin
  domain_obj_id_change_exemption(lvm_t)
-@@ -155,7 +156,9 @@
+@@ -155,7 +154,9 @@
  
  # DAC overrides and mknod for modifying /dev entries (vgmknodes)
  # rawio needed for dmraid
@@ -7310,7 +7343,7 @@
  dontaudit lvm_t self:capability sys_tty_config;
  allow lvm_t self:process { sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
-@@ -233,6 +236,8 @@
+@@ -233,6 +234,8 @@
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -7319,7 +7352,7 @@
  
  fs_getattr_xattr_fs(lvm_t)
  fs_search_auto_mountpoints(lvm_t)
-@@ -251,6 +256,7 @@
+@@ -251,6 +254,7 @@
  storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
@@ -7327,7 +7360,7 @@
  
  term_getattr_all_user_ttys(lvm_t)
  term_list_ptys(lvm_t)
-@@ -305,5 +311,14 @@
+@@ -305,5 +309,14 @@
  ')
  
  optional_policy(`
@@ -7568,7 +7601,7 @@
  libs_use_ld_so(netlabel_mgmt_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.6.4/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/raid.te	2007-05-21 13:29:06.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/raid.te	2007-05-29 14:51:30.000000000 -0400
 @@ -19,7 +19,7 @@
  # Local policy
  #
@@ -7636,7 +7669,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.4/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te	2007-05-23 10:41:40.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te	2007-05-29 14:51:48.000000000 -0400
 @@ -1,10 +1,8 @@
  
  policy_module(selinuxutil,1.5.0)
@@ -7778,7 +7811,7 @@
  ########################################
  #
  # Restorecond local policy
-@@ -490,7 +497,7 @@
+@@ -490,7 +492,7 @@
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -7787,7 +7820,7 @@
  
  # often the administrator runs such programs from a directory that is owned
  # by a different user or has restrictive SE permissions, do not want to audit
-@@ -504,6 +511,7 @@
+@@ -504,6 +506,7 @@
  term_dontaudit_list_ptys(run_init_t)
  
  auth_domtrans_chk_passwd(run_init_t)
@@ -7795,7 +7828,7 @@
  auth_dontaudit_read_shadow(run_init_t)
  
  corecmd_exec_bin(run_init_t)
-@@ -560,7 +568,7 @@
+@@ -560,7 +563,7 @@
  allow semanage_t self:capability { dac_override audit_write };
  allow semanage_t self:unix_stream_socket create_stream_socket_perms;
  allow semanage_t self:unix_dgram_socket create_socket_perms;
@@ -7804,7 +7837,7 @@
  
  allow semanage_t policy_config_t:file { read write };
  
-@@ -571,7 +579,10 @@
+@@ -571,7 +574,10 @@
  kernel_read_system_state(semanage_t)
  kernel_read_kernel_sysctls(semanage_t)
  
@@ -7815,7 +7848,7 @@
  
  dev_read_urand(semanage_t)
  
-@@ -595,6 +606,8 @@
+@@ -595,6 +601,8 @@
  
  # Running genhomedircon requires this for finding all users
  auth_use_nsswitch(semanage_t)
@@ -7824,7 +7857,7 @@
  
  libs_use_ld_so(semanage_t)
  libs_use_shared_libs(semanage_t)
-@@ -621,6 +634,15 @@
+@@ -621,6 +629,15 @@
  
  userdom_search_sysadm_home_dirs(semanage_t)
  
@@ -7840,7 +7873,7 @@
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -700,6 +722,8 @@
+@@ -700,6 +717,8 @@
  ifdef(`hide_broken_symptoms',`
  	# cjp: cover up stray file descriptors.
  	optional_policy(`
@@ -7852,8 +7885,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.6.4/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te	2007-05-21 10:46:53.000000000 -0400
-@@ -164,6 +164,10 @@
++++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te	2007-05-29 14:53:09.000000000 -0400
+@@ -164,6 +160,10 @@
  	dbus_connect_system_bus(dhcpc_t)
  	dbus_send_system_bus(dhcpc_t)
  
