rpms/selinux-policy/F-7 policy-20070501.patch, 1.76, 1.77 selinux-policy.spec, 1.506, 1.507

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Nov 20 12:11:30 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9642

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Tue Nov 20 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-58
- Allow rhgb to getattr on filesystems
- Allow dictd to use /var/run directory
- Fix printer labels under /usr/local/Printer and Brother
- Fix /var/log/clamav labeling
- Remove a lot of foolish avc's from terminal redirection


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- policy-20070501.patch	13 Nov 2007 21:43:23 -0000	1.76
+++ policy-20070501.patch	20 Nov 2007 12:11:26 -0000	1.77
@@ -1827,7 +1827,7 @@
  /opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc	2007-10-18 17:18:18.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc	2007-11-14 10:47:47.000000000 -0500
 @@ -36,6 +36,11 @@
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -1863,16 +1863,18 @@
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
-@@ -164,6 +168,8 @@
+@@ -164,6 +168,10 @@
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Brother/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)?      gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother(/.*)?/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother(/.*)?/cupswrapper(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Printer/[^/]*/lpd(/.*)?      	gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Printer/[^/]*/cupswrapper(/.*)?      gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
-@@ -189,6 +195,7 @@
+@@ -189,6 +197,7 @@
  ifdef(`distro_redhat', `
  /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
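Review bot: The new Brother entries `/usr/local/Brother(/.*)?/lpd(/.*)?` and `/usr/local/Brother(/.*)?/cupswrapper(/.*)?` put an unbounded `(/.*)?` in the middle of the path, so any directory named `lpd` or `cupswrapper` at any depth under /usr/local/Brother, and everything beneath it, is labeled `bin_t`. The Printer entries added next to them bound the variable part to a single component with `[^/]*`. If the layout is the one the removed line implied (`Brother/Printer/<model>/...`), a bounded form such as `/usr/local/Brother(/Printer/[^/]*)?/lpd(/.*)?` would cover the same files without marking unrelated subtrees as executable. The real driver layout is not visible in this diff, so confirm it against an installed package before narrowing.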
@@ -1880,7 +1882,7 @@
  /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -220,6 +227,7 @@
+@@ -220,6 +229,7 @@
  /usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -1888,7 +1890,7 @@
  /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -248,6 +256,7 @@
+@@ -248,6 +258,7 @@
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
@@ -1896,7 +1898,7 @@
  
  /var/qmail/bin                  -d      gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?                    gen_context(system_u:object_r:bin_t,s0)
-@@ -256,3 +265,18 @@
+@@ -256,3 +267,18 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -2422,7 +2424,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.6.4/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/domain.te	2007-10-30 16:16:45.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/domain.te	2007-11-16 09:43:24.000000000 -0500
 @@ -6,6 +6,29 @@
  # Declarations
  #
@@ -2464,7 +2466,7 @@
  # Domains that can set their current context
  # (perform dynamic transitions)
  attribute set_curr_context;
-@@ -144,3 +171,33 @@
+@@ -144,3 +171,35 @@
  
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
@@ -2495,9 +2497,11 @@
 +# Allow all domains to use fds past to them
 +allow domain domain:fd use;
 +optional_policy(`
-+	rpm_dontaudit_rw_pipes(domain)
++	rpm_rw_pipes(domain)
++')
++optional_policy(`
++	unconfined_dontaudit_rw_pipes(domain)
 +')
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/kernel/files.fc	2007-10-18 17:13:23.000000000 -0400
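Review bot: `rpm_rw_pipes(domain)` replaces a `dontaudit` with an allow for every type carrying the `domain` attribute, which is wider than the changelog entry about removing AVCs from terminal redirection suggests. Silencing the denials only needs the previous `rpm_dontaudit_rw_pipes(domain)`. If real read/write access to rpm's pipes is required, the rule should carry a comment saying why, for example `# TODO: narrow rpm_rw_pipes to the domains that need real access`. The init.te hunk further down adds `rpm_dontaudit_rw_pipes(daemon)`, which presumably has no effect for daemon types that are also in `domain` once this allow is in place.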
@@ -4623,7 +4627,7 @@
  fs_getattr_xattr_fs(ndc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.6.4/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/bluetooth.te	2007-09-18 13:32:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/bluetooth.te	2007-11-14 10:31:00.000000000 -0500
 @@ -139,6 +139,8 @@
  	dbus_system_bus_client_template(bluetooth,bluetooth_t)
  	dbus_connect_system_bus(bluetooth_t)
@@ -4635,16 +4639,19 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.6.4/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/clamav.fc	2007-08-07 09:42:35.000000000 -0400
-@@ -9,6 +9,8 @@
++++ serefpolicy-2.6.4/policy/modules/services/clamav.fc	2007-11-14 10:43:00.000000000 -0500
+@@ -9,8 +9,9 @@
  
  /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
  /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
 +/var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
 +/var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
  /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
- /var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
- /var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
+-/var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
+-/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
++/var/log/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_log_t,s0)
+ /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
+ /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.6.4/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2007-05-07 14:50:57.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/clamav.te	2007-08-13 19:28:50.000000000 -0400
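Review bot: With `/var/log/clamav(/.*)?` now covering the whole directory, the `freshclam_var_log_t` label depends on `/var/log/clamav/freshclam.*` being treated as the more specific match, and nothing in the file says so. A comment above the freshclam line, such as `# must stay more specific than /var/log/clamav(/.*)? so freshclam logs keep their own type`, would protect it from a later cleanup. The new entry also drops the `-d` and `--` file-type qualifiers, so every object class under the directory gets `clamd_var_log_t`; that is presumably intended but worth stating.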
@@ -5139,7 +5146,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.fc	2007-09-11 08:58:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cups.fc	2007-11-14 10:50:09.000000000 -0500
 @@ -8,6 +8,7 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5157,11 +5164,12 @@
  /usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
  /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
  
-@@ -52,3 +53,4 @@
+@@ -52,3 +53,5 @@
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  
  /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/cups.te	2007-10-05 08:56:23.000000000 -0400
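Review bot: The `inf` labeling is not brought in line with the corecommands.fc hunk. `/usr/local/Brother/inf(/.*)?` stays a single fixed path, while the Brother `lpd` and `cupswrapper` entries were widened to nested directories and the new Printer line uses `[^/]*`. If Brother drivers also ship `inf` under a per-model directory, those files would miss `cupsd_rw_etc_t`; something like `/usr/local/Brother(/Printer/[^/]*)?/inf(/.*)?` would match the other entries. The on-disk layout is not visible in this diff, so this needs checking against an installed driver.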
@@ -5507,6 +5515,37 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-2.6.4/policy/modules/services/dictd.fc
+--- nsaserefpolicy/policy/modules/services/dictd.fc	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dictd.fc	2007-11-14 12:27:15.000000000 -0500
+@@ -4,3 +4,4 @@
+ /usr/sbin/dictd		--	gen_context(system_u:object_r:dictd_exec_t,s0)
+ 
+ /var/lib/dictd(/.*)?		gen_context(system_u:object_r:dictd_var_lib_t,s0)
++/var/run/dictd\.pid	--	gen_context(system_u:object_r:dictd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-2.6.4/policy/modules/services/dictd.te
+--- nsaserefpolicy/policy/modules/services/dictd.te	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dictd.te	2007-11-14 11:34:47.000000000 -0500
+@@ -16,6 +16,9 @@
+ type dictd_var_lib_t alias var_lib_dictd_t;
+ files_type(dictd_var_lib_t)
+ 
++type dictd_var_run_t;
++files_pid_file(dictd_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -34,6 +37,9 @@
+ allow dictd_t dictd_var_lib_t:dir list_dir_perms;
+ allow dictd_t dictd_var_lib_t:file read_file_perms;
+ 
++manage_files_pattern(dictd_t,dictd_var_run_t,dictd_var_run_t)
++files_pid_filetrans(dictd_t,dictd_var_run_t,file)
++
+ kernel_read_system_state(dictd_t)
+ kernel_read_kernel_sysctls(dictd_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-2.6.4/policy/modules/services/djbdns.te
 --- nsaserefpolicy/policy/modules/services/djbdns.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/djbdns.te	2007-08-07 09:42:35.000000000 -0400
@@ -12063,7 +12102,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.6.4/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/init.te	2007-09-04 12:06:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/init.te	2007-11-16 09:39:37.000000000 -0500
 @@ -10,13 +10,20 @@
  # Declarations
  #
@@ -12184,6 +12223,15 @@
  ')
  
  optional_policy(`
+@@ -786,3 +815,8 @@
+ optional_policy(`
+ 	zebra_read_config(initrc_t)
+ ')
++
++optional_policy(`
++	rpm_dontaudit_rw_pipes(daemon)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-2.6.4/policy/modules/system/ipsec.if
 --- nsaserefpolicy/policy/modules/system/ipsec.if	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/ipsec.if	2007-08-07 09:42:35.000000000 -0400


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.506
retrieving revision 1.507
diff -u -r1.506 -r1.507
--- selinux-policy.spec	13 Nov 2007 21:43:23 -0000	1.506
+++ selinux-policy.spec	20 Nov 2007 12:11:27 -0000	1.507
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 57%{?dist}
+Release: 58%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -363,6 +363,13 @@
 %endif
 
 %changelog
+* Tue Nov 20 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-58
+- Allow rhgb to getattr on filesystems
+- Allow dictd to use /var/run direcory
+- Fix printer labels under /usr/local/Printer and Brother
+- Fix /var/log/clamav labeling
+- Remove a lot of foolish avc's from terminal redirection\
+
 * Tue Nov 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-57
 - Allow dovecot to communicate with postfix_private sockets
 



