rpms/selinux-policy/F-8 policy-20070703.patch, 1.215, 1.216 selinux-policy.spec, 1.637, 1.638
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Wed Jul 2 20:54:20 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13400
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Wed Jul 2 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-111
- Handle updated NetworkManager
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.215
retrieving revision 1.216
diff -u -r1.215 -r1.216
--- policy-20070703.patch 16 Jun 2008 10:29:22 -0000 1.215
+++ policy-20070703.patch 2 Jul 2008 20:53:30 -0000 1.216
@@ -1050,6 +1050,17 @@
+ hal_use_fds(alsa_t)
+ hal_write_log(alsa_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-3.0.8/policy/modules/admin/amanda.fc
+--- nsaserefpolicy/policy/modules/admin/amanda.fc 2008-06-12 23:37:55.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/amanda.fc 2008-06-22 06:34:09.000000000 -0400
+@@ -3,6 +3,7 @@
+ /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+ /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
+ /etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
++/etc/amanda/.*/index(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+
+ /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.0.8/policy/modules/admin/amanda.if
--- nsaserefpolicy/policy/modules/admin/amanda.if 2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/amanda.if 2008-06-12 23:37:59.000000000 -0400
@@ -5932,7 +5943,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-06-12 23:37:56.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-06-12 23:37:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-06-22 06:45:05.000000000 -0400
@@ -271,45 +271,6 @@
########################################
@@ -6121,6 +6132,15 @@
## Search inotifyfs filesystem.
## </summary>
## <param name="domain">
+@@ -1625,7 +1705,7 @@
+ type nfs_t;
+ ')
+
+- dontaudit $1 nfs_t:file { read write };
++ dontaudit $1 nfs_t:file rw_file_perms;
+ ')
+
+ ########################################
@@ -2139,6 +2219,7 @@
rw_files_pattern($1,nfsd_fs_t,nfsd_fs_t)
')
@@ -8102,7 +8122,7 @@
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.8/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/bind.te 2008-06-12 23:37:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/bind.te 2008-06-22 07:35:58.000000000 -0400
@@ -66,7 +66,6 @@
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:tcp_socket create_stream_socket_perms;
@@ -8120,7 +8140,15 @@
corenet_all_recvfrom_unlabeled(named_t)
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_all_if(named_t)
-@@ -119,15 +120,11 @@
+@@ -112,22 +113,18 @@
+ corenet_tcp_bind_all_nodes(named_t)
+ corenet_udp_bind_all_nodes(named_t)
+ corenet_tcp_bind_dns_port(named_t)
+-corenet_udp_bind_dns_port(named_t)
++corenet_udp_bind_all_ports(named_t)
+ corenet_tcp_bind_rndc_port(named_t)
+ corenet_tcp_connect_all_ports(named_t)
+ corenet_sendrecv_dns_server_packets(named_t)
corenet_sendrecv_dns_client_packets(named_t)
corenet_sendrecv_rndc_server_packets(named_t)
corenet_sendrecv_rndc_client_packets(named_t)
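Review bot: `corenet_udp_bind_all_ports(named_t)` replaces `corenet_udp_bind_dns_port(named_t)` and lets named bind every UDP port, privileged ones included, with no comment on the rule and no mention in the changelog, which only names NetworkManager. Presumably this is for a BIND update that picks random UDP source ports for outgoing queries, but that is inferred rather than visible in the hunk. If this refpolicy version provides `corenet_udp_bind_all_unreserved_ports`, the narrower pair `corenet_udp_bind_dns_port(named_t)` plus `corenet_udp_bind_all_unreserved_ports(named_t)` would cover random source ports without letting a compromised named squat on other services' reserved UDP ports. Either way a one-line comment such as `# named binds random UDP source ports for outgoing queries` above the call would keep the rationale next to the rule.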
@@ -8693,7 +8721,7 @@
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.8/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cron.if 2008-06-12 23:37:58.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cron.if 2008-07-02 15:53:34.000000000 -0400
@@ -35,6 +35,7 @@
#
template(`cron_per_role_template',`
@@ -8849,6 +8877,29 @@
## Read, and write cron daemon TCP sockets.
## </summary>
## <param name="domain">
+@@ -583,3 +586,22 @@
+
+ dontaudit $1 system_crond_tmp_t:file append;
+ ')
++
++########################################
++## <summary>
++## Read temporary files from the system cron jobs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cron_read_system_job_lib_files',`
++ gen_require(`
++ type system_crond_var_lib_t;
++ ')
++
++
++ read_files_pattern($1, system_crond_var_lib_t, system_crond_var_lib_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cron.te 2008-06-12 23:37:58.000000000 -0400
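Review bot: The summary of the new `cron_read_system_job_lib_files` interface says `Read temporary files from the system cron jobs`, but the body grants `read_files_pattern` on `system_crond_var_lib_t`, which this patch maps to `/var/lib/misc` in the context line just above the cron.if header, not to tmp files; the wording looks copied from the `system_crond_tmp_t` dontaudit interface immediately above it. Suggest `## Read files in the system cron jobs' /var/lib data (system_crond_var_lib_t).` There is also a doubled blank line between the `gen_require` block and the pattern call; the surrounding interfaces use a single blank line.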
@@ -12735,7 +12786,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-06-12 23:37:58.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-07-02 15:53:02.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.7.1)
@@ -12762,10 +12813,10 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
-+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched signal_perms };
++allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
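Review bot: The capability rule for NetworkManager_t regains `net_bind_service` (the previous revision of this patch had dropped it relative to the upstream line) and the process rule gains `setsched`, with nothing recording why; the only comment in this block explains ptrace. Both widen what a compromised NetworkManager can do (bind privileged ports, change its scheduling), so a line such as `# updated NetworkManager binds privileged ports and adjusts its scheduling policy` above the allow rule would keep the rationale with the rule rather than in the changelog one-liner. Which NetworkManager feature needs these is not visible in the hunk, so confirm against the AVC denials that prompted the change.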
@@ -12796,8 +12847,13 @@
mls_file_read_all_levels(NetworkManager_t)
-@@ -84,8 +97,11 @@
+@@ -82,10 +95,16 @@
+ files_read_etc_files(NetworkManager_t)
+ files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
++files_list_tmp(NetworkManager_t)
++
++storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
+init_dontaudit_write_utmp(NetworkManager_t)
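Review bot: `storage_getattr_fixed_disk_dev(NetworkManager_t)` hands a network daemon getattr on fixed-disk device nodes, which is unusual enough to deserve a comment saying what it is for. If it was added only to silence denials from a generic walk of /dev rather than a functional need, `storage_dontaudit_getattr_fixed_disk_dev(NetworkManager_t)` (if this refpolicy has it) would quiet the audit log without extending access; that is an inference from the rule alone, not something the hunk shows. The adjacent `files_list_tmp(NetworkManager_t)` would likewise benefit from a short note on what NetworkManager looks for under /tmp.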
@@ -12808,15 +12864,17 @@
libs_use_ld_so(NetworkManager_t)
libs_use_shared_libs(NetworkManager_t)
-@@ -113,6 +129,7 @@
+@@ -113,6 +132,9 @@
userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
# Read gnome-keyring
userdom_read_unpriv_users_home_content_files(NetworkManager_t)
+userdom_unpriv_users_stream_connect(NetworkManager_t)
++
++cron_read_system_job_lib_files(NetworkManager_t)
optional_policy(`
bind_domtrans(NetworkManager_t)
-@@ -129,28 +146,22 @@
+@@ -129,28 +151,22 @@
')
optional_policy(`
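Review bot: `cron_read_system_job_lib_files(NetworkManager_t)` is called unconditionally, while the neighbouring call into another module, `bind_domtrans(NetworkManager_t)`, is wrapped in `optional_policy`; if the cron module is not loaded, the interface is undefined and the networkmanager module fails to build. Wrap the call in its own `optional_policy(...)` block, matching the bind block right below it. A comment naming what NetworkManager reads under /var/lib/misc (this patch labels that directory `system_crond_var_lib_t`) would also help, presumably a lease or state file written by a helper daemon, but that is not visible here.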
@@ -12851,7 +12909,7 @@
')
optional_policy(`
-@@ -162,19 +173,20 @@
+@@ -162,19 +178,20 @@
ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
ppp_signal(NetworkManager_t)
@@ -18719,7 +18777,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-06-12 23:37:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-06-22 06:46:13.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -19178,7 +19236,13 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-06-12 23:37:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-06-22 06:47:13.000000000 -0400
+@@ -1,4 +1,4 @@
+-
++
+ policy_module(authlogin,1.7.1)
+
+ ########################################
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -19214,7 +19278,7 @@
########################################
#
# PAM local policy
-@@ -94,36 +108,38 @@
+@@ -94,36 +108,39 @@
allow pam_t pam_tmp_t:file manage_file_perms;
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
@@ -19247,6 +19311,7 @@
+userdom_dontaudit_write_user_home_content_files(user, pam_t)
+userdom_append_unpriv_users_home_content_files(pam_t)
+userdom_dontaudit_read_user_tmp_files(user, pam_t)
++userdom_dontaudit_write_user_home_content_files(unconfined, pam_t)
optional_policy(`
locallogin_use_fds(pam_t)
@@ -19263,7 +19328,7 @@
########################################
#
# PAM console local policy
-@@ -149,6 +165,8 @@
+@@ -149,6 +166,8 @@
dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
@@ -19272,7 +19337,7 @@
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t)
-@@ -159,6 +177,8 @@
+@@ -159,6 +178,8 @@
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
@@ -19281,7 +19346,7 @@
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
-@@ -168,6 +188,8 @@
+@@ -168,6 +189,8 @@
dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)
dev_read_urand(pam_console_t)
@@ -19290,7 +19355,7 @@
mls_file_read_all_levels(pam_console_t)
mls_file_write_all_levels(pam_console_t)
-@@ -200,6 +222,7 @@
+@@ -200,6 +223,7 @@
fs_list_auto_mountpoints(pam_console_t)
fs_list_noxattr_fs(pam_console_t)
@@ -19298,7 +19363,7 @@
init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)
-@@ -236,7 +259,7 @@
+@@ -236,7 +260,7 @@
optional_policy(`
xserver_read_xdm_pid(pam_console_t)
@@ -19307,7 +19372,7 @@
')
########################################
-@@ -256,6 +279,7 @@
+@@ -256,6 +280,7 @@
userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
@@ -19315,7 +19380,7 @@
########################################
#
-@@ -302,3 +326,31 @@
+@@ -302,3 +327,31 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
@@ -23379,7 +23444,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-06-12 23:37:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-06-27 07:07:05.000000000 -0400
@@ -29,8 +29,9 @@
')
@@ -24684,7 +24749,16 @@
')
########################################
-@@ -4895,7 +5111,7 @@
+@@ -4670,6 +4886,8 @@
+ ')
+
+ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
++ fs_dontaudit_list_nfs($1)
++ fs_dontaudit_list_cifs($1)
+ ')
+
+ ########################################
+@@ -4895,7 +5113,7 @@
type user_home_dir_t, user_home_t;
')
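Review bot: The two new calls `fs_dontaudit_list_nfs($1)` and `fs_dontaudit_list_cifs($1)` silence directory listing on entire nfs_t and cifs_t filesystems, whereas the existing rule in this interface only dontaudits search on home directory types; the interface now quiets more than its name and summary presumably describe. If the intent is home directories living on network mounts, note it on the new lines with `# home dirs may live on NFS/CIFS; silence listing denials there too` and adjust the summary to match. The interface definition and its summary start outside this hunk.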
@@ -24693,7 +24767,7 @@
filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
')
-@@ -4933,7 +5149,7 @@
+@@ -4933,7 +5151,7 @@
type user_home_dir_t;
')
@@ -24702,7 +24776,7 @@
allow $1 user_home_dir_t:dir manage_dir_perms;
')
-@@ -4954,7 +5170,7 @@
+@@ -4954,7 +5172,7 @@
type user_home_t;
')
@@ -24711,7 +24785,7 @@
manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -4973,7 +5189,7 @@
+@@ -4973,7 +5191,7 @@
type staff_home_dir_t;
')
@@ -24720,7 +24794,7 @@
allow $1 user_home_dir_t:dir relabelto;
')
-@@ -4992,7 +5208,7 @@
+@@ -4992,7 +5210,7 @@
type user_home_t, user_home_dir_t;
')
@@ -24729,7 +24803,7 @@
allow $1 user_home_t:dir list_dir_perms;
read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -5013,7 +5229,7 @@
+@@ -5013,7 +5231,7 @@
type user_home_t;
')
@@ -24738,7 +24812,7 @@
allow $1 user_home_t:file execute;
')
-@@ -5033,7 +5249,7 @@
+@@ -5033,7 +5251,7 @@
type user_home_dir_t, user_home_t;
')
@@ -24747,7 +24821,7 @@
manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -5072,7 +5288,7 @@
+@@ -5072,7 +5290,7 @@
type user_home_t;
')
@@ -24756,7 +24830,7 @@
manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -5092,7 +5308,7 @@
+@@ -5092,7 +5310,7 @@
type user_home_t;
')
@@ -24765,7 +24839,7 @@
manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -5112,7 +5328,7 @@
+@@ -5112,7 +5330,7 @@
type user_home_t;
')
@@ -24774,7 +24848,7 @@
manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -5131,7 +5347,7 @@
+@@ -5131,7 +5349,7 @@
attribute user_home_dir_type;
')
@@ -24783,7 +24857,7 @@
allow $1 user_home_dir_type:dir search_dir_perms;
')
-@@ -5151,7 +5367,7 @@
+@@ -5151,7 +5369,7 @@
attribute user_home_dir_type, user_home_type;
')
@@ -24792,7 +24866,7 @@
allow $1 user_home_type:dir list_dir_perms;
read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
-@@ -5173,7 +5389,7 @@
+@@ -5173,7 +5391,7 @@
attribute user_home_dir_type, user_home_type;
')
@@ -24801,7 +24875,7 @@
manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
')
-@@ -5193,7 +5409,7 @@
+@@ -5193,7 +5411,7 @@
attribute user_home_dir_type, user_home_type;
')
@@ -24810,7 +24884,7 @@
manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
')
-@@ -5323,7 +5539,7 @@
+@@ -5323,7 +5541,7 @@
attribute user_tmpfile;
')
@@ -24819,7 +24893,7 @@
')
########################################
-@@ -5346,6 +5562,25 @@
+@@ -5346,6 +5564,25 @@
########################################
## <summary>
@@ -24845,7 +24919,7 @@
## Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
-@@ -5529,6 +5764,24 @@
+@@ -5529,6 +5766,24 @@
########################################
## <summary>
@@ -24870,7 +24944,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5559,3 +5812,420 @@
+@@ -5559,3 +5814,420 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.637
retrieving revision 1.638
diff -u -r1.637 -r1.638
--- selinux-policy.spec 29 May 2008 20:18:38 -0000 1.637
+++ selinux-policy.spec 2 Jul 2008 20:53:30 -0000 1.638
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 109%{?dist}
+Release: 111%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,12 @@
%endif
%changelog
+* Wed Jul 2 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-111
+- Handle updated NetworkManager
+
+* Mon Jun 18 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-110
+- Add cxoffice homedir context
+
* Thu May 29 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-109
- Remove extra context for dbus