rpms/selinux-policy/devel policy-20080710.patch, 1.31, 1.32 sources, 1.163, 1.164

Daniel J Walsh dwalsh at fedoraproject.org
Tue Sep 16 13:57:16 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21026

Modified Files:
	policy-20080710.patch sources 
Log Message:
* Thu Sep 11 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-1
- Merge upstream changes
- Add Xavier Toth patches


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- policy-20080710.patch	16 Sep 2008 13:47:03 -0000	1.31
+++ policy-20080710.patch	16 Sep 2008 13:57:15 -0000	1.32
@@ -33240,7 +33240,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if	2008-09-15 11:58:54.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/system/userdomain.if	2008-09-16 09:56:01.000000000 -0400
 @@ -28,10 +28,14 @@
  		class context contains;
  	')
@@ -34377,7 +34377,7 @@
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -1189,36 +1183,45 @@
+@@ -1189,36 +1183,49 @@
  		')
  	')
  
@@ -34416,6 +34416,10 @@
  
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
++		cron_per_role_template($1, $1_usertype, $1_r)
++	')
++
++	optional_policy(`
 +		nsplugin_per_role_template($1, $1_usertype, $1_r)
 +	')
 +
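Review bot: `cron_per_role_template($1, $1_usertype, $1_r)` at L52 is added unconditionally inside `optional_policy`, so every user domain instantiated from this template now presumably gets its own crontab/cron job domains (what the template expands to is not visible here — confirm). The enclosing template starts and ends outside the hunk, so from this hunk alone it cannot be told whether this is the unprivileged-user template or a privileged one; worth checking that all callers of the template expect per-user cron domains. The changelog in the log message ("Merge upstream changes", "Add Xavier Toth patches") does not mention the new cron wiring, so a one-line entry naming it would help anyone auditing what 3.5.8-1 grants. The argument list matches the neighbouring `nsplugin_per_role_template($1, $1_usertype, $1_r)` call, which is consistent.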
@@ -34436,7 +34440,7 @@
  	')
  ')
  
-@@ -1295,8 +1298,6 @@
+@@ -1295,8 +1302,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -34445,7 +34449,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1318,8 +1319,6 @@
+@@ -1318,8 +1323,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -34454,7 +34458,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1374,13 +1373,6 @@
+@@ -1374,13 +1377,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -34468,7 +34472,7 @@
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1432,6 +1424,7 @@
+@@ -1432,6 +1428,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -34476,7 +34480,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1461,10 +1454,6 @@
+@@ -1461,10 +1458,6 @@
  	seutil_run_semanage($1,$2,$3)
  	seutil_run_setfiles($1, $2, $3)
  
@@ -34487,7 +34491,7 @@
  	optional_policy(`
  		aide_run($1,$2, $3)
  	')
-@@ -1484,6 +1473,14 @@
+@@ -1484,6 +1477,14 @@
  	optional_policy(`
  		netlabel_run_mgmt($1,$2, $3)
  	')
@@ -34502,7 +34506,7 @@
  ')
  
  ########################################
-@@ -1741,11 +1738,15 @@
+@@ -1741,11 +1742,15 @@
  #
  template(`userdom_user_home_content',`
  	gen_require(`
@@ -34521,7 +34525,7 @@
  ')
  
  ########################################
-@@ -1841,11 +1842,11 @@
+@@ -1841,11 +1846,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -34535,7 +34539,7 @@
  ')
  
  ########################################
-@@ -1875,11 +1876,11 @@
+@@ -1875,11 +1880,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -34549,7 +34553,7 @@
  ')
  
  ########################################
-@@ -1923,12 +1924,12 @@
+@@ -1923,12 +1928,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -34565,7 +34569,7 @@
  ')
  
  ########################################
-@@ -1958,10 +1959,11 @@
+@@ -1958,10 +1963,11 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -34579,7 +34583,7 @@
  ')
  
  ########################################
-@@ -1993,11 +1995,47 @@
+@@ -1993,11 +1999,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -34629,7 +34633,7 @@
  ')
  
  ########################################
-@@ -2029,10 +2067,10 @@
+@@ -2029,10 +2071,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -34642,7 +34646,7 @@
  ')
  
  ########################################
-@@ -2062,11 +2100,11 @@
+@@ -2062,11 +2104,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -34656,7 +34660,7 @@
  ')
  
  ########################################
-@@ -2096,11 +2134,11 @@
+@@ -2096,11 +2138,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -34671,7 +34675,7 @@
  ')
  
  ########################################
-@@ -2130,10 +2168,14 @@
+@@ -2130,10 +2172,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -34688,7 +34692,7 @@
  ')
  
  ########################################
-@@ -2163,11 +2205,11 @@
+@@ -2163,11 +2209,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -34702,7 +34706,7 @@
  ')
  
  ########################################
-@@ -2197,11 +2239,11 @@
+@@ -2197,11 +2243,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -34716,7 +34720,7 @@
  ')
  
  ########################################
-@@ -2231,10 +2273,10 @@
+@@ -2231,10 +2277,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -34729,7 +34733,7 @@
  ')
  
  ########################################
-@@ -2266,12 +2308,12 @@
+@@ -2266,12 +2312,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -34745,7 +34749,7 @@
  ')
  
  ########################################
-@@ -2303,10 +2345,10 @@
+@@ -2303,10 +2349,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -34758,7 +34762,7 @@
  ')
  
  ########################################
-@@ -2338,12 +2380,12 @@
+@@ -2338,12 +2384,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -34774,7 +34778,7 @@
  ')
  
  ########################################
-@@ -2375,12 +2417,12 @@
+@@ -2375,12 +2421,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -34790,7 +34794,7 @@
  ')
  
  ########################################
-@@ -2412,12 +2454,12 @@
+@@ -2412,12 +2458,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -34806,7 +34810,7 @@
  ')
  
  ########################################
-@@ -2462,11 +2504,11 @@
+@@ -2462,11 +2508,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -34820,7 +34824,7 @@
  ')
  
  ########################################
-@@ -2511,11 +2553,11 @@
+@@ -2511,11 +2557,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -34834,7 +34838,7 @@
  ')
  
  ########################################
-@@ -2555,11 +2597,11 @@
+@@ -2555,11 +2601,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -34848,7 +34852,7 @@
  ')
  
  ########################################
-@@ -2589,11 +2631,11 @@
+@@ -2589,11 +2635,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -34862,7 +34866,7 @@
  ')
  
  ########################################
-@@ -2623,11 +2665,11 @@
+@@ -2623,11 +2669,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -34876,7 +34880,7 @@
  ')
  
  ########################################
-@@ -2659,10 +2701,10 @@
+@@ -2659,10 +2705,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -34889,7 +34893,7 @@
  ')
  
  ########################################
-@@ -2694,10 +2736,10 @@
+@@ -2694,10 +2740,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -34902,7 +34906,7 @@
  ')
  
  ########################################
-@@ -2727,12 +2769,12 @@
+@@ -2727,12 +2773,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -34918,7 +34922,7 @@
  ')
  
  ########################################
-@@ -2764,10 +2806,10 @@
+@@ -2764,10 +2810,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -34931,7 +34935,7 @@
  ')
  
  ########################################
-@@ -2799,10 +2841,10 @@
+@@ -2799,10 +2845,10 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -34944,7 +34948,7 @@
  ')
  
  ########################################
-@@ -2832,12 +2874,12 @@
+@@ -2832,12 +2878,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -34960,7 +34964,7 @@
  ')
  
  ########################################
-@@ -2869,10 +2911,10 @@
+@@ -2869,10 +2915,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -34973,7 +34977,7 @@
  ')
  
  ########################################
-@@ -2904,12 +2946,12 @@
+@@ -2904,12 +2950,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -34989,7 +34993,7 @@
  ')
  
  ########################################
-@@ -2941,11 +2983,11 @@
+@@ -2941,11 +2987,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -35003,7 +35007,7 @@
  ')
  
  ########################################
-@@ -2977,11 +3019,11 @@
+@@ -2977,11 +3023,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -35017,7 +35021,7 @@
  ')
  
  ########################################
-@@ -3013,11 +3055,11 @@
+@@ -3013,11 +3059,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -35031,7 +35035,7 @@
  ')
  
  ########################################
-@@ -3049,11 +3091,11 @@
+@@ -3049,11 +3095,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -35045,7 +35049,7 @@
  ')
  
  ########################################
-@@ -3085,11 +3127,11 @@
+@@ -3085,11 +3131,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -35059,7 +35063,7 @@
  ')
  
  ########################################
-@@ -3134,10 +3176,10 @@
+@@ -3134,10 +3180,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -35072,7 +35076,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3178,19 +3220,19 @@
+@@ -3178,19 +3224,19 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -35096,7 +35100,7 @@
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -4616,11 +4658,11 @@
+@@ -4616,11 +4662,11 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -35110,7 +35114,7 @@
  ')
  
  ########################################
-@@ -4640,6 +4682,14 @@
+@@ -4640,6 +4686,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -35125,7 +35129,7 @@
  ')
  
  ########################################
-@@ -4677,6 +4727,8 @@
+@@ -4677,6 +4731,8 @@
  	')
  
  	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -35134,7 +35138,7 @@
  ')
  
  ########################################
-@@ -4721,6 +4773,25 @@
+@@ -4721,6 +4777,25 @@
  
  ########################################
  ## <summary>
@@ -35160,7 +35164,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4946,7 +5017,7 @@
+@@ -4946,7 +5021,7 @@
  
  ########################################
  ## <summary>
@@ -35169,11 +35173,103 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5318,6 +5389,42 @@
+@@ -5318,7 +5393,7 @@
  
  ########################################
  ## <summary>
+-##	Read and write unprivileged user ttys.
 +##	Write all unprivileged users files in /tmp
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5326,18 +5401,17 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_use_unpriv_users_ttys',`
++interface(`userdom_manage_unpriv_users_tmp_files',`
+ 	gen_require(`
+-		attribute user_ttynode;
++		type user_tmp_t;
+ 	')
+ 
+-	allow $1 user_ttynode:chr_file rw_term_perms;
++	manage_files_pattern($1, user_tmp_t,  user_tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to use unprivileged
+-##	user ttys.
++##	Write all unprivileged users lnk_files in /tmp
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5345,17 +5419,17 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_use_unpriv_users_ttys',`
++interface(`userdom_manage_unpriv_users_tmp_symlinks',`
+ 	gen_require(`
+-		attribute user_ttynode;
++		type user_tmp_t;
+ 	')
+ 
+-	dontaudit $1 user_ttynode:chr_file rw_file_perms;
++	manage_lnk_files_pattern($1, user_tmp_t,  user_tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read the process state of all user domains.
++##	Read and write unprivileged user ttys.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5363,18 +5437,18 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_use_unpriv_users_ttys',`
+ 	gen_require(`
+-		attribute userdomain;
++		attribute user_ttynode;
+ 	')
+ 
+-	read_files_pattern($1,userdomain,userdomain)
+-	kernel_search_proc($1)
++	allow $1 user_ttynode:chr_file rw_term_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of all user domains.
++##	Do not audit attempts to use unprivileged
++##	user ttys.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5382,17 +5456,54 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_getattr_all_users',`
++interface(`userdom_dontaudit_use_unpriv_users_ttys',`
+ 	gen_require(`
+-		attribute userdomain;
++		attribute user_ttynode;
+ 	')
+ 
+-	allow $1 userdomain:process getattr;
++	dontaudit $1 user_ttynode:chr_file rw_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Inherit the file descriptors from all user domains
++##	Read the process state of all user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
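Review bot: The summary for `userdom_manage_unpriv_users_tmp_files` at L510, `Write all unprivileged users files in /tmp`, understates what the body at L526 grants: `manage_files_pattern($1, user_tmp_t, user_tmp_t)` covers create and delete as well as read/write, and the same mismatch applies to the lnk_files interface summary at L533 against `manage_lnk_files_pattern` at L549. Suggest the wording this page already uses for the equivalent home-directory interface (L492), e.g. `##	Create, read, write, and delete all unprivileged users files in /tmp` and `##	Create, read, write, and delete all unprivileged users lnk_files in /tmp`, so a policy reviewer reading the summary sees the full scope of the permission. This hunk is a regenerated diff and the interfaces themselves were already present in revision 1.31, so only the comment wording needs changing. The doubled space before the second `user_tmp_t` argument at L526 and L549 is a style nit.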
@@ -35181,17 +35277,18 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_manage_unpriv_users_tmp_files',`
++interface(`userdom_read_all_users_state',`
 +	gen_require(`
-+		type user_tmp_t;
++		attribute userdomain;
 +	')
 +
-+	manage_files_pattern($1, user_tmp_t,  user_tmp_t)
++	ps_process_pattern($1, userdomain)
++	kernel_search_proc($1)
 +')
 +
 +########################################
 +## <summary>
-+##	Write all unprivileged users lnk_files in /tmp
++##	Get the attributes of all user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -35199,42 +35296,32 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_manage_unpriv_users_tmp_symlinks',`
++interface(`userdom_getattr_all_users',`
 +	gen_require(`
-+		type user_tmp_t;
++		attribute userdomain;
 +	')
 +
-+	manage_lnk_files_pattern($1, user_tmp_t,  user_tmp_t)
++	allow $1 userdomain:process getattr;
 +')
 +
 +########################################
 +## <summary>
- ##	Read and write unprivileged user ttys.
++##	Inherit the file descriptors from all user domains
  ## </summary>
  ## <param name="domain">
-@@ -5368,7 +5475,7 @@
- 		attribute userdomain;
- 	')
- 
--	read_files_pattern($1,userdomain,userdomain)
-+	ps_process_pattern($1, userdomain)
- 	kernel_search_proc($1)
- ')
- 
-@@ -5483,7 +5590,7 @@
+ ##	<summary>
+@@ -5483,6 +5594,42 @@
  
  ########################################
  ## <summary>
--##	Send a dbus message to all user domains.
 +##	Manage keys for all user domains.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5491,7 +5598,43 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_dbus_send_all_users',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`userdom_manage_all_users_keys',`
 +	gen_require(`
 +		attribute userdomain;
@@ -35263,19 +35350,10 @@
 +
 +########################################
 +## <summary>
-+##	Send a dbus message to all user domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dbus_send_all_users',`
- 	gen_require(`
- 		attribute userdomain;
- 		class dbus send_msg;
-@@ -5513,3 +5656,524 @@
+ ##	Send a dbus message to all user domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -5513,3 +5660,524 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/sources,v
retrieving revision 1.163
retrieving revision 1.164
diff -u -r1.163 -r1.164
--- sources	12 Sep 2008 20:36:21 -0000	1.163
+++ sources	16 Sep 2008 13:57:15 -0000	1.164
@@ -1 +1 @@
-1b4c8999f49501d5bcfc81fb2498b2e6  serefpolicy-3.5.8.tgz
+dcacf4cddcb4232564044e8d33c4d28e  serefpolicy-3.5.8.tgz



