rpms/selinux-policy/devel booleans-targeted.conf, 1.29, 1.30 policy-20070703.patch, 1.80, 1.81 selinux-policy.spec, 1.539, 1.540
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Oct 5 11:44:19 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18630
Modified Files:
booleans-targeted.conf policy-20070703.patch
selinux-policy.spec
Log Message:
* Thu Oct 4 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-18
- Remove homedir_template
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- booleans-targeted.conf 24 Jul 2007 14:39:01 -0000 1.29
+++ booleans-targeted.conf 5 Oct 2007 11:43:46 -0000 1.30
@@ -1,6 +1,6 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
-allow_execmem = false
+allow_execmem = True
# Allow making a modified private filemapping executable (text relocation).
#
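Review bot: Setting `allow_execmem` to on by default here, and `allow_execstack` in the next hunk, removes the policy's default block on executable anonymous memory and executable stacks, yet the log message and spec changelog record only "Remove homedir_template". If the new default is intended, record it in the changelog and in the comment above each boolean, for example `# Default on for compatibility with <application>; set to false to enforce W^X`. Otherwise keep both `false` and leave the permission to the domains that need it; the patch already carries execmem-specific types such as `unconfined_execmem_exec_t`. The new values are spelled `True` while the old ones were lowercase `false`, so pick one spelling for the file.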
@@ -8,7 +8,7 @@
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = false
+allow_execstack = True
# Allow ftpd to read cifs directories.
#
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- policy-20070703.patch 4 Oct 2007 14:34:02 -0000 1.80
+++ policy-20070703.patch 5 Oct 2007 11:43:46 -0000 1.81
@@ -1746,8 +1746,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-10-03 11:10:24.000000000 -0400
-@@ -18,3 +18,103 @@
++++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-10-04 13:08:55.000000000 -0400
+@@ -18,3 +18,105 @@
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
')
@@ -1842,11 +1842,13 @@
+
+ userdom_unpriv_usertype($1, $1_mono_t)
+
-+ allow $1_mono_t self:process { signal getsched execheap execmem };
++ allow $1_mono_t self:process { execheap execmem };
+ allow $2 $1_mono_t:process noatsecure;
+
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
+
++ fs_dontaudit_rw_tmpfs_files($1_mono_t)
++
+ optional_policy(`
+ xserver_xdm_rw_shm($1_mono_t)
+ ')
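Review bot: The added `fs_dontaudit_rw_tmpfs_files($1_mono_t)` silences denials for a domain that keeps `execheap execmem`, and nothing in the hunk says which access is being hidden or why. A dontaudit rule removes the AVC records an analyst would use to spot unexpected tmpfs access from this domain, so it deserves a comment such as `# <reason mono touches tmpfs files>; denial is expected and harmless`. The same hunk drops `signal getsched` from the `self:process` rule; presumably `userdom_unpriv_usertype` now supplies them, but that is not visible here and is worth confirming. The enclosing template starts and ends outside the hunk.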
@@ -3001,7 +3003,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-04 12:58:42.000000000 -0400
@@ -271,45 +271,6 @@
########################################
@@ -6313,7 +6315,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.8/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ftp.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ftp.te 2007-10-04 10:58:28.000000000 -0400
@@ -88,6 +88,7 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
@@ -6322,7 +6324,19 @@
allow ftpd_t ftpd_etc_t:file read_file_perms;
-@@ -122,6 +123,7 @@
+@@ -105,9 +106,10 @@
+ manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
+ fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
++manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+ manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+ manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+-files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
++files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} )
+
+ # proftpd requires the client side to bind a socket so that
+ # it can stat the socket to perform access control decisions,
+@@ -122,6 +124,7 @@
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
@@ -6330,7 +6344,7 @@
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
-@@ -157,6 +159,7 @@
+@@ -157,6 +160,7 @@
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
@@ -6338,7 +6352,7 @@
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
-@@ -168,7 +171,9 @@
+@@ -168,7 +172,9 @@
libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)
@@ -6348,7 +6362,7 @@
miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)
-@@ -217,6 +222,11 @@
+@@ -217,6 +223,11 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -6360,7 +6374,7 @@
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -252,7 +262,10 @@
+@@ -252,7 +263,10 @@
')
optional_policy(`
@@ -13016,7 +13030,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-10-04 09:25:55.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-10-05 07:42:17.000000000 -0400
@@ -432,6 +432,7 @@
role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms;
@@ -13025,6 +13039,24 @@
')
########################################
+@@ -585,7 +586,7 @@
+ type selinux_config_t;
+ ')
+
+- dontaudit $1 selinux_config_t:dir search;
++ dontaudit $1 selinux_config_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -604,7 +605,7 @@
+ type selinux_config_t;
+ ')
+
+- dontaudit $1 selinux_config_t:dir search;
++ dontaudit $1 selinux_config_t:dir search_dir_perms;
+ dontaudit $1 selinux_config_t:file { getattr read };
+ ')
+
@@ -669,6 +670,7 @@
')
@@ -13703,7 +13735,7 @@
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-04 17:36:52.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -13731,10 +13763,10 @@
- allow $1 self:dbus *;
- allow $1 self:passwd *;
- allow $1 self:association *;
-+ allow $1 self:nscd all_nscd;
-+ allow $1 self:dbus all_dbus;
-+ allow $1 self:passwd all_passwd;
-+ allow $1 self:association all_association;
++ allow $1 self:nscd all_nscd_perms;
++ allow $1 self:dbus all_dbus_perms;
++ allow $1 self:passwd all_passwd_perms;
++ allow $1 self:association all_association_perms;
kernel_unconfined($1)
corenet_unconfined($1)
@@ -14154,7 +14186,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-03 12:00:01.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-04 17:33:14.000000000 -0400
@@ -29,8 +29,9 @@
')
@@ -14195,7 +14227,7 @@
- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
-+ allow $1_t $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
++ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+ allow $1_usertype $1_usertype:fd use;
+ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
+ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
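Review bot: Changing the source of the process rule from `$1_t` to `$1_usertype` lets every type carrying that attribute use `signal_perms`, `setsched`, `setcap` and `share` on every other one, not only the main user domain on its helpers. Judging by `userdom_unpriv_usertype($1, $1_mono_t)` elsewhere in this patch, that presumably includes helper domains such as `$1_mono_t`, which run with `execheap execmem`, so a compromised helper would gain control over the user's main domain. If each helper only needs access to itself, `allow $1_usertype self:process { ... };` is narrower; if cross-type access is intended, a comment naming the case that needs it would help. The enclosing template begins and ends outside the hunk.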
@@ -15167,7 +15199,7 @@
')
########################################
-@@ -5559,3 +5710,376 @@
+@@ -5559,3 +5710,380 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -15364,7 +15396,11 @@
+userdom_xwindows_client_template($1)
+
+logging_send_syslog_msg($1_usertype)
-+logging_dontaudit_send_audit_msgs($1_usertype)
++logging_dontaudit_send_audit_msgs($1_t)
++
++# Need to to this just so screensaver will work. Should be moved to screensaver domain
++logging_send_audit_msgs($1_t)
++selinux_get_enforce_mode($1_t)
+
+optional_policy(`
+ alsa_read_rw_config($1_usertype)
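Review bot: `logging_send_audit_msgs($1_t)` lets every user domain built from this template write records into the audit log, which weakens the log as evidence, and the comment itself says the rule belongs in a screensaver domain. With that allow in place, the `logging_dontaudit_send_audit_msgs($1_t)` line just above it has no effect for `$1_t`, and narrowing it from `$1_usertype` means the other user types start logging denials again. I would keep `logging_dontaudit_send_audit_msgs($1_usertype)` and mark the temporary grant clearly, e.g. `# FIXME: needed only so the screensaver works; move to the screensaver domain`. The comment as written also has a typo ("Need to to this"), and the enclosing template begins and ends outside the hunk.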
@@ -16031,7 +16067,7 @@
+allow webadm_t gadmin_t:dir getattr;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-08-22 07:14:18.000000000 -0400
-+++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-10-04 17:36:29.000000000 -0400
@@ -216,7 +216,7 @@
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
@@ -16049,10 +16085,10 @@
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
+')
+
-+define(`all_nscd', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ')
-+define(`all_dbus', `{ acquire_svc send_msg } ')
-+define(`all_passwd', `{ passwd chfn chsh rootok crontab } ')
-+define(`all_association', `{ sendto recvfrom setcontext polmatch } ')
++define(`all_nscd_perms', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ')
++define(`all_dbus_perms', `{ acquire_svc send_msg } ')
++define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
++define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.8/policy/users
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.539
retrieving revision 1.540
diff -u -r1.539 -r1.540
--- selinux-policy.spec 4 Oct 2007 14:34:02 -0000 1.539
+++ selinux-policy.spec 5 Oct 2007 11:43:46 -0000 1.540
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 17%{?dist}
+Release: 18%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -100,7 +100,6 @@
touch %{buildroot}%{_sysconfdir}/selinux/%1/seusers \
touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
-touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/homedir_template \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
install -m0644 $RPM_SOURCE_DIR/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
@@ -132,7 +131,6 @@
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
-%ghost %{_sysconfdir}/selinux/%1/contexts/files/homedir_template \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
@@ -372,6 +370,9 @@
%endif
%changelog
+* Thu Oct 4 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-18
+- Remove homedir_template
+
* Tue Oct 2 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-17
- Check asound.state