rpms/selinux-policy/F-8 policy-20070703.patch, 1.185, 1.186 selinux-policy.spec, 1.612, 1.613

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Feb 19 20:54:05 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28680

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Mon Feb 18 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-87
- Allow apmd to talk to consolekit via dbus


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.185
retrieving revision 1.186
diff -u -r1.185 -r1.186
--- policy-20070703.patch	15 Feb 2008 21:41:20 -0000	1.185
+++ policy-20070703.patch	19 Feb 2008 20:53:54 -0000	1.186
@@ -3998,7 +3998,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2008-02-12 12:56:42.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2008-02-19 09:59:23.000000000 -0500
 @@ -7,6 +7,7 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4047,7 +4047,7 @@
  
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -163,9 +166,15 @@
+@@ -163,9 +166,16 @@
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
@@ -4056,6 +4056,7 @@
 +/usr/local/Brother(/.*)?/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/local/Printer/[^/]*/cupswrapper(/.*)?      gen_context(system_u:object_r:bin_t,s0)
 +/usr/local/Printer/[^/]*/lpd(/.*)?      	gen_context(system_u:object_r:bin_t,s0)
++/usr/local/linuxprinter/filters(/.*)?   	gen_context(system_u:object_r:bin_t,s0)
  
 +/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4064,7 +4065,7 @@
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -180,6 +189,7 @@
+@@ -180,6 +190,7 @@
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
@@ -4072,7 +4073,7 @@
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +269,23 @@
+@@ -259,3 +270,23 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -7072,6 +7073,20 @@
  optional_policy(`
  	hostname_exec(apcupsd_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.0.8/policy/modules/services/apm.te
+--- nsaserefpolicy/policy/modules/services/apm.te	2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apm.te	2008-02-18 12:10:38.000000000 -0500
+@@ -190,6 +190,10 @@
+ 	dbus_stub(apmd_t)
+ 
+ 	optional_policy(`
++		consolekit_dbus_chat(apmd_t)
++	')
++
++	optional_policy(`
+ 		networkmanager_dbus_chat(apmd_t)
+ 	')
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.0.8/policy/modules/services/asterisk.te
 --- nsaserefpolicy/policy/modules/services/asterisk.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/asterisk.te	2008-01-17 09:03:07.000000000 -0500
@@ -7160,7 +7175,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/automount.te	2008-01-17 13:10:56.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/automount.te	2008-02-18 10:02:58.000000000 -0500
 @@ -52,7 +52,8 @@
  files_root_filetrans(automount_t,automount_tmp_t,dir)
  
@@ -7187,7 +7202,7 @@
  dev_read_urand(automount_t)
  
  domain_use_interactive_fds(automount_t)
-@@ -125,6 +128,8 @@
+@@ -125,8 +128,12 @@
  fs_mount_autofs(automount_t)
  fs_manage_autofs_symlinks(automount_t)
  
@@ -7195,8 +7210,12 @@
 +
  term_dontaudit_getattr_pty_dirs(automount_t)
  
++auth_use_nsswitch(automount_t)
++
  libs_use_ld_so(automount_t)
-@@ -147,10 +152,6 @@
+ libs_use_shared_libs(automount_t)
+ 
+@@ -147,10 +154,6 @@
  userdom_dontaudit_search_sysadm_home_dirs(automount_t)
  
  optional_policy(`
@@ -7207,12 +7226,12 @@
  	bind_search_cache(automount_t)
  ')
  
-@@ -173,6 +174,11 @@
+@@ -173,6 +176,11 @@
  ')
  
  optional_policy(`
 +	samba_read_config(automount_t)
-+	samba_read_var_files(automount_t)
++	samba_manage_var_files(automount_t)
 +')
 +
 +optional_policy(`
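Review bot: `samba_manage_var_files(automount_t)` replaces `samba_read_var_files(automount_t)` in the automount optional block, which by the interface names moves automount from read-only to manage access on Samba's var files, and the 3.0.8-87 changelog entry does not record why. The interface bodies are not shown on this page, so the exact permission set is inferred from the names; if only one specific write is needed, a narrower interface would limit what a compromised automount could change in Samba's state. At minimum, add a comment above the call such as `# TODO(review): document which AVC denial requires manage rather than read`, plus a matching changelog line. The enclosing optional_policy block starts outside this hunk.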
@@ -8206,7 +8225,7 @@
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2008-02-12 13:39:28.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2008-02-19 10:02:47.000000000 -0500
 @@ -8,24 +8,28 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -8250,13 +8269,15 @@
  
  /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -51,4 +55,5 @@
+@@ -51,4 +55,7 @@
  /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  
 -/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.0.8/policy/modules/services/cups.if
 --- nsaserefpolicy/policy/modules/services/cups.if	2007-10-22 13:21:36.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/cups.if	2008-01-30 11:15:10.000000000 -0500
@@ -8678,7 +8699,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2008-02-15 15:41:49.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2008-02-19 15:50:26.000000000 -0500
 @@ -50,6 +50,12 @@
  ## </param>
  #
@@ -8731,7 +8752,7 @@
  
  	libs_use_ld_so($1_dbusd_t)
  	libs_use_shared_libs($1_dbusd_t)
-@@ -193,18 +214,23 @@
+@@ -193,18 +214,24 @@
  	gen_require(`
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t;
@@ -8742,6 +8763,7 @@
 -	type $1_dbusd_system_t;
 -	type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
 +	allow $2 { system_dbusd_t $2 }:dbus send_msg;
++	allow system_dbusd_t $2:dbus send_msg;
  
 -	# SE-DBus specific permissions
 -	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@@ -8759,7 +8781,7 @@
  ')
  
  #######################################
-@@ -236,14 +262,16 @@
+@@ -236,14 +263,16 @@
  		class dbus send_msg;
  	')
  
@@ -8779,7 +8801,7 @@
  ')
  
  ########################################
-@@ -271,6 +299,60 @@
+@@ -271,6 +300,60 @@
  	allow $2 $1_dbusd_t:dbus send_msg;
  ')
  
@@ -8840,7 +8862,7 @@
  ########################################
  ## <summary>
  ##	Read dbus configuration.
-@@ -286,6 +368,7 @@
+@@ -286,6 +369,7 @@
  		type dbusd_etc_t;
  	')
  
@@ -8848,7 +8870,7 @@
  	allow $1 dbusd_etc_t:file read_file_perms;
  ')
  
-@@ -346,3 +429,55 @@
+@@ -346,3 +430,57 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -8902,11 +8924,13 @@
 +
 +	domtrans_pattern(system_dbusd_t,$2,$1)
 +
++	dbus_system_bus_client_template($1,$1)
++	dbus_connect_system_bus($1)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.te	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dbus.te	2008-02-19 15:28:48.000000000 -0500
 @@ -23,6 +23,9 @@
  type system_dbusd_var_run_t;
  files_pid_file(system_dbusd_var_run_t)
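Review bot: The two calls added at the end of this interface, `dbus_system_bus_client_template($1,$1)` and `dbus_connect_system_bus($1)`, make every domain declared through it a system-bus client, and the first passes the domain type as the template's prefix argument as well as its domain argument. In the template hunk earlier in this file the lines deriving `$1_dbusd_system_t` are dropped and the visible rules use only `$2`, so the prefix looks unused, but only part of the template is visible and this should be confirmed against its full body. Together with the newly added `allow system_dbusd_t $2:dbus send_msg;`, each such domain can now both send to and receive from the bus daemon. That deserves a comment above the calls, for example `# bus-activated services are also clients of the system bus`, and a changelog line. The interface begins outside the hunk.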
@@ -8926,7 +8950,15 @@
  manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
  manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
  files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
-@@ -116,9 +121,18 @@
+@@ -60,6 +65,7 @@
+ 
+ fs_getattr_all_fs(system_dbusd_t)
+ fs_search_auto_mountpoints(system_dbusd_t)
++fs_list_inotifyfs(system_dbusd_t)
+ 
+ selinux_get_fs_mount(system_dbusd_t)
+ selinux_validate_context(system_dbusd_t)
+@@ -116,9 +122,18 @@
  ')
  
  optional_policy(`
@@ -10387,8 +10419,17 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.0.8/policy/modules/services/lpd.fc
 --- nsaserefpolicy/policy/modules/services/lpd.fc	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/lpd.fc	2008-01-17 09:03:07.000000000 -0500
-@@ -29,3 +29,4 @@
++++ serefpolicy-3.0.8/policy/modules/services/lpd.fc	2008-02-19 10:01:56.000000000 -0500
+@@ -22,6 +22,8 @@
+ /usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+ /usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+ 
++/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
++
+ /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
+ 
+ #
+@@ -29,3 +31,4 @@
  #
  /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
  /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
@@ -11223,7 +11264,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.0.8/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/nagios.fc	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/nagios.fc	2008-02-19 15:22:33.000000000 -0500
 @@ -4,13 +4,15 @@
  /usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
  /usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
@@ -11231,7 +11272,7 @@
 -/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 -/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 +/usr/lib(64)?/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/usr/lib(64)?/nagios/cgi(/.*)?		gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib(64)?/nagios/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
  
  /var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
  /var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
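Review bot: The `nagios/cgi-bin` pattern replaces the `nagios/cgi` pattern instead of being added beside it, so any CGI still installed under `/usr/lib(64)?/nagios/cgi` would lose `httpd_nagios_script_exec_t` at the next relabel and fall back to whatever broader pattern matches that path. The upstream entry removed just above used the `cgi` directory, so both layouts appear to exist in the wild. Keeping the old line next to the new one covers both: `/usr/lib(64)?/nagios/cgi(/.*)?		gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)`. If the old path is dropped on purpose, the changelog should say so.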
@@ -11418,7 +11459,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2008-02-14 15:07:55.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2008-02-19 15:28:14.000000000 -0500
 @@ -1,5 +1,5 @@
  
 -policy_module(networkmanager,1.7.1)
@@ -15597,7 +15638,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.8/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/squid.te	2008-01-25 09:45:37.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/squid.te	2008-02-15 16:43:23.000000000 -0500
 @@ -36,7 +36,7 @@
  # Local policy
  #
@@ -15690,7 +15731,7 @@
 +	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
 +	squid_read_config(httpd_squid_script_t)
 +	allow httpd_squid_script_t self:tcp_socket create_socket_perms;
-+	sysnet_read_config(httpd_squid_script_t)
++	sysnet_dns_name_resolve(httpd_squid_script_t)
 +	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
 +	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
 +')
@@ -16070,7 +16111,7 @@
 +/var/lib/tftpboot(/.*)?		gen_context(system_u:object_r:tftpdir_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.8/policy/modules/services/tftp.te
 --- nsaserefpolicy/policy/modules/services/tftp.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/tftp.te	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/tftp.te	2008-02-15 16:45:51.000000000 -0500
 @@ -16,6 +16,17 @@
  type tftpdir_t;
  files_type(tftpdir_t)
@@ -16089,14 +16130,7 @@
  ########################################
  #
  # Local policy
-@@ -26,12 +37,17 @@
- allow tftpd_t self:udp_socket create_socket_perms;
- allow tftpd_t self:unix_dgram_socket create_socket_perms;
- allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-+allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
- dontaudit tftpd_t self:capability sys_tty_config;
- 
- allow tftpd_t tftpdir_t:dir { getattr read search };
+@@ -32,6 +43,10 @@
  allow tftpd_t tftpdir_t:file { read getattr };
  allow tftpd_t tftpdir_t:lnk_file { getattr read };
  
@@ -16107,16 +16141,41 @@
  manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
  files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
  
-@@ -72,6 +88,10 @@
+@@ -64,6 +79,8 @@
+ files_read_var_symlinks(tftpd_t)
+ files_search_var(tftpd_t)
+ 
++auth_use_nsswitch(tftpd_t)
++
+ libs_use_ld_so(tftpd_t)
+ libs_use_shared_libs(tftpd_t)
+ 
+@@ -72,8 +89,9 @@
  miscfiles_read_localization(tftpd_t)
  miscfiles_read_public_files(tftpd_t)
  
+-sysnet_read_config(tftpd_t)
+-sysnet_use_ldap(tftpd_t)
 +tunable_policy(`allow_tftp_anon_write',`
 +	miscfiles_manage_public_files(tftpd_t)
 +') 
-+
- sysnet_read_config(tftpd_t)
- sysnet_use_ldap(tftpd_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
+ userdom_dontaudit_use_sysadm_ttys(tftpd_t)
+@@ -84,14 +102,6 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(tftpd_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(tftpd_t)
+-')
+-
+-optional_policy(`
+         seutil_sigchld_newrole(tftpd_t)
+ ')
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.if serefpolicy-3.0.8/policy/modules/services/ucspitcp.if
 --- nsaserefpolicy/policy/modules/services/ucspitcp.if	2007-10-22 13:21:36.000000000 -0400
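Review bot: `auth_use_nsswitch(tftpd_t)` now stands in for four narrower grants removed in this hunk (`sysnet_read_config`, `sysnet_use_ldap`, `nis_use_ypbind`, `nscd_socket_use`) and for the explicit `netlink_route_socket` rule dropped in the previous hunk. The interface body is not on this page, so whether it grants exactly those permissions or a wider set cannot be checked from this diff. If it is wider, a network-facing daemon gains name-service access it did not have before. A comment above the call, e.g. `# replaces sysnet_read_config, sysnet_use_ldap, nis_use_ypbind and nscd_socket_use`, would make the trade visible to the next reviewer, and the change should be listed in the changelog alongside the apmd entry.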
@@ -17074,7 +17133,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2008-01-31 13:45:27.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2008-02-19 15:36:07.000000000 -0500
 @@ -26,7 +26,8 @@
  	type $1_chkpwd_t, can_read_shadow_passwords;
  	application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -17250,7 +17309,7 @@
 +		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 +	')
 +
-+	corecmd_search_sbin($1)
++	corecmd_search_bin($1)
 +	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
 +	dontaudit $1 shadow_t:file { getattr read };
 +	auth_domtrans_upd_passwd($1)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.612
retrieving revision 1.613
diff -u -r1.612 -r1.613
--- selinux-policy.spec	15 Feb 2008 21:41:20 -0000	1.612
+++ selinux-policy.spec	19 Feb 2008 20:53:54 -0000	1.613
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 86%{?dist}
+Release: 87%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
 %endif
 
 %changelog
+* Mon Feb 18 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-87
+- Allow apmd to talk to consolekit via dbus
+
 * Fri Feb 15 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-86
 - Add prelude/audisp policy
 



