rpms/selinux-policy/devel booleans-targeted.conf, 1.37, 1.38 policy-20071130.patch, 1.81, 1.82 selinux-policy.spec, 1.619, 1.620

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Feb 28 04:36:31 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6297

Modified Files:
	booleans-targeted.conf policy-20071130.patch 
	selinux-policy.spec 
Log Message:
* Wed Feb 27 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-6
- Prepare policy for beta release
- Change some of the system domains back to unconfined
- Turn on some of the booleans



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- booleans-targeted.conf	20 Feb 2008 22:44:00 -0000	1.37
+++ booleans-targeted.conf	28 Feb 2008 04:35:56 -0000	1.38
@@ -1,14 +1,14 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
-allow_execmem = false
+allow_execmem = true
 
 # Allow making a modified private filemapping executable (text relocation).
 # 
-allow_execmod = false
+allow_execmod = true
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = false
+allow_execstack = true
 
 # Allow ftpd to read cifs directories.
 # 
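Review bot: Flipping `allow_execmem`, `allow_execmod` and `allow_execstack` to `true` disables the default memory-execution checks for every domain that honours these booleans, and nothing in the file records why the targeted default now differs from `false`. A one-line note above the first of them, e.g. `# Enabled by default in targeted policy for the 3.3.1-6 beta; see changelog`, would tell the next maintainer whether this is meant to be temporary. The accompanying descriptions on the untouched context lines also read `e.g.for` and `mprotect.Also` (missing spaces) and could be fixed while this block is being edited.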
@@ -266,3 +266,11 @@
 # Allow qemu to connect fully to the network
 # 
 allow_qemu_full_network=true
+
+# Allow nsplugin execmem/execstack for bad plugins
+# 
+allow_nsplugin_execmem=true
+
+# Allow unconfined domain to transition to confined domain
+# 
+allow_unconfined_nsplugin_transition=true
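Review bot: The description of `allow_unconfined_nsplugin_transition` says "transition to confined domain" without naming the domain, although the boolean name itself does; `# Allow the unconfined domain to transition to the confined nsplugin domain` would make it self-explanatory. The two new entries are also written `name=true` while the top of the file uses `name = true`; since `allow_qemu_full_network=true` just above already uses the compact form, whichever spelling is meant as canonical should be applied consistently.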

policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.81
retrieving revision 1.82
diff -u -r1.81 -r1.82
--- policy-20071130.patch	28 Feb 2008 03:32:23 -0000	1.81
+++ policy-20071130.patch	28 Feb 2008 04:35:56 -0000	1.82
@@ -1363,6 +1363,17 @@
  	kudzu_domtrans(anaconda_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.3.1/policy/modules/admin/bootloader.te
+--- nsaserefpolicy/policy/modules/admin/bootloader.te	2007-12-19 05:32:18.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/bootloader.te	2008-02-27 23:26:17.000000000 -0500
+@@ -215,3 +215,7 @@
+ 	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
+ 	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+ ')
++
++optional_policy(`
++	unconfined_domain(bootloader_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.3.1/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2008-02-18 14:30:19.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/admin/consoletype.te	2008-02-26 08:29:22.000000000 -0500
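Review bot: The new `unconfined_domain(bootloader_t)` block carries no comment explaining why this domain is being returned to unconfined, and the same bare pattern is added for `fsadm_t`, `lvm_t`, `udev_t` and `xend_t` in the later hunks of this file. Each of these calls removes all of the confinement the rest of that module still spells out, so a reader of the `.te` file alone cannot tell that the rest of the rules are now effectively dead for the targeted build; a short comment above each block, e.g. `# temporarily unconfined for the 3.3.1 beta (see spec changelog 3.3.1-6)`, would record the intent and make it easy to find and revert these later. For `fsadm_t` the hunk also folds the new block into the existing `xen_append_log` optional_policy by moving its closing `')`; splitting it into its own block, as is done for the other four domains, would keep the diff minimal and the blocks independent.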
@@ -22686,7 +22697,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-02-27 18:04:08.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-02-27 23:02:25.000000000 -0500
 @@ -15,6 +15,11 @@
  template(`xserver_common_domain_template',`
  	gen_require(`
@@ -23412,7 +23423,7 @@
 +		allow $3 xselection_type:x_selection *;
 +		allow $3 x_domain:x_cursor *;
 +		allow $3 { x_domain remote_xclient_t }:x_client *;
-+		allow $3 { x_domain x_server_domain }:x_device ~{ read };
++		allow $3 { x_domain x_server_domain }:x_device *;
 +		allow $3 xextension_type:x_extension *;
 +		allow $3 { x_domain x_server_domain }:x_resource *;
 +		allow $3 xevent_type:{ x_event x_synthetic_event } *;
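Review bot: Replacing `~{ read }` with `*` on the `x_device` rule grants the template's `$3` every permission on input devices, including the one the previous rule deliberately excluded, and no comment in the hunk says which denial motivated the widening. If it is intended, a one-line comment above the rule naming the use case would stop the next reader from reinstating the exclusion; otherwise `allow $3 { x_domain x_server_domain }:x_device ~{ read };` should be restored. The template body continues outside the hunk on both sides.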
@@ -23886,7 +23897,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-02-27 18:04:32.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-02-27 23:17:59.000000000 -0500
 @@ -16,21 +16,79 @@
  
  ## <desc>
@@ -24207,17 +24218,18 @@
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -343,8 +482,8 @@
+@@ -343,8 +482,9 @@
  ')
  
  optional_policy(`
 -	unconfined_domain(xdm_t)
++	unconfined_domain(xdm_xserver_t)
  	unconfined_domtrans(xdm_t)
 +	unconfined_signal(xdm_t)
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +519,7 @@
+@@ -380,7 +520,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -24226,7 +24238,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +531,15 @@
+@@ -392,6 +532,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -24242,7 +24254,7 @@
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,9 +552,17 @@
+@@ -404,9 +553,17 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -24260,7 +24272,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +576,22 @@
+@@ -420,6 +577,22 @@
  ')
  
  optional_policy(`
@@ -24283,7 +24295,7 @@
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +601,125 @@
+@@ -429,47 +602,125 @@
  ')
  
  optional_policy(`
@@ -24924,7 +24936,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.3.1/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2008-02-18 14:30:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/fstools.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/fstools.te	2008-02-27 23:25:29.000000000 -0500
 @@ -97,6 +97,10 @@
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
@@ -24936,13 +24948,16 @@
  mls_file_read_all_levels(fsadm_t)
  mls_file_write_all_levels(fsadm_t)
  
-@@ -184,4 +188,6 @@
+@@ -184,4 +188,9 @@
  
  optional_policy(`
  	xen_append_log(fsadm_t)
 +	xen_rw_image_files(fsadm_t)
- ')
++')
 +
++optional_policy(`
++	unconfined_domain(fsadm_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.3.1/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2008-02-18 14:30:18.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/hostname.te	2008-02-26 08:29:22.000000000 -0500
@@ -26117,7 +26132,7 @@
 +#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-02-27 23:23:39.000000000 -0500
 @@ -44,9 +44,9 @@
  # Cluster LVM daemon local policy
  #
@@ -26248,7 +26263,7 @@
  ifdef(`distro_redhat',`
  	# this is from the initrd:
  	files_rw_isid_type_dirs(lvm_t)
-@@ -289,5 +310,14 @@
+@@ -289,5 +310,18 @@
  ')
  
  optional_policy(`
@@ -26260,6 +26275,10 @@
  ')
 +
 +optional_policy(`
++	unconfined_domain(lvm_t)
++')
++
++optional_policy(`
 +	xen_append_log(lvm_t)
 +	xen_dontaudit_rw_unix_stream_sockets(lvm_t)
 +')
@@ -27818,7 +27837,7 @@
  	xen_append_log(ifconfig_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.3.1/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/udev.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/udev.te	2008-02-27 23:28:08.000000000 -0500
 @@ -83,6 +83,7 @@
  kernel_rw_unix_dgram_sockets(udev_t)
  kernel_dgram_send(udev_t)
@@ -27864,6 +27883,16 @@
  	consoletype_exec(udev_t)
  ')
  
+@@ -240,5 +244,9 @@
+ ')
+ 
+ optional_policy(`
++	unconfined_domain(udev_t)
++')
++
++optional_policy(`
+ 	xserver_read_xdm_pid(udev_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-12-12 11:35:28.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc	2008-02-26 08:29:22.000000000 -0500
@@ -32047,7 +32076,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.3.1/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/xen.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/xen.te	2008-02-27 23:16:46.000000000 -0500
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -32211,7 +32240,7 @@
  init_rw_script_stream_sockets(xm_t)
  init_use_fds(xm_t)
  
-@@ -363,6 +375,19 @@
+@@ -363,6 +375,23 @@
  
  sysnet_read_config(xm_t)
  
@@ -32231,6 +32260,10 @@
 +	fs_manage_nfs_files(xend_t)
 +	fs_read_nfs_symlinks(xend_t)
 +')
++
++optional_policy(`
++	unconfined_domain(xend_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.3.1/policy/modules/users/auditadm.fc
 --- nsaserefpolicy/policy/modules/users/auditadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/users/auditadm.fc	2008-02-26 08:29:22.000000000 -0500


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.619
retrieving revision 1.620
diff -u -r1.619 -r1.620
--- selinux-policy.spec	28 Feb 2008 03:32:23 -0000	1.619
+++ selinux-policy.spec	28 Feb 2008 04:35:56 -0000	1.620
@@ -388,6 +388,11 @@
 %endif
 
 %changelog
+* Wed Feb 27 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-6
+- Prepare policy for beta release
+- Change some of the system domains back to unconfined
+- Turn on some of the booleans
+
 * Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-5
 - Allow nsplugin_config execstack/execmem
 - Allow nsplugin_t to read alsa config
@@ -396,7 +401,6 @@
 * Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-4
 - Add cyphesis policy
 
-
 * Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-2
 - Fix Makefile.devel to build mls modules
 - Fix qemu to be more specific on labeling



