rpms/selinux-policy/devel policy-20071114.patch, 1.1, 1.2 selinux-policy.spec, 1.557, 1.558
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Wed Nov 28 16:57:40 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18128
Modified Files:
policy-20071114.patch selinux-policy.spec
Log Message:
* Wed Nov 28 2007 Dan Walsh <dwalsh at redhat.com> 3.1.2-2
- Remove user specific crond_t
policy-20071114.patch:
Index: policy-20071114.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071114.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20071114.patch 27 Nov 2007 04:11:10 -0000 1.1
+++ policy-20071114.patch 28 Nov 2007 16:56:57 -0000 1.2
@@ -1256,7 +1256,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.1.2/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.2/policy/modules/admin/rpm.te 2007-11-26 16:40:13.000000000 -0500
++++ serefpolicy-3.1.2/policy/modules/admin/rpm.te 2007-11-28 10:57:00.000000000 -0500
@@ -139,6 +139,7 @@
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
@@ -1287,7 +1287,15 @@
')
optional_policy(`
-@@ -289,6 +296,7 @@
+@@ -195,6 +202,7 @@
+ unconfined_domain(rpm_t)
+ # yum-updatesd requires this
+ unconfined_dbus_chat(rpm_t)
++ unconfined_dbus_chat(rpm_script_t)
+ ')
+
+ ifdef(`TODO',`
+@@ -289,6 +297,7 @@
auth_dontaudit_getattr_shadow(rpm_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(rpm_script_t)
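Review bot: `unconfined_dbus_chat(rpm_script_t)` is added directly under the existing `# yum-updatesd requires this` comment, which only justifies the `rpm_t` line above it, so a reader cannot tell which scriptlet needs package scripts to exchange D-Bus messages with unconfined domains. Because rpm_script_t runs whatever post-install scripts a package ships, a one-line comment naming the requester would make this grant auditable, e.g. `# <package> scriptlet signals unconfined_t over D-Bus`. The `optional_policy` block this sits in begins before the hunk.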
@@ -1295,7 +1303,7 @@
corecmd_exec_all_executables(rpm_script_t)
-@@ -321,6 +329,7 @@
+@@ -321,6 +330,7 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -1303,7 +1311,7 @@
userdom_use_all_users_fds(rpm_script_t)
-@@ -339,10 +348,6 @@
+@@ -339,10 +349,6 @@
')
optional_policy(`
@@ -2869,7 +2877,7 @@
network_port(postgrey, tcp,60000,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.1.2/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-11-14 16:20:13.000000000 -0500
-+++ serefpolicy-3.1.2/policy/modules/kernel/devices.fc 2007-11-26 16:40:13.000000000 -0500
++++ serefpolicy-3.1.2/policy/modules/kernel/devices.fc 2007-11-28 10:30:00.000000000 -0500
@@ -4,6 +4,7 @@
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -2896,18 +2904,16 @@
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
-@@ -30,7 +34,10 @@
+@@ -30,6 +34,8 @@
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
+/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
- /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-@@ -114,9 +121,14 @@
+@@ -114,9 +120,14 @@
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
@@ -4610,8 +4616,8 @@
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.1.2/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.2/policy/modules/services/cron.if 2007-11-26 16:40:13.000000000 -0500
-@@ -35,6 +35,7 @@
++++ serefpolicy-3.1.2/policy/modules/services/cron.if 2007-11-28 08:46:16.000000000 -0500
+@@ -35,38 +35,23 @@
#
template(`cron_per_role_template',`
gen_require(`
@@ -4619,10 +4625,13 @@
attribute cron_spool_type;
type crond_t, cron_spool_t, crontab_exec_t;
')
-@@ -44,29 +45,13 @@
++ typealias $1_t alias $1_crond_t;
+
+ # Type of user crontabs once moved to cron spool.
+ type $1_cron_spool_t, cron_spool_type;
files_type($1_cron_spool_t)
- type $1_crond_t;
+- type $1_crond_t;
- domain_type($1_crond_t)
- domain_cron_exemption_target($1_crond_t)
- corecmd_shell_entry_type($1_crond_t)
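Review bot: `typealias $1_t alias $1_crond_t;` makes every rule that still names `$1_crond_t`, in this file or in callers such as unconfined.te, apply to the whole user domain `$1_t`, so cron jobs now run with the interactive user's full permission set and the `domain_cron_exemption_target` / `corecmd_shell_entry_type` constraints removed below no longer exist. That matches the log message "Remove user specific crond_t", but nothing in the template says so; a comment such as `# cron jobs run in the user domain itself; the alias keeps existing $1_crond_t references compiling` would make the intent explicit. Presumably the entry point that lets crond_t transition into `$1_t` is provided elsewhere — worth confirming, since the entry-type line for the old domain is being removed here. `cron_per_role_template` continues beyond this hunk.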
@@ -4815,7 +4824,23 @@
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -438,6 +333,25 @@
+@@ -285,14 +180,12 @@
+ template(`cron_admin_template',`
+ gen_require(`
+ attribute cron_spool_type;
+- type $1_crontab_t, $1_crond_t;
++ type $1_crontab_t;
+ ')
+
+ # Allow our crontab domain to unlink a user cron spool file.
+ allow $1_crontab_t cron_spool_type:file { getattr read unlink };
+
+- logging_read_generic_logs($1_crond_t)
+-
+ # Manipulate other users crontab.
+ selinux_get_fs_mount($1_crontab_t)
+ selinux_validate_context($1_crontab_t)
+@@ -438,6 +331,25 @@
########################################
## <summary>
@@ -5054,8 +5079,8 @@
ifdef(`TODO',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.1.2/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.1.2/policy/modules/services/cups.fc 2007-11-26 16:40:13.000000000 -0500
-@@ -8,17 +8,14 @@
++++ serefpolicy-3.1.2/policy/modules/services/cups.fc 2007-11-28 08:28:27.000000000 -0500
+@@ -8,17 +8,15 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5068,13 +5093,14 @@
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -26,6 +23,11 @@
+@@ -26,6 +24,11 @@
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
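Review bot: `/usr/bin/hpijs` is labeled `hplip_exec_t`, which groups a CUPS filter with the hplip daemons (`hpiod` below) rather than with the other filters; if cupsd_t has a domain transition on hplip_exec_t, hpijs will run as hplip_t with that domain's device and network access instead of staying in the printing domain. Whether that is intended cannot be told from this file, so a comment stating the target domain, e.g. `# hpijs runs as hplip_t so it can reach the HP backend`, would make the choice deliberate. The surrounding file-context list continues outside the hunk.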
@@ -5086,7 +5112,7 @@
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -33,7 +35,7 @@
+@@ -33,7 +36,7 @@
/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5095,7 +5121,7 @@
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -50,3 +52,6 @@
+@@ -50,3 +53,6 @@
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
@@ -9312,7 +9338,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.1.2/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.2/policy/modules/services/sendmail.te 2007-11-26 16:40:13.000000000 -0500
++++ serefpolicy-3.1.2/policy/modules/services/sendmail.te 2007-11-28 07:25:24.000000000 -0500
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -9347,7 +9373,7 @@
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -94,30 +99,32 @@
+@@ -94,30 +99,33 @@
miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
@@ -9356,6 +9382,7 @@
-
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
++userdom_read_all_users_home_content_files(sendmail_t)
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
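Review bot: `userdom_read_all_users_home_content_files(sendmail_t)` gives the sendmail daemon read access to every file in every user's home directory, not just mail-related ones, and none of the surrounding lines explain why. If the motivation is ~/.forward handling (the usual reason), a narrower interface or a tunable would limit what a compromised sendmail_t can read; at minimum a comment such as `# sendmail reads ~/.forward in user home directories` is needed so the grant can be revisited. The block this line belongs to begins before the hunk.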
@@ -9386,7 +9413,7 @@
')
optional_policy(`
-@@ -131,10 +138,18 @@
+@@ -131,10 +139,18 @@
')
optional_policy(`
@@ -9405,7 +9432,7 @@
udev_read_db(sendmail_t)
')
-@@ -156,3 +171,15 @@
+@@ -156,3 +172,15 @@
dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
') dnl end TODO
@@ -13007,6 +13034,19 @@
optional_policy(`
hotplug_use_fds(setfiles_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.1.2/policy/modules/system/sysnetwork.fc
+--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2006-11-16 17:15:24.000000000 -0500
++++ serefpolicy-3.1.2/policy/modules/system/sysnetwork.fc 2007-11-28 11:55:44.000000000 -0500
+@@ -52,8 +52,7 @@
+ /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+ /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+
+-/var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+-/var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
++/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+
+ ifdef(`distro_gentoo',`
+ /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.1.2/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400
+++ serefpolicy-3.1.2/policy/modules/system/sysnetwork.if 2007-11-26 16:40:13.000000000 -0500
@@ -13484,7 +13524,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.1.2/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.1.2/policy/modules/system/unconfined.te 2007-11-26 16:40:13.000000000 -0500
++++ serefpolicy-3.1.2/policy/modules/system/unconfined.te 2007-11-28 08:47:02.000000000 -0500
@@ -16,6 +16,10 @@
type unconfined_exec_t;
@@ -13545,17 +13585,18 @@
unconfined_domain(httpd_unconfined_script_t)
')
-@@ -73,6 +87,9 @@
+@@ -71,8 +85,8 @@
+
+ optional_policy(`
cron_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(unconfined_crond_t)
+- # this is disallowed usage:
+- unconfined_domain(unconfined_crond_t)
+ unconfined_domain(unconfined_crontab_t)
+ role system_r types unconfined_crontab_t;
-+ rpm_transition_script(unconfined_crond_t)
')
optional_policy(`
-@@ -107,6 +124,10 @@
+@@ -107,6 +121,10 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
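Review bot: `rpm_transition_script(unconfined_crond_t)` is dropped together with `unconfined_domain(unconfined_crond_t)`; since unconfined_crond_t becomes an alias of unconfined_t in this same commit the domain is unconfined regardless, but rpm scriptlet transitions for cron-launched rpm runs now rely on unconfined_t already having an equivalent rule outside this hunk — worth confirming. `unconfined_domain(unconfined_crontab_t)` is also added without explanation; a brief `# crontab for unconfined users is itself unconfined` would make that deliberate, given crontab is typically a privileged helper. The `optional_policy` block continues past the hunk.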
@@ -13566,7 +13607,7 @@
')
optional_policy(`
-@@ -118,11 +139,11 @@
+@@ -118,11 +136,11 @@
')
optional_policy(`
@@ -13580,7 +13621,7 @@
')
optional_policy(`
-@@ -134,11 +155,7 @@
+@@ -134,11 +152,7 @@
')
optional_policy(`
@@ -13593,7 +13634,7 @@
')
optional_policy(`
-@@ -154,33 +171,20 @@
+@@ -154,33 +168,20 @@
')
optional_policy(`
@@ -13631,7 +13672,7 @@
')
optional_policy(`
-@@ -205,11 +209,22 @@
+@@ -205,11 +206,22 @@
')
optional_policy(`
@@ -13656,7 +13697,7 @@
')
########################################
-@@ -219,14 +234,26 @@
+@@ -219,14 +231,26 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -13694,7 +13735,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.1.2/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.1.2/policy/modules/system/userdomain.if 2007-11-26 22:54:17.000000000 -0500
++++ serefpolicy-3.1.2/policy/modules/system/userdomain.if 2007-11-28 07:19:08.000000000 -0500
@@ -29,8 +29,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.557
retrieving revision 1.558
diff -u -r1.557 -r1.558
--- selinux-policy.spec 26 Nov 2007 15:40:45 -0000 1.557
+++ selinux-policy.spec 28 Nov 2007 16:56:57 -0000 1.558
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.1.2
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -379,6 +379,9 @@
%endif
%changelog
+* Wed Nov 28 2007 Dan Walsh <dwalsh at redhat.com> 3.1.2-2
+- Remove user specific crond_t
+
* Mon Nov 19 2007 Dan Walsh <dwalsh at redhat.com> 3.1.2-1
- Merge with upstream
- Allow xsever to read hwdata_t