rpms/selinux-policy/devel policy-20071130.patch, 1.38, 1.39 selinux-policy.spec, 1.588, 1.589

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jan 22 19:46:57 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11228

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Mon Jan 21 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-17
- Allow ptrace of user processes by users of same type
- Add boolean for transition to nsplugin


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- policy-20071130.patch	22 Jan 2008 17:35:34 -0000	1.38
+++ policy-20071130.patch	22 Jan 2008 19:46:50 -0000	1.39
@@ -2730,7 +2730,7 @@
 +/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.5/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/java.if	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/java.if	2008-01-22 12:52:42.000000000 -0500
 @@ -32,7 +32,7 @@
  ##	</summary>
  ## </param>
@@ -2824,7 +2824,7 @@
  	userdom_manage_user_home_content_dirs($1,$1_javaplugin_t)
  	userdom_manage_user_home_content_files($1,$1_javaplugin_t)
  	userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t)
-@@ -156,15 +162,63 @@
+@@ -156,15 +162,65 @@
  	')
  
  	optional_policy(`
@@ -2879,6 +2879,8 @@
 +
 +	allow $1_java_t self:process { getsched sigkill execheap execmem execstack };
 +
++	allow $2 $1_java_t:process { getattr ptrace signal_perms };
++
 +	domtrans_pattern($2, java_exec_t, $1_java_t)
 +
 +	dev_read_urand($1_java_t)
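Review bot: The new `allow $2 $1_java_t:process { getattr ptrace signal_perms };` gives the calling user domain full debug control (memory read/write, register manipulation) over every process in the derived java domain, so from the caller's side the java domain is no longer a confinement boundary and only the kernel's DAC check (same uid or CAP_SYS_PTRACE) still applies. That is presumably intended so users can debug their own plugins, but it is a much larger grant than the `signal_perms` it sits beside and deserves a line saying so, e.g. `# users may debug (ptrace) and signal their own java processes`. If this tree carries a debugging tunable (refpolicy has used `allow_ptrace` for the admin template), consider wrapping the `ptrace` permission in it instead of granting it unconditionally. The enclosing template starts and ends outside the hunk.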
@@ -2892,7 +2894,7 @@
  	')
  ')
  
-@@ -219,3 +273,67 @@
+@@ -219,3 +275,67 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, java_exec_t, java_t)
  ')
@@ -3019,7 +3021,7 @@
 +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.5/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/mono.if	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/mono.if	2008-01-22 12:53:01.000000000 -0500
 @@ -18,3 +18,105 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, mono_exec_t, mono_t)
@@ -3116,7 +3118,7 @@
 +	userdom_unpriv_usertype($1, $1_mono_t)
 +
 +	allow $1_mono_t self:process { execheap execmem };
-+	allow $2 $1_mono_t:process noatsecure;
++	allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
 +
 +	domtrans_pattern($2, mono_exec_t, $1_mono_t)
 +
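Review bot: The line now reads `allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms };`, which pairs the new `ptrace` grant with the existing `noatsecure`; together they mean the caller both controls the environment the mono domain is entered with (`noatsecure` disables AT_SECURE handling, so variables such as LD_PRELOAD survive the transition) and can attach to the process afterwards, so confinement here only protects the caller from `$1_mono_t`, not the reverse. This matches the java hunk in the same commit except that the java rule does not carry `noatsecure`, which looks like an unintended asymmetry and is worth a deliberate decision one way or the other. At minimum record the intent above the rule: `# caller keeps its environment across the transition and may debug/signal its own mono processes`. The enclosing template starts and ends outside the hunk.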
@@ -3740,8 +3742,8 @@
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-21 18:22:21.000000000 -0500
-@@ -0,0 +1,290 @@
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-22 13:24:31.000000000 -0500
+@@ -0,0 +1,330 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -3887,27 +3889,67 @@
 +##	</summary>
 +## </param>
 +#
-+template(`nsplugin_per_role_template',`
++template(`nsplugin_use',`
 +	gen_require(`
 +		type nsplugin_t;
 +		type nsplugin_config_t;
 +		type nsplugin_rw_t;
 +	')
-+	nsplugin_domtrans($2)
-+	role $3 types nsplugin_t;
++	nsplugin_domtrans($1)
 +
-+	nsplugin_config_domtrans($2)
-+	role $3 types nsplugin_config_t;
++	nsplugin_config_domtrans($1)
 +
-+	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
-+	read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
-+	can_exec($2, nsplugin_rw_t)
++	read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
++	read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
++	can_exec($1, nsplugin_rw_t)
 +
++	allow nsplugin_t $1:udp_socket { read write };
 +
-+	allow nsplugin_t $2:udp_socket { read write };
++	allow $1 nsplugin_t:process { getattr ptrace signal_perms };
++	allow $1 nsplugin_t:unix_stream_socket connectto;
++')
 +
-+	allow $2 nsplugin_t:process { signal sigkill };
-+	allow $2 nsplugin_t:unix_stream_socket connectto;
++#######################################
++## <summary>
++##	The per role template for the nsplugin module.
++## </summary>
++## <desc>
++##	<p>
++##	This template creates a derived domains which are used
++##	for nsplugin web browser.
++##	</p>
++##	<p>
++##	This template is invoked automatically for each user, and
++##	generally does not need to be invoked directly
++##	by policy writers.
++##	</p>
++## </desc>
++## <param name="userdomain_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
++## <param name="user_role">
++##	<summary>
++##	The role associated with the user domain.
++##	</summary>
++## </param>
++#
++template(`nsplugin_per_role_template',`
++	gen_require(`
++		type nsplugin_t;
++		type nsplugin_config_t;
++		type nsplugin_rw_t;
++	')
++	nsplugin_use($2)
++	role $3 types nsplugin_t;
++	role $3 types nsplugin_config_t;
 +')
 +
 +########################################
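Review bot: The documentation block directly above `template(`nsplugin_use',`` was not updated for the split: it begins outside the hunk, but its surviving tail (`## </summary>` / `## </param>`) is the old three-parameter per-role header, while `nsplugin_use` now takes a single domain argument `$1`; cut it down to one `<param name="domain">` entry with a summary such as `Domain allowed to transition to nsplugin and read/execute its content`. Since the new template creates no derived types and only takes a domain, refpolicy convention would make it `interface(`nsplugin_use',` rather than `template(`, and the `gen_require` of `nsplugin_rw_t` left in `nsplugin_per_role_template` is now unused there. Separately, `{ signal sigkill }` became `{ getattr ptrace signal_perms }`, so the calling domain can now attach to and read the memory of the plugin process it launched; a comment stating that this is deliberate would help, e.g. `# caller may debug (ptrace) and signal the plugins it started`.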
@@ -9201,7 +9243,7 @@
  # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2008-01-21 14:38:27.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2008-01-22 12:53:47.000000000 -0500
 @@ -53,6 +53,7 @@
  	gen_require(`
  		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -9231,9 +9273,12 @@
  
  	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
  	read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
-@@ -104,8 +110,7 @@
+@@ -102,10 +108,9 @@
+ 	files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
+ 
  	domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
- 	allow $2 $1_dbusd_t:process { sigkill signal };
+-	allow $2 $1_dbusd_t:process { sigkill signal };
++	allow $2 $1_dbusd_t:process { getattr ptrace signal_perms };
  
 -	# cjp: this seems very broken
 -	corecmd_bin_domtrans($1_dbusd_t, $2)
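Review bot: The new `allow $2 $1_dbusd_t:process { getattr ptrace signal_perms };` lets the user domain attach to its own session bus daemon, which brokers messages for every other domain that talks on that bus, so a process in `$2` can read or alter traffic for peers that treat the bus as a trusted intermediary. That is likely acceptable for a per-user session bus owned by the same uid, but it is a broader grant than the `{ sigkill signal }` it replaces, and a comment such as `# user may debug (ptrace) and signal its own session bus daemon` would make the intent explicit. The enclosing template's body starts and ends outside the hunk.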
@@ -20511,7 +20556,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/authlogin.te	2008-01-22 12:59:23.000000000 -0500
 @@ -59,6 +59,9 @@
  type utempter_exec_t;
  application_domain(utempter_t,utempter_exec_t)
@@ -20960,7 +21005,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.5/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/init.te	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/init.te	2008-01-22 14:45:36.000000000 -0500
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -23052,8 +23097,18 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2008-01-18 12:40:46.000000000 -0500
-@@ -9,32 +9,48 @@
++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2008-01-22 13:25:12.000000000 -0500
+@@ -6,35 +6,58 @@
+ # Declarations
+ #
+ 
++## <desc>
++## <p>
++## Transition to confined nsplugin domains from unconfined user
++## </p>
++## </desc>
++gen_tunable(allow_unconfined_nsplugin_transition,false)
++
  # usage in this module of types created by these
  # calls is not correct, however we dont currently
  # have another method to add access to these types
@@ -23106,7 +23161,7 @@
  
  libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,7 +58,10 @@
+@@ -42,7 +65,10 @@
  logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -23117,9 +23172,24 @@
  seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -51,13 +70,13 @@
+@@ -50,14 +76,28 @@
+ 
  userdom_priveleged_home_dir_manager(unconfined_t)
  
++
++optional_policy(`
++	gen_require(`
++		type nsplugin_t;
++		type nsplugin_config_t;
++	')
++	role unconfined_r types nsplugin_t;
++	role unconfined_r types nsplugin_config_t;
++	tunable_policy(`allow_unconfined_nsplugin_transition', `
++	
++		nsplugin_use(unconfined_t)
++	')
++')
++
  optional_policy(`
 -	ada_domtrans(unconfined_t)
 +	ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
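Review bot: The `role unconfined_r types nsplugin_t;` and `role unconfined_r types nsplugin_config_t;` lines sit outside the `tunable_policy` block while `nsplugin_use(unconfined_t)` sits inside it, with nothing explaining the split; presumably this is because role statements are not accepted inside a conditional block, and a one-line comment above them, `# role statements cannot be conditional; the transition itself is gated by the boolean`, would stop a later reader from moving them in. The line right after the `tunable_policy(` opener is whitespace only (a lone tab) and the extra blank line before `optional_policy(` is unneeded. With the boolean left at its default of `false`, plugins started from `unconfined_t` keep running unconfined; the tunable's `<desc>` text could say so explicitly so administrators know the default is the permissive one.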
@@ -23133,7 +23203,7 @@
  	unconfined_domain(httpd_unconfined_script_t)
  ')
  
-@@ -69,11 +88,11 @@
+@@ -69,11 +109,11 @@
  	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
@@ -23150,7 +23220,7 @@
  
  optional_policy(`
  	init_dbus_chat_script(unconfined_t)
-@@ -107,6 +126,10 @@
+@@ -107,6 +147,10 @@
  	optional_policy(`
  		oddjob_dbus_chat(unconfined_t)
  	')
@@ -23161,7 +23231,7 @@
  ')
  
  optional_policy(`
-@@ -118,11 +141,7 @@
+@@ -118,11 +162,7 @@
  ')
  
  optional_policy(`
@@ -23174,7 +23244,7 @@
  ')
  
  optional_policy(`
-@@ -134,14 +153,6 @@
+@@ -134,14 +174,6 @@
  ')
  
  optional_policy(`
@@ -23189,7 +23259,7 @@
  	oddjob_domtrans_mkhomedir(unconfined_t)
  ')
  
-@@ -154,38 +165,27 @@
+@@ -154,38 +186,27 @@
  ')
  
  optional_policy(`
@@ -23234,16 +23304,15 @@
  ')
  
  optional_policy(`
-@@ -205,11 +205,30 @@
+@@ -205,11 +226,30 @@
  ')
  
  optional_policy(`
 -	wine_domtrans(unconfined_t)
 +	wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- ')
- 
- optional_policy(`
--	xserver_domtrans_xdm_xserver(unconfined_t)
++')
++
++optional_policy(`
 +	java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +')
 +
@@ -23255,9 +23324,10 @@
 +	mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
 +	unconfined_domain(unconfined_mozilla_t)
 +	allow unconfined_mozilla_t self:process { execstack execmem };
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	xserver_domtrans_xdm_xserver(unconfined_t)
 +	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
 +')
 +
@@ -23267,7 +23337,7 @@
  ')
  
  ########################################
-@@ -219,14 +238,34 @@
+@@ -219,14 +259,34 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -23287,7 +23357,7 @@
 -	')
 +optional_policy(`
 +	avahi_dbus_chat(unconfined_execmem_t)
-+')
+ ')
 +
 +optional_policy(`
 +	hal_dbus_chat(unconfined_execmem_t)
@@ -23295,7 +23365,7 @@
 +
 +optional_policy(`
 +	xserver_xdm_rw_shm(unconfined_execmem_t)
- ')
++')
 +
 +########################################
 +#
@@ -23322,8 +23392,8 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-21 17:18:31.000000000 -0500
-@@ -29,8 +29,9 @@
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-22 14:46:10.000000000 -0500
+@@ -29,9 +29,14 @@
  	')
  
  	attribute $1_file_type;
@@ -23332,9 +23402,14 @@
 -	type $1_t, userdomain;
 +	type $1_t, userdomain, $1_usertype;
  	domain_type($1_t)
++	ifdef(`targeted_policy',`
++		# ignore user componant labeling on homedir entry
++		domain_obj_id_change_exemption($1_t)
++	')
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
-@@ -45,66 +46,71 @@
+ 	domain_user_exemption_target($1_t)
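Review bot: `domain_obj_id_change_exemption($1_t)` (if it is the usual refpolicy interface) exempts every user domain built by this template, under `targeted_policy`, from the constraint that keeps the SELinux user of created or relabeled objects equal to the creator's, which is a deliberate weakening of the identity constraints explained only by the terse, misspelled comment `# ignore user componant labeling on homedir entry`. Replace it with a comment that records both the rationale and the real scope, e.g. `# targeted policy: object SELinux-user identity is not relied on, so exempt user domains from the user-identity change constraint (applies to every object the domain labels, not only the home dir entry)`, and fix `componant` to `component`. If the exemption really is wanted only for the home directory entry, the attribute-based interface is wider than that and a narrower rule should be considered. The enclosing template starts before the hunk and its body continues after it.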
+@@ -45,66 +50,71 @@
  	type $1_tty_device_t; 
  	term_user_tty($1_t,$1_tty_device_t)
  
@@ -23434,9 +23509,6 @@
 -	libs_use_ld_so($1_t)
 -	libs_use_shared_libs($1_t)
 -	libs_exec_ld_so($1_t)
--
--	miscfiles_read_localization($1_t)
--	miscfiles_read_certs($1_t)
 +	files_dontaudit_getattr_all_dirs($1_usertype)
 +	files_dontaudit_list_non_security($1_usertype)
 +	files_dontaudit_getattr_non_security_files($1_usertype)
@@ -23453,13 +23525,16 @@
 +	libs_use_shared_libs($1_usertype)
 +	libs_exec_ld_so($1_usertype)
  
+-	miscfiles_read_localization($1_t)
+-	miscfiles_read_certs($1_t)
+-
 -	sysnet_read_config($1_t)
 +	miscfiles_read_localization($1_usertype)
 +	miscfiles_read_certs($1_usertype)
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -115,6 +121,10 @@
+@@ -115,6 +125,10 @@
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
@@ -23470,7 +23545,7 @@
  ')
  
  #######################################
-@@ -141,33 +151,13 @@
+@@ -141,33 +155,13 @@
  #
  template(`userdom_ro_home_template',`
  	gen_require(`
@@ -23509,7 +23584,7 @@
  
  	##############################
  	#
-@@ -175,13 +165,13 @@
+@@ -175,13 +169,13 @@
  	#
  
  	# read-only home directory
@@ -23530,7 +23605,7 @@
  	files_list_home($1_t)
  
  	tunable_policy(`use_nfs_home_dirs',`
-@@ -231,30 +221,14 @@
+@@ -231,30 +225,14 @@
  #
  template(`userdom_manage_home_template',`
  	gen_require(`
@@ -23567,7 +23642,7 @@
  
  	##############################
  	#
-@@ -262,43 +236,44 @@
+@@ -262,43 +240,44 @@
  	#
  
  	# full control of the home directory
@@ -23640,7 +23715,7 @@
  	')
  ')
  
-@@ -316,14 +291,20 @@
+@@ -316,14 +295,20 @@
  ## <rolebase/>
  #
  template(`userdom_exec_home_template',`
@@ -23666,7 +23741,7 @@
  	')
  ')
  
-@@ -341,11 +322,10 @@
+@@ -341,11 +326,10 @@
  ## <rolebase/>
  #
  template(`userdom_poly_home_template',`
@@ -23682,7 +23757,7 @@
  ')
  
  #######################################
-@@ -369,18 +349,18 @@
+@@ -369,18 +353,18 @@
  #
  template(`userdom_manage_tmp_template',`
  	gen_require(`
@@ -23711,7 +23786,7 @@
  ')
  
  #######################################
-@@ -396,7 +376,13 @@
+@@ -396,7 +380,13 @@
  ## <rolebase/>
  #
  template(`userdom_exec_tmp_template',`
@@ -23726,7 +23801,7 @@
  ')
  
  #######################################
-@@ -510,10 +496,6 @@
+@@ -510,10 +500,6 @@
  ## <rolebase/>
  #
  template(`userdom_exec_generic_pgms_template',`
@@ -23737,7 +23812,7 @@
  	corecmd_exec_bin($1_t)
  ')
  
-@@ -531,9 +513,6 @@
+@@ -531,9 +517,6 @@
  ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
@@ -23747,7 +23822,7 @@
  
  	allow $1_t self:tcp_socket create_stream_socket_perms;
  	allow $1_t self:udp_socket create_socket_perms;
-@@ -548,10 +527,6 @@
+@@ -548,10 +531,6 @@
  	corenet_udp_sendrecv_all_ports($1_t)
  	corenet_tcp_connect_all_ports($1_t)
  	corenet_sendrecv_all_client_packets($1_t)
@@ -23758,7 +23833,7 @@
  ')
  
  #######################################
-@@ -568,30 +543,29 @@
+@@ -568,30 +547,29 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -23805,7 +23880,7 @@
  ')
  
  #######################################
-@@ -717,6 +691,12 @@
+@@ -717,6 +695,12 @@
  	# Stat lost+found.
  	files_getattr_lost_found_dirs($1_t)
  
@@ -23818,7 +23893,7 @@
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
  	selinux_validate_context($1_t)
-@@ -728,11 +708,11 @@
+@@ -728,11 +712,11 @@
  	# for eject
  	storage_getattr_fixed_disk_dev($1_t)
  
@@ -23831,7 +23906,7 @@
  
  	init_read_utmp($1_t)
  
-@@ -758,10 +738,6 @@
+@@ -758,10 +742,6 @@
  		dev_read_mouse($1_t)
  	')
  
@@ -23842,7 +23917,7 @@
  	optional_policy(`
  		alsa_read_rw_config($1_t)
  	')
-@@ -783,20 +759,20 @@
+@@ -783,20 +763,20 @@
  		')
  
  		optional_policy(`
@@ -23868,7 +23943,7 @@
  		')
  	')
  
-@@ -824,11 +800,18 @@
+@@ -824,11 +804,18 @@
  		mta_rw_spool($1_t)
  	')
  
@@ -23891,7 +23966,7 @@
  	')
  
  	optional_policy(`
-@@ -842,13 +825,6 @@
+@@ -842,13 +829,6 @@
  	')
  
  	optional_policy(`
@@ -23905,7 +23980,7 @@
  		resmgr_stream_connect($1_t)
  	')
  
-@@ -889,6 +865,8 @@
+@@ -889,6 +869,8 @@
  ## </param>
  #
  template(`userdom_login_user_template', `
@@ -23914,7 +23989,7 @@
  	userdom_base_user_template($1)
  
  	userdom_manage_home_template($1)
-@@ -917,26 +895,26 @@
+@@ -917,26 +899,26 @@
  
  	allow $1_t self:context contains;
  
@@ -23955,7 +24030,7 @@
  
  	auth_dontaudit_write_login_records($1_t)
  
-@@ -944,43 +922,43 @@
+@@ -944,43 +926,43 @@
  
  	# The library functions always try to open read-write first,
  	# then fall back to read-only if it fails. 
@@ -24017,7 +24092,7 @@
  	')
  ')
  
-@@ -1014,9 +992,6 @@
+@@ -1014,9 +996,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -24027,7 +24102,7 @@
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1025,16 +1000,32 @@
+@@ -1025,16 +1004,32 @@
  	#
  
  	# privileged home directory writers
@@ -24066,7 +24141,7 @@
  ')
  
  #######################################
-@@ -1062,6 +1053,13 @@
+@@ -1062,6 +1057,13 @@
  
  	userdom_restricted_user_template($1)
  
@@ -24080,7 +24155,7 @@
  	userdom_xwindows_client_template($1)
  
  	##############################
-@@ -1070,14 +1068,14 @@
+@@ -1070,14 +1072,14 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -24100,7 +24175,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1085,33 +1083,14 @@
+@@ -1085,33 +1087,14 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -24122,14 +24197,14 @@
 -
 -	optional_policy(`
 -		java_per_role_template($1, $1_t, $1_r)
+-	')
+-
+-	optional_policy(`
+-		mono_per_role_template($1, $1_t, $1_r)
 +		alsa_read_rw_config($1_usertype)
  	')
  
 -	optional_policy(`
--		mono_per_role_template($1, $1_t, $1_r)
--	')
--
--	optional_policy(`
 -		setroubleshoot_dontaudit_stream_connect($1_t)
 -	')
 +	# Broken Cover up bugzilla #345921 Should be removed when this is fixed
@@ -24140,7 +24215,7 @@
  ')
  
  #######################################
-@@ -1121,10 +1100,10 @@
+@@ -1121,10 +1104,10 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -24155,7 +24230,7 @@
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1187,22 +1166,17 @@
+@@ -1187,22 +1170,17 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -24180,7 +24255,7 @@
  ')
  
  #######################################
-@@ -1278,8 +1252,6 @@
+@@ -1278,8 +1256,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -24189,7 +24264,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1416,6 +1388,7 @@
+@@ -1416,6 +1392,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -24197,7 +24272,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1781,10 +1754,14 @@
+@@ -1781,10 +1758,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -24213,7 +24288,7 @@
  ')
  
  ########################################
-@@ -1880,11 +1857,11 @@
+@@ -1880,11 +1861,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -24227,7 +24302,7 @@
  ')
  
  ########################################
-@@ -1914,11 +1891,11 @@
+@@ -1914,11 +1895,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -24241,7 +24316,7 @@
  ')
  
  ########################################
-@@ -1962,12 +1939,12 @@
+@@ -1962,12 +1943,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -24257,7 +24332,7 @@
  ')
  
  ########################################
-@@ -1997,10 +1974,10 @@
+@@ -1997,10 +1978,10 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -24270,7 +24345,7 @@
  ')
  
  ########################################
-@@ -2032,11 +2009,47 @@
+@@ -2032,11 +2013,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -24320,7 +24395,7 @@
  ')
  
  ########################################
-@@ -2068,10 +2081,10 @@
+@@ -2068,10 +2085,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -24333,7 +24408,7 @@
  ')
  
  ########################################
-@@ -2101,11 +2114,11 @@
+@@ -2101,11 +2118,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -24347,7 +24422,7 @@
  ')
  
  ########################################
-@@ -2135,11 +2148,11 @@
+@@ -2135,11 +2152,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -24362,7 +24437,7 @@
  ')
  
  ########################################
-@@ -2169,10 +2182,10 @@
+@@ -2169,10 +2186,10 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -24375,7 +24450,7 @@
  ')
  
  ########################################
-@@ -2202,11 +2215,11 @@
+@@ -2202,11 +2219,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -24389,7 +24464,7 @@
  ')
  
  ########################################
-@@ -2236,11 +2249,11 @@
+@@ -2236,11 +2253,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -24403,7 +24478,7 @@
  ')
  
  ########################################
-@@ -2270,10 +2283,10 @@
+@@ -2270,10 +2287,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -24416,7 +24491,7 @@
  ')
  
  ########################################
-@@ -2305,12 +2318,12 @@
+@@ -2305,12 +2322,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -24432,7 +24507,7 @@
  ')
  
  ########################################
-@@ -2342,10 +2355,10 @@
+@@ -2342,10 +2359,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -24445,7 +24520,7 @@
  ')
  
  ########################################
-@@ -2377,12 +2390,12 @@
+@@ -2377,12 +2394,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -24461,7 +24536,7 @@
  ')
  
  ########################################
-@@ -2414,12 +2427,12 @@
+@@ -2414,12 +2431,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -24477,7 +24552,7 @@
  ')
  
  ########################################
-@@ -2451,12 +2464,12 @@
+@@ -2451,12 +2468,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -24493,7 +24568,7 @@
  ')
  
  ########################################
-@@ -2501,11 +2514,11 @@
+@@ -2501,11 +2518,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -24507,7 +24582,7 @@
  ')
  
  ########################################
-@@ -2550,11 +2563,11 @@
+@@ -2550,11 +2567,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -24521,7 +24596,7 @@
  ')
  
  ########################################
-@@ -2594,11 +2607,11 @@
+@@ -2594,11 +2611,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -24535,7 +24610,7 @@
  ')
  
  ########################################
-@@ -2628,11 +2641,11 @@
+@@ -2628,11 +2645,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -24549,7 +24624,7 @@
  ')
  
  ########################################
-@@ -2662,11 +2675,11 @@
+@@ -2662,11 +2679,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -24563,7 +24638,7 @@
  ')
  
  ########################################
-@@ -2698,10 +2711,10 @@
+@@ -2698,10 +2715,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -24576,7 +24651,7 @@
  ')
  
  ########################################
-@@ -2733,10 +2746,10 @@
+@@ -2733,10 +2750,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -24589,7 +24664,7 @@
  ')
  
  ########################################
-@@ -2766,12 +2779,12 @@
+@@ -2766,12 +2783,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -24605,7 +24680,7 @@
  ')
  
  ########################################
-@@ -2803,10 +2816,10 @@
+@@ -2803,10 +2820,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -24618,7 +24693,7 @@
  ')
  
  ########################################
-@@ -2838,10 +2851,48 @@
+@@ -2838,10 +2855,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -24669,7 +24744,7 @@
  ')
  
  ########################################
-@@ -2871,12 +2922,12 @@
+@@ -2871,12 +2926,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -24685,7 +24760,7 @@
  ')
  
  ########################################
-@@ -2908,10 +2959,10 @@
+@@ -2908,10 +2963,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -24698,7 +24773,7 @@
  ')
  
  ########################################
-@@ -2943,12 +2994,12 @@
+@@ -2943,12 +2998,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -24714,7 +24789,7 @@
  ')
  
  ########################################
-@@ -2980,11 +3031,11 @@
+@@ -2980,11 +3035,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -24728,7 +24803,7 @@
  ')
  
  ########################################
-@@ -3016,11 +3067,11 @@
+@@ -3016,11 +3071,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -24742,7 +24817,7 @@
  ')
  
  ########################################
-@@ -3052,11 +3103,11 @@
+@@ -3052,11 +3107,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -24756,7 +24831,7 @@
  ')
  
  ########################################
-@@ -3088,11 +3139,11 @@
+@@ -3088,11 +3143,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -24770,7 +24845,7 @@
  ')
  
  ########################################
-@@ -3124,11 +3175,11 @@
+@@ -3124,11 +3179,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -24784,7 +24859,7 @@
  ')
  
  ########################################
-@@ -3173,10 +3224,10 @@
+@@ -3173,10 +3228,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -24797,7 +24872,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3217,10 +3268,10 @@
+@@ -3217,10 +3272,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -24810,7 +24885,7 @@
  ')
  
  ########################################
-@@ -3248,6 +3299,42 @@
+@@ -3248,6 +3303,42 @@
  ##	</summary>
  ## </param>
  #
@@ -24853,7 +24928,7 @@
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -4225,11 +4312,11 @@
+@@ -4225,11 +4316,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -24867,7 +24942,7 @@
  ')
  
  ########################################
-@@ -4245,10 +4332,10 @@
+@@ -4245,10 +4336,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -24880,7 +24955,7 @@
  ')
  
  ########################################
-@@ -4264,11 +4351,11 @@
+@@ -4264,11 +4355,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -24894,7 +24969,7 @@
  ')
  
  ########################################
-@@ -4283,16 +4370,16 @@
+@@ -4283,16 +4374,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -24914,7 +24989,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4301,12 +4388,27 @@
+@@ -4301,12 +4392,27 @@
  ##	</summary>
  ## </param>
  #
@@ -24945,7 +25020,7 @@
  ')
  
  ########################################
-@@ -4321,13 +4423,13 @@
+@@ -4321,13 +4427,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -24963,7 +25038,7 @@
  ')
  
  ########################################
-@@ -4525,10 +4627,10 @@
+@@ -4525,10 +4631,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -24976,7 +25051,7 @@
  ')
  
  ########################################
-@@ -4545,10 +4647,10 @@
+@@ -4545,10 +4651,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -24989,7 +25064,7 @@
  ')
  
  ########################################
-@@ -4563,10 +4665,10 @@
+@@ -4563,10 +4669,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -25002,7 +25077,7 @@
  ')
  
  ########################################
-@@ -4582,10 +4684,10 @@
+@@ -4582,10 +4688,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -25015,7 +25090,7 @@
  ')
  
  ########################################
-@@ -4600,10 +4702,10 @@
+@@ -4600,10 +4706,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -25028,7 +25103,7 @@
  ')
  
  ########################################
-@@ -4619,10 +4721,10 @@
+@@ -4619,10 +4725,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -25041,7 +25116,7 @@
  ')
  
  ########################################
-@@ -4638,12 +4740,11 @@
+@@ -4638,12 +4744,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -25057,7 +25132,7 @@
  ')
  
  ########################################
-@@ -4670,10 +4771,10 @@
+@@ -4670,10 +4775,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -25070,7 +25145,7 @@
  ')
  
  ########################################
-@@ -4688,10 +4789,10 @@
+@@ -4688,10 +4793,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -25083,7 +25158,7 @@
  ')
  
  ########################################
-@@ -4706,13 +4807,13 @@
+@@ -4706,13 +4811,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -25101,7 +25176,7 @@
  ')
  
  ########################################
-@@ -4748,11 +4849,49 @@
+@@ -4748,11 +4853,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -25152,7 +25227,7 @@
  ')
  
  ########################################
-@@ -4772,6 +4911,14 @@
+@@ -4772,6 +4915,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -25167,7 +25242,7 @@
  ')
  
  ########################################
-@@ -5109,7 +5256,7 @@
+@@ -5109,7 +5260,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -25176,7 +25251,7 @@
  	')
  
  	files_search_home($1)
-@@ -5298,6 +5445,49 @@
+@@ -5298,6 +5449,49 @@
  
  ########################################
  ## <summary>
@@ -25226,7 +25301,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5503,6 +5693,42 @@
+@@ -5503,6 +5697,42 @@
  
  ########################################
  ## <summary>
@@ -25269,7 +25344,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5668,6 +5894,42 @@
+@@ -5668,6 +5898,42 @@
  
  ########################################
  ## <summary>
@@ -25312,7 +25387,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5698,3 +5960,277 @@
+@@ -5698,3 +5964,277 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.588
retrieving revision 1.589
diff -u -r1.588 -r1.589
--- selinux-policy.spec	22 Jan 2008 17:35:34 -0000	1.588
+++ selinux-policy.spec	22 Jan 2008 19:46:50 -0000	1.589
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,10 @@
 %endif
 
 %changelog
+* Mon Jan 21 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-17
+- Allow ptrace or user processes by users of same type
+- Add boolean for transition to nsplugin
+
 * Mon Jan 21 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-16
 - Allow nsplugin sys_nice, getsched, setsched
 



