rpms/selinux-policy/devel policy-20071130.patch, 1.98, 1.99 selinux-policy.spec, 1.630, 1.631

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Mar 12 12:35:28 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24113

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Wed Mar 12 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-16
- Change init_t to an unconfined_domain


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.98
retrieving revision 1.99
diff -u -r1.98 -r1.99
--- policy-20071130.patch	12 Mar 2008 02:21:18 -0000	1.98
+++ policy-20071130.patch	12 Mar 2008 12:35:06 -0000	1.99
@@ -3316,7 +3316,7 @@
 +/usr/lib(64)?/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.3.1/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/gpg.if	2008-02-29 17:00:38.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/gpg.if	2008-03-12 08:31:43.000000000 -0400
 @@ -38,6 +38,10 @@
  	gen_require(`
  		type gpg_exec_t, gpg_helper_exec_t;
@@ -3328,7 +3328,7 @@
  	')
  
  	########################################
-@@ -45,275 +49,59 @@
+@@ -45,275 +49,61 @@
  	# Declarations
  	#
  
@@ -3519,6 +3519,8 @@
 +	dontaudit gpg_t $2:udp_socket rw_socket_perms;
 +	dontaudit gpg_helper_t $2:tcp_socket rw_socket_perms;
 +	dontaudit gpg_helper_t $2:udp_socket rw_socket_perms;
++	#Leaked File Descriptors
++	dontaudit gpg_helper_t $2:unix_stream_socket rw_socket_perms;
  
 -	# allow gpg to connect to the gpg agent
 -	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
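Review bot: The added `dontaudit gpg_helper_t $2:unix_stream_socket rw_socket_perms;` silences only the helper domain, while the tcp_socket and udp_socket pairs immediately above it treat gpg_t and gpg_helper_t alike; if a unix stream socket inherited from $2 can just as well end up in gpg_t, its denials will keep reaching the audit log. Either add the matching `dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;` or have the comment say why only the helper is covered. The comment itself would read better in the file's `# ` style and with the intent spelled out, e.g. `# Sockets inherited from the caller: hide the denials, do not grant access`. The interface body continues outside the hunk.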
@@ -5076,8 +5078,8 @@
 +HOME_DIR/\.macromedia(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-10 14:36:14.000000000 -0400
-@@ -0,0 +1,344 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-12 08:30:42.000000000 -0400
+@@ -0,0 +1,347 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -5239,10 +5241,13 @@
 +	read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
 +	can_exec($2, nsplugin_rw_t)
 +
-+	allow nsplugin_t $2:udp_socket { read write };
-+	allow nsplugin_t $2:tcp_socket { read write };
++	#Leaked File Descriptors
++	dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
++	dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
++	dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
 +	allow nsplugin_t $2:unix_stream_socket connectto;
 +	dontaudit nsplugin_t $2:process ptrace;
++
 +	allow nsplugin_t $1_tmpfs_t:file { read getattr };
 +
 +	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
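Review bot: Replacing `allow nsplugin_t $2:udp_socket { read write }` and the tcp_socket line with `dontaudit … rw_socket_perms` both withdraws an access the plugin domain previously held and hides the resulting denials, so a plugin that really used a socket inherited from $2 would now fail with nothing in the audit log to explain it. It is worth confirming in permissive mode that these hits are only descriptors the plugin never uses before hiding them, and recording that in the comment, e.g. `# Descriptors leaked from the browser domain: silence the denials rather than allow them`. A second short comment on the retained `allow nsplugin_t $2:unix_stream_socket connectto;` would help the next reader see why connectto is granted while read/write on the same class is dontaudited. The interface body continues outside the hunk.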
@@ -26321,7 +26326,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-11 18:57:27.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-12 08:33:31.000000000 -0400
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -26414,7 +26419,7 @@
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -163,22 +194,25 @@
+@@ -163,14 +194,16 @@
  	fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
  ')
  
@@ -26436,18 +26441,18 @@
  ')
  
  optional_policy(`
- 	nscd_socket_use(init_t)
+@@ -181,13 +214,18 @@
+ 	unconfined_domain(init_t)
  ')
  
--optional_policy(`
--	unconfined_domain(init_t)
 +ifndef(`distro_ubuntu',`
 +	corecmd_shell_domtrans(init_t,initrc_t)
 +	corecmd_shell_entry_type(initrc_t)
- ')
- 
++')
++
  ########################################
-@@ -187,7 +221,7 @@
+ #
+ # Init script local policy
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
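Review bot: The rationale for making init_t unconfined is missing: by no longer deleting upstream's `optional_policy` block around `unconfined_domain(init_t)`, this hunk removes nearly all SELinux confinement from PID 1, and the changelog records only that it was done. The previous release went the other way with targeted rules (`corecmd_shell_domtrans(init_t,initrc_t)` is still added here inside the `ifndef` block for distro_ubuntu), so a comment beside the block naming the breakage that forced this, and whether it is meant to be temporary, would let a later maintainer judge when the confined path can be retried. Because the call sits inside `optional_policy`, init_t is unconfined only when the unconfined module is loaded; if that dependency is intended it deserves a sentence as well. The surrounding init.te hunk extends beyond what is shown here.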
@@ -26456,7 +26461,7 @@
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  
-@@ -201,10 +235,9 @@
+@@ -201,10 +239,9 @@
  allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
  term_create_pty(initrc_t,initrc_devpts_t)
  
@@ -26469,7 +26474,7 @@
  
  manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
  manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -257,7 +290,7 @@
+@@ -257,7 +294,7 @@
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
@@ -26478,7 +26483,7 @@
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -283,7 +316,6 @@
+@@ -283,7 +320,6 @@
  mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
@@ -26486,7 +26491,7 @@
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -496,6 +528,31 @@
+@@ -496,6 +532,31 @@
  	')
  ')
  
@@ -26518,7 +26523,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -559,14 +616,6 @@
+@@ -559,14 +620,6 @@
  ')
  
  optional_policy(`
@@ -26533,7 +26538,7 @@
  	ftp_read_config(initrc_t)
  ')
  
-@@ -639,12 +688,6 @@
+@@ -639,12 +692,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -26546,7 +26551,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -705,6 +748,9 @@
+@@ -705,6 +752,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -26556,7 +26561,7 @@
  ')
  
  optional_policy(`
-@@ -717,9 +763,11 @@
+@@ -717,9 +767,11 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -26571,7 +26576,7 @@
  ')
  
  optional_policy(`
-@@ -738,6 +786,11 @@
+@@ -738,6 +790,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -26583,7 +26588,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -752,6 +805,10 @@
+@@ -752,6 +809,10 @@
  ')
  
  optional_policy(`
@@ -26594,7 +26599,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -774,3 +831,4 @@
+@@ -774,3 +835,4 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -27160,7 +27165,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.fc	2008-03-11 18:59:24.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/lvm.fc	2008-03-12 07:01:13.000000000 -0400
 @@ -55,6 +55,7 @@
  /sbin/lvs		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -27169,6 +27174,11 @@
  /sbin/pvchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/pvcreate		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/pvdata		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -97,3 +98,4 @@
+ /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
+ /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
+ /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
++/var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-03-11 19:04:42.000000000 -0400
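Review bot: `/var/run/dmevent.*` is looser than the neighbouring entries: the unescaped `.` and trailing `.*` match any path beginning with `/var/run/dmevent`, including anything nested under a directory of that name, and the entry carries no object-class flag, unlike `/var/run/multipathd\.sock -s` two lines above. If only files directly in /var/run are meant, a pattern such as `/var/run/dmevent[^/]*` (constructed from the prefix on the page) keeps the label from spreading below that directory, and if the objects are sockets or fifos the class flag used on the multipathd line would narrow it further. A short comment naming the daemon that creates these objects would also help, since lvm_var_run_t is shared with the multipathd entries.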
@@ -29611,7 +29621,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-09 08:38:37.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-12 08:26:37.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -31962,7 +31972,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6074,368 @@
+@@ -5704,3 +6074,370 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -32331,6 +32341,8 @@
 +	netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 +  ')
 +')
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/userdomain.te	2008-02-26 08:29:22.000000000 -0500


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.630
retrieving revision 1.631
diff -u -r1.630 -r1.631
--- selinux-policy.spec	12 Mar 2008 01:00:13 -0000	1.630
+++ selinux-policy.spec	12 Mar 2008 12:35:06 -0000	1.631
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,9 @@
 %endif
 
 %changelog
+* Wed Mar 12 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-16
+- Change init_t to an unconfined_domain
+
 * Tue Mar 11 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-15
 - Allow init to transition to initrc_t on shell exec.
 - Fix init to be able to sendto init_t.



