rpms/selinux-policy/devel policy-20070703.patch, 1.100, 1.101 selinux-policy.spec, 1.550, 1.551
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Oct 19 21:21:44 UTC 2007
- Previous message (by thread): rpms/qt4/devel qt4.spec,1.72,1.73
- Next message (by thread): fedora-release fedora-development.repo, 1.14.2.1, 1.14.2.1.2.1 fedora-release.spec, 1.54.2.1.2.1, 1.54.2.1.2.2 fedora-updates.repo, 1.14, 1.14.4.1 fedora.repo, 1.12, 1.12.4.1
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29657
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Fri Oct 17 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-28
- Fixes for hald_mac
- Treat unconfined_home_dir_t as a home dir
- dontaudit rhgb writes to fonts and root
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.100
retrieving revision 1.101
diff -u -r1.100 -r1.101
--- policy-20070703.patch 19 Oct 2007 15:01:30 -0000 1.100
+++ policy-20070703.patch 19 Oct 2007 21:21:40 -0000 1.101
@@ -1039,7 +1039,7 @@
# Init script handling
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-10-08 10:28:20.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-10-19 15:49:45.000000000 -0400
@@ -8,9 +8,11 @@
type consoletype_t;
@@ -1470,7 +1470,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.8/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te 2007-10-19 15:11:04.000000000 -0400
@@ -21,8 +21,8 @@
# Local policy
#
@@ -1482,7 +1482,15 @@
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -103,6 +103,8 @@
+@@ -68,6 +68,7 @@
+ modutils_read_module_deps(kudzu_t)
+ modutils_read_module_config(kudzu_t)
+ modutils_rename_module_config(kudzu_t)
++modutils_unlink_module_config(kudzu_t)
+
+ storage_read_scsi_generic(kudzu_t)
+ storage_read_tape(kudzu_t)
+@@ -103,6 +104,8 @@
init_use_fds(kudzu_t)
init_use_script_ptys(kudzu_t)
init_stream_connect_script(kudzu_t)
@@ -1491,7 +1499,7 @@
# kudzu will telinit to make init re-read
# the inittab after configuring serial consoles
init_telinit(kudzu_t)
-@@ -134,20 +136,15 @@
+@@ -134,20 +137,15 @@
')
optional_policy(`
@@ -3417,8 +3425,20 @@
+/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-10-17 16:11:40.000000000 -0400
-@@ -1449,6 +1449,43 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-10-19 14:41:51.000000000 -0400
+@@ -903,9 +903,11 @@
+ interface(`corenet_udp_bind_generic_port',`
+ gen_require(`
+ type port_t;
++ attribute port_type;
+ ')
+
+ allow $1 port_t:udp_socket name_bind;
++ dontaudit $1 { port_type -port_t }:udp_socket name_bind;
+ ')
+
+ ########################################
+@@ -1449,6 +1451,43 @@
########################################
## <summary>
@@ -3721,7 +3741,7 @@
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-10-18 16:47:15.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-10-19 15:31:15.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@@ -3851,7 +3871,33 @@
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -2023,6 +2021,31 @@
+@@ -1192,6 +1190,25 @@
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to write
++## files in the root directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_write_root_dir',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:dir write;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to read or write
+ ## character device nodes in the root directory.
