rpms/selinux-policy/F-8 modules-targeted.conf, 1.71, 1.72 policy-20070703.patch, 1.128, 1.129 selinux-policy.spec, 1.573, 1.574
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Sat Nov 10 13:19:11 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9113
Modified Files:
modules-targeted.conf policy-20070703.patch
selinux-policy.spec
Log Message:
* Sat Nov 10 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-51
- Allow login programs to run mount
- Dontaudit writes to user_home_t for semanage
- Allow sendmail to write to cyrus_stream
- Define /dev/dmmidi1 as a sound_device_t
- Allow saslauthd to use nis_authentication
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/modules-targeted.conf,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -r1.71 -r1.72
--- modules-targeted.conf 8 Nov 2007 22:07:40 -0000 1.71
+++ modules-targeted.conf 10 Nov 2007 13:18:35 -0000 1.72
@@ -888,6 +888,13 @@
postfix = base
# Layer: services
+# Module: postgrey
+#
+# email scanner
+#
+postgrey = base
+
+# Layer: services
# Module: ppp
#
# Point to Point Protocol daemon creates links in ppp networks
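Review bot: the description "email scanner" in the new postgrey stanza does not match what postgrey is, a greylisting policy server for Postfix; reword the comment (for example "Postfix greylisting policy server") so the module list stays usable as documentation. The module is also built into base rather than as a loadable module, which matches the neighbouring "postfix = base" entry but means it cannot be removed independently.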
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.128
retrieving revision 1.129
diff -u -r1.128 -r1.129
--- policy-20070703.patch 9 Nov 2007 19:42:58 -0000 1.128
+++ policy-20070703.patch 10 Nov 2007 13:18:35 -0000 1.129
@@ -3944,7 +3944,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-31 09:43:13.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-10 07:47:13.000000000 -0500
@@ -20,6 +20,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -3961,7 +3961,15 @@
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-@@ -98,6 +100,7 @@
+@@ -49,6 +51,7 @@
+ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
+ /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
+ /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+@@ -98,6 +101,7 @@
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
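Review bot: the new file context is "/dev/dmmidi.*", while the log message says "Define /dev/dmmidi1 as a sound_device_t". The wildcard is consistent with the "/dev/rmidi.*" line that follows it, so the pattern looks intentional; the changelog entry should say /dev/dmmidi* so the label's real scope is recorded.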
@@ -8615,7 +8623,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.fc 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/hal.fc 2007-11-10 08:15:11.000000000 -0500
@@ -8,14 +8,18 @@
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@@ -8634,7 +8642,8 @@
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/haldaemon.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
- /var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
+-/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
++/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-30 19:54:25.000000000 -0400
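Review bot: replacing "/var/run/vbestate" with "/var/run/vbe.*" widens the hald_var_run_t label to every regular file in /var/run whose name starts with "vbe", and nothing in the log message explains which additional files motivated it. Either list the specific file names HAL writes or note the reason in the changelog, since any domain allowed to manage hald_var_run_t gains access to whatever matches.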
@@ -9874,7 +9883,7 @@
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-11-10 07:53:02.000000000 -0500
@@ -49,8 +49,8 @@
corenet_udp_bind_all_nodes($1)
corenet_tcp_bind_generic_port($1)
@@ -12068,7 +12077,7 @@
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.8/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sasl.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/sasl.te 2007-11-10 07:53:45.000000000 -0500
@@ -64,6 +64,7 @@
selinux_compute_access_vector(saslauthd_t)
@@ -12077,6 +12086,17 @@
auth_use_nsswitch(saslauthd_t)
domain_use_interactive_fds(saslauthd_t)
+@@ -98,6 +99,10 @@
+ ')
+
+ optional_policy(`
++ nis_authenticate(saslauthd_t)
++')
++
++optional_policy(`
+ kerberos_read_keytab(saslauthd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.0.8/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/sendmail.if 2007-10-29 23:59:29.000000000 -0400
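Review bot: the added optional_policy block calling nis_authenticate(saslauthd_t) sits in a domain that already calls auth_use_nsswitch(saslauthd_t), visible in the context above, and this same commit touches the optional blocks inside auth_use_nsswitch. State why saslauthd needs the explicit NIS grant on top of that interface, or move the grant into the interface if every nsswitch user needs it, so the two do not drift apart.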
@@ -12168,7 +12188,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-11-10 07:37:22.000000000 -0500
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -12203,7 +12223,7 @@
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -94,30 +99,28 @@
+@@ -94,30 +99,32 @@
miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
@@ -12222,15 +12242,18 @@
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
++
++optional_policy(`
++ cron_read_pipes(sendmail_t)
++')
optional_policy(`
-- clamav_search_lib(sendmail_t)
-+ cron_read_pipes(sendmail_t)
+ clamav_search_lib(sendmail_t)
')
optional_policy(`
- nis_use_ypbind(sendmail_t)
-+ clamav_search_lib(sendmail_t)
++ cyrus_stream_connect(sendmail_t)
')
optional_policy(`
@@ -12239,7 +12262,7 @@
')
optional_policy(`
-@@ -131,6 +134,10 @@
+@@ -131,6 +138,10 @@
')
optional_policy(`
@@ -12250,7 +12273,7 @@
seutil_sigchld_newrole(sendmail_t)
')
-@@ -156,3 +163,15 @@
+@@ -156,3 +167,15 @@
dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
') dnl end TODO
@@ -13783,7 +13806,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-09 14:35:36.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-10 07:11:24.000000000 -0500
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -13847,7 +13870,7 @@
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,22 +218,41 @@
+@@ -196,20 +218,41 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -13877,20 +13900,20 @@
+ userdom_unlink_unpriv_users_tmp_files($1)
+
+ optional_policy(`
-+ nis_authenticate($1)
++ mount_domtrans($1)
+ ')
+
+ optional_policy(`
++ nis_authenticate($1)
++
++ optional_policy(`
+ unconfined_set_rlimitnh($1)
+ ')
+
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
-+ mount_domtrans($1)
')
- ')
-
-@@ -309,9 +350,6 @@
+@@ -309,9 +352,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
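Review bot: the transition to the mount domain is no longer gated by the allow_polyinstantiation boolean. mount_domtrans($1) leaves the tunable_policy block and lands in its own optional_policy block, so every domain using this login interface can run mount whenever the mount module is present, on all systems rather than only those that enabled polyinstantiation. The log message says "Allow login programs to run mount" but not why the boolean gate was dropped; record the use case, or keep the call under a tunable if it is only needed for a specific PAM setup. Also check the block structure: as the lines read here, the optional_policy block holding nis_authenticate($1) has no closing quote-paren before the next optional_policy opens.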
@@ -13900,7 +13923,7 @@
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +367,8 @@
+@@ -329,6 +369,8 @@
optional_policy(`
kerberos_use($1)
@@ -13909,7 +13932,7 @@
')
optional_policy(`
-@@ -347,6 +387,37 @@
+@@ -347,6 +389,37 @@
########################################
## <summary>
@@ -13947,7 +13970,7 @@
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
-@@ -695,6 +766,24 @@
+@@ -695,6 +768,24 @@
########################################
## <summary>
@@ -13972,7 +13995,7 @@
## Execute pam programs in the PAM domain.
## </summary>
## <param name="domain">
-@@ -1318,16 +1407,14 @@
+@@ -1318,16 +1409,14 @@
## </param>
#
interface(`auth_use_nsswitch',`
@@ -13992,7 +14015,7 @@
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
-@@ -1347,6 +1434,8 @@
+@@ -1347,6 +1436,8 @@
optional_policy(`
samba_stream_connect_winbind($1)
@@ -14001,7 +14024,7 @@
')
')
-@@ -1381,3 +1470,181 @@
+@@ -1381,3 +1472,181 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -16380,7 +16403,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-11-07 11:59:45.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-11-10 07:25:22.000000000 -0500
@@ -585,7 +585,7 @@
type selinux_config_t;
')
@@ -16512,7 +16535,7 @@
## Full management of the semanage
## module store.
## </summary>
-@@ -1058,3 +1134,138 @@
+@@ -1058,3 +1134,141 @@
files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
@@ -16590,6 +16613,7 @@
+ type policy_config_t;
+ ')
+ allow $1 self:capability { dac_override audit_write };
++ allow $1 self:process signal;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ logging_send_audit_msgs($1)
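Review bot: the added "allow $1 self:process signal;" has no counterpart in the log message and no comment in the interface. Note which denial it resolves (which tool signals its own process, and when) so the permission can be re-evaluated later instead of being carried forward unexplained.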
@@ -16646,6 +16670,8 @@
+ seutil_get_semanage_trans_lock($1)
+ seutil_get_semanage_read_lock($1)
+
++ userdom_dontaudit_write_unpriv_user_home_content_files($1)
++
+ optional_policy(`
+ rpm_dontaudit_rw_tmp_files($1)
+ rpm_dontaudit_rw_pipes($1)
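Review bot: userdom_dontaudit_write_unpriv_user_home_content_files($1) silences the denial rather than fixing its cause, so a semanage run that genuinely tries to write into a user's home directory will now fail with no AVC record. Add a comment beside the call naming the benign write being hidden, so anyone debugging a silent failure knows to rebuild with dontaudit rules disabled.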
@@ -17759,7 +17785,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-09 14:38:42.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-10 07:24:23.000000000 -0500
@@ -29,8 +29,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.573
retrieving revision 1.574
diff -u -r1.573 -r1.574
--- selinux-policy.spec 9 Nov 2007 19:42:59 -0000 1.573
+++ selinux-policy.spec 10 Nov 2007 13:18:35 -0000 1.574
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 50%{?dist}
+Release: 51%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -380,6 +380,14 @@
%endif
%changelog
+* Sat Nov 10 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-51
+- Allow login programs to run mount
+- Dontaudit writes to user_home_t for semanage
+- Allow sendmail to write to cyrus_stream
+- Define /dev/dmmidi1 as a sound_device_t
+- Allow saslauthd to use nis_authentication
+
+
* Fri Nov 9 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-50
- Allow login programs to delete user temp files
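Review bot: the 3.0.8-51 changelog entry omits three changes that ship in this commit: enabling the postgrey module in modules-targeted.conf, widening the HAL file context to /var/run/vbe.*, and the new self:process signal permission in selinuxutil.if. Add a line for each so the RPM changelog matches the policy that is actually delivered. The entry is also followed by two blank lines where the older entries use one.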