rpms/selinux-policy/devel policy-20080710.patch,1.15,1.16
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Aug 12 14:28:30 UTC 2008
- Previous message (by thread): rpms/iproute/F-8 iproute2-2.6.25-aead.patch, NONE, 1.1 iproute2-2.6.25-segfault.patch, NONE, 1.1 iproute2-movelib.patch, NONE, 1.1 .cvsignore, 1.22, 1.23 iproute-ip-man.patch, 1.1, 1.2 iproute.spec, 1.71, 1.72 iproute2-2.6.9-kernel.patch, 1.1, 1.2 iproute2-ss050901-opt_flags.patch, 1.3, 1.4 sources, 1.22, 1.23
- Next message (by thread): rpms/qgis/devel qgis.spec,1.24,1.25
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1098
Modified Files:
policy-20080710.patch
Log Message:
* Mon Aug 11 2008 Dan Walsh <dwalsh at redhat.com> 3.5.4-1
- Update to upstream
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- policy-20080710.patch 11 Aug 2008 21:19:25 -0000 1.15
+++ policy-20080710.patch 12 Aug 2008 14:28:00 -0000 1.16
@@ -7834,75 +7834,6 @@
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.5.4/policy/modules/kernel/storage.if
---- nsaserefpolicy/policy/modules/kernel/storage.if 2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.4/policy/modules/kernel/storage.if 2008-08-11 16:39:48.000000000 -0400
-@@ -81,6 +81,26 @@
-
- ########################################
- ## <summary>
-+## dontaudit the caller attempts to read from a fixed disk.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`storage_dontaudit_raw_read_fixed_disk',`
-+ gen_require(`
-+ attribute fixed_disk_raw_read;
-+ type fixed_disk_device_t;
-+ ')
-+
-+ dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
-+ dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Allow the caller to directly read from a fixed disk.
- ## This is extremly dangerous as it can bypass the
- ## SELinux protections for filesystem objects, and
-@@ -121,8 +141,7 @@
-
- ')
-
-- dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
-- dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
-+ dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
- ')
-
- ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.4/policy/modules/kernel/terminal.if
---- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.4/policy/modules/kernel/terminal.if 2008-08-11 16:39:48.000000000 -0400
-@@ -525,11 +525,13 @@
- interface(`term_use_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ attribute server_ptynode;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir list_dir_perms;
- allow $1 devpts_t:chr_file { rw_term_perms lock append };
-+ allow $1 server_ptynode:chr_file { getattr read write ioctl };
- ')
-
- ########################################
-@@ -547,9 +549,11 @@
- interface(`term_dontaudit_use_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ attribute server_ptynode;
- ')
-
- dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
-+ dontaudit $1 server_ptynode:chr_file { getattr read write ioctl };
- ')
-
- ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.4/policy/modules/roles/guest.fc
--- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.4/policy/modules/roles/guest.fc 2008-08-11 16:39:48.000000000 -0400
@@ -16703,7 +16634,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.4/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.4/policy/modules/services/hal.te 2008-08-11 16:56:59.000000000 -0400
++++ serefpolicy-3.5.4/policy/modules/services/hal.te 2008-08-12 09:03:02.000000000 -0400
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -16714,15 +16645,6 @@
########################################
#
# Local policy
-@@ -159,7 +162,7 @@
- selinux_compute_relabel_context(hald_t)
- selinux_compute_user_contexts(hald_t)
-
--storage_raw_read_removable_device(hald_t)
-+storage_raw_read_removable_device(hald_t
- storage_raw_write_removable_device(hald_t)
- storage_raw_read_fixed_disk(hald_t)
- storage_raw_write_fixed_disk(hald_t)
@@ -280,6 +283,12 @@
')
@@ -20059,8 +19981,8 @@
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.4/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.4/policy/modules/services/polkit.if 2008-08-11 16:39:48.000000000 -0400
