rpms/selinux-policy/F-7 policy-20070501.patch, 1.70, 1.71 selinux-policy.spec, 1.501, 1.502
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Oct 30 21:03:07 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7410
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Tue Oct 30 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-51
- Allow fd passing
- dontaudit rpm_rw_pipes
- Allow mount to start rpc_mountd
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- policy-20070501.patch 27 Oct 2007 11:44:01 -0000 1.70
+++ policy-20070501.patch 30 Oct 2007 21:02:59 -0000 1.71
@@ -916,7 +916,7 @@
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.6.4/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/rpm.if 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/rpm.if 2007-10-30 06:41:29.000000000 -0400
@@ -211,6 +211,24 @@
########################################
@@ -973,7 +973,7 @@
')
########################################
-@@ -290,3 +329,103 @@
+@@ -290,3 +329,120 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -1077,6 +1077,23 @@
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+')
+
++########################################
++## <summary>
++## dontaudit read and write an unnamed RPM pipe.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`rpm_dontaudit_rw_pipes',`
++ gen_require(`
++ type rpm_t;
++ ')
++
++ dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
++')
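Review bot: The summary on the new `rpm_dontaudit_rw_pipes` interface reads as a rule fragment rather than a description; refpolicy's other dontaudit interfaces phrase it as an action, so the header should read `## Do not audit attempts to read and write an unnamed RPM pipe.`. It would also help callers to state in the summary that this is meant to cover descriptors rpm leaves open to scriptlets, since that is the only reason a non-rpm domain would touch an rpm_t fifo_file, e.g. `## Used to silence denials on pipes inherited from rpm scriptlets.`.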
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.6.4/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-05-07 14:51:05.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/admin/rpm.te 2007-08-07 09:42:35.000000000 -0400
@@ -2388,7 +2405,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.6.4/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/domain.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/domain.te 2007-10-30 16:16:45.000000000 -0400
@@ -6,6 +6,29 @@
# Declarations
#
@@ -2430,7 +2447,7 @@
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
-@@ -144,3 +171,26 @@
+@@ -144,3 +171,33 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -2457,6 +2474,13 @@
+ ipsec_labeled(domain)
+ ')
+')
++
++# Allow all domains to use fds past to them
++allow domain domain:fd use;
++optional_policy(`
++ rpm_dontaudit_rw_pipes(domain)
++')
++
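Review bot: `allow domain domain:fd use;` removes the fd:use check for every pair of domains on the system, which is the check that normally exposes descriptors leaked across exec or passed over a unix socket from a more privileged domain; the receiving domain still needs its own permissions on the file's type, but the leak itself is no longer visible or blockable. A policy-wide grant this broad belongs behind `ifdef(`targeted_policy',` or a tunable rather than unconditionally in domain.te, and the comment has a typo: `# Allow all domains to use fds passed to them`. The unconditional `rpm_dontaudit_rw_pipes(domain)` has the same shape: it silences rpm_t pipe denials for every domain, so a scriptlet-spawned program misbehaving on rpm's pipes leaves no audit trace; the selinuxutil.te hunk in this same patch shows the file already uses `ifdef(`hide_broken_symptoms',` for cover-ups of stray descriptors, and this dontaudit fits there better.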
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-10-18 17:13:23.000000000 -0400
@@ -5899,8 +5923,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-2.6.4/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-22 11:12:46.000000000 -0400
-@@ -0,0 +1,230 @@
++++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-30 16:46:45.000000000 -0400
+@@ -0,0 +1,231 @@
+# $Id$
+# Draft SELinux refpolicy module for the Exim MTA
+#
@@ -5915,6 +5939,7 @@
+
+type exim_t;
+type exim_exec_t;
++init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
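Review bot: The added `init_daemon_domain(exim_t, exim_exec_t)` looks redundant with the `mta_mailserver(exim_t, exim_exec_t)` call on the next line, because in upstream refpolicy `mta_mailserver` already wraps `init_daemon_domain` for its arguments; if Fedora's mta.if differs and the explicit call is needed, a comment should say so, e.g. `# mta_mailserver() in this tree does not set up the init transition`. If it is not needed, the duplicate declaration of the same domain/entrypoint pairing is harmless but obscures which interface actually owns exim_t's type declaration. The module's remaining rules are outside this hunk.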
@@ -6211,7 +6236,7 @@
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.6.4/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/hal.fc 2007-10-09 17:19:50.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/hal.fc 2007-10-29 23:28:20.000000000 -0400
@@ -2,15 +2,22 @@
/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
@@ -6230,7 +6255,6 @@
+/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
+
/var/run/haldaemon.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
-+/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
+
+/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
+/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
@@ -6240,6 +6264,7 @@
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/log/pm-suspend.log gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
++/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
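Review bot: Replacing the exact `/var/run/vbestate` entry with `/var/run/vbe.*` labels considerably more than the old pattern: `.*` also matches `/`, so any regular file under a `/var/run/vbe…` subtree, and any unrelated file whose name merely starts with `vbe`, becomes hald_var_run_t. If the intent is to cover a small set of state files created next to each other, `/var/run/vbe[^/]* -- gen_context(system_u:object_r:hald_var_run_t,s0)` keeps the match to that directory, or list the actual file names. The entry was also appended after the `/var/log/pm` lines rather than alongside the other `/var/run/` hald entries earlier in the file, which makes the set of hald_var_run_t paths harder to audit.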
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.6.4/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/hal.if 2007-08-07 09:42:35.000000000 -0400
@@ -12728,7 +12753,7 @@
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-10-08 17:27:32.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-10-30 16:18:14.000000000 -0400
@@ -9,6 +9,13 @@
ifdef(`targeted_policy',`
## <desc>
@@ -12819,13 +12844,14 @@
')
')
-@@ -162,13 +186,8 @@
+@@ -162,13 +186,9 @@
fs_search_rpc(mount_t)
- sysnet_dns_name_resolve(mount_t)
-
rpc_stub(mount_t)
++ rpc_domtrans_rpcd(mount_t)
- optional_policy(`
- nis_use_ypbind(mount_t)
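Review bot: `rpc_domtrans_rpcd(mount_t)` gives mount_t an unconditional transition into rpcd_t, and if rpcd_t is the shared domain for the rpc.* daemons as in refpolicy, that covers every rpcd_exec_t binary, not only rpc.mountd as the changelog suggests. A comment naming the binary mount actually executes and why would let a later reviewer confirm the grant is still needed, e.g. `# mount execs rpc.mountd when exporting NFS; needs rpcd_t transition`, and since rpc support is optional here the call belongs inside the `optional_policy(` block that holds `rpc_stub(mount_t)`. The enclosing block starts and ends outside this hunk, so its exact placement is inferred from the surrounding context.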
@@ -12833,7 +12859,7 @@
')
optional_policy(`
-@@ -192,9 +211,6 @@
+@@ -192,9 +212,6 @@
samba_domtrans_smbmount(mount_t)
')
@@ -12843,7 +12869,7 @@
########################################
#
-@@ -204,4 +220,30 @@
+@@ -204,4 +221,30 @@
ifdef(`targeted_policy',`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -12995,7 +13021,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.4/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-09-10 14:35:42.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-10-30 06:40:52.000000000 -0400
@@ -1,10 +1,8 @@
policy_module(selinuxutil,1.5.0)
@@ -13209,7 +13235,7 @@
libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
-@@ -621,6 +640,15 @@
+@@ -621,6 +640,16 @@
userdom_search_sysadm_home_dirs(semanage_t)
@@ -13220,12 +13246,13 @@
+
+optional_policy(`
+ rpm_dontaudit_rw_tmp_files(semanage_t)
++ rpm_dontaudit_rw_pipes(semanage_t)
+')
+
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
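Review bot: `rpm_dontaudit_rw_pipes(semanage_t)` duplicates the `rpm_dontaudit_rw_pipes(domain)` rule this same patch adds to domain.te, since semanage_t carries the domain attribute like every process type; the per-domain call is only meaningful if the global one is dropped. Pick one: keep this targeted dontaudit (semanage is commonly run from rpm scriptlets, which is presumably the case being silenced) and remove the domain-wide rule, or rely on the domain-wide rule and drop this line. Leaving both makes it unclear which rule is load-bearing when the dontaudit is later revisited.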
-@@ -700,6 +728,8 @@
+@@ -700,6 +729,8 @@
ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors.
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.501
retrieving revision 1.502
diff -u -r1.501 -r1.502
--- selinux-policy.spec 27 Oct 2007 11:44:01 -0000 1.501
+++ selinux-policy.spec 30 Oct 2007 21:02:59 -0000 1.502
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 50%{?dist}
+Release: 51%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,11 @@
%endif
%changelog
+* Tue Oct 30 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-51
+- Allow fd passing
+- dontaudit rpm_rw_pipes
+- Allow mount to start rpc_mountd
+
* Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-50
- Fixes for exim to run from cron
- Fix /var/run/ppp* spec