rpms/selinux-policy/devel policy-20080710.patch,1.9,1.10
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Aug 1 16:28:25 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30404
Modified Files:
policy-20080710.patch
Log Message:
* Fri Jul 25 2008 Dan Walsh <dwalsh at redhat.com> 3.5.1-4
- Consolidate pyzor, spamassassin, razor into one security domain
- Fix xdm requiring additional perms.
policy-20080710.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.9 -r 1.10 policy-20080710.patch
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20080710.patch 30 Jul 2008 13:44:15 -0000 1.9
+++ policy-20080710.patch 1 Aug 2008 16:27:54 -0000 1.10
@@ -1691,8 +1691,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te 2008-07-28 08:40:54.000000000 -0400
-@@ -22,12 +22,16 @@
++++ serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te 2008-07-31 07:13:29.000000000 -0400
+@@ -22,12 +22,18 @@
dev_read_urand(tmpreaper_t)
fs_getattr_xattr_fs(tmpreaper_t)
@@ -1706,10 +1706,12 @@
+files_getattr_lost_found_dirs(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
++files_delete_usr_dirs(tmpreaper_t)
++files_delete_usr_files(tmpreaper_t)
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
-@@ -42,6 +46,26 @@
+@@ -42,6 +48,23 @@
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
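Review bot: Lines 39–40 give the cron-run cleanup domain `tmpreaper_t` unconditional delete access to every usr_t directory and file, and neither the hunk nor the changelog — which only mentions the pyzor/spamassassin/razor consolidation and the xdm fix — says which path under /usr tmpwatch is expected to prune. A short comment above the pair, e.g. `# tmpwatch prunes <directory under /usr — fill in> from cron; needs usr_t delete`, would let a later reviewer judge whether a narrower file type or a tunable would do, and the changelog entry should mention the tmpreaper change. The removal of `files_manage_isid_type_dirs`/`files_delete_isid_type_files` in the following hunk appears to narrow the domain's reach over unlabeled content, but the inner tmpreaper.te hunk (`+@@ -42,6 +48,23 @@` on line 44) continues past line 45, so the remaining rules are not visible here.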
@@ -1717,9 +1719,6 @@
+userdom_delete_all_users_home_content_files(tmpreaper_t)
+userdom_delete_all_users_home_content_symlinks(tmpreaper_t)
+
-+files_manage_isid_type_dirs(tmpreaper_t)
-+files_delete_isid_type_files(tmpreaper_t)
-+
+optional_policy(`
+ amavis_manage_spool_files(tmpreaper_t)
+')
@@ -5195,7 +5194,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.1/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2008-07-10 14:13:44.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/apps/qemu.if 2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/apps/qemu.if 2008-08-01 08:42:09.000000000 -0400
@@ -104,7 +104,71 @@
########################################
@@ -5306,91 +5305,94 @@
## Creates types and rules for a basic
## qemu process domain.
## </summary>
-@@ -133,24 +227,23 @@
+@@ -132,86 +226,91 @@
+ ## </param>
#
template(`qemu_domain_template',`
++ gen_require(`
++ attribute qemutype;
++ ')
- ##############################
- #
- # Local Policy
- #
-
- type $1_t;
+- type $1_t;
++ type $1_t, qemutype;
domain_type($1_t)
type $1_tmp_t;
files_tmp_file($1_tmp_t)
+- ##############################
+- #
+- # Local Policy
+- #
+-
+- allow $1_t self:capability { dac_read_search dac_override };
+- allow $1_t self:process { execstack execmem signal getsched };
+- allow $1_t self:fifo_file rw_file_perms;
+- allow $1_t self:shm create_shm_perms;
+- allow $1_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_t self:tcp_socket create_stream_socket_perms;
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
- ##############################
- #
- # Local Policy
- #
-
- allow $1_t self:capability { dac_read_search dac_override };
-- allow $1_t self:process { execstack execmem signal getsched };
-+ allow $1_t self:process { execstack execmem signal getsched signull };
++ type $1_image_t;
++ virt_image($1_image_t)
+
- allow $1_t self:fifo_file rw_file_perms;
- allow $1_t self:shm create_shm_perms;
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
-@@ -160,6 +253,11 @@
++ manage_dirs_pattern($1, $1_image_t, $1_image_t)
++ manage_files_pattern($1, $1_image_t, $1_image_t)
++ read_lnk_files_pattern($1, $1_image_t, $1_image_t)
++ rw_blk_files_pattern($1, $1_image_t, $1_image_t)
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+- kernel_read_system_state($1_t)
+-
+- corenet_all_recvfrom_unlabeled($1_t)
+- corenet_all_recvfrom_netlabel($1_t)
+- corenet_tcp_sendrecv_all_if($1_t)
+- corenet_tcp_sendrecv_all_nodes($1_t)
+- corenet_tcp_sendrecv_all_ports($1_t)
+- corenet_tcp_bind_all_nodes($1_t)
+- corenet_tcp_bind_vnc_port($1_t)
+- corenet_rw_tun_tap_dev($1_t)
+-
+-# dev_rw_kvm($1_t)
+-
+- domain_use_interactive_fds($1_t)
+-
+- files_read_etc_files($1_t)
+- files_read_usr_files($1_t)
+- files_read_var_files($1_t)
+- files_search_all($1_t)
+-
+- fs_list_inotifyfs($1_t)
+- fs_rw_anon_inodefs_files($1_t)
+- fs_rw_tmpfs_files($1_t)
+-
+- storage_raw_write_removable_device($1_t)
+- storage_raw_read_removable_device($1_t)
+-
+- term_use_ptmx($1_t)
+- term_getattr_pty_fs($1_t)
+- term_use_generic_ptys($1_t)
+-
+- libs_use_ld_so($1_t)
+- libs_use_shared_libs($1_t)
+-
+- miscfiles_read_localization($1_t)
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
-+
- kernel_read_system_state($1_t)
-
- corenet_all_recvfrom_unlabeled($1_t)
-@@ -171,7 +269,10 @@
- corenet_tcp_bind_vnc_port($1_t)
- corenet_rw_tun_tap_dev($1_t)
-
--# dev_rw_kvm($1_t)
-+ dev_read_sound($1_t)
-+ dev_write_sound($1_t)
-+ dev_rw_kvm($1_t)
-+ dev_rw_qemu($1_t)
-
- domain_use_interactive_fds($1_t)
-
-@@ -191,6 +292,8 @@
- term_getattr_pty_fs($1_t)
- term_use_generic_ptys($1_t)
-
-+ auth_use_nsswitch($1_t)
-+
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
-
-@@ -198,9 +301,9 @@
-
- sysnet_read_config($1_t)
-
--# optional_policy(`
--# samba_domtrans_smb($1_t)
--# ')
-+ optional_policy(`
-+ samba_domtrans_smb($1_t)
-+ ')
++')
- optional_policy(`
- virt_manage_images($1_t)
-@@ -212,6 +315,24 @@
- xserver_stream_connect_xdm_xserver($1_t)
- xserver_read_xdm_tmp_files($1_t)
- xserver_read_xdm_pid($1_t)
--# xserver_xdm_rw_shm($1_t)
-+ xserver_xdm_rw_shm($1_t)
[...1737 lines suppressed...]
')
########################################
-@@ -2792,10 +2894,10 @@
+@@ -2792,10 +2895,10 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -36798,7 +37080,7 @@
')
########################################
-@@ -2825,12 +2927,12 @@
+@@ -2825,12 +2928,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -36814,7 +37096,7 @@
')
########################################
-@@ -2862,10 +2964,10 @@
+@@ -2862,10 +2965,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -36827,7 +37109,7 @@
')
########################################
-@@ -2897,12 +2999,12 @@
+@@ -2897,12 +3000,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -36843,7 +37125,7 @@
')
########################################
-@@ -2934,11 +3036,11 @@
+@@ -2934,11 +3037,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -36857,7 +37139,7 @@
')
########################################
-@@ -2970,11 +3072,11 @@
+@@ -2970,11 +3073,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -36871,7 +37153,7 @@
')
########################################
-@@ -3006,11 +3108,11 @@
+@@ -3006,11 +3109,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -36885,7 +37167,7 @@
')
########################################
-@@ -3042,11 +3144,11 @@
+@@ -3042,11 +3145,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -36899,7 +37181,7 @@
')
########################################
-@@ -3078,11 +3180,11 @@
+@@ -3078,11 +3181,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -36913,7 +37195,7 @@
')
########################################
-@@ -3127,10 +3229,10 @@
+@@ -3127,10 +3230,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -36926,7 +37208,7 @@
files_search_tmp($2)
')
-@@ -3171,19 +3273,19 @@
+@@ -3171,19 +3274,19 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -36950,7 +37232,7 @@
## </p>
## <p>
## This is a templated interface, and should only
-@@ -4609,11 +4711,11 @@
+@@ -4609,11 +4712,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -36964,13 +37246,14 @@
')
########################################
-@@ -4633,9 +4735,17 @@
+@@ -4633,10 +4736,18 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
-')
-########################################
+-## <summary>
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ ')
@@ -36981,10 +37264,11 @@
+')
+
+########################################
- ## <summary>
++## <summary>
## Search all users home directories.
## </summary>
-@@ -4670,6 +4780,8 @@
+ ## <param name="domain">
+@@ -4670,6 +4781,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -36993,7 +37277,7 @@
')
########################################
-@@ -4714,6 +4826,25 @@
+@@ -4714,6 +4827,25 @@
########################################
## <summary>
@@ -37019,7 +37303,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4939,7 +5070,7 @@
+@@ -4939,7 +5071,7 @@
########################################
## <summary>
@@ -37028,7 +37312,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5311,6 +5442,42 @@
+@@ -5311,6 +5443,42 @@
########################################
## <summary>
@@ -37071,7 +37355,7 @@
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
-@@ -5361,7 +5528,7 @@
+@@ -5361,7 +5529,7 @@
attribute userdomain;
')
@@ -37080,7 +37364,7 @@
kernel_search_proc($1)
')
-@@ -5476,6 +5643,42 @@
+@@ -5476,6 +5644,42 @@
########################################
## <summary>
@@ -37123,7 +37407,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5506,3 +5709,525 @@
+@@ -5506,3 +5710,525 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -38089,7 +38373,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.1/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.5.1/policy/support/obj_perm_sets.spt 2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/support/obj_perm_sets.spt 2008-07-30 16:47:18.000000000 -0400
@@ -316,3 +316,13 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')