rpms/selinux-policy/devel policy-20071130.patch, 1.123, 1.124 selinux-policy.spec, 1.651, 1.652

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Apr 11 18:58:19 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30866

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-34


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.123
retrieving revision 1.124
diff -u -r1.123 -r1.124
--- policy-20071130.patch	10 Apr 2008 19:45:47 -0000	1.123
+++ policy-20071130.patch	11 Apr 2008 18:58:07 -0000	1.124
@@ -7892,7 +7892,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-04-10 13:50:44.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-04-11 14:40:04.000000000 -0400
 @@ -851,9 +851,8 @@
  		type proc_t, proc_afs_t;
  	')
@@ -8971,7 +8971,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-04-07 14:54:08.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-04-11 14:48:54.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -9302,13 +9302,14 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -521,6 +610,19 @@
+@@ -521,6 +610,20 @@
  	userdom_use_sysadm_terms(httpd_helper_t)
  ')
  
 +optional_policy(`
 +	type httpd_unconfined_script_t;
 +	type httpd_unconfined_script_exec_t;
++	domain_type(httpd_unconfined_script_t)
 +	domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
 +	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
 +	unconfined_domain(httpd_unconfined_script_t)
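Review bot: The added `domain_type(httpd_unconfined_script_t)` line has no comment, and this block is the one place where a web server worker (`httpd_t`) can transition into a fully unconfined domain via `domtrans_pattern` on `httpd_unconfined_script_exec_t`, so the only control left is which files carry that label. A comment stating that would help the next maintainer, e.g. `# Fully unconfined: the exec_t label on the script is the only gate, label sparingly`. Whether the transition is gated by a tunable is not visible here; if it is not, wrapping the `domtrans_pattern` line in a `tunable_policy` block would let the type stay declared while the escape hatch is off by default. The `optional_policy(` block opens inside this hunk and closes outside it.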
@@ -9322,7 +9323,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -550,18 +652,24 @@
+@@ -550,18 +653,24 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -9350,7 +9351,7 @@
  ')
  
  ########################################
-@@ -585,6 +693,8 @@
+@@ -585,6 +694,8 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -9359,7 +9360,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +703,7 @@
+@@ -593,9 +704,7 @@
  
  fs_search_auto_mountpoints(httpd_suexec_t)
  
@@ -9370,7 +9371,7 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +736,7 @@
+@@ -628,6 +737,7 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -9378,7 +9379,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
  ')
-@@ -638,6 +747,12 @@
+@@ -638,6 +748,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -9391,7 +9392,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +770,6 @@
+@@ -655,10 +771,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -9402,7 +9403,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -668,7 +779,8 @@
+@@ -668,7 +780,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -9412,7 +9413,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +794,44 @@
+@@ -682,15 +795,44 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -9458,7 +9459,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +841,15 @@
+@@ -700,9 +842,15 @@
  	clamav_domtrans_clamscan(httpd_sys_script_t)
  ')
  
@@ -9474,7 +9475,7 @@
  ')
  
  ########################################
-@@ -724,3 +871,47 @@
+@@ -724,3 +872,47 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -29586,7 +29587,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te	2008-04-04 17:19:53.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te	2008-04-11 14:03:28.000000000 -0400
 @@ -75,7 +75,6 @@
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -29673,7 +29674,7 @@
  auth_dontaudit_read_shadow(run_init_t)
  
  init_spec_domtrans_script(run_init_t)
-@@ -435,67 +432,21 @@
+@@ -435,67 +432,22 @@
  # semodule local policy
  #
  
@@ -29692,13 +29693,9 @@
 -kernel_read_kernel_sysctls(semanage_t)
 -
 -corecmd_exec_bin(semanage_t)
-+seutil_semanage_policy(semanage_t)
-+can_exec(semanage_t, semanage_exec_t)
- 
+-
 -dev_read_urand(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
- 
+-
 -domain_use_interactive_fds(semanage_t)
 -
 -files_read_etc_files(semanage_t)
@@ -29713,13 +29710,17 @@
 -selinux_get_enforce_mode(semanage_t)
 -selinux_getattr_fs(semanage_t)
 -# for setsebool:
--selinux_set_boolean(semanage_t)
--
++seutil_semanage_policy(semanage_t)
+ selinux_set_boolean(semanage_t)
++can_exec(semanage_t, semanage_exec_t)
+ 
 -term_use_all_terms(semanage_t)
 -
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t)
+ 
 -libs_use_ld_so(semanage_t)
 -libs_use_shared_libs(semanage_t)
 -
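Review bot: The inner patch now keeps `selinux_set_boolean(semanage_t)` as context while the `# for setsebool:` comment directly above it is still removed, so the kept rule loses the line that explained it. Keeping the comment as context as well (` # for setsebool:` in place of the `-# for setsebool:` line) would preserve the rationale; presumably the rule is retained because `seutil_semanage_policy()` does not cover boolean setting, which the comment could also say — confirm against that interface. The relocated `auth_read_all_files_except_shadow(semanage_t)` grant is broad, but it is only moved here and its existing comment records why it exists.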
@@ -29748,7 +29749,7 @@
  ifdef(`distro_debian',`
  	files_read_var_lib_files(semanage_t)
  	files_read_var_lib_symlinks(semanage_t)
-@@ -507,6 +458,11 @@
+@@ -507,6 +459,11 @@
  	')
  ')
  
@@ -29760,7 +29761,7 @@
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -514,26 +470,44 @@
+@@ -514,26 +471,44 @@
  	# Handle pp files created in homedir and /tmp
  	userdom_read_sysadm_home_content_files(semanage_t)
  	userdom_read_sysadm_tmp_files(semanage_t)
@@ -29810,7 +29811,7 @@
  kernel_read_system_state(setfiles_t)
  kernel_relabelfrom_unlabeled_dirs(setfiles_t)
  kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -555,9 +529,13 @@
+@@ -555,9 +530,13 @@
  files_read_etc_files(setfiles_t)
  files_list_all(setfiles_t)
  files_relabel_all_files(setfiles_t)
@@ -29824,7 +29825,7 @@
  fs_search_auto_mountpoints(setfiles_t)
  fs_relabelfrom_noxattr_fs(setfiles_t)
  
-@@ -617,16 +595,8 @@
+@@ -617,16 +596,8 @@
  	')
  ')
  
@@ -34435,8 +34436,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-04-04 12:06:56.000000000 -0400
-@@ -0,0 +1,173 @@
++++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-04-11 14:40:17.000000000 -0400
+@@ -0,0 +1,174 @@
 +
 +policy_module(virt,1.0.0)
 +
@@ -34491,7 +34492,7 @@
 +#
 +# virtd local policy
 +#
-+allow virtd_t self:capability { sys_module dac_override kill net_admin setgid };
++allow virtd_t self:capability { dac_override kill net_admin setgid };
 +allow virtd_t self:process { sigkill signal };
 +allow virtd_t self:fifo_file rw_file_perms;
 +allow virtd_t self:unix_stream_socket create_stream_socket_perms;
@@ -34541,6 +34542,7 @@
 +kernel_rw_net_sysctls(virtd_t)
 +kernel_read_xen_state(virtd_t)
 +kernel_write_xen_state(virtd_t)
++kernel_load_module(virtd_t)
 +
 +# Init script handling
 +domain_use_interactive_fds(virtd_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.651
retrieving revision 1.652
diff -u -r1.651 -r1.652
--- selinux-policy.spec	10 Apr 2008 19:45:47 -0000	1.651
+++ selinux-policy.spec	11 Apr 2008 18:58:08 -0000	1.652
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 33%{?dist}
+Release: 34%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -157,7 +157,7 @@
 %define loadpolicy() \
 ( cd /usr/share/selinux/%1; \
 semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
-) > /dev/null 2>&1; \
+); \
 
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
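Review bot: Dropping the `> /dev/null 2>&1` redirection makes semodule's diagnostics visible in the scriptlet output, but nothing in the macro acts on the result: the subshell's exit status is not checked, so a failed policy load still runs to completion with only a printed message. The macro's expansion site is outside the hunk, so whether a caller inspects the status cannot be confirmed here. The change is also unrecorded — the 3.3.1-34 changelog entry added later in this commit has no bullet under it; a line such as `- Show semodule errors during policy load instead of discarding them` would document why the redirection went away.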
@@ -383,6 +383,8 @@
 %endif
 
 %changelog
+* Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-34
+
 * Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-33
 - Allow dhcpd to read kernel network state
 



