rpms/selinux-policy/devel booleans-targeted.conf, 1.29, 1.30 policy-20070703.patch, 1.80, 1.81 selinux-policy.spec, 1.539, 1.540

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Oct 5 11:44:19 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18630

Modified Files:
	booleans-targeted.conf policy-20070703.patch 
	selinux-policy.spec 
Log Message:
* Thu Oct 4 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-18
- Remove homedir_template



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- booleans-targeted.conf	24 Jul 2007 14:39:01 -0000	1.29
+++ booleans-targeted.conf	5 Oct 2007 11:43:46 -0000	1.30
@@ -1,6 +1,6 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
-allow_execmem = false
+allow_execmem = True
 
 # Allow making a modified private filemapping executable (text relocation).
 # 
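Review bot: Flipping `allow_execmem` from `false` to `True` changes the shipped default of the targeted policy's booleans so that every domain gated on it may map anonymous memory writable and executable, and neither the log message (`Remove homedir_template`) nor the spec changelog mentions it; the same applies to `allow_execstack` in the next hunk. These two booleans exist to close off a class of code-injection techniques, so the commit should record why the default is relaxed, e.g. a comment line `# Default changed to True in 3.0.8-18 because <reason>` above the value. The mixed-case `True` also differs from the lower-case `false` used for every other boolean in this file; unless the parser is known to be case-insensitive, `true` is the safer spelling.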
@@ -8,7 +8,7 @@
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = false
+allow_execstack = True
 
 # Allow ftpd to read cifs directories.
 # 

policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- policy-20070703.patch	4 Oct 2007 14:34:02 -0000	1.80
+++ policy-20070703.patch	5 Oct 2007 11:43:46 -0000	1.81
@@ -1746,8 +1746,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mono.if	2007-10-03 11:10:24.000000000 -0400
-@@ -18,3 +18,103 @@
++++ serefpolicy-3.0.8/policy/modules/apps/mono.if	2007-10-04 13:08:55.000000000 -0400
+@@ -18,3 +18,105 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, mono_exec_t, mono_t)
  ')
@@ -1842,11 +1842,13 @@
 +
 +	userdom_unpriv_usertype($1, $1_mono_t)
 +
-+	allow $1_mono_t self:process { signal getsched execheap execmem };
++	allow $1_mono_t self:process { execheap execmem };
 +	allow $2 $1_mono_t:process noatsecure;
 +
 +	domtrans_pattern($2, mono_exec_t, $1_mono_t)
 +
++	fs_dontaudit_rw_tmpfs_files($1_mono_t)
++
 +	optional_policy(`
 +		xserver_xdm_rw_shm($1_mono_t)
 +	')
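Review bot: Dropping `signal getsched` from the `$1_mono_t self:process` rule appears to rely on `$1_mono_t` being in `$1_usertype` (via the `userdom_unpriv_usertype($1, $1_mono_t)` call above) and on the new `$1_usertype $1_usertype:process { signal_perms getsched ... }` rule in the userdomain.if hunk later in this patch; if so, the two changes only work together and a short comment here would save the next reader the search, e.g. `# signal/getsched now come from the $1_usertype self rules in userdomain.if`. The added `fs_dontaudit_rw_tmpfs_files($1_mono_t)` silences rather than grants, so if mono genuinely needs tmpfs access the denials will be hidden instead of fixed; it is worth confirming this is a known-harmless access pattern. The interface body continues outside the hunk.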
@@ -3001,7 +3003,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2007-10-04 12:58:42.000000000 -0400
 @@ -271,45 +271,6 @@
  
  ########################################
@@ -6313,7 +6315,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.8/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ftp.te	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ftp.te	2007-10-04 10:58:28.000000000 -0400
 @@ -88,6 +88,7 @@
  allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
  allow ftpd_t self:tcp_socket create_stream_socket_perms;
@@ -6322,7 +6324,19 @@
  
  allow ftpd_t ftpd_etc_t:file read_file_perms;
  
-@@ -122,6 +123,7 @@
+@@ -105,9 +106,10 @@
+ manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
+ fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ 
++manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+ manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+ manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+-files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
++files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} )
+ 
+ # proftpd requires the client side to bind a socket so that
+ # it can stat the socket to perform access control decisions,
+@@ -122,6 +124,7 @@
  
  kernel_read_kernel_sysctls(ftpd_t)
  kernel_read_system_state(ftpd_t)
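Review bot: The new `manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)` and the `dir` class added to `files_pid_filetrans` let the ftp daemon create and remove directories under the pid directory, but nothing says which daemon or path needs this; the surrounding file explains the proftpd socket rule in a comment and this rule deserves the same, e.g. `# <daemon> creates its own subdirectory under /var/run` with the actual daemon filled in. Stylistically, `{ file dir} )` has uneven spacing compared with `{ dir file lnk_file sock_file fifo_file }` a few lines up; `{ file dir })` would match.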
@@ -6330,7 +6344,7 @@
  
  dev_read_sysfs(ftpd_t)
  dev_read_urand(ftpd_t)
-@@ -157,6 +159,7 @@
+@@ -157,6 +160,7 @@
  
  auth_use_nsswitch(ftpd_t)
  auth_domtrans_chk_passwd(ftpd_t)
@@ -6338,7 +6352,7 @@
  # Append to /var/log/wtmp.
  auth_append_login_records(ftpd_t)
  #kerberized ftp requires the following
-@@ -168,7 +171,9 @@
+@@ -168,7 +172,9 @@
  libs_use_ld_so(ftpd_t)
  libs_use_shared_libs(ftpd_t)
  
@@ -6348,7 +6362,7 @@
  
  miscfiles_read_localization(ftpd_t)
  miscfiles_read_public_files(ftpd_t)
-@@ -217,6 +222,11 @@
+@@ -217,6 +223,11 @@
  	userdom_manage_all_users_home_content_dirs(ftpd_t)
  	userdom_manage_all_users_home_content_files(ftpd_t)
  	userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -6360,7 +6374,7 @@
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -252,7 +262,10 @@
+@@ -252,7 +263,10 @@
  ')
  
  optional_policy(`
@@ -13016,7 +13030,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if	2007-10-04 09:25:55.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if	2007-10-05 07:42:17.000000000 -0400
 @@ -432,6 +432,7 @@
  	role $2 types run_init_t;
  	allow run_init_t $3:chr_file rw_term_perms;
@@ -13025,6 +13039,24 @@
  ')
  
  ########################################
+@@ -585,7 +586,7 @@
+ 		type selinux_config_t;
+ 	')
+ 
+-	dontaudit $1 selinux_config_t:dir search;
++	dontaudit $1 selinux_config_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+@@ -604,7 +605,7 @@
+ 		type selinux_config_t;
+ 	')
+ 
+-	dontaudit $1 selinux_config_t:dir search;
++	dontaudit $1 selinux_config_t:dir search_dir_perms;
+ 	dontaudit $1 selinux_config_t:file { getattr read };
+ ')
+ 
 @@ -669,6 +670,7 @@
  	')
  
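Review bot: Replacing `search` with `search_dir_perms` in both dontaudit rules (the @@ -585 and @@ -604 hunks of selinuxutil.if) widens what is silenced, since the macro presumably covers more than the bare `search` permission. Because these are dontaudit rules the effect is only on which denials are logged, but silenced accesses never surface in audit2allow output, so it is worth confirming the wider set is intended rather than a mechanical substitution. A one-line comment such as `# silence the full directory search set, not just search` would record the intent.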
@@ -13703,7 +13735,7 @@
 +/usr/bin/sbcl			    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-10-04 17:36:52.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -13731,10 +13763,10 @@
 -	allow $1 self:dbus *;
 -	allow $1 self:passwd *;
 -	allow $1 self:association *;
-+	allow $1 self:nscd all_nscd;
-+	allow $1 self:dbus all_dbus;
-+	allow $1 self:passwd all_passwd;
-+	allow $1 self:association all_association;
++	allow $1 self:nscd all_nscd_perms;
++	allow $1 self:dbus all_dbus_perms;
++	allow $1 self:passwd all_passwd_perms;
++	allow $1 self:association all_association_perms;
  
  	kernel_unconfined($1)
  	corenet_unconfined($1)
@@ -14154,7 +14186,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-03 12:00:01.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-04 17:33:14.000000000 -0400
 @@ -29,8 +29,9 @@
  	')
  
@@ -14195,7 +14227,7 @@
 -	kernel_dontaudit_getattr_unlabeled_sockets($1_t)
 -	kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
 -	kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
-+	allow $1_t $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
++	allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
 +	allow $1_usertype $1_usertype:fd use;
 +	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
 +	allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
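Review bot: Changing the source of the `process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }` rule from `$1_t` to `$1_usertype` lets every domain carrying that attribute act on every other one, including back on `$1_t`; if the derived application domains (for example `$1_mono_t`, which is added to the attribute elsewhere in this patch) are meant to be confined relative to the user's main domain, they can now signal, reschedule and share state with it. That is a deliberate trade-off rather than a bug, but it is not mentioned in the log message, and a comment like `# all of the user's domains may signal and adjust each other, including $1_t` would make it explicit. The enclosing template starts outside the hunk.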
@@ -15167,7 +15199,7 @@
  ')
  
  ########################################
-@@ -5559,3 +5710,376 @@
+@@ -5559,3 +5710,380 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -15364,7 +15396,11 @@
 +userdom_xwindows_client_template($1)
 +
 +logging_send_syslog_msg($1_usertype)
-+logging_dontaudit_send_audit_msgs($1_usertype)
++logging_dontaudit_send_audit_msgs($1_t)
++
++# Need to to this just so screensaver will work. Should be moved to screensaver domain
++logging_send_audit_msgs($1_t)
++selinux_get_enforce_mode($1_t)
 +
 +optional_policy(`
 +	alsa_read_rw_config($1_usertype)
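Review bot: `logging_send_audit_msgs($1_t)` grants the whole user domain the right to send user-space audit records, so user-controlled text can be placed (subject to the capability check) in a log that incident response relies on; the comment above it already says this belongs in the screensaver domain, so landing it there rather than as a blanket grant would keep the audit trail trustworthy. The `logging_dontaudit_send_audit_msgs($1_t)` on the line above becomes redundant once the same access is allowed, and moving that dontaudit from `$1_usertype` to `$1_t` means the other user domains will now log denials for audit messages, which may be intended but is not mentioned. The comment also has a typo: `Need to to this` should read `Need to do this`. The template continues outside the hunk.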
@@ -16031,7 +16067,7 @@
 +allow webadm_t gadmin_t:dir getattr;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2007-08-22 07:14:18.000000000 -0400
-+++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt	2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt	2007-10-04 17:36:29.000000000 -0400
 @@ -216,7 +216,7 @@
  define(`getattr_file_perms',`{ getattr }')
  define(`setattr_file_perms',`{ setattr }')
@@ -16049,10 +16085,10 @@
 +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
 +')
 +
-+define(`all_nscd', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ')
-+define(`all_dbus', `{ acquire_svc send_msg } ')
-+define(`all_passwd', `{ passwd chfn chsh rootok crontab } ')
-+define(`all_association', `{ sendto recvfrom setcontext polmatch } ')
++define(`all_nscd_perms', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ')
++define(`all_dbus_perms', `{ acquire_svc send_msg } ')
++define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
++define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
 +
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.8/policy/users


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.539
retrieving revision 1.540
diff -u -r1.539 -r1.540
--- selinux-policy.spec	4 Oct 2007 14:34:02 -0000	1.539
+++ selinux-policy.spec	5 Oct 2007 11:43:46 -0000	1.540
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -100,7 +100,6 @@
 touch %{buildroot}%{_sysconfdir}/selinux/%1/seusers \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
-touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/homedir_template \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
 install -m0644 $RPM_SOURCE_DIR/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
 install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
@@ -132,7 +131,6 @@
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
 %dir %{_sysconfdir}/selinux/%1/contexts/files \
 %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
-%ghost %{_sysconfdir}/selinux/%1/contexts/files/homedir_template \
 %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
 %config %{_sysconfdir}/selinux/%1/contexts/files/media \
 %dir %{_sysconfdir}/selinux/%1/contexts/users \
@@ -372,6 +370,9 @@
 %endif
 
 %changelog
+* Thu Oct 4 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-18
+- Remove homedir_template
+
 * Tue Oct 2 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-17
 - Check asound.state
 



