rpms/selinux-policy/devel policy-20080509.patch, 1.21, 1.22 selinux-policy.spec, 1.676, 1.677

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Jun 26 12:13:22 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11210

Modified Files:
	policy-20080509.patch selinux-policy.spec 
Log Message:
* Thu Jun 26 2008 Dan Walsh <dwalsh at redhat.com> 3.4.2-8
- Allow vpnc to run ifconfig


policy-20080509.patch:

Index: policy-20080509.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080509.patch,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- policy-20080509.patch	24 Jun 2008 11:14:04 -0000	1.21
+++ policy-20080509.patch	26 Jun 2008 12:12:35 -0000	1.22
@@ -1670,9 +1670,20 @@
 +	xserver_exec_pid(vbetool_t)
 +	xserver_write_pid(vbetool_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.4.2/policy/modules/admin/vpn.if
+--- nsaserefpolicy/policy/modules/admin/vpn.if	2008-06-12 23:25:08.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/admin/vpn.if	2008-06-26 07:40:44.000000000 -0400
+@@ -48,6 +48,7 @@
+ 	vpn_domtrans($1)
+ 	role $2 types vpnc_t;
+ 	allow vpnc_t $3:chr_file rw_term_perms;
++	sysnet_run_ifconfig(vpnc_t, $2, $3)
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.4.2/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te	2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/admin/vpn.te	2008-06-12 23:37:53.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/admin/vpn.te	2008-06-26 07:39:30.000000000 -0400
 @@ -24,7 +24,8 @@
  
  allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
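Review bot: The new `sysnet_run_ifconfig(vpnc_t, $2, $3)` line changes what `vpn_run` hands to the caller's role, but the interface's XML summary and its `<param name="role">` text, which sit above this hunk, still describe only the vpnc transition. A refpolicy run-style interface conventionally adds `role $2 types ifconfig_t;` next to the domain transition, so callers of `vpn_run` should be told that the role also gains ifconfig_t; I would extend the summary with a line such as `##	The role is also allowed the ifconfig domain, since vpnc runs ifconfig.` The `vpn_run` interface opens outside this hunk, so its doc block itself is not shown here.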
@@ -1683,6 +1694,14 @@
  allow vpnc_t self:tcp_socket create_stream_socket_perms;
  allow vpnc_t self:udp_socket create_socket_perms;
  allow vpnc_t self:rawip_socket create_socket_perms;
+@@ -102,7 +103,6 @@
+ seutil_dontaudit_search_config(vpnc_t)
+ seutil_use_newrole_fds(vpnc_t)
+ 
+-sysnet_domtrans_ifconfig(vpnc_t)
+ sysnet_etc_filetrans_config(vpnc_t)
+ sysnet_manage_config(vpnc_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.4.2/policy/modules/apps/ethereal.fc
 --- nsaserefpolicy/policy/modules/apps/ethereal.fc	2008-06-12 23:25:03.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/apps/ethereal.fc	2008-06-12 23:37:51.000000000 -0400
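Review bot: Removing `sysnet_domtrans_ifconfig(vpnc_t)` from vpn.te means the vpnc_t to ifconfig_t transition now exists only when some caller invokes `vpn_run`, because the first hunk moves the rule into that interface. If vpnc_t is also entered through `vpn_domtrans` alone (a daemon or init path that never calls `vpn_run`), that instance keeps `net_admin` but is denied the moment it execs ifconfig, which is presumably the very case the changelog line "Allow vpnc to run ifconfig" is meant to fix. A safer split is to keep the unconditional transition in the .te file and let `vpn_run` add only the role and terminal rules, i.e. restore `sysnet_domtrans_ifconfig(vpnc_t)` here next to `sysnet_etc_filetrans_config(vpnc_t)`.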
@@ -13994,7 +14013,7 @@
  /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.4.2/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/dbus.if	2008-06-22 20:49:35.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/dbus.if	2008-06-26 07:23:57.000000000 -0400
 @@ -53,6 +53,7 @@
  	gen_require(`
  		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -14106,8 +14125,11 @@
  	')
  ')
  
-@@ -209,12 +229,9 @@
+@@ -207,14 +227,12 @@
+ 		type system_dbusd_t, system_dbusd_t;
+ 		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
++		attribute dbusd_unconfined;
  	')
  
 -#	type $1_dbusd_system_t;
@@ -14116,12 +14138,12 @@
  	# SE-DBus specific permissions
 -#	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
 -	allow $2 { system_dbusd_t self }:dbus send_msg;
-+	allow $2 { system_dbusd_t $2 }:dbus send_msg;
-+	allow system_dbusd_t $2:dbus send_msg;
++	allow $2 { system_dbusd_t $2 dbusd_unconfined }:dbus send_msg;
++	allow { system_dbusd_t dbusd_unconfined } $2:dbus send_msg;
  
  	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($2)
-@@ -223,6 +240,10 @@
+@@ -223,6 +241,10 @@
  	files_search_pids($2)
  	stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
  	dbus_read_config($2)
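Review bot: The rewritten rules make the unconfined message flow bidirectional: `allow $2 { system_dbusd_t $2 dbusd_unconfined }:dbus send_msg;` lets every domain instantiated through this template send to any dbusd_unconfined domain, a direction the old side of this hunk did not grant, while `allow { system_dbusd_t dbusd_unconfined } $2:dbus send_msg;` replaces the domain-wide rule dropped from dbus.te later in this diff. The client-to-unconfined direction is presumably intended, but it deserves a comment so the widening reads as deliberate, e.g. `# bus clients exchange messages with unconfined dbus services in both directions`. Note also that a domain which is a bus client without using this template no longer receives messages from dbusd_unconfined domains; confirm that no such domain exists in this tree.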
@@ -14132,7 +14154,7 @@
  ')
  
  #######################################
-@@ -251,18 +272,16 @@
+@@ -251,18 +273,16 @@
  template(`dbus_user_bus_client_template',`
  	gen_require(`
  		type $1_dbusd_t;
@@ -14153,7 +14175,7 @@
  ')
  
  ########################################
-@@ -292,6 +311,55 @@
+@@ -292,6 +312,55 @@
  
  ########################################
  ## <summary>
@@ -14209,7 +14231,7 @@
  ##	Read dbus configuration.
  ## </summary>
  ## <param name="domain">
-@@ -366,3 +434,55 @@
+@@ -366,3 +435,55 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -14267,7 +14289,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.4.2/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/dbus.te	2008-06-22 20:51:20.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/dbus.te	2008-06-26 07:22:31.000000000 -0400
 @@ -9,9 +9,10 @@
  #
  # Delcarations
@@ -14349,7 +14371,7 @@
  
  libs_use_ld_so(system_dbusd_t)
  libs_use_shared_libs(system_dbusd_t)
-@@ -122,9 +140,40 @@
+@@ -122,9 +140,38 @@
  ')
  
  optional_policy(`
@@ -14380,10 +14402,8 @@
 +optional_policy(`
 +	gen_require(`
 +		type unconfined_dbusd_t;
-+		attribute domain;
 +	')
 +	unconfined_domain(unconfined_dbusd_t)
-+	allow dbusd_unconfined domain:dbus send_msg;
 +	unconfined_execmem_domtrans(unconfined_dbusd_t)
 +
 +	optional_policy(`
@@ -25716,7 +25736,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.4.2/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/squid.te	2008-06-12 23:37:52.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/squid.te	2008-06-25 07:54:09.000000000 -0400
 @@ -31,12 +31,15 @@
  type squid_var_run_t;
  files_pid_file(squid_var_run_t)
@@ -25730,7 +25750,7 @@
  #
  
 -allow squid_t self:capability { setgid setuid dac_override sys_resource };
-+allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
++allow squid_t self:capability { setgid killa setuid dac_override sys_resource };
  dontaudit squid_t self:capability sys_tty_config;
  allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
  allow squid_t self:fifo_file rw_fifo_file_perms;
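Review bot: `killa` in the new capability set is not a capability permission; the previous revision of this line had `kill`, so this looks like a stray keystroke, and checkmodule will reject the squid module when the policy is built (if the build somehow tolerated it, CAP_KILL would silently not be granted). Restore `allow squid_t self:capability { setgid kill setuid dac_override sys_resource };`. It is also worth noting that none of the squid changes in this commit are recorded in the 3.4.2-8 changelog entry.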
@@ -25742,7 +25762,7 @@
  corenet_tcp_bind_http_cache_port(squid_t)
  corenet_udp_bind_http_cache_port(squid_t)
  corenet_tcp_bind_ftp_port(squid_t)
-@@ -92,6 +96,7 @@
+@@ -92,10 +96,12 @@
  corenet_udp_bind_gopher_port(squid_t)
  corenet_tcp_bind_squid_port(squid_t)
  corenet_udp_bind_squid_port(squid_t)
@@ -25750,7 +25770,12 @@
  corenet_tcp_connect_ftp_port(squid_t)
  corenet_tcp_connect_gopher_port(squid_t)
  corenet_tcp_connect_http_port(squid_t)
-@@ -109,6 +114,8 @@
+ corenet_tcp_connect_http_cache_port(squid_t)
++corenet_tcp_connect_pgpkeyserver_port(squid_t)
+ corenet_sendrecv_http_client_packets(squid_t)
+ corenet_sendrecv_ftp_client_packets(squid_t)
+ corenet_sendrecv_gopher_client_packets(squid_t)
+@@ -109,6 +115,8 @@
  
  fs_getattr_all_fs(squid_t)
  fs_search_auto_mountpoints(squid_t)
@@ -25759,7 +25784,7 @@
  
  selinux_dontaudit_getattr_dir(squid_t)
  
-@@ -128,6 +135,7 @@
+@@ -128,6 +136,7 @@
  files_getattr_home_dir(squid_t)
  
  auth_use_nsswitch(squid_t)
@@ -25767,7 +25792,7 @@
  
  libs_use_ld_so(squid_t)
  libs_use_shared_libs(squid_t)
-@@ -149,11 +157,7 @@
+@@ -149,11 +158,7 @@
  ')
  
  optional_policy(`
@@ -25780,7 +25805,7 @@
  ')
  
  optional_policy(`
-@@ -168,7 +172,12 @@
+@@ -168,7 +173,12 @@
  	udev_read_db(squid_t)
  ')
  
@@ -29263,6 +29288,50 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.4.2/policy/modules/system/ipsec.if
+--- nsaserefpolicy/policy/modules/system/ipsec.if	2008-06-12 23:25:07.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/ipsec.if	2008-06-26 07:50:38.000000000 -0400
+@@ -150,6 +150,26 @@
+ 	manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
+ ')
+ 
++
++########################################
++## <summary>
++##	write the ipsec_var_run_t files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`ipsec_write_pid',`
++	gen_require(`
++		type ipsec_var_run_t;
++	')
++
++	files_search_pids($1)
++	write_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute racoon in the racoon domain.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.4.2/policy/modules/system/ipsec.te
+--- nsaserefpolicy/policy/modules/system/ipsec.te	2008-06-12 23:25:07.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/ipsec.te	2008-06-26 07:46:57.000000000 -0400
+@@ -69,8 +69,8 @@
+ read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+ read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+ 
+-allow ipsec_t ipsec_var_run_t:file manage_file_perms;
+-allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
++manage_files_pattern(ipsec_t, ipsec_var_run_t,  ipsec_var_run_t)
++manage_sock_files_pattern(ipsec_t, ipsec_var_run_t,  ipsec_var_run_t)
+ files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
+ 
+ can_exec(ipsec_t, ipsec_mgmt_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.4.2/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2008-06-12 23:25:07.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/system/iptables.te	2008-06-12 23:37:52.000000000 -0400
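Review bot: The new `ipsec_write_pid` interface grants `write_files_pattern`, which covers writing existing files under ipsec_var_run_t but not creating them, so a caller that has to create the pid file would still be denied; either the summary should say "Write to existing ipsec pid files" or the interface should use `manage_files_pattern` together with `files_pid_filetrans`, depending on what the caller actually does (not visible here). Two style nits on the same hunk: the interface is introduced by a doubled blank line before its `########` banner, and the ipsec.te replacement lines carry a double space in `manage_files_pattern(ipsec_t, ipsec_var_run_t,  ipsec_var_run_t)`; refpolicy style is a single space, `manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)`.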
@@ -32174,7 +32243,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.4.2/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/system/sysnetwork.te	2008-06-12 23:37:52.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/sysnetwork.te	2008-06-26 07:51:07.000000000 -0400
 @@ -20,6 +20,10 @@
  init_daemon_domain(dhcpc_t,dhcpc_exec_t)
  role system_r types dhcpc_t;
@@ -32317,7 +32386,18 @@
  ifdef(`hide_broken_symptoms',`
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -332,6 +351,14 @@
+@@ -324,6 +343,10 @@
+ ')
+ 
+ optional_policy(`
++	ipsec_write_pid(ifconfig_t)
++')
++
++optional_policy(`
+ 	nis_use_ypbind(ifconfig_t)
+ ')
+ 
+@@ -332,6 +355,14 @@
  ')
  
  optional_policy(`
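Review bot: `ipsec_write_pid(ifconfig_t)` gives a general-purpose network utility write access to another daemon's runtime files with nothing in the hunk saying why; ifconfig_t is presumably entered from many domains, so each of them can now modify ipsec pid files by way of ifconfig. Add a comment stating the triggering case, e.g. `# ipsec helper scripts run ifconfig with an open pid-file descriptor - TODO confirm against the denial`, so a later reviewer can judge whether a `dontaudit` on the inherited descriptor would have been the narrower fix. The enclosing optional_policy list continues outside the hunk.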
@@ -32448,14 +32528,15 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.4.2/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/system/unconfined.fc	2008-06-23 06:28:00.000000000 -0400
-@@ -2,15 +2,26 @@
++++ serefpolicy-3.4.2/policy/modules/system/unconfined.fc	2008-06-26 07:24:15.000000000 -0400
+@@ -2,15 +2,28 @@
  # e.g.:
  # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
  # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
 -/usr/bin/qemu.*			--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
  /usr/bin/valgrind 		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
- /usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+-/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
++/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
  
  /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
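Review bot: Relabelling /usr/bin/vncserver from unconfined_exec_t to unconfined_notrans_exec_t changes how the program is entered from other domains, and nothing in the commit message or the 3.4.2-8 changelog records it. unconfined_notrans_exec_t must be declared in unconfined.te, which is not shown in this diff, for the file context to load; if it is, please add a changelog line such as `- Label vncserver unconfined_notrans_exec_t` so the label change is traceable.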
@@ -32480,6 +32561,8 @@
 +/usr/bin/runhaskell  --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/libexec/ghc-[^/]+/.*bin  --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/libexec/ghc-[^/]+/ghc-.*  --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++
++/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.4.2/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-06-12 23:25:07.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/system/unconfined.if	2008-06-22 20:50:34.000000000 -0400
@@ -33212,7 +33295,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.4.2/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/system/userdomain.if	2008-06-14 07:13:36.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/userdomain.if	2008-06-26 08:07:11.000000000 -0400
 @@ -28,10 +28,14 @@
  		class context contains;
  	')
@@ -35304,7 +35387,16 @@
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -4710,6 +4823,25 @@
+@@ -4666,6 +4779,8 @@
+ 	')
+ 
+ 	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
++	fs_dontaudit_list_nfs($2)
++	fs_dontaudit_list_cifs($2)
+ ')
+ 
+ ########################################
+@@ -4710,6 +4825,25 @@
  
  ########################################
  ## <summary>
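Review bot: The two added lines use `$2` while the context line directly above them, `dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;`, treats `$1` as the domain; if this interface takes a single domain argument, `fs_dontaudit_list_nfs($2)` expands to an empty call and the module will fail to build, and if it is a two-argument template the `$1`/`$2` roles are inconsistent within one body. Confirm the parameter list (the interface header is outside this hunk) and, if the domain is `$1`, change these to `fs_dontaudit_list_nfs($1)` and `fs_dontaudit_list_cifs($1)`.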
@@ -35330,7 +35422,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4935,7 +5067,7 @@
+@@ -4935,7 +5069,7 @@
  
  ########################################
  ## <summary>
@@ -35339,7 +35431,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5307,6 +5439,42 @@
+@@ -5307,6 +5441,42 @@
  
  ########################################
  ## <summary>
@@ -35382,7 +35474,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5357,7 +5525,7 @@
+@@ -5357,7 +5527,7 @@
  		attribute userdomain;
  	')
  
@@ -35391,7 +35483,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -5472,6 +5640,42 @@
+@@ -5472,6 +5642,42 @@
  
  ########################################
  ## <summary>
@@ -35434,7 +35526,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5502,3 +5706,525 @@
+@@ -5502,3 +5708,525 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.676
retrieving revision 1.677
diff -u -r1.676 -r1.677
--- selinux-policy.spec	24 Jun 2008 11:14:04 -0000	1.676
+++ selinux-policy.spec	26 Jun 2008 12:12:35 -0000	1.677
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.4.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -375,6 +375,9 @@
 %endif
 
 %changelog
+* Thu Jun 26 2008 Dan Walsh <dwalsh at redhat.com> 3.4.2-8
+- Allow vpnc to run ifconfig
+
 * Tue Jun 24 2008 Dan Walsh <dwalsh at redhat.com> 3.4.2-7
 - Allow confined users to use postgres
 - Allow system_mail_t to exec other mail clients



