rpms/selinux-policy/devel policy-20071130.patch,1.34,1.35
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Jan 17 13:50:20 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12698
Modified Files:
policy-20071130.patch
Log Message:
* Tue Jan 15 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-13
- Allow setroubleshoot to read policy config and send audit messages
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- policy-20071130.patch 15 Jan 2008 20:43:04 -0000 1.34
+++ policy-20071130.patch 17 Jan 2008 13:50:17 -0000 1.35
@@ -4561,7 +4561,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2008-01-14 13:32:12.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2008-01-16 16:09:12.000000000 -0500
@@ -82,6 +82,7 @@
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@@ -6549,7 +6549,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.5/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2008-01-16 16:21:23.000000000 -0500
@@ -36,6 +36,7 @@
domain_read_all_domains_state(consolekit_t)
@@ -6575,7 +6575,7 @@
optional_policy(`
dbus_system_bus_client_template(consolekit, consolekit_t)
dbus_connect_system_bus(consolekit_t)
-@@ -67,3 +76,8 @@
+@@ -67,3 +76,13 @@
xserver_read_all_users_xauth(consolekit_t)
xserver_stream_connect_xdm_xserver(consolekit_t)
')
@@ -6583,6 +6583,11 @@
+optional_policy(`
+ #reading .Xauthity
+ unconfined_ptrace(consolekit_t)
++ unconfined_stream_connect(consolekit_t)
++')
++
++optional_policy(`
++ userdom_read_user_tmp_files(consolekit_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.5/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
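Review bot: The two new rules for consolekit_t, `unconfined_stream_connect(consolekit_t)` and `userdom_read_user_tmp_files(consolekit_t)`, carry no justification, while the only comment in the block (`#reading .Xauthity`) explains just the ptrace rule above them. Connecting to unconfined domain sockets and reading every user's tmp files are wide grants for a session tracker, so a one-line comment per rule naming the denied operation that motivated it would let a later reviewer judge whether a narrower interface exists. While here, the existing comment misspells the file name; `# reading .Xauthority` would read better, though that line is context here rather than part of this change. The two optional_policy blocks are shown in full, but the rest of consolekit.te lies outside the hunk.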
@@ -9158,7 +9163,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-11 14:28:19.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-16 06:23:08.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@@ -9237,7 +9242,7 @@
logrotate_read_tmp_files(system_mail_t)
')
-@@ -136,11 +158,30 @@
+@@ -136,11 +158,33 @@
')
optional_policy(`
@@ -9253,6 +9258,9 @@
')
-# should break this up among sections:
++init_stream_connect_script(mailserver_delivery)
++init_rw_script_stream_sockets(mailserver_delivery)
++
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
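Review bot: `init_stream_connect_script(mailserver_delivery)` and `init_rw_script_stream_sockets(mailserver_delivery)` are granted to the whole mailserver_delivery attribute, i.e. every delivery agent, rather than to the one domain that needs them, and nothing in the hunk says which agent or which init script socket this serves. A comment above the two lines such as `# <agent> talks to the init script stream socket: <reason>` (placeholders) or, better, scoping the rules to the specific delivery domain would keep the attribute-wide grant reviewable. The surrounding mta.te policy is outside the hunk, so I cannot tell whether a narrower domain already exists for this case.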
@@ -9269,7 +9277,7 @@
optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +195,4 @@
+@@ -154,3 +198,4 @@
cron_read_system_job_tmp_files(mta_user_agent)
')
')
@@ -9289,8 +9297,16 @@
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-31 06:15:20.000000000 -0500
-@@ -37,14 +37,18 @@
++++ serefpolicy-3.2.5/policy/modules/services/munin.te 2008-01-16 16:05:13.000000000 -0500
+@@ -30,21 +30,25 @@
+ # Local policy
+ #
+
+-allow munin_t self:capability { setgid setuid };
++allow munin_t self:capability { dac_override setgid setuid };
+ dontaudit munin_t self:capability sys_tty_config;
+ allow munin_t self:process { getsched setsched signal_perms };
+ allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
allow munin_t self:tcp_socket create_stream_socket_perms;
allow munin_t self:udp_socket create_socket_perms;
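Review bot: Adding `dac_override` in `allow munin_t self:capability { dac_override setgid setuid };` lets the daemon bypass every DAC file-permission check, and the hunk gives no hint which file access required it. If the need is read-only access to files owned by another user, which is the usual case for monitoring plugins, `dac_read_search` is the narrower capability; if writing is genuinely needed, a comment naming the path, e.g. `# dac_override: <path or bug reference, placeholder>`, would justify the broader grant. Either way a line in the policy stops the capability from being carried forward silently. The remainder of munin_t's local policy is outside the hunk.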
@@ -10813,7 +10829,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-08 11:05:41.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-16 15:49:34.000000000 -0500
@@ -102,6 +102,10 @@
')
@@ -10825,7 +10841,15 @@
munin_dontaudit_search_lib(procmail_t)
')
-@@ -129,7 +133,9 @@
+@@ -116,6 +120,7 @@
+
+ optional_policy(`
+ pyzor_domtrans(procmail_t)
++ pyzor_signal(procmail_t)
+ ')
+
+ optional_policy(`
+@@ -129,7 +134,9 @@
corenet_udp_bind_generic_port(procmail_t)
corenet_dontaudit_udp_bind_all_ports(procmail_t)
@@ -10851,7 +10875,7 @@
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.5/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2008-01-16 15:43:01.000000000 -0500
@@ -25,16 +25,18 @@
#
template(`pyzor_per_role_template',`
@@ -14931,7 +14955,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.5/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/system/init.if 2007-12-20 08:48:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/init.if 2008-01-16 06:20:54.000000000 -0500
@@ -211,6 +211,13 @@
kernel_dontaudit_use_fds($1)
')
@@ -15408,7 +15432,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2008-01-14 12:58:45.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2008-01-16 15:54:07.000000000 -0500
@@ -133,6 +133,7 @@
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -15417,7 +15441,15 @@
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -183,6 +184,7 @@
+@@ -165,6 +166,7 @@
+ # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
+ /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -183,6 +185,7 @@
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
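Review bot: The new entry `HOME_DIR/.*/plugins/nppdf\.so.*` lands in the gstreamer/HelixPlayer group, three lines above the existing `/usr/lib/firefox-[^/]*/plugins/nppdf.so` line for the same plugin; placing the two nppdf contexts next to each other, with a short comment naming the plugin, would keep the file readable. Note also that `HOME_DIR/.*` followed by `/plugins/nppdf\.so.*` labels a user-writable file textrel_shlib_t wherever it sits under a home directory, the same trade-off the existing libflashplayer and nprhapengine HOME_DIR entries make, so a comment that this is intended would help. The `.so.*` suffix will likewise match stray copies such as `nppdf.so.orig`, which the neighbouring entries share.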
@@ -15425,7 +15457,7 @@
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -242,7 +244,7 @@
+@@ -242,7 +245,7 @@
# Flash plugin, Macromedia
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -15434,7 +15466,7 @@
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -292,6 +294,8 @@
+@@ -292,6 +295,8 @@
#
# /var
#
@@ -15443,11 +15475,12 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-@@ -304,3 +308,4 @@
+@@ -304,3 +309,5 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
++/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2008-01-02 15:02:58.000000000 -0500
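Review bot: `/usr/lib(64)?/libavdevice\.so.*` is appended after the `/var/spool/postfix` entries, i.e. under the `# /var` section at the end of libraries.fc, although it is a /usr/lib path; it belongs with the other /usr/lib textrel_shlib_t entries earlier in the file, next to the related libav* libraries if they are listed there (that part of the file is outside the hunk). Moving it keeps the path-ordered sections intact and avoids a trailing blank line plus one stray entry at end of file.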
@@ -16013,7 +16046,7 @@
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2008-01-14 10:34:15.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/mount.te 2008-01-16 10:54:21.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
@@ -16092,7 +16125,15 @@
auth_use_nsswitch(mount_t)
-@@ -161,6 +168,8 @@
+@@ -119,6 +126,7 @@
+ seutil_read_config(mount_t)
+
+ userdom_use_all_users_fds(mount_t)
++userdom_read_sysadm_home_content_files(mount_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+@@ -161,6 +169,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
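Review bot: `userdom_read_sysadm_home_content_files(mount_t)` lets mount_t read all of the administrator's home content and nothing in the hunk records why; the neighbouring `userdom_use_all_users_fds(mount_t)` is an unrelated grant and does not explain it. A comment with the use case, for instance loop-mounting an image kept under the admin home or reading a credentials file handed to mount (I am guessing at the motivation), such as `# <use case>, see <bug/AVC reference placeholder>`, would let a reviewer decide whether the rule should be narrowed or made conditional on a tunable. The enclosing `ifdef(`distro_redhat'` and optional_policy blocks continue outside the hunk.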
@@ -16101,7 +16142,7 @@
')
optional_policy(`
-@@ -175,6 +184,11 @@
+@@ -175,6 +185,11 @@
')
')
@@ -16113,7 +16154,7 @@
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -182,6 +196,7 @@
+@@ -182,6 +197,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -16121,7 +16162,7 @@
')
########################################
-@@ -192,4 +207,26 @@
+@@ -192,4 +208,26 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -16992,7 +17033,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.5/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/unconfined.fc 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/unconfined.fc 2008-01-17 08:46:28.000000000 -0500
@@ -10,7 +10,11 @@
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
@@ -17274,7 +17315,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-11 15:57:35.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-17 08:47:06.000000000 -0500
@@ -9,32 +9,48 @@
# usage in this module of types created by these
# calls is not correct, however we dont currently
@@ -17489,7 +17530,7 @@
')
########################################
-@@ -219,14 +238,32 @@
+@@ -219,14 +238,34 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -17527,6 +17568,8 @@
+allow unconfined_notrans_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_notrans_t)
+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
++# Allow SELinux aware applications to request rpm_script execution
++rpm_transition_script(unconfined_notrans_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.5/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.fc 2007-12-19 05:38:09.000000000 -0500
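Review bot: `rpm_transition_script(unconfined_notrans_t)` makes a domain whose name advertises "no transition" an explicit exception for rpm_script, and the added comment `# Allow SELinux aware applications to request rpm_script execution` says what is allowed but not why the exception is acceptable for this domain. A second comment line stating that this is an explicitly requested transition only and that unconfined_notrans_t otherwise stays in its own domain (my reading of the name, please confirm) would make the intent clear to the next maintainer. The nested header change to `@@ -219,14 +238,34 @@` in the preceding hunk accounts for the two added lines. The declaration of unconfined_notrans_t and the unconfined_domain_noaudit call are in view, but the rest of unconfined.te is outside the hunk.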
@@ -17542,7 +17585,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-15 11:58:29.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-16 16:19:31.000000000 -0500
@@ -29,8 +29,9 @@
')