rpms/selinux-policy/devel modules-targeted.conf, 1.90, 1.91 policy-20080509.patch, 1.8, 1.9 selinux-policy.spec, 1.666, 1.667
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Wed Jun 4 17:27:34 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16426
Modified Files:
modules-targeted.conf policy-20080509.patch
selinux-policy.spec
Log Message:
* Wed Jun 4 2008 Dan Walsh <dwalsh at redhat.com> 3.4.1-4
- Add livecd policy
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.90
retrieving revision 1.91
diff -u -r1.90 -r1.91
--- modules-targeted.conf 30 May 2008 19:24:44 -0000 1.90
+++ modules-targeted.conf 4 Jun 2008 17:26:52 -0000 1.91
@@ -1668,3 +1668,10 @@
# IMAP and POP3 email servers
#
courier = module
+
+# Layer: apps
+# Module: livecd
+#
+# livecd creator
+#
+livecd = module
policy-20080509.patch:
Index: policy-20080509.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080509.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20080509.patch 4 Jun 2008 12:57:43 -0000 1.8
+++ policy-20080509.patch 4 Jun 2008 17:26:52 -0000 1.9
@@ -1898,7 +1898,7 @@
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.4.1/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2008-05-23 09:15:06.000000000 -0400
-+++ serefpolicy-3.4.1/policy/modules/apps/gnome.if 2008-06-03 16:01:51.000000000 -0400
++++ serefpolicy-3.4.1/policy/modules/apps/gnome.if 2008-06-04 11:11:07.509407000 -0400
@@ -36,6 +36,7 @@
gen_require(`
type gconfd_exec_t, gconf_etc_t;
@@ -1907,7 +1907,7 @@
')
##############################
-@@ -44,41 +45,31 @@
+@@ -44,41 +45,32 @@
#
type $1_gconfd_t, gnomedomain;
@@ -1923,6 +1923,7 @@
-
- type $1_gconf_tmp_t;
- files_tmp_file($1_gconf_tmp_t)
++ typealias gnome_home_t alias $1_gnome_home_t;
+ typealias gconf_home_t alias $1_gconf_home_t;
+ typealias gconf_tmp_t alias $1_gconf_tmp_t;
@@ -1964,7 +1965,7 @@
ps_process_pattern($2,$1_gconfd_t)
-@@ -86,6 +77,10 @@
+@@ -86,6 +78,10 @@
files_read_etc_files($1_gconfd_t)
@@ -1975,7 +1976,7 @@
libs_use_ld_so($1_gconfd_t)
libs_use_shared_libs($1_gconfd_t)
-@@ -93,11 +88,8 @@
+@@ -93,11 +89,8 @@
logging_send_syslog_msg($1_gconfd_t)
@@ -1989,7 +1990,7 @@
optional_policy(`
nscd_dontaudit_search_pid($1_gconfd_t)
-@@ -107,6 +99,10 @@
+@@ -107,6 +100,10 @@
xserver_use_xdm_fds($1_gconfd_t)
xserver_rw_xdm_pipes($1_gconfd_t)
')
@@ -2000,7 +2001,7 @@
')
########################################
-@@ -128,11 +124,28 @@
+@@ -128,11 +125,28 @@
template(`gnome_stream_connect_gconf_template',`
gen_require(`
type $1_gconfd_t;
@@ -2032,7 +2033,7 @@
')
########################################
-@@ -141,7 +154,7 @@
+@@ -141,7 +155,7 @@
## </summary>
## <desc>
## <p>
@@ -2041,7 +2042,7 @@
## </p>
## <p>
## This is a templated interface, and should only
-@@ -170,6 +183,30 @@
+@@ -170,6 +184,30 @@
########################################
## <summary>
@@ -2072,7 +2073,7 @@
## manage gnome homedir content (.config)
## </summary>
## <param name="userdomain_prefix">
-@@ -186,9 +223,29 @@
+@@ -186,9 +224,29 @@
#
template(`gnome_manage_user_gnome_config',`
gen_require(`
@@ -3200,7 +3201,7 @@
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.4.1/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.4.1/policy/modules/apps/livecd.if 2008-06-03 09:53:54.000000000 -0400
