rpms/selinux-policy/devel booleans-targeted.conf, 1.36, 1.37 policy-20071130.patch, 1.71, 1.72

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Feb 20 22:46:31 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15566

Modified Files:
	booleans-targeted.conf policy-20071130.patch 
Log Message:
* Wed Feb 20 2008 Dan Walsh <dwalsh at redhat.com> 3.2.9-1
- Fixes from yum-cron
- Update to latest upstream



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- booleans-targeted.conf	28 Jan 2008 16:48:49 -0000	1.36
+++ booleans-targeted.conf	20 Feb 2008 22:44:00 -0000	1.37
@@ -262,3 +262,7 @@
 # Allow common users to read/write noexattrfile systems
 # 
 user_rw_noexattrfile=true
+
+# Allow qemu to connect fully to the network
+# 
+allow_qemu_full_network=true
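Review bot: The added line turns `allow_qemu_full_network` on by default for the targeted policy, while the `gen_tunable` introduced in qemu.te by the same commit declares it `false`, so the two files disagree on the shipped default and the `tunable_policy` block in qemu.te is active out of the box on targeted systems. From the rules visible in this commit that block grants qemu_t UDP socket creation and UDP send/receive on all interfaces and nodes, which is a wider network surface for a guest-facing process than the upstream default. If the override is intended, the comment should record that it is a deliberate Fedora divergence, e.g. `# Allow qemu to connect fully to the network (targeted default: on; upstream tunable default: off)`; otherwise `allow_qemu_full_network=false` keeps the narrower policy until an administrator opts in.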

policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -r1.71 -r1.72
--- policy-20071130.patch	20 Feb 2008 22:12:36 -0000	1.71
+++ policy-20071130.patch	20 Feb 2008 22:44:00 -0000	1.72
@@ -1976,7 +1976,7 @@
 +/usr/lib(64)?/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.9/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.9/policy/modules/apps/gpg.if	2008-02-20 14:28:23.000000000 -0500
++++ serefpolicy-3.2.9/policy/modules/apps/gpg.if	2008-02-20 17:37:31.000000000 -0500
 @@ -38,6 +38,10 @@
  	gen_require(`
  		type gpg_exec_t, gpg_helper_exec_t;
@@ -1988,7 +1988,7 @@
  	')
  
  	########################################
-@@ -45,275 +49,53 @@
+@@ -45,275 +49,56 @@
  	# Declarations
  	#
  
@@ -2174,6 +2174,9 @@
 -	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 -	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 +	allow $2 gpg_t:process signal_perms;
++	# Thunderbird leaks descriptors
++	dontaudit gpg_t $2:tcp_socket rw_socket_perms;
++	dontaudit gpg_t $2:udp_socket rw_socket_perms;
  
 -	# allow gpg to connect to the gpg agent
 -	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
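Review bot: The two added `dontaudit` rules cover every caller domain `$2` of this interface, not only Thunderbird, so the comment `# Thunderbird leaks descriptors` understates their scope; `# Callers (e.g. Thunderbird) leak tcp/udp descriptors into gpg; silence those denials` would be accurate. Because `dontaudit` removes the AVC record while the access stays denied, any later attempt by gpg_t to use a caller's network socket will no longer show up in the audit log, which is worth noting for anyone debugging this domain. The enclosing interface body starts and ends outside the hunk.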
@@ -2294,8 +2297,8 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.9/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.9/policy/modules/apps/gpg.te	2008-02-20 14:28:23.000000000 -0500
-@@ -7,15 +7,232 @@
++++ serefpolicy-3.2.9/policy/modules/apps/gpg.te	2008-02-20 17:36:41.000000000 -0500
+@@ -7,15 +7,228 @@
  #
  
  # Type for gpg or pgp executables.
@@ -2373,6 +2376,8 @@
 +files_read_usr_files(gpg_t)
 +files_dontaudit_search_var(gpg_t)
 +
++auth_use_nsswitch(gpg_t)
++
 +libs_use_shared_libs(gpg_t)
 +libs_use_ld_so(gpg_t)
 +
@@ -2380,12 +2385,6 @@
 +
 +logging_send_syslog_msg(gpg_t)
 +
-+sysnet_read_config(gpg_t)
-+
-+optional_policy(`
-+	nis_use_ypbind(gpg_t)
-+')
-+
 +########################################
 +#
 +# GPG helper local policy
@@ -4848,7 +4847,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in	2008-02-20 14:28:23.000000000 -0500
++++ serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in	2008-02-20 17:15:58.000000000 -0500
 @@ -82,6 +82,7 @@
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@@ -4865,7 +4864,15 @@
  network_port(ftp_data, tcp,20,s0)
  network_port(ftp, tcp,21,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -122,6 +124,8 @@
+@@ -109,6 +111,7 @@
+ network_port(ircd, tcp,6667,s0)
+ network_port(isakmp, udp,500,s0)
+ network_port(iscsi, tcp,3260,s0)
++network_port(isns, tcp,3205,s0, udp,3205,s0)
+ network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+ network_port(jabber_interserver, tcp,5269,s0)
+ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
+@@ -122,6 +125,8 @@
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
@@ -4874,7 +4881,7 @@
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
  network_port(nessus, tcp,1241,s0)
-@@ -133,10 +137,12 @@
+@@ -133,10 +138,12 @@
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(postfix_policyd, tcp,10031,s0)
@@ -4887,7 +4894,7 @@
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pxe, udp,4011,s0)
-@@ -148,7 +154,7 @@
+@@ -148,7 +155,7 @@
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -4896,7 +4903,7 @@
  network_port(rsh, tcp,514,s0)
  network_port(rsync, tcp,873,s0, udp,873,s0)
  network_port(rwho, udp,513,s0)
-@@ -170,7 +176,11 @@
+@@ -170,7 +177,11 @@
  network_port(transproxy, tcp,8081,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -20054,7 +20061,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.9/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.9/policy/modules/services/squid.te	2008-02-20 16:57:35.000000000 -0500
++++ serefpolicy-3.2.9/policy/modules/services/squid.te	2008-02-20 17:25:10.000000000 -0500
 @@ -31,12 +31,15 @@
  type squid_var_run_t;
  files_pid_file(squid_var_run_t)
@@ -22960,6 +22967,17 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.2.9/policy/modules/system/iscsi.te
+--- nsaserefpolicy/policy/modules/system/iscsi.te	2008-02-18 14:30:18.000000000 -0500
++++ serefpolicy-3.2.9/policy/modules/system/iscsi.te	2008-02-20 17:17:56.000000000 -0500
+@@ -63,6 +63,7 @@
+ corenet_tcp_sendrecv_all_ports(iscsid_t)
+ corenet_tcp_connect_http_port(iscsid_t)
+ corenet_tcp_connect_iscsi_port(iscsid_t)
++corenet_tcp_connect_isns_port(iscsid_t)
+ 
+ dev_rw_sysfs(iscsid_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.9/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-12-12 11:35:28.000000000 -0500
 +++ serefpolicy-3.2.9/policy/modules/system/libraries.fc	2008-02-20 14:28:23.000000000 -0500
@@ -24318,10 +24336,17 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.9/policy/modules/system/qemu.te
 --- nsaserefpolicy/policy/modules/system/qemu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.9/policy/modules/system/qemu.te	2008-02-20 17:01:56.000000000 -0500
-@@ -0,0 +1,40 @@
++++ serefpolicy-3.2.9/policy/modules/system/qemu.te	2008-02-20 17:27:29.000000000 -0500
+@@ -0,0 +1,47 @@
 +policy_module(qemu,1.0.0)
 +
++## <desc>
++## <p>
++## Allow qemu to connect fully to the network
++## </p>
++## </desc>
++gen_tunable(allow_qemu_full_network,false)
++
 +########################################
 +#
 +# Declarations
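Review bot: The `<desc>` text `Allow qemu to connect fully to the network` does not say what the tunable grants, and this text is what administrators see when deciding whether to enable it. From the `tunable_policy` block visible in the next hunk it at least includes `udp_socket create_socket_perms` plus UDP send/receive on all interfaces and nodes, so a description such as `Allow qemu to create UDP sockets and send/receive on all network interfaces and nodes` would be more informative; the block continues past the hunk, so check it for further rules before fixing the wording.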
@@ -24340,7 +24365,7 @@
 +# qemu local policy
 +#
 +
-+tunable_policy(`qemu_full_network',`
++tunable_policy(`allow_qemu_full_network',`
 +	allow qemu_t self:udp_socket create_socket_perms;
 +	corenet_udp_sendrecv_all_if(qemu_t)
 +	corenet_udp_sendrecv_all_nodes(qemu_t)