+ ## </summary>
+@@ -2023,6 +2040,31 @@
########################################
## <summary>
@@ -3883,7 +3929,7 @@
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3107,6 +3130,24 @@
+@@ -3107,6 +3149,24 @@
########################################
## <summary>
@@ -3908,7 +3954,7 @@
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3198,6 +3239,44 @@
+@@ -3198,6 +3258,44 @@
########################################
## <summary>
@@ -3953,7 +3999,7 @@
## Read all tmp files.
## </summary>
## <param name="domain">
-@@ -3323,6 +3402,42 @@
+@@ -3323,6 +3421,42 @@
########################################
## <summary>
@@ -3996,7 +4042,7 @@
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
-@@ -3381,7 +3496,7 @@
+@@ -3381,7 +3515,7 @@
########################################
## <summary>
@@ -4005,7 +4051,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -3389,17 +3504,17 @@
+@@ -3389,17 +3523,17 @@
## </summary>
## </param>
#
@@ -4026,7 +4072,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -3407,12 +3522,12 @@
+@@ -3407,12 +3541,12 @@
## </summary>
## </param>
#
@@ -4041,7 +4087,7 @@
')
########################################
-@@ -4043,7 +4158,7 @@
+@@ -4043,7 +4177,7 @@
type var_t, var_lock_t;
')
@@ -4050,7 +4096,7 @@
')
########################################
-@@ -4560,6 +4675,8 @@
+@@ -4560,6 +4694,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@@ -4059,7 +4105,7 @@
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
-@@ -4582,6 +4699,11 @@
+@@ -4582,6 +4718,11 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -4071,7 +4117,7 @@
')
########################################
-@@ -4619,3 +4741,28 @@
+@@ -4619,3 +4760,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -4618,7 +4664,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.0.8/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/amavis.te 2007-10-17 10:28:41.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/amavis.te 2007-10-19 14:39:41.000000000 -0400
@@ -65,6 +65,7 @@
# Spool Files
manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
@@ -4627,6 +4673,14 @@
manage_sock_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
filetrans_pattern(amavis_t,amavis_spool_t,amavis_var_run_t,sock_file)
files_search_spool(amavis_t)
+@@ -116,6 +117,7 @@
+ # bind to incoming port
+ corenet_tcp_bind_amavisd_recv_port(amavis_t)
+ corenet_udp_bind_generic_port(amavis_t)
++corenet_dontaudit_udp_bind_all_ports(amavis_t)
+ corenet_tcp_connect_razor_port(amavis_t)
+
+ dev_read_rand(amavis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2007-10-03 11:10:24.000000000 -0400
@@ -5613,6 +5667,17 @@
optional_policy(`
hostname_exec(apcupsd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.0.8/policy/modules/services/asterisk.te
+--- nsaserefpolicy/policy/modules/services/asterisk.te 2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/asterisk.te 2007-10-19 14:32:49.000000000 -0400
+@@ -98,6 +98,7 @@
+ # for VOIP voice channels.
+ corenet_tcp_bind_generic_port(asterisk_t)
+ corenet_udp_bind_generic_port(asterisk_t)
++corenet_dontaudit_udp_bind_all_ports(asterisk_t)
+ corenet_sendrecv_generic_server_packets(asterisk_t)
+
+ dev_read_sysfs(asterisk_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.0.8/policy/modules/services/audioentropy.te
--- nsaserefpolicy/policy/modules/services/audioentropy.te 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/audioentropy.te 2007-10-03 11:10:24.000000000 -0400
@@ -5866,7 +5931,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.8/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-10-10 11:33:13.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-10-19 15:47:32.000000000 -0400
@@ -10,7 +10,6 @@
type consolekit_exec_t;
init_daemon_domain(consolekit_t, consolekit_exec_t)
@@ -7648,8 +7713,14 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.fc 2007-10-05 15:23:01.000000000 -0400
-@@ -13,9 +13,12 @@
++++ serefpolicy-3.0.8/policy/modules/services/hal.fc 2007-10-19 15:05:59.000000000 -0400
+@@ -8,14 +8,18 @@
+ /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
+ /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
+ /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
++/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+
+ /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
@@ -7664,7 +7735,7 @@
/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-08 11:29:21.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-19 15:06:33.000000000 -0400
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -7709,7 +7780,11 @@
