rpms/selinux-policy/F-8 policy-20070703.patch, 1.185, 1.186 selinux-policy.spec, 1.612, 1.613
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Feb 19 20:54:05 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28680
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Mon Feb 18 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-87
- Allow apmd to talk to consolekit via dbus
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.185
retrieving revision 1.186
diff -u -r1.185 -r1.186
--- policy-20070703.patch 15 Feb 2008 21:41:20 -0000 1.185
+++ policy-20070703.patch 19 Feb 2008 20:53:54 -0000 1.186
@@ -3998,7 +3998,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-02-12 12:56:42.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-02-19 09:59:23.000000000 -0500
@@ -7,6 +7,7 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4047,7 +4047,7 @@
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
-@@ -163,9 +166,15 @@
+@@ -163,9 +166,16 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -4056,6 +4056,7 @@
+/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4064,7 +4065,7 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
-@@ -180,6 +189,7 @@
+@@ -180,6 +190,7 @@
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
@@ -4072,7 +4073,7 @@
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +269,23 @@
+@@ -259,3 +270,23 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -7072,6 +7073,20 @@
optional_policy(`
hostname_exec(apcupsd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.0.8/policy/modules/services/apm.te
+--- nsaserefpolicy/policy/modules/services/apm.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apm.te 2008-02-18 12:10:38.000000000 -0500
+@@ -190,6 +190,10 @@
+ dbus_stub(apmd_t)
+
+ optional_policy(`
++ consolekit_dbus_chat(apmd_t)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat(apmd_t)
+ ')
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.0.8/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/asterisk.te 2008-01-17 09:03:07.000000000 -0500
@@ -7160,7 +7175,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/automount.te 2008-01-17 13:10:56.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/automount.te 2008-02-18 10:02:58.000000000 -0500
@@ -52,7 +52,8 @@
files_root_filetrans(automount_t,automount_tmp_t,dir)
@@ -7187,7 +7202,7 @@
dev_read_urand(automount_t)
domain_use_interactive_fds(automount_t)
-@@ -125,6 +128,8 @@
+@@ -125,8 +128,12 @@
fs_mount_autofs(automount_t)
fs_manage_autofs_symlinks(automount_t)
@@ -7195,8 +7210,12 @@
+
term_dontaudit_getattr_pty_dirs(automount_t)
++auth_use_nsswitch(automount_t)
++
libs_use_ld_so(automount_t)
-@@ -147,10 +152,6 @@
+ libs_use_shared_libs(automount_t)
+
+@@ -147,10 +154,6 @@
userdom_dontaudit_search_sysadm_home_dirs(automount_t)
optional_policy(`
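Review bot: `auth_use_nsswitch(automount_t)`, added after `term_dontaudit_getattr_pty_dirs(automount_t)`, is a bundled interface whose definition is not part of this diff, so the permissions automount gains cannot be checked from the patch alone. The same call is added for `tftpd_t` in the tftp.te hunk further down, where it replaces `sysnet_read_config`, `sysnet_use_ldap`, `nis_use_ypbind` and `nscd_socket_use`, and where the `netlink_route_socket` rule is dropped as well. For a network-facing daemon it is worth confirming that the bundle grants no more than those explicit calls did. A comment above each call would record the intent, e.g. `# name-service lookups via nsswitch; replaces the explicit sysnet/nis/nscd calls`. The log message mentions only the apmd/consolekit change, so these substitutions are undocumented.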
@@ -7207,12 +7226,12 @@
bind_search_cache(automount_t)
')
-@@ -173,6 +174,11 @@
+@@ -173,6 +176,11 @@
')
optional_policy(`
+ samba_read_config(automount_t)
-+ samba_read_var_files(automount_t)
++ samba_manage_var_files(automount_t)
+')
+
+optional_policy(`
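Review bot: The changed line in the automount.te `optional_policy` block swaps `samba_read_var_files(automount_t)` for `samba_manage_var_files(automount_t)`, which by refpolicy naming presumably widens automount from reading Samba's var files to creating, writing and deleting them. Neither the log message nor the %changelog entry mentions it. The interface definition is not in this diff, so the exact permission set should be confirmed against samba.if. If write access is needed only for one specific file, a narrower interface would keep the grant smaller. Otherwise the reason should sit next to the call, e.g. `# automount must update samba var files: <reason / bug reference>`; the enclosing block continues past the end of the hunk.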
@@ -8206,7 +8225,7 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2008-02-12 13:39:28.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2008-02-19 10:02:47.000000000 -0500
@@ -8,24 +8,28 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -8250,13 +8269,15 @@
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -51,4 +55,5 @@
+@@ -51,4 +55,7 @@
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.0.8/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cups.if 2008-01-30 11:15:10.000000000 -0500
@@ -8678,7 +8699,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-02-15 15:41:49.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-02-19 15:50:26.000000000 -0500
@@ -50,6 +50,12 @@
## </param>
#
@@ -8731,7 +8752,7 @@
libs_use_ld_so($1_dbusd_t)
libs_use_shared_libs($1_dbusd_t)
-@@ -193,18 +214,23 @@
+@@ -193,18 +214,24 @@
gen_require(`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t;
@@ -8742,6 +8763,7 @@
- type $1_dbusd_system_t;
- type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
+ allow $2 { system_dbusd_t $2 }:dbus send_msg;
++ allow system_dbusd_t $2:dbus send_msg;
- # SE-DBus specific permissions
- allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@@ -8759,7 +8781,7 @@
')
#######################################
-@@ -236,14 +262,16 @@
+@@ -236,14 +263,16 @@
class dbus send_msg;
')
@@ -8779,7 +8801,7 @@
')
########################################
-@@ -271,6 +299,60 @@
+@@ -271,6 +300,60 @@
allow $2 $1_dbusd_t:dbus send_msg;
')
@@ -8840,7 +8862,7 @@
########################################
## <summary>
## Read dbus configuration.
-@@ -286,6 +368,7 @@
+@@ -286,6 +369,7 @@
type dbusd_etc_t;
')
@@ -8848,7 +8870,7 @@
allow $1 dbusd_etc_t:file read_file_perms;
')
-@@ -346,3 +429,55 @@
+@@ -346,3 +430,57 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -8902,11 +8924,13 @@
+
+ domtrans_pattern(system_dbusd_t,$2,$1)
+
++ dbus_system_bus_client_template($1,$1)
++ dbus_connect_system_bus($1)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2008-02-19 15:28:48.000000000 -0500
@@ -23,6 +23,9 @@
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
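Review bot: The two lines added at the end of this dbus.if interface, `dbus_system_bus_client_template($1,$1)` and `dbus_connect_system_bus($1)`, make every domain reached through `domtrans_pattern(system_dbusd_t,$2,$1)` a system-bus client as a side effect, so a caller that only wanted the transition cannot opt out. The interface's summary and parameter doc block start outside the hunk; they should state that bus client access is granted along with the transition. Passing the domain type `$1` as the template's first argument is safe only while the template builds no type names from it (the `$1_dbusd_system_t` lines appear as removed earlier in this patch). A short comment would pin that down: `# $1 is passed twice: the client template no longer derives a prefixed type from its first argument`.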
@@ -8926,7 +8950,15 @@
manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
-@@ -116,9 +121,18 @@
+@@ -60,6 +65,7 @@
+
+ fs_getattr_all_fs(system_dbusd_t)
+ fs_search_auto_mountpoints(system_dbusd_t)
++fs_list_inotifyfs(system_dbusd_t)
+
+ selinux_get_fs_mount(system_dbusd_t)
+ selinux_validate_context(system_dbusd_t)
+@@ -116,9 +122,18 @@
')
optional_policy(`
@@ -10387,8 +10419,17 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.0.8/policy/modules/services/lpd.fc
--- nsaserefpolicy/policy/modules/services/lpd.fc 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/lpd.fc 2008-01-17 09:03:07.000000000 -0500
-@@ -29,3 +29,4 @@
++++ serefpolicy-3.0.8/policy/modules/services/lpd.fc 2008-02-19 10:01:56.000000000 -0500
+@@ -22,6 +22,8 @@
+ /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+ /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
++/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
++
+ /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
+
+ #
+@@ -29,3 +31,4 @@
#
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
@@ -11223,7 +11264,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.0.8/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/nagios.fc 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/nagios.fc 2008-02-19 15:22:33.000000000 -0500
@@ -4,13 +4,15 @@
/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
@@ -11231,7 +11272,7 @@
-/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
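Review bot: The replacement file-context line matches only `/usr/lib(64)?/nagios/cgi-bin(/.*)?`, so CGI programs still installed under `/usr/lib(64)?/nagios/cgi` (the directory named by the upstream entry removed just above) no longer receive `httpd_nagios_script_exec_t` and fall back to whatever label that tree gets by default. If both layouts can exist on F-8, one pattern covers them: `/usr/lib(64)?/nagios/cgi(-bin)?(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)`. If only `cgi-bin` is shipped, the %changelog should mention the path change so that the affected files are relabelled after the update.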
@@ -11418,7 +11459,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-02-14 15:07:55.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-02-19 15:28:14.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.7.1)
@@ -15597,7 +15638,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.8/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/squid.te 2008-01-25 09:45:37.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/squid.te 2008-02-15 16:43:23.000000000 -0500
@@ -36,7 +36,7 @@
# Local policy
#
@@ -15690,7 +15731,7 @@
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+ squid_read_config(httpd_squid_script_t)
+ allow httpd_squid_script_t self:tcp_socket create_socket_perms;
-+ sysnet_read_config(httpd_squid_script_t)
++ sysnet_dns_name_resolve(httpd_squid_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+')
@@ -16070,7 +16111,7 @@
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.8/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2008-02-15 16:45:51.000000000 -0500
@@ -16,6 +16,17 @@
type tftpdir_t;
files_type(tftpdir_t)
@@ -16089,14 +16130,7 @@
########################################
#
# Local policy
-@@ -26,12 +37,17 @@
- allow tftpd_t self:udp_socket create_socket_perms;
- allow tftpd_t self:unix_dgram_socket create_socket_perms;
- allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-+allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
- dontaudit tftpd_t self:capability sys_tty_config;
-
- allow tftpd_t tftpdir_t:dir { getattr read search };
+@@ -32,6 +43,10 @@
allow tftpd_t tftpdir_t:file { read getattr };
allow tftpd_t tftpdir_t:lnk_file { getattr read };
@@ -16107,16 +16141,41 @@
manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
-@@ -72,6 +88,10 @@
+@@ -64,6 +79,8 @@
+ files_read_var_symlinks(tftpd_t)
+ files_search_var(tftpd_t)
+
++auth_use_nsswitch(tftpd_t)
++
+ libs_use_ld_so(tftpd_t)
+ libs_use_shared_libs(tftpd_t)
+
+@@ -72,8 +89,9 @@
miscfiles_read_localization(tftpd_t)
miscfiles_read_public_files(tftpd_t)
+-sysnet_read_config(tftpd_t)
+-sysnet_use_ldap(tftpd_t)
+tunable_policy(`allow_tftp_anon_write',`
+ miscfiles_manage_public_files(tftpd_t)
+')
-+
- sysnet_read_config(tftpd_t)
- sysnet_use_ldap(tftpd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
+ userdom_dontaudit_use_sysadm_ttys(tftpd_t)
+@@ -84,14 +102,6 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(tftpd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(tftpd_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(tftpd_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.if serefpolicy-3.0.8/policy/modules/services/ucspitcp.if
--- nsaserefpolicy/policy/modules/services/ucspitcp.if 2007-10-22 13:21:36.000000000 -0400
@@ -17074,7 +17133,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-01-31 13:45:27.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-02-19 15:36:07.000000000 -0500
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -17250,7 +17309,7 @@
+ type system_chkpwd_t, chkpwd_exec_t, shadow_t;
+ ')
+
-+ corecmd_search_sbin($1)
++ corecmd_search_bin($1)
+ domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
+ dontaudit $1 shadow_t:file { getattr read };
+ auth_domtrans_upd_passwd($1)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.612
retrieving revision 1.613
diff -u -r1.612 -r1.613
--- selinux-policy.spec 15 Feb 2008 21:41:20 -0000 1.612
+++ selinux-policy.spec 19 Feb 2008 20:53:54 -0000 1.613
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 86%{?dist}
+Release: 87%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
%endif
%changelog
+* Mon Feb 18 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-87
+- Allow apmd to talk to consolekit via dbus
+
* Fri Feb 15 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-86
- Add prelude/audisp policy