rpms/selinux-policy/devel policy-20080710.patch, 1.41, 1.42 selinux-policy.spec, 1.708, 1.709

Daniel J Walsh dwalsh at fedoraproject.org
Mon Sep 22 17:56:26 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8911

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
* Mon Sep 22 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-5
- Add file context for /dev/mspblk.*


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -r1.41 -r1.42
--- policy-20080710.patch	22 Sep 2008 12:33:03 -0000	1.41
+++ policy-20080710.patch	22 Sep 2008 17:55:56 -0000	1.42
@@ -218,6 +218,17 @@
 +system_r:sshd_t		xguest_r:xguest_t
 +system_r:crond_t	xguest_r:xguest_crond_t
 +system_r:xdm_t		xguest_r:xguest_t
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.8/policy/flask/access_vectors
+--- nsaserefpolicy/policy/flask/access_vectors	2008-08-07 11:15:00.000000000 -0400
++++ serefpolicy-3.5.8/policy/flask/access_vectors	2008-09-22 13:22:25.000000000 -0400
+@@ -616,6 +616,7 @@
+ 	nlmsg_write
+ 	nlmsg_relay
+ 	nlmsg_readpriv
++	nlmsg_tty_audit
+ }
+ 
+ class netlink_ip6fw_socket
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.8/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2008-08-07 11:15:13.000000000 -0400
 +++ serefpolicy-3.5.8/policy/global_tunables	2008-09-17 08:49:08.000000000 -0400
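Review bot: The new `nlmsg_tty_audit` permission is added to the permission list at L40, but nothing else in this commit grants or references it and the changelog entry only mentions /dev/mspblk.*, so the reason for the new permission is not recorded anywhere; add a changelog line such as `- Add nlmsg_tty_audit permission to the audit netlink socket class`. The class header is outside the hunk, so the class is only inferred from the neighbouring nlmsg_* names. Keeping the new permission last in the list, as done here, is the right thing for kernels that still map permissions to access-vector bits by position; a short comment next to it, `# must stay last: bit positions are fixed on older kernels`, would prevent a later alphabetical reorder from silently shifting the existing permissions' bits.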
@@ -870,7 +881,7 @@
  ifdef(`distro_suse', `
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.8/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/admin/rpm.if	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/admin/rpm.if	2008-09-22 09:09:03.000000000 -0400
 @@ -152,6 +152,24 @@
  
  ########################################
@@ -8049,7 +8060,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.8/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/kernel/kernel.if	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/kernel/kernel.if	2008-09-22 12:18:03.000000000 -0400
 @@ -1198,6 +1198,7 @@
  	')
  
@@ -8058,7 +8069,15 @@
  ')
  
  ########################################
-@@ -1768,6 +1769,7 @@
+@@ -1234,6 +1235,7 @@
+ interface(`kernel_read_sysctl',`
+ 	gen_require(`
+ 		type sysctl_t;
++		type proc_t;
+ 	')
+ 
+ 	list_dirs_pattern($1, proc_t, sysctl_t)
+@@ -1768,6 +1770,7 @@
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -8066,7 +8085,7 @@
  ')
  
  ########################################
-@@ -2582,6 +2584,24 @@
+@@ -2582,6 +2585,24 @@
  
  ########################################
  ## <summary>
@@ -8271,6 +8290,25 @@
  neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
  neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
  neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.8/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc	2008-08-07 11:15:01.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/kernel/storage.fc	2008-09-22 12:22:40.000000000 -0400
+@@ -27,6 +27,7 @@
+ /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
++/dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
+@@ -65,6 +66,7 @@
+ 
+ /dev/md/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mapper/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ 
+ /dev/raw/raw[0-9]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.8/policy/modules/roles/guest.fc
 --- nsaserefpolicy/policy/modules/roles/guest.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.5.8/policy/modules/roles/guest.fc	2008-09-17 08:49:08.000000000 -0400
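Review bot: `/dev/mspblk.*` is added to storage.fc twice with the identical context, once after `/dev/mmcblk.*` in the first hunk and again after `/dev/mapper/.*` in the second; the second entry is redundant, and duplicate identical specs typically draw a "Multiple same specifications" warning from setfiles/restorecon at relabel time. Drop the second one — the placement next to `/dev/mmcblk.*` is the natural home, since both are labelled removable_device_t with the same `-b` qualifier. The removable (s0) rather than fixed_disk (mls_systemhigh) labelling presumably follows the mmcblk precedent for memory-card block devices; if that is the intent, it is worth a one-line comment so it is not later "corrected" to fixed_disk_device_t.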
@@ -19377,7 +19415,7 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.8/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te	2008-09-22 09:09:30.000000000 -0400
 @@ -29,9 +29,9 @@
  
  # networkmanager will ptrace itself if gdb is installed
@@ -19470,7 +19508,7 @@
  ')
  
  optional_policy(`
-@@ -168,9 +184,16 @@
+@@ -168,9 +184,17 @@
  ')
  
  optional_policy(`
@@ -19483,6 +19521,7 @@
 +')
 +
 +optional_policy(`
++	rpm_exec(NetworkManager_t)
 +	rpm_read_db(NetworkManager_t)
 +	rpm_dontaudit_manage_db(NetworkManager_t)
  ')
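Review bot: `rpm_exec(NetworkManager_t)` executes the rpm binary in the NetworkManager_t domain with no domain transition, so whatever rpm does runs with NetworkManager's own privileges, and nothing in the hunk records why a network daemon needs to run rpm at all. Presumably this is the gdb crash-handler path suggested by the "networkmanager will ptrace itself if gdb is installed" comment at the top of the file, with gdb shelling out to rpm; if so, say it above the block, e.g. `# gdb, run on crash, execs rpm to query the package db`, mirroring the comment xserver.te carries for the equivalent xdm_t rules. If a confined rpm domain were intended instead, rpm_domtrans would be the interface, so the choice deserves a word. The changelog does not mention this new access either.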
@@ -22006,7 +22045,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.8/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/prelude.te	2008-09-19 10:06:36.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/prelude.te	2008-09-22 09:13:31.000000000 -0400
 @@ -13,18 +13,56 @@
  type prelude_spool_t;
  files_type(prelude_spool_t)
@@ -22074,7 +22113,7 @@
  corecmd_search_bin(prelude_t)
  
  corenet_all_recvfrom_unlabeled(prelude_t)
-@@ -56,6 +97,9 @@
+@@ -56,15 +97,23 @@
  corenet_tcp_sendrecv_all_if(prelude_t)
  corenet_tcp_sendrecv_all_nodes(prelude_t)
  corenet_tcp_bind_all_nodes(prelude_t)
@@ -22084,14 +22123,16 @@
  
  dev_read_rand(prelude_t)
  dev_read_urand(prelude_t)
-@@ -65,6 +109,11 @@
+ 
++kernel_read_sysctl(prelude_t)
++
+ # Init script handling
+ domain_use_interactive_fds(prelude_t)
  
  files_read_etc_files(prelude_t)
  files_read_usr_files(prelude_t)
 +files_search_tmp(prelude_t)
 +
-+files_search_tmp(prelude_t)
-+
 +fs_rw_anon_inodefs_files(prelude_t)
  
  auth_use_nsswitch(prelude_t)
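Review bot: `kernel_read_sysctl(prelude_t)` is added with no indication of which sysctl prelude-manager actually reads; from the interface body shown earlier in this patch it at least lists sysctl_t directories under proc_t (the rest of the interface is outside that hunk), which is narrow, but a one-line why-comment such as `# reads /proc/sys/<entry> on startup -- confirm which` would let the next maintainer verify the access is still needed. The same access is granted to prelude_audisp_t in the next hunk; if both stem from the same library call, one comment naming it avoids two guesses later. The changelog for this release does not mention the prelude changes.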
@@ -22104,7 +22145,15 @@
  
  dev_read_rand(prelude_audisp_t)
  dev_read_urand(prelude_audisp_t)
-@@ -123,9 +173,122 @@
+@@ -117,15 +167,129 @@
+ # Init script handling
+ domain_use_interactive_fds(prelude_audisp_t)
+ 
++kernel_read_sysctl(prelude_audisp_t)
++
+ files_read_etc_files(prelude_audisp_t)
+ 
+ libs_use_ld_so(prelude_audisp_t)
  libs_use_shared_libs(prelude_audisp_t)
  
  logging_send_syslog_msg(prelude_audisp_t)
@@ -22216,7 +22265,6 @@
 +
 +miscfiles_read_localization(prelude_lml_t)
 +
-+# if prelude_lml wants to relay to a remote prelude-manager using dns
 +sysnet_dns_name_resolve(prelude_lml_t)
 +
 +optional_policy(`
@@ -22227,7 +22275,7 @@
  ########################################
  #
  # prewikka_cgi Declarations
-@@ -133,8 +296,19 @@
+@@ -133,8 +297,19 @@
  
  optional_policy(`
  	apache_content_template(prewikka)
@@ -28730,7 +28778,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/xserver.te	2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/xserver.te	2008-09-22 09:10:33.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -29035,7 +29083,7 @@
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
  	gpm_setattr_gpmctl(xdm_t)
-@@ -382,16 +485,32 @@
+@@ -382,16 +485,33 @@
  ')
  
  optional_policy(`
@@ -29045,6 +29093,7 @@
 +
 +# On crash gdm execs gdb to dump stack
 +optional_policy(`
++	rpm_exec(xdm_t)
 +	rpm_read_db(xdm_t)
 +	rpm_dontaudit_manage_db(xdm_t)
 +')
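Review bot: The comment above the block explains that gdm execs gdb on crash, but the rules that follow are about rpm, not gdb, so the link between the two is missing; extend it to something like `# On crash gdm execs gdb to dump stack; gdb in turn runs rpm to query the package db`, adjusted to whatever the actual call is. Because `rpm_exec` keeps rpm running in xdm_t rather than transitioning to rpm_t, and `rpm_dontaudit_manage_db` only silences write attempts to the db, any rpm write from this path fails quietly — worth stating in the comment so the dontaudit is not later turned into an allow.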
@@ -29069,7 +29118,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -427,7 +546,7 @@
+@@ -427,7 +547,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -29078,7 +29127,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -439,6 +558,15 @@
+@@ -439,6 +559,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -29094,7 +29143,7 @@
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -450,10 +578,19 @@
+@@ -450,10 +579,19 @@
  # xdm_xserver_t may no longer have any reason
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
@@ -29115,7 +29164,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -468,8 +605,19 @@
+@@ -468,8 +606,19 @@
  
  optional_policy(`
  	dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
@@ -29135,7 +29184,7 @@
  
  optional_policy(`
  	resmgr_stream_connect(xdm_t)
-@@ -481,8 +629,25 @@
+@@ -481,8 +630,25 @@
  ')
  
  optional_policy(`
@@ -29163,7 +29212,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_xserver_t self:process { execheap execmem };
-@@ -491,7 +656,6 @@
+@@ -491,7 +657,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_xserver_t self:process { execheap execmem };
  	')
@@ -29171,7 +29220,7 @@
  
  ########################################
  #
-@@ -544,3 +708,56 @@
+@@ -544,3 +709,56 @@
  #
  allow pam_t xdm_t:fifo_file { getattr ioctl write };
  ') dnl end TODO


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.708
retrieving revision 1.709
diff -u -r1.708 -r1.709
--- selinux-policy.spec	22 Sep 2008 12:33:03 -0000	1.708
+++ selinux-policy.spec	22 Sep 2008 17:55:56 -0000	1.709
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.8
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
 %endif
 
 %changelog
+* Mon Sep 22 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-5
+- Add file context for /dev/mspblk.*
+
 * Sun Sep 21 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-4
 - Fix transition to nsplugin
 '