allow hald_acl_t self:fifo_file read_fifo_file_perms;
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -344,6 +351,8 @@
+@@ -341,9 +348,12 @@
+ files_search_var_lib(hald_mac_t)
+
+ dev_write_raw_memory(hald_mac_t)
++dev_read_sysfs(hald_t)
files_read_usr_files(hald_mac_t)
@@ -9088,6 +9163,17 @@
rpm_exec(pegasus_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.0.8/policy/modules/services/portmap.te
+--- nsaserefpolicy/policy/modules/services/portmap.te 2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/portmap.te 2007-10-19 14:35:04.000000000 -0400
+@@ -63,6 +63,7 @@
+ # portmap binds to arbitary ports
+ corenet_tcp_bind_generic_port(portmap_t)
+ corenet_udp_bind_generic_port(portmap_t)
++corenet_dontaudit_udp_bind_all_ports(portmap_t)
+ corenet_tcp_bind_reserved_port(portmap_t)
+ corenet_udp_bind_reserved_port(portmap_t)
+ corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.0.8/policy/modules/services/portslave.te
--- nsaserefpolicy/policy/modules/services/portslave.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/portslave.te 2007-10-03 11:10:24.000000000 -0400
@@ -9690,7 +9776,7 @@
+/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.0.8/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/radius.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/radius.te 2007-10-19 14:35:18.000000000 -0400
@@ -19,6 +19,9 @@
type radiusd_log_t;
logging_log_file(radiusd_log_t)
@@ -9710,7 +9796,15 @@
manage_files_pattern(radiusd_t,radiusd_var_run_t,radiusd_var_run_t)
files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
-@@ -82,6 +87,7 @@
+@@ -73,6 +78,7 @@
+ corenet_sendrecv_radacct_server_packets(radiusd_t)
+ # for RADIUS proxy port
+ corenet_udp_bind_generic_port(radiusd_t)
++corenet_dontaudit_udp_bind_all_ports(radiusd_t)
+ corenet_sendrecv_generic_server_packets(radiusd_t)
+
+ dev_read_sysfs(radiusd_t)
+@@ -82,6 +88,7 @@
auth_read_shadow(radiusd_t)
auth_domtrans_chk_passwd(radiusd_t)
@@ -9755,7 +9849,7 @@
# Only permit unprivileged user domains to be entered via rlogin,
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.8/policy/modules/services/rhgb.te
--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rhgb.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rhgb.te 2007-10-19 15:31:30.000000000 -0400
@@ -59,6 +59,7 @@
corenet_sendrecv_all_client_packets(rhgb_t)
@@ -9764,7 +9858,23 @@
domain_use_interactive_fds(rhgb_t)
-@@ -109,6 +110,7 @@
+@@ -68,6 +69,7 @@
+ files_search_tmp(rhgb_t)
+ files_read_usr_files(rhgb_t)
+ files_mounton_mnt(rhgb_t)
++files_dontaudit_write_root_dir(rhgb_t)
+ files_dontaudit_read_default_files(rhgb_t)
+ files_dontaudit_search_pids(rhgb_t)
+ # for nscd
+@@ -100,6 +102,7 @@
+
+ miscfiles_read_localization(rhgb_t)
+ miscfiles_read_fonts(rhgb_t)
++miscfiles_dontaudit_write_fonts(rhgb_t)
+
+ seutil_search_default_contexts(rhgb_t)
+ seutil_read_config(rhgb_t)
+@@ -109,6 +112,7 @@
userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
@@ -9772,7 +9882,7 @@
xserver_read_xdm_xserver_tmp_files(rhgb_t)
xserver_kill_xdm_xserver(rhgb_t)
-@@ -117,6 +119,7 @@
+@@ -117,6 +121,7 @@
xserver_domtrans_xdm_xserver(rhgb_t)
xserver_signal_xdm_xserver(rhgb_t)
xserver_read_xdm_tmp_files(rhgb_t)
@@ -11476,6 +11586,25 @@
gen_require(`
type ucspitcp_t;
role system_r;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.0.8/policy/modules/services/ucspitcp.te
+--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ucspitcp.te 2007-10-19 14:36:02.000000000 -0400
+@@ -35,6 +35,7 @@
+ corenet_udp_sendrecv_all_ports(rblsmtpd_t)
+ corenet_tcp_bind_all_nodes(rblsmtpd_t)
+ corenet_udp_bind_generic_port(rblsmtpd_t)
++corenet_dontaudit_udp_bind_all_ports(rblsmtpd_t)
+
+ files_read_etc_files(rblsmtpd_t)
+ files_search_var(rblsmtpd_t)
+@@ -78,6 +79,7 @@
+ corenet_tcp_bind_dns_port(ucspitcp_t)
+ corenet_udp_bind_dns_port(ucspitcp_t)
+ corenet_udp_bind_generic_port(ucspitcp_t)
++corenet_dontaudit_udp_bind_all_ports(ucspitcp_t)
+
+ # server packets:
+ corenet_sendrecv_ftp_server_packets(ucspitcp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.8/policy/modules/services/uwimap.te
--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/uwimap.te 2007-10-03 11:10:25.000000000 -0400
@@ -11578,7 +11707,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-10 16:06:34.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-19 16:57:07.000000000 -0400
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@@ -11688,9 +11817,6 @@
+ userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
+ userdom_manage_user_tmp_dirs($1, xdm_t)
