rpms/selinux-policy/F-8 policy-20070703.patch, 1.110, 1.111 selinux-policy.spec, 1.559, 1.560
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Oct 29 19:02:24 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30474
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Sat Oct 27 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-38
- Allow ip to load sys_modules in order to bring up ip6 networks
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.110
retrieving revision 1.111
diff -u -r1.110 -r1.111
--- policy-20070703.patch 26 Oct 2007 13:38:05 -0000 1.110
+++ policy-20070703.patch 29 Oct 2007 19:02:21 -0000 1.111
@@ -717,7 +717,7 @@
+selinux(8), ypbind(8), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.8/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/flask/access_vectors 2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/flask/access_vectors 2007-10-26 11:54:33.000000000 -0400
@@ -639,6 +639,8 @@
send
recv
@@ -3733,7 +3733,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-25 10:23:02.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-26 12:04:03.000000000 -0400
@@ -6,6 +6,22 @@
# Declarations
#
@@ -3757,7 +3757,7 @@
# Mark process types as domains
attribute domain;
-@@ -80,6 +96,9 @@
+@@ -80,9 +96,13 @@
allow domain self:lnk_file r_file_perms;
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
@@ -3767,7 +3767,11 @@
# create child processes in the domain
allow domain self:process { fork sigchld };
-@@ -134,3 +153,22 @@
++dontaudit domain domain:key manage_key_perms;
+
+ # Use trusted objects in /dev
+ dev_rw_null(domain)
+@@ -134,3 +154,22 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
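Review bot: `dontaudit domain domain:key manage_key_perms;` silences the audit record for every denied key operation between any pair of domains, including `write`, `setattr` and `link` attempts against another domain's keyrings, which is exactly the evidence an incident responder needs when a confined process probes a session keyring it should not touch. If the noise this is meant to suppress comes from keyring lookups, the narrower `dontaudit domain domain:key { search view };` would keep the modification denials visible while still quieting the common case. At minimum a comment recording the motivation, e.g. `# silence cross-domain keyring probes (still denied, only unlogged) -- TODO: narrow to the perms actually seen in AVCs`, would let a later maintainer revisit it. The enclosing domain.te rules continue outside the hunk.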
@@ -7354,7 +7358,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-26 09:02:10.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-26 14:01:08.000000000 -0400
@@ -0,0 +1,157 @@
+## <summary>Exim service</summary>
+
@@ -7484,7 +7488,7 @@
+## </summary>
+## </param>
+#
-+interface(`exim_manage_spool',`
++interface(`exim_manage_spool_files',`
+ gen_require(`
+ type exim_spool_t;
+ ')
@@ -7515,8 +7519,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-26 09:02:43.000000000 -0400
-@@ -0,0 +1,229 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-27 07:39:12.000000000 -0400
+@@ -0,0 +1,230 @@
+
+policy_module(exim, 1.0.0)
+
@@ -7643,8 +7647,9 @@
+
+can_exec(exim_t,exim_exec_t)
+
-+exim_create_spool(exim_t)
-+exim_manage_spool(exim_t)
++manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
++manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
++manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+allow exim_t exim_spool_t:sock_file create_file_perms;
+files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
+
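Review bot: `allow exim_t exim_spool_t:sock_file create_file_perms;` appears redundant now that the line above it calls `manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)`, whose sock_file permission set already covers creation, so the explicit allow only adds a second place to keep in sync. Dropping it, or replacing it with a comment such as `# spool dirs, files and sockets are fully managed via the patterns above`, keeps the spool rules in a single idiom. If the permission macros in this tree differ from the usual refpolicy sets, confirm against obj_perm_sets.spt before removing it. The exim_t rules continue beyond the hunk.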
@@ -8378,20 +8383,21 @@
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-22 13:22:31.000000000 -0400
-@@ -142,6 +142,11 @@
++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-26 14:01:58.000000000 -0400
+@@ -142,6 +142,12 @@
sendmail_create_log($1_mail_t)
')
+ optional_policy(`
+ exim_read_logs($1_mail_t)
-+ exim_manage_spool($1_mail_t)
++ exim_append_log($1_mail_t)
++ exim_manage_spool_files($1_mail_t)
+ ')
+
')
#######################################
-@@ -226,6 +231,15 @@
+@@ -226,6 +232,15 @@
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t)
fs_manage_cifs_symlinks($1_mail_t)
@@ -8407,7 +8413,7 @@
')
optional_policy(`
-@@ -314,6 +328,24 @@
+@@ -314,6 +329,24 @@
########################################
## <summary>
@@ -8432,7 +8438,7 @@
## Modified mailserver interface for
## sendmail daemon use.
## </summary>
-@@ -392,6 +424,7 @@
+@@ -392,6 +425,7 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1,mail_spool_t,mail_spool_t)
read_files_pattern($1,mail_spool_t,mail_spool_t)
@@ -8440,7 +8446,7 @@
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
-@@ -447,20 +480,18 @@
+@@ -447,20 +481,18 @@
interface(`mta_send_mail',`
gen_require(`
attribute mta_user_agent;
@@ -8467,7 +8473,7 @@
')
########################################
-@@ -595,6 +626,25 @@
+@@ -595,6 +627,25 @@
files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr };
')
@@ -8495,7 +8501,7 @@
## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-26 09:07:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-26 13:59:23.000000000 -0400
@@ -6,6 +6,7 @@
# Declarations
#
@@ -8554,17 +8560,6 @@
cron_dontaudit_write_pipes(system_mail_t)
')
-@@ -81,6 +94,10 @@
- ')
-
- optional_policy(`
-+ exim_append_log(system_mail_t)
-+')
-+
-+optional_policy(`
- logrotate_read_tmp_files(system_mail_t)
- ')
-
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.0.8/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/munin.if 2007-10-24 08:51:46.000000000 -0400
@@ -12029,7 +12024,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-24 14:01:12.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-27 07:35:37.000000000 -0400
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@@ -12114,11 +12109,13 @@
nis_use_ypbind($1_xauth_t)
')
-@@ -537,16 +548,14 @@
+@@ -536,17 +547,15 @@
+ template(`xserver_user_client_template',`
gen_require(`
- type xdm_t, xdm_tmp_t;
+- type xdm_t, xdm_tmp_t;
- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
++ type xdm_t, xdm_tmp_t, xdm_xserver_t;
')
- allow $2 self:shm create_shm_perms;
@@ -12136,7 +12133,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +564,53 @@
+@@ -555,25 +564,54 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -12171,6 +12168,7 @@
+ # Handling of pam_keyring
+ gnome_manage_user_gnome_config($1, xdm_t)
+
++ read_files_pattern(xdm_xserver_t, $2, $2)
+ optional_policy(`
+ userdom_read_all_users_home_content_files(xdm_t)
+ userdom_read_all_users_home_content_files(xdm_xserver_t)
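Review bot: `read_files_pattern(xdm_xserver_t, $2, $2)` carries no comment explaining why the X server domain needs to read files whose type is the user's process domain (`$2` is used as a subject domain elsewhere in this template, e.g. `allow $2 xdm_t:fd use;`), which in practice would mean the user's /proc/<pid> entries; a server reading its clients' process files is an unusual grant and deserves a stated reason. A line such as `# xdm_xserver_t reads /proc/<pid> of its clients -- TODO: record the denial this fixes` would do, and a blank line before the following `optional_policy(` would match the surrounding layout. What else is labeled with the user domain type, and therefore how far this read actually reaches, cannot be seen from here.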
@@ -12198,7 +12196,7 @@
')
')
-@@ -626,6 +663,24 @@
+@@ -626,6 +664,24 @@
########################################
## <summary>
@@ -12223,7 +12221,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +714,73 @@
+@@ -659,6 +715,73 @@
########################################
## <summary>
@@ -12297,7 +12295,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -927,6 +1049,7 @@
+@@ -927,6 +1050,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -12305,7 +12303,7 @@
')
########################################
-@@ -987,6 +1110,37 @@
+@@ -987,6 +1111,37 @@
########################################
## <summary>
@@ -12343,7 +12341,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1136,7 +1290,7 @@
+@@ -1136,7 +1291,7 @@
type xdm_xserver_tmp_t;
')
@@ -12352,7 +12350,7 @@
')
########################################
-@@ -1325,3 +1479,63 @@
+@@ -1325,3 +1480,63 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -12675,7 +12673,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-26 11:58:59.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -12714,8 +12712,8 @@
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ kernel_write_proc_files($1)
+
-+ auth_keyring_domain($1)
-+ allow $1 keyring_type:key { search link };
++ allow $1 self:key manage_key_perms;
++ userdom_manage_all_users_keys($1)
+
+ files_list_var_lib($1)
+ manage_files_pattern($1, var_auth_t, var_auth_t)
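Review bot: Replacing `auth_keyring_domain($1)` and `allow $1 keyring_type:key { search link };` with `allow $1 self:key manage_key_perms;` plus `userdom_manage_all_users_keys($1)` widens the caller from search/link on keyring types to create/write/setattr/link over the keys of every user domain, a large grant to hand out from a shared login interface. If the denials that motivated this concern creating and joining session keyrings, a narrower interface granting `{ create link search view }` on `userdomain` keys may be sufficient; please confirm against the AVCs before shipping the full manage set. The rest of this interface, including its name and hence the set of login domains that inherit the grant, lies outside the hunk.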
@@ -15825,7 +15823,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-10-23 07:35:30.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-10-27 06:30:07.000000000 -0400
@@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
@@ -15892,7 +15890,15 @@
kernel_read_xen_state(dhcpc_t)
kernel_write_xen_state(dhcpc_t)
xen_append_log(dhcpc_t)
-@@ -254,6 +263,7 @@
+@@ -240,7 +249,6 @@
+
+ allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+ allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
+-dontaudit ifconfig_t self:capability sys_module;
+
+ allow ifconfig_t self:fd use;
+ allow ifconfig_t self:fifo_file rw_fifo_file_perms;
+@@ -254,6 +262,7 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
@@ -15900,7 +15906,16 @@
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -280,8 +290,11 @@
+@@ -270,6 +279,8 @@
+ kernel_read_network_state(ifconfig_t)
+ kernel_search_network_sysctl(ifconfig_t)
+ kernel_rw_net_sysctls(ifconfig_t)
++# This should be put inside a boolean, but can not because of attributes
++kernel_load_module(ifconfig_t)
+
+ corenet_rw_tun_tap_dev(ifconfig_t)
+
+@@ -280,8 +291,11 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
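Review bot: `kernel_load_module(ifconfig_t)` turns a previously silenced denial (the `dontaudit ifconfig_t self:capability sys_module` removed in the preceding hunk) into a standing grant of kernel module loading for the domain that runs `ip`/`ifconfig`, which the nearby comment notes is also called from dhcpc, so a compromise of those tools now yields a kernel code-loading primitive. The adjoining comment concedes the rule belongs behind a boolean but does not record which operation required it; expanding it to something like `# ip(8) bringing up IPv6 interfaces hit a sys_module denial (3.0.8-38); cannot be gated by a boolean while this interface is used on attributes -- revisit when that restriction lifts` would preserve the rationale. It is also worth confirming whether the requirement is kernel-side module autoload on ip's behalf rather than an explicit insmod, since that determines whether the grant can later be narrowed. The ifconfig_t rules continue beyond both edges of the hunk.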
@@ -15912,7 +15927,7 @@
domain_use_interactive_fds(ifconfig_t)
-@@ -327,6 +340,14 @@
+@@ -327,6 +341,14 @@
')
optional_policy(`
@@ -16275,7 +16290,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-26 08:42:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-26 11:52:26.000000000 -0400
@@ -5,36 +5,52 @@
#
# Declarations
@@ -16525,7 +16540,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-22 17:00:09.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-26 11:59:59.000000000 -0400
@@ -29,8 +29,9 @@
')
@@ -17559,7 +17574,32 @@
')
########################################
-@@ -5559,3 +5724,386 @@
+@@ -5529,6 +5694,24 @@
+
+ ########################################
+ ## <summary>
++## Manage keys for all user domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_manage_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key manage_key_perms;
++')
++
++########################################
++## <summary>
+ ## Send a dbus message to all user domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -5559,3 +5742,386 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
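Review bot: The new `userdom_manage_all_users_keys` interface's summary, `Manage keys for all user domains.`, understates what `allow $1 userdomain:key manage_key_perms;` grants: create/write/setattr/link over the keyrings of every user domain, which in practice lets the caller add or alter keys in any user's session keyring. A `<desc>` block stating this, and that the interface is meant for login/PAM-style domains rather than ordinary services, would steer policy writers toward a read-only or narrower alternative where that suffices. The surrounding userdomain.if content is outside the hunk.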
@@ -18473,7 +18513,7 @@
+allow webadm_t gadmin_t:dir getattr;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-22 13:21:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-10-26 12:00:13.000000000 -0400
@@ -216,7 +216,7 @@
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
@@ -18483,7 +18523,7 @@
define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
define(`append_file_perms',`{ getattr append lock ioctl }')
define(`write_file_perms',`{ getattr write append lock ioctl }')
-@@ -327,3 +327,13 @@
+@@ -327,3 +327,16 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
@@ -18496,6 +18536,9 @@
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
++define(`manage_key_perms', `{ create link read search setattr view write } ')
++
++
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.8/policy/users
--- nsaserefpolicy/policy/users 2007-10-22 13:21:43.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.559
retrieving revision 1.560
diff -u -r1.559 -r1.560
--- selinux-policy.spec 26 Oct 2007 13:38:05 -0000 1.559
+++ selinux-policy.spec 29 Oct 2007 19:02:21 -0000 1.560
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 36%{?dist}
+Release: 38%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,12 @@
%endif
%changelog
+* Sat Oct 27 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-38
+- Allow ip to load sys_modules in order to bring up ip6 networks
+
+* Fri Oct 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-37
+- Fix keyring handling
+
* Fri Oct 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-36
- Allow unconfined_t to run crontab -e as root