rpms/selinux-policy/F-8 policy-20070703.patch, 1.168, 1.169 selinux-policy.spec, 1.602, 1.603
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Jan 14 19:45:17 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13744
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Mon Jan 14 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-76
- Fix filecontext for networkmanagerlog files
- Allow mount to read samba config
- Fix label of /var/lib/tftpboot
- Fix label of /usr/lib(64)?/xorg/modules/glesx.so
- Fix label on /etc/NetworkManager/dispatcher.d/*
- Allow httpd to send dbus messages
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.168
retrieving revision 1.169
diff -u -r1.168 -r1.169
--- policy-20070703.patch 13 Jan 2008 13:51:29 -0000 1.168
+++ policy-20070703.patch 14 Jan 2008 19:45:09 -0000 1.169
@@ -3987,7 +3987,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-01-07 11:08:45.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-01-14 14:12:06.000000000 -0500
@@ -7,6 +7,7 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4008,7 +4008,15 @@
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
-@@ -108,7 +114,6 @@
+@@ -44,6 +50,7 @@
+ /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/NetworkManager/dispatcher.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
+@@ -108,7 +115,6 @@
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
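Review bot: The added `/etc/NetworkManager/dispatcher.d(/.*)?` entry leaves the dot in `dispatcher.d` unescaped, so it matches any character in that position, whereas the neighbouring `/etc/netplug\.d(/.*)?` escapes it; I would write `/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)`. The same unescaped dot is in the `/var/log/wpa_supplicant.log.*` line changed in the networkmanager.fc hunk further down, where `/var/log/wpa_supplicant\.log.*` would keep NetworkManager_log_t from attaching to unintended names. Because bin_t marks everything under this directory as a generic executable, it is worth confirming that only root can write there.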
@@ -4016,7 +4024,7 @@
#
# /usr
#
-@@ -126,10 +131,10 @@
+@@ -126,10 +132,10 @@
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -4029,7 +4037,7 @@
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
-@@ -163,9 +168,15 @@
+@@ -163,9 +169,15 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -4046,7 +4054,7 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
-@@ -180,6 +191,7 @@
+@@ -180,6 +192,7 @@
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
@@ -4054,7 +4062,7 @@
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +271,23 @@
+@@ -259,3 +272,23 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -8280,7 +8288,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-01-08 15:14:32.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-01-14 14:18:38.000000000 -0500
@@ -50,6 +50,12 @@
## </param>
#
@@ -8341,12 +8349,15 @@
class dbus send_msg;
')
-@@ -202,9 +224,16 @@
+@@ -201,10 +223,19 @@
+
# SE-DBus specific permissions
allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
-
-+ read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t)
++ allow $2 { system_dbusd_t $2 }:dbus send_msg;
+
++ read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t)
++ files_search_var_lib($2)
+
# For connecting to the bus
files_search_pids($2)
stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
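Review bot: The new `allow $2 { system_dbusd_t $2 }:dbus send_msg;` sits in a parameterised template, so every domain passed as `$2` gains send_msg towards the system bus daemon, not only httpd as the changelog entry suggests. The rule deserves a comment saying so, e.g. `# every system bus client may send to the bus daemon and to itself`. For consistency with the line above it, which uses `self`, I would write `allow $2 { system_dbusd_t self }:dbus send_msg;`. The enclosing template begins and ends outside this hunk, so its name and its callers are not visible here.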
@@ -8358,7 +8369,7 @@
')
#######################################
-@@ -236,14 +265,16 @@
+@@ -236,14 +267,16 @@
class dbus send_msg;
')
@@ -8378,7 +8389,7 @@
')
########################################
-@@ -271,6 +302,60 @@
+@@ -271,6 +304,60 @@
allow $2 $1_dbusd_t:dbus send_msg;
')
@@ -8439,7 +8450,7 @@
########################################
## <summary>
## Read dbus configuration.
-@@ -286,6 +371,7 @@
+@@ -286,6 +373,7 @@
type dbusd_etc_t;
')
@@ -8447,7 +8458,7 @@
allow $1 dbusd_etc_t:file read_file_perms;
')
-@@ -346,3 +432,55 @@
+@@ -346,3 +434,55 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -10719,7 +10730,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.8/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc 2007-12-31 08:48:19.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc 2008-01-14 09:31:26.000000000 -0500
@@ -1,7 +1,9 @@
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -10729,7 +10740,7 @@
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/log/wpa_supplicant.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
++/var/log/wpa_supplicant.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if 2007-12-31 08:56:04.000000000 -0500
@@ -12855,7 +12866,7 @@
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.if 2008-01-08 13:38:54.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/samba.if 2008-01-14 10:34:31.000000000 -0500
@@ -332,6 +332,25 @@
########################################
@@ -13543,7 +13554,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-12-31 15:41:55.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-01-14 11:54:37.000000000 -0500
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -13580,7 +13591,7 @@
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -66,6 +72,8 @@
+@@ -66,10 +72,13 @@
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
@@ -13589,7 +13600,12 @@
term_dontaudit_use_console(sendmail_t)
# for piping mail to a command
-@@ -94,30 +102,34 @@
+ corecmd_exec_shell(sendmail_t)
++corecmd_exec_bin(sendmail_t)
+
+ domain_use_interactive_fds(sendmail_t)
+
+@@ -94,30 +103,34 @@
miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
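Review bot: `corecmd_exec_bin(sendmail_t)` is added with neither a comment nor a changelog entry, although it lets sendmail_t run any bin_t program in its own domain rather than through a transition. The existing `# for piping mail to a command` comment only explains the shell rule above it. I would record the reason next to the rule, for example `# run helper programs labelled bin_t (name them here)`. This commit also relabels `/etc/NetworkManager/dispatcher.d` to bin_t, which widens what the rule covers.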
@@ -13630,7 +13646,7 @@
')
optional_policy(`
-@@ -131,28 +143,33 @@
+@@ -131,28 +144,33 @@
')
optional_policy(`
@@ -13908,6 +13924,17 @@
seutil_sigchld_newrole(soundd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.8/policy/modules/services/spamassassin.fc
+--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.fc 2008-01-14 11:58:07.000000000 -0500
+@@ -11,6 +11,7 @@
+
+ /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+ /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
++/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
+ /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+ /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2008-01-04 09:49:16.000000000 -0500
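Review bot: The new `/var/spool/milter-regex(/.*)?` entry labels a spool directory spamd_var_run_t, while the `/var/spool/spamassassin` and `/var/spool/spamd` entries just below it use spamd_spool_t. If this is deliberate (presumably so that domains already allowed to use spamd_var_run_t sockets can reach the milter's socket), a comment such as `# milter-regex keeps its socket here, hence var_run_t` would prevent a later mistaken correction. Otherwise spamd_spool_t looks like the intended type. The change is also absent from the changelog.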
@@ -14586,12 +14613,12 @@
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.0.8/policy/modules/services/tftp.fc
--- nsaserefpolicy/policy/modules/services/tftp.fc 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/tftp.fc 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/tftp.fc 2008-01-14 12:49:42.000000000 -0500
@@ -4,3 +4,4 @@
/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
-+/var/lib/tftp(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
++/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.8/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2007-12-02 21:15:34.000000000 -0500
@@ -17006,7 +17033,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-12-27 11:39:05.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-01-14 12:58:26.000000000 -0500
@@ -65,11 +65,15 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -17055,7 +17082,16 @@
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -223,6 +232,7 @@
+@@ -142,6 +151,8 @@
+ /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+@@ -223,6 +234,7 @@
/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Flash plugin, Macromedia
@@ -17063,7 +17099,7 @@
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -236,6 +246,8 @@
+@@ -236,6 +248,8 @@
/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -17072,7 +17108,7 @@
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
-@@ -284,3 +296,14 @@
+@@ -284,3 +298,14 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -18063,7 +18099,7 @@
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/mount.te 2007-12-31 11:02:48.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/mount.te 2008-01-14 10:34:46.000000000 -0500
@@ -8,6 +8,13 @@
## <desc>
@@ -18178,7 +18214,7 @@
')
optional_policy(`
-@@ -180,17 +195,17 @@
+@@ -180,17 +195,18 @@
')
')
@@ -18197,10 +18233,11 @@
optional_policy(`
- nscd_socket_use(mount_t)
+ samba_domtrans_smbmount(mount_t)
++ samba_read_config(mount_t)
')
########################################
-@@ -201,4 +216,29 @@
+@@ -201,4 +217,29 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -19710,7 +19747,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-08 15:13:25.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-14 09:59:37.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -19955,9 +19992,9 @@
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1_t)
+ tunable_policy(`allow_$1_exec_content', `
-+ can_exec($1_usertype,$1_home_t)
++ can_exec($1_usertype,$1_home_type)
+ ',`
-+ dontaudit $1_usertype $1_home_t:file execute;
++ dontaudit $1_usertype $1_home_type:file execute;
')
- tunable_policy(`use_samba_home_dirs',`
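Review bot: Switching `$1_home_t` to `$1_home_type` in both branches changes the scope of the allow_$1_exec_content tunable, and neither the changelog nor a comment says so. `$1_home_type` looks like an attribute (its declaration is outside the hunk), so `can_exec` now presumably covers every type carrying it. The `dontaudit ... :file execute` in the else branch would then silence execute denials for all of those types, which removes an audit signal when the tunable is off. I would add a comment above the tunable, e.g. `# $1_home_type: all per-role home content types, not only $1_home_t`, and confirm that hiding the denials is intended. The enclosing template starts and ends outside the hunk.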
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.602
retrieving revision 1.603
diff -u -r1.602 -r1.603
--- selinux-policy.spec 13 Jan 2008 13:24:59 -0000 1.602
+++ selinux-policy.spec 14 Jan 2008 19:45:09 -0000 1.603
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 75%{?dist}
+Release: 76%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,14 @@
%endif
%changelog
+* Mon Jan 14 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-76
+- Fix filecontext for networkmanagerlog files
+- Allow mount to read samba config
+- Fix label of /var/lib/tftpboot
+- Fix label of /usr/lib(64)?/xorg/modules/glesx.so
+- Fix label on /etc/NetworkManager/dispatcher.d/*
+- Allow httpd to send dbus messages
+
* Thu Jan 3 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-75
- Alow postgrey to read postfix_etc_t
- Lots of fixes to get javaplugin to run under xguest