rpms/selinux-policy/F-9 policy-20071130.patch, 1.200, 1.201 selinux-policy.spec, 1.703, 1.704
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Aug 29 20:40:28 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15165
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Tue Aug 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-87
- Allow crontab to work for unconfined users
- Allow courier_authdaemon_t to create sock_file in courier_spool directories
policy-20071130.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.200 -r 1.201 policy-20071130.patch
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.200
retrieving revision 1.201
diff -u -r1.200 -r1.201
--- policy-20071130.patch 12 Aug 2008 18:11:06 -0000 1.200
+++ policy-20071130.patch 29 Aug 2008 20:40:27 -0000 1.201
@@ -106,12 +106,14 @@
+system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/config/appconfig-mcs/guest_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,4 @@
++++ serefpolicy-3.3.1/config/appconfig-mcs/guest_u_default_contexts 2008-08-13 13:50:55.000000000 -0400
+@@ -0,0 +1,6 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
++system_r:initrc_su_t:s0 guest_r:guest_t:s0
++guest_r:guest_t:s0 guest_r:guest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/config/appconfig-mcs/root_default_contexts 2008-07-15 14:02:51.000000000 -0400
@@ -128,10 +130,22 @@
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/staff_u_default_contexts
+--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/config/appconfig-mcs/staff_u_default_contexts 2008-08-13 13:50:13.000000000 -0400
+@@ -5,6 +5,8 @@
+ system_r:xdm_t:s0 staff_r:staff_t:s0
+ staff_r:staff_su_t:s0 staff_r:staff_t:s0
+ staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
++system_r:initrc_su_t:s0 staff_r:staff_t:s0
++staff_r:staff_t:s0 staff_r:staff_t:s0
+ sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+ sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/unconfined_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/config/appconfig-mcs/unconfined_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,9 @@
++++ serefpolicy-3.3.1/config/appconfig-mcs/unconfined_u_default_contexts 2008-08-13 13:49:38.000000000 -0400
+@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
@@ -140,7 +154,19 @@
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
++system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
++unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/user_u_default_contexts
+--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/config/appconfig-mcs/user_u_default_contexts 2008-08-13 13:52:58.000000000 -0400
+@@ -5,4 +5,5 @@
+ system_r:xdm_t:s0 user_r:user_t:s0
+ user_r:user_su_t:s0 user_r:user_t:s0
+ user_r:user_sudo_t:s0 user_r:user_t:s0
+-
++system_r:initrc_su_t:s0 user_r:user_t:s0
++user_r:user_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.3.1/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/config/appconfig-mcs/userhelper_context 2008-07-15 14:02:51.000000000 -0400
@@ -341,13 +367,15 @@
+event * system_u:object_r:default_xevent_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/config/appconfig-mcs/xguest_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,5 @@
++++ serefpolicy-3.3.1/config/appconfig-mcs/xguest_u_default_contexts 2008-08-13 13:50:37.000000000 -0400
+@@ -0,0 +1,7 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_crond_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
++system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
++xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.3.1/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/config/appconfig-mls/guest_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
@@ -1718,19 +1746,17 @@
') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.3.1/policy/modules/admin/kismet.fc
--- nsaserefpolicy/policy/modules/admin/kismet.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.fc 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,5 @@
-+
-+/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
-+/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.fc 2008-08-29 16:39:13.000000000 -0400
+@@ -0,0 +1,4 @@
++/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
++/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.3.1/policy/modules/admin/kismet.if
--- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,275 @@
-+
-+## <summary>policy for kismet</summary>
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2008-08-29 16:38:53.000000000 -0400
+@@ -0,0 +1,252 @@
++## <summary>Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</summary>
+
+########################################
+## <summary>
@@ -1744,13 +1770,42 @@
+#
+interface(`kismet_domtrans',`
+ gen_require(`
-+ type kismet_t;
-+ type kismet_exec_t;
++ type kismet_t, kismet_exec_t;
+ ')
+
-+ domtrans_pattern($1,kismet_exec_t,kismet_t)
++ domtrans_pattern($1, kismet_exec_t, kismet_t)
+')
+
++########################################
++## <summary>
++## Execute kismet in the kismet domain, and
++## allow the specified role the kismet domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the kismet domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the role's terminal.
++## </summary>
++## </param>
++#
++interface(`kismet_run',`
++ gen_require(`
++ type kismet_t;
++ ')
++
++ kismet_domtrans($1)
++ role $2 types kismet_t;
++ allow kismet_t $3:chr_file rw_term_perms;
++')
+
+########################################
+## <summary>
@@ -1767,8 +1822,8 @@
+ type kismet_var_run_t;
+ ')
+
-+ files_search_pids($1)
+ allow $1 kismet_var_run_t:file read_file_perms;
++ files_search_pids($1)
+')
+
+########################################
@@ -1781,17 +1836,15 @@
+## </summary>
+## </param>
+#
-+interface(`kismet_manage_var_run',`
++interface(`kismet_manage_pid_files',`
+ gen_require(`
+ type kismet_var_run_t;
+ ')
+
-+ manage_dirs_pattern($1,kismet_var_run_t,kismet_var_run_t)
-+ manage_files_pattern($1,kismet_var_run_t,kismet_var_run_t)
-+ manage_lnk_files_pattern($1,kismet_var_run_t,kismet_var_run_t)
++ allow $1 kismet_var_run_t:file manage_file_perms;
++ files_search_pids($1)
+')
+
-+
+########################################
+## <summary>
+## Search kismet lib directories.
