rpms/selinux-policy/devel policy-20071130.patch, 1.108, 1.109 selinux-policy.spec, 1.639, 1.640
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Mar 21 23:24:22 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21936
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Fri Mar 18 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-23
- Fix file context for MATLAB
- Fixes for xace
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.108
retrieving revision 1.109
diff -u -r1.108 -r1.109
--- policy-20071130.patch 20 Mar 2008 16:11:16 -0000 1.108
+++ policy-20071130.patch 21 Mar 2008 23:24:11 -0000 1.109
@@ -3964,8 +3964,18 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.3.1/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/java.fc 2008-03-13 18:18:13.000000000 -0400
-@@ -11,6 +11,7 @@
++++ serefpolicy-3.3.1/policy/modules/apps/java.fc 2008-03-21 06:52:02.000000000 -0400
+@@ -3,14 +3,15 @@
+ #
+ /opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+ /opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
++/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
++/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+ #
+ # /usr
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
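Review bot: The replacement MATLAB patterns on the two `+` lines use bare `.*` inside the path, and in file_contexts `.` also matches `/`, so `/opt/matlab.*/bin.*/MATLAB.*` labels any regular file whose path merely starts with `/opt/matlab`, contains `bin` somewhere later, and has a final component beginning with `MATLAB` — e.g. `/opt/matlab-extras/binaries/tmp/MATLAB_notes` — as java_exec_t. That is a noticeably wider set of entry points into the java domain than the old `bin/(.*/)?MATLAB.` form, which only widened below bin. If the intent is a versioned install root plus the platform subdirectory under bin, `/opt/matlab[^/]*/bin(/[^/]+)*/MATLAB[^/]*` keeps the match to that shape; the `/opt/local` line here and the `/usr/local` and `/usr` lines in the next hunk have the same construction.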
@@ -3973,16 +3983,15 @@
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,11 @@
+@@ -20,5 +21,10 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/local/matlab/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/matlab(/.*)?/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
@@ -14704,7 +14713,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-03-21 18:49:34.000000000 -0400
@@ -8,6 +8,7 @@
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@@ -14713,13 +14722,14 @@
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
-@@ -16,10 +17,11 @@
+@@ -16,10 +17,12 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
/var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
++/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
-
@@ -14775,7 +14785,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-20 09:19:51.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-21 18:50:19.000000000 -0400
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -14795,7 +14805,18 @@
logging_log_filetrans(hald_t,hald_log_t,file)
manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
-@@ -93,6 +96,7 @@
+@@ -82,8 +85,9 @@
+ manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+ manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+
++manage_dirs_pattern(hald_t,hald_var_run_t,hald_var_run_t)
+ manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
+-files_pid_filetrans(hald_t,hald_var_run_t,file)
++files_pid_filetrans(hald_t,hald_var_run_t,{ dir file })
+
+ kernel_read_system_state(hald_t)
+ kernel_read_network_state(hald_t)
+@@ -93,6 +97,7 @@
kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
@@ -14803,7 +14824,7 @@
auth_read_pam_console_data(hald_t)
-@@ -155,6 +159,8 @@
+@@ -155,6 +160,8 @@
selinux_compute_relabel_context(hald_t)
selinux_compute_user_contexts(hald_t)
@@ -14812,7 +14833,7 @@
storage_raw_read_removable_device(hald_t)
storage_raw_write_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t)
-@@ -172,6 +178,8 @@
+@@ -172,6 +179,8 @@
init_rw_utmp(hald_t)
init_telinit(hald_t)
@@ -14821,7 +14842,7 @@
libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t)
libs_exec_ld_so(hald_t)
-@@ -244,6 +252,10 @@
+@@ -244,6 +253,10 @@
')
optional_policy(`
@@ -14832,7 +14853,7 @@
hotplug_read_config(hald_t)
')
-@@ -265,6 +277,11 @@
+@@ -265,6 +278,11 @@
')
optional_policy(`
@@ -14844,7 +14865,7 @@
rpc_search_nfs_state_data(hald_t)
')
-@@ -291,7 +308,8 @@
+@@ -291,7 +309,8 @@
#
allow hald_acl_t self:capability { dac_override fowner };
@@ -14854,7 +14875,14 @@
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
allow hald_t hald_acl_t:process signal;
-@@ -304,6 +322,7 @@
+@@ -301,9 +320,14 @@
+ manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
+ files_search_var_lib(hald_acl_t)
+
++manage_dirs_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t)
++manage_files_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t)
++files_pid_filetrans(hald_acl_t,hald_var_run_t,{ dir file })
++
corecmd_exec_bin(hald_acl_t)
dev_getattr_all_chr_files(hald_acl_t)
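Review bot: The three `+` lines give hald_acl_t the same full rights over hald_var_run_t that hald_t receives elsewhere in this patch — directory create/remove, all file operations, and a `{ dir file }` transition on anything it creates directly under /var/run — even though the surrounding context shows hald_acl_t is a helper hald_t transitions to (`domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)`) and one that already holds `dac_override` and `fowner`. If the helper only needs to write its own files inside a /var/run/hald directory that the daemon creates, `manage_files_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t)` with `files_pid_filetrans(hald_acl_t,hald_var_run_t,file)` is sufficient and leaves directory lifecycle with hald_t. I cannot tell from the hunk which paths hal-acl-tool actually touches, so confirm against its source before narrowing. The hald_acl_t rule set begins before this hunk.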
@@ -14862,7 +14890,7 @@
dev_getattr_generic_usb_dev(hald_acl_t)
dev_getattr_video_dev(hald_acl_t)
dev_setattr_video_dev(hald_acl_t)
-@@ -325,6 +344,11 @@
+@@ -325,6 +349,11 @@
miscfiles_read_localization(hald_acl_t)
@@ -14874,7 +14902,7 @@
########################################
#
# Local hald mac policy
-@@ -338,10 +362,14 @@
+@@ -338,10 +367,14 @@
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_mac_t)
@@ -14889,7 +14917,7 @@
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
-@@ -391,3 +419,7 @@
+@@ -391,3 +424,7 @@
libs_use_shared_libs(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
@@ -23952,7 +23980,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-14 11:14:49.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-20 16:09:38.000000000 -0400
@@ -12,9 +12,15 @@
## </summary>
## </param>
@@ -24081,13 +24109,13 @@
allow $1_xserver_t self:process { execmem execheap execstack };
')
-+ tunable_policy(`xserver_object_manager',`
-+ selinux_validate_context($1_xserver_t)
-+ selinux_compute_access_vector($1_xserver_t)
-+ selinux_compute_create_context($1_xserver_t)
-+ seutil_read_default_contexts($1_xserver_t)
-+ allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
++ selinux_validate_context($1_xserver_t)
++ selinux_compute_access_vector($1_xserver_t)
++ selinux_compute_create_context($1_xserver_t)
++ seutil_read_default_contexts($1_xserver_t)
++ allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
+
++ tunable_policy(`xserver_object_manager',`
+ allow $1_xserver_t input_xevent_t:x_event send;
+ allow $1_xserver_t x_rootwindow_t:x_drawable send;
+ allow $1_xserver_t xdm_t:x_event send;
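Review bot: The `selinux_validate_context`, `selinux_compute_access_vector`, `selinux_compute_create_context`, `seutil_read_default_contexts` and `netlink_selinux_socket` lines are now granted to `$1_xserver_t` unconditionally, with only the x_event/x_drawable sends left behind `xserver_object_manager`, and nothing in the hunk records why the gate was removed. Presumably the SELinux XACE module opens the AVC query interfaces and the policy-change netlink socket at server start whether or not the boolean turns enforcement on, so keeping them inside the tunable produced denials on every start; if that is the reason, a comment above the block such as `# XACE's SELinux module initialises its AVC and policy-change netlink socket at startup regardless of xserver_object_manager, so these cannot be gated by the boolean` will stop the next maintainer from moving them back. If the denials came from somewhere else, state that instead. The enclosing template starts and ends outside this hunk.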
@@ -25321,7 +25349,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-18 15:08:05.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-21 18:46:59.000000000 -0400
@@ -8,6 +8,14 @@
## <desc>
@@ -25567,7 +25595,7 @@
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
-@@ -226,6 +344,7 @@
+@@ -226,9 +344,11 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -25575,7 +25603,11 @@
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
-@@ -237,6 +356,7 @@
++fs_rw_anon_inodefs_files(xdm_t)
+
+ storage_dontaudit_read_fixed_disk(xdm_t)
+ storage_dontaudit_write_fixed_disk(xdm_t)
+@@ -237,6 +357,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25583,7 +25615,7 @@
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
-@@ -245,6 +365,7 @@
+@@ -245,6 +366,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -25591,7 +25623,7 @@
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -256,12 +377,11 @@
+@@ -256,12 +378,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -25605,7 +25637,7 @@
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -270,8 +390,13 @@
+@@ -270,8 +391,13 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -25619,7 +25651,11 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -304,7 +429,11 @@
+@@ -301,10 +427,15 @@
+
+ optional_policy(`
+ alsa_domtrans(xdm_t)
++ alsa_read_rw_config(xdm_t)
')
optional_policy(`
@@ -25632,7 +25668,7 @@
')
optional_policy(`
-@@ -312,6 +441,23 @@
+@@ -312,6 +443,23 @@
')
optional_policy(`
@@ -25656,7 +25692,7 @@
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
-@@ -322,6 +468,10 @@
+@@ -322,6 +470,10 @@
')
optional_policy(`
@@ -25667,7 +25703,7 @@
loadkeys_exec(xdm_t)
')
-@@ -335,6 +485,11 @@
+@@ -335,6 +487,11 @@
')
optional_policy(`
@@ -25679,7 +25715,7 @@
seutil_sigchld_newrole(xdm_t)
')
-@@ -343,8 +498,8 @@
+@@ -343,8 +500,8 @@
')
optional_policy(`
@@ -25689,7 +25725,7 @@
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -380,7 +535,7 @@
+@@ -380,7 +537,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -25698,7 +25734,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +547,15 @@
+@@ -392,6 +549,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -25714,7 +25750,7 @@
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -404,9 +568,17 @@
+@@ -404,9 +570,17 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -25732,7 +25768,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +592,22 @@
+@@ -420,6 +594,22 @@
')
optional_policy(`
@@ -25755,7 +25791,7 @@
resmgr_stream_connect(xdm_t)
')
-@@ -429,47 +617,139 @@
+@@ -429,47 +619,139 @@
')
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.639
retrieving revision 1.640
diff -u -r1.639 -r1.640
--- selinux-policy.spec 20 Mar 2008 16:11:16 -0000 1.639
+++ selinux-policy.spec 21 Mar 2008 23:24:11 -0000 1.640
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 22%{?dist}
+Release: 23%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,10 @@
%endif
%changelog
+* Fri Mar 18 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-23
+- Fix file context for MATLAB
+- Fixes for xace
+
* Tue Mar 18 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-22
- Allow stunnel to transition to inetd children domains
- Make unconfined_dbusd_t an unconfined domain