rpms/selinux-policy/devel policy-20071130.patch, 1.54, 1.55 selinux-policy.spec, 1.602, 1.603

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Feb 5 21:25:17 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19683

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Tue Feb 5 2008 Dan Walsh <dwalsh at redhat.com> 3.2.6-7
- Fixes for staff_t


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -r1.54 -r1.55
--- policy-20071130.patch	5 Feb 2008 18:31:25 -0000	1.54
+++ policy-20071130.patch	5 Feb 2008 21:25:09 -0000	1.55
@@ -381,6 +381,16 @@
  	logrotate_dontaudit_use_fds(consoletype_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-3.2.6/policy/modules/admin/firstboot.if
+--- nsaserefpolicy/policy/modules/admin/firstboot.if	2007-04-10 12:52:58.000000000 -0400
++++ serefpolicy-3.2.6/policy/modules/admin/firstboot.if	2008-02-05 15:40:19.000000000 -0500
+@@ -141,4 +141,6 @@
+ 	')
+ 
+ 	dontaudit $1 firstboot_t:fifo_file { read write };
++	dontaudit $1 firstboot_t:unix_stream_socket { read write };
++
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.2.6/policy/modules/admin/firstboot.te
 --- nsaserefpolicy/policy/modules/admin/firstboot.te	2007-12-19 05:32:18.000000000 -0500
 +++ serefpolicy-3.2.6/policy/modules/admin/firstboot.te	2008-02-01 16:01:42.000000000 -0500
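Review bot: The new `dontaudit $1 firstboot_t:unix_stream_socket { read write };` in firstboot.if has no comment, and the interface header that documents this block lies outside the hunk. If that header describes only inherited pipes, it should be extended to cover stream sockets, for example `## Do not audit attempts to read and write firstboot pipes and unix stream sockets.` Because dontaudit rules suppress the AVC record, a short comment naming the leaked descriptor that prompted the rule would help anyone later trying to work out why no denial is logged. The blank `+` line added before the closing `')` can be dropped.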
@@ -4754,7 +4764,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc	2008-02-04 11:10:30.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc	2008-02-05 14:59:46.000000000 -0500
 @@ -7,11 +7,11 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4777,7 +4787,20 @@
  /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -127,6 +129,8 @@
+@@ -67,6 +69,12 @@
+ 
+ /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
+ 
++
++/etc/sysconfig/crond		-- gen_context(system_u:object_r:bin_t,s0)
++/etc/sysconfig/init		-- gen_context(system_u:object_r:bin_t,s0)
++/etc/sysconfig/libvirtd		-- gen_context(system_u:object_r:bin_t,s0)
++/etc/sysconfig/netconsole	-- gen_context(system_u:object_r:bin_t,s0)
++/etc/sysconfig/readonly-root 	-- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/network-scripts/ifup-.*	-l gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
+@@ -127,6 +135,8 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
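Review bot: The five new `/etc/sysconfig/...` entries in corecommands.fc (crond, init, libvirtd, netconsole, readonly-root) label configuration files as `bin_t` with no comment explaining why. `bin_t` is an executable type, so this presumably changes which domains may execute and which may modify these files compared with their previous label. A comment above the group would make that intent reviewable, for example `# sysconfig files run by init scripts, labeled bin_t so that ...`. Two style nits in the same block: the `readonly-root` pattern has a space before the tab separator, and the hunk adds an extra empty line above the group.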
@@ -4786,7 +4809,7 @@
  #
  # /usr
  #
-@@ -147,7 +151,7 @@
+@@ -147,7 +157,7 @@
  /usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
@@ -4795,7 +4818,7 @@
  
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -186,7 +190,10 @@
+@@ -186,7 +196,10 @@
  /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
  
@@ -4806,7 +4829,7 @@
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +291,7 @@
+@@ -284,3 +297,7 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4827,7 +4850,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in	2008-02-02 10:38:16.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in	2008-02-05 14:00:55.000000000 -0500
 @@ -82,6 +82,7 @@
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@@ -4853,7 +4876,7 @@
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
  network_port(nessus, tcp,1241,s0)
-@@ -133,6 +137,7 @@
+@@ -133,10 +137,12 @@
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(postfix_policyd, tcp,10031,s0)
@@ -4861,7 +4884,12 @@
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -148,7 +153,7 @@
+ network_port(postgrey, tcp,60000,s0)
++network_port(prelude, tcp,4690,s0, udp,4690,s0)
+ network_port(printer, tcp,515,s0)
+ network_port(ptal, tcp,5703,s0)
+ network_port(pxe, udp,4011,s0)
+@@ -148,7 +154,7 @@
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
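Review bot: `network_port(prelude, tcp,4690,s0, udp,4690,s0)` declares the port for both TCP and UDP, but the only consumer visible in this commit is `corenet_tcp_bind_prelude_port(prelude_t)` in the prelude.te hunk further down. If nothing in the policy uses UDP 4690, which cannot be confirmed from the lines shown, the declaration could be narrowed to `network_port(prelude, tcp,4690,s0)`. That would keep the UDP port from being typed `prelude_port_t` without a rule that needs it.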
@@ -4870,7 +4898,7 @@
  network_port(rsh, tcp,514,s0)
  network_port(rsync, tcp,873,s0, udp,873,s0)
  network_port(rwho, udp,513,s0)
-@@ -171,6 +176,8 @@
+@@ -171,6 +177,8 @@
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
  network_port(vnc, tcp,5900,s0)
@@ -15915,8 +15943,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.2.6/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/prelude.te	2008-02-01 16:01:42.000000000 -0500
-@@ -0,0 +1,114 @@
++++ serefpolicy-3.2.6/policy/modules/services/prelude.te	2008-02-05 14:42:50.000000000 -0500
+@@ -0,0 +1,117 @@
 +policy_module(prelude,1.0.0)
 +
 +########################################
@@ -15957,6 +15985,8 @@
 +# Init script handling
 +domain_use_interactive_fds(prelude_t)
 +
++allow prelude_t self:capability sys_tty_config;
++
 +## internal communication is often done using fifo and unix sockets.
 +allow prelude_t self:fifo_file rw_file_perms;
 +allow prelude_t self:unix_stream_socket create_stream_socket_perms;
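Review bot: `allow prelude_t self:capability sys_tty_config;` grants a capability to the daemon without a comment saying which operation needs it, and it sits under the "Init script handling" heading where it reads as incidental. If the denial comes only from the daemon touching its terminal at startup and the service works without it, `dontaudit prelude_t self:capability sys_tty_config;` would silence the message without widening the domain. If the capability is really needed, a one-line comment naming the requirement should go above the rule. The rest of prelude.te lies outside the hunk, so this cannot be checked against its other capability rules.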
@@ -15967,6 +15997,7 @@
 +dev_read_rand(prelude_t)
 +dev_read_urand(prelude_t)
 +
++manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
 +manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
 +files_pid_filetrans(prelude_t, prelude_var_run_t, file)
 +
@@ -15994,7 +16025,7 @@
 +corenet_tcp_sendrecv_all_if(prelude_t)
 +corenet_tcp_sendrecv_all_nodes(prelude_t)
 +corenet_tcp_bind_all_nodes(prelude_t)
-+#corenet_tcp_bind_generic_port(prelude_t)
++corenet_tcp_bind_prelude_port(prelude_t)
 +
 +corecmd_search_bin(prelude_t)
 +
@@ -17709,7 +17740,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.6/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/samba.te	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/samba.te	2008-02-05 14:45:20.000000000 -0500
 @@ -26,28 +26,28 @@
  
  ## <desc>
@@ -22082,7 +22113,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.6/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/authlogin.if	2008-02-02 00:19:44.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/authlogin.if	2008-02-05 13:32:05.000000000 -0500
 @@ -99,7 +99,7 @@
  template(`authlogin_per_role_template',`
  
@@ -22191,7 +22222,7 @@
 +		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 +	')
 +
-+	corecmd_search_sbin($1)
++	corecmd_search_bin($1)
 +	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
 +	dontaudit $1 shadow_t:file { getattr read };
 +	auth_domtrans_upd_passwd($1)
@@ -23131,7 +23162,7 @@
 +/var/run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.6/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/logging.if	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/logging.if	2008-02-05 14:03:48.000000000 -0500
 @@ -213,12 +213,7 @@
  ## </param>
  #
@@ -23227,7 +23258,7 @@
  ')
  
  ########################################
-@@ -804,3 +800,125 @@
+@@ -804,3 +800,127 @@
  	logging_admin_audit($1, $2, $3)
  	logging_admin_syslog($1, $2, $3)
  ')
@@ -23333,6 +23364,8 @@
 +	role system_r types $1;
 +
 +	domtrans_pattern(audisp_t,$2,$1)
++
++	allow audisp_t $2:file getattr;
 +')
 +
 +########################################
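Review bot: The added `allow audisp_t $2:file getattr;` directly follows `domtrans_pattern(audisp_t,$2,$1)`, which as far as I can tell already lets the source domain getattr the entrypoint file, so the extra rule looks redundant unless it covers a case the pattern does not. A comment stating the denial it fixes would settle that, for example `# audispd stats the plugin binary before executing it`. The interface's `gen_require` block is outside the hunk, so please confirm `audisp_t` is required there.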
@@ -25276,7 +25309,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.6/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/unconfined.te	2008-02-05 09:47:51.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/unconfined.te	2008-02-05 13:44:43.000000000 -0500
 @@ -6,35 +6,59 @@
  # Declarations
  #
@@ -25397,10 +25430,14 @@
  
  optional_policy(`
  	init_dbus_chat_script(unconfined_t)
-@@ -101,12 +140,20 @@
+@@ -101,12 +140,24 @@
  	')
  
  	optional_policy(`
++		gnomeclock_dbus_chat(unconfined_t)
++	')
++
++	optional_policy(`
 +		kerneloops_dbus_chat(unconfined_t)
 +	')
 +
@@ -25418,7 +25455,7 @@
  ')
  
  optional_policy(`
-@@ -118,11 +165,7 @@
+@@ -118,11 +169,7 @@
  ')
  
  optional_policy(`
@@ -25431,7 +25468,7 @@
  ')
  
  optional_policy(`
-@@ -134,14 +177,6 @@
+@@ -134,14 +181,6 @@
  ')
  
  optional_policy(`
@@ -25446,27 +25483,27 @@
  	oddjob_domtrans_mkhomedir(unconfined_t)
  ')
  
-@@ -154,38 +189,32 @@
+@@ -154,38 +193,32 @@
  ')
  
  optional_policy(`
 -	postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
+-')
+-
+-
+-optional_policy(`
+-	pyzor_per_role_template(unconfined)
 +	qemu_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
- 
- optional_policy(`
--	pyzor_per_role_template(unconfined)
--')
--
 -optional_policy(`
 -	# cjp: this should probably be removed:
 -	rpc_domtrans_nfsd(unconfined_t)
 -')
--
--optional_policy(`
+ 
+ optional_policy(`
  	rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	# Allow SELinux aware applications to request rpm_script execution
 +	rpm_transition_script(unconfined_t)
@@ -25492,7 +25529,7 @@
  ')
  
  optional_policy(`
-@@ -205,11 +234,30 @@
+@@ -205,11 +238,30 @@
  ')
  
  optional_policy(`
@@ -25506,10 +25543,9 @@
 +
 +optional_policy(`
 +	mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- ')
- 
- optional_policy(`
--	xserver_domtrans_xdm_xserver(unconfined_t)
++')
++
++optional_policy(`
 +	mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
 +	unconfined_domain(unconfined_mozilla_t)
 +	allow unconfined_mozilla_t self:process { execstack execmem };
@@ -25517,15 +25553,16 @@
 +
 +optional_policy(`
 +	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	xserver_domtrans_xdm_xserver(unconfined_t)
 +	xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	xserver_xdm_rw_shm(unconfined_t)
  ')
  
  ########################################
-@@ -219,14 +267,34 @@
+@@ -219,14 +271,34 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -25545,11 +25582,11 @@
 -	')
 +optional_policy(`
 +	avahi_dbus_chat(unconfined_execmem_t)
- ')
++')
 +
 +optional_policy(`
 +	hal_dbus_chat(unconfined_execmem_t)
-+')
+ ')
 +
 +optional_policy(`
 +	xserver_xdm_rw_shm(unconfined_execmem_t)
@@ -28122,7 +28159,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.6/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/userdomain.te	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/userdomain.te	2008-02-05 13:44:01.000000000 -0500
 @@ -2,12 +2,7 @@
  policy_module(userdomain,2.5.0)
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.602
retrieving revision 1.603
diff -u -r1.602 -r1.603
--- selinux-policy.spec	5 Feb 2008 18:25:42 -0000	1.602
+++ selinux-policy.spec	5 Feb 2008 21:25:09 -0000	1.603
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.6
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
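Review bot: `Release: 6%{?dist}` does not match the changelog entry added in the next hunk, which is stamped `3.2.6-7`. The existing `3.2.6-6` entry suggests the tag was already one behind before this commit. The built package would then carry release 6 while its newest changelog entry claims 7, which makes it harder to tell which policy fixes a given installed build contains. Either set `Release: 7%{?dist}` or renumber the new changelog entry.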
@@ -387,6 +387,9 @@
 %endif
 
 %changelog
+* Tue Feb 5 2008 Dan Walsh <dwalsh at redhat.com> 3.2.6-7
+- Fixes for staff_t
+
 * Tue Feb 5 2008 Dan Walsh <dwalsh at redhat.com> 3.2.6-6
 - Add policy for kerneloops
 - Add policy for gnomeclock



