rpms/selinux-policy/devel modules-targeted.conf, 1.93, 1.94 policy-20080710.patch, 1.20, 1.21 selinux-policy.spec, 1.699, 1.700
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Aug 29 18:59:29 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28185
Modified Files:
modules-targeted.conf policy-20080710.patch
selinux-policy.spec
Log Message:
* Tue Aug 26 2008 Dan Walsh <dwalsh at redhat.com> 3.5.5-2
- Update to upstream
- Fix crontab use by unconfined user
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.93
retrieving revision 1.94
diff -u -r1.93 -r1.94
--- modules-targeted.conf 11 Aug 2008 21:19:25 -0000 1.93
+++ modules-targeted.conf 29 Aug 2008 18:58:58 -0000 1.94
@@ -1681,4 +1681,4 @@
#
# Snort network intrusion detection system
#
-snort = base
+snort = module
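Review bot: Switching snort from `base` to `module` is not reflected in the log message or in the spec changelog, both of which mention only the upstream update and the crontab fix. Moving a policy module out of the base package changes what is compiled into the base policy and what can be loaded or unloaded on its own, so it deserves its own line; a changelog entry such as `- Move snort policy out of base into a loadable module` would make the intent traceable.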
policy-20080710.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.20 -r 1.21 policy-20080710.patch
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- policy-20080710.patch 26 Aug 2008 14:46:43 -0000 1.20
+++ policy-20080710.patch 29 Aug 2008 18:58:58 -0000 1.21
@@ -8170,8 +8170,8 @@
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.5/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/roles/staff.te 2008-08-25 10:50:15.000000000 -0400
-@@ -8,18 +8,34 @@
++++ serefpolicy-3.5.5/policy/modules/roles/staff.te 2008-08-28 09:46:16.000000000 -0400
+@@ -8,23 +8,50 @@
role staff_r;
@@ -8192,10 +8192,6 @@
')
optional_policy(`
-+ cron_per_role_template(staff, staff_t, staff_r)
-+')
-+
-+optional_policy(`
+ logadm_role_change_template(staff)
+')
+
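Review bot: The new side of this hunk drops the `cron_per_role_template(staff, staff_t, staff_r)` block from staff.te, which appears to take the per-role cron domains away from staff_t unless that call now lives in the 1977 suppressed lines. Neither the log message nor the spec changelog mentions a change to the staff role, and the -8207 hunk likewise adds `ssh_per_role_template(staff, staff_t, staff_r)` without a note. If the removal is intentional, a changelog line such as `- Drop per-role cron domains for staff_t; add per-role ssh domains for staff_t` would record it; if cron was meant to stay, the block should be restored.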
@@ -8207,7 +8203,12 @@
secadm_role_change_template(staff)
')
-@@ -28,3 +44,14 @@
+ optional_policy(`
++ ssh_per_role_template(staff, staff_t, staff_r)
++')
++
++optional_policy(`
+ sysadm_role_change_template(staff)
sysadm_dontaudit_use_terms(staff_t)
')
@@ -9639,7 +9640,7 @@
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.5/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/apache.if 2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/apache.if 2008-08-29 14:16:41.000000000 -0400
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -10129,7 +10130,7 @@
')
########################################
-@@ -1098,3 +1071,144 @@
+@@ -1098,3 +1071,178 @@
allow httpd_t $1:process signal;
')
@@ -10274,9 +10275,43 @@
+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+')
+')
++
++########################################
++## <summary>
++## Mark content as being readable by standard apache processes
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`apache_ro_content',`
++ gen_require(`
++ attribute httpd_ro_content;
++ ')
++ typeattribute $1 httpd_ro_content;
++')
++
++########################################
++## <summary>
++## Mark content as being read/write by standard apache processes
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`apache_rw_content',`
++ gen_require(`
++ attribute httpd_rw_content;
++ ')
++ typeattribute $1 httpd_rw_content;
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.5/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/apache.te 2008-08-26 10:08:47.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/apache.te 2008-08-29 14:24:52.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
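Review bot: The `<param name="domain">` documentation on both new templates describes `$1` as `Domain allowed access.`, but the body `typeattribute $1 httpd_ro_content;` marks `$1` as a content type that apache processes may read (or read/write), not as a process domain being granted anything. Suggest `<param name="type">` with the summary `Type of the content to mark as read-only (or read/write) for apache processes.` so callers do not pass a domain by mistake. Since neither template declares new types, `interface(...)` rather than `template(...)` is the more usual refpolicy form for a wrapper of this kind, though that is a style preference. Within the visible hunks only `httpd_ro_content` is consumed by an allow rule; the rules for `httpd_rw_content` presumably sit in the suppressed part of the diff and are worth confirming.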
@@ -10322,7 +10357,7 @@
## </p>
## </desc>
gen_tunable(httpd_can_network_connect, false)
-@@ -109,14 +125,33 @@
+@@ -109,14 +125,35 @@
## </desc>
gen_tunable(httpd_unified, false)
@@ -10347,6 +10382,8 @@
+## </desc>
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
++attribute httpd_ro_content;
++attribute httpd_rw_content;
attribute httpdcontent;
-attribute httpd_user_content_type;
@@ -10358,7 +10395,7 @@
# user script domains
attribute httpd_script_domains;
-@@ -147,6 +182,9 @@
+@@ -147,6 +184,9 @@
type httpd_log_t;
logging_log_file(httpd_log_t)
@@ -10368,17 +10405,17 @@
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
-@@ -180,6 +218,9 @@
+@@ -180,6 +220,9 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
-+typeattribute httpd_sys_content_t httpdcontent; # customizable
-+typeattribute httpd_sys_content_rw_t httpdcontent; # customizable
++typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
++typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -202,12 +243,16 @@
+@@ -202,12 +245,16 @@
prelink_object_file(httpd_modules_t)
')
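Review bot: `httpd_sys_content_rw_t` is added only to `httpd_rw_content` and `httpd_sys_content_ra_t` only to `httpdcontent`, so neither belongs to `httpd_ro_content`, which is the attribute the -10404 hunk now uses for httpd_t's directory listing and file/symlink read rules in place of `httpd_sys_content_t`. If the intent is that read/write and read/append content is always readable, the line could read `typeattribute httpd_sys_content_rw_t httpdcontent, httpd_ro_content, httpd_rw_content; # customizable` with a matching line for the ra type; if their read access deliberately comes from separate rules, a comment saying so next to these lines would prevent the next reader from adding it twice.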
@@ -10396,7 +10433,7 @@
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -249,6 +294,7 @@
+@@ -249,6 +296,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -10404,7 +10441,20 @@
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -289,6 +335,7 @@
+@@ -260,9 +308,9 @@
+
+ allow httpd_t httpd_suexec_exec_t:file { getattr read };
+
+-allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
++allow httpd_t httpd_ro_content:dir list_dir_perms;
++read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
++read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
+
+ manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+ manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+@@ -289,6 +337,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
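Review bot: Replacing `httpd_sys_content_t` with the `httpd_ro_content` attribute in the list, read and read_lnk rules means httpd_t's read set is no longer one fixed type but every type any module marks through the new `apache_ro_content` template, which is a wider and less reviewable grant than before. A comment above the three rules, `# httpd_ro_content: every type marked via apache_ro_content(); any module can widen this set`, would make that visible where the access is granted, and the template's summary should say the same.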
@@ -10412,7 +10462,7 @@
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -312,12 +359,11 @@
+@@ -312,12 +361,11 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -10427,7 +10477,7 @@
domain_use_interactive_fds(httpd_t)
[...1977 lines suppressed...]
gen_require(`
@@ -34134,7 +34384,7 @@
')
########################################
-@@ -2832,12 +2873,12 @@
+@@ -2832,12 +2874,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -34150,7 +34400,7 @@
')
########################################
-@@ -2869,10 +2910,10 @@
+@@ -2869,10 +2911,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -34163,7 +34413,7 @@
')
########################################
-@@ -2904,12 +2945,12 @@
+@@ -2904,12 +2946,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -34179,7 +34429,7 @@
')
########################################
-@@ -2941,11 +2982,11 @@
+@@ -2941,11 +2983,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -34193,7 +34443,7 @@
')
########################################
-@@ -2977,11 +3018,11 @@
+@@ -2977,11 +3019,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -34207,7 +34457,7 @@
')
########################################
-@@ -3013,11 +3054,11 @@
+@@ -3013,11 +3055,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -34221,7 +34471,7 @@
')
########################################
-@@ -3049,11 +3090,11 @@
+@@ -3049,11 +3091,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -34235,7 +34485,7 @@
')
########################################
-@@ -3085,11 +3126,11 @@
+@@ -3085,11 +3127,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -34249,7 +34499,7 @@
')
########################################
-@@ -3134,10 +3175,10 @@
+@@ -3134,10 +3176,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -34262,7 +34512,7 @@
files_search_tmp($2)
')
-@@ -3178,19 +3219,19 @@
+@@ -3178,19 +3220,19 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -34286,7 +34536,7 @@
## </p>
## <p>
## This is a templated interface, and should only
-@@ -4616,11 +4657,11 @@
+@@ -4616,11 +4658,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -34300,7 +34550,7 @@
')
########################################
-@@ -4640,6 +4681,14 @@
+@@ -4640,6 +4682,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -34315,7 +34565,7 @@
')
########################################
-@@ -4677,6 +4726,8 @@
+@@ -4677,6 +4727,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -34324,7 +34574,7 @@
')
########################################
-@@ -4721,6 +4772,25 @@
+@@ -4721,6 +4773,25 @@
########################################
## <summary>
@@ -34350,7 +34600,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4946,7 +5016,7 @@
+@@ -4946,7 +5017,7 @@
########################################
## <summary>
@@ -34359,7 +34609,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5318,6 +5388,42 @@
+@@ -5318,6 +5389,42 @@
########################################
## <summary>
@@ -34402,7 +34652,7 @@
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
-@@ -5368,7 +5474,7 @@
+@@ -5368,7 +5475,7 @@
attribute userdomain;
')
@@ -34411,7 +34661,7 @@
kernel_search_proc($1)
')
-@@ -5483,7 +5589,7 @@
+@@ -5483,7 +5590,7 @@
########################################
## <summary>
@@ -34420,15 +34670,14 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5491,10 +5597,46 @@
+@@ -5491,7 +5598,43 @@
## </summary>
## </param>
#
-interface(`userdom_dbus_send_all_users',`
+interface(`userdom_manage_all_users_keys',`
- gen_require(`
- attribute userdomain;
-- class dbus send_msg;
++ gen_require(`
++ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key manage_key_perms;
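Review bot: The rebuilt `userdom_manage_all_users_keys` grants `$1` `manage_key_perms` on the keyrings of every domain carrying the `userdomain` attribute, which is a grant across all users rather than one user's keys; the interface summary, which sits above this hunk outside the visible lines, should state that scope explicitly. A summary such as `Manage the kernel keyrings of all user domains.` would match the wording of the other `_all_users_` interfaces in this file.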
@@ -34463,13 +34712,10 @@
+## </param>
+#
+interface(`userdom_dbus_send_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ class dbus send_msg;
- ')
-
- allow $1 userdomain:dbus send_msg;
-@@ -5513,3 +5655,506 @@
+ gen_require(`
+ attribute userdomain;
+ class dbus send_msg;
+@@ -5513,3 +5656,506 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.699
retrieving revision 1.700
diff -u -r1.699 -r1.700
--- selinux-policy.spec 26 Aug 2008 14:13:27 -0000 1.699
+++ selinux-policy.spec 29 Aug 2008 18:58:58 -0000 1.700
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.5
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -380,6 +380,10 @@
%endif
%changelog
+* Tue Aug 26 2008 Dan Walsh <dwalsh at redhat.com> 3.5.5-2
+- Update to upstream
+- Fix crontab use by unconfined user
+
* Tue Aug 12 2008 Dan Walsh <dwalsh at redhat.com> 3.5.4-2
- Allow ifconfig_t to read dhcpc_state_t