rpms/selinux-policy/F-8 policy-20070703.patch, 1.118, 1.119 selinux-policy.spec, 1.564, 1.565

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Oct 31 13:51:02 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1667

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Tue Oct 30 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-43
- Add type definition for /dev/kvm


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.118
retrieving revision 1.119
diff -u -r1.118 -r1.119
--- policy-20070703.patch	31 Oct 2007 01:12:45 -0000	1.118
+++ policy-20070703.patch	31 Oct 2007 13:50:55 -0000	1.119
@@ -3643,7 +3643,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-10-31 09:43:13.000000000 -0400
 @@ -20,6 +20,7 @@
  /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -3652,7 +3652,15 @@
  /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
-@@ -98,6 +99,7 @@
+@@ -30,6 +31,7 @@
+ /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
++/dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,mls_systemhigh)
+ /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+@@ -98,6 +100,7 @@
  /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
  /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
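Review bot: The new `/dev/kvm` context is given `mls_systemhigh`, the level used by `/dev/kmem` and `/dev/kmsg` on the neighbouring lines, but nothing in the commit records why the hypervisor control node needs that level; under an MLS policy this presumably limits the device to system-high domains, which would keep lower-level VM launchers away from it, so it is worth confirming that is intended. A one-line comment next to the `kvm_device_t` declaration in devices.te stating the reason for the level would keep the choice from being read as a copy of the kmem line. Separately, once this is applied the node no longer carries the generic `device_t` label, so any domain that reached `/dev/kvm` through generic device rules loses it until some module calls the new `dev_rw_kvm`; none of the hunks shown adds such a caller, which may be deliberate but deserves a note in the log message.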
@@ -3662,7 +3670,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if	2007-10-31 09:46:00.000000000 -0400
 @@ -1306,6 +1306,44 @@
  
  ########################################
@@ -3708,6 +3716,102 @@
  ##	Read input event devices (/dev/input).
  ## </summary>
  ## <param name="domain">
+@@ -1623,6 +1661,78 @@
+ 
+ ########################################
+ ## <summary>
++##	Get the attributes of the kvm devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_getattr_kvm_dev',`
++	gen_require(`
++		type device_t, kvm_device_t;
++	')
++
++	getattr_chr_files_pattern($1,device_t,kvm_device_t)
++')
++
++########################################
++## <summary>
++##	Set the attributes of the kvm devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_setattr_kvm_dev',`
++	gen_require(`
++		type device_t, kvm_device_t;
++	')
++
++	setattr_chr_files_pattern($1,device_t,kvm_device_t)
++')
++
++########################################
++## <summary>
++##	Read the kvm devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_kvm',`
++	gen_require(`
++		type device_t, kvm_device_t;
++	')
++
++	read_chr_files_pattern($1,device_t,kvm_device_t)
++')
++
++########################################
++## <summary>
++##      Read and write to kvm devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_kvm',`
++	gen_require(`
++		type device_t, kvm_device_t;
++	')
++
++	rw_chr_files_pattern($1,device_t,kvm_device_t)
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of miscellaneous devices.
+ ## </summary>
+ ## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.0.8/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te	2007-10-22 13:21:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.te	2007-10-31 09:43:37.000000000 -0400
+@@ -72,6 +72,13 @@
+ dev_node(kmsg_device_t)
+ 
+ #
++# kvm_device_t is the type of
++# /dev/kvm
++#
++type kvm_device_t;
++dev_node(kvm_device_t)
++
++#
+ # Type for /dev/mapper/control
+ #
+ type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-10-22 13:21:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2007-10-30 19:48:13.000000000 -0400
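Review bot: The documentation block of `dev_rw_kvm` indents its summary lines with spaces (`##      Read and write to kvm devices.` and `##      Domain allowed access.`) while the three sibling interfaces added just above use a tab, so the generated interface docs will render the four blocks inconsistently. Suggest `##	Read and write to kvm devices.` and `##	Domain allowed access.` with a tab, matching `dev_read_kvm`. The devices.te addition itself looks fine: `type kvm_device_t;` followed by `dev_node(kvm_device_t)` mirrors the `kmsg_device_t` block it sits under.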
@@ -8543,7 +8647,7 @@
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.if	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.if	2007-10-31 07:35:43.000000000 -0400
 @@ -142,6 +142,12 @@
  		sendmail_create_log($1_mail_t)
  	')
@@ -8606,7 +8710,32 @@
  	create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  
-@@ -447,20 +481,18 @@
+@@ -436,6 +470,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Make the specified type readable for a system_mail_t
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type to be used as a mail client.
++##	</summary>
++## </param>
++#
++interface(`mta_mailcontent',`
++	gen_require(`
++		attribute mailcontent_type;
++	')
++
++	typeattribute $1 mailcontent_type;
++')
++
++########################################
++## <summary>
+ ##	Send mail from the system.
+ ## </summary>
+ ## <param name="domain">
+@@ -447,20 +499,18 @@
  interface(`mta_send_mail',`
  	gen_require(`
  		attribute mta_user_agent;
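Review bot: The `<param name="type">` summary of the new `mta_mailcontent` interface reads `Type to be used as a mail client.`, which does not describe what the interface does: it adds the type to `mailcontent_type`, and the mta.te hunk further down uses that attribute to grant `system_mail_t` read access to files of that type. Suggest `##	Type whose files system_mail_t may read as mail content.` for the parameter and `##	Make the specified type readable by system_mail_t.` for the summary. Since `read_files_pattern` is given the attribute as both the directory and the file type, the doc could also say that directories of the type become searchable, so a module author knows what is exposed by calling this.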
@@ -8633,7 +8762,7 @@
  ')
  
  ########################################
-@@ -595,6 +627,25 @@
+@@ -595,6 +645,25 @@
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file { rw_file_perms setattr };
  ')
@@ -8661,16 +8790,17 @@
  ## <summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te	2007-10-29 23:59:29.000000000 -0400
-@@ -6,6 +6,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/mta.te	2007-10-31 07:35:09.000000000 -0400
+@@ -6,6 +6,8 @@
  # Declarations
  #
  
++attribute mailcontent_type;
 +attribute mailclient_exec_type;
  attribute mta_user_agent;
  attribute mailserver_delivery;
  attribute mailserver_domain;
-@@ -27,6 +28,7 @@
+@@ -27,6 +29,7 @@
  
  type sendmail_exec_t;
  application_executable_file(sendmail_exec_t)
@@ -8678,7 +8808,12 @@
  
  mta_base_mail_template(system)
  role system_r types system_mail_t;
-@@ -44,23 +46,33 @@
+@@ -40,27 +43,38 @@
+ allow system_mail_t self:capability { dac_override };
+ 
+ read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
++read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
+ 
  kernel_read_system_state(system_mail_t)
  kernel_read_network_state(system_mail_t)
  
@@ -8712,7 +8847,7 @@
  ')
  
  optional_policy(`
-@@ -73,6 +85,7 @@
+@@ -73,6 +87,7 @@
  
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
@@ -11670,6 +11805,18 @@
  	seutil_sigchld_newrole(soundd_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
+--- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te	2007-10-31 09:26:27.000000000 -0400
+@@ -81,7 +81,7 @@
+ 
+ # var/lib files for spamd
+ allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+-read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
++manage_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
+ 
+ manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.8/policy/modules/services/squid.fc
 --- nsaserefpolicy/policy/modules/services/squid.fc	2007-10-22 13:21:36.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/squid.fc	2007-10-29 23:59:29.000000000 -0400
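Review bot: `manage_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)` widens spamd_t from read to create/write/unlink/rename on its /var/lib files, yet neither the log message nor the spec changelog entry (`- Add type definition for /dev/kvm`) records this change, and the new `mailcontent_type` attribute in mta is likewise unmentioned. Changelog lines such as `- Allow spamd to manage its var_lib files` and `- Add mailcontent_type attribute for system_mail_t readable content` would keep the package history complete. If the goal is only to let spamd update an existing database under /var/lib (a guess; the hunk does not say), `rw_files_pattern` would grant less than full manage.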


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.564
retrieving revision 1.565
diff -u -r1.564 -r1.565
--- selinux-policy.spec	30 Oct 2007 21:02:53 -0000	1.564
+++ selinux-policy.spec	31 Oct 2007 13:50:55 -0000	1.565
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 42%{?dist}
+Release: 43%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,9 @@
 %endif
 
 %changelog
+* Tue Oct 30 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-43
+- Add type definition for /dev/kvm
+
 * Tue Oct 30 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-42
 - Make tcbdomain 
 - Allow domain domain:fd use



