rpms/selinux-policy/devel policy-20071130.patch, 1.39, 1.40 selinux-policy.spec, 1.589, 1.590

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Jan 23 18:24:17 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23151

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Wed Jan 23 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-18
- Allow pam_selinux_permit to kill all processes


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- policy-20071130.patch	22 Jan 2008 19:46:50 -0000	1.39
+++ policy-20071130.patch	23 Jan 2008 18:24:11 -0000	1.40
@@ -3742,8 +3742,8 @@
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-22 13:24:31.000000000 -0500
-@@ -0,0 +1,330 @@
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-23 11:19:15.000000000 -0500
+@@ -0,0 +1,332 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -3895,18 +3895,20 @@
 +		type nsplugin_config_t;
 +		type nsplugin_rw_t;
 +	')
-+	nsplugin_domtrans($1)
++	nsplugin_domtrans($2)
 +
-+	nsplugin_config_domtrans($1)
++	nsplugin_config_domtrans($2)
 +
-+	read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+	read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+	can_exec($1, nsplugin_rw_t)
++	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
++	read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
++	can_exec($2, nsplugin_rw_t)
 +
-+	allow nsplugin_t $1:udp_socket { read write };
++	allow nsplugin_t $2:udp_socket { read write };
++	allow nsplugin_t $2:tcp_socket { read write };
 +
-+	allow $1 nsplugin_t:process { getattr ptrace signal_perms };
-+	allow $1 nsplugin_t:unix_stream_socket connectto;
++	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
++	allow $2 nsplugin_t:unix_stream_socket connectto;
++	userdom_use_user_terminals($1, $2)
 +')
 +
 +#######################################
@@ -3947,7 +3949,7 @@
 +		type nsplugin_config_t;
 +		type nsplugin_rw_t;
 +	')
-+	nsplugin_use($2)
++	nsplugin_use($1, $2)
 +	role $3 types nsplugin_t;
 +	role $3 types nsplugin_config_t;
 +')
@@ -4076,8 +4078,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-21 18:20:27.000000000 -0500
-@@ -0,0 +1,100 @@
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-23 11:16:36.000000000 -0500
+@@ -0,0 +1,105 @@
 +policy_module(nsplugin,1.0.0)
 +
 +########################################
@@ -4120,6 +4122,7 @@
 +files_read_etc_files(nsplugin_t)
 +
 +fs_list_inotifyfs(nsplugin_t)
++fs_rw_tmpfs_files(nsplugin_t)
 +
 +auth_use_nsswitch(nsplugin_t)
 +
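Review bot: `fs_rw_tmpfs_files(nsplugin_t)` at L93 grants read/write on every file labelled with the generic tmpfs type, not only the user's own tmpfs content, and nothing in the hunk says what needs it. If the requirement is the shared-memory or X segments the plugin inherits from the user session, the per-user `userdom_rw_user_tmpfs_files` template this same patch touches (L810) is the narrower fit and could be called from `nsplugin_use` now that it receives the user prefix; otherwise record the reason inline, e.g. `# rw generic tmpfs files: needed for <reason> — TODO confirm`. The enclosing nsplugin_t block starts outside the hunk.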
@@ -4151,6 +4154,8 @@
 +## internal communication is often done using fifo and unix sockets.
 +allow nsplugin_config_t self:capability { sys_nice setuid setgid };
 +allow nsplugin_config_t self:process { setsched getsched };
++allow nsplugin_t self:sem rw_sem_perms;
++allow nsplugin_t self:shm rw_shm_perms;
 +
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
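Review bot: The two new rules at L101–L102 are for `nsplugin_t` but sit inside the `nsplugin_config_t` local-policy block (the surrounding lines L99–L100 and L104–L105 all target `nsplugin_config_t`), so a reader of nsplugin.te will look for the plugin's IPC permissions in the wrong section. Move `allow nsplugin_t self:sem rw_sem_perms;` and `allow nsplugin_t self:shm rw_shm_perms;` up to the `nsplugin_t` local policy that the hunk at L89 edits, next to its other `self:` rules, and give them a short why-comment in the style of the `# internal communication ...` note at L98.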
@@ -4174,10 +4179,12 @@
 +libs_use_shared_libs(nsplugin_config_t)
 +
 +miscfiles_read_localization(nsplugin_config_t)
++miscfiles_read_fonts(nsplugin_config_t)
 +
 +userdom_dontaudit_search_all_users_home_content(nsplugin_config_t)
 +
 +nsplugin_domtrans(nsplugin_config_t)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2007-10-12 08:56:02.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/apps/screen.fc	2008-01-18 12:40:46.000000000 -0500
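Review bot: L115 appends an empty line after `nsplugin_domtrans(nsplugin_config_t)`, so the patched nsplugin.te now ends with a trailing blank line that adds nothing; drop that `+` line and reduce the count in the header at L85 from 105 to 104. `miscfiles_read_fonts(nsplugin_config_t)` at L110 follows the file's existing undocumented style for miscfiles calls, so no further change is needed there.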
@@ -20403,7 +20410,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if	2008-01-21 14:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/authlogin.if	2008-01-23 09:15:22.000000000 -0500
 @@ -99,7 +99,7 @@
  template(`authlogin_per_role_template',`
  
@@ -20421,10 +20428,14 @@
  	')
  
  	domain_type($1)
-@@ -177,12 +178,23 @@
+@@ -177,12 +178,27 @@
  	domain_obj_id_change_exemption($1)
  	role system_r types $1;
  
++	# Needed for pam_selinux_permit to cleanup properly
++	domain_read_all_domains_state($1)
++	domain_kill_all_domains($1)
++
 +	# pam_keyring
 +	allow $1 self:capability ipc_lock;
 +	allow $1 self:process setkeycreate;
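Review bot: `domain_kill_all_domains($1)` and `domain_read_all_domains_state($1)` at L138–L139 land in an interface whose header is above the hunk and whose `$1` is a generic login-program domain, so every caller of that interface gains the ability to send kill signals to, and read the process state of, every domain on the system — not only the processes of the user whose session pam_selinux_permit is closing. The comment at L137 says who needs it but not how broad the grant is; make that explicit, e.g. `# pam_selinux_permit kills the user's remaining processes at session close; granted for all domains — TODO narrow if a per-user scope is available`, so the next reviewer does not mistake this for a per-session rule. I cannot see the interface's callers from here, so the breadth is inferred from the generic `$1`; if only a few login domains load that module, consider granting this from those modules instead.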
@@ -20445,7 +20456,7 @@
  	# for SSP/ProPolice
  	dev_read_urand($1)
  	# for fingerprint readers
-@@ -221,11 +233,35 @@
+@@ -221,11 +237,35 @@
  
  	logging_send_audit_msgs($1)
  	logging_send_syslog_msg($1)
@@ -20482,7 +20493,7 @@
  	tunable_policy(`allow_polyinstantiation',`
  		files_polyinstantiate_all($1)
  	')
-@@ -342,6 +378,8 @@
+@@ -342,6 +382,8 @@
  
  	optional_policy(`
  		kerberos_use($1)
@@ -20491,7 +20502,7 @@
  	')
  
  	optional_policy(`
-@@ -356,6 +394,7 @@
+@@ -356,6 +398,7 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -20499,7 +20510,7 @@
  ')
  
  ########################################
-@@ -369,12 +408,12 @@
+@@ -369,12 +412,12 @@
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -20514,7 +20525,7 @@
  ##	</summary>
  ## </param>
  #
-@@ -386,6 +425,7 @@
+@@ -386,6 +429,7 @@
  	auth_domtrans_chk_passwd($1)
  	role $2 types system_chkpwd_t;
  	allow system_chkpwd_t $3:chr_file rw_file_perms;
@@ -20522,7 +20533,7 @@
  ')
  
  ########################################
-@@ -1457,6 +1497,7 @@
+@@ -1457,6 +1501,7 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  		samba_read_var_files($1)
@@ -20530,7 +20541,7 @@
  	')
  ')
  
-@@ -1491,3 +1532,23 @@
+@@ -1491,3 +1536,23 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -23097,8 +23108,8 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2008-01-22 13:25:12.000000000 -0500
-@@ -6,35 +6,58 @@
++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2008-01-23 13:13:29.000000000 -0500
+@@ -6,35 +6,59 @@
  # Declarations
  #
  
@@ -23116,7 +23127,8 @@
 -userdom_manage_home_template(unconfined)
 -userdom_manage_tmp_template(unconfined)
 -userdom_manage_tmpfs_template(unconfined)
-+userdom_unpriv_user_template(unconfined)
++userdom_restricted_user_template(unconfined)
++userdom_common_user_template(unconfined)
 +userdom_xwindows_client_template(unconfined)
  
  type unconfined_exec_t;
@@ -23161,7 +23173,7 @@
  
  libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,7 +65,10 @@
+@@ -42,7 +66,10 @@
  logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -23172,12 +23184,11 @@
  seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -50,14 +76,28 @@
- 
+@@ -51,13 +78,25 @@
  userdom_priveleged_home_dir_manager(unconfined_t)
  
-+
-+optional_policy(`
+ optional_policy(`
+-	ada_domtrans(unconfined_t)
 +	gen_require(`
 +		type nsplugin_t;
 +		type nsplugin_config_t;
@@ -23185,13 +23196,11 @@
 +	role unconfined_r types nsplugin_t;
 +	role unconfined_r types nsplugin_config_t;
 +	tunable_policy(`allow_unconfined_nsplugin_transition', `
-+	
-+		nsplugin_use(unconfined_t)
++		nsplugin_use(unconfined, unconfined_t)
 +	')
 +')
 +
- optional_policy(`
--	ada_domtrans(unconfined_t)
++optional_policy(`
 +	ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
@@ -23203,7 +23212,7 @@
  	unconfined_domain(httpd_unconfined_script_t)
  ')
  
-@@ -69,11 +109,11 @@
+@@ -69,11 +108,11 @@
  	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
@@ -23220,7 +23229,7 @@
  
  optional_policy(`
  	init_dbus_chat_script(unconfined_t)
-@@ -107,6 +147,10 @@
+@@ -107,6 +146,10 @@
  	optional_policy(`
  		oddjob_dbus_chat(unconfined_t)
  	')
@@ -23231,7 +23240,7 @@
  ')
  
  optional_policy(`
-@@ -118,11 +162,7 @@
+@@ -118,11 +161,7 @@
  ')
  
  optional_policy(`
@@ -23244,7 +23253,7 @@
  ')
  
  optional_policy(`
-@@ -134,14 +174,6 @@
+@@ -134,14 +173,6 @@
  ')
  
  optional_policy(`
@@ -23259,7 +23268,7 @@
  	oddjob_domtrans_mkhomedir(unconfined_t)
  ')
  
-@@ -154,38 +186,27 @@
+@@ -154,38 +185,27 @@
  ')
  
  optional_policy(`
@@ -23304,7 +23313,7 @@
  ')
  
  optional_policy(`
-@@ -205,11 +226,30 @@
+@@ -205,11 +225,30 @@
  ')
  
  optional_policy(`
@@ -23337,7 +23346,7 @@
  ')
  
  ########################################
-@@ -219,14 +259,34 @@
+@@ -219,14 +258,34 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -23392,7 +23401,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-22 14:46:10.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-23 13:14:20.000000000 -0500
 @@ -29,9 +29,14 @@
  	')
  
@@ -24102,7 +24111,7 @@
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1025,16 +1004,32 @@
+@@ -1025,16 +1004,29 @@
  	#
  
  	# privileged home directory writers
@@ -24135,13 +24144,10 @@
  		loadkeys_run($1_t,$1_r,$1_tty_device_t)
  	')
 +
-+	optional_policy(`
-+		nsplugin_per_role_template($1, $1_usertype, $1_r)
-+	')
  ')
  
  #######################################
-@@ -1062,6 +1057,13 @@
+@@ -1062,6 +1054,13 @@
  
  	userdom_restricted_user_template($1)
  
@@ -24155,7 +24161,7 @@
  	userdom_xwindows_client_template($1)
  
  	##############################
-@@ -1070,14 +1072,14 @@
+@@ -1070,14 +1069,14 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -24175,7 +24181,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1085,33 +1087,14 @@
+@@ -1085,32 +1084,17 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -24197,25 +24203,25 @@
 -
 -	optional_policy(`
 -		java_per_role_template($1, $1_t, $1_r)
--	')
--
--	optional_policy(`
--		mono_per_role_template($1, $1_t, $1_r)
 +		alsa_read_rw_config($1_usertype)
  	')
  
 -	optional_policy(`
--		setroubleshoot_dontaudit_stream_connect($1_t)
+-		mono_per_role_template($1, $1_t, $1_r)
 -	')
 +	# Broken Cover up bugzilla #345921 Should be removed when this is fixed
 +	corenet_tcp_connect_soundd_port($1_t)
 +	corenet_tcp_sendrecv_soundd_port($1_t)
 +	corenet_tcp_sendrecv_all_if($1_t)
 +	corenet_tcp_sendrecv_lo_node($1_t)
+ 
+ 	optional_policy(`
+-		setroubleshoot_dontaudit_stream_connect($1_t)
++		nsplugin_per_role_template($1, $1_usertype, $1_r)
+ 	')
  ')
  
- #######################################
-@@ -1121,10 +1104,10 @@
+@@ -1121,10 +1105,10 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -24230,7 +24236,7 @@
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1187,22 +1170,17 @@
+@@ -1187,12 +1171,11 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -24245,17 +24251,16 @@
  	')
  
  	# Run pppd in pppd_t by default for user
- 	optional_policy(`
- 		ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+@@ -1201,7 +1184,7 @@
  	')
--
--	optional_policy(`
+ 
+ 	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
--	')
++		nsplugin_per_role_template($1, $1_usertype, $1_r)
+ 	')
  ')
  
- #######################################
-@@ -1278,8 +1256,6 @@
+@@ -1278,8 +1261,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -24264,7 +24269,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1416,6 +1392,7 @@
+@@ -1416,6 +1397,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -24272,7 +24277,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1781,10 +1758,14 @@
+@@ -1781,10 +1763,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -24288,7 +24293,7 @@
  ')
  
  ########################################
-@@ -1880,11 +1861,11 @@
+@@ -1880,11 +1866,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -24302,7 +24307,7 @@
  ')
  
  ########################################
-@@ -1914,11 +1895,11 @@
+@@ -1914,11 +1900,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -24316,7 +24321,7 @@
  ')
  
  ########################################
-@@ -1962,12 +1943,12 @@
+@@ -1962,12 +1948,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -24332,7 +24337,7 @@
  ')
  
  ########################################
-@@ -1997,10 +1978,10 @@
+@@ -1997,10 +1983,10 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -24345,7 +24350,7 @@
  ')
  
  ########################################
-@@ -2032,11 +2013,47 @@
+@@ -2032,11 +2018,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -24395,7 +24400,7 @@
  ')
  
  ########################################
-@@ -2068,10 +2085,10 @@
+@@ -2068,10 +2090,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -24408,7 +24413,7 @@
  ')
  
  ########################################
-@@ -2101,11 +2118,11 @@
+@@ -2101,11 +2123,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -24422,7 +24427,7 @@
  ')
  
  ########################################
-@@ -2135,11 +2152,11 @@
+@@ -2135,11 +2157,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -24437,7 +24442,7 @@
  ')
  
  ########################################
-@@ -2169,10 +2186,10 @@
+@@ -2169,10 +2191,10 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -24450,7 +24455,7 @@
  ')
  
  ########################################
-@@ -2202,11 +2219,11 @@
+@@ -2202,11 +2224,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -24464,7 +24469,7 @@
  ')
  
  ########################################
-@@ -2236,11 +2253,11 @@
+@@ -2236,11 +2258,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -24478,7 +24483,7 @@
  ')
  
  ########################################
-@@ -2270,10 +2287,10 @@
+@@ -2270,10 +2292,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -24491,7 +24496,7 @@
  ')
  
  ########################################
-@@ -2305,12 +2322,12 @@
+@@ -2305,12 +2327,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -24507,7 +24512,7 @@
  ')
  
  ########################################
-@@ -2342,10 +2359,10 @@
+@@ -2342,10 +2364,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -24520,7 +24525,7 @@
  ')
  
  ########################################
-@@ -2377,12 +2394,12 @@
+@@ -2377,12 +2399,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -24536,7 +24541,7 @@
  ')
  
  ########################################
-@@ -2414,12 +2431,12 @@
+@@ -2414,12 +2436,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -24552,7 +24557,7 @@
  ')
  
  ########################################
-@@ -2451,12 +2468,12 @@
+@@ -2451,12 +2473,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -24568,7 +24573,7 @@
  ')
  
  ########################################
-@@ -2501,11 +2518,11 @@
+@@ -2501,11 +2523,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -24582,7 +24587,7 @@
  ')
  
  ########################################
-@@ -2550,11 +2567,11 @@
+@@ -2550,11 +2572,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -24596,7 +24601,7 @@
  ')
  
  ########################################
-@@ -2594,11 +2611,11 @@
+@@ -2594,11 +2616,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -24610,7 +24615,7 @@
  ')
  
  ########################################
-@@ -2628,11 +2645,11 @@
+@@ -2628,11 +2650,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -24624,7 +24629,7 @@
  ')
  
  ########################################
-@@ -2662,11 +2679,11 @@
+@@ -2662,11 +2684,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -24638,7 +24643,7 @@
  ')
  
  ########################################
-@@ -2698,10 +2715,10 @@
+@@ -2698,10 +2720,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -24651,7 +24656,7 @@
  ')
  
  ########################################
-@@ -2733,10 +2750,10 @@
+@@ -2733,10 +2755,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -24664,7 +24669,7 @@
  ')
  
  ########################################
-@@ -2766,12 +2783,12 @@
+@@ -2766,12 +2788,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -24680,7 +24685,7 @@
  ')
  
  ########################################
-@@ -2803,10 +2820,10 @@
+@@ -2803,10 +2825,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -24693,7 +24698,7 @@
  ')
  
  ########################################
-@@ -2838,10 +2855,48 @@
+@@ -2838,10 +2860,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -24744,7 +24749,7 @@
  ')
  
  ########################################
-@@ -2871,12 +2926,12 @@
+@@ -2871,12 +2931,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -24760,7 +24765,7 @@
  ')
  
  ########################################
-@@ -2908,10 +2963,10 @@
+@@ -2908,10 +2968,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -24773,7 +24778,7 @@
  ')
  
  ########################################
-@@ -2943,12 +2998,12 @@
+@@ -2943,12 +3003,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -24789,7 +24794,7 @@
  ')
  
  ########################################
-@@ -2980,11 +3035,11 @@
+@@ -2980,11 +3040,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -24803,7 +24808,7 @@
  ')
  
  ########################################
-@@ -3016,11 +3071,11 @@
+@@ -3016,11 +3076,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -24817,7 +24822,7 @@
  ')
  
  ########################################
-@@ -3052,11 +3107,11 @@
+@@ -3052,11 +3112,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -24831,7 +24836,7 @@
  ')
  
  ########################################
-@@ -3088,11 +3143,11 @@
+@@ -3088,11 +3148,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -24845,7 +24850,7 @@
  ')
  
  ########################################
-@@ -3124,11 +3179,11 @@
+@@ -3124,11 +3184,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -24859,7 +24864,7 @@
  ')
  
  ########################################
-@@ -3173,10 +3228,10 @@
+@@ -3173,10 +3233,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -24872,7 +24877,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3217,10 +3272,10 @@
+@@ -3217,10 +3277,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -24885,7 +24890,7 @@
  ')
  
  ########################################
-@@ -3248,6 +3303,42 @@
+@@ -3248,6 +3308,42 @@
  ##	</summary>
  ## </param>
  #
@@ -24928,7 +24933,7 @@
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -4225,11 +4316,11 @@
+@@ -4225,11 +4321,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -24942,7 +24947,7 @@
  ')
  
  ########################################
-@@ -4245,10 +4336,10 @@
+@@ -4245,10 +4341,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -24955,7 +24960,7 @@
  ')
  
  ########################################
-@@ -4264,11 +4355,11 @@
+@@ -4264,11 +4360,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -24969,7 +24974,7 @@
  ')
  
  ########################################
-@@ -4283,16 +4374,16 @@
+@@ -4283,16 +4379,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -24989,7 +24994,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4301,12 +4392,27 @@
+@@ -4301,17 +4397,32 @@
  ##	</summary>
  ## </param>
  #
@@ -25002,10 +25007,11 @@
  
 -	dontaudit $1 staff_home_t:file append;
 +	dontaudit $1 user_home_t:file append_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files in the staff users home directory.
 +##	Do not audit attempts to append to the staff
 +##	users home directory.
 +## </summary>
@@ -25017,10 +25023,15 @@
 +#
 +interface(`userdom_dontaudit_append_staff_home_content_files',`
 +	userdom_dontaudit_append_unpriv_home_content_files($1)
- ')
- 
- ########################################
-@@ -4321,13 +4427,13 @@
++')
++
++########################################
++## <summary>
++##	Read files in the staff users home directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4321,13 +4432,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -25038,7 +25049,7 @@
  ')
  
  ########################################
-@@ -4525,10 +4631,10 @@
+@@ -4525,10 +4636,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -25051,7 +25062,7 @@
  ')
  
  ########################################
-@@ -4545,10 +4651,10 @@
+@@ -4545,10 +4656,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -25064,7 +25075,7 @@
  ')
  
  ########################################
-@@ -4563,10 +4669,10 @@
+@@ -4563,10 +4674,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -25077,7 +25088,7 @@
  ')
  
  ########################################
-@@ -4582,10 +4688,10 @@
+@@ -4582,10 +4693,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -25090,7 +25101,7 @@
  ')
  
  ########################################
-@@ -4600,10 +4706,10 @@
+@@ -4600,10 +4711,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -25103,7 +25114,7 @@
  ')
  
  ########################################
-@@ -4619,10 +4725,10 @@
+@@ -4619,10 +4730,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -25116,7 +25127,7 @@
  ')
  
  ########################################
-@@ -4638,12 +4744,11 @@
+@@ -4638,12 +4749,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -25132,7 +25143,7 @@
  ')
  
  ########################################
-@@ -4670,10 +4775,10 @@
+@@ -4670,10 +4780,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -25145,7 +25156,7 @@
  ')
  
  ########################################
-@@ -4688,10 +4793,10 @@
+@@ -4688,10 +4798,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -25158,7 +25169,7 @@
  ')
  
  ########################################
-@@ -4706,13 +4811,13 @@
+@@ -4706,13 +4816,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -25176,7 +25187,7 @@
  ')
  
  ########################################
-@@ -4748,11 +4853,49 @@
+@@ -4748,11 +4858,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -25227,7 +25238,7 @@
  ')
  
  ########################################
-@@ -4772,6 +4915,14 @@
+@@ -4772,6 +4920,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -25242,7 +25253,7 @@
  ')
  
  ########################################
-@@ -5109,7 +5260,7 @@
+@@ -5109,7 +5265,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -25251,7 +25262,7 @@
  	')
  
  	files_search_home($1)
-@@ -5298,6 +5449,49 @@
+@@ -5298,6 +5454,49 @@
  
  ########################################
  ## <summary>
@@ -25301,7 +25312,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5503,6 +5697,42 @@
+@@ -5503,6 +5702,42 @@
  
  ########################################
  ## <summary>
@@ -25344,7 +25355,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5668,6 +5898,42 @@
+@@ -5668,6 +5903,42 @@
  
  ########################################
  ## <summary>
@@ -25387,7 +25398,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5698,3 +5964,277 @@
+@@ -5698,3 +5969,277 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.589
retrieving revision 1.590
diff -u -r1.589 -r1.590
--- selinux-policy.spec	22 Jan 2008 19:46:50 -0000	1.589
+++ selinux-policy.spec	23 Jan 2008 18:24:12 -0000	1.590
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@
 %endif
 
 %changelog
+* Wed Jan 23 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-18
+- Allow pam_selinux_permit to kill all processes
+
 * Mon Jan 21 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-17
 - Allow ptrace or user processes by users of same type
 - Add boolean for transition to nsplugin



