rpms/selinux-policy/devel modules-mls.conf, 1.29, 1.30 modules-targeted.conf, 1.76, 1.77 policy-20071130.patch, 1.25, 1.26 selinux-policy.spec, 1.579, 1.580
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Jan 3 22:13:46 UTC 2008
- Previous message (by thread): rpms/8Kingdoms/devel 8Kingdoms-1.1.0-crash.patch, NONE, 1.1 8Kingdoms-1.1.0-gcc43.patch, NONE, 1.1 8Kingdoms.spec, 1.1, 1.2
- Next message (by thread): rpms/seahorse/devel seahorse.spec,1.32,1.33 sources,1.10,1.11
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10915
Modified Files:
modules-mls.conf modules-targeted.conf policy-20071130.patch
selinux-policy.spec
Log Message:
* Wed Jan 2 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-8
- Change user and staff roles to work correctly with varied perms
Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- modules-mls.conf 3 Dec 2007 01:16:38 -0000 1.29
+++ modules-mls.conf 3 Jan 2008 22:13:09 -0000 1.30
@@ -1059,3 +1059,31 @@
# Abstract Machine Test Utility (AMTU)
#
amtu = module
+
+# Layer: users
+# Module: staff
+#
+# Fully Privledged user. with su/sudo/newrole
+#
+staff = base
+
+# Layer: users
+# Module: user
+#
+# Fully Privledged user. without su/sudo/newrole
+#
+user = base
+
+# Layer: users
+# Module: secadm
+#
+# Root role used to manage selinux
+#
+secadm = module
+
+# Layer: users
+# Module: auditadm
+#
+# Root role used to manage audit system
+#
+auditadm = module
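Review bot: the new staff and user descriptions misspell "Privledged" and read as fragments ("Fully Privledged user. with su/sudo/newrole"); suggest `# Fully privileged user, with su/sudo/newrole` and `# Fully privileged user, without su/sudo/newrole`. The same two modules are described in modules-targeted.conf in this commit as "Minimally privs guest account on tty logins", so one of the two files is wrong and they should agree. Also note that staff and user are marked `base` (built into the base policy) while secadm and auditadm are loadable `module`s; that split looks deliberate but deserves a line in the changelog.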
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- modules-targeted.conf 18 Dec 2007 19:58:20 -0000 1.76
+++ modules-targeted.conf 3 Jan 2008 22:13:09 -0000 1.77
@@ -747,6 +747,12 @@
#
mozilla = module
+# Layer: apps
+# Module: nsplugin
+#
+# Policy for nspluginwrapper
+#
+nsplugin = module
# Layer: apps
# Module: mplayer
@@ -755,6 +761,13 @@
#
mplayer = module
+# Layer: apps
+# Module: gpg
+#
+# Policy for Mozilla and related web browsers
+#
+gpg = module
+
# Layer: admin
# Module: mrtg
#
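Review bot: the description on the new gpg entry, `# Policy for Mozilla and related web browsers`, is copied from the mozilla entry above and does not describe gpg; suggest `# Policy for GnuPG (gpg, gpg-agent, kgpg, pinentry)`, which matches the executables labelled in the gpg.fc change elsewhere in this commit.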
@@ -1572,3 +1585,17 @@
#
soundserver = module
+# Layer: users
+# Module: staff
+#
+# Minimally privs guest account on tty logins
+#
+staff = base
+
+# Layer: users
+# Module: user
+#
+# Minimally privs guest account on tty logins
+#
+user = base
+
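Review bot: both new entries here carry `# Minimally privs guest account on tty logins`, which is the guest module's description, not staff's or user's, and it contradicts the modules-mls.conf entries added in the same commit ("Fully Privledged user. with/without su/sudo/newrole"); pick one correct wording and use it in both files.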
policy-20071130.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.25 -r 1.26 policy-20071130.patch
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- policy-20071130.patch 31 Dec 2007 22:34:58 -0000 1.25
+++ policy-20071130.patch 3 Jan 2008 22:13:09 -0000 1.26
@@ -12,6 +12,22 @@
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.5/config/appconfig-mcs/root_default_contexts
+--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2007-10-12 08:56:09.000000000 -0400
++++ serefpolicy-3.2.5/config/appconfig-mcs/root_default_contexts 2008-01-02 11:19:34.000000000 -0500
+@@ -1,11 +1,7 @@
+ system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+ system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+-
+ #
+ # Uncomment if you want to automatically login as sysadm_r
+ #
+-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
++system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.5/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.5/config/appconfig-mcs/seusers 2007-12-19 05:38:08.000000000 -0500
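Review bot: uncommenting `system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0` in appconfig-mcs/root_default_contexts leaves the comment directly above it, `# Uncomment if you want to automatically login as sysadm_r`, stale and now misleading; either drop the comment or reword it to say that root logging in through sshd now gets a default context without further configuration. That is a behaviour change for root over ssh and should appear in the changelog, as should the removal of the three `*_su_t` default-context entries.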
@@ -64,6 +80,22 @@
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+system_r:crond_t guest_r:guest_crond_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.2.5/config/appconfig-standard/root_default_contexts
+--- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2007-10-12 08:56:09.000000000 -0400
++++ serefpolicy-3.2.5/config/appconfig-standard/root_default_contexts 2008-01-02 11:20:32.000000000 -0500
+@@ -1,11 +1,7 @@
+ system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+ system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+-staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+-sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+-user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+-
+ #
+ # Uncomment if you want to automatically login as sysadm_r
+ #
+-#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
++system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.5/config/appconfig-standard/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/config/appconfig-standard/xguest_u_default_contexts 2007-12-19 05:38:08.000000000 -0500
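Review bot: appconfig-standard/root_default_contexts gets the identical edit to the appconfig-mcs file (the `*_su_t` entries removed and the `system_r:sshd_t` line uncommented beneath `# Uncomment if you want to automatically login as sysadm_r`), so the same stale comment needs the same fix here; whatever wording is chosen should be applied to both files so they do not drift apart.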
@@ -925,7 +957,7 @@
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2007-12-24 06:06:53.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2008-01-03 11:32:09.000000000 -0500
@@ -152,6 +152,24 @@
########################################
@@ -976,11 +1008,10 @@
## Create, read, write, and delete RPM
## script temporary files.
## </summary>
-@@ -224,8 +260,29 @@
- type rpm_script_tmp_t;
+@@ -225,7 +261,29 @@
')
-- files_search_tmp($1)
+ files_search_tmp($1)
+ manage_dirs_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
+ manage_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
@@ -1007,7 +1038,7 @@
')
########################################
-@@ -289,3 +346,137 @@
+@@ -289,3 +347,137 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -1273,7 +1304,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/su.if 2007-12-19 05:38:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-03 13:47:22.000000000 -0500
@@ -41,15 +41,13 @@
allow $2 $1_su_t:process signal;
@@ -1321,7 +1352,7 @@
allow $2 $1_su_t:fd use;
allow $2 $1_su_t:fifo_file rw_file_perms;
- allow $2 $1_su_t:process sigchld;
-+ allow $2 $1_su_t:process { getsched signal };
++ allow $2 $1_su_t:process { getsched signal sigchld };
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
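Review bot: restoring `sigchld` in `allow $2 $1_su_t:process { getsched signal sigchld };` is the right fix; the 1.25 revision had replaced the original `allow $2 $1_su_t:process sigchld;` with `{ getsched signal }` and silently dropped the permission the line originally granted. Worth a one-line mention in the changelog since it corrects a regression rather than adding a feature.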
@@ -1344,7 +1375,7 @@
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
-@@ -226,6 +224,7 @@
+@@ -226,12 +224,14 @@
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
@@ -1352,7 +1383,15 @@
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
-@@ -295,13 +294,7 @@
+
+- userdom_use_user_terminals($1,$1_su_t)
++ userdom_search_sysadm_home_dirs($1_su_t)
+ userdom_search_user_home_dirs($1,$1_su_t)
++ userdom_use_user_terminals($1,$1_su_t)
+
+ ifdef(`distro_rhel4',`
+ domain_role_change_exemption($1_su_t)
+@@ -295,13 +295,7 @@
xserver_domtrans_user_xauth($1, $1_su_t)
')
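Review bot: `userdom_search_sysadm_home_dirs($1_su_t)` is added unconditionally inside a template that is instantiated for every role, so user_su_t and staff_su_t gain search access on sysadm home directories as well as sysadm_su_t; if only the staff/sysadm instances need it, gate the call on the role, and add a comment saying why su needs to search sysadm home dirs at all. The swap of the `userdom_use_user_terminals` and `userdom_search_user_home_dirs` lines is purely cosmetic and could be left out to keep the diff minimal.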
@@ -1959,13 +1998,564 @@
+files_tmp_file(user_gconf_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.5/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc 2007-12-19 05:38:08.000000000 -0500
-@@ -1,4 +1,4 @@
++++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc 2008-01-03 16:26:50.000000000 -0500
+@@ -1,6 +1,6 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:user_gpg_secret_t,s0)
- /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+-/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
++/usr/bin/gpg2? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+ /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
+ /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.5/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/apps/gpg.if 2008-01-03 17:11:22.000000000 -0500
+@@ -38,6 +38,10 @@
+ gen_require(`
+ type gpg_exec_t, gpg_helper_exec_t;
+ type gpg_agent_exec_t, pinentry_exec_t;
++ type gpg_t, gpg_helper_t;
++ type gpg_agent_t, gpg_pinentry_t;
++ type user_gpg_agent_tmp_t;
++ type user_gpg_secret_t;
+ ')
+
+ ########################################
+@@ -45,275 +49,51 @@
+ # Declarations
+ #
+
+- type $1_gpg_t;
+- application_domain($1_gpg_t,gpg_exec_t)
+- role $3 types $1_gpg_t;
+-
+- type $1_gpg_agent_t;
+- application_domain($1_gpg_agent_t,gpg_agent_exec_t)
+- role $3 types $1_gpg_agent_t;
+-
+- type $1_gpg_agent_tmp_t;
+- files_tmp_file($1_gpg_agent_tmp_t)
+-
+- type $1_gpg_secret_t;
+- userdom_user_home_content($1,$1_gpg_secret_t)
+-
+- type $1_gpg_helper_t;
+- application_domain($1_gpg_helper_t,gpg_helper_exec_t)
+- role $3 types $1_gpg_helper_t;
+-
+- type $1_gpg_pinentry_t;
+- application_domain($1_gpg_pinentry_t,pinentry_exec_t)
+- role $3 types $1_gpg_pinentry_t;
++ typealias gpg_t alias $1_gpg_t;
++ role $3 types gpg_t;
+
+- ########################################
+- #
+- # GPG local policy
+- #
+-
+- allow $1_gpg_t self:capability { ipc_lock setuid };
+- allow { $2 $1_gpg_t } $1_gpg_t:process signal;
+- # setrlimit is for ulimit -c 0
+- allow $1_gpg_t self:process { setrlimit setcap setpgid };
+-
+- allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
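Review bot: collapsing the per-role `$1_gpg_t`, `$1_gpg_agent_t`, `$1_gpg_helper_t`, `$1_gpg_pinentry_t` and `$1_gpg_secret_t` into one shared `gpg_t` (via `typealias gpg_t alias $1_gpg_t;`) plus a hard-coded `user_gpg_secret_t` in gpg.fc removes the TE separation between roles' gpg processes and keyrings: staff_r and user_r gpg runs now share a domain and every `HOME_DIR/.gnupg` is labelled the same type, so isolation between users rests on DAC and UBAC/MLS only. That may be intended for targeted policy, but it should be stated in a comment in gpg.if and in the changelog. The enlarged `gen_require` now pulls in `gpg_t`, `gpg_helper_t`, `gpg_agent_t`, `gpg_pinentry_t`, `user_gpg_agent_tmp_t` and `user_gpg_secret_t`, which must be declared in gpg.te (not visible here; most of this hunk is suppressed), and since the template is called once per role each call adds another alias to the same type, which is legal but only serves backward compatibility. The gpg.fc change from `/usr/bin/gpg(2)?` to `/usr/bin/gpg2?` is equivalent and fine.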
[...3922 lines suppressed...]
++## <summary>Policy for auditadm user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.te serefpolicy-3.2.5/policy/modules/users/auditadm.te
+--- nsaserefpolicy/policy/modules/users/auditadm.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/auditadm.te 2008-01-02 11:38:04.000000000 -0500
+@@ -0,0 +1,25 @@
++policy_module(auditadm,1.0.1)
++gen_require(`
++ role staff_r;
++')
++
++userdom_unpriv_user_template(auditadm)
++
++userdom_role_change_template(staff, auditadm)
++
++allow auditadm_t self:capability { dac_read_search dac_override };
++seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
++domain_kill_all_domains(auditadm_t)
++seutil_read_bin_policy(auditadm_t)
++corecmd_exec_shell(auditadm_t)
++logging_send_syslog_msg(auditadm_t)
++logging_read_generic_logs(auditadm_t)
++logging_manage_audit_log(auditadm_t)
++logging_manage_audit_config(auditadm_t)
++logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
++logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
++userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
++
++optional_policy(`
++ dmesg_exec(auditadm_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.5/policy/modules/users/guest.fc
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/guest.fc 2007-12-19 05:38:09.000000000 -0500
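Review bot: in the new auditadm.te, `domain_kill_all_domains(auditadm_t)` is broader than audit administration needs; auditd and auditctl are already reached through `logging_run_auditd` and `logging_run_auditctl`, so consider restricting signal rights to the audit domains or documenting why a blanket kill is required. Style: `policy_module(auditadm,1.0.1)` runs straight into `gen_require` with no blank line, and the module has no header comment, unlike the rest of the users layer. The `userdom_role_change_template(staff, auditadm)` line is the only thing tying this role to staff_r and deserves a comment like the `# only staff_r can change to sysadm_r` one in staff.te.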
@@ -17680,6 +19478,143 @@
+++ serefpolicy-3.2.5/policy/modules/users/metadata.xml 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+<summary>Policy modules for users</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.fc serefpolicy-3.2.5/policy/modules/users/secadm.fc
+--- nsaserefpolicy/policy/modules/users/secadm.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/secadm.fc 2008-01-02 11:40:47.000000000 -0500
+@@ -0,0 +1 @@
++# No secadm file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.if serefpolicy-3.2.5/policy/modules/users/secadm.if
+--- nsaserefpolicy/policy/modules/users/secadm.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/secadm.if 2008-01-02 11:40:35.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for secadm user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.te serefpolicy-3.2.5/policy/modules/users/secadm.te
+--- nsaserefpolicy/policy/modules/users/secadm.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/secadm.te 2008-01-02 14:52:04.000000000 -0500
+@@ -0,0 +1,39 @@
++policy_module(secadm,1.0.1)
++gen_require(`
++ role staff_r;
++')
++
++userdom_unpriv_user_template(secadm)
++userdom_role_change_template(staff, secadm)
++
++allow secadm_t self:capability { dac_read_search dac_override };
++corecmd_exec_shell(secadm_t)
++domain_obj_id_change_exemption(secadm_t)
++mls_process_read_up(secadm_t)
++mls_file_read_all_levels(secadm_t)
++mls_file_write_all_levels(secadm_t)
++mls_file_upgrade(secadm_t)
++mls_file_downgrade(secadm_t)
++auth_relabel_all_files_except_shadow(secadm_t)
++dev_relabel_all_dev_nodes(secadm_t)
++auth_relabel_shadow(secadm_t)
++init_exec(secadm_t)
++logging_read_audit_log(secadm_t)
++logging_read_generic_logs(secadm_t)
++logging_read_audit_config(secadm_t)
++userdom_dontaudit_append_staff_home_content_files(secadm_t)
++userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
++
++userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
++
++optional_policy(`
++ aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
++')
++
++optional_policy(`
++ netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
++')
++
++optional_policy(`
++ dmesg_exec(secadm_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.fc serefpolicy-3.2.5/policy/modules/users/staff.fc
+--- nsaserefpolicy/policy/modules/users/staff.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/staff.fc 2008-01-02 11:12:56.000000000 -0500
+@@ -0,0 +1 @@
++# No staff file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.if serefpolicy-3.2.5/policy/modules/users/staff.if
+--- nsaserefpolicy/policy/modules/users/staff.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/staff.if 2008-01-02 11:13:02.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for staff user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te
+--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-03 17:06:13.000000000 -0500
+@@ -0,0 +1,31 @@
++policy_module(staff,1.0.1)
++userdom_unpriv_user_template(staff)
++
++# only staff_r can change to sysadm_r
++userdom_role_change_template(staff, sysadm)
++userdom_dontaudit_use_sysadm_terms(staff_t)
++
++optional_policy(`
++ xserver_per_role_template(staff, staff_t, staff_r)
++')
++
++sudo_per_role_template(staff, staff_t, staff_r)
++seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
++
++optional_policy(`
++ java_per_role_template(staff, staff_t, staff_r)
++')
++
++optional_policy(`
++ mono_per_role_template(staff, staff_t, staff_r)
++')
++
++optional_policy(`
++ gpg_per_role_template(staff, staff_usertype, staff_r)
++')
++
++optional_policy(`
++ netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
++ netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.5/policy/modules/users/user.fc
+--- nsaserefpolicy/policy/modules/users/user.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/user.fc 2008-01-02 11:13:33.000000000 -0500
+@@ -0,0 +1 @@
++# No user file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if serefpolicy-3.2.5/policy/modules/users/user.if
+--- nsaserefpolicy/policy/modules/users/user.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/user.if 2008-01-02 11:13:21.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for user user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.2.5/policy/modules/users/user.te
+--- nsaserefpolicy/policy/modules/users/user.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/user.te 2008-01-03 13:17:42.000000000 -0500
+@@ -0,0 +1,25 @@
++policy_module(user,1.0.1)
++userdom_unpriv_user_template(user)
++
++optional_policy(`
++ java_per_role_template(user, user_t, user_r)
++')
++
++optional_policy(`
++ mono_per_role_template(user, user_t, user_r)
++')
++
++optional_policy(`
++ xserver_per_role_template(user, user_t, user_r)
++')
++
++optional_policy(`
++ gpg_per_role_template(user, user_usertype, user_r)
++')
++
++optional_policy(`
++ netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
++ netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
++')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.5/policy/modules/users/webadm.fc
--- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/webadm.fc 2007-12-19 05:38:09.000000000 -0500
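Review bot: in staff.te, `sudo_per_role_template(staff, staff_t, staff_r)` and `seutil_run_newrole(...)` are called outside `optional_policy(...)` while java, mono, gpg, xserver and netutils are wrapped; if sudo is built as a loadable module in the targeted build the unconditional call will fail to link, so either wrap it or note that it is intentionally required. `gpg_per_role_template(staff, staff_usertype, staff_r)` and `gpg_per_role_template(user, user_usertype, user_r)` pass the usertype attribute where the java/mono/xserver templates are given `staff_t`/`user_t`; if that is deliberate (gpg rules should cover every staff- or user-derived domain) a comment would help. user.te ends with two added blank lines; trim to one. In secadm.te, `auth_relabel_shadow(secadm_t)`, `auth_relabel_all_files_except_shadow(secadm_t)`, `dev_relabel_all_dev_nodes(secadm_t)` and the `mls_file_*_all_levels`/`mls_file_upgrade`/`mls_file_downgrade` calls amount to full relabel authority on top of everything `userdom_unpriv_user_template(secadm)` grants; that is the point of a security administrator role, but the combination should be spelled out in a header comment so the scope is reviewable.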
@@ -17692,7 +19627,7 @@
+## <summary>Policy for webadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.5/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/users/webadm.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/webadm.te 2008-01-02 11:22:34.000000000 -0500
@@ -0,0 +1,42 @@
+policy_module(webadm,1.0.0)
+
@@ -17732,10 +19667,10 @@
+apache_admin(webadm_t, webadm_r, { webadm_devpts_t webadm_tty_device_t })
+
+gen_require(`
-+ type gadmin_t;
++ type staff_t;
+')
-+allow gadmin_t webadm_t:process transition;
-+allow webadm_t gadmin_t:dir getattr;
++allow staff_t webadm_t:process transition;
++allow webadm_t staff_t:dir getattr;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.5/policy/modules/users/xguest.fc
--- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/xguest.fc 2007-12-19 05:38:09.000000000 -0500
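Review bot: switching the webadm `gen_require` from `gadmin_t` to `staff_t` but keeping the hand-written `allow staff_t webadm_t:process transition;` and `allow webadm_t staff_t:dir getattr;` is inconsistent with the new secadm.te and auditadm.te, which express the same staff_r role change with `userdom_role_change_template(staff, secadm)` / `userdom_role_change_template(staff, auditadm)`; using the template here keeps all staff role-change rules in one pattern and avoids a raw allow rule inside the module.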
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.579
retrieving revision 1.580
diff -u -r1.579 -r1.580
--- selinux-policy.spec 31 Dec 2007 21:06:02 -0000 1.579
+++ selinux-policy.spec 3 Jan 2008 22:13:09 -0000 1.580
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.5
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,9 @@
%endif
%changelog
+* Wed Jan 2 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-8
+- Change user and staff roles to work correctly with varied perms
+
* Mon Dec 31 2007 Dan Walsh <dwalsh at redhat.com> 3.2.5-7
- Fix munin log,
- Eliminate duplicate mozilla file context
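Review bot: the 3.2.5-8 changelog entry, `- Change user and staff roles to work correctly with varied perms`, does not cover the rest of this revision: new nsplugin and gpg entries in modules-targeted.conf, new secadm and auditadm modules in modules-mls.conf, the shared `gpg_t` domain replacing per-role gpg types, the root_default_contexts change that enables the `system_r:sshd_t` default context for root, and the restored `sigchld` permission in su.if. Each is a user-visible policy change and should get its own line.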