rpms/selinux-policy/devel policy-20080710.patch, 1.49, 1.50 selinux-policy.spec, 1.713, 1.714
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Sep 30 14:39:46 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31866
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
* Mon Sep 29 2008 Dan Walsh <dwalsh at redhat.com> 3.5.9-2
- Change all user tmpfs_t files to be labeled user_tmpfs_t
- Allow radiusd to create sock_files
policy-20080710.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.49 -r 1.50 policy-20080710.patch
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- policy-20080710.patch 26 Sep 2008 14:46:58 -0000 1.49
+++ policy-20080710.patch 30 Sep 2008 14:39:16 -0000 1.50
@@ -4417,8 +4417,8 @@
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.9/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.if 2008-09-25 08:33:18.000000000 -0400
-@@ -0,0 +1,293 @@
++++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.if 2008-09-29 10:47:02.000000000 -0400
+@@ -0,0 +1,290 @@
+
+## <summary>policy for nsplugin</summary>
+
@@ -4500,7 +4500,6 @@
+ type nsplugin_home_t;
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
-+ type $1_tmpfs_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ ')
@@ -4534,8 +4533,6 @@
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+ gnome_stream_connect(nsplugin_t, $2)
+
-+ allow nsplugin_t $1_tmpfs_t:file { read getattr };
-+
+ userdom_use_user_terminals($1, nsplugin_t)
+ userdom_use_user_terminals($1, nsplugin_config_t)
+
@@ -4714,7 +4711,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.9/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.te 2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.te 2008-09-29 11:06:29.000000000 -0400
@@ -0,0 +1,234 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -4784,6 +4781,7 @@
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
+unprivuser_dontaudit_write_home_content_files(nsplugin_t)
++userdom_manage_tmpfs(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
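Review bot: `userdom_manage_tmpfs(nsplugin_t)` grants nsplugin_t create/unlink over directories, files, symlinks, sockets and FIFOs of user_tmpfs_t plus a tmpfs type transition, where the rule removed in the nsplugin.if hunk above (`allow nsplugin_t $1_tmpfs_t:file { read getattr }`) gave read-only file access; the `fs_manage_tmpfs_files(nsplugin_t)` dropped in the next hunk covered only the file class of the generic tmpfs type. Because the userdomain.te hunk at the end of this commit makes user_tmpfs_t the single tmpfs type for every user role, a plugin process can now create or remove any user's tmpfs objects. If the plugin only needs to read and write existing shared files, the `userdom_rw_user_tmpfs_files` template in userdomain.if is the narrower grant; otherwise a comment on this line naming the objects nsplugin must create (e.g. `# nsplugin creates <objects> under tmpfs; needs full manage`) keeps the widening reviewable later.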
@@ -4814,7 +4812,6 @@
+files_read_config_files(nsplugin_t)
+
+fs_list_inotifyfs(nsplugin_t)
-+fs_manage_tmpfs_files(nsplugin_t)
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+
@@ -8796,7 +8793,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.9/policy/modules/roles/sysadm.if
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if 2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if 2008-09-29 15:11:59.000000000 -0400
@@ -334,10 +334,10 @@
#
interface(`sysadm_getattr_home_dirs',`
@@ -8929,7 +8926,7 @@
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:file read_file_perms;
-+ dontaudit $1 admin_home_t:dir search_dir_perms;
++ dontaudit $1 admin_home_t:dir list_dir_perms;
+ dontaudit $1 admin_home_t:file read_file_perms;
+
')
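Review bot: Changing the dontaudit on admin_home_t:dir from search_dir_perms to list_dir_perms silences denials for reading the directory's entries, not only traversing it, for every caller of this interface (its name lies outside the hunk). Each widened dontaudit is an audit blind spot, so it is worth confirming that callers actually attempt to list the admin home rather than only search it; if a single caller does, giving it a narrower rule keeps the denial visible for the rest. A comment such as `# <caller> lists admin_home_t, not just searches it; keep the denial quiet` would record why the suppression was widened.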
@@ -12477,8 +12474,8 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.9/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/clamav.fc 2008-09-25 08:33:18.000000000 -0400
-@@ -1,20 +1,21 @@
++++ serefpolicy-3.5.9/policy/modules/services/clamav.fc 2008-09-29 13:12:08.000000000 -0400
+@@ -1,20 +1,22 @@
/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
@@ -12497,6 +12494,7 @@
+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
++/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
@@ -13547,8 +13545,8 @@
-') dnl end TODO
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.9/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/cups.fc 2008-09-25 08:33:18.000000000 -0400
-@@ -8,24 +8,31 @@
++++ serefpolicy-3.5.9/policy/modules/services/cups.fc 2008-09-30 10:27:16.000000000 -0400
+@@ -8,24 +8,33 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13556,6 +13554,8 @@
/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
++
++/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
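Review bot: The new `/etc/cups/interfaces(/.*)?` entry is inserted after the `/etc/rc\.d/init\.d/cups` line instead of next to the other `/etc/cups/...` entries a few lines up, which is where a reader scanning for /etc/cups labels will look; moving it up keeps the file's path grouping intact. Since the cups.te hunk gives cupsd_t both write and execute access on cupsd_interface_t, the entry would also benefit from a one-line comment such as `# System V interface scripts: cupsd writes and executes these` explaining why the directory is not cupsd_rw_etc_t.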
@@ -13583,7 +13583,7 @@
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -33,7 +40,7 @@
+@@ -33,7 +42,7 @@
/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13592,7 +13592,7 @@
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -43,10 +50,20 @@
+@@ -43,10 +52,20 @@
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
@@ -13744,18 +13744,21 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.9/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2008-09-03 07:59:15.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/cups.te 2008-09-25 08:33:18.000000000 -0400
-@@ -20,6 +20,9 @@
++++ serefpolicy-3.5.9/policy/modules/services/cups.te 2008-09-29 14:52:28.000000000 -0400
+@@ -20,6 +20,12 @@
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
+type cupsd_initrc_exec_t;
+init_script_file(cupsd_initrc_exec_t)
+
++type cupsd_interface_t;
++files_type(cupsd_interface_t)
++
type cupsd_rw_etc_t;
files_config_file(cupsd_rw_etc_t)
-@@ -48,6 +51,10 @@
+@@ -48,6 +54,10 @@
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
@@ -13766,7 +13769,7 @@
type hplip_etc_t;
files_config_file(hplip_etc_t)
-@@ -65,6 +72,16 @@
+@@ -65,6 +75,16 @@
type ptal_var_run_t;
files_pid_file(ptal_var_run_t)
@@ -13783,7 +13786,7 @@
ifdef(`enable_mcs',`
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')
-@@ -79,13 +96,14 @@
+@@ -79,13 +99,14 @@
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
@@ -13801,7 +13804,17 @@
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -104,7 +122,7 @@
+@@ -97,6 +118,9 @@
+ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+ files_search_etc(cupsd_t)
+
++manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
++can_exec(cupsd_t, cupsd_interface_t)
++
+ manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+ manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+ filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+@@ -104,7 +128,7 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
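Review bot: `manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)` combined with `can_exec(cupsd_t, cupsd_interface_t)` lets cupsd_t both write and execute files of one type within its own domain, so anything cupsd can be induced to write under /etc/cups/interfaces (labeled cupsd_interface_t by the cups.fc hunk) becomes executable for it with no domain transition. If cupsd genuinely must install interface scripts itself, that trade-off should be stated beside the rules, e.g. `# cupsd installs and runs System V interface scripts itself; write+exec on one type accepted`; if it does not, replace the manage rule with `read_files_pattern` and keep only `can_exec`. Separately, the earlier cups.te hunk declares cupsd_interface_t with `files_type` while its siblings cupsd_etc_t and cupsd_rw_etc_t use `files_config_file`; if these scripts count as configuration, the same attribute keeps them covered by the generic config-file interfaces.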
@@ -13810,7 +13823,7 @@
allow cupsd_t cupsd_exec_t:lnk_file read;
[...1830 lines suppressed...]
gen_require(`
@@ -33663,7 +33752,25 @@
## </p>
## <p>
## This is a templated interface, and should only
-@@ -4616,11 +4663,11 @@
+@@ -3211,13 +3255,13 @@
+ #
+ template(`userdom_rw_user_tmpfs_files',`
+ gen_require(`
+- type $1_tmpfs_t;
++ type user_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($2)
+- allow $2 $1_tmpfs_t:dir list_dir_perms;
+- rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+- read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
++ allow $2 user_tmpfs_t:dir list_dir_perms;
++ rw_files_pattern($2,user_tmpfs_t,user_tmpfs_t)
++ read_lnk_files_pattern($2,user_tmpfs_t,user_tmpfs_t)
+ ')
+
+ ########################################
+@@ -4616,11 +4660,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
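Review bot: `userdom_rw_user_tmpfs_files` keeps its `template` form and two-parameter signature while `$1` is no longer referenced anywhere in its body, so callers still pass a role prefix that is silently ignored; the same applies to `userdom_read_user_tmpfs_files` in the later userdomain.if hunk. The description lines visible above (`This is a templated interface, and should only ...`) are now misleading. Either convert both to `interface(` taking only the domain and update callers, or add to each description a line such as `## The first parameter is kept for compatibility and is ignored; all user roles share user_tmpfs_t.` so the next reader does not assume per-role separation.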
@@ -33677,7 +33784,7 @@
')
########################################
-@@ -4640,6 +4687,14 @@
+@@ -4640,6 +4684,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -33692,7 +33799,7 @@
')
########################################
-@@ -4677,6 +4732,8 @@
+@@ -4677,6 +4729,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -33701,7 +33808,7 @@
')
########################################
-@@ -4721,6 +4778,25 @@
+@@ -4721,6 +4775,25 @@
########################################
## <summary>
@@ -33727,7 +33834,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4946,7 +5022,7 @@
+@@ -4946,7 +5019,7 @@
########################################
## <summary>
@@ -33736,7 +33843,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5318,7 +5394,7 @@
+@@ -5318,7 +5391,7 @@
########################################
## <summary>
@@ -33745,7 +33852,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5326,18 +5402,17 @@
+@@ -5326,18 +5399,17 @@
## </summary>
## </param>
#
@@ -33768,7 +33875,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5345,17 +5420,17 @@
+@@ -5345,17 +5417,17 @@
## </summary>
## </param>
#
@@ -33790,7 +33897,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5363,18 +5438,18 @@
+@@ -5363,18 +5435,18 @@
## </summary>
## </param>
#
@@ -33814,7 +33921,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5382,17 +5457,54 @@
+@@ -5382,17 +5454,54 @@
## </summary>
## </param>
#
@@ -33873,7 +33980,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5483,6 +5595,42 @@
+@@ -5483,6 +5592,42 @@
########################################
## <summary>
@@ -33916,7 +34023,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5513,3 +5661,524 @@
+@@ -5513,3 +5658,548 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -34250,13 +34357,13 @@
+#
+template(`userdom_read_user_tmpfs_files',`
+ gen_require(`
-+ type $1_tmpfs_t;
++ type user_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($2)
-+ allow $2 $1_tmpfs_t:dir list_dir_perms;
-+ read_files_pattern($2, $1_tmpfs_t, $1_tmpfs_t)
-+ read_lnk_files_pattern($2, $1_tmpfs_t, $1_tmpfs_t)
++ allow $2 user_tmpfs_t:dir list_dir_perms;
++ read_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
++ read_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+')
+
+#######################################
@@ -34441,9 +34548,33 @@
+
+ dontaudit $1 user_home_t:file unlink;
+')
++
++#######################################
++## <summary>
++## The template for creating a tmpfs type
++## that the user has full access.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_manage_tmpfs',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ manage_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ manage_sock_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ manage_fifo_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.9/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/userdomain.te 2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/system/userdomain.te 2008-09-29 08:43:56.000000000 -0400
@@ -8,13 +8,6 @@
## <desc>
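Review bot: The summary on the new `userdom_manage_tmpfs` interface (`The template for creating a tmpfs type that the user has full access.`) is wrong on two counts: it is an `interface`, not a template, and it creates no type — it grants full management of user_tmpfs_t directories, files, symlinks, sockets and FIFOs plus `fs_tmpfs_filetrans`. Suggest `## Create, read, write, and delete user tmpfs content (dirs, files, symlinks, sockets, FIFOs), with type transition on tmpfs.` The name also departs from the `userdom_*_user_tmpfs_files` pattern of the read/rw templates earlier in the file; `userdom_manage_user_tmpfs_files` would sit naturally beside them.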
@@ -34485,7 +34616,7 @@
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
-@@ -81,6 +73,72 @@
+@@ -81,6 +73,76 @@
# unprivileged user domains
attribute unpriv_userdomain;
@@ -34521,6 +34652,10 @@
+type user_tmp_t, user_file_type, user_tmpfile;
+files_tmp_file(user_tmp_t)
+
++type user_tmpfs_t, user_file_type;
++files_tmpfs_file(user_tmpfs_t)
++
++
+##############################
+#
+# User home directory file rules
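Review bot: `type user_tmpfs_t, user_file_type;` replaces what the removed `$1_tmpfs_t` references in the userdomain.if hunks indicate was a per-role type with one type shared by every user role, so any domain given access to user_tmpfs_t (for example via `userdom_manage_tmpfs` in this commit) reaches the tmpfs content of all user roles at once, with no type-based distinction between them. The log message says this is deliberate, but the declaration should say so too, e.g. `# single tmpfs type for all user roles; no per-role separation on tmpfs content`. Minor: the hunk adds two consecutive blank lines after `files_tmpfs_file(user_tmpfs_t)`, one of which should go.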
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.713
retrieving revision 1.714
diff -u -r1.713 -r1.714
--- selinux-policy.spec 25 Sep 2008 18:54:16 -0000 1.713
+++ selinux-policy.spec 30 Sep 2008 14:39:16 -0000 1.714
@@ -10,14 +10,14 @@
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
%define BUILD_MLS 1
%endif
-%define POLICYVER 21
+%define POLICYVER 23
%define libsepolver 2.0.20-1
%define POLICYCOREUTILSVER 2.0.54-2
%define CHECKPOLICYVER 2.0.16-1
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.9
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -40,8 +40,9 @@
Url: http://serefpolicy.sourceforge.net
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
-BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
+BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER} bzip2
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3
+Requires(post): /usr/bin/bunzip2
Requires: checkpolicy >= %{CHECKPOLICYVER} m4
Obsoletes: selinux-policy-devel
Provides: selinux-policy-devel
@@ -77,6 +78,9 @@
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
+%define bzmoduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf " ../%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
+
%define installCmds() \
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \
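Review bot: The comment filter in the new `bzmoduleList` macro, `$1 !~ "/^#/"`, is copied from `moduleList` and appears not to do what it suggests: with the slashes inside the string, awk compiles the pattern `/^#/` (a literal slash before the anchor), which cannot match the start of a field, so an entry such as `#foo = module` is still emitted. Because both macros share the quirk their module lists stay consistent, so if it is fixed it should be fixed in both at once as `$1 !~ /^#/`. A comment above the new macro stating that it must mirror `moduleList` would also help keep the two in step.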
@@ -96,12 +100,13 @@
install -m0644 $RPM_SOURCE_DIR/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
echo -n > %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+bzip2 %{buildroot}/%{_usr}/share/selinux/%1/*.pp
%nil
%define fileList() \
%defattr(-,root,root) \
%dir %{_usr}/share/selinux/%1 \
-%{_usr}/share/selinux/%1/*.pp \
+%{_usr}/share/selinux/%1/*.pp.bz2 \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%ghost %{_sysconfdir}/selinux/%1/seusers \
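Review bot: The new `bzip2 %{buildroot}/%{_usr}/share/selinux/%1/*.pp` line is the only line of the `installCmds` body without a trailing ` \`, so the macro definition now ends there and the following `%nil` becomes a stand-alone empty line outside it. That is harmless today, but anything appended after the bzip2 step later would silently fall outside the macro; write it as `bzip2 %{buildroot}%{_usr}/share/selinux/%1/*.pp \` (the `/` between `%{buildroot}` and `%{_usr}` also produces a doubled slash, since `%{_usr}` already begins with one).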
@@ -144,9 +149,13 @@
fi
%define loadpolicy() \
-( cd /usr/share/selinux/%1; \
+tempdir=`mktemp -d /usr/share/selinux/%1/tmpXXXX`; \
+( cd $tempdir; \
+cp ../base.pp.bz2 %{expand:%%bzmoduleList %1} .; \
+bunