rpms/selinux-policy/devel policy-20071130.patch, 1.76, 1.77 selinux-policy.spec, 1.616, 1.617
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Feb 26 19:25:08 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23003
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-3
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- policy-20071130.patch 26 Feb 2008 16:14:59 -0000 1.76
+++ policy-20071130.patch 26 Feb 2008 19:24:53 -0000 1.77
@@ -5996,7 +5996,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-02-26 13:48:22.000000000 -0500
@@ -7,11 +7,11 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -6032,7 +6032,19 @@
/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -127,6 +135,8 @@
+@@ -99,11 +107,6 @@
+ /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
+-ifdef(`distro_redhat',`
+-/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
+-/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
+-')
+-
+ #
+ # /sbin
+ #
+@@ -127,6 +130,8 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -6041,7 +6053,7 @@
#
# /usr
#
-@@ -144,10 +154,7 @@
+@@ -144,10 +149,7 @@
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -6053,7 +6065,7 @@
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
-@@ -178,6 +185,8 @@
+@@ -178,6 +180,8 @@
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -6062,7 +6074,7 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -185,8 +194,12 @@
+@@ -185,8 +189,12 @@
/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -6075,7 +6087,7 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +297,10 @@
+@@ -284,3 +292,10 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -6088,7 +6100,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.3.1/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if 2008-02-26 11:58:10.000000000 -0500
@@ -875,6 +875,7 @@
read_lnk_files_pattern($1,bin_t,bin_t)
@@ -6199,7 +6211,7 @@
network_port(xen, tcp,8002,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.3.1/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-02-26 14:17:28.000000000 -0500
@@ -1,7 +1,7 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
@@ -6209,7 +6221,7 @@
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -12,32 +12,45 @@
+@@ -12,42 +12,58 @@
/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -6255,7 +6267,12 @@
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -48,6 +61,7 @@
+ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
++/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+ /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
@@ -6263,7 +6280,7 @@
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
-@@ -69,9 +83,8 @@
+@@ -69,9 +85,8 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
@@ -6275,7 +6292,15 @@
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -98,13 +111,23 @@
+@@ -91,6 +106,7 @@
+
+ /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+
++/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+ /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
+
+@@ -98,13 +114,23 @@
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
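Review bot: `/dev/cpu_dma_latency` is labelled `netcontrol_device_t` in the devices.fc hunk at `@@ -91,6 +106,7 @@`, the same type this commit gives to `/dev/network_latency` and `/dev/network_throughput`, although it is not a network node. Any domain later granted `dev_rw_netcontrol` would therefore also be able to write the CPU DMA latency node, which is easy to miss from the type name alone. These three look like the kernel's PM QoS request devices, so a type name that covers all of them would be clearer. At minimum the devices.te comment `# network control devices` could become `# PM QoS request devices: cpu_dma_latency, network_latency, network_throughput`.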
@@ -6299,9 +6324,14 @@
/dev/pts(/.*)? <<none>>
+@@ -134,3 +160,4 @@
+ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
+ /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-02-26 14:19:56.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -6476,7 +6506,7 @@
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -3322,3 +3452,96 @@
+@@ -3322,3 +3452,150 @@
typeattribute $1 devices_unconfined_type;
')
@@ -6573,9 +6603,63 @@
+ rw_chr_files_pattern($1,device_t,autofs_device_t)
+')
+
++########################################
++## <summary>
++## Get the attributes of the network control device
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_getattr_netcontrol',`
++ gen_require(`
++ type device_t, netcontrol_device_t;
++ ')
++
++ getattr_chr_files_pattern($1,device_t,netcontrol_device_t)
++')
++
++########################################
++## <summary>
++## Read the network control identity.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_netcontrol',`
++ gen_require(`
++ type device_t, netcontrol_device_t;
++ ')
++
++ read_chr_files_pattern($1,device_t,netcontrol_device_t)
++')
++
++########################################
++## <summary>
++## Read and write the the network control device.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_netcontrol',`
++ gen_require(`
++ type device_t, netcontrol_device_t;
++ ')
++
++ rw_chr_files_pattern($1,device_t,netcontrol_device_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.3.1/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.te 2008-02-26 14:16:11.000000000 -0500
@@ -32,6 +32,12 @@
type apm_bios_t;
dev_node(apm_bios_t)
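Review bot: Two of the three new netcontrol interface summaries have copy-paste errors: `dev_read_netcontrol` says `Read the network control identity.` and `dev_rw_netcontrol` says `Read and write the the network control device.`. Suggested wording is `Read the network control device.` and `Read and write the network control device.`. These `##` summaries are what a policy author reads when choosing between getattr, read and rw access, so they should name the object and the access accurately.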
@@ -6589,7 +6673,20 @@
type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)
-@@ -66,12 +72,25 @@
+@@ -49,6 +55,12 @@
+ type cpu_device_t;
+ dev_node(cpu_device_t)
+
++#
++# network control devices
++#
++type netcontrol_device_t;
++dev_node(netcontrol_device_t)
++
+ # for the IBM zSeries z90crypt hardware ssl accelorator
+ type crypt_device_t;
+ dev_node(crypt_device_t)
+@@ -66,12 +78,25 @@
dev_node(framebuf_device_t)
#
@@ -9396,7 +9493,7 @@
+/etc/rc.d/init.d/canna -- gen_context(system_u:object_r:canna_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.if serefpolicy-3.3.1/policy/modules/services/canna.if
--- nsaserefpolicy/policy/modules/services/canna.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/canna.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/canna.if 2008-02-26 11:51:53.000000000 -0500
@@ -18,3 +18,74 @@
files_search_pids($1)
stream_connect_pattern($1,canna_var_run_t,canna_var_run_t,canna_t)
@@ -11210,9 +11307,22 @@
########################################
#
# Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.3.1/policy/modules/services/dbus.fc
+--- nsaserefpolicy/policy/modules/services/dbus.fc 2007-09-12 10:34:18.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dbus.fc 2008-02-26 11:48:35.000000000 -0500
+@@ -4,6 +4,9 @@
+ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+ /bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+
++/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
++/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
++
+ /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+
+ /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-02-26 12:56:03.000000000 -0500
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
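Review bot: Labelling `dbus-daemon-launch-helper` as `system_dbusd_exec_t` in the new dbus.fc section gives the helper the same executable type as the bus daemon. The dbus.te hunk at `@@ -43,6 +56,8 @@` then adds `can_exec(system_dbusd_t,system_dbusd_exec_t)`, so the helper runs inside `system_dbusd_t` with no transition. Every permission needed to start activated services then has to be granted to the daemon's own domain, and any rule keyed on `system_dbusd_exec_t` now applies to the helper binary too. A dedicated exec type and domain for the helper would keep the two separable. If sharing is deliberate, a comment above the two file-context lines such as `# launch helper intentionally runs in system_dbusd_t (see can_exec in dbus.te)` would record that.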
@@ -11266,6 +11376,16 @@
allow $1_dbusd_t $2:process sigkill;
allow $2 $1_dbusd_t:fd use;
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+@@ -115,8 +117,8 @@
+ kernel_read_kernel_sysctls($1_dbusd_t)
+
+ corecmd_list_bin($1_dbusd_t)
+- corecmd_read_bin_symlinks($1_dbusd_t)
+ corecmd_read_bin_files($1_dbusd_t)
++ corecmd_read_bin_symlinks($1_dbusd_t)
+ corecmd_read_bin_pipes($1_dbusd_t)
+ corecmd_read_bin_sockets($1_dbusd_t)
+
@@ -139,6 +141,7 @@
fs_getattr_romfs($1_dbusd_t)
@@ -11472,7 +11592,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-02-26 10:53:25.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-02-26 14:09:20.000000000 -0500
@@ -9,6 +9,7 @@
#
# Delcarations
@@ -11515,7 +11635,16 @@
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -65,6 +78,7 @@
+@@ -43,6 +56,8 @@
+ # Receive notifications of policy reloads and enforcing status changes.
+ allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+
++can_exec(system_dbusd_t,system_dbusd_exec_t)
++
+ allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+ read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+@@ -65,6 +80,7 @@
fs_getattr_all_fs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
@@ -11523,15 +11652,24 @@
selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
-@@ -91,6 +105,7 @@
+@@ -81,7 +97,6 @@
+ corecmd_list_bin(system_dbusd_t)
+ corecmd_read_bin_pipes(system_dbusd_t)
+ corecmd_read_bin_sockets(system_dbusd_t)
+-corecmd_exec_bin(system_dbusd_t)
+
+ domain_use_interactive_fds(system_dbusd_t)
+
+@@ -91,6 +106,8 @@
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
-+init_domtrans_script(system_dbusd_t)
++init_dbus_chat_script(system_dbusd_t)
++init_bin_domtrans_spec(system_dbusd_t)
libs_use_ld_so(system_dbusd_t)
libs_use_shared_libs(system_dbusd_t)
-@@ -121,9 +136,20 @@
+@@ -121,9 +138,20 @@
')
optional_policy(`
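Review bot: `init_bin_domtrans_spec(system_dbusd_t)` is broader than the `init_domtrans_script(system_dbusd_t)` call it replaces in the `@@ -91,6 +106,8 @@` hunk of dbus.te. The interface added to init.if in this same commit expands to `corecmd_bin_domtrans($1, initrc_t)`, so any `bin_t` program that `system_dbusd_t` executes would enter `initrc_t`. A bus-activated program with no policy of its own presumably ends up in the init-script domain rather than being denied. If this is a stop-gap for service activation, a comment above the call should say so. Explicit domain transitions for the services known to be activated would bound what can reach `initrc_t` this way.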
@@ -12300,24 +12438,21 @@
+/etc/rc.d/init.d/dovecot -- gen_context(system_u:object_r:dovecot_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.3.1/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dovecot.if 2008-02-26 10:29:56.000000000 -0500
-@@ -21,14 +21,53 @@
++++ serefpolicy-3.3.1/policy/modules/services/dovecot.if 2008-02-26 13:09:21.000000000 -0500
+@@ -21,7 +21,46 @@
########################################
## <summary>
-## Do not audit attempts to delete dovecot lib files.
+## Connect to dovecot auth unix domain stream socket.
- ## </summary>
- ## <param name="domain">
--## <summary>
--## Domain to not audit.
--## </summary>
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
- ## </param>
++## </param>
+## <rolecap/>
- #
++#
+interface(`dovecot_auth_stream_connect',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
@@ -12346,19 +12481,12 @@
+ domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t)
+')
+
-+########################################
-+### <summary>
-+### Do not audit attempts to delete dovecot lib files.
-+### </summary>
-+### <param name="domain">
-+### <summary>
-+### Domain to not audit.
-+### </summary>
-+### </param>
-+##
- interface(`dovecot_dontaudit_unlink_lib_files',`
- gen_require(`
- type dovecot_var_lib_t;
++#######################################
++## <summary>
++## Do not audit attempts to d`elete dovecot lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
@@ -36,3 +75,89 @@
dontaudit $1 dovecot_var_lib_t:file unlink;
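Review bot: The re-added summary for `dovecot_dontaudit_unlink_lib_files` has a stray backquote inside the word "delete" (it reads d, backquote, elete). The separator line above it is also one `#` shorter than the other interface headers in the file. The backquote is m4's opening quote character; inside a `##` comment it is probably inert, but it will show up in the generated interface documentation and is fragile if the line is ever moved into a quoted body. The summary should read `## Do not audit attempts to delete dovecot lib files.`.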
@@ -15398,11 +15526,12 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-02-26 08:29:22.000000000 -0500
-@@ -1,7 +1,9 @@
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-02-26 14:08:24.000000000 -0500
+@@ -1,7 +1,10 @@
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
@@ -24225,7 +24354,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-02-26 13:19:58.000000000 -0500
@@ -99,7 +99,7 @@
template(`authlogin_per_role_template',`
@@ -24271,7 +24400,7 @@
# for SSP/ProPolice
dev_read_urand($1)
# for fingerprint readers
-@@ -226,6 +242,31 @@
+@@ -226,6 +242,33 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -24288,6 +24417,8 @@
+ ')
+
+ optional_policy(`
++ corecmd_exec_bin($1)
++ storage_getattr_fixed_disk_dev($1)
+ mount_domtrans($1)
+ ')
+
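Review bot: `corecmd_exec_bin($1)` and `storage_getattr_fixed_disk_dev($1)` are added inside the `optional_policy` block that holds `mount_domtrans($1)`, with no comment saying which caller needs them. `corecmd_exec_bin` lets every domain that uses this interface run any `bin_t` program in its own domain, a broad grant for what appears to be a login/authentication interface. That reading is inferred from the file name authlogin.if, since the enclosing interface starts outside the hunk. A why-comment above the two lines, for example `# needed by <PAM module or helper: placeholder> to prepare mounts at login`, would make the grant reviewable. If only the mount program has to run, `mount_domtrans($1)` may already be sufficient.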
@@ -24303,7 +24434,7 @@
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
-@@ -342,6 +383,8 @@
+@@ -342,6 +385,8 @@
optional_policy(`
kerberos_use($1)
@@ -24312,7 +24443,7 @@
')
optional_policy(`
-@@ -356,6 +399,28 @@
+@@ -356,6 +401,28 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -24341,7 +24472,7 @@
')
########################################
-@@ -369,12 +434,12 @@
+@@ -369,12 +436,12 @@
## </param>
## <param name="role">
## <summary>
@@ -24356,7 +24487,7 @@
## </summary>
## </param>
#
-@@ -386,6 +451,7 @@
+@@ -386,6 +453,7 @@
auth_domtrans_chk_passwd($1)
role $2 types system_chkpwd_t;
allow system_chkpwd_t $3:chr_file rw_file_perms;
@@ -24364,7 +24495,7 @@
')
########################################
-@@ -1457,6 +1523,7 @@
+@@ -1457,6 +1525,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
@@ -24372,7 +24503,7 @@
')
')
-@@ -1491,3 +1558,23 @@
+@@ -1491,3 +1560,23 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -24554,7 +24685,7 @@
-
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-02-26 10:48:51.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-02-26 14:08:51.000000000 -0500
@@ -211,6 +211,13 @@
kernel_dontaudit_use_fds($1)
')
@@ -24607,26 +24738,23 @@
')
')
-@@ -567,18 +575,46 @@
+@@ -567,23 +575,70 @@
#
interface(`init_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute initscript;
- ')
-
- files_list_etc($1)
-- domtrans_pattern($1,initrc_exec_t,initrc_t)
++ ')
++
++ files_list_etc($1)
+ domtrans_pattern($1,initscript,initrc_t)
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
++
++ ifdef(`enable_mcs',`
+ range_transition $1 initscript:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ ')
++
++ ifdef(`enable_mls',`
+ range_transition $1 initscript:process s0 - mls_systemhigh;
+ ')
+')
@@ -24644,21 +24772,48 @@
+interface(`init_script_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
-+ ')
-+
-+ files_list_etc($1)
+ ')
+
+ files_list_etc($1)
+- domtrans_pattern($1,initrc_exec_t,initrc_t)
+ domtrans_pattern($1,$2,initrc_t)
-+
-+ ifdef(`enable_mcs',`
+
+ ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 $2:process s0;
-+ ')
-+
-+ ifdef(`enable_mls',`
+ ')
+
+ ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 $2:process s0 - mls_systemhigh;
')
')
-@@ -609,11 +645,11 @@
+ ########################################
+ ## <summary>
++## Execute a file in a bin directory
++## in the initrc_t domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_bin_domtrans_spec',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ corecmd_bin_domtrans($1, initrc_t)
++')
++
++########################################
++## <summary>
+ ## Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -609,11 +664,11 @@
# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
gen_require(`
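Review bot: `init_bin_domtrans_spec` carries the `_spec` suffix but takes only `$1`, so the name implies a caller-specified entry type that does not exist. `init_script_domtrans_spec`, just above it in the same init.if hunk, does use `$2` for that purpose. The summary `Execute a file in a bin directory in the initrc_t domain` also reads as if it covers one file, while the body `corecmd_bin_domtrans($1, initrc_t)` sets up the transition for the bin type as a whole. Consider the name `init_bin_domtrans` and a summary such as `Execute any bin_t file with a domain transition to initrc_t.`. The outer hunk mostly realigns existing patch lines; only this interface is new.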
@@ -24672,7 +24827,7 @@
')
########################################
-@@ -684,11 +720,11 @@
+@@ -684,11 +739,11 @@
#
interface(`init_getattr_script_files',`
gen_require(`
@@ -24686,7 +24841,7 @@
')
########################################
-@@ -703,11 +739,11 @@
+@@ -703,11 +758,11 @@
#
interface(`init_exec_script_files',`
gen_require(`
@@ -24700,7 +24855,7 @@
')
########################################
-@@ -931,6 +967,7 @@
+@@ -931,6 +986,7 @@
dontaudit $1 initrc_t:unix_stream_socket connectto;
')
@@ -24708,7 +24863,7 @@
########################################
## <summary>
## Send messages to init scripts over dbus.
-@@ -1030,11 +1067,11 @@
+@@ -1030,11 +1086,11 @@
#
interface(`init_read_script_files',`
gen_require(`
@@ -24722,7 +24877,7 @@
')
########################################
-@@ -1097,6 +1134,25 @@
+@@ -1097,6 +1153,25 @@
########################################
## <summary>
@@ -24748,7 +24903,7 @@
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1252,7 +1308,7 @@
+@@ -1252,7 +1327,7 @@
type initrc_var_run_t;
')
@@ -24757,7 +24912,7 @@
')
########################################
-@@ -1273,3 +1329,112 @@
+@@ -1273,3 +1348,114 @@
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
')
@@ -24870,6 +25025,8 @@
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
+')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-02-26 10:49:22.000000000 -0500
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.616
retrieving revision 1.617
diff -u -r1.616 -r1.617
--- selinux-policy.spec 26 Feb 2008 16:15:00 -0000 1.616
+++ selinux-policy.spec 26 Feb 2008 19:24:53 -0000 1.617
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -388,8 +388,12 @@
%endif
%changelog
+* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-3
+
* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-2
--
+- Fix Makefile.devel to build mls modules
+- Fix qemu to be more specific on labeling
+
* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-1
- Update to upstream fixes