+ userdom_manage_user_tmp_files($1, xdm_t)
-+
-+ # Handling of pam_keyring
-+ gnome_manage_user_gnome_config($1, xdm_t)
xserver_ro_session_template(xdm,$2,$3)
- xserver_rw_session_template($1,$2,$3)
@@ -11704,6 +11830,9 @@
- allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+ xserver_xdm_stream_connect($2)
+
++ # Handling of pam_keyring
++ gnome_manage_user_gnome_config($1, xdm_t)
++
+ optional_policy(`
+ userdom_read_all_users_home_content_files(xdm_t)
+ userdom_read_all_users_home_content_files(xdm_xserver_t)
@@ -11951,7 +12080,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-15 13:34:37.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-19 14:06:25.000000000 -0400
@@ -16,6 +16,13 @@
## <desc>
@@ -12094,7 +12223,7 @@
resmgr_stream_connect(xdm_t)
')
-@@ -434,47 +464,25 @@
+@@ -434,47 +464,26 @@
')
optional_policy(`
@@ -12111,6 +12240,7 @@
+ unconfined_rw_shm(xdm_xserver_t)
+ unconfined_execmem_rw_shm(xdm_xserver_t)
+ unconfined_rw_tmpfs_files(xdm_xserver_t)
++ unconfined_manage_tmp_files(xdm_xserver_t)
- ifdef(`distro_rhel4',`
- allow xdm_xserver_t self:process { execheap execmem };
@@ -12884,6 +13014,17 @@
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(hostname_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.0.8/policy/modules/system/hotplug.te
+--- nsaserefpolicy/policy/modules/system/hotplug.te 2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/hotplug.te 2007-10-19 16:02:32.000000000 -0400
+@@ -179,6 +179,7 @@
+ sysnet_read_dhcpc_pid(hotplug_t)
+ sysnet_rw_dhcp_config(hotplug_t)
+ sysnet_domtrans_ifconfig(hotplug_t)
++ sysnet_signal_ifconfig(hotplug_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-08-22 07:14:12.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/init.if 2007-10-10 15:15:51.000000000 -0400
@@ -14344,8 +14485,35 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.0.8/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if 2007-10-03 11:10:25.000000000 -0400
-@@ -253,6 +253,8 @@
++++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if 2007-10-19 15:29:31.000000000 -0400
+@@ -57,6 +57,26 @@
+ ## </param>
+ ## <rolecap/>
+ #
++interface(`miscfiles_dontaudit_write_fonts',`
++ gen_require(`
++ type fonts_t;
++ ')
++
++ dontaudit $1 fonts_t:dir write;
++ dontaudit $1 fonts_t:file write;
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete fonts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
+ interface(`miscfiles_manage_fonts',`
+ gen_require(`
+ type fonts_t;
+@@ -253,6 +273,8 @@
files_search_usr($1)
allow $1 man_t:dir setattr;
@@ -14354,6 +14522,35 @@
delete_dirs_pattern($1,man_t,man_t)
delete_files_pattern($1,man_t,man_t)
delete_lnk_files_pattern($1,man_t,man_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.0.8/policy/modules/system/modutils.if
+--- nsaserefpolicy/policy/modules/system/modutils.if 2007-05-29 14:10:58.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/modutils.if 2007-10-19 15:10:57.000000000 -0400
+@@ -66,6 +66,25 @@
+
+ ########################################
+ ## <summary>
++## Unlink a file with the configuration options used when
++## loading modules.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`modutils_unlink_module_config',`
++ gen_require(`
++ type modules_conf_t;
++ ')
++
++ allow $1 modules_conf_t:file unlink;
++')
++
++########################################
++## <summary>
+ ## Unconditionally execute insmod in the insmod domain.
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-08-22 07:14:12.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/modutils.te 2007-10-03 11:10:25.000000000 -0400
@@ -14465,7 +14662,7 @@
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/mount.te 2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/mount.te 2007-10-19 14:40:29.000000000 -0400
@@ -8,6 +8,13 @@
## <desc>
@@ -15220,8 +15417,34 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2007-10-03 11:10:25.000000000 -0400
-@@ -522,6 +522,8 @@
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2007-10-19 16:03:30.000000000 -0400
+@@ -145,6 +145,25 @@
+
+ ########################################
+ ## <summary>
++## Send a generic signal to the ifconfig client.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain sending the signal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`sysnet_signal_ifconfig',`
++ gen_require(`
++ type ifconfig_t;
++ ')
++
++ allow $1 ifconfig_t:process signal;
++')
++
++########################################
++## <summary>
+ ## Send and receive messages from
+ ## dhcpc over dbus.
