rpms/selinux-policy/F-8 policy-20070703.patch, 1.179, 1.180 selinux-policy.spec, 1.608, 1.609

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Jan 31 21:00:03 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23679

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Thu Jan 22 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-83
- Make oddjob_mkhomedir work with confined login domains


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.179
retrieving revision 1.180
diff -u -r1.179 -r1.180
--- policy-20070703.patch	31 Jan 2008 19:36:02 -0000	1.179
+++ policy-20070703.patch	31 Jan 2008 20:59:53 -0000	1.180
@@ -4586,7 +4586,7 @@
  type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2008-01-31 15:48:18.000000000 -0500
 @@ -45,6 +45,11 @@
  	# start with basic domain
  	domain_base_type($1)
@@ -7775,7 +7775,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cron.te	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/cron.te	2008-01-31 15:35:05.000000000 -0500
 @@ -50,6 +50,7 @@
  
  type crond_tmp_t;
@@ -11671,6 +11671,111 @@
  	logrotate_exec(ntpd_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.0.8/policy/modules/services/oddjob.fc
+--- nsaserefpolicy/policy/modules/services/oddjob.fc	2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/oddjob.fc	2008-01-31 15:24:30.000000000 -0500
+@@ -1,5 +1,5 @@
+-/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
++/usr/lib(64)?/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+ 
+ /usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
+ 
+-/var/run/oddjobd.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
++/var/run/oddjobd\.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.0.8/policy/modules/services/oddjob.if
+--- nsaserefpolicy/policy/modules/services/oddjob.if	2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/oddjob.if	2008-01-31 15:50:05.000000000 -0500
+@@ -44,6 +44,7 @@
+ 	')
+ 
+ 	domtrans_pattern(oddjob_t, $2, $1)
++	domain_user_exemption_target($1)
+ ')
+ 
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.0.8/policy/modules/services/oddjob.te
+--- nsaserefpolicy/policy/modules/services/oddjob.te	2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/oddjob.te	2008-01-31 15:59:20.000000000 -0500
+@@ -1,5 +1,5 @@
+ 
+-policy_module(oddjob,1.3.0)
++policy_module(oddjob,1.4.0)
+ 
+ ########################################
+ #
+@@ -10,14 +10,20 @@
+ type oddjob_exec_t;
+ domain_type(oddjob_t)
+ init_daemon_domain(oddjob_t, oddjob_exec_t)
++domain_obj_id_change_exemption(oddjob_t)
+ domain_subj_id_change_exemption(oddjob_t)
+ 
+ type oddjob_mkhomedir_t;
+ type oddjob_mkhomedir_exec_t;
+ domain_type(oddjob_mkhomedir_t)
+-init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
++domain_obj_id_change_exemption(oddjob_mkhomedir_t)
++init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+ oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+ 
++ifdef(`enable_mcs',`
++	init_ranged_daemon_domain(oddjob_t,oddjob_exec_t,s0 - mcs_systemhigh)
++')
++
+ # pid files
+ type oddjob_var_run_t;
+ files_pid_file(oddjob_var_run_t)
+@@ -56,7 +62,6 @@
+ 
+ optional_policy(`
+ 	dbus_system_bus_client_template(oddjob,oddjob_t)
+-	dbus_send_system_bus(oddjob_t)
+ 	dbus_connect_system_bus(oddjob_t)
+ ')
+ 
+@@ -69,20 +74,38 @@
+ # oddjob_mkhomedir local policy
+ #
+ 
++allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
++allow oddjob_mkhomedir_t self:process setfscreate;
+ allow oddjob_mkhomedir_t self:fifo_file { read write };
+ allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+ 
+ files_read_etc_files(oddjob_mkhomedir_t)
+ 
++kernel_read_system_state(oddjob_mkhomedir_t)
++
++auth_use_nsswitch(oddjob_mkhomedir_t)
++
+ libs_use_ld_so(oddjob_mkhomedir_t)
+ libs_use_shared_libs(oddjob_mkhomedir_t)
+ 
++logging_send_syslog_msg(oddjob_mkhomedir_t)
++
+ miscfiles_read_localization(oddjob_mkhomedir_t)
+ 
++selinux_get_fs_mount(oddjob_mkhomedir_t)
++selinux_validate_context(oddjob_mkhomedir_t)
++selinux_compute_access_vector(oddjob_mkhomedir_t)
++selinux_compute_create_context(oddjob_mkhomedir_t)
++selinux_compute_relabel_context(oddjob_mkhomedir_t)
++selinux_compute_user_contexts(oddjob_mkhomedir_t)
++
++seutil_read_config(oddjob_mkhomedir_t)
++seutil_read_file_contexts(oddjob_mkhomedir_t)
++seutil_read_default_contexts(oddjob_mkhomedir_t)
++
+ # Add/remove user home directories
++userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)
+ userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
+-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
+-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
+-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
+-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
++userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)
++userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.0.8/policy/modules/services/openct.te
 --- nsaserefpolicy/policy/modules/services/openct.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/openct.te	2008-01-17 09:03:07.000000000 -0500
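Review bot: The added `allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };` line in the nested oddjob.te hunk grants `dac_override` to a helper that, a few lines later, also gains `userdom_manage_all_users_home_content_dirs` and `userdom_manage_all_users_home_content_files` in place of the generic-user and staff interfaces. Together these let a domain that `oddjob_t` transitions into bypass DAC checks and manage content in every user's home, which is much wider than creating one missing home directory, so a path-handling bug in the helper would have a large blast radius. Unless an AVC denial shows it is required, I would drop `dac_override` (`allow oddjob_mkhomedir_t self:capability { chown fowner fsetid };`) and add a comment above the userdom calls naming which confined login domains need the all-users variants. `userdom_manage_unpriv_users_home_content_dirs` also looks subsumed by the all-users call, but that is inferred from the names only; the interface definitions and the rest of oddjob.te are outside this hunk.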


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.608
retrieving revision 1.609
diff -u -r1.608 -r1.609
--- selinux-policy.spec	31 Jan 2008 18:53:49 -0000	1.608
+++ selinux-policy.spec	31 Jan 2008 20:59:53 -0000	1.609
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 82%{?dist}
+Release: 83%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
 %endif
 
 %changelog
+* Thu Jan 22 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-83
+- Make oddjob_mkhomedir work with confined login domains
+
 * Thu Jan 22 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-82
 - Allow xdm to sys_ptrace
 



