rpms/selinux-policy/F-7 policy-20070501.patch, 1.70, 1.71 selinux-policy.spec, 1.501, 1.502

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Oct 30 21:03:07 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7410

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Tue Oct 30 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-51
- Allow fd passing
- dontaudit rpm_rw_pipes
- Allow mount to start rpc_mountd


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- policy-20070501.patch	27 Oct 2007 11:44:01 -0000	1.70
+++ policy-20070501.patch	30 Oct 2007 21:02:59 -0000	1.71
@@ -916,7 +916,7 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.6.4/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/rpm.if	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/rpm.if	2007-10-30 06:41:29.000000000 -0400
 @@ -211,6 +211,24 @@
  
  ########################################
@@ -973,7 +973,7 @@
  ')
  
  ########################################
-@@ -290,3 +329,103 @@
+@@ -290,3 +329,120 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -1077,6 +1077,23 @@
 +	dontaudit $1 rpm_t:shm rw_shm_perms;
 +')
 +
++########################################
++## <summary>
++##	dontaudit read and write an unnamed RPM pipe.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`rpm_dontaudit_rw_pipes',`
++	gen_require(`
++		type rpm_t;
++	')
++
++	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.6.4/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-05-07 14:51:05.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/admin/rpm.te	2007-08-07 09:42:35.000000000 -0400
@@ -2388,7 +2405,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.6.4/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/domain.te	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/domain.te	2007-10-30 16:16:45.000000000 -0400
 @@ -6,6 +6,29 @@
  # Declarations
  #
@@ -2430,7 +2447,7 @@
  # Domains that can set their current context
  # (perform dynamic transitions)
  attribute set_curr_context;
-@@ -144,3 +171,26 @@
+@@ -144,3 +171,33 @@
  
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
@@ -2457,6 +2474,13 @@
 +		ipsec_labeled(domain)
 +	')
 +')
++
++# Allow all domains to use fds past to them
++allow domain domain:fd use;
++optional_policy(`
++	rpm_dontaudit_rw_pipes(domain)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/kernel/files.fc	2007-10-18 17:13:23.000000000 -0400
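Review bot: `allow domain domain:fd use;` lets every domain use a descriptor created by any other domain, which removes the per-domain fd:use boundary the rest of the policy relies on to catch descriptors leaking across unrelated domains (the object-class check on the underlying file still applies, but the leak itself is no longer visible), and the `rpm_dontaudit_rw_pipes(domain)` added just below silences the remaining rpm fifo denials policy-wide, so stray rpm scriptlet hand-offs will no longer show up in the audit log. If the intent is limited to descriptors handed down by rpm, a rule scoped to rpm_t inside the same `optional_policy` block would keep the change narrow while still quieting the reported denials. The comment also has a typo; suggest `# Allow all domains to use fds passed to them (fd:use only; object permissions are still checked)`. The same dontaudit is applied to semanage_t in the selinuxutil.te hunk further down, where it is appropriately scoped.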
@@ -5899,8 +5923,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-2.6.4/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/services/exim.te	2007-10-22 11:12:46.000000000 -0400
-@@ -0,0 +1,230 @@
++++ serefpolicy-2.6.4/policy/modules/services/exim.te	2007-10-30 16:46:45.000000000 -0400
+@@ -0,0 +1,231 @@
 +# $Id$
 +# Draft SELinux refpolicy module for the Exim MTA
 +# 
@@ -5915,6 +5939,7 @@
 +
 +type exim_t;
 +type exim_exec_t;
++init_daemon_domain(exim_t, exim_exec_t)
 +mta_mailserver(exim_t, exim_exec_t)
 +mta_mailserver_user_agent(exim_t)
 +application_executable_file(exim_exec_t)
@@ -6211,7 +6236,7 @@
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.6.4/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/hal.fc	2007-10-09 17:19:50.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/hal.fc	2007-10-29 23:28:20.000000000 -0400
 @@ -2,15 +2,22 @@
  /etc/hal/device\.d/printer_remove\.hal -- 	gen_context(system_u:object_r:hald_exec_t,s0)
  /etc/hal/capability\.d/printer_update\.hal --	gen_context(system_u:object_r:hald_exec_t,s0)
@@ -6230,7 +6255,6 @@
 +/var/cache/hald(/.*)?				gen_context(system_u:object_r:hald_cache_t,s0)
 +
  /var/run/haldaemon.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
-+/var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 +
 +/usr/libexec/hal-acl-tool		--	gen_context(system_u:object_r:hald_acl_exec_t,s0)
 +/usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
@@ -6240,6 +6264,7 @@
 +/var/run/pm(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
 +/var/log/pm-suspend.log				gen_context(system_u:object_r:hald_log_t,s0)
 +/var/log/pm(/.*)?				gen_context(system_u:object_r:hald_log_t,s0)
++/var/run/vbe.* 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.6.4/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/hal.if	2007-08-07 09:42:35.000000000 -0400
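Review bot: `/var/run/vbe.*` replaces the exact `/var/run/vbestate` entry dropped in the previous hunk of this section, and because `.*` also matches `/`, it will label any regular file under a /var/run/vbe*/ subtree as hald_var_run_t rather than only the flat vbe* state files in /var/run. If only files directly in /var/run are meant, `/var/run/vbe[^/]*` expresses that; if a directory is expected, it should get its own entry without the `--` file-type restriction. A short comment naming which tool writes these files would also help the next reader, since the pattern no longer says.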
@@ -12728,7 +12753,7 @@
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-10-08 17:27:32.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-10-30 16:18:14.000000000 -0400
 @@ -9,6 +9,13 @@
  ifdef(`targeted_policy',`
  ## <desc>
@@ -12819,13 +12844,14 @@
  	')
  ')
  
-@@ -162,13 +186,8 @@
+@@ -162,13 +186,9 @@
  
  	fs_search_rpc(mount_t)
  
 -	sysnet_dns_name_resolve(mount_t)
 -
  	rpc_stub(mount_t)
++	rpc_domtrans_rpcd(mount_t)
  
 -	optional_policy(`
 -		nis_use_ypbind(mount_t)
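Review bot: `rpc_domtrans_rpcd(mount_t)` introduces a domain transition from mount_t into the rpc daemon domain with no comment on why mount needs it, and the changelog entry names rpc_mountd, so a reader cannot tell from the policy which executable is expected to trigger the transition. Suggest a one-line comment above the call, e.g. `# NFS mounts need to start the rpc daemons (rpc_mountd per changelog); confirm the exec type involved`. The enclosing block starts before this hunk and continues past it, so the surrounding conditional cannot be checked here.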
@@ -12833,7 +12859,7 @@
  ')
  
  optional_policy(`
-@@ -192,9 +211,6 @@
+@@ -192,9 +212,6 @@
  	samba_domtrans_smbmount(mount_t)
  ')
  
@@ -12843,7 +12869,7 @@
  
  ########################################
  #
-@@ -204,4 +220,30 @@
+@@ -204,4 +221,30 @@
  ifdef(`targeted_policy',`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -12995,7 +13021,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.4/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te	2007-09-10 14:35:42.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te	2007-10-30 06:40:52.000000000 -0400
 @@ -1,10 +1,8 @@
  
  policy_module(selinuxutil,1.5.0)
@@ -13209,7 +13235,7 @@
  
  libs_use_ld_so(semanage_t)
  libs_use_shared_libs(semanage_t)
-@@ -621,6 +640,15 @@
+@@ -621,6 +640,16 @@
  
  userdom_search_sysadm_home_dirs(semanage_t)
  
@@ -13220,12 +13246,13 @@
 +
 +optional_policy(`
 +	rpm_dontaudit_rw_tmp_files(semanage_t)
++	rpm_dontaudit_rw_pipes(semanage_t)
 +')
 +
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -700,6 +728,8 @@
+@@ -700,6 +729,8 @@
  ifdef(`hide_broken_symptoms',`
  	# cjp: cover up stray file descriptors.
  	optional_policy(`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.501
retrieving revision 1.502
diff -u -r1.501 -r1.502
--- selinux-policy.spec	27 Oct 2007 11:44:01 -0000	1.501
+++ selinux-policy.spec	30 Oct 2007 21:02:59 -0000	1.502
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 50%{?dist}
+Release: 51%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,11 @@
 %endif
 
 %changelog
+* Tue Oct 30 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-51
+- Allow fd passing
+- dontaudit rpm_rw_pipes
+- Allow mount to start rpc_mountd
+
 * Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-50
 - Fixes for exim to run from cron
 - Fix /var/run/ppp* spec



