rpms/selinux-policy/F-9 policy-20071130.patch, 1.164, 1.165 selinux-policy.spec, 1.679, 1.680
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri May 30 17:24:57 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31624
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Fri May 30 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-63
- Allow policykit_resolve to ptrace user processes
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.164
retrieving revision 1.165
diff -u -r1.164 -r1.165
--- policy-20071130.patch 30 May 2008 14:43:33 -0000 1.164
+++ policy-20071130.patch 30 May 2008 17:24:14 -0000 1.165
@@ -1834,8 +1834,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.3.1/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-05-28 09:06:12.000000000 -0400
-@@ -0,0 +1,56 @@
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-05-30 11:26:24.751817000 -0400
+@@ -0,0 +1,53 @@
+
+policy_module(kismet,1.0.0)
+
@@ -1864,15 +1864,12 @@
+#
+
+allow kismet_t self:capability { net_admin setuid setgid };
++allow kismet_t self:packet_socket create_socket_perms;
+
+corecmd_exec_bin(kismet_t)
+
+auth_use_nsswitch(kismet_t)
+
-+allow kismet_t self:fifo_file rw_file_perms;
-+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
-+allow kismet_t self:packet_socket create_socket_perms;
-+
+files_read_etc_files(kismet_t)
+
+libs_use_ld_so(kismet_t)
@@ -2611,7 +2608,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-05-28 09:06:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-05-30 11:30:24.705821000 -0400
@@ -55,7 +55,7 @@
#
@@ -7290,7 +7287,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-02-26 08:23:12.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-05-28 09:06:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-05-30 12:13:11.044389000 -0400
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -7717,7 +7714,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.3.1/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.te 2008-05-28 09:06:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.te 2008-05-30 12:12:17.406541000 -0400
@@ -32,6 +32,12 @@
type apm_bios_t;
dev_node(apm_bios_t)
@@ -9217,7 +9214,7 @@
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-05-28 09:06:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-05-30 12:18:18.585456000 -0400
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -9603,7 +9600,40 @@
')
########################################
-@@ -841,12 +778,16 @@
+@@ -828,6 +765,32 @@
+
+ ########################################
+ ## <summary>
++## Allow the specified domain to delete
++## apache system content rw files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
++interface(`apache_delete_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_content_rw_t;
++ ')
++
++ files_search_tmp($1)
++ delete_dirs_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t)
++ delete_files_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t)
++ delete_lnk_files_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t)
++ delete_fifo_files_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t)
++ delete_sock_files_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t)
++')
++
++########################################
++## <summary>
+ ## Execute all web scripts in the system
+ ## script domain.
+ ## </summary>
+@@ -841,12 +804,16 @@
# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
gen_require(`
@@ -9622,7 +9652,7 @@
')
')
-@@ -932,7 +873,7 @@
+@@ -932,7 +899,7 @@
type httpd_squirrelmail_t;
')
@@ -9631,7 +9661,7 @@
')
########################################
-@@ -1023,16 +964,16 @@
+@@ -1023,16 +990,16 @@
#
interface(`apache_manage_all_user_content',`
gen_require(`
@@ -9655,7 +9685,7 @@
')
########################################
-@@ -1088,3 +1029,169 @@
+@@ -1088,3 +1055,169 @@
allow httpd_t $1:process signal;
')
@@ -16020,7 +16050,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-05-28 15:41:47.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-05-30 12:03:12.069682000 -0400
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -17170,7 +17200,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.3.1/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-05-28 09:27:23.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-05-30 12:21:34.347831000 -0400
@@ -53,10 +53,9 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
@@ -17280,7 +17310,7 @@
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.3.1/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/mta.fc 2008-05-28 09:23:48.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mta.fc 2008-05-30 12:23:07.289600000 -0400
@@ -9,8 +9,10 @@
')
@@ -17292,10 +17322,13 @@
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-@@ -25,3 +27,4 @@
- #ifdef(`postfix.te', `', `
- #/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
- #')
+@@ -22,6 +24,4 @@
