rpms/selinux-policy/devel booleans-targeted.conf, 1.37, 1.38 policy-20071130.patch, 1.81, 1.82 selinux-policy.spec, 1.619, 1.620
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Feb 28 04:36:31 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6297
Modified Files:
booleans-targeted.conf policy-20071130.patch
selinux-policy.spec
Log Message:
* Wed Feb 27 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-6
- Prepare policy for beta release
- Change some of the system domains back to unconfined
- Turn on some of the booleans
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- booleans-targeted.conf 20 Feb 2008 22:44:00 -0000 1.37
+++ booleans-targeted.conf 28 Feb 2008 04:35:56 -0000 1.38
@@ -1,14 +1,14 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
-allow_execmem = false
+allow_execmem = true
# Allow making a modified private filemapping executable (text relocation).
#
-allow_execmod = false
+allow_execmod = true
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = false
+allow_execstack = true
# Allow ftpd to read cifs directories.
#
@@ -266,3 +266,11 @@
# Allow qemu to connect fully to the network
#
allow_qemu_full_network=true
+
+# Allow nsplugin execmem/execstack for bad plugins
+#
+allow_nsplugin_execmem=true
+
+# Allow unconfined domain to transition to confined domain
+#
+allow_unconfined_nsplugin_transition=true
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.81
retrieving revision 1.82
diff -u -r1.81 -r1.82
--- policy-20071130.patch 28 Feb 2008 03:32:23 -0000 1.81
+++ policy-20071130.patch 28 Feb 2008 04:35:56 -0000 1.82
@@ -1363,6 +1363,17 @@
kudzu_domtrans(anaconda_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.3.1/policy/modules/admin/bootloader.te
+--- nsaserefpolicy/policy/modules/admin/bootloader.te 2007-12-19 05:32:18.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/bootloader.te 2008-02-27 23:26:17.000000000 -0500
+@@ -215,3 +215,7 @@
+ userdom_dontaudit_search_staff_home_dirs(bootloader_t)
+ userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+ ')
++
++optional_policy(`
++ unconfined_domain(bootloader_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.3.1/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-02-18 14:30:19.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/admin/consoletype.te 2008-02-26 08:29:22.000000000 -0500
@@ -22686,7 +22697,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-27 18:04:08.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-27 23:02:25.000000000 -0500
@@ -15,6 +15,11 @@
template(`xserver_common_domain_template',`
gen_require(`
@@ -23412,7 +23423,7 @@
+ allow $3 xselection_type:x_selection *;
+ allow $3 x_domain:x_cursor *;
+ allow $3 { x_domain remote_xclient_t }:x_client *;
-+ allow $3 { x_domain x_server_domain }:x_device ~{ read };
++ allow $3 { x_domain x_server_domain }:x_device *;
+ allow $3 xextension_type:x_extension *;
+ allow $3 { x_domain x_server_domain }:x_resource *;
+ allow $3 xevent_type:{ x_event x_synthetic_event } *;
@@ -23886,7 +23897,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-27 18:04:32.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-27 23:17:59.000000000 -0500
@@ -16,21 +16,79 @@
## <desc>
@@ -24207,17 +24218,18 @@
seutil_sigchld_newrole(xdm_t)
')
-@@ -343,8 +482,8 @@
+@@ -343,8 +482,9 @@
')
optional_policy(`
- unconfined_domain(xdm_t)
++ unconfined_domain(xdm_xserver_t)
unconfined_domtrans(xdm_t)
+ unconfined_signal(xdm_t)
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -380,7 +519,7 @@
+@@ -380,7 +520,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -24226,7 +24238,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +531,15 @@
+@@ -392,6 +532,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -24242,7 +24254,7 @@
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -404,9 +552,17 @@
+@@ -404,9 +553,17 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -24260,7 +24272,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +576,22 @@
+@@ -420,6 +577,22 @@
')
optional_policy(`
@@ -24283,7 +24295,7 @@
resmgr_stream_connect(xdm_t)
')
-@@ -429,47 +601,125 @@
+@@ -429,47 +602,125 @@
')
optional_policy(`
@@ -24924,7 +24936,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.3.1/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2008-02-18 14:30:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/fstools.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/fstools.te 2008-02-27 23:25:29.000000000 -0500
@@ -97,6 +97,10 @@
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
@@ -24936,13 +24948,16 @@
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)
-@@ -184,4 +188,6 @@
+@@ -184,4 +188,9 @@
optional_policy(`
xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t)
- ')
++')
+
++optional_policy(`
++ unconfined_domain(fsadm_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.3.1/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2008-02-18 14:30:18.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/hostname.te 2008-02-26 08:29:22.000000000 -0500
@@ -26117,7 +26132,7 @@
+#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-02-27 23:23:39.000000000 -0500
@@ -44,9 +44,9 @@
# Cluster LVM daemon local policy
#
@@ -26248,7 +26263,7 @@
ifdef(`distro_redhat',`
# this is from the initrd:
files_rw_isid_type_dirs(lvm_t)
-@@ -289,5 +310,14 @@
+@@ -289,5 +310,18 @@
')
optional_policy(`
@@ -26260,6 +26275,10 @@
')
+
+optional_policy(`
++ unconfined_domain(lvm_t)
++')
++
++optional_policy(`
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')
@@ -27818,7 +27837,7 @@
xen_append_log(ifconfig_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.3.1/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/udev.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/udev.te 2008-02-27 23:28:08.000000000 -0500
@@ -83,6 +83,7 @@
kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
@@ -27864,6 +27883,16 @@
consoletype_exec(udev_t)
')
+@@ -240,5 +244,9 @@
+ ')
+
+ optional_policy(`
++ unconfined_domain(udev_t)
++')
++
++optional_policy(`
+ xserver_read_xdm_pid(udev_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-02-26 08:29:22.000000000 -0500
@@ -32047,7 +32076,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.3.1/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-02-27 23:16:46.000000000 -0500
@@ -6,6 +6,13 @@
# Declarations
#
@@ -32211,7 +32240,7 @@
init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t)
-@@ -363,6 +375,19 @@
+@@ -363,6 +375,23 @@
sysnet_read_config(xm_t)
@@ -32231,6 +32260,10 @@
+ fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t)
+')
++
++optional_policy(`
++ unconfined_domain(xend_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.3.1/policy/modules/users/auditadm.fc
--- nsaserefpolicy/policy/modules/users/auditadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/users/auditadm.fc 2008-02-26 08:29:22.000000000 -0500
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.619
retrieving revision 1.620
diff -u -r1.619 -r1.620
--- selinux-policy.spec 28 Feb 2008 03:32:23 -0000 1.619
+++ selinux-policy.spec 28 Feb 2008 04:35:56 -0000 1.620
@@ -388,6 +388,11 @@
%endif
%changelog
+* Wed Feb 27 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-6
+- Prepare policy for beta release
+- Change some of the system domains back to unconfined
+- Turn on some of the booleans
+
* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-5
- Allow nsplugin_config execstack/execmem
- Allow nsplugin_t to read alsa config
@@ -396,7 +401,6 @@
* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-4
- Add cyphesis policy
-
* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-2
- Fix Makefile.devel to build mls modules
- Fix qemu to be more specific on labeling
More information about the fedora-extras-commits
mailing list