+ ## </summary>
+@@ -522,6 +541,8 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
@@ -15230,7 +15453,7 @@
')
########################################
-@@ -556,3 +558,23 @@
+@@ -556,3 +577,23 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
')
@@ -15256,7 +15479,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-10-19 15:08:29.000000000 -0400
@@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
@@ -15320,7 +15543,7 @@
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -280,6 +286,8 @@
+@@ -280,8 +286,11 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -15328,8 +15551,11 @@
+
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
++term_dontaudit_use_ptmx(ifconfig_t)
-@@ -332,3 +340,7 @@
+ domain_use_interactive_fds(ifconfig_t)
+
+@@ -332,3 +341,7 @@
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -15383,7 +15609,7 @@
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-15 13:33:52.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-19 14:06:05.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -15684,12 +15910,13 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-19 10:29:16.000000000 -0400
-@@ -5,36 +5,48 @@
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-19 17:16:21.000000000 -0400
+@@ -5,36 +5,51 @@
#
# Declarations
#
-+attribute unconfined_terminal;
++type unconfined_gnome_home_t;
++files_type(unconfined_gnome_home_t)
-# usage in this module of types created by these
-# calls is not correct, however we dont currently
@@ -15698,8 +15925,10 @@
-userdom_manage_home_template(unconfined)
-userdom_manage_tmp_template(unconfined)
-userdom_manage_tmpfs_template(unconfined)
-+userdom_unpriv_login_user(unconfined)
-+userdom_common_user_template(unconfined)
++attribute unconfined_terminal;
++
++userdom_unpriv_user_template(unconfined)
++userdom_xwindows_client_template(unconfined)
+
+unconfined_terminal_type(unconfined_devpts_t)
+unconfined_terminal_type(unconfined_tty_device_t)
@@ -15741,7 +15970,7 @@
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +54,29 @@
+@@ -42,37 +57,29 @@
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -15786,7 +16015,7 @@
')
optional_policy(`
-@@ -107,6 +111,10 @@
+@@ -107,6 +114,10 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
@@ -15797,34 +16026,44 @@
')
optional_policy(`
-@@ -118,11 +126,11 @@
+@@ -114,15 +125,15 @@
+ ')
+
+ optional_policy(`
+- ftp_run_ftpdctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ java_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- inn_domtrans(unconfined_t)
-+ iptables_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ ftp_run_ftpdctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- java_domtrans(unconfined_t)
-+ java_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ iptables_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-@@ -134,11 +142,7 @@
+@@ -130,15 +141,10 @@
')
optional_policy(`
+- modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ mono_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ ')
+-
+ optional_policy(`
- mono_domtrans(unconfined_t)
-')
-
-optional_policy(`
- mta_per_role_template(unconfined,unconfined_t,unconfined_r)
-+ mono_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-@@ -155,32 +159,23 @@
+@@ -155,32 +161,23 @@
optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -15861,16 +16100,15 @@
')
optional_policy(`
-@@ -205,11 +200,22 @@
+@@ -205,11 +202,22 @@
')
optional_policy(`
- wine_domtrans(unconfined_t)
+ wine_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- ')
-
- optional_policy(`
-- xserver_domtrans_xdm_xserver(unconfined_t)
++')
++
++optional_policy(`
+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
+ unconfined_domain(unconfined_mozilla_t)
+ allow unconfined_mozilla_t self:process { execstack execmem };
@@ -15878,15 +16116,16 @@
+
+optional_policy(`
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- xserver_domtrans_xdm_xserver(unconfined_t)
+ xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ xserver_xdm_rw_shm(unconfined_t)
')
########################################
-@@ -225,8 +231,21 @@
+@@ -225,8 +233,21 @@
init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
@@ -15919,7 +16158,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-18 16:49:15.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-19 16:52:39.000000000 -0400
@@ -29,8 +29,9 @@
')
@@ -17336,7 +17575,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-10-18 16:49:05.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-10-19 16:18:21.000000000 -0400
@@ -24,13 +24,6 @@
## <desc>
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.550
retrieving revision 1.551
diff -u -r1.550 -r1.551
--- selinux-policy.spec 19 Oct 2007 15:01:30 -0000 1.550
+++ selinux-policy.spec 19 Oct 2007 21:21:40 -0000 1.551
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 27%{?dist}
+Release: 28%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,11 @@
%endif
%changelog
+* Fri Oct 17 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-28
+- Fixes for hald_mac
+- Treat unconfined_home_dir_t as a home dir
+- dontaudit rhgb writes to fonts and root
+
* Fri Oct 17 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-27
- Fix dnsmasq
- Allow rshd full login privs
- Previous message (by thread): rpms/qt4/devel qt4.spec,1.72,1.73
- Next message (by thread): fedora-release fedora-development.repo, 1.14.2.1, 1.14.2.1.2.1 fedora-release.spec, 1.54.2.1.2.1, 1.54.2.1.2.2 fedora-updates.repo, 1.14, 1.14.4.1 fedora.repo, 1.12, 1.12.4.1
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list