+ /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+ /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+
+-#ifdef(`postfix.te', `', `
+-#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+-#')
+/var/spool/courier(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.3.1/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2008-02-26 08:23:10.000000000 -0500
@@ -19002,7 +19035,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.3.1/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/oddjob.if 2008-05-29 12:10:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/oddjob.if 2008-05-30 12:25:55.088235000 -0400
@@ -44,6 +44,7 @@
')
@@ -19725,8 +19758,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-05-30 10:28:34.023521000 -0400
-@@ -0,0 +1,215 @@
++++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-05-30 13:22:39.887398000 -0400
+@@ -0,0 +1,219 @@
+policy_module(polkit_auth,1.0.0)
+
+########################################
@@ -19761,7 +19794,7 @@
+# polkit local policy
+#
+
-+allow polkit_auth_t self:capability setgid;
++allow polkit_t self:capability setgid;
+
+allow polkit_t self:process getattr;
+
@@ -19927,6 +19960,7 @@
+miscfiles_read_localization(polkit_resolve_t)
+
+logging_send_syslog_msg(polkit_resolve_t)
++
+userdom_read_all_users_state(polkit_resolve_t)
+userdom_ptrace_all_users(polkit_resolve_t)
+
@@ -19942,6 +19976,9 @@
+ hal_read_state(polkit_resolve_t)
+')
+
++optional_policy(`
++ unconfined_ptrace(polkit_resolve_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.3.1/policy/modules/services/portslave.te
--- nsaserefpolicy/policy/modules/services/portslave.te 2008-02-26 08:23:10.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/portslave.te 2008-05-28 09:06:14.000000000 -0400
@@ -21232,7 +21269,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.3.1/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/procmail.te 2008-05-28 09:06:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/procmail.te 2008-05-30 12:29:15.684405000 -0400
@@ -14,6 +14,10 @@
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
@@ -24822,7 +24859,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-05-28 09:06:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-05-30 12:37:56.557934000 -0400
@@ -21,8 +21,10 @@
gen_tunable(spamd_enable_home_dirs,true)
@@ -26014,7 +26051,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.3.1/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.fc 2008-05-29 08:55:38.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.fc 2008-05-30 12:39:38.663958000 -0400
@@ -1,13 +1,13 @@
#
# HOME_DIR
@@ -27498,7 +27535,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-05-29 09:08:39.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-05-30 12:07:42.622831000 -0400
@@ -8,6 +8,14 @@
## <desc>
@@ -28382,7 +28419,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-05-28 09:06:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-05-30 12:43:24.223984000 -0400
@@ -56,10 +56,6 @@
miscfiles_read_localization($1_chkpwd_t)
@@ -28440,7 +28477,15 @@
# for SSP/ProPolice
dev_read_urand($1)
# for fingerprint readers
-@@ -226,8 +239,40 @@
+@@ -190,6 +203,7 @@
+ dev_rw_generic_usb_dev($1)
+
+ files_read_etc_files($1)
++ files_read_etc_runtime_files($1)
+
+ fs_list_auto_mountpoints($1)
+
+@@ -226,8 +240,40 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -28481,7 +28526,7 @@
')
')
-@@ -333,19 +378,15 @@
+@@ -333,19 +379,15 @@
dev_read_rand($1)
dev_read_urand($1)
@@ -28505,7 +28550,7 @@
')
optional_policy(`
-@@ -356,6 +397,28 @@
+@@ -356,6 +398,28 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -28534,7 +28579,7 @@
')
########################################
-@@ -369,12 +432,12 @@
+@@ -369,12 +433,12 @@
## </param>
## <param name="role">
## <summary>
@@ -28549,7 +28594,7 @@
## </summary>
## </param>
#
-@@ -386,6 +449,7 @@
+@@ -386,6 +450,7 @@
auth_domtrans_chk_passwd($1)
role $2 types system_chkpwd_t;
allow system_chkpwd_t $3:chr_file rw_file_perms;
@@ -28557,7 +28602,15 @@
')
########################################
-@@ -1447,6 +1511,10 @@
+@@ -1436,6 +1501,7 @@
+
+ # read /etc/nsswitch.conf
+ files_read_etc_files($1)
++ files_read_etc_runtime_files($1)
+
+ miscfiles_read_certs($1)
+
+@@ -1447,6 +1513,10 @@
')
optional_policy(`
@@ -28568,7 +28621,7 @@
nis_use_ypbind($1)
')
-@@ -1457,6 +1525,7 @@
+@@ -1457,6 +1527,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
@@ -28576,7 +28629,7 @@
')
')
-@@ -1491,3 +1560,59 @@
+@@ -1491,3 +1562,59 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -28797,7 +28850,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.fc serefpolicy-3.3.1/policy/modules/system/getty.fc
--- nsaserefpolicy/policy/modules/system/getty.fc 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/getty.fc 2008-05-28 09:06:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/getty.fc 2008-05-30 11:40:38.195749000 -0400
@@ -8,5 +8,5 @@