-@@ -0,0 +1,208 @@
++++ serefpolicy-3.5.4/policy/modules/services/polkit.if 2008-08-12 08:59:25.000000000 -0400
+@@ -0,0 +1,212 @@
+
+## <summary>policy for polkit_auth</summary>
+
@@ -20160,6 +20082,10 @@
+ ')
+
+ domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t)
++
++ allow polkit_resolve_t $1:dir list_dir_perms;
++ read_files_pattern(polkit_resolve_t, $1, $1)
++ read_lnk_files_pattern(polkit_resolve_t, $1, $1)
+')
+
+########################################
@@ -22756,7 +22682,7 @@
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.4/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.4/policy/modules/services/rpc.te 2008-08-11 16:39:48.000000000 -0400
++++ serefpolicy-3.5.4/policy/modules/services/rpc.te 2008-08-11 17:47:17.000000000 -0400
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
@@ -22810,7 +22736,7 @@
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+
+dev_rw_lvm_control(nfsd_t)
-+storage_dontaudit_raw_read_fixed_disk(nfsd_t)
++storage_dontaudit_read_fixed_disk(nfsd_t)
+
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
@@ -24834,8 +24760,8 @@
+/etc/rc.d/init.d/nasd -- gen_context(system_u:object_r:soundd_script_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.5.4/policy/modules/services/soundserver.if
--- nsaserefpolicy/policy/modules/services/soundserver.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.4/policy/modules/services/soundserver.if 2008-08-11 16:39:48.000000000 -0400
-@@ -13,3 +13,74 @@
++++ serefpolicy-3.5.4/policy/modules/services/soundserver.if 2008-08-11 17:35:26.000000000 -0400
+@@ -13,3 +13,70 @@
interface(`soundserver_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -24883,15 +24809,13 @@
+#
+interface(`soundserver_admin',`
+ gen_require(`
-+ type soundd_t;
++ type soundd_t, soundd_etc_t;
++ type soundd_tmp_t, soundd_var_run_t;
+ type soundd_script_exec_t;
-+ type soundd_etc_t;
-+ type soundd_tmp_t;
-+ type soundd_var_run_t;
+ ')
+
-+ allow $1 soundd_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, soundd_t, soundd_t)
++ allow $1 soundd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, soundd_t)
+
+ # Allow soundd_t to restart the apache service
+ soundserver_script_domtrans($1)
@@ -24908,8 +24832,6 @@
+ files_list_pids($1)
+ admin_pattern($1, soundd_var_run_t)
+')
-+
-+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.5.4/policy/modules/services/soundserver.te
--- nsaserefpolicy/policy/modules/services/soundserver.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.4/policy/modules/services/soundserver.te 2008-08-11 16:39:48.000000000 -0400
@@ -28986,14 +28908,11 @@
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.5.4/policy/modules/system/fstools.if
--- nsaserefpolicy/policy/modules/system/fstools.if 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.4/policy/modules/system/fstools.if 2008-08-11 16:39:48.000000000 -0400
-@@ -142,3 +142,21 @@
++++ serefpolicy-3.5.4/policy/modules/system/fstools.if 2008-08-11 17:51:55.000000000 -0400
+@@ -71,6 +71,24 @@
- allow $1 swapfile_t:file getattr;
- ')
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+## Send signal to fsadm process
+## </summary>
+## <param name="domain">
@@ -29009,6 +28928,12 @@
+
+ allow $1 fsadm_t:process signal;
+')
++
++########################################
++## <summary>
+ ## Read fstools unnamed pipes.
+ ## </summary>
+ ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.5.4/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.4/policy/modules/system/fstools.te 2008-08-11 16:39:48.000000000 -0400
- Previous message (by thread): rpms/iproute/F-8 iproute2-2.6.25-aead.patch, NONE, 1.1 iproute2-2.6.25-segfault.patch, NONE, 1.1 iproute2-movelib.patch, NONE, 1.1 .cvsignore, 1.22, 1.23 iproute-ip-man.patch, 1.1, 1.2 iproute.spec, 1.71, 1.72 iproute2-2.6.9-kernel.patch, 1.1, 1.2 iproute2-ss050901-opt_flags.patch, 1.3, 1.4 sources, 1.22, 1.23
- Next message (by thread): rpms/qgis/devel qgis.spec,1.24,1.25
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list