@@ -7864,7 +7897,7 @@
  	optional_policy(`
  		networkmanager_dbus_chat(dhcpc_t)
  	')
-@@ -221,6 +225,7 @@
+@@ -221,6 +221,7 @@
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -7874,7 +7907,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/udev.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/udev.te	2007-05-29 14:53:15.000000000 -0400
 @@ -83,12 +83,19 @@
  kernel_dgram_send(udev_t)
  kernel_signal(udev_t)
@@ -7895,7 +7928,7 @@
  
  domain_read_all_domains_state(udev_t)
  domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
-@@ -194,5 +201,24 @@
+@@ -194,5 +196,24 @@
  ')
  
  optional_policy(`
@@ -7922,11 +7955,23 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.6.4/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.fc	2007-05-21 10:46:53.000000000 -0400
-@@ -10,4 +10,5 @@
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.fc	2007-05-30 07:22:13.000000000 -0400
+@@ -2,12 +2,12 @@
+ # e.g.:
+ # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+ # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+-/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+-
+-ifdef(`targeted_policy',`
+-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+ /usr/bin/qemu.*			--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
  /usr/bin/valgrind 		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
- /usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
  /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++ifdef(`targeted_policy',`
 +/usr/bin/vmware.*		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.6.4/policy/modules/system/unconfined.if
@@ -8877,7 +8922,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.6.4/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/xen.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/xen.te	2007-05-29 14:53:28.000000000 -0400
 @@ -25,6 +25,10 @@
  domain_type(xend_t)
  init_daemon_domain(xend_t, xend_exec_t)
@@ -8933,7 +8978,7 @@
  storage_raw_read_removable_device(xend_t)
  
  term_getattr_all_user_ptys(xend_t)
-@@ -195,6 +210,10 @@
+@@ -195,21 +210,16 @@
  
  xen_stream_connect_xenstore(xend_t)
  
@@ -8944,7 +8989,22 @@
  netutils_domtrans(xend_t)
  
  optional_policy(`
-@@ -284,6 +303,12 @@
+ 	consoletype_exec(xend_t)
+ ')
+ 
+-ifdef(`targeted_policy',`
+-	term_dontaudit_use_unallocated_ttys(xend_t)
+-	term_dontaudit_use_generic_ptys(xend_t)
+-
+-	optional_policy(`
+-		unconfined_rw_pipes(xend_t)
+-	')
+-')
+-
+ ########################################
+ #
+ # Xen console local policy
+@@ -284,6 +294,12 @@
  
  files_read_usr_files(xenstored_t)
  
@@ -8957,7 +9017,7 @@
  term_use_generic_ptys(xenstored_t)
  term_use_console(xenconsoled_t)
  
-@@ -317,6 +342,11 @@
+@@ -317,6 +333,11 @@
  
  allow xm_t xen_image_t:dir rw_dir_perms;
  allow xm_t xen_image_t:file read_file_perms;
@@ -8969,7 +9029,7 @@
  
  kernel_read_system_state(xm_t)
  kernel_read_kernel_sysctls(xm_t)
-@@ -352,3 +382,11 @@
+@@ -352,3 +373,11 @@
  xen_append_log(xm_t)
  xen_stream_connect(xm_t)
  xen_stream_connect_xenstore(xm_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.460
retrieving revision 1.461
diff -u -r1.460 -r1.461
--- selinux-policy.spec	29 May 2007 17:18:01 -0000	1.460
+++ selinux-policy.spec	31 May 2007 14:06:16 -0000	1.461
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,7 +359,10 @@
 %endif
 
 %changelog
-* Tue May 22 2007 Dan Walsh <dwalsh redhat com> 2.6.4-10
+* Wed May 30 2007 Dan Walsh <dwalsh redhat com> 2.6.4-11
+- Add spufs
+
+* Tue May 29 2007 Dan Walsh <dwalsh redhat com> 2.6.4-10
 - Fixes for avahi, procmail, postfix
 
 * Tue May 22 2007 Dan Walsh <dwalsh redhat com> 2.6.4-9


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]