rpms/selinux-policy/devel policy-20070703.patch, 1.72, 1.73 selinux-policy.spec, 1.533, 1.534
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Sep 25 13:30:41 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31510
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Mon Sep 24 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-12
- Allow nsswitch apps to read samba_var_t
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -r1.72 -r1.73
--- policy-20070703.patch 24 Sep 2007 20:26:11 -0000 1.72
+++ policy-20070703.patch 25 Sep 2007 13:30:08 -0000 1.73
@@ -2658,11 +2658,13 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.8/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.fc 2007-09-18 20:56:27.000000000 -0400
-@@ -210,6 +210,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/files.fc 2007-09-25 09:00:58.000000000 -0400
+@@ -209,7 +209,8 @@
+ /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>>
- /usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
+-/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
++#/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
+/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
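Review bot: The `/usr/share(/.*)?/lib(64)?(/.*)?` entry in files.fc is disabled by leaving a commented-out copy with no reason given, and the 3.0.8-12 log message does not mention it. With the explicit usr_t entry gone, paths under /usr/share/*/lib take their label from whichever other file-context pattern matches, presumably a generic lib rule. Existing installs would then need a relabel, and the access other domains get to those files changes with the label. I would either delete the line outright or put the reason above it, e.g. `# disabled: <reason>; these paths now match <pattern>`, and add a changelog line for it.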
@@ -8514,8 +8516,34 @@
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.if 2007-09-17 16:20:18.000000000 -0400
-@@ -349,6 +349,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/samba.if 2007-09-24 17:17:53.000000000 -0400
+@@ -332,6 +332,25 @@
+
+ ########################################
+ ## <summary>
++## dontaudit the specified domain to
++## write samba /var files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`samba_dontaudit_write_var_files',`
++ gen_require(`
++ type samba_var_t;
++ ')
++
++ dontaudit $1 samba_var_t:file write;
++')
++
++########################################
++## <summary>
+ ## Allow the specified domain to
+ ## read and write samba /var files.
+ ## </summary>
+@@ -349,6 +368,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1,samba_var_t,samba_var_t)
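Review bot: The parameter description on the new `samba_dontaudit_write_var_files` interface reads `Domain allowed access.`, but the interface grants nothing and only suppresses audit records. The conventional wording is `Domain to not audit.`, with the summary as `Do not audit attempts to write samba /var files.`. The rule also covers only `write` on `samba_var_t:file`, so other denied permissions on these files (append, for instance) would still be logged. If that narrow scope is intended, a one-line comment above the dontaudit saying so would help the next reader.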
@@ -8523,7 +8551,7 @@
')
########################################
-@@ -493,3 +494,102 @@
+@@ -493,3 +513,102 @@
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
@@ -10428,7 +10456,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-24 10:44:04.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-24 17:17:30.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -10620,7 +10648,16 @@
files_list_var_lib($1)
miscfiles_read_certs($1)
-@@ -1381,3 +1453,163 @@
+@@ -1347,6 +1419,8 @@
+
+ optional_policy(`
+ samba_stream_connect_winbind($1)
++ samba_read_var_files($1)
++ samba_dontaudit_write_var_files($1)
+ ')
+ ')
+
+@@ -1381,3 +1455,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
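Review bot: `samba_read_var_files($1)` and `samba_dontaudit_write_var_files($1)` are added inside an interface whose header lies outside this hunk (going by the log message, the nsswitch one). Every domain that calls it therefore gains read access to all `samba_var_t` files and has its write denials on them silenced. That is a broad grant for what is presumably a winbind lookup, and the dontaudit removes the AVC records that would show one of these domains trying to modify samba state. I would add a comment in the optional block naming the files that actually have to be read, e.g. `# nsswitch callers read <file> under /var/lib/samba`, and consider giving those files a narrower type than samba_var_t.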
@@ -13644,8 +13681,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-09-21 06:44:58.000000000 -0400
-@@ -5,28 +5,36 @@
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-09-24 17:02:03.000000000 -0400
+@@ -5,28 +5,38 @@
#
# Declarations
#
@@ -13683,13 +13720,15 @@
# Local policy
#
++dontaudit unconfined_t self:dir write;
++
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
domtrans_pattern(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
files_create_boot_flag(unconfined_t)
-@@ -35,6 +43,7 @@
+@@ -35,6 +45,7 @@
mcs_ptrace_all(unconfined_t)
init_run_daemon(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
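Review bot: `dontaudit unconfined_t self:dir write;` is added under "Local policy" with no comment and is not mentioned in the log message. Because it is a dontaudit, the denial it hides no longer reaches the audit log, so anyone later debugging or investigating unconfined_t has no record of what triggered it. A one-line comment above the rule, e.g. `# suppress noise from <program> writing to <path>`, with the real trigger filled in, would make the suppression reviewable.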
@@ -13697,7 +13736,7 @@
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +51,30 @@
+@@ -42,37 +53,30 @@
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -13715,17 +13754,17 @@
optional_policy(`
- ada_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
-- # this is disallowed usage:
-- unconfined_domain(httpd_unconfined_script_t)
+ ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
+- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
+- # this is disallowed usage:
+- unconfined_domain(httpd_unconfined_script_t)
+-')
+-
+-optional_policy(`
- bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
@@ -13743,7 +13782,7 @@
')
optional_policy(`
-@@ -118,11 +120,11 @@
+@@ -118,11 +122,11 @@
')
optional_policy(`
@@ -13757,7 +13796,7 @@
')
optional_policy(`
-@@ -134,11 +136,7 @@
+@@ -134,11 +138,7 @@
')
optional_policy(`
@@ -13770,7 +13809,7 @@
')
optional_policy(`
-@@ -155,32 +153,23 @@
+@@ -155,32 +155,23 @@
optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -13807,7 +13846,7 @@
')
optional_policy(`
-@@ -205,11 +194,18 @@
+@@ -205,11 +196,18 @@
')
optional_policy(`
@@ -13828,7 +13867,7 @@
')
########################################
-@@ -225,8 +221,20 @@
+@@ -225,8 +223,20 @@
init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.533
retrieving revision 1.534
diff -u -r1.533 -r1.534
--- selinux-policy.spec 24 Sep 2007 20:26:12 -0000 1.533
+++ selinux-policy.spec 25 Sep 2007 13:30:08 -0000 1.534
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 11%{?dist}
+Release: 12%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -272,6 +272,7 @@
%if %{BUILD_TARGETED}
%package targeted
Summary: SELinux targeted base policy
+Provides: selinux-policy-base
Group: System Environment/Base
Obsoletes: selinux-policy-targeted-sources < 2
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
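Review bot: The new `Provides: selinux-policy-base` in the targeted subpackage is unversioned, and the same line is added to the olpc and mls subpackages in the next two hunks. Dependents have no way to enforce a minimum policy version through it, so an outdated base policy would still satisfy the dependency. `Provides: selinux-policy-base = %{version}-%{release}` would carry the version. The 3.0.8-12 %changelog entry should also mention the new Provides, since it currently lists only the samba_var_t change.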
@@ -315,6 +316,7 @@
%package olpc
Summary: SELinux olpc base policy
Group: System Environment/Base
+Provides: selinux-policy-base
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
@@ -339,6 +341,7 @@
%package mls
Summary: SELinux mls base policy
Group: System Environment/Base
+Provides: selinux-policy-base
Obsoletes: selinux-policy-mls-sources < 2
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
@@ -362,6 +365,9 @@
%endif
%changelog
+* Mon Sep 24 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-12
+- Allow nsswitch apps to read samba_var_t
+
* Mon Sep 24 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-11
- Fix maxima