rpms/selinux-policy/F-9 policy-20071130.patch,1.175,1.176
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Sun Jun 22 12:36:27 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17282
Modified Files:
policy-20071130.patch
Log Message:
* Sun Jun 22 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-68
- Allow virt to getsched and setsched on qemu
- Allow networkmanager to getattr on fixed disk
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.175
retrieving revision 1.176
diff -u -r1.175 -r1.176
--- policy-20071130.patch 22 Jun 2008 12:09:00 -0000 1.175
+++ policy-20071130.patch 22 Jun 2008 12:35:35 -0000 1.176
@@ -12305,7 +12305,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.3.1/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/courier.te 2008-06-12 23:38:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/courier.te 2008-06-22 08:33:57.000000000 -0400
@@ -9,7 +9,10 @@
courier_domain_template(authdaemon)
@@ -12318,6 +12318,14 @@
courier_domain_template(pcp)
+@@ -25,6 +28,7 @@
+
+ type courier_exec_t;
+ files_type(courier_exec_t)
++mta_mailclient(courier_exec_t)
+
+ courier_domain_template(sqwebmail)
+ typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.3.1/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-06-12 23:38:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/cron.fc 2008-06-12 23:38:04.000000000 -0400
@@ -17746,7 +17754,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-06-22 08:32:51.000000000 -0400
@@ -6,6 +6,8 @@
# Declarations
#
@@ -21902,7 +21910,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.3.1/policy/modules/services/qmail.te
--- nsaserefpolicy/policy/modules/services/qmail.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/qmail.te 2008-06-12 23:38:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/qmail.te 2008-06-22 08:31:44.000000000 -0400
@@ -14,7 +14,7 @@
qmail_child_domain_template(qmail_clean, qmail_start_t)
@@ -31425,8 +31433,8 @@
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
--- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-06-22 08:07:19.000000000 -0400
-@@ -0,0 +1,335 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-06-22 08:19:17.000000000 -0400
+@@ -0,0 +1,336 @@
+
+## <summary>policy for qemu</summary>
+
@@ -31469,7 +31477,7 @@
+
+########################################
+## <summary>
-+## Send a signal to qemu.
++## Set the schedule on qemu.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -31477,17 +31485,17 @@
+## </summary>
+## </param>
+#
-+interface(`qemu_signal',`
++interface(`qemu_setsched',`
+ gen_require(`
+ type qemu_t;
+ ')
+
-+ allow $1 qemu_t:process signal;
++ allow $1 qemu_t:process setsched;
+')
+
+########################################
+## <summary>
-+## Set the schedule on qemu.
++## Send a signal to qemu.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -31495,12 +31503,12 @@
+## </summary>
+## </param>
+#
-+interface(`qemu_setsched',`
++interface(`qemu_signal',`
+ gen_require(`
+ type qemu_t;
+ ')
+
-+ allow $1 qemu_t:process setsched;
++ allow $1 qemu_t:process signal;
+')
+
+########################################
@@ -31688,7 +31696,7 @@
+ domain_use_interactive_fds($1_t)
+
+ allow $1_t self:capability { dac_read_search dac_override };
-+ allow $1_t self:process { execstack execmem signal getsched };
++ allow $1_t self:process { execstack execmem signal getsched signull };
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+
+ ## internal communication is often done using fifo and unix sockets.
@@ -31705,6 +31713,9 @@
+ manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
++ dev_read_sound($1_t)
++ dev_write_sound($1_t)
++
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_all_if($1_t)
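Review bot: The added `dev_read_sound($1_t)` and `dev_write_sound($1_t)` sit in the shared template body, so every domain built from the template gets read and write access to the sound devices unconditionally. Read access to the sound device nodes presumably covers capture as well as playback, so a qemu process that is taken over from a guest could record from the host's audio input. I would put both calls inside a `tunable_policy` block keyed on a new boolean that defaults to off, the same way `allow_qemu_full_network` gates the network rules in qemu.te. The 3.3.1-68 changelog entry does not mention sound access, so a line there would help anyone auditing the update; the template itself starts and ends outside this hunk.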
@@ -31735,6 +31746,8 @@
+ term_getattr_pty_fs($1_t)
+ term_use_generic_ptys($1_t)
+
++ auth_use_nsswitch($1_t)
++
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+
@@ -31751,10 +31764,6 @@
+ ')
+
+ optional_policy(`
-+ xen_rw_image_files($1_t)
-+ ')
-+
-+ optional_policy(`
+ xserver_stream_connect_xdm_xserver($1_t)
+ xserver_read_xdm_tmp_files($1_t)
+ xserver_read_xdm_pid($1_t)
@@ -31764,8 +31773,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te
--- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-06-12 23:38:02.000000000 -0400
-@@ -0,0 +1,49 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-06-22 08:16:26.000000000 -0400
+@@ -0,0 +1,79 @@
+policy_module(qemu,1.0.0)
+
+## <desc>
@@ -31775,6 +31784,20 @@
+## </desc>
+gen_tunable(allow_qemu_full_network,false)
+
++## <desc>
++## <p>
++## Allow qemu to use nfs file systems
++## </p>
++## </desc>
++gen_tunable(qemu_use_nfs,true)
++
++## <desc>
++## <p>
++## Allow qemu to use cifs/Samba file systems
++## </p>
++## </desc>
++gen_tunable(qemu_use_cifs,true)
++
+########################################
+#
+# Declarations
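Review bot: Both new booleans are declared with a default of `true` (`gen_tunable(qemu_use_nfs,true)` and `gen_tunable(qemu_use_cifs,true)`), while `allow_qemu_full_network` directly above them defaults to `false`. With these defaults every installation gives qemu access to NFS and CIFS mounts, whether or not any guest image is stored there. Unless existing setups depend on it, I would declare both as `false` and let administrators who keep images on network filesystems enable them with `setsebool`. If `true` is deliberate, a sentence in each `<desc>` block giving the reason would save the next reviewer the question.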
@@ -31804,6 +31827,22 @@
+ corenet_tcp_connect_all_ports(qemu_t)
+')
+
++tunable_policy(`qemu_use_nfs',`
++ fs_manage_nfs_files(qemu_t)
++')
++
++tunable_policy(`qemu_use_cifs',`
++ fs_manage_cifs_dirs(qemu_t)
++')
++
++optional_policy(`
++ xen_rw_image_files(qemu_t)
++')
++
++optional_policy(`
++ xen_rw_image_files(qemu_t)
++')
++
+########################################
+#
+# qemu_unconfined local policy
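Review bot: The `optional_policy` block calling `xen_rw_image_files(qemu_t)` is added twice in a row at the end of this hunk; the second copy is redundant and should be dropped. The `qemu_use_cifs` branch calls only `fs_manage_cifs_dirs(qemu_t)` while the NFS branch calls `fs_manage_nfs_files(qemu_t)`, so if the intent is for qemu to open images on a CIFS share this probably needs `fs_manage_cifs_files(qemu_t)` as well. Both are `manage` interfaces, which go beyond reading and writing existing image files, so it is worth checking whether a narrower read/write interface would be enough. The xen call was moved here from the template in qemu.if and now applies to `qemu_t` only, so any other domain built from that template loses it; that is presumably intended but should be confirmed.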