rpms/selinux-policy/devel policy-20070703.patch, 1.70, 1.71 selinux-policy.spec, 1.531, 1.532

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Sep 24 14:19:01 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1040

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Mon Sep 24 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-10
- Eliminate rpm_t:fifo_file avcs
- Fix dbus path for helper app


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- policy-20070703.patch	24 Sep 2007 12:42:07 -0000	1.70
+++ policy-20070703.patch	24 Sep 2007 14:18:57 -0000	1.71
@@ -835,8 +835,33 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.8/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/rpm.if	2007-09-17 16:20:18.000000000 -0400
-@@ -210,6 +210,24 @@
++++ serefpolicy-3.0.8/policy/modules/admin/rpm.if	2007-09-24 09:34:18.000000000 -0400
+@@ -152,6 +152,24 @@
+ 
+ ########################################
+ ## <summary>
++##	dontaudit read and write an unnamed RPM pipe.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`rpm_dontaudit_rw_pipes',`
++	gen_require(`
++		type rpm_t;
++	')
++
++	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Send and receive messages from
+ ##	rpm over dbus.
+ ## </summary>
+@@ -210,6 +228,24 @@
  
  ########################################
  ## <summary>
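Review bot: The summary of the new `rpm_dontaudit_rw_pipes` interface should make clear that it only silences the denial, because `dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;` grants nothing: a caller that actually needs to talk to rpm over the inherited pipe will still fail, now without an AVC to show why. Interfaces of this kind in the same file phrase it as a sentence rather than a bare verb, e.g. `##	Do not audit attempts to read and write an unnamed RPM pipe.`. The same consideration applies to the three callers added later in this commit, `daemon` in init.te and `semanage_t` and `setfiles_t` in selinuxutil.te; a short comment at the `daemon` call site naming the scenario being suppressed (presumably a daemon started from an rpm scriptlet inheriting rpm's pipe) would keep the rule from reading as an accidental blanket suppression.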
@@ -861,7 +886,7 @@
  ##	Create, read, write, and delete RPM
  ##	script temporary files.
  ## </summary>
-@@ -224,8 +242,29 @@
+@@ -224,8 +260,29 @@
  		type rpm_script_tmp_t;
  	')
  
@@ -892,7 +917,7 @@
  ')
  
  ########################################
-@@ -289,3 +328,84 @@
+@@ -289,3 +346,84 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -2306,7 +2331,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-09-21 14:41:45.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-09-24 09:59:57.000000000 -0400
 @@ -36,6 +36,11 @@
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -2340,7 +2365,7 @@
  
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
-@@ -259,3 +265,8 @@
+@@ -259,3 +265,9 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -2348,7 +2373,8 @@
 +/etc/gdm/XKeepsCrashing[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
 +/etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
 +/etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
-+/lib(64)?/dbus-1/dbus-daemon-launch-helper --    gen_context(system_u:object_r:bin_t,s0)
++/lib/dbus-1/dbus-daemon-launch-helper --    gen_context(system_u:object_r:bin_t,s0)
++/lib64/dbus-1/dbus-daemon-launch-helper --    gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in	2007-09-17 16:20:18.000000000 -0400
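Review bot: The split of `/lib(64)?/dbus-1/dbus-daemon-launch-helper` into two literal entries at the end of this hunk is undocumented, and nothing in the hunk says why the regex form was not sufficient; a comment above them such as `# kept as two literal paths on purpose; see the 3.0.8-10 changelog` would stop a later cleanup from re-merging them. That the regex form failed to label the helper is inferred only from the changelog line "Fix dbus path for helper app", not from anything visible here. Both new lines also separate the `--` flag and the context with runs of spaces where the neighbouring entries use tabs.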
@@ -10991,8 +11017,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.if	2007-09-22 07:07:39.000000000 -0400
-@@ -211,6 +211,13 @@
++++ serefpolicy-3.0.8/policy/modules/system/init.if	2007-09-24 09:49:24.000000000 -0400
+@@ -211,6 +211,20 @@
  			kernel_dontaudit_use_fds($1)
  		')
  	')
@@ -11003,10 +11029,17 @@
 +	   term_dontaudit_use_all_user_ttys($1)
 +	   term_dontaudit_use_all_user_ptys($1)
 +	 ')
++	optional_policy(`
++		tunable_policy(`allow_daemons_use_tty',`
++		   unconfined_use_terminals($1)
++		', `
++		   unconfined_dontaudit_use_terminals($1)
++		')
++	')
  ')
  
  ########################################
-@@ -540,18 +547,19 @@
+@@ -540,18 +554,19 @@
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -11030,23 +11063,26 @@
  	')
  ')
  
-@@ -567,18 +575,46 @@
+@@ -567,18 +582,46 @@
  #
  interface(`init_domtrans_script',`
  	gen_require(`
 -		type initrc_t, initrc_exec_t;
 +		type initrc_t;
 +		attribute initscript;
-+	')
-+
-+	files_list_etc($1)
+ 	')
+ 
+ 	files_list_etc($1)
+-	domtrans_pattern($1,initrc_exec_t,initrc_t)
 +	domtrans_pattern($1,initscript,initrc_t)
-+
-+	ifdef(`enable_mcs',`
+ 
+ 	ifdef(`enable_mcs',`
+-		range_transition $1 initrc_exec_t:process s0;
 +		range_transition $1 initscript:process s0;
-+	')
-+
-+	ifdef(`enable_mls',`
+ 	')
+ 
+ 	ifdef(`enable_mls',`
+-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 initscript:process s0 - mls_systemhigh;
 +	')
 +')
@@ -11064,24 +11100,21 @@
 +interface(`init_script_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
- 
- 	files_list_etc($1)
--	domtrans_pattern($1,initrc_exec_t,initrc_t)
++	')
++
++	files_list_etc($1)
 +	domtrans_pattern($1,$2,initrc_t)
- 
- 	ifdef(`enable_mcs',`
--		range_transition $1 initrc_exec_t:process s0;
++
++	ifdef(`enable_mcs',`
 +		range_transition $1 $2:process s0;
- 	')
- 
- 	ifdef(`enable_mls',`
--		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++	')
++
++	ifdef(`enable_mls',`
 +		range_transition $1 $2:process s0 - mls_systemhigh;
  	')
  ')
  
-@@ -609,11 +645,11 @@
+@@ -609,11 +652,11 @@
  # cjp: added for gentoo integrated run_init
  interface(`init_script_file_domtrans',`
  	gen_require(`
@@ -11095,7 +11128,7 @@
  ')
  
  ########################################
-@@ -684,11 +720,11 @@
+@@ -684,11 +727,11 @@
  #
  interface(`init_getattr_script_files',`
  	gen_require(`
@@ -11109,7 +11142,7 @@
  ')
  
  ########################################
-@@ -703,11 +739,11 @@
+@@ -703,11 +746,11 @@
  #
  interface(`init_exec_script_files',`
  	gen_require(`
@@ -11123,7 +11156,7 @@
  ')
  
  ########################################
-@@ -931,6 +967,7 @@
+@@ -931,6 +974,7 @@
  
  	dontaudit $1 initrc_t:unix_stream_socket connectto;
  ')
@@ -11131,7 +11164,7 @@
  ########################################
  ## <summary>
  ##	Send messages to init scripts over dbus.
-@@ -1030,11 +1067,11 @@
+@@ -1030,11 +1074,11 @@
  #
  interface(`init_read_script_files',`
  	gen_require(`
@@ -11145,7 +11178,7 @@
  ')
  
  ########################################
-@@ -1252,7 +1289,7 @@
+@@ -1252,7 +1296,7 @@
  		type initrc_var_run_t;
  	')
  
@@ -11154,7 +11187,7 @@
  ')
  
  ########################################
-@@ -1273,3 +1310,64 @@
+@@ -1273,3 +1317,64 @@
  	files_search_pids($1)
  	allow $1 initrc_var_run_t:file manage_file_perms;
  ')
@@ -11221,7 +11254,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-09-22 07:06:37.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-09-24 09:50:18.000000000 -0400
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -11316,7 +11349,7 @@
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -497,6 +515,43 @@
+@@ -497,6 +515,47 @@
  ')
  
  optional_policy(`
@@ -11342,17 +11375,21 @@
 +	files_dump_core(daemon)
 +')
 +
++tunable_policy(`allow_daemons_use_tty',`
++	term_use_all_user_ttys(daemon)
++	term_use_all_user_ptys(daemon)
++', `
++	term_dontaudit_use_all_user_ttys(daemon)
++	term_dontaudit_use_all_user_ptys(daemon)
++')
++
 +optional_policy(`
 +	unconfined_dontaudit_rw_pipes(daemon)
 +
 +	tunable_policy(`allow_daemons_use_tty',`
 +		unconfined_use_terminals(daemon)
-+		term_use_all_user_ttys(daemon)
-+		term_use_all_user_ptys(daemon)
 + 	', `
 +		unconfined_dontaudit_use_terminals(daemon)
-+		term_dontaudit_use_all_user_ttys(daemon)
-+		term_dontaudit_use_all_user_ptys(daemon)
 + 	')
 +')
 + 
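Review bot: The new standalone `tunable_policy(`allow_daemons_use_tty',` block applies `term_use_all_user_ttys(daemon)` and `term_use_all_user_ptys(daemon)` to every domain carrying the `daemon` attribute whenever the boolean is on, independent of whether the unconfined module is loaded, which is wider than the previous placement inside the unconfined `optional_policy(` block; the tunable's description (in global_tunables, outside this diff) should say so, since an administrator enabling it for one service gets it for all daemons. The retained block below keeps only the `unconfined_*` calls, which is the right split because the unconfined module may be absent. The same structure is introduced into init.if in the hunk at `@@ -211,6 +211,20 @@`, where the enclosing interface starts outside the hunk. The stray leading space before the tab on the `', `` and `')` lines of the retained block predates this commit but is worth fixing while the block is being edited.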
@@ -11360,7 +11397,7 @@
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
  ')
-@@ -632,12 +687,6 @@
+@@ -632,12 +691,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -11373,7 +11410,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -703,6 +752,9 @@
+@@ -703,6 +756,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -11383,6 +11420,17 @@
  ')
  
  optional_policy(`
+@@ -750,6 +806,10 @@
+ ')
+ 
+ optional_policy(`
++	rpm_dontaudit_rw_pipes(daemon)
++')
++
++optional_policy(`
+ 	vmware_read_system_config(initrc_t)
+ 	vmware_append_system_config(initrc_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/ipsec.te	2007-09-17 16:20:18.000000000 -0400
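Review bot: `rpm_dontaudit_rw_pipes(daemon)` is added as a new `optional_policy(` block of its own immediately before the vmware block, while init.te already has an rpm `optional_policy(` block (the one containing `rpm_manage_db(initrc_t)` in the preceding hunk). If the separate block is deliberate because that existing block sits under `ifdef(`distro_redhat',` and the `daemon` rule must apply on every distribution, a one-line comment such as `# kept outside the distro_redhat block above: applies to all daemons` would make that intent visible. The exact boundaries of the existing rpm block are not visible in this diff, so the placement is inferred from the hunk headers.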
@@ -12803,7 +12851,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te	2007-09-20 11:55:54.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te	2007-09-24 09:36:36.000000000 -0400
 @@ -76,7 +76,6 @@
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -12933,7 +12981,7 @@
  auth_dontaudit_read_shadow(run_init_t)
  
  corecmd_exec_bin(run_init_t)
-@@ -423,77 +426,53 @@
+@@ -423,77 +426,54 @@
  	nscd_socket_use(run_init_t)
  ')	
  
@@ -13035,12 +13083,13 @@
 +
 +optional_policy(`
 +	rpm_dontaudit_rw_tmp_files(semanage_t)
++	rpm_dontaudit_rw_pipes(semanage_t)
 +')
 +
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -521,6 +500,8 @@
+@@ -521,6 +501,8 @@
  allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
  allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
  
@@ -13049,7 +13098,7 @@
  kernel_read_system_state(setfiles_t)
  kernel_relabelfrom_unlabeled_dirs(setfiles_t)
  kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -537,6 +518,7 @@
+@@ -537,6 +519,7 @@
  
  fs_getattr_xattr_fs(setfiles_t)
  fs_list_all(setfiles_t)
@@ -13057,8 +13106,14 @@
  fs_search_auto_mountpoints(setfiles_t)
  fs_relabelfrom_noxattr_fs(setfiles_t)
  
-@@ -592,6 +574,10 @@
+@@ -590,8 +573,16 @@
+ 	fs_relabel_tmpfs_chr_file(setfiles_t)
+ ')
  
++optional_policy(`
++	rpm_dontaudit_rw_pipes(setfiles_t)
++')
++
  ifdef(`hide_broken_symptoms',`
  	optional_policy(`
 +		ppp_dontaudit_use_fds(setfiles_t)
@@ -13068,6 +13123,18 @@
  		udev_dontaudit_rw_dgram_sockets(setfiles_t)
  	')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc
+--- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2007-05-29 14:10:58.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc	2007-09-24 08:54:25.000000000 -0400
+@@ -54,7 +54,7 @@
+ 
+ /var/run/dhclient.*\.pid --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+ /var/run/dhclient.*\.leases --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+-
++/var/run/dhclient-[^/]*\.lease -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+ ifdef(`distro_gentoo',`
+ /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2007-07-03 07:06:32.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if	2007-09-17 16:20:18.000000000 -0400
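Review bot: The new `/var/run/dhclient-[^/]*\.lease` entry in sysnetwork.fc replaces the blank line that separated the dhclient entries from the `ifdef(`distro_gentoo',` block, so the ifdef now follows it directly; adding the entry as an extra `+` line and keeping the blank line preserves the file's layout. The entry itself is needed, since the preceding pattern `/var/run/dhclient.*\.leases` only matches names ending in `.leases`, not `.lease`. It also separates the `--` flag and the context with spaces where the adjacent lines use tabs.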


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.531
retrieving revision 1.532
diff -u -r1.531 -r1.532
--- selinux-policy.spec	22 Sep 2007 12:15:13 -0000	1.531
+++ selinux-policy.spec	24 Sep 2007 14:18:57 -0000	1.532
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,10 @@
 %endif
 
 %changelog
+* Mon Sep 24 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-10
+- Eliminate rpm_t:fifo_file avcs
+- Fix dbus path for helper app
+
 * Sat Sep 22 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-9
 - Fix service start stop terminal avc's
 



