rpms/selinux-policy/devel policy-20071130.patch, 1.123, 1.124 selinux-policy.spec, 1.651, 1.652
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Apr 11 18:58:19 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30866
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-34
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.123
retrieving revision 1.124
diff -u -r1.123 -r1.124
--- policy-20071130.patch 10 Apr 2008 19:45:47 -0000 1.123
+++ policy-20071130.patch 11 Apr 2008 18:58:07 -0000 1.124
@@ -7892,7 +7892,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-04-10 13:50:44.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-04-11 14:40:04.000000000 -0400
@@ -851,9 +851,8 @@
type proc_t, proc_afs_t;
')
@@ -8971,7 +8971,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-04-07 14:54:08.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-04-11 14:48:54.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@@ -9302,13 +9302,14 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -521,6 +610,19 @@
+@@ -521,6 +610,20 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
+optional_policy(`
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
++ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
@@ -9322,7 +9323,7 @@
########################################
#
# Apache PHP script local policy
-@@ -550,18 +652,24 @@
+@@ -550,18 +653,24 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -9350,7 +9351,7 @@
')
########################################
-@@ -585,6 +693,8 @@
+@@ -585,6 +694,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -9359,7 +9360,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +703,7 @@
+@@ -593,9 +704,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -9370,7 +9371,7 @@
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +736,7 @@
+@@ -628,6 +737,7 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -9378,7 +9379,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -638,6 +747,12 @@
+@@ -638,6 +748,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -9391,7 +9392,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +770,6 @@
+@@ -655,10 +771,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -9402,7 +9403,7 @@
########################################
#
# Apache system script local policy
-@@ -668,7 +779,8 @@
+@@ -668,7 +780,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -9412,7 +9413,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +794,44 @@
+@@ -682,15 +795,44 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -9458,7 +9459,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +841,15 @@
+@@ -700,9 +842,15 @@
clamav_domtrans_clamscan(httpd_sys_script_t)
')
@@ -9474,7 +9475,7 @@
')
########################################
-@@ -724,3 +871,47 @@
+@@ -724,3 +872,47 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -29586,7 +29587,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-04 17:19:53.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-11 14:03:28.000000000 -0400
@@ -75,7 +75,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -29673,7 +29674,7 @@
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -435,67 +432,21 @@
+@@ -435,67 +432,22 @@
# semodule local policy
#
@@ -29692,13 +29693,9 @@
-kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
-+seutil_semanage_policy(semanage_t)
-+can_exec(semanage_t, semanage_exec_t)
-
+-
-dev_read_urand(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
-
+-
-domain_use_interactive_fds(semanage_t)
-
-files_read_etc_files(semanage_t)
@@ -29713,13 +29710,17 @@
-selinux_get_enforce_mode(semanage_t)
-selinux_getattr_fs(semanage_t)
-# for setsebool:
--selinux_set_boolean(semanage_t)
--
++seutil_semanage_policy(semanage_t)
+ selinux_set_boolean(semanage_t)
++can_exec(semanage_t, semanage_exec_t)
+
-term_use_all_terms(semanage_t)
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t)
+
-libs_use_ld_so(semanage_t)
-libs_use_shared_libs(semanage_t)
-
@@ -29748,7 +29749,7 @@
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
-@@ -507,6 +458,11 @@
+@@ -507,6 +459,11 @@
')
')
@@ -29760,7 +29761,7 @@
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -514,26 +470,44 @@
+@@ -514,26 +471,44 @@
# Handle pp files created in homedir and /tmp
userdom_read_sysadm_home_content_files(semanage_t)
userdom_read_sysadm_tmp_files(semanage_t)
@@ -29810,7 +29811,7 @@
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -555,9 +529,13 @@
+@@ -555,9 +530,13 @@
files_read_etc_files(setfiles_t)
files_list_all(setfiles_t)
files_relabel_all_files(setfiles_t)
@@ -29824,7 +29825,7 @@
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -617,16 +595,8 @@
+@@ -617,16 +596,8 @@
')
')
@@ -34435,8 +34436,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-04 12:06:56.000000000 -0400
-@@ -0,0 +1,173 @@
++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-11 14:40:17.000000000 -0400
+@@ -0,0 +1,174 @@
+
+policy_module(virt,1.0.0)
+
@@ -34491,7 +34492,7 @@
+#
+# virtd local policy
+#
-+allow virtd_t self:capability { sys_module dac_override kill net_admin setgid };
++allow virtd_t self:capability { dac_override kill net_admin setgid };
+allow virtd_t self:process { sigkill signal };
+allow virtd_t self:fifo_file rw_file_perms;
+allow virtd_t self:unix_stream_socket create_stream_socket_perms;
@@ -34541,6 +34542,7 @@
+kernel_rw_net_sysctls(virtd_t)
+kernel_read_xen_state(virtd_t)
+kernel_write_xen_state(virtd_t)
++kernel_load_module(virtd_t)
+
+# Init script handling
+domain_use_interactive_fds(virtd_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.651
retrieving revision 1.652
diff -u -r1.651 -r1.652
--- selinux-policy.spec 10 Apr 2008 19:45:47 -0000 1.651
+++ selinux-policy.spec 11 Apr 2008 18:58:08 -0000 1.652
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 33%{?dist}
+Release: 34%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -157,7 +157,7 @@
%define loadpolicy() \
( cd /usr/share/selinux/%1; \
semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
-) > /dev/null 2>&1; \
+); \
%define relabel() \
. %{_sysconfdir}/selinux/config; \
@@ -383,6 +383,8 @@
%endif
%changelog
+* Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-34
+
* Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-33
- Allow dhcpd to read kernel network state
More information about the fedora-extras-commits
mailing list