rpms/selinux-policy/F-9 policy-20071130.patch,1.175,1.176

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Sun Jun 22 12:36:27 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17282

Modified Files:
	policy-20071130.patch 
Log Message:
* Sun Jun 22 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-68
- Allow virt to getsched and setsched on qemu 
- Allow networkmanager to getattr on fixed disk


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.175
retrieving revision 1.176
diff -u -r1.175 -r1.176
--- policy-20071130.patch	22 Jun 2008 12:09:00 -0000	1.175
+++ policy-20071130.patch	22 Jun 2008 12:35:35 -0000	1.176
@@ -12305,7 +12305,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.3.1/policy/modules/services/courier.te
 --- nsaserefpolicy/policy/modules/services/courier.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/courier.te	2008-06-12 23:38:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/courier.te	2008-06-22 08:33:57.000000000 -0400
 @@ -9,7 +9,10 @@
  courier_domain_template(authdaemon)
  
@@ -12318,6 +12318,14 @@
  
  courier_domain_template(pcp)
  
+@@ -25,6 +28,7 @@
+ 
+ type courier_exec_t;
+ files_type(courier_exec_t)
++mta_mailclient(courier_exec_t)
+ 
+ courier_domain_template(sqwebmail)
+ typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.3.1/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2008-06-12 23:38:02.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/services/cron.fc	2008-06-12 23:38:04.000000000 -0400
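Review bot: The added `mta_mailclient(courier_exec_t)` in courier.te has no comment, and the log message for 3.3.1-68 lists only the virt and NetworkManager changes, so this mail-related change is undocumented. courier_exec_t is the generic courier executable type, so whatever the interface grants applies to every file carrying that label; the interface body is not on this page, so the exact effect should be confirmed against mta.if. Add a changelog line for it and a one-line policy comment above the call stating which courier programs need mail-client treatment. The mta.te and qmail.te sections show new timestamps here too, but their content changes fall outside the visible hunks.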
@@ -17746,7 +17754,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-06-22 08:32:51.000000000 -0400
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -21902,7 +21910,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.3.1/policy/modules/services/qmail.te
 --- nsaserefpolicy/policy/modules/services/qmail.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/qmail.te	2008-06-12 23:38:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/qmail.te	2008-06-22 08:31:44.000000000 -0400
 @@ -14,7 +14,7 @@
  qmail_child_domain_template(qmail_clean, qmail_start_t)
  
@@ -31425,8 +31433,8 @@
 +/usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
 --- nsaserefpolicy/policy/modules/system/qemu.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if	2008-06-22 08:07:19.000000000 -0400
-@@ -0,0 +1,335 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if	2008-06-22 08:19:17.000000000 -0400
+@@ -0,0 +1,336 @@
 +
 +## <summary>policy for qemu</summary>
 +
@@ -31469,7 +31477,7 @@
 +
 +########################################
 +## <summary>
-+##	Send a signal to qemu.
++##	Set the schedule on qemu.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -31477,17 +31485,17 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`qemu_signal',`
++interface(`qemu_setsched',`
 +	gen_require(`
 +		type qemu_t;
 +	')
 +
-+	allow $1 qemu_t:process signal;
++	allow $1 qemu_t:process setsched;
 +')
 +
 +########################################
 +## <summary>
-+##	Set the schedule on qemu.
++##	Send a signal to qemu.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -31495,12 +31503,12 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`qemu_setsched',`
++interface(`qemu_signal',`
 +	gen_require(`
 +		type qemu_t;
 +	')
 +
-+	allow $1 qemu_t:process setsched;
++	allow $1 qemu_t:process signal;
 +')
 +
 +########################################
@@ -31688,7 +31696,7 @@
 +	domain_use_interactive_fds($1_t)
 +
 +	allow $1_t self:capability { dac_read_search dac_override };
-+	allow $1_t self:process { execstack execmem signal getsched };
++	allow $1_t self:process { execstack execmem signal getsched signull };
 +	allow $1_t self:tcp_socket create_stream_socket_perms;
 +
 +	## internal communication is often done using fifo and unix sockets.
@@ -31705,6 +31713,9 @@
 +	manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
 +	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
 +
++	dev_read_sound($1_t)
++	dev_write_sound($1_t)
++
 +	corenet_all_recvfrom_unlabeled($1_t)
 +	corenet_all_recvfrom_netlabel($1_t)
 +	corenet_tcp_sendrecv_all_if($1_t)
@@ -31735,6 +31746,8 @@
 +	term_getattr_pty_fs($1_t)
 +	term_use_generic_ptys($1_t)
 +
++	auth_use_nsswitch($1_t)
++
 +	libs_use_ld_so($1_t)
 +	libs_use_shared_libs($1_t)
 +
@@ -31751,10 +31764,6 @@
 +	')
 +
 +	optional_policy(`
-+		xen_rw_image_files($1_t)
-+	')
-+
-+	optional_policy(`
 +		xserver_stream_connect_xdm_xserver($1_t)
 +		xserver_read_xdm_tmp_files($1_t)
 +		xserver_read_xdm_pid($1_t)
@@ -31764,8 +31773,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te
 --- nsaserefpolicy/policy/modules/system/qemu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.te	2008-06-12 23:38:02.000000000 -0400
-@@ -0,0 +1,49 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.te	2008-06-22 08:16:26.000000000 -0400
+@@ -0,0 +1,79 @@
 +policy_module(qemu,1.0.0)
 +
 +## <desc>
@@ -31775,6 +31784,20 @@
 +## </desc>
 +gen_tunable(allow_qemu_full_network,false)
 +
++## <desc>
++## <p>
++## Allow qemu to use nfs file systems
++## </p>
++## </desc>
++gen_tunable(qemu_use_nfs,true)
++
++## <desc>
++## <p>
++## Allow qemu to use cifs/Samba file systems
++## </p>
++## </desc>
++gen_tunable(qemu_use_cifs,true)
++
 +########################################
 +#
 +# Declarations
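Review bot: Both new booleans are created enabled, `gen_tunable(qemu_use_nfs,true)` and `gen_tunable(qemu_use_cifs,true)`, whereas `allow_qemu_full_network` directly above defaults to false. With these defaults the network-filesystem rules are active for qemu_t on every host that installs the policy, without the administrator opting in. Prefer `gen_tunable(qemu_use_nfs,false)` and `gen_tunable(qemu_use_cifs,false)`, and let hosts that keep images on network shares enable them with setsebool. If the true default is deliberate for compatibility, say so in the `<desc>` text.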
@@ -31804,6 +31827,22 @@
 +	corenet_tcp_connect_all_ports(qemu_t)
 +')
 +
++tunable_policy(`qemu_use_nfs',`
++	fs_manage_nfs_files(qemu_t)
++')
++
++tunable_policy(`qemu_use_cifs',`
++	fs_manage_cifs_dirs(qemu_t)
++')
++
++optional_policy(`
++	xen_rw_image_files(qemu_t)
++')
++
++optional_policy(`
++	xen_rw_image_files(qemu_t)
++')
++
 +########################################
 +#
 +# qemu_unconfined local policy
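Review bot: The `optional_policy` block calling `xen_rw_image_files(qemu_t)` is added twice in a row; the second copy is redundant and should be dropped. The two tunable blocks are also asymmetric: `qemu_use_nfs` grants `fs_manage_nfs_files(qemu_t)` but `qemu_use_cifs` grants only `fs_manage_cifs_dirs(qemu_t)`, which by its name covers directories rather than image files. If file access on CIFS is what the boolean's description promises, the call was probably meant to be `fs_manage_cifs_files(qemu_t)`. Separately, the `xen_rw_image_files` rule removed from the template in qemu.if applied to `$1_t`, while here it is granted to qemu_t only, so other domains built from the template lose it; confirm that is intended.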



