rpms/selinux-policy/devel policy-20070703.patch, 1.50, 1.51 selinux-policy.spec, 1.517, 1.518

Fri Sep 7 20:10:11 UTC 2007

Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24599

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Fri Sep 7 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-7
- Turn off direct transition


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -r1.50 -r1.51

--- policy-20070703.patch	7 Sep 2007 19:03:11 -0000	1.50
+++ policy-20070703.patch	7 Sep 2007 20:10:07 -0000	1.51
@@ -12734,7 +12734,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/userdomain.if	2007-09-07 15:05:57.000000000 -0400
 @@ -45,7 +45,7 @@
  	type $1_tty_device_t; 
  	term_user_tty($1_t,$1_tty_device_t)
@@ -13106,7 +13106,7 @@
  		samba_stream_connect_winbind($1_t)
  	')
  
-@@ -954,21 +881,162 @@
+@@ -954,21 +881,163 @@
  ##	</summary>
  ## </param>
  #
@@ -13166,6 +13166,7 @@
 +	dontaudit $1_t self:capability { sys_nice fsetid };
 +
 +	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
++	dontaudit $1_t self:process setrlimit;
 +	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 +
 +	allow $1_t self:context contains;
@@ -13275,7 +13276,7 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1045,51 @@
+@@ -977,23 +1046,51 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
@@ -13338,7 +13339,7 @@
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1125,7 @@
+@@ -1029,15 +1126,7 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -13355,7 +13356,7 @@
  	')
  
  	optional_policy(`
-@@ -1054,17 +1142,6 @@
+@@ -1054,17 +1143,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -13373,7 +13374,7 @@
  ')
  
  #######################################
-@@ -1102,6 +1179,8 @@
+@@ -1102,6 +1180,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -13382,7 +13383,7 @@
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1206,7 @@
+@@ -1127,7 +1207,7 @@
  	# $1_t local policy
  	#
  
@@ -13391,7 +13392,7 @@
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,7 +1218,11 @@
+@@ -1139,7 +1219,11 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -13404,7 +13405,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1856,17 +1939,53 @@
+@@ -1856,17 +1940,53 @@
  ##	</summary>
  ## </param>
  #
@@ -13462,7 +13463,7 @@
  ##	in a user home subdirectory.
  ## </summary>
  ## <desc>
-@@ -1891,13 +2010,12 @@
+@@ -1891,13 +2011,12 @@
  ##	</summary>
  ## </param>
  #
@@ -13479,7 +13480,7 @@
  ')
  
  ########################################
-@@ -3078,7 +3196,7 @@
+@@ -3078,7 +3197,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -13488,7 +13489,7 @@
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4615,6 +4733,24 @@
+@@ -4615,6 +4734,24 @@
  	files_list_home($1)
  	allow $1 home_dir_type:dir search_dir_perms;
  ')
@@ -13513,7 +13514,7 @@
  
  ########################################
  ## <summary>
-@@ -5323,7 +5459,7 @@
+@@ -5323,7 +5460,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -13522,7 +13523,7 @@
  ')
  
  ########################################
-@@ -5559,3 +5695,299 @@
+@@ -5559,3 +5696,299 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.517
retrieving revision 1.518
diff -u -r1.517 -r1.518
--- selinux-policy.spec	7 Sep 2007 19:03:11 -0000	1.517
+++ selinux-policy.spec	7 Sep 2007 20:10:07 -0000	1.518
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.7
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -194,8 +194,8 @@
 %if %{BUILD_TARGETED}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-%setupCmds targeted mcs y y
-%installCmds targeted mcs y y
+%setupCmds targeted mcs n y
+%installCmds targeted mcs n y
 %endif
 
 %if %{BUILD_MLS}
@@ -207,8 +207,8 @@
 %if %{BUILD_OLPC}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-%setupCmds olpc mcs y y
-%installCmds olpc mcs y y
+%setupCmds olpc mcs n y
+%installCmds olpc mcs n y
 %endif
 
 make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
@@ -362,6 +362,9 @@
 %endif
 
 %changelog
+* Fri Sep 7 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-7
+- Turn off direct transition
+
 * Fri Sep 7 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-6
 - Allow wine to run in system role
 