++++ serefpolicy-3.4.1/policy/modules/apps/livecd.if 2008-06-04 13:26:20.582917000 -0400
@@ -0,0 +1,56 @@
+
+## <summary>policy for livecd</summary>
@@ -29897,8 +29898,8 @@
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.4.1/policy/modules/system/qemu.if
--- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.4.1/policy/modules/system/qemu.if 2008-06-03 09:53:56.000000000 -0400
-@@ -0,0 +1,313 @@
++++ serefpolicy-3.4.1/policy/modules/system/qemu.if 2008-06-04 13:13:44.213306000 -0400
+@@ -0,0 +1,318 @@
+
+## <summary>policy for qemu</summary>
+
@@ -30142,7 +30143,7 @@
+ domain_use_interactive_fds($1_t)
+
+ allow $1_t self:capability { dac_read_search dac_override };
-+ allow $1_t self:process { execstack execmem signal getsched };
++ allow $1_t self:process { execstack execmem signal getsched signull };
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+
+ ## internal communication is often done using fifo and unix sockets.
@@ -30159,6 +30160,9 @@
+ manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
++ dev_read_sound($1_t)
++ dev_write_sound($1_t)
++
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_all_if($1_t)
@@ -30189,6 +30193,8 @@
+ term_getattr_pty_fs($1_t)
+ term_use_generic_ptys($1_t)
+
++ auth_use_nsswitch($1_t)
++
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+
@@ -32074,7 +32080,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.4.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-05-29 15:55:43.000000000 -0400
-+++ serefpolicy-3.4.1/policy/modules/system/unconfined.te 2008-06-03 11:34:41.000000000 -0400
++++ serefpolicy-3.4.1/policy/modules/system/unconfined.te 2008-06-04 13:26:18.902281000 -0400
@@ -1,40 +1,79 @@
-policy_module(unconfined, 2.2.1)
@@ -32242,20 +32248,21 @@
')
optional_policy(`
-@@ -123,11 +176,7 @@
+@@ -123,11 +176,11 @@
')
optional_policy(`
- inn_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- java_domtrans(unconfined_t)
+ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-@@ -139,18 +188,6 @@
+- java_domtrans(unconfined_t)
++ livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
+
+ optional_policy(`
+@@ -139,18 +192,6 @@
')
optional_policy(`
@@ -32274,7 +32281,7 @@
prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
-@@ -159,38 +196,46 @@
+@@ -159,38 +200,46 @@
')
optional_policy(`
@@ -32334,7 +32341,7 @@
')
optional_policy(`
-@@ -198,23 +243,33 @@
+@@ -198,23 +247,33 @@
')
optional_policy(`
@@ -32373,7 +32380,7 @@
')
########################################
-@@ -224,14 +279,35 @@
+@@ -224,14 +283,35 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.666
retrieving revision 1.667
diff -u -r1.666 -r1.667
--- selinux-policy.spec 4 Jun 2008 12:57:43 -0000 1.666
+++ selinux-policy.spec 4 Jun 2008 17:26:52 -0000 1.667
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.4.1
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -375,7 +375,10 @@
%endif
%changelog
-* Fri May 9 2008 Dan Walsh <dwalsh at redhat.com> 3.4.1-3
+* Wed Jun 4 2008 Dan Walsh <dwalsh at redhat.com> 3.4.1-4
+- Add livecd policy
+
+* Wed Jun 4 2008 Dan Walsh <dwalsh at redhat.com> 3.4.1-3
- Dontaudit search of admin_home for init_system_domain
- Rewrite of xace interfaces
- Lots of new fs_list_inotify
More information about the fedora-extras-commits
mailing list