rpms/selinux-policy/F-8 modules-targeted.conf, 1.68, 1.69 policy-20070703.patch, 1.103, 1.104 selinux-policy.spec, 1.553, 1.554

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Oct 24 02:54:34 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16650

Modified Files:
	modules-targeted.conf policy-20070703.patch 
	selinux-policy.spec 
Log Message:
* Tue Oct 23 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-31
- Fixes for vmware
- Additional textrel_shlib_t for codecs



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/modules-targeted.conf,v
retrieving revision 1.68
retrieving revision 1.69
diff -u -r1.68 -r1.69
--- modules-targeted.conf	18 Oct 2007 21:09:26 -0000	1.68
+++ modules-targeted.conf	24 Oct 2007 02:54:01 -0000	1.69
@@ -1522,3 +1522,10 @@
 # 
 kismet = module
 
+# Layer: services
+# Module: munin
+#
+# Munin
+# 
+munin = module
+
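Review bot: The munin module is switched on here, but neither the log message nor the `%changelog` entry for 3.0.8-31 mentions it; both list only the vmware and codec changes. Enabling a policy module changes which services are confined on every targeted install, so it deserves its own changelog line, for example `- Enable munin policy module`. The description line `# Munin` only repeats the module name; a short phrase saying what the service is would be more useful to someone deciding whether to keep the module enabled.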

policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.103
retrieving revision 1.104
diff -u -r1.103 -r1.104
--- policy-20070703.patch	22 Oct 2007 21:34:46 -0000	1.103
+++ policy-20070703.patch	24 Oct 2007 02:54:01 -0000	1.104
@@ -1554,8 +1554,8 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.8/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/netutils.te	2007-10-22 13:22:31.000000000 -0400
-@@ -94,9 +94,18 @@
++++ serefpolicy-3.0.8/policy/modules/admin/netutils.te	2007-10-23 07:36:14.000000000 -0400
+@@ -94,9 +94,22 @@
  ')
  
  optional_policy(`
@@ -1567,6 +1567,10 @@
 +')
 +
 +optional_policy(`
++	vmware_append_log(netutils_t)
++')
++
++optional_policy(`
  	xen_append_log(netutils_t)
  ')
  
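Review bot: Nothing in this `optional_policy` block says why `netutils_t` needs to append to VMware logs, and the same one-line grant is repeated for `dhcpc_t` and `ifconfig_t` in the sysnetwork.te hunks further down. If the reason is that VMware's host scripts start these tools with output redirected to an already-open log (an inference, the page does not say), a comment such as `# vmware runs this with stdout/stderr pointing at its log` would record it. That also makes it easier to check later whether the whole `vmware_append_log` interface is needed or only append on an inherited descriptor.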
@@ -1574,7 +1578,7 @@
  ########################################
  #
  # Ping local policy
-@@ -113,6 +122,7 @@
+@@ -113,6 +126,7 @@
  corenet_tcp_sendrecv_all_if(ping_t)
  corenet_raw_sendrecv_all_if(ping_t)
  corenet_raw_sendrecv_all_nodes(ping_t)
@@ -3214,7 +3218,7 @@
  	auth_search_pam_console_data($1_userhelper_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.8/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/vmware.fc	2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/vmware.fc	2007-10-23 07:34:52.000000000 -0400
 @@ -21,19 +21,25 @@
  /usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
  /usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -3241,10 +3245,51 @@
  
  ifdef(`distro_gentoo',`
  /opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+@@ -49,3 +55,4 @@
+ /opt/vmware/workstation/bin/vmware-wizard --	gen_context(system_u:object_r:vmware_exec_t,s0)
+ /opt/vmware/workstation/bin/vmware	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+ ')
++/var/log/vmware.* 	--	gen_context(system_u:object_r:vmware_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.0.8/policy/modules/apps/vmware.if
+--- nsaserefpolicy/policy/modules/apps/vmware.if	2007-10-22 13:21:41.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/vmware.if	2007-10-23 07:34:47.000000000 -0400
+@@ -202,3 +202,22 @@
+ 
+ 	allow $1 vmware_sys_conf_t:file append;
+ ')
++
++########################################
++## <summary>
++##	Append to VMWare log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`vmware_append_log',`
++	gen_require(`
++		type vmware_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1,vmware_log_t,vmware_log_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.8/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/vmware.te	2007-10-22 13:22:31.000000000 -0400
-@@ -29,7 +29,7 @@
++++ serefpolicy-3.0.8/policy/modules/apps/vmware.te	2007-10-23 07:34:35.000000000 -0400
+@@ -22,6 +22,9 @@
+ type vmware_var_run_t;
+ files_pid_file(vmware_var_run_t)
+ 
++type vmware_log_t;
++logging_log_file(vmware_log_t)
++
+ ########################################
+ #
+ # VMWare host local policy
+@@ -29,7 +32,7 @@
  
  allow vmware_host_t self:capability { setuid net_raw };
  dontaudit vmware_host_t self:capability sys_tty_config;
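Review bot: The new file context `/var/log/vmware.*` with `--` never labels a directory. It labels every regular file under /var/log whose path starts with `vmware`, including files below a `/var/log/vmware...` directory, since `.*` also matches `/`. If VMware logs into a directory (not shown on this page), a relabel would leave that directory with the generic log type while its files are `vmware_log_t`; an entry like `/var/log/vmware(/.*)?	gen_context(system_u:object_r:vmware_log_t,s0)` would cover both. The doc comment on `vmware_append_log` could also say whether callers are expected to open logs by path, which is what the `logging_search_logs` call suggests, or only to write to inherited descriptors. The vmware.te section continues outside this hunk.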
@@ -3253,6 +3298,16 @@
  allow vmware_host_t self:fifo_file rw_fifo_file_perms;
  allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
  allow vmware_host_t self:rawip_socket create_socket_perms;
+@@ -41,6 +44,9 @@
+ manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
+ files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
+ 
++manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t)	
++logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })
++
+ kernel_read_kernel_sysctls(vmware_host_t)
+ kernel_list_proc(vmware_host_t)
+ kernel_read_proc_symlinks(vmware_host_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2007-10-22 13:21:41.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/apps/wine.if	2007-10-22 13:22:31.000000000 -0400
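Review bot: `logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })` sets up a type transition for directories, yet the only access granted on the new type is `manage_files_pattern`, which as far as I know covers files in the directory and not directory creation. Unless a rule outside this hunk grants it, `vmware_host_t` would be denied when it creates a log directory. Either add `manage_dirs_pattern(vmware_host_t,vmware_log_t,vmware_log_t)` or drop `dir` from the class set so the policy states what is actually intended. The `manage_files_pattern` line also ends in a stray tab.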
@@ -13680,7 +13735,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc	2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc	2007-10-23 11:51:10.000000000 -0400
 @@ -65,11 +65,12 @@
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -13695,7 +13750,15 @@
  
  ifdef(`distro_gentoo',`
  # despite the extensions, they are actually libs
-@@ -135,6 +136,8 @@
+@@ -112,6 +113,7 @@
+ /usr/lib/vlc/codec/libdmo_plugin.so	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/vlc/codec/librealaudio_plugin.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
++/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -135,6 +137,8 @@
  /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
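Review bot: The added `/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)*` entry has no comment naming the codecs it covers, and the character class `[1-9c]` is hard to map back to file names. `textrel_shlib_t` is the label that lets libraries with text relocations be loaded, so each entry here relaxes a memory-protection check and should be traceable to a package. A line above it such as `# binary codecs drv1-drv9 and drvc from <package name>, shipped with text relocations` would do; the package name is not on this page.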
@@ -13704,7 +13767,7 @@
  
  /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -236,6 +239,8 @@
+@@ -236,6 +240,8 @@
  /usr/lib(64)?/libdivxdecore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libdivxencore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -13713,7 +13776,7 @@
  /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  # vmware 
-@@ -284,3 +289,9 @@
+@@ -284,3 +290,9 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -15571,7 +15634,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te	2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te	2007-10-23 07:35:30.000000000 -0400
 @@ -45,7 +45,7 @@
  dontaudit dhcpc_t self:capability sys_tty_config;
  # for access("/etc/bashrc", X_OK) on Red Hat
@@ -15627,7 +15690,18 @@
  ')
  
  optional_policy(`
-@@ -254,6 +259,7 @@
+@@ -227,6 +232,10 @@
+ ')
+ 
+ optional_policy(`
++	vmware_append_log(dhcpc_t)
++')
++
++optional_policy(`
+ 	kernel_read_xen_state(dhcpc_t)
+ 	kernel_write_xen_state(dhcpc_t)
+ 	xen_append_log(dhcpc_t)
+@@ -254,6 +263,7 @@
  allow ifconfig_t self:sem create_sem_perms;
  allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
@@ -15635,7 +15709,7 @@
  
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -280,8 +286,11 @@
+@@ -280,8 +290,11 @@
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
  
@@ -15647,14 +15721,21 @@
  
  domain_use_interactive_fds(ifconfig_t)
  
-@@ -332,3 +341,7 @@
- 	xen_append_log(ifconfig_t)
- 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+@@ -327,6 +340,14 @@
  ')
+ 
+ optional_policy(`
++	unconfined_dontaudit_rw_pipes(ifconfig_t)
++')
 +
 +optional_policy(`
-+	unconfined_dontaudit_rw_pipes(ifconfig_t)
++	vmware_append_log(ifconfig_t)
 +')
++
++optional_policy(`
+ 	kernel_read_xen_state(ifconfig_t)
+ 	kernel_write_xen_state(ifconfig_t)
+ 	xen_append_log(ifconfig_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-10-22 13:21:40.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/udev.te	2007-10-22 13:22:31.000000000 -0400


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.553
retrieving revision 1.554
diff -u -r1.553 -r1.554
--- selinux-policy.spec	22 Oct 2007 21:28:58 -0000	1.553
+++ selinux-policy.spec	24 Oct 2007 02:54:01 -0000	1.554
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 30%{?dist}
+Release: 31%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,10 @@
 %endif
 
 %changelog
+* Tue Oct 23 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-31
+- Fixes for vmware
+- Additional textrel_shlib_t for codecs
+
 * Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-30
 - Allow XServer to read /proc/self/cmdline
 - Fix unconfined cron jobs



