rpms/selinux-policy/devel policy-20071130.patch, 1.122, 1.123 selinux-policy.spec, 1.650, 1.651

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Apr 10 19:45:59 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1753

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-33
- Allow dhcpd to read kernel network state


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.122
retrieving revision 1.123
diff -u -r1.122 -r1.123
--- policy-20071130.patch	10 Apr 2008 14:37:57 -0000	1.122
+++ policy-20071130.patch	10 Apr 2008 19:45:47 -0000	1.123
@@ -7892,7 +7892,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-04-10 13:50:44.000000000 -0400
 @@ -851,9 +851,8 @@
  		type proc_t, proc_afs_t;
  	')
@@ -7916,7 +7916,7 @@
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
-+	dontaudit $1 sysctl_type:file getattr;
++	dontaudit $1 sysctl_type:file read_file_perms;
  ')
  
  ########################################
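Review bot: The rewritten dontaudit on the `++` line now silences denial records for the whole read_file_perms set on every sysctl_type file (in refpolicy's obj_perm_sets.spt, outside this page, that is getattr, open, read, lock and ioctl), so a caller that actually reads sysctl contents leaves no AVC trace where before only getattr was unaudited. Nothing is granted, but the audit gap is wider than a list-only interface suggests, and the enclosing interface with its `##` description begins outside this hunk; the description should state that read attempts on sysctl files are also unaudited. If the callers only trip over stat and open, `dontaudit $1 sysctl_type:file { getattr open };` keeps the narrower gap.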
@@ -8382,7 +8382,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-04-05 07:45:49.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-04-10 13:06:52.000000000 -0400
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -8538,7 +8538,21 @@
  
  		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
  		read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
-@@ -177,48 +159,6 @@
+@@ -151,9 +133,13 @@
+ 		# privileged users run the script:
+ 		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+ 
++		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
++
+ 		# apache runs the script:
+ 		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ 
++		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
++
+ 		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+ 		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+ 
+@@ -177,48 +163,6 @@
  		miscfiles_read_localization(httpd_$1_script_t)
  	')
  
@@ -8587,7 +8601,7 @@
  	optional_policy(`
  		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
  			nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -265,72 +205,77 @@
+@@ -265,72 +209,77 @@
  template(`apache_per_role_template', `
  	gen_require(`
  		attribute httpdcontent, httpd_script_domains;
@@ -8718,7 +8732,7 @@
  	')
  ')
  
-@@ -352,12 +297,11 @@
+@@ -352,12 +301,11 @@
  #
  template(`apache_read_user_scripts',`
  	gen_require(`
@@ -8735,7 +8749,7 @@
  ')
  
  ########################################
-@@ -378,12 +322,12 @@
+@@ -378,12 +326,12 @@
  #
  template(`apache_read_user_content',`
  	gen_require(`
@@ -8752,7 +8766,7 @@
  ')
  
  ########################################
-@@ -761,6 +705,7 @@
+@@ -761,6 +709,7 @@
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -8760,7 +8774,7 @@
  ')
  
  ########################################
-@@ -841,12 +786,16 @@
+@@ -841,12 +790,16 @@
  # sysadm_t to run scripts
  interface(`apache_domtrans_sys_script',`
  	gen_require(`
@@ -8779,7 +8793,7 @@
  	')
  ')
  
-@@ -932,7 +881,7 @@
+@@ -932,7 +885,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -8788,7 +8802,7 @@
  ')
  
  ########################################
-@@ -1023,16 +972,16 @@
+@@ -1023,16 +976,16 @@
  #
  interface(`apache_manage_all_user_content',`
  	gen_require(`
@@ -8812,7 +8826,7 @@
  ')
  
  ########################################
-@@ -1088,3 +1037,142 @@
+@@ -1088,3 +1041,142 @@
  
  	allow httpd_t $1:process signal;
  ')
@@ -13399,7 +13413,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.3.1/policy/modules/services/dhcp.te
 --- nsaserefpolicy/policy/modules/services/dhcp.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dhcp.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dhcp.te	2008-04-10 11:29:00.000000000 -0400
 @@ -19,18 +19,20 @@
  type dhcpd_var_run_t;
  files_pid_file(dhcpd_var_run_t)
@@ -13423,7 +13437,15 @@
  allow dhcpd_t self:tcp_socket create_stream_socket_perms;
  allow dhcpd_t self:udp_socket create_socket_perms;
  # Allow dhcpd_t to use packet sockets
-@@ -88,6 +90,8 @@
+@@ -51,6 +53,7 @@
+ 
+ kernel_read_system_state(dhcpd_t)
+ kernel_read_kernel_sysctls(dhcpd_t)
++kernel_read_network_state(dhcpd_t)
+ 
+ corenet_all_recvfrom_unlabeled(dhcpd_t)
+ corenet_all_recvfrom_netlabel(dhcpd_t)
+@@ -88,6 +91,8 @@
  files_read_etc_runtime_files(dhcpd_t)
  files_search_var_lib(dhcpd_t)
  
@@ -13432,7 +13454,7 @@
  libs_use_ld_so(dhcpd_t)
  libs_use_shared_libs(dhcpd_t)
  
-@@ -95,7 +99,6 @@
+@@ -95,7 +100,6 @@
  
  miscfiles_read_localization(dhcpd_t)
  
@@ -13440,7 +13462,7 @@
  sysnet_read_dhcp_config(dhcpd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-@@ -116,14 +119,6 @@
+@@ -116,14 +120,6 @@
  ')
  
  optional_policy(`
@@ -27809,7 +27831,7 @@
 +/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.if	2008-04-05 14:44:00.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.if	2008-04-10 10:48:18.000000000 -0400
 @@ -213,12 +213,7 @@
  ## </param>
  #
@@ -27905,7 +27927,7 @@
  ')
  
  ########################################
-@@ -804,3 +838,127 @@
+@@ -804,3 +838,128 @@
  	logging_admin_audit($1, $2, $3)
  	logging_admin_syslog($1, $2, $3)
  ')
@@ -28013,6 +28035,7 @@
 +	domtrans_pattern(audisp_t,$2,$1)
 +
 +	allow audisp_t $2:file getattr;
++	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
 +')
 +
 +########################################
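Review bot: The added `allow $1 audisp_t:unix_stream_socket rw_socket_perms;` grants the dispatcher-launched domain $1 more than traffic on a socket inherited from audisp_t: rw_socket_perms in refpolicy's obj_perm_sets.spt also carries bind, connect, setattr, setopt and shutdown. If the plugin only reads and writes the stream that audisp hands it, `allow $1 audisp_t:unix_stream_socket { read write };` is the narrower form and limits what a misbehaving plugin can do to audisp's sockets; widen only with a comment naming the denied permission. The enclosing interface starts before this hunk, so its `##` doc block should also say that the child domain exchanges data with audisp over a unix stream socket.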


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.650
retrieving revision 1.651
diff -u -r1.650 -r1.651
--- selinux-policy.spec	10 Apr 2008 14:37:57 -0000	1.650
+++ selinux-policy.spec	10 Apr 2008 19:45:47 -0000	1.651
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 32%{?dist}
+Release: 33%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -383,6 +383,9 @@
 %endif
 
 %changelog
+* Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-33
+- Allow dhcpd to read kernel network state
+
 * Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-32
 - Label /var/run/gdm correctly
 - Fix unconfined_u user creation



