rpms/selinux-policy/devel .cvsignore, 1.148, 1.149 policy-20080710.patch, 1.46, 1.47 sources, 1.164, 1.165
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Sep 26 12:39:26 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21117
Modified Files:
.cvsignore policy-20080710.patch sources
Log Message:
* Wed Sep 24 2008 Dan Walsh <dwalsh at redhat.com> 3.5.9-1
- Upgrade to upstream
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.148
retrieving revision 1.149
diff -u -r1.148 -r1.149
--- .cvsignore 12 Sep 2008 20:36:20 -0000 1.148
+++ .cvsignore 26 Sep 2008 12:38:56 -0000 1.149
@@ -150,3 +150,4 @@
serefpolicy-3.5.6.tgz
serefpolicy-3.5.7.tgz
serefpolicy-3.5.8.tgz
+serefpolicy-3.5.9.tgz
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- policy-20080710.patch 25 Sep 2008 18:54:16 -0000 1.46
+++ policy-20080710.patch 26 Sep 2008 12:38:56 -0000 1.47
@@ -431,7 +431,7 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.5.9/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2008-08-14 10:07:05.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/admin/amanda.te 2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/admin/amanda.te 2008-09-25 15:03:17.000000000 -0400
@@ -129,6 +129,8 @@
corenet_tcp_bind_all_nodes(amanda_t)
corenet_udp_bind_all_nodes(amanda_t)
@@ -541,22 +541,31 @@
-') dnl end TODO
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.9/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/admin/kismet.te 2008-09-25 08:33:18.000000000 -0400
-@@ -26,7 +26,10 @@
++++ serefpolicy-3.5.9/policy/modules/admin/kismet.te 2008-09-25 15:06:28.000000000 -0400
+@@ -26,7 +26,11 @@
#
allow kismet_t self:capability { net_admin net_raw setuid setgid };
+allow kismet_t self:fifo_file rw_file_perms;
allow kismet_t self:packet_socket create_socket_perms;
-+allow kismet_t self:unix_dgram_socket create_socket_perms;
++allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
++allow kismet_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
allow kismet_t kismet_log_t:dir setattr;
-@@ -42,6 +45,8 @@
+@@ -42,6 +46,16 @@
corecmd_exec_bin(kismet_t)
++corenet_all_recvfrom_unlabeled(kismet_t)
++corenet_all_recvfrom_netlabel(kismet_t)
++corenet_tcp_sendrecv_all_if(kismet_t)
++corenet_tcp_sendrecv_all_nodes(kismet_t)
++corenet_tcp_sendrecv_all_ports(kismet_t)
++corenet_tcp_bind_all_nodes(kismet_t)
++corenet_tcp_bind_all_kismet_port(kismet_t)
++
+kernel_search_debugfs(kismet_t)
+
auth_use_nsswitch(kismet_t)
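Review bot: `corenet_tcp_bind_all_kismet_port(kismet_t)` in the second kismet.te hunk does not match the interface name that `network_port(kismet, tcp,2501,s0)` (added to corenetwork.te.in in this same revision) would normally generate, which I would expect to be `corenet_tcp_bind_kismet_port(kismet_t)`. If no interface with the `all_` spelling exists, the intended bind permission is either not granted or the module fails to build. Separately, `corenet_tcp_sendrecv_all_ports(kismet_t)` gives a domain that already holds `net_admin` and `net_raw` TCP send/receive on every port type, although only the kismet port is declared. Consider `corenet_tcp_sendrecv_kismet_port(kismet_t)` instead, or add a comment stating why the wider rule is needed. The kismet.te rules continue outside this hunk.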
@@ -6482,7 +6491,7 @@
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.9/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-09-24 09:07:27.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/kernel/corenetwork.te.in 2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/kernel/corenetwork.te.in 2008-09-25 15:05:47.000000000 -0400
@@ -75,6 +75,7 @@
network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
@@ -6499,10 +6508,11 @@
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -116,14 +118,17 @@
+@@ -116,14 +118,18 @@
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
++network_port(kismet, tcp,2501,s0)
+network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
@@ -6517,7 +6527,7 @@
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
-@@ -135,11 +140,13 @@
+@@ -135,11 +141,13 @@
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(postfix_policyd, tcp,10031,s0)
@@ -6531,7 +6541,7 @@
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
-@@ -157,7 +164,7 @@
+@@ -157,7 +165,7 @@
network_port(rwho, udp,513,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -6540,7 +6550,7 @@
network_port(spamd, tcp,783,s0)
network_port(ssh, tcp,22,s0)
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
-@@ -168,13 +175,16 @@
+@@ -168,13 +176,16 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -7261,7 +7271,7 @@
## all protocols (TCP, UDP, etc)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.9/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/kernel/domain.te 2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/kernel/domain.te 2008-09-25 15:20:04.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -14248,7 +14258,7 @@
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.9/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/dbus.if 2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/dbus.if 2008-09-25 15:21:22.000000000 -0400
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -18661,7 +18671,7 @@
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.9/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/networkmanager.te 2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/networkmanager.te 2008-09-25 15:14:50.000000000 -0400
@@ -33,9 +33,9 @@
# networkmanager will ptrace itself if gdb is installed
@@ -18720,7 +18730,13 @@
libs_use_ld_so(NetworkManager_t)
libs_use_shared_libs(NetworkManager_t)
-@@ -133,9 +141,12 @@
+@@ -128,14 +136,18 @@
+ # in /etc created by NetworkManager will be labelled net_conf_t.
+ sysnet_manage_config(NetworkManager_t)
+ sysnet_etc_filetrans_config(NetworkManager_t)
++sysnet_read_dhcp_config(NetworkManager_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
# Read gnome-keyring
userdom_read_unpriv_users_home_content_files(NetworkManager_t)
@@ -18733,7 +18749,7 @@
optional_policy(`
bind_domtrans(NetworkManager_t)
bind_manage_cache(NetworkManager_t)
-@@ -151,21 +162,26 @@
+@@ -151,21 +163,26 @@
')
optional_policy(`
@@ -18765,7 +18781,7 @@
')
optional_policy(`
-@@ -174,9 +190,17 @@
+@@ -174,9 +191,17 @@
')
optional_policy(`
@@ -31056,36 +31072,37 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.9/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/unconfined.fc 2008-09-25 08:33:18.000000000 -0400
-@@ -2,15 +2,11 @@
++++ serefpolicy-3.5.9/policy/modules/system/unconfined.fc 2008-09-25 14:37:47.000000000 -0400
+@@ -2,15 +2,29 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
- /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
-
- /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
- /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
+-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
++/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
ifdef(`distro_gentoo',`
- /usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
- ')
-@@ -14,3 +10,20 @@
- ifdef(`distro_gentoo',`
- /usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
')
-+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/totem.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/rhythmbox -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
-+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/bin/haddock.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
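Review bot: The new entry `/usr/bin/totem.*` is a prefix match, so every file under /usr/bin whose name starts with "totem" is labelled `execmem_exec_t`. unconfined.te transitions that type into `unconfined_execmem_t`, which is allowed `execstack execmem`, so this disables executable-memory protection for more binaries than the one that presumably needs it. Either list the exact executables, or add a comment above the line such as `# prefix match is deliberate: the totem helper binaries also need execmem`. The haddock, hasktags and /opt/real entries in this file still use `unconfined_execmem_exec_t`, which resolves only through the alias declared in unconfined.te. Renaming them in the same change would keep the file consistent.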
@@ -31097,7 +31114,7 @@
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.9/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-09-11 16:42:49.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/unconfined.if 2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/system/unconfined.if 2008-09-25 14:28:00.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -31249,10 +31266,10 @@
+interface(`unconfined_execmem_domtrans',`
+
+ gen_require(`
-+ type unconfined_execmem_t, unconfined_execmem_exec_t;
++ type unconfined_execmem_t, execmem_exec_t;
+ ')
+
-+ domtrans_pattern($1, unconfined_execmem_exec_t, unconfined_execmem_t)
++ domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t)
+')
+
+########################################
@@ -31428,8 +31445,8 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.9/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-09-11 16:42:49.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/unconfined.te 2008-09-25 08:33:18.000000000 -0400
-@@ -1,40 +1,80 @@
++++ serefpolicy-3.5.9/policy/modules/system/unconfined.te 2008-09-25 14:27:15.000000000 -0400
+@@ -1,40 +1,81 @@
-policy_module(unconfined, 2.3.1)
+policy_module(unconfined, 2.3.0)
@@ -31482,26 +31499,30 @@
+role system_r types unconfined_t;
type unconfined_execmem_t;
- type unconfined_execmem_exec_t;
- init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+-type unconfined_execmem_exec_t;
+-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
++type execmem_exec_t;
++init_system_domain(unconfined_execmem_t, execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
-
++type execmem_exec_t alias unconfined_execmem_exec_t;
++
+type unconfined_notrans_t;
+type unconfined_notrans_exec_t;
+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
+role unconfined_r types unconfined_notrans_t;
-+
+
########################################
#
# Local policy
#
+-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
+dontaudit unconfined_t self:dir write;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
- domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
++domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t)
files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
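Review bot: The new side declares `execmem_exec_t` twice in unconfined.te, first as `type execmem_exec_t;` and then as `type execmem_exec_t alias unconfined_execmem_exec_t;` after the `role unconfined_r types unconfined_execmem_t;` line. A second declaration of the same type in one module is normally rejected by the policy compiler as a duplicate. I would drop the bare declaration and move the alias form up, so that `type execmem_exec_t alias unconfined_execmem_exec_t;` is the only declaration and precedes `init_system_domain(unconfined_execmem_t, execmem_exec_t)`. The alias itself is worth keeping, because the .fc entries and any out-of-tree modules that still name `unconfined_execmem_exec_t` depend on it. The local policy section continues outside this hunk.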
@@ -31515,7 +31536,7 @@
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,28 +82,37 @@
+@@ -42,28 +83,37 @@
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -31557,7 +31578,7 @@
')
optional_policy(`
-@@ -75,12 +124,6 @@
+@@ -75,12 +125,6 @@
')
optional_policy(`
@@ -31570,7 +31591,7 @@
init_dbus_chat_script(unconfined_t)
dbus_stub(unconfined_t)
-@@ -106,12 +149,24 @@
+@@ -106,12 +150,24 @@
')
optional_policy(`
@@ -31595,7 +31616,7 @@
')
optional_policy(`
-@@ -123,31 +178,33 @@
+@@ -123,31 +179,33 @@
')
optional_policy(`
@@ -31636,7 +31657,7 @@
')
optional_policy(`
-@@ -159,43 +216,48 @@
+@@ -159,43 +217,48 @@
')
optional_policy(`
@@ -31701,7 +31722,7 @@
')
optional_policy(`
-@@ -203,7 +265,7 @@
+@@ -203,7 +266,7 @@
')
optional_policy(`
@@ -31710,7 +31731,7 @@
')
optional_policy(`
-@@ -215,11 +277,12 @@
+@@ -215,11 +278,12 @@
')
optional_policy(`
@@ -31725,7 +31746,7 @@
')
########################################
-@@ -229,14 +292,35 @@
+@@ -229,14 +293,35 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/sources,v
retrieving revision 1.164
retrieving revision 1.165
diff -u -r1.164 -r1.165
--- sources 16 Sep 2008 13:57:15 -0000 1.164
+++ sources 26 Sep 2008 12:38:56 -0000 1.165
@@ -1 +1 @@
-dcacf4cddcb4232564044e8d33c4d28e serefpolicy-3.5.8.tgz
+1fc530b9656edfe96053b028274f6658 serefpolicy-3.5.9.tgz