rpms/selinux-policy/F-8 modules-targeted.conf, 1.68, 1.69 policy-20070703.patch, 1.103, 1.104 selinux-policy.spec, 1.553, 1.554
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Wed Oct 24 02:54:34 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16650
Modified Files:
modules-targeted.conf policy-20070703.patch
selinux-policy.spec
Log Message:
* Tue Oct 23 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-31
- Fixes for vmware
- Additional textrel_shlib_t for codecs
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/modules-targeted.conf,v
retrieving revision 1.68
retrieving revision 1.69
diff -u -r1.68 -r1.69
--- modules-targeted.conf 18 Oct 2007 21:09:26 -0000 1.68
+++ modules-targeted.conf 24 Oct 2007 02:54:01 -0000 1.69
@@ -1522,3 +1522,10 @@
#
kismet = module
+# Layer: services
+# Module: munin
+#
+# Munin
+#
+munin = module
+
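Review bot: The new `munin = module` entry at the end of this hunk is not mentioned in the log message or in the 3.0.8-31 changelog, which list only the vmware and codec changes, and its description is just `# Munin`. Enabling a module can change which services run confined on installed systems, so it should be traceable from the changelog. I would add `- Enable munin policy module` to the changelog and expand the comment to something like `# Munin network-wide resource monitoring`. Whether the munin policy itself ships in this revision of policy-20070703.patch cannot be confirmed from the hunks shown here.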
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.103
retrieving revision 1.104
diff -u -r1.103 -r1.104
--- policy-20070703.patch 22 Oct 2007 21:34:46 -0000 1.103
+++ policy-20070703.patch 24 Oct 2007 02:54:01 -0000 1.104
@@ -1554,8 +1554,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.8/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/netutils.te 2007-10-22 13:22:31.000000000 -0400
-@@ -94,9 +94,18 @@
++++ serefpolicy-3.0.8/policy/modules/admin/netutils.te 2007-10-23 07:36:14.000000000 -0400
+@@ -94,9 +94,22 @@
')
optional_policy(`
@@ -1567,6 +1567,10 @@
+')
+
+optional_policy(`
++ vmware_append_log(netutils_t)
++')
++
++optional_policy(`
xen_append_log(netutils_t)
')
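Review bot: The `vmware_append_log(netutils_t)` block added here gives a network-utility domain append access to VMware logs with no comment saying why, and the same grant is repeated for `dhcpc_t` and `ifconfig_t` in the sysnetwork.te hunks further down. Presumably VMware scripts start these tools with output redirected to a log under /var/log, in which case append-only is the right scope. That rationale should be recorded next to each call, for example `# vmware scripts run this tool with output redirected to /var/log/vmware*`. If the access is only an inherited descriptor the tool never writes to, a dontaudit rule would be narrower than an allow, which is worth checking against the denials that prompted the change. The enclosing optional_policy sequence starts outside the hunk.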
@@ -1574,7 +1578,7 @@
########################################
#
# Ping local policy
-@@ -113,6 +122,7 @@
+@@ -113,6 +126,7 @@
corenet_tcp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
@@ -3214,7 +3218,7 @@
auth_search_pam_console_data($1_userhelper_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.8/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/vmware.fc 2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/vmware.fc 2007-10-23 07:34:52.000000000 -0400
@@ -21,19 +21,25 @@
/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -3241,10 +3245,51 @@
ifdef(`distro_gentoo',`
/opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+@@ -49,3 +55,4 @@
+ /opt/vmware/workstation/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+ /opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+ ')
++/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.0.8/policy/modules/apps/vmware.if
+--- nsaserefpolicy/policy/modules/apps/vmware.if 2007-10-22 13:21:41.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/vmware.if 2007-10-23 07:34:47.000000000 -0400
+@@ -202,3 +202,22 @@
+
+ allow $1 vmware_sys_conf_t:file append;
+ ')
++
++########################################
++## <summary>
++## Append to VMWare log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`vmware_append_log',`
++ gen_require(`
++ type vmware_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1,vmware_log_t,vmware_log_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.8/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/vmware.te 2007-10-22 13:22:31.000000000 -0400
-@@ -29,7 +29,7 @@
++++ serefpolicy-3.0.8/policy/modules/apps/vmware.te 2007-10-23 07:34:35.000000000 -0400
+@@ -22,6 +22,9 @@
+ type vmware_var_run_t;
+ files_pid_file(vmware_var_run_t)
+
++type vmware_log_t;
++logging_log_file(vmware_log_t)
++
+ ########################################
+ #
+ # VMWare host local policy
+@@ -29,7 +32,7 @@
allow vmware_host_t self:capability { setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
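Review bot: The new file context `/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)` carries the `--` specifier, so it labels regular files only, while the vmware.te hunk that follows adds `logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })` next to `manage_files_pattern` alone. As written, a directory created under /var/log would be given vmware_log_t by the transition, but no visible rule lets vmware_host_t create directories of that type, and a relabel would not restore the type on the directory itself. Either restrict the transition to `logging_log_filetrans(vmware_host_t,vmware_log_t,file)`, or add `manage_dirs_pattern(vmware_host_t,vmware_log_t,vmware_log_t)` together with a directory entry in vmware.fc. The rest of vmware.te is outside the hunk, so an existing directory rule cannot be ruled out.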
@@ -3253,6 +3298,16 @@
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
+@@ -41,6 +44,9 @@
+ manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
+ files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
+
++manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t)
++logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })
++
+ kernel_read_kernel_sysctls(vmware_host_t)
+ kernel_list_proc(vmware_host_t)
+ kernel_read_proc_symlinks(vmware_host_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2007-10-22 13:21:41.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/wine.if 2007-10-22 13:22:31.000000000 -0400
@@ -13680,7 +13735,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-10-23 11:51:10.000000000 -0400
@@ -65,11 +65,12 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -13695,7 +13750,15 @@
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-@@ -135,6 +136,8 @@
+@@ -112,6 +113,7 @@
+ /usr/lib/vlc/codec/libdmo_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/vlc/codec/librealaudio_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -135,6 +137,8 @@
/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
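Review bot: The added `/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)*` entry labels matching files textrel_shlib_t, the type for libraries that are allowed text relocation (execmod), yet nothing records which codec package needs it or why the character class is `[1-9c]`. Each textrel_shlib_t entry is a standing exception to a memory-protection control. I would add a comment line above it naming the package, e.g. `# <package name> codecs require text relocation`, and keep the pattern as narrow as the shipped file names allow. The surrounding libraries.fc list continues outside the hunk.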
@@ -13704,7 +13767,7 @@
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -236,6 +239,8 @@
+@@ -236,6 +240,8 @@
/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -13713,7 +13776,7 @@
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
-@@ -284,3 +289,9 @@
+@@ -284,3 +290,9 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -15571,7 +15634,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-10-23 07:35:30.000000000 -0400
@@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
@@ -15627,7 +15690,18 @@
')
optional_policy(`
-@@ -254,6 +259,7 @@
+@@ -227,6 +232,10 @@
+ ')
+
+ optional_policy(`
++ vmware_append_log(dhcpc_t)
++')
++
++optional_policy(`
+ kernel_read_xen_state(dhcpc_t)
+ kernel_write_xen_state(dhcpc_t)
+ xen_append_log(dhcpc_t)
+@@ -254,6 +263,7 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
@@ -15635,7 +15709,7 @@
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -280,8 +286,11 @@
+@@ -280,8 +290,11 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -15647,14 +15721,21 @@
domain_use_interactive_fds(ifconfig_t)
-@@ -332,3 +341,7 @@
- xen_append_log(ifconfig_t)
- xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+@@ -327,6 +340,14 @@
')
+
+ optional_policy(`
++ unconfined_dontaudit_rw_pipes(ifconfig_t)
++')
+
+optional_policy(`
-+ unconfined_dontaudit_rw_pipes(ifconfig_t)
++ vmware_append_log(ifconfig_t)
+')
++
++optional_policy(`
+ kernel_read_xen_state(ifconfig_t)
+ kernel_write_xen_state(ifconfig_t)
+ xen_append_log(ifconfig_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-10-22 13:21:40.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-22 13:22:31.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.553
retrieving revision 1.554
diff -u -r1.553 -r1.554
--- selinux-policy.spec 22 Oct 2007 21:28:58 -0000 1.553
+++ selinux-policy.spec 24 Oct 2007 02:54:01 -0000 1.554
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 30%{?dist}
+Release: 31%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,10 @@
%endif
%changelog
+* Tue Oct 23 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-31
+- Fixes for vmware
+- Additional textrel_shlib_t for codecs
+
* Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-30
- Allow XServer to read /proc/self/cmdline
- Fix unconfined cron jobs