rpms/selinux-policy/devel policy-20081111.patch, 1.7, 1.8 selinux-policy.spec, 1.750, 1.751

Daniel J Walsh dwalsh at fedoraproject.org
Thu Dec 4 20:36:56 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8139

Modified Files:
	policy-20081111.patch selinux-policy.spec 
Log Message:
* Thu Dec 4 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-6
- Allow iptables to talk to terminals


policy-20081111.patch:

Index: policy-20081111.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20081111.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policy-20081111.patch	4 Dec 2008 18:47:26 -0000	1.7
+++ policy-20081111.patch	4 Dec 2008 20:36:25 -0000	1.8
@@ -21556,7 +21556,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if	2008-12-03 09:10:20.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/authlogin.if	2008-12-04 14:13:34.000000000 -0500
 @@ -43,6 +43,7 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
@@ -21601,13 +21601,14 @@
  
  	init_rw_utmp($1)
  
-@@ -100,8 +117,39 @@
+@@ -100,8 +117,40 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
 +	userdom_set_rlimitnh($1)
 +	userdom_read_user_home_content_symlinks($1)
 +	userdom_delete_user_tmp_files($1)
++	userdom_search_admin_dir($1)
 +
 +	optional_policy(`
 +		dbus_system_bus_client($1)
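Review bot: The added `userdom_search_admin_dir($1)` lets every domain that calls this interface search the admin home directory, and nothing in the hunk records which login program needs it. The enclosing interface starts outside the hunk (the previous hunk suggests it is `auth_login_pgm_domain`, but that is inferred), so the set of affected callers is probably broad. The log message only mentions iptables and terminals, so the reason is not captured there either. I would put a one-line why-comment directly above the call naming the program and the denial that prompted it. If only one login program needs the access, the call belongs in that program's own policy rather than in the shared interface.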
@@ -21641,7 +21642,7 @@
  	')
  ')
  
-@@ -207,19 +255,16 @@
+@@ -207,19 +256,16 @@
  	dev_read_rand($1)
  	dev_read_urand($1)
  
@@ -21666,7 +21667,7 @@
  	')
  
  	optional_policy(`
-@@ -230,6 +275,29 @@
+@@ -230,6 +276,29 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -21696,7 +21697,7 @@
  ')
  
  ########################################
-@@ -254,6 +322,7 @@
+@@ -254,6 +323,7 @@
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -21704,7 +21705,7 @@
  ')
  
  ########################################
-@@ -1031,6 +1100,32 @@
+@@ -1031,6 +1101,32 @@
  
  ########################################
  ## <summary>
@@ -21737,7 +21738,7 @@
  ##	Manage all files on the filesystem, except
  ##	the shadow passwords and listed exceptions.
  ## </summary>
-@@ -1297,6 +1392,10 @@
+@@ -1297,6 +1393,10 @@
  	')
  
  	optional_policy(`
@@ -21748,7 +21749,7 @@
  		nis_use_ypbind($1)
  	')
  
-@@ -1307,6 +1406,7 @@
+@@ -1307,6 +1407,7 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  		samba_read_var_files($1)
@@ -21756,7 +21757,7 @@
  	')
  ')
  
-@@ -1341,3 +1441,61 @@
+@@ -1341,3 +1442,61 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -25462,7 +25463,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-04 13:27:59.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-04 14:28:00.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -25714,10 +25715,12 @@
 -	gen_require(`
 -		type $1_t;
 -	')
--
++interface(`userdom_basic_networking',`
+ 
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
 -	allow $1_t self:udp_socket create_socket_perms;
-+interface(`userdom_basic_networking',`
++	allow $1 self:tcp_socket create_stream_socket_perms;
++	allow $1 self:udp_socket create_socket_perms;
  
 -	corenet_all_recvfrom_unlabeled($1_t)
 -	corenet_all_recvfrom_netlabel($1_t)
@@ -25729,9 +25732,7 @@
 -	corenet_udp_sendrecv_all_ports($1_t)
 -	corenet_tcp_connect_all_ports($1_t)
 -	corenet_sendrecv_all_client_packets($1_t)
-+	allow $1 self:tcp_socket create_stream_socket_perms;
-+	allow $1 self:udp_socket create_socket_perms;
- 
+-
 -	corenet_all_recvfrom_labeled($1_t, $1_t)
 +	corenet_all_recvfrom_unlabeled($1)
 +	corenet_all_recvfrom_netlabel($1)
@@ -25848,26 +25849,26 @@
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
--
--	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
  
--	corenet_udp_bind_all_nodes($1_t)
--	corenet_udp_bind_generic_port($1_t)
+-	corecmd_exec_bin($1_t)
 +	corenet_udp_bind_all_nodes($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	dev_read_rand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
+-	corenet_udp_bind_all_nodes($1_t)
+-	corenet_udp_bind_generic_port($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
+-
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -26066,16 +26067,16 @@
 -			postgresql_stream_connect($1_t)
 -			postgresql_tcp_connect($1_t)
 +			postgresql_stream_connect($1_usertype)
-+		')
  		')
-+
-+	optional_policy(`
-+		# to allow monitoring of pcmcia status
-+		pcmcia_read_pid($1_usertype)
  	')
  
  	optional_policy(`
 -		resmgr_stream_connect($1_t)
++		# to allow monitoring of pcmcia status
++		pcmcia_read_pid($1_usertype)
++	')
++
++	optional_policy(`
 +		pcscd_read_pub_files($1_usertype)
 +		pcscd_stream_connect($1_usertype)
  	')
@@ -26111,19 +26112,19 @@
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_change_password_template($1)
-+
-+	userdom_manage_home_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
++	userdom_manage_home_role($1_r, $1_usertype)
  
 -	userdom_exec_user_tmp_files($1_t)
 -	userdom_exec_user_home_content_files($1_t)
-+	gen_tunable(allow_$1_exec_content, true)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_change_password_template($1)
++	gen_tunable(allow_$1_exec_content, true)
++
 +	tunable_policy(`allow_$1_exec_content',`
 +		userdom_exec_user_tmp_files($1_usertype)
 +		userdom_exec_user_home_content_files($1_usertype)
@@ -26288,11 +26289,11 @@
  	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
 +	auth_search_pam_console_data($1_usertype)
-+
-+	xserver_role($1_r, $1_t)
  
 -	dev_read_sound($1_t)
 -	dev_write_sound($1_t)
++	xserver_role($1_r, $1_t)
++
 +	dev_read_sound($1_usertype)
 +	dev_write_sound($1_usertype)
  	# gnome keyring wants to read this.
@@ -26759,7 +26760,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3172,245 @@
+@@ -2981,3 +3172,262 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -26931,6 +26932,23 @@
 +
 +	dontaudit $1 admin_home_t:dir search_dir_perms;
 +')
++########################################
++## <summary>
++##	dontaudit list /root
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_list_admin_dir',`
++	gen_require(`
++		type admin_home_t;
++	')
++
++	dontaudit $1 admin_home_t:dir list_dir_perms;
++')
 +
 +########################################
 +## <summary>
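Review bot: The parameter description on the new `userdom_dontaudit_list_admin_dir` reads `Domain allowed access.`, but the body only emits `dontaudit $1 admin_home_t:dir list_dir_perms;` and grants nothing. It should read `##	Domain to not audit.`, and the summary would be clearer as `##	Do not audit attempts to list the admin home directory (/root).`. The new `########` banner also follows the preceding `')` with no blank line, unlike the separator before the next interface. Because a dontaudit rule hides these denials from the audit log, the summary is the only place a caller learns that listing attempts on /root will stop being logged, so it is worth getting the wording right.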


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.750
retrieving revision 1.751
diff -u -r1.750 -r1.751
--- selinux-policy.spec	4 Dec 2008 18:45:06 -0000	1.750
+++ selinux-policy.spec	4 Dec 2008 20:36:26 -0000	1.751
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@
 %endif
 
 %changelog
+* Thu Dec 4 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-6
+- Allow iptables to talk to terminals
+
 * Thu Dec 4 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-5
 - Allow iptables to talk to terminals
 



