rpms/selinux-policy/devel policy-20071130.patch, 1.56, 1.57 selinux-policy.spec, 1.604, 1.605
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Feb 11 22:53:33 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1531
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Thu Feb 5 2008 Dan Walsh <dwalsh at redhat.com> 3.2.7-3
- More fixes for polkit
policy-20071130.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.56 -r 1.57 policy-20071130.patch
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- policy-20071130.patch 6 Feb 2008 21:45:40 -0000 1.56
+++ policy-20071130.patch 11 Feb 2008 22:53:26 -0000 1.57
@@ -703,8 +703,9 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.7/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/admin/kismet.te 2008-02-06 11:02:29.000000000 -0500
-@@ -0,0 +1,58 @@
++++ serefpolicy-3.2.7/policy/modules/admin/kismet.te 2008-02-08 14:32:32.000000000 -0500
+@@ -0,0 +1,55 @@
++
+policy_module(kismet,1.0.0)
+
+########################################
@@ -717,7 +718,6 @@
+application_domain(kismet_t, kismet_exec_t)
+role system_r types kismet_t;
+
-+
+type kismet_var_run_t;
+files_pid_file(kismet_var_run_t)
+
@@ -732,8 +732,6 @@
+# kismet local policy
+#
+
-+## internal communication is often done using fifo and unix sockets.
-+#============= kismet_t ==============
+allow kismet_t self:capability { net_admin setuid setgid };
+
+corecmd_exec_bin(kismet_t)
@@ -750,7 +748,6 @@
+
+miscfiles_read_localization(kismet_t)
+
-+
+allow kismet_t kismet_var_run_t:file manage_file_perms;
+allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir })
@@ -2137,7 +2134,7 @@
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.7/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/apps/gpg.if 2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/gpg.if 2008-02-11 14:15:31.000000000 -0500
@@ -38,6 +38,10 @@
gen_require(`
type gpg_exec_t, gpg_helper_exec_t;
@@ -2149,7 +2146,7 @@
')
########################################
-@@ -45,275 +49,51 @@
+@@ -45,275 +49,53 @@
# Declarations
#
@@ -2387,8 +2384,7 @@
- #
- # Pinentry local policy
- #
-+ userdom_use_user_terminals($1,gpg_agent_t)
-
+-
- allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
- allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
-
@@ -2423,7 +2419,8 @@
- optional_policy(`
- xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
- ')
--
++ userdom_use_user_terminals($1,gpg_agent_t)
+
- ifdef(`TODO',`
- allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
-
@@ -2435,14 +2432,15 @@
- dontaudit $1_gpg_pinentry_t nfs_t:dir write;
- dontaudit $1_gpg_pinentry_t nfs_t:file write;
- ')
--
++ # communicate with the user
++ allow gpg_helper_t $2:fd use;
++ allow gpg_helper_t $2:fifo_file rw_fifo_file_perms;
+
- tunable_policy(`use_samba_home_dirs',`
- dontaudit $1_gpg_pinentry_t cifs_t:dir write;
- dontaudit $1_gpg_pinentry_t cifs_t:file write;
- ')
-+ # communicate with the user
-+ allow gpg_helper_t $2:fd use;
-+ allow gpg_helper_t $2:fifo_file write;
++ userdom_manage_user_home_content_files(user, gpg_helper_t)
- dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
- ') dnl end TODO
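Review bot: `userdom_manage_user_home_content_files(user, gpg_helper_t)`, the last line added here, hardcodes the `user` prefix while the surrounding template passes `$1` (see `userdom_use_user_terminals($1,gpg_agent_t)` in the preceding hunk), so if home-content types are still keyed by role prefix in this build the rule binds gpg_helper_t to the `user` role's files no matter which role instantiated the template; if the prefix is deliberately ignored here, a comment saying so would keep the next reader from "correcting" it. gpg_helper_t is the network-facing keyserver helper (this patch grants it `corenet_tcp_connect_all_ports` in gpg.te), and manage rights over all of the user's home content are far wider than the access to the gpg secret directory a key fetcher plausibly needs; either narrow the grant or record the motivating denial above it, e.g. `# gpgkeys_* helpers write fetched keys back into the keyring; see <bug/AVC reference>`. The enclosing template starts and ends outside the hunk.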
@@ -2454,8 +2452,8 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.7/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/apps/gpg.te 2008-02-06 11:02:29.000000000 -0500
-@@ -7,15 +7,225 @@
++++ serefpolicy-3.2.7/policy/modules/apps/gpg.te 2008-02-11 14:16:30.000000000 -0500
+@@ -7,15 +7,232 @@
#
# Type for gpg or pgp executables.
@@ -2551,6 +2549,8 @@
+# GPG helper local policy
+#
+
++allow gpg_helper_t self:process getsched;
++
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
@@ -2575,17 +2575,15 @@
+corenet_udp_bind_all_nodes(gpg_helper_t)
+corenet_tcp_connect_all_ports(gpg_helper_t)
+
-+dev_read_urand(gpg_helper_t)
-+
+files_read_etc_files(gpg_helper_t)
-+# for nscd
-+files_dontaudit_search_var(gpg_helper_t)
++
++fs_list_inotifyfs(gpg_helper_t)
++
++auth_use_nsswitch(gpg_helper_t)
+
+libs_use_ld_so(gpg_helper_t)
+libs_use_shared_libs(gpg_helper_t)
+
-+sysnet_read_config(gpg_helper_t)
-+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(gpg_helper_t)
+')
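Review bot: `dev_read_urand(gpg_helper_t)` is removed while the domain keeps `corenet_tcp_connect_all_ports`; if any gpgkeys_* helper uses a TLS-backed transport, its crypto library seeds from /dev/urandom and will now hit a denial, so this removal wants a confirming test or a note on why the access is not needed. Replacing `sysnet_read_config` with `auth_use_nsswitch` is broader than the line it replaces (it pulls in the nscd/ldap-style lookup paths as well), which is presumably intended for keyserver name resolution; a `# hostname lookup for the keyserver` comment above it would record that intent. The gpg_helper_t section continues outside the hunk.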
@@ -2616,8 +2614,15 @@
+manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
+
+# allow gpg to connect to the gpg agent
++manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
++manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
++manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
++
+stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t)
+
++manage_dirs_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
++manage_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
++manage_sock_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_agent_t, user_gpg_agent_tmp_t, { file sock_file dir })
+
+corecmd_search_bin(gpg_agent_t)
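Review bot: The added `manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)` is byte-identical to the context line two above it, so one copy should be dropped (the new `manage_dirs_pattern`/`manage_files_pattern` lines likely repeat siblings just above the hunk too — worth checking). The three new user_gpg_secret_t rules are also slotted directly under `# allow gpg to connect to the gpg agent`, which now sits several rules away from the `stream_connect_pattern(gpg_t,...)` it describes; move the comment next to that line and head the agent rules with their own, e.g. `# gpg-agent owns the user's secret keyring and its tmp socket dir`. The gpg_agent_t section continues outside the hunk.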
@@ -2762,7 +2767,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.7/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/apps/java.fc 2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/java.fc 2008-02-11 14:02:02.000000000 -0500
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -2771,7 +2776,7 @@
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,11 @@
+@@ -20,5 +21,13 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -2783,7 +2788,9 @@
+/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
-+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib64/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.7/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400
@@ -3801,7 +3808,7 @@
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.7/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if 2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if 2008-02-08 14:05:36.000000000 -0500
@@ -0,0 +1,337 @@
+
+## <summary>policy for nsplugin</summary>
@@ -4142,8 +4149,9 @@
[...2357 lines suppressed...]
logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal)
-@@ -224,6 +190,10 @@
+@@ -224,6 +191,10 @@
')
optional_policy(`
@@ -28445,7 +28800,7 @@
apache_run_helper(sysadm_t, sysadm_r, admin_terminal)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
-@@ -279,14 +249,6 @@
+@@ -279,14 +250,6 @@
')
optional_policy(`
@@ -28460,7 +28815,7 @@
cron_admin_template(sysadm, sysadm_t, sysadm_r)
')
-@@ -302,12 +264,9 @@
+@@ -302,12 +265,9 @@
optional_policy(`
dmesg_exec(sysadm_t)
@@ -28474,7 +28829,7 @@
optional_policy(`
dmidecode_run(sysadm_t, sysadm_r, admin_terminal)
')
-@@ -352,6 +311,10 @@
+@@ -352,6 +312,10 @@
')
optional_policy(`
@@ -28485,7 +28840,7 @@
lvm_run(sysadm_t, sysadm_r, admin_terminal)
')
-@@ -387,6 +350,10 @@
+@@ -387,6 +351,10 @@
')
optional_policy(`
@@ -28496,7 +28851,7 @@
netutils_run(sysadm_t, sysadm_r, admin_terminal)
netutils_run_ping(sysadm_t, sysadm_r, admin_terminal)
netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal)
-@@ -436,15 +403,19 @@
+@@ -436,15 +404,19 @@
optional_policy(`
samba_run_net(sysadm_t, sysadm_r, admin_terminal)
@@ -28517,7 +28872,7 @@
', `
userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
')
-@@ -487,3 +458,8 @@
+@@ -487,3 +459,13 @@
optional_policy(`
yam_run(sysadm_t, sysadm_r, admin_terminal)
')
@@ -28526,6 +28881,11 @@
+ term_use_console(userdomain)
+')
+
++# Allow unpriv users to read system state of unpriv processes
++read_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process)
++read_lnk_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process)
++allow unpriv_userdomain unpriv_process:process getattr;
++dontaudit unpriv_userdomain unpriv_process:process ptrace;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.7/policy/modules/system/virt.fc
--- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/system/virt.fc 2008-02-06 11:02:30.000000000 -0500
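Review bot: The four new rules that appear to close this file give every `unpriv_userdomain` read access to the /proc entries and `process getattr` on every `unpriv_process` type, which turns the previous per-domain view into a cross-domain one and leaves DAC on /proc as the only remaining separation between unprivileged roles; because both sides are attributes the grant also widens silently whenever another domain is later tagged `unpriv_process`. The comment `# Allow unpriv users to read system state of unpriv processes` states what but not why; if the driver is utilities like ps/top listing other users' processes, say so and name the boundary, e.g. `# so ps/top in an unprivileged domain can list other unprivileged users' processes; DAC still protects per-pid files`. The accompanying `dontaudit ... ptrace` deserves a word too, since it suppresses exactly the denials that would reveal a debugger being aimed across domains.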
@@ -28873,8 +29233,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.7/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/virt.te 2008-02-06 11:02:30.000000000 -0500
-@@ -0,0 +1,137 @@
++++ serefpolicy-3.2.7/policy/modules/system/virt.te 2008-02-07 11:31:40.000000000 -0500
+@@ -0,0 +1,158 @@
+
+policy_module(virt,1.0.0)
+
@@ -28963,12 +29323,18 @@
+corenet_tcp_sendrecv_all_nodes(virtd_t)
+corenet_tcp_sendrecv_all_ports(virtd_t)
+corenet_tcp_bind_all_nodes(virtd_t)
++corenet_tcp_bind_virt_port(virtd_t)
+corenet_tcp_bind_vnc_port(virtd_t)
++corenet_tcp_connect_vnc_port(virtd_t)
++corenet_tcp_connect_soundd_port(virtd_t)
+corenet_rw_tun_tap_dev(virtd_t)
+
++dev_read_sysfs(virtd_t)
++
+kernel_read_system_state(virtd_t)
+kernel_read_network_state(virtd_t)
+kernel_rw_net_sysctls(virtd_t)
++kernel_write_xen_state(virtd_t)
+
+# Init script handling
+domain_use_interactive_fds(virtd_t)
@@ -28981,6 +29347,7 @@
+libs_use_shared_libs(virtd_t)
+
+miscfiles_read_localization(virtd_t)
++miscfiles_read_certs(virtd_t)
+
+auth_use_nsswitch(virtd_t)
+
@@ -28991,10 +29358,14 @@
+')
+
+optional_policy(`
-+ qemu_domtrans(virtd_t)
-+ qemu_read_state(virtd_t)
-+ qemu_signal(virtd_t)
-+ qemu_sigkill(virtd_t)
++ dbus_system_bus_client_template(virtd,virtd_t)
++ optional_policy(`
++ avahi_dbus_chat(virtd_t)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat(virtd_t)
++ ')
+')
+
+optional_policy(`
@@ -29007,15 +29378,41 @@
+')
+
+optional_policy(`
-+ dbus_system_bus_client_template(virtd,virtd_t)
-+ optional_policy(`
-+ avahi_dbus_chat(virtd_t)
-+ ')
++ qemu_domtrans(virtd_t)
++ qemu_read_state(virtd_t)
++ qemu_signal(virtd_t)
++ qemu_sigkill(virtd_t)
+')
++
++optional_policy(`
++ sasl_connect(virtd_t)
++')
++
++optional_policy(`
++ xen_stream_connect(virtd_t)
++ xen_stream_connect_xenstore(virtd_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.7/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/system/xen.if 2008-02-06 11:02:30.000000000 -0500
-@@ -191,3 +191,24 @@
++++ serefpolicy-3.2.7/policy/modules/system/xen.if 2008-02-07 11:26:47.000000000 -0500
+@@ -167,11 +167,14 @@
+ #
+ interface(`xen_stream_connect',`
+ gen_require(`
+- type xend_t, xend_var_run_t;
++ type xend_t, xend_var_run_t, xend_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t)
++
++ files_search_var_lib($1)
++ stream_connect_pattern($1,xend_var_lib_t,xend_var_lib_t,xend_t)
+ ')
+
+ ########################################
+@@ -191,3 +194,24 @@
domtrans_pattern($1,xm_exec_t,xm_t)
')
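Review bot: `xen_stream_connect` now requires `xend_var_lib_t` and connects to a second socket under the var_lib directory, but the interface's `## <summary>`/`<desc>` block sits just above the hunk (only its closing `#` is visible) and should be extended to say the xend socket may live in either the pid or the var_lib location, otherwise the new `files_search_var_lib($1)` looks unexplained to callers. The added `type xend_t, xend_var_run_t, xend_var_lib_t;` in `gen_require` also assumes xen.te declares `xend_var_lib_t`; that declaration is not visible in this patch, and an unmet require fails the module build rather than surfacing as a denial, so confirm it. The rest of the interface file after `@@ -191,3 +194,24 @@` runs past the hunk.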
@@ -29395,8 +29792,8 @@
+## <summary>Policy for staff user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.7/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/users/staff.te 2008-02-06 15:11:44.000000000 -0500
-@@ -0,0 +1,65 @@
++++ serefpolicy-3.2.7/policy/modules/users/staff.te 2008-02-08 14:13:09.000000000 -0500
+@@ -0,0 +1,60 @@
+policy_module(staff,1.0.1)
+userdom_unpriv_user_template(staff)
+
@@ -29455,11 +29852,6 @@
+')
+
+optional_policy(`
-+ polkit_run_grant(staff_t, staff_r, { staff_devpts_t staff_tty_device_t })
-+ polkit_read_lib(staff_t)
-+')
-+
-+optional_policy(`
+ xserver_per_role_template(staff, staff_t, staff_r)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.7/policy/modules/users/user.fc
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.604
retrieving revision 1.605
diff -u -r1.604 -r1.605
--- selinux-policy.spec 6 Feb 2008 21:45:40 -0000 1.604
+++ selinux-policy.spec 11 Feb 2008 22:53:26 -0000 1.605
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.7
-Release: 1%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,13 @@
%endif
%changelog
+* Thu Feb 5 2008 Dan Walsh <dwalsh at redhat.com> 3.2.7-3
+- More fixes for polkit
+
+* Thu Feb 5 2008 Dan Walsh <dwalsh at redhat.com> 3.2.7-2
+- Eliminate transition from unconfined_t to qemu by default
+- Fixes for gpg
+
* Tue Feb 5 2008 Dan Walsh <dwalsh at redhat.com> 3.2.7-1
- Update to upstream