@@ -1847,8 +1900,7 @@
+ type kismet_var_lib_t;
+ ')
+
-+ allow $1 kismet_var_lib_t:file manage_file_perms;
-+ allow $1 kismet_var_lib_t:dir rw_dir_perms;
++ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+ files_search_var_lib($1)
[...2009 lines suppressed...]
gen_tunable(samba_share_nfs,false)
@@ -24518,7 +25250,17 @@
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -790,3 +867,40 @@
+@@ -784,9 +861,49 @@
+ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+ allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+- unconfined_domain(samba_unconfined_script_t)
++
++ optional_policy(`
++ unconfined_domain(samba_unconfined_script_t)
++ ')
+
+ tunable_policy(`samba_run_unconfined',`
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
@@ -25525,7 +26267,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.3.1/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-08-29 14:41:05.000000000 -0400
@@ -8,10 +8,13 @@
type snort_t;
@@ -25567,7 +26309,7 @@
userdom_dontaudit_search_sysadm_home_dirs(snort_t)
optional_policy(`
-+ prelude_rw_spool(snort_t)
++ prelude_manage_spool(snort_t)
+')
+
+optional_policy(`
@@ -26341,7 +27083,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-08-14 12:48:08.000000000 -0400
@@ -21,8 +21,10 @@
gen_tunable(spamd_enable_home_dirs,true)
@@ -26420,7 +27162,7 @@
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -149,11 +172,31 @@
+@@ -149,11 +172,36 @@
userdom_search_unpriv_users_home_dirs(spamd_t)
userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
@@ -26436,6 +27178,11 @@
+ evolution_home_filetrans(user,spamd_t,spamd_tmp_t,{ file sock_file })
+')
+
++optional_policy(`
++ exim_manage_spool_dirs(spamd_t)
++ exim_manage_spool_files(spamd_t)
++')
++
+tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(user,spamd_t)
+ userdom_manage_user_home_content_files(user,spamd_t)
@@ -26452,7 +27199,7 @@
fs_manage_cifs_files(spamd_t)
')
-@@ -171,6 +214,7 @@
+@@ -171,6 +219,7 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -26460,7 +27207,7 @@
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -198,6 +242,11 @@
+@@ -198,6 +247,11 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -26472,7 +27219,7 @@
')
optional_policy(`
-@@ -212,3 +261,216 @@
+@@ -212,3 +266,216 @@
optional_policy(`
udev_read_db(spamd_t)
')
@@ -27641,7 +28388,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-07-29 15:14:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-08-12 17:02:07.000000000 -0400
@@ -12,9 +12,15 @@
## </summary>
## </param>
@@ -31314,12 +32061,14 @@
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-07-15 14:02:52.000000000 -0400
-@@ -29,7 +29,7 @@
++++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-08-29 15:31:37.000000000 -0400
+@@ -28,8 +28,8 @@
+ # iscsid local policy
#
- allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
+-allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
-allow iscsid_t self:process { setrlimit setsched };
++allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_nice sys_resource };
+allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file { read write };
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -31602,7 +32351,7 @@
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-08-29 16:21:41.000000000 -0400
@@ -213,12 +213,7 @@
## </param>
#
@@ -31698,7 +32447,7 @@
')
########################################
-@@ -804,3 +838,129 @@
+@@ -804,3 +838,128 @@
logging_admin_audit($1, $2, $3)
logging_admin_syslog($1, $2, $3)
')
@@ -31804,8 +32553,7 @@
+ role system_r types $1;
+
+ domtrans_pattern(audisp_t,$2,$1)
-+ allow $1 audisp_t:process signal;
-+
++ allow audisp_t $1:process { sigkill sigstop signull signal }
+ allow audisp_t $2:file getattr;
+ allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
@@ -34821,7 +35569,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-07-29 16:49:30.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-08-12 17:31:13.000000000 -0400
@@ -6,35 +6,72 @@
# Declarations
#
@@ -35116,7 +35864,7 @@
')
########################################
-@@ -219,14 +281,36 @@
+@@ -219,14 +281,38 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -35140,11 +35888,11 @@
+
+optional_policy(`
+ hal_dbus_chat(unconfined_execmem_t)
- ')
++')
+
+optional_policy(`
+ xserver_xdm_rw_shm(unconfined_execmem_t)
-+')
+ ')
+
+########################################
+#
@@ -35158,6 +35906,8 @@
+rpm_transition_script(unconfined_notrans_t)
+domain_ptrace_all_domains(unconfined_notrans_t)
+
++allow unconfined_t self:process transition;
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.3.1/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.fc 2008-07-15 14:02:52.000000000 -0400
@@ -39820,7 +40570,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.3.1/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-08-29 16:21:06.000000000 -0400
@@ -315,3 +315,13 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.703
retrieving revision 1.704
diff -u -r1.703 -r1.704
--- selinux-policy.spec 12 Aug 2008 18:11:06 -0000 1.703
+++ selinux-policy.spec 29 Aug 2008 20:40:28 -0000 1.704
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 85%{?dist}
+Release: 87%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,13 @@
%endif
%changelog
+* Tue Aug 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-87
+- Allow crontab to work for unconfined users
+- Allow courier_authdaemon_t to create sock_file in courier_spool directories
+
+* Thu Aug 14 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-86
+- Allow prewika to write log files
+
* Wed Aug 6 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-85
- Allow clamscan to connect to the clamd_port over tcp
More information about the fedora-extras-commits
mailing list