/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
@@ -29783,7 +29836,7 @@
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-05-28 09:06:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-05-30 11:43:25.619453000 -0400
@@ -4,6 +4,8 @@
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
@@ -29797,12 +29850,21 @@
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/var/lib/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
++/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+
ifdef(`distro_suse', `
/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
+@@ -35,7 +40,7 @@
+ /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+-/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
+
+ ifndef(`distro_gentoo',`
+ /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
@@ -46,7 +51,7 @@
')
@@ -32940,73 +33002,68 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-05-29 12:13:16.000000000 -0400
-@@ -6,35 +6,71 @@
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-05-30 11:52:11.654105000 -0400
+@@ -1,78 +1,102 @@
+
+-policy_module(unconfined,2.1.0)
++policy_module(unconfined,1.7.0)
+
+ ########################################
+ #
# Declarations
#
++type unconfined_gnome_home_t;
++files_type(unconfined_gnome_home_t)
-+## <desc>
-+## <p>
-+## Transition to confined nsplugin domains from unconfined user
-+## </p>
-+## </desc>
-+gen_tunable(allow_unconfined_nsplugin_transition,false)
-+
-+## <desc>
-+## <p>
-+## Allow unconfined domain to map low memory in the kernel
-+## </p>
-+## </desc>
-+gen_tunable(allow_unconfined_mmap_low,false)
-+
-+## <desc>
-+## <p>
-+## Transition to confined qemu domains from unconfined user
-+## </p>
-+## </desc>
-+gen_tunable(allow_unconfined_qemu_transition,false)
-+
- # usage in this module of types created by these
- # calls is not correct, however we dont currently
- # have another method to add access to these types
+-# usage in this module of types created by these
+-# calls is not correct, however we dont currently
+-# have another method to add access to these types
-userdom_base_user_template(unconfined)
-userdom_manage_home_template(unconfined)
-userdom_manage_tmp_template(unconfined)
-userdom_manage_tmpfs_template(unconfined)
--
--type unconfined_exec_t;
--init_system_domain(unconfined_t, unconfined_exec_t)
-+userdom_restricted_user_template(unconfined)
-+userdom_common_user_template(unconfined)
-+#userdom_xwindows_client_template(unconfined)
++attribute unconfined_terminal;
++
++userdom_unpriv_user_template(unconfined)
++userdom_xwindows_client_template(unconfined)
+
++unconfined_terminal_type(unconfined_devpts_t)
++unconfined_terminal_type(unconfined_tty_device_t)
++userdom_user_home_content(unconfined,unconfined_gnome_home_t)
+
+ type unconfined_exec_t;
+-init_system_domain(unconfined_t, unconfined_exec_t)
++init_system_domain(unconfined_t,unconfined_exec_t)
++role unconfined_r types unconfined_t;
+domain_user_exemption_target(unconfined_t)
+allow system_r unconfined_r;
+allow unconfined_r system_r;
-+init_script_role_transition(unconfined_r)
type unconfined_execmem_t;
type unconfined_execmem_exec_t;
- init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
++init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
++unconfined_domain(unconfined_t)
++
+type unconfined_notrans_t;
+type unconfined_notrans_exec_t;
+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
+role unconfined_r types unconfined_notrans_t;
-+typealias unconfined_notrans_exec_t alias unconfined_exec_t;
+
########################################
#
# Local policy
#
+-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
+dontaudit unconfined_t self:dir write;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
- domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
++domtrans_pattern(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
@@ -33014,39 +33071,36 @@
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)
- init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++init_run_daemon(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+init_domtrans_script(unconfined_t)
-+init_chat(unconfined_t)
- libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +78,44 @@
- logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ logging_send_syslog_msg(unconfined_t)
+-logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-
+-seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-
+-unconfined_domain(unconfined_t)
++mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+# Unconfined running as system_r
+mount_domtrans_unconfined(unconfined_t)
-
-+seutil_run_setsebool(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-
- unconfined_domain(unconfined_t)
-+domain_mmap_low(unconfined_t)
++
++seutil_run_setsebool(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++seutil_run_setfiles(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++seutil_run_semanage(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
userdom_priveleged_home_dir_manager(unconfined_t)
optional_policy(`
- ada_domtrans(unconfined_t)
-+ gen_require(`
-+ type nsplugin_t;
-+ type nsplugin_config_t;
-+ ')
-+ role unconfined_r types nsplugin_t;
-+ role unconfined_r types nsplugin_config_t;
-+ tunable_policy(`allow_unconfined_nsplugin_transition', `
-+ nsplugin_use(unconfined, unconfined_t)
-+ ')
++ ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
@@ -33054,42 +33108,33 @@
- apache_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(httpd_unconfined_script_t)
-+ ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ apache_per_role_template(unconfined, unconfined_t, unconfined_r)
+ apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ unconfined_domain(httpd_unconfined_script_t)
')
optional_policy(`
- bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- cron_per_role_template(unconfined, unconfined_t, unconfined_r)
-- # this is disallowed usage:
-- unconfined_domain(unconfined_crond_t)
-+ bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ cron_per_role_template(unconfined,unconfined_t,unconfined_r)
+ # this is disallowed usage:
+ unconfined_domain(unconfined_crond_t)
++ unconfined_domain(unconfined_crontab_t)
++ role system_r types unconfined_crontab_t;
++ rpm_transition_script(unconfined_crond_t)
')
optional_policy(`
-@@ -101,12 +144,24 @@
- ')
-
- optional_policy(`
-+ gnomeclock_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ kerneloops_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
- networkmanager_dbus_chat(unconfined_t)
- ')
-
+@@ -107,126 +131,143 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
@@ -33100,181 +33145,183 @@
')
optional_policy(`
-@@ -118,11 +173,7 @@
+- firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ firstboot_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ ')
+
+ optional_policy(`
+- ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ java_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- inn_domtrans(unconfined_t)
--')
--
--optional_policy(`
++ ftp_run_ftpdctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ ')
+
+ optional_policy(`
- java_domtrans(unconfined_t)
-+ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ lpd_run_checkpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-@@ -134,82 +185,91 @@
+- lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ mono_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ ')
+-
+ optional_policy(`
+- modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- mono_domtrans(unconfined_t)
--')
--
--optional_policy(`
++ prelink_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ ')
+
+ optional_policy(`
- mta_per_role_template(unconfined, unconfined_t, unconfined_r)
-+ prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ portmap_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- oddjob_domtrans_mkhomedir(unconfined_t)
-+ portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ rpm_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ # Allow SELinux aware applications to request rpm_script execution
++ rpm_transition_script(unconfined_t)
')
optional_policy(`
- prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ tunable_policy(`allow_unconfined_qemu_transition', `
-+ qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ ', `
-+ qemu_runas_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ ')
-+ qemu_role(unconfined_r)
-+ qemu_unconfined_role(unconfined_r)
++ samba_per_role_template(unconfined)
++ samba_run_unconfined_net(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ samba_run_winbind_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ samba_run_smbcontrol(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ # Allow SELinux aware applications to request rpm_script execution
-+ rpm_role_transition(unconfined_r)
++ sendmail_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
-+ cron_per_role_template(unconfined, unconfined_t, unconfined_r)
-+ # this is disallowed usage:
-+ unconfined_domain(unconfined_crond_t)
-+ unconfined_domain(unconfined_crontab_t)
-+ role system_r types unconfined_crontab_t;
-+ rpm_transition_script(unconfined_crond_t)
++ sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ sysnet_dbus_chat_dhcpc(unconfined_t)
')
--
++optional_policy(`
++ tzdata_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++')
+
optional_policy(`
- pyzor_per_role_template(unconfined)
-+ samba_per_role_template(unconfined)
-+ samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ usermanage_run_admin_passwd(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- # cjp: this should probably be removed:
- rpc_domtrans_nfsd(unconfined_t)
-+ sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ vpn_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ sysnet_dbus_chat_dhcpc(unconfined_t)
-+ sysnet_role_transition_dhcpc(unconfined_r)
++ webalizer_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- samba_per_role_template(unconfined)
- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ wine_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
-+ vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
++ unconfined_domain(unconfined_mozilla_t)
++ allow unconfined_mozilla_t self:process { execstack execmem };
')
optional_policy(`
- sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- sysnet_dbus_chat_dhcpc(unconfined_t)
-+ webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
')
optional_policy(`
- tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ xserver_xdm_rw_shm(unconfined_t)
')
++########################################
++#
++# Unconfined Execmem Local policy
++#
++
++allow unconfined_execmem_t self:process { execstack execmem };
++unconfined_domain_noaudit(unconfined_execmem_t)
++allow unconfined_execmem_t unconfined_t:process transition;
++
optional_policy(`
- usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ gen_require(`
++ type unconfined_dbusd_t;
++ ')
++ unconfined_domain(unconfined_dbusd_t)
')
optional_policy(`
- vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ mono_per_role_template(unconfined, unconfined_t, unconfined_r)
-+ unconfined_domain(unconfined_mono_t)
++ init_dbus_chat_script(unconfined_execmem_t)
++ dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t)
++ unconfined_dbus_chat(unconfined_execmem_t)
++ unconfined_dbus_connect(unconfined_execmem_t)
')
optional_policy(`
- webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
++ avahi_dbus_chat(unconfined_execmem_t)
')
optional_policy(`
- wine_domtrans(unconfined_t)
-+ livecd_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
++ hal_dbus_chat(unconfined_execmem_t)
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
-+ xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+ xserver_xdm_rw_shm(unconfined_t)
++ xserver_xdm_rw_shm(unconfined_execmem_t)
')
++corecmd_exec_all_executables(unconfined_t)
++
########################################
-@@ -219,14 +279,36 @@
-
- allow unconfined_execmem_t self:process { execstack execmem };
- unconfined_domain_noaudit(unconfined_execmem_t)
-+allow unconfined_execmem_t unconfined_t:process transition;
+ #
+-# Unconfined Execmem Local policy
++# Unconfined notrans Local policy
+ #
- optional_policy(`
+-allow unconfined_execmem_t self:process { execstack execmem };
+-unconfined_domain_noaudit(unconfined_execmem_t)
+-
+-optional_policy(`
- dbus_stub(unconfined_execmem_t)
-
- init_dbus_chat_script(unconfined_execmem_t)
-+ dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t)
- unconfined_dbus_chat(unconfined_execmem_t)
-+ unconfined_dbus_connect(unconfined_execmem_t)
-+')
+- init_dbus_chat_script(unconfined_execmem_t)
+- unconfined_dbus_chat(unconfined_execmem_t)
++allow unconfined_notrans_t self:process { execstack execmem };
++unconfined_domain_noaudit(unconfined_notrans_t)
++domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
- optional_policy(`
- hal_dbus_chat(unconfined_execmem_t)
- ')
-+optional_policy(`
-+ avahi_dbus_chat(unconfined_execmem_t)
-+')
-+
-+optional_policy(`
-+ hal_dbus_chat(unconfined_execmem_t)
- ')
-+
-+optional_policy(`
-+ xserver_xdm_rw_shm(unconfined_execmem_t)
-+')
-+
-+########################################
-+#
-+# Unconfined notrans Local policy
-+#
-+
-+allow unconfined_notrans_t self:process { execstack execmem };
-+unconfined_domain_noaudit(unconfined_notrans_t)
-+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
-+# Allow SELinux aware applications to request rpm_script execution
-+rpm_transition_script(unconfined_notrans_t)
-+domain_ptrace_all_domains(unconfined_notrans_t)
-+
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.3.1/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-02-26 08:23:09.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.fc 2008-05-28 09:06:14.000000000 -0400
@@ -33290,7 +33337,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-05-30 10:42:18.613335000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-05-30 11:52:25.954180000 -0400
@@ -29,9 +29,14 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.679
retrieving revision 1.680
diff -u -r1.679 -r1.680
--- selinux-policy.spec 30 May 2008 14:43:33 -0000 1.679
+++ selinux-policy.spec 30 May 2008 17:24:14 -0000 1.680
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 62%{?dist}
+Release: 63%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,7 +385,7 @@
%endif
%changelog
-* Fri May 30 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-62
+* Fri May 30 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-63
- Allow policykit_resolve to ptrace user processes
* Fri May 30 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-61
More information about the fedora-extras-commits
mailing list