rpms/selinux-policy/devel policy-20071130.patch,1.70,1.71

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Feb 20 22:12:49 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14962

Modified Files:
	policy-20071130.patch 
Log Message:
* Wed Feb 20 2008 Dan Walsh <dwalsh at redhat.com> 3.2.9-1
- Fixes from yum-cron
- Update to latest upstream


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- policy-20071130.patch	20 Feb 2008 22:05:55 -0000	1.70
+++ policy-20071130.patch	20 Feb 2008 22:12:36 -0000	1.71
@@ -15292,7 +15292,7 @@
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.9/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.9/policy/modules/services/postfix.if	2008-02-20 14:28:23.000000000 -0500
++++ serefpolicy-3.2.9/policy/modules/services/postfix.if	2008-02-20 17:00:40.000000000 -0500
 @@ -206,9 +206,8 @@
  		type postfix_etc_t;
  	')
@@ -20054,7 +20054,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.9/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.9/policy/modules/services/squid.te	2008-02-20 14:28:23.000000000 -0500
++++ serefpolicy-3.2.9/policy/modules/services/squid.te	2008-02-20 16:57:35.000000000 -0500
 @@ -31,12 +31,15 @@
  type squid_var_run_t;
  files_pid_file(squid_var_run_t)
@@ -20300,7 +20300,7 @@
  	optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.2.9/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.9/policy/modules/services/ssh.te	2008-02-20 14:28:23.000000000 -0500
++++ serefpolicy-3.2.9/policy/modules/services/ssh.te	2008-02-20 17:08:49.000000000 -0500
 @@ -24,7 +24,7 @@
  
  # Type for the ssh-agent executable.
@@ -20323,18 +20323,19 @@
  #################################
  #
  # sshd local policy
-@@ -80,6 +86,10 @@
+@@ -80,6 +86,11 @@
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
 +userdom_read_all_users_home_dirs_symlinks(sshd_t)
 +userdom_read_all_users_home_content_files(sshd_t)
 +userdom_read_all_users_home_content_symlinks(sshd_t)
++userdom_read_unpriv_users_home_content_files(sshd_t)
 +
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
  	# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -101,6 +111,10 @@
+@@ -101,6 +112,10 @@
  ')
  
  optional_policy(`
@@ -20345,7 +20346,7 @@
  	daemontools_service_domain(sshd_t, sshd_exec_t)
  ')
  
-@@ -119,7 +133,11 @@
+@@ -119,7 +134,11 @@
  ')
  
  optional_policy(`
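Review bot: The added `userdom_read_unpriv_users_home_content_files(sshd_t)` looks redundant next to `userdom_read_all_users_home_content_files(sshd_t)` two lines above it: if the all-users interface is a superset of the unprivileged-users one (their definitions are not in this hunk), the new line grants nothing extra and only makes the broader grant easier to overlook. Either drop it or, if the intent is to narrow what sshd may read, replace the `all_users` lines instead of adding to them; note that this group of rules sits outside `tunable_policy(\`ssh_sysadm_login\',` and so applies unconditionally to sshd_t. Whichever is kept deserves a why-comment, since reading arbitrary home-directory content is wider than what authorized_keys lookup needs, e.g. `# sshd reads ~/.ssh/authorized_keys and related files in user home dirs during authentication` (the reason is not shown in this hunk, so confirm it). The sshd local policy block starts and ends outside this hunk.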
@@ -24023,8 +24024,8 @@
 +/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.2.9/policy/modules/system/qemu.if
 --- nsaserefpolicy/policy/modules/system/qemu.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.9/policy/modules/system/qemu.if	2008-02-20 14:28:23.000000000 -0500
-@@ -0,0 +1,218 @@
++++ serefpolicy-3.2.9/policy/modules/system/qemu.if	2008-02-20 17:01:42.000000000 -0500
+@@ -0,0 +1,290 @@
 +
 +## <summary>policy for qemu</summary>
 +
@@ -24243,83 +24244,111 @@
 +	allow qemu_unconfined_t $3:chr_file rw_file_perms;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.9/policy/modules/system/qemu.te
---- nsaserefpolicy/policy/modules/system/qemu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.9/policy/modules/system/qemu.te	2008-02-20 14:28:23.000000000 -0500
-@@ -0,0 +1,83 @@
-+policy_module(qemu,1.0.0)
 +
 +########################################
++## <summary>
++##	Creates types and rules for a basic
++##	qemu process domain.
++## </summary>
++## <param name="prefix">
++##	<summary>
++##	Prefix for the domain.
++##	</summary>
++## </param>
 +#
-+# Declarations
-+#
++template(`qemu_domain_template',`
 +
-+type qemu_t;
-+type qemu_exec_t;
-+application_domain(qemu_t, qemu_exec_t)
-+role system_r types qemu_t;
++	type $1_t;
++	domain_type($1_t)
 +
-+type qemu_unconfined_t;
-+domain_type(qemu_unconfined_t)
++	domain_use_interactive_fds($1_t)
 +
-+########################################
-+#
-+# qemu local policy
-+#
++	allow $1_t self:process { execstack execmem signal getsched };
++	allow $1_t self:tcp_socket create_stream_socket_perms;
 +
-+# Init script handling
-+domain_use_interactive_fds(qemu_t)
++	## internal communication is often done using fifo and unix sockets.
++	allow $1_t self:fifo_file rw_file_perms;
++	allow $1_t self:unix_stream_socket create_stream_socket_perms;
++	allow $1_t self:shm create_shm_perms;
 +
-+allow qemu_t self:process { execstack execmem signal getsched };
-+allow qemu_t self:tcp_socket create_stream_socket_perms;
++	corenet_all_recvfrom_unlabeled($1_t)
++	corenet_all_recvfrom_netlabel($1_t)
++	corenet_tcp_sendrecv_all_if($1_t)
++	corenet_tcp_sendrecv_all_nodes($1_t)
++	corenet_tcp_sendrecv_all_ports($1_t)
++	corenet_tcp_bind_all_nodes($1_t)
++	corenet_tcp_bind_vnc_port($1_t)
++	corenet_rw_tun_tap_dev($1_t)
 +
-+## internal communication is often done using fifo and unix sockets.
-+allow qemu_t self:fifo_file rw_file_perms;
-+allow qemu_t self:unix_stream_socket create_stream_socket_perms;
-+allow qemu_t self:shm create_shm_perms;
++	kernel_read_system_state($1_t)
 +
-+corenet_all_recvfrom_unlabeled(qemu_t)
-+corenet_all_recvfrom_netlabel(qemu_t)
-+corenet_tcp_sendrecv_all_if(qemu_t)
-+corenet_tcp_sendrecv_all_nodes(qemu_t)
-+corenet_tcp_sendrecv_all_ports(qemu_t)
-+corenet_tcp_bind_all_nodes(qemu_t)
-+corenet_tcp_bind_vnc_port(qemu_t)
-+corenet_rw_tun_tap_dev(qemu_t)
++	dev_rw_kvm($1_t)
 +
-+kernel_read_system_state(qemu_t)
++	files_read_etc_files($1_t)
++	files_read_usr_files($1_t)
++	files_read_var_files($1_t)
++	files_search_all($1_t)
 +
-+dev_rw_kvm(qemu_t)
++	fs_rw_anon_inodefs_files($1_t)
++	fs_rw_tmpfs_files($1_t)
 +
-+files_read_etc_files(qemu_t)
-+files_read_usr_files(qemu_t)
-+files_read_var_files(qemu_t)
-+files_search_all(qemu_t)
++	storage_raw_write_removable_device($1_t)
++	storage_raw_read_removable_device($1_t)
 +
-+fs_rw_anon_inodefs_files(qemu_t)
-+fs_rw_tmpfs_files(qemu_t)
++	term_use_ptmx($1_t)
++	term_getattr_pty_fs($1_t)
++	term_use_generic_ptys($1_t)
 +
-+storage_raw_write_removable_device(qemu_t)
-+storage_raw_read_removable_device(qemu_t)
++	libs_use_ld_so($1_t)
++	libs_use_shared_libs($1_t)
 +
-+term_use_ptmx(qemu_t)
-+term_getattr_pty_fs(qemu_t)
-+term_use_generic_ptys(qemu_t)
++	miscfiles_read_localization($1_t)
 +
-+libs_use_ld_so(qemu_t)
-+libs_use_shared_libs(qemu_t)
++	sysnet_read_config($1_t)
 +
-+miscfiles_read_localization(qemu_t)
++	virt_manage_image($1_t)
++	virt_read_config($1_t)
 +
-+sysnet_read_config(qemu_t)
++	optional_policy(`
++		xserver_stream_connect_xdm_xserver($1_t)
++		xserver_read_xdm_tmp_files($1_t)
++		xserver_xdm_rw_shm($1_t)
++	')
++')
 +
-+virt_manage_image(qemu_t)
-+virt_read_config(qemu_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.9/policy/modules/system/qemu.te
+--- nsaserefpolicy/policy/modules/system/qemu.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.9/policy/modules/system/qemu.te	2008-02-20 17:01:56.000000000 -0500
+@@ -0,0 +1,40 @@
++policy_module(qemu,1.0.0)
 +
-+optional_policy(`
-+	xserver_stream_connect_xdm_xserver(qemu_t)
-+	xserver_read_xdm_tmp_files(qemu_t)
-+	xserver_xdm_rw_shm(qemu_t)
++########################################
++#
++# Declarations
++#
++
++qemu_domain_template(qemu)
++type qemu_exec_t;
++application_domain(qemu_t, qemu_exec_t)
++role system_r types qemu_t;
++
++type qemu_unconfined_t;
++domain_type(qemu_unconfined_t)
++
++########################################
++#
++# qemu local policy
++#
++
++tunable_policy(`qemu_full_network',`
++	allow qemu_t self:udp_socket create_socket_perms;
++	corenet_udp_sendrecv_all_if(qemu_t)
++	corenet_udp_sendrecv_all_nodes(qemu_t)
++	corenet_udp_sendrecv_all_ports(qemu_t)
++	corenet_udp_bind_all_nodes(qemu_t)
++	corenet_udp_bind_all_ports(qemu_t)
++	corenet_tcp_bind_all_ports(qemu_t)
++	corenet_tcp_connect_all_ports(qemu_t)
 +')
 +
 +########################################
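Review bot: `tunable_policy(\`qemu_full_network\',` in qemu.te references a boolean that is not declared anywhere in the visible part of the file — the Declarations section above it has no `gen_tunable(qemu_full_network, false)`, and unless it is declared in a file this hunk does not show, the module will fail to build on the undeclared boolean. Add the declaration to the Declarations section, preceded by the refpolicy `## <desc>` / `## <p>` … `## </p>` / `## </desc>` comment block the policy documentation tooling expects, stating that the boolean lets qemu bind and connect to any TCP/UDP port instead of only the VNC port and tun/tap access the template grants by default: `gen_tunable(qemu_full_network, false)`. Keep the default off, because the block grants `corenet_tcp_connect_all_ports` and `corenet_udp_bind_all_ports` to every process in qemu_t. `qemu_domain_template` is complete within this hunk; the remainder of qemu.te continues past it.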
@@ -24330,6 +24359,7 @@
 +unconfined_domain_noaudit(qemu_unconfined_t)
 +allow qemu_unconfined_t self:process { execstack execmem };
 +
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.9/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.9/policy/modules/system/raid.te	2008-02-20 14:28:23.000000000 -0500
@@ -25815,7 +25845,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.9/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.2.9/policy/modules/system/userdomain.if	2008-02-20 14:28:23.000000000 -0500
++++ serefpolicy-3.2.9/policy/modules/system/userdomain.if	2008-02-20 15:39:23.000000000 -0500
 @@ -29,9 +29,14 @@
  	')
  
@@ -25864,7 +25894,7 @@
 -
 -	dev_dontaudit_getattr_all_blk_files($1_t)
 -	dev_dontaudit_getattr_all_chr_files($1_t)
-+	allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
++	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
 +	allow $1_usertype $1_usertype:fd use;
 +	allow $1_usertype $1_t:key { create view read write search link setattr };
 +
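Review bot: Adding `ptrace` to `allow $1_usertype $1_usertype:process { ... }` lets every domain carrying the `$1_usertype` attribute attach to every other one, not just to itself, which removes whatever separation existed between the user's derived application domains: a compromised process in one of them could read memory from or inject into the user's shell or any sibling domain (the set of types carrying the attribute is not visible in this hunk, so the blast radius is inferred). If the use case is a user debugging their own programs, a narrower grant such as `allow $1_t $1_usertype:process ptrace;` (base domain attaches to its apps, not the reverse) or gating the permission behind a tunable — the existing `allow_ptrace` boolean, if this policy declares it — would keep the default policy tight. At minimum the line needs a why-comment, e.g. `# ptrace: let the user's domains debug one another (gdb/strace on own processes)`. The enclosing template begins and ends outside this hunk.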



