rpms/selinux-policy/devel policy-20071130.patch, 1.92, 1.93 selinux-policy.spec, 1.627, 1.628

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Mar 10 20:16:55 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29592

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Mon Mar 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-13
- Additional changes for MLS policy


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.92
retrieving revision 1.93
diff -u -r1.92 -r1.93
--- policy-20071130.patch	6 Mar 2008 22:25:06 -0000	1.92
+++ policy-20071130.patch	10 Mar 2008 20:16:22 -0000	1.93
@@ -2050,7 +2050,7 @@
  ifdef(`distro_suse', `
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.3.1/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/rpm.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/rpm.if	2008-03-09 08:33:16.000000000 -0400
 @@ -152,6 +152,24 @@
  
  ########################################
@@ -2076,10 +2076,31 @@
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -173,6 +191,27 @@
+@@ -173,6 +191,48 @@
  
  ########################################
  ## <summary>
++##	dontaudit attempts to Send and receive messages from
++##	rpm over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpm_dontaudit_dbus_chat',`
++	gen_require(`
++		type rpm_t;
++		class dbus send_msg;
++	')
++
++	dontaudit $1 rpm_t:dbus send_msg;
++	dontaudit rpm_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
 +##	Send and receive messages from
 +##	rpm_script over dbus.
 +## </summary>
@@ -2104,7 +2125,7 @@
  ##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
-@@ -210,6 +249,24 @@
+@@ -210,6 +270,24 @@
  
  ########################################
  ## <summary>
@@ -2129,7 +2150,7 @@
  ##	Create, read, write, and delete RPM
  ##	script temporary files.
  ## </summary>
-@@ -225,7 +282,29 @@
+@@ -225,7 +303,29 @@
  	')
  
  	files_search_tmp($1)
@@ -2159,7 +2180,7 @@
  ')
  
  ########################################
-@@ -289,3 +368,157 @@
+@@ -289,3 +389,157 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -5055,7 +5076,7 @@
 +HOME_DIR/\.macromedia(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-04 14:46:08.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-10 14:36:14.000000000 -0400
 @@ -0,0 +1,344 @@
 +
 +## <summary>policy for nsplugin</summary>
@@ -5272,7 +5293,7 @@
 +	nsplugin_use($1, $2)
 +
 +	optional_policy(`
-+		xserver_common_app_template($2, nsplugin_t)
++		xserver_common_app_to_user($2, nsplugin_t)
 +	')
 +
 +	role $3 types nsplugin_t;
@@ -5403,8 +5424,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-04 10:03:36.000000000 -0500
-@@ -0,0 +1,154 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-10 14:35:49.000000000 -0400
+@@ -0,0 +1,166 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5471,6 +5492,7 @@
 +
 +dev_read_rand(nsplugin_t)
 +dev_read_sound(nsplugin_t)
++dev_write_sound(nsplugin_t)
 +
 +kernel_read_kernel_sysctls(nsplugin_t)
 +kernel_read_system_state(nsplugin_t)
@@ -5495,6 +5517,7 @@
 +miscfiles_manage_home_fonts(nsplugin_t)
 +
 +userdom_read_user_home_content_files(user, nsplugin_t)
++userdom_read_user_tmp_files(user, nsplugin_t)
 +userdom_write_user_tmp_sockets(user, nsplugin_t)
 +userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)
 +
@@ -5503,6 +5526,10 @@
 +')
 +
 +optional_policy(`
++	gnome_exec_gconf(nsplugin_t)
++')
++
++optional_policy(`
 +	mozilla_read_user_home_files(user, nsplugin_t)
 +	mozilla_write_user_home_files(user, nsplugin_t)
 +')
@@ -5511,6 +5538,7 @@
 +	xserver_stream_connect_xdm_xserver(nsplugin_t)
 +	xserver_xdm_rw_shm(nsplugin_t)
 +	xserver_read_xdm_tmp_files(nsplugin_t)
++	xserver_read_user_xauth(user, nsplugin_t)
 +')
 +
 +########################################
@@ -5519,16 +5547,18 @@
 +#
 +
 +allow nsplugin_config_t self:capability { sys_nice setuid setgid };
-+allow nsplugin_config_t self:process { setsched getsched execmem };
++allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
 +allow nsplugin_t self:sem create_sem_perms;
 +allow nsplugin_t self:shm create_shm_perms;
++allow nsplugin_t self:msgq create_msgq_perms;
 +
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
 +manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir })
++manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
 +
 +can_exec(nsplugin_config_t, nsplugin_rw_t)
 +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
@@ -5559,6 +5589,9 @@
 +userdom_search_all_users_home_content(nsplugin_config_t)
 +
 +nsplugin_domtrans(nsplugin_config_t)
++
++allow nsplugin_t user_home_t:dir { write read };
++allow nsplugin_t user_home_t:file write;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.3.1/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2007-10-12 08:56:02.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/apps/screen.fc	2008-02-26 08:29:22.000000000 -0500
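Review bot: The two rules appended at the end of nsplugin.te, `allow nsplugin_t user_home_t:dir { write read };` and `allow nsplugin_t user_home_t:file write;`, name `user_home_t` directly instead of going through a `userdom_*` interface, which is how every other home-directory access in this module is expressed (e.g. `userdom_read_user_home_content_files(user, nsplugin_t)` earlier in the hunk at 5517). A raw type from another module bypasses the layering refpolicy relies on and grants the plugin domain write access to all of a user's home files, not just the plugin's own state; the write counterpart of the read interface already used would scope and document that better. They also sit in the `nsplugin_config_t` section right after `nsplugin_domtrans(nsplugin_config_t)` although they concern `nsplugin_t`, and partly contradict the `userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)` the module keeps a few lines up. If the rules must stay as raw allows, a comment stating which plugin behaviour needs home writes would help the next reader judge whether the grant is still required.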
@@ -10430,7 +10463,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-02-26 10:37:39.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-03-10 13:34:57.000000000 -0400
 @@ -13,6 +13,9 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
@@ -10470,7 +10503,7 @@
  # needs to read /var/lib/dbus/machine-id
  files_read_var_lib_files(consolekit_t)
  
-@@ -47,16 +57,33 @@
+@@ -47,16 +57,37 @@
  
  auth_use_nsswitch(consolekit_t)
  
@@ -10492,22 +10525,26 @@
 +hal_ptrace(consolekit_t)
 +mcs_ptrace_all(consolekit_t)
 +
++optional_policy(`
++	cron_read_system_job_lib_files(consolekit_t)
++')
++
  optional_policy(`
 -	dbus_system_bus_client_template(consolekit, consolekit_t)
[...2097 lines suppressed...]
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -31198,7 +31449,7 @@
  ')
  
  ########################################
-@@ -4551,10 +4700,10 @@
+@@ -4551,10 +4701,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -31211,7 +31462,7 @@
  ')
  
  ########################################
-@@ -4569,10 +4718,10 @@
+@@ -4569,10 +4719,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -31224,7 +31475,7 @@
  ')
  
  ########################################
-@@ -4588,10 +4737,10 @@
+@@ -4588,10 +4738,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -31237,7 +31488,7 @@
  ')
  
  ########################################
-@@ -4606,10 +4755,10 @@
+@@ -4606,10 +4756,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -31250,7 +31501,7 @@
  ')
  
  ########################################
-@@ -4625,10 +4774,10 @@
+@@ -4625,10 +4775,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -31263,7 +31514,7 @@
  ')
  
  ########################################
-@@ -4644,12 +4793,11 @@
+@@ -4644,12 +4794,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -31279,7 +31530,7 @@
  ')
  
  ########################################
-@@ -4676,10 +4824,10 @@
+@@ -4676,10 +4825,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -31292,7 +31543,7 @@
  ')
  
  ########################################
-@@ -4694,10 +4842,10 @@
+@@ -4694,10 +4843,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -31305,7 +31556,7 @@
  ')
  
  ########################################
-@@ -4712,13 +4860,13 @@
+@@ -4712,13 +4861,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -31323,7 +31574,7 @@
  ')
  
  ########################################
-@@ -4754,11 +4902,49 @@
+@@ -4754,11 +4903,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -31374,7 +31625,7 @@
  ')
  
  ########################################
-@@ -4778,6 +4964,14 @@
+@@ -4778,6 +4965,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -31389,7 +31640,7 @@
  ')
  
  ########################################
-@@ -4839,6 +5033,26 @@
+@@ -4839,6 +5034,26 @@
  
  ########################################
  ## <summary>
@@ -31416,7 +31667,7 @@
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4859,6 +5073,25 @@
+@@ -4859,6 +5074,25 @@
  
  ########################################
  ## <summary>
@@ -31442,7 +31693,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4879,6 +5112,26 @@
+@@ -4879,6 +5113,26 @@
  
  ########################################
  ## <summary>
@@ -31469,7 +31720,7 @@
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5368,7 @@
+@@ -5115,7 +5369,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -31478,7 +31729,7 @@
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5557,50 @@
+@@ -5304,6 +5558,50 @@
  
  ########################################
  ## <summary>
@@ -31529,7 +31780,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,6 +5806,42 @@
+@@ -5509,6 +5807,42 @@
  
  ########################################
  ## <summary>
@@ -31572,7 +31823,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5674,6 +6007,42 @@
+@@ -5674,6 +6008,42 @@
  
  ########################################
  ## <summary>
@@ -31615,7 +31866,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6073,368 @@
+@@ -5704,3 +6074,368 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -33213,11 +33464,24 @@
 +## <summary>Policy for user user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.3.1/policy/modules/users/user.te
 --- nsaserefpolicy/policy/modules/users/user.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/user.te	2008-02-26 08:29:22.000000000 -0500
-@@ -0,0 +1,4 @@
++++ serefpolicy-3.3.1/policy/modules/users/user.te	2008-03-10 11:57:48.000000000 -0400
+@@ -0,0 +1,17 @@
 +policy_module(user,1.0.1)
 +userdom_unpriv_user_template(user)
 +
++optional_policy(`
++	kerneloops_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++	rpm_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++	setroubleshoot_dontaudit_stream_connect(user_t)
++')
++
++
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.3.1/policy/modules/users/webadm.fc
 --- nsaserefpolicy/policy/modules/users/webadm.fc	1969-12-31 19:00:00.000000000 -0500
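Review bot: The new user.te ends with three blank lines (the two added `++` blanks plus the original trailing one), which is only whitespace but will keep showing up as churn in later versions of this patch; dropping the two added blanks keeps the file at one trailing newline. The three `optional_policy` blocks each silence a class of denials for `user_t` (rpm and kerneloops over dbus, setroubleshoot stream connect) rather than allowing the access, and nothing says why those paths are expected to be hit; a one-line comment above the first block such as `# quiet expected dbus/stream denials from the user session; access is intentionally not granted` would record the intent. If these were added for the MLS work the changelog mentions, saying so in that comment would also help.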


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.627
retrieving revision 1.628
diff -u -r1.627 -r1.628
--- selinux-policy.spec	6 Mar 2008 21:50:52 -0000	1.627
+++ selinux-policy.spec	10 Mar 2008 20:16:22 -0000	1.628
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,9 @@
 %endif
 
 %changelog
+* Mon Mar 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-13
+- Additional changes for MLS policy
+
 * Thu Mar 6 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-12
 - Fix initrc_context generation for MLS
 



