rpms/selinux-policy/devel modules-targeted.conf, 1.66, 1.67 policy-20070703.patch, 1.52, 1.53 selinux-policy.spec, 1.518, 1.519
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Sep 10 22:02:40 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27888
Modified Files:
modules-targeted.conf policy-20070703.patch
selinux-policy.spec
Log Message:
* Mon Sep 10 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-8
- Allow newalias/sendmail dac_override
- Allow bind to bind to all udp ports
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.66
retrieving revision 1.67
diff -u -r1.66 -r1.67
--- modules-targeted.conf 6 Sep 2007 23:34:02 -0000 1.66
+++ modules-targeted.conf 10 Sep 2007 22:02:06 -0000 1.67
@@ -1505,3 +1505,12 @@
# Minimally prived root role for managing apache
#
webadm = module
+
+#
+# Layer: services
+# Module: exim
+#
+# exim mail server
+#
+exim = module
+
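Review bot: Enabling the exim module here is not reflected in the commit's changelog, which lists only the sendmail dac_override and bind udp-port changes; adding a new confined domain to the targeted build is worth a line of its own, e.g. `- Add exim module to the targeted policy`. The same omission applies to the `samba_run_smbcontrol` additions for unconfined_t (`@@ -12678,18 +13735,18 @@`) and sysadm_t (`@@ -13908,7 +14965,12 @@`) in policy-20070703.patch. The new stanza itself follows the Layer/Module header format of the surrounding entries.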
policy-20070703.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.52 -r 1.53 policy-20070703.patch
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- policy-20070703.patch 7 Sep 2007 20:26:11 -0000 1.52
+++ policy-20070703.patch 10 Sep 2007 22:02:06 -0000 1.53
@@ -495,12 +495,12 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-3.0.7/policy/modules/admin/dmidecode.te
--- nsaserefpolicy/policy/modules/admin/dmidecode.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/dmidecode.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/admin/dmidecode.te 2007-09-07 17:05:59.000000000 -0400
@@ -20,6 +20,7 @@
# Allow dmidecode to read /dev/mem
dev_read_raw_memory(dmidecode_t)
-+dev_search_sysfs(dmidecode_t)
++dev_read_sysfs(dmidecode_t)
mls_file_read_all_levels(dmidecode_t)
@@ -2745,7 +2745,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.7/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/files.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/files.if 2007-09-10 16:27:16.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@@ -2830,7 +2830,32 @@
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -3323,6 +3359,42 @@
+@@ -3107,6 +3143,24 @@
+
+ ########################################
+ ## <summary>
++## Manage temporary directories in /tmp.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`files_manage_generic_tmp_dirs',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ manage_dirs_pattern($1,tmp_t,tmp_t)
++')
++
++########################################
++## <summary>
+ ## Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+@@ -3323,6 +3377,42 @@
########################################
## <summary>
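Review bot: The new `files_manage_generic_tmp_dirs` interface grants `manage_dirs_pattern` on the shared `tmp_t` type, i.e. create/delete/rename of arbitrary directories in /tmp rather than on a private per-domain tmp type, and no caller is visible in this hunk to justify the scope. If the caller only needs its own directories, a `files_tmp_filetrans` to a private tmp type would avoid letting that domain touch other domains' /tmp entries; if the broad grant is intentional, say so in the interface summary, e.g. add `## Callers should prefer a private tmp type via files_tmp_filetrans.` below the existing summary line. The nested `@@ -3107,6 +3143,24 @@` hunk this inserts into files.if continues past the end of this hunk.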
@@ -2873,7 +2898,7 @@
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
-@@ -3381,7 +3453,7 @@
+@@ -3381,7 +3471,7 @@
########################################
## <summary>
@@ -2882,7 +2907,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -3389,17 +3461,17 @@
+@@ -3389,17 +3479,17 @@
## </summary>
## </param>
#
@@ -2903,7 +2928,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -3407,12 +3479,12 @@
+@@ -3407,12 +3497,12 @@
## </summary>
## </param>
#
@@ -2918,7 +2943,7 @@
')
########################################
-@@ -4043,7 +4115,7 @@
+@@ -4043,7 +4133,7 @@
type var_t, var_lock_t;
')
@@ -2927,7 +2952,7 @@
')
########################################
-@@ -4560,6 +4632,8 @@
+@@ -4560,6 +4650,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@@ -2936,7 +2961,7 @@
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
-@@ -4582,6 +4656,11 @@
+@@ -4582,6 +4674,11 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -2948,7 +2973,7 @@
')
########################################
-@@ -4619,3 +4698,28 @@
+@@ -4619,3 +4716,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -3171,6 +3196,99 @@
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read };
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.7/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/storage.fc 2007-09-10 15:52:30.000000000 -0400
+@@ -52,7 +52,7 @@
+
+ /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+-/dev/fuse -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
+ /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+
+ /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.7/policy/modules/kernel/storage.if
+--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-08-22 07:14:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/storage.if 2007-09-10 15:54:45.000000000 -0400
+@@ -673,3 +673,61 @@
+
+ typeattribute $1 storage_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## Allow the caller to get the attributes
++## of device nodes of fuse devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`storage_getattr_fuse_dev',`
++ gen_require(`
++ type fuse_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 fuse_device_t:chr_file getattr;
++')
++
++########################################
++## <summary>
++## read or write fuse device interfaces.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`storage_rw_fuse',`
++ gen_require(`
++ type fuse_device_t;
++ ')
++
++ allow $1 fuse_device_t:chr_file rw_file_perms;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to read or write
++## fuse device interfaces.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
[...1648 lines suppressed...]
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -11637,7 +12686,7 @@
libs_use_ld_so(mount_t)
libs_use_shared_libs(mount_t)
-@@ -127,10 +138,15 @@
+@@ -127,10 +139,15 @@
')
')
@@ -11654,7 +12703,7 @@
')
optional_policy(`
-@@ -159,13 +175,8 @@
+@@ -159,13 +176,8 @@
fs_search_rpc(mount_t)
@@ -11668,7 +12717,7 @@
')
optional_policy(`
-@@ -189,10 +200,6 @@
+@@ -189,10 +201,6 @@
samba_domtrans_smbmount(mount_t)
')
@@ -11679,7 +12728,7 @@
########################################
#
# Unconfined mount local policy
-@@ -201,4 +208,29 @@
+@@ -201,4 +209,29 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -11993,7 +13042,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.7/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/selinuxutil.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/selinuxutil.te 2007-09-10 14:35:10.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.6.2)
@@ -12110,7 +13159,15 @@
dev_read_urand(semanage_t)
-@@ -465,6 +479,8 @@
+@@ -452,6 +466,7 @@
+ files_read_etc_runtime_files(semanage_t)
+ files_read_usr_files(semanage_t)
+ files_list_pids(semanage_t)
++fs_list_inotifyfs(semanage_t)
+
+ mls_file_write_all_levels(semanage_t)
+ mls_file_read_all_levels(semanage_t)
+@@ -465,6 +480,8 @@
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
@@ -12119,7 +13176,7 @@
libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
-@@ -488,6 +504,17 @@
+@@ -488,6 +505,17 @@
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
@@ -12137,7 +13194,7 @@
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -515,6 +542,8 @@
+@@ -515,6 +543,8 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
@@ -12146,7 +13203,7 @@
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -531,6 +560,7 @@
+@@ -531,6 +561,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@@ -12154,7 +13211,7 @@
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -586,6 +616,10 @@
+@@ -586,6 +617,10 @@
ifdef(`hide_broken_symptoms',`
optional_policy(`
@@ -12527,7 +13584,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.7/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/unconfined.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/unconfined.te 2007-09-10 16:37:23.000000000 -0400
@@ -5,28 +5,36 @@
#
# Declarations
@@ -12598,17 +13655,17 @@
optional_policy(`
- ada_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
-- # this is disallowed usage:
-- unconfined_domain(httpd_unconfined_script_t)
+ ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
+- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
+- # this is disallowed usage:
+- unconfined_domain(httpd_unconfined_script_t)
+-')
+-
+-optional_policy(`
- bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
@@ -12653,7 +13710,7 @@
')
optional_policy(`
-@@ -155,22 +153,12 @@
+@@ -155,32 +153,23 @@
optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -12678,18 +13735,18 @@
')
optional_policy(`
-@@ -180,9 +168,10 @@
+ samba_per_role_template(unconfined)
+ samba_run_net(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_winbind_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ samba_run_smbcontrol(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- spamassassin_per_role_template(unconfined,unconfined_t,unconfined_r)
-+ sendmail_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ sendmail_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
-+
optional_policy(`
- sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- sysnet_dbus_chat_dhcpc(unconfined_t)
@@ -205,11 +194,12 @@
')
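Review bot: `sendmail_run_unconfined` replaces `sendmail_run` for unconfined_t here, which changes the domain sendmail executes in for unconfined users, but the interface is not defined anywhere in the visible part of the patch; presumably it is added in the suppressed portion, and that should be confirmed so the optional_policy block does not fail to build when the sendmail module is absent or older. A one-line comment above the call would help the next reader, e.g. `# sendmail run unconfined from unconfined_t; defined in mta/sendmail.if`. The enclosing optional_policy blocks start and end outside this hunk.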
@@ -13825,7 +14882,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.7/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-08-22 07:14:11.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/userdomain.te 2007-09-10 14:07:37.000000000 -0400
@@ -74,6 +74,9 @@
# users home directory contents
attribute home_type;
@@ -13908,7 +14965,12 @@
netutils_run(sysadm_t,sysadm_r,admin_terminal)
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
-@@ -447,11 +448,15 @@
+@@ -443,15 +444,20 @@
+
+ optional_policy(`
+ samba_run_net(sysadm_t,sysadm_r,admin_terminal)
++ samba_run_smbcontrol(sysadm_t,sysadm_r,admin_terminal)
+ samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`
@@ -13924,7 +14986,7 @@
', `
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
')
-@@ -494,3 +499,7 @@
+@@ -494,3 +500,7 @@
optional_policy(`
yam_run(sysadm_t,sysadm_r,admin_terminal)
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.518
retrieving revision 1.519
diff -u -r1.518 -r1.519
--- selinux-policy.spec 7 Sep 2007 20:10:07 -0000 1.518
+++ selinux-policy.spec 10 Sep 2007 22:02:06 -0000 1.519
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.7
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,10 @@
%endif
%changelog
+* Mon Sep 10 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-8
+- Allow newalias/sendmail dac_override
+- Allow bind to bind to all udp ports
+
* Fri Sep 7 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-7
- Turn off direct transition