rpms/selinux-policy/F-8 policy-20070703.patch, 1.131, 1.132 selinux-policy.spec, 1.575, 1.576
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Nov 12 21:51:08 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30125
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Mon Nov 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-53
- Allow bugzilla policy to connect to postgresql and mysql on other machines
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.131
retrieving revision 1.132
diff -u -r1.131 -r1.132
--- policy-20070703.patch 12 Nov 2007 18:42:15 -0000 1.131
+++ policy-20070703.patch 12 Nov 2007 21:51:05 -0000 1.132
@@ -3987,7 +3987,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-01 14:02:44.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-12 16:36:39.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -3997,7 +3997,32 @@
relabelfrom_fifo_files_pattern($1,device_t,device_node)
relabelfrom_sock_files_pattern($1,device_t,device_node)
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
-@@ -1306,6 +1306,44 @@
+@@ -185,6 +185,24 @@
+
+ ########################################
+ ## <summary>
++## Manage of directories in /dev.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to relabel.
++## </summary>
++## </param>
++#
++interface(`dev_manage_generic_dirs',`
++ gen_require(`
++ type device_t;
++ ')
++
++ manage_dirs_pattern($1,device_t,device_t)
++')
++
++########################################
++## <summary>
+ ## Allow full relabeling (to and from) of directories in /dev.
+ ## </summary>
+ ## <param name="domain">
+@@ -1306,6 +1324,44 @@
########################################
## <summary>
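Review bot: The parameter doc of the new `dev_manage_generic_dirs` interface reads `## Domain allowed to relabel.`, which is copied from the relabel interfaces around it and does not describe what this interface grants; the summary `## Manage of directories in /dev.` is also ungrammatical. I would write the summary as `## Create, read, write, and delete directories in /dev.` and the parameter line as `## Domain allowed access.`. Because `manage_dirs_pattern` expands to the full manage permission set (which, as far as I recall manage_dir_perms, includes rmdir and rename as well as create and setattr), the doc should make that breadth explicit so callers do not reach for it when the narrower dev_create_generic_dirs / dev_setattr_generic_dirs pair suffices.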
@@ -4042,7 +4067,7 @@
## Read input event devices (/dev/input).
## </summary>
## <param name="domain">
-@@ -1623,6 +1661,78 @@
+@@ -1623,6 +1679,78 @@
########################################
## <summary>
@@ -4184,7 +4209,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-07 17:28:12.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-12 15:59:14.000000000 -0500
@@ -6,6 +6,22 @@
# Declarations
#
@@ -4222,7 +4247,7 @@
# Use trusted objects in /dev
dev_rw_null(domain)
-@@ -134,3 +154,28 @@
+@@ -134,3 +154,32 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -4251,6 +4276,10 @@
+optional_policy(`
+ rpm_rw_pipes(domain)
+')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(domain)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.8/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-10-22 13:21:41.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.fc 2007-10-29 23:59:29.000000000 -0400
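Review bot: `unconfined_dontaudit_rw_pipes(domain)` is attached to the `domain` attribute, so it silences read/write denials on unconfined pipes for every confined domain on the system rather than for the few that were observed generating noise. A dontaudit grants nothing, but a blanket one removes the AVC record that would otherwise show a confined service being wired to an unconfined process's pipe, which is the kind of event worth keeping visible when debugging a policy or hunting for misuse. I would scope it to the domains that actually need it, or at least precede the block with a comment such as `# dontaudit only: confined domains inheriting pipes from an unconfined parent; no access granted` so the intent is recorded. The rest of domain.te continues outside this hunk.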
@@ -5778,7 +5807,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-11-12 10:03:38.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-11-12 15:10:54.000000000 -0500
@@ -20,6 +20,9 @@
# Declarations
#
@@ -6146,15 +6175,15 @@
+')
+
+tunable_policy(`httpd_use_nfs', `
-+ fs_read_nfs_files(httpd_sys_script_t)
-+ fs_read_nfs_symlinks(httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
++ fs_read_nfs_files(httpd_sys_script_t)
++ fs_read_nfs_symlinks(httpd_sys_script_t)
++')
++
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -6206,19 +6235,45 @@
')
########################################
-@@ -728,3 +878,20 @@
+@@ -728,3 +878,48 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
++
++type httpd_bugzilla_tmp_t;
++files_tmp_file(httpd_bugzilla_tmp_t)
++
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
++allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
++allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
++
++corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
++corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
++corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
++corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
++corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
++
++manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
++manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
++files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_t,{ file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
++sysnet_read_config(httpd_bugzilla_script_t)
++
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
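Review bot: The transition rule `files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_t,{ file dir })` names `httpd_bugzilla_t`, but the type declared two lines above and used by both manage_*_pattern rules is `httpd_bugzilla_tmp_t`; unless `httpd_bugzilla_t` is declared somewhere not shown here the module will fail to build, and if it is declared, files the CGI creates under /tmp will not carry the label the manage rules cover. It should read `files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file dir })`. Separately, the new tcp/udp socket permissions, the corenet_*_all_* rules and `corenet_tcp_connect_http_port` are unconditional, whereas the equivalent socket grant for httpd_sys_script_t earlier in this same file sits inside `tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`; the outbound-HTTP connect also goes beyond the changelog's "connect to postgresql and mysql on other machines". Wrapping the network rules in that same tunable, or documenting why the bugzilla scripts need unconditional outbound HTTP, would keep the boolean meaningful for administrators.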
@@ -6227,6 +6282,8 @@
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.0.8/policy/modules/services/apcupsd.if
--- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apcupsd.if 2007-10-29 23:59:29.000000000 -0400
@@ -8845,8 +8902,8 @@
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-11-06 16:58:01.000000000 -0500
-@@ -42,6 +42,10 @@
++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-11-12 16:50:00.000000000 -0500
+@@ -42,11 +42,17 @@
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
@@ -8857,7 +8914,14 @@
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
-@@ -61,9 +65,6 @@
+ allow $1 self:udp_socket create_socket_perms;
+
++ fs_rw_tmpfs_files($1)
++
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_all_if($1)
+@@ -61,9 +67,6 @@
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
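Review bot: `fs_rw_tmpfs_files($1)` inside the `allow_kerberos` tunable gives every caller of this interface read/write on all generic tmpfs_t files, not just the kerberos credential or replay cache it is presumably added for; tmpfs_t also labels unrelated content on /dev/shm and similar mounts. The same patch assigns `krb5_host_rcache_t` to `/var/tmp/host_0` (visible above), which suggests a dedicated typed file is the intended mechanism for the replay cache, so a rule on that type, or on a tmpfs-derived type of its own, would keep the grant narrow. At minimum a comment such as `# rcache/ccache may live on tmpfs; TODO narrow to a dedicated type` should record why the generic rule was chosen. The enclosing interface begins outside this hunk.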
@@ -8867,7 +8931,7 @@
')
optional_policy(`
-@@ -172,3 +173,51 @@
+@@ -172,3 +175,51 @@
allow $1 krb5kdc_conf_t:file read_file_perms;
')
@@ -13167,8 +13231,18 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-11-12 11:59:59.000000000 -0500
-@@ -126,6 +126,8 @@
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-11-12 16:36:52.000000000 -0500
+@@ -116,8 +116,7 @@
+ dev_rw_agp($1_xserver_t)
+ dev_rw_framebuffer($1_xserver_t)
+ dev_manage_dri_dev($1_xserver_t)
+- dev_create_generic_dirs($1_xserver_t)
+- dev_setattr_generic_dirs($1_xserver_t)
++ dev_manage_generic_dirs($1_xserver_t)
+ # raw memory access is needed if not using the frame buffer
+ dev_read_raw_memory($1_xserver_t)
+ dev_wx_raw_memory($1_xserver_t)
+@@ -126,6 +125,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
dev_rwx_zero($1_xserver_t)
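Review bot: Replacing `dev_create_generic_dirs` and `dev_setattr_generic_dirs` with `dev_manage_generic_dirs` widens the X server's rights on every generic device_t directory from create+setattr to the full manage set, which (as far as I recall manage_dir_perms) adds rmdir, rename and write on those directories. Nothing in the hunk records which denial motivated the change; if one specific operation was missing, a narrower interface for just that permission, or a comment such as `# manage needed for <operation> on /dev/<dir>` naming it, would avoid letting the X server remove or rename arbitrary /dev subdirectories. The enclosing template starts outside this hunk.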
@@ -13177,7 +13251,7 @@
domain_mmap_low($1_xserver_t)
-@@ -141,10 +143,12 @@
+@@ -141,10 +142,12 @@
fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
@@ -13191,7 +13265,7 @@
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
-@@ -178,13 +182,7 @@
+@@ -178,13 +181,7 @@
auth_search_pam_console_data($1_xserver_t)
')
@@ -13206,7 +13280,7 @@
optional_policy(`
rhgb_getpgid($1_xserver_t)
-@@ -251,7 +249,7 @@
+@@ -251,7 +248,7 @@
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_fonts_config_t, fonts_config_type;
@@ -13215,7 +13289,7 @@
type $1_iceauth_t;
domain_type($1_iceauth_t)
-@@ -282,11 +280,15 @@
+@@ -282,11 +279,15 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@@ -13231,7 +13305,7 @@
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-@@ -316,6 +318,7 @@
+@@ -316,6 +317,7 @@
userdom_use_user_ttys($1,$1_xserver_t)
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@@ -13239,7 +13313,7 @@
xserver_use_user_fonts($1,$1_xserver_t)
xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -324,13 +327,6 @@
+@@ -324,13 +326,6 @@
userhelper_search_config($1_xserver_t)
')
@@ -13253,7 +13327,7 @@
##############################
#
# $1_xauth_t Local policy
-@@ -353,12 +349,6 @@
+@@ -353,12 +348,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
@@ -13266,7 +13340,7 @@
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
-@@ -387,6 +377,14 @@
+@@ -387,6 +376,14 @@
')
optional_policy(`
@@ -13281,7 +13355,7 @@
nis_use_ypbind($1_xauth_t)
')
-@@ -536,17 +534,15 @@
+@@ -536,17 +533,15 @@
template(`xserver_user_client_template',`
gen_require(`
@@ -13305,7 +13379,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +551,54 @@
+@@ -555,25 +550,54 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -13368,7 +13442,7 @@
')
')
-@@ -626,6 +651,24 @@
+@@ -626,6 +650,24 @@
########################################
## <summary>
@@ -13393,7 +13467,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +702,73 @@
+@@ -659,6 +701,73 @@
########################################
## <summary>
@@ -13467,7 +13541,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -927,6 +1037,7 @@
+@@ -927,6 +1036,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -13475,7 +13549,7 @@
')
########################################
-@@ -987,6 +1098,37 @@
+@@ -987,6 +1097,37 @@
########################################
## <summary>
@@ -13513,7 +13587,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1136,7 +1278,7 @@
+@@ -1136,7 +1277,7 @@
type xdm_xserver_tmp_t;
')
@@ -13522,7 +13596,7 @@
')
########################################
-@@ -1325,3 +1467,82 @@
+@@ -1325,3 +1466,82 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -16201,7 +16275,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/modutils.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/modutils.te 2007-11-12 15:58:45.000000000 -0500
@@ -42,7 +42,7 @@
# insmod local policy
#
@@ -16211,7 +16285,15 @@
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
-@@ -63,6 +63,7 @@
+@@ -54,6 +54,7 @@
+ can_exec(insmod_t, insmod_exec_t)
+
+ kernel_load_module(insmod_t)
++kernel_search_network_state(insmod_t)
+ kernel_read_system_state(insmod_t)
+ kernel_write_proc_files(insmod_t)
+ kernel_mount_debugfs(insmod_t)
+@@ -63,6 +64,7 @@
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t)
@@ -16219,7 +16301,7 @@
files_read_kernel_modules(insmod_t)
# for locking: (cjp: ????)
-@@ -76,9 +77,7 @@
+@@ -76,9 +78,7 @@
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -16230,7 +16312,7 @@
fs_getattr_xattr_fs(insmod_t)
-@@ -101,6 +100,7 @@
+@@ -101,6 +101,7 @@
init_use_fds(insmod_t)
init_use_script_fds(insmod_t)
init_use_script_ptys(insmod_t)
@@ -16238,7 +16320,7 @@
libs_use_ld_so(insmod_t)
libs_use_shared_libs(insmod_t)
-@@ -112,11 +112,27 @@
+@@ -112,11 +113,27 @@
seutil_read_file_contexts(insmod_t)
@@ -16266,7 +16348,7 @@
hotplug_search_config(insmod_t)
')
-@@ -149,10 +165,12 @@
+@@ -149,10 +166,13 @@
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -16276,10 +16358,11 @@
optional_policy(`
unconfined_dontaudit_rw_pipes(insmod_t)
+ unconfined_dontaudit_use_terminals(insmod_t)
++ unconfined_domain(insmod_t)
')
optional_policy(`
-@@ -179,6 +197,7 @@
+@@ -179,6 +199,7 @@
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
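Review bot: `unconfined_domain(insmod_t)` removes all SELinux confinement from the module-loading domain, and the change is not mentioned in this release's changelog, which only describes the bugzilla work. It also makes the neighbouring `unconfined_dontaudit_rw_pipes` / `unconfined_dontaudit_use_terminals` lines and the `kernel_search_network_state(insmod_t)` rule added earlier in this same file redundant, and presumably means any domain that can transition to insmod_t (modprobe/insmod callers) now gains an unconfined path instead of the specific permissions the rest of modutils.te enumerates. If a particular denial triggered this, the targeted allow rule belongs here instead; if unconfining insmod_t is intended, it needs a changelog entry and a comment such as `# insmod_t is unconfined: it loads arbitrary kernel code, so confinement adds little` so the decision is visible to later reviewers.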
@@ -16287,7 +16370,7 @@
fs_getattr_xattr_fs(depmod_t)
-@@ -205,9 +224,12 @@
+@@ -205,9 +226,12 @@
userdom_read_staff_home_content_files(depmod_t)
userdom_read_sysadm_home_content_files(depmod_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.575
retrieving revision 1.576
diff -u -r1.575 -r1.576
--- selinux-policy.spec 12 Nov 2007 18:42:15 -0000 1.575
+++ selinux-policy.spec 12 Nov 2007 21:51:05 -0000 1.576
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 52%{?dist}
+Release: 53%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -380,7 +380,10 @@
%endif
%changelog
-* Mon Nov 11 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-52
+* Mon Nov 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-53
+- Allow bugzilla policy to connect to postgresql and mysql on other machines
+
+* Mon Nov 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-52
- Allow apache to read unconfined users content
* Sat Nov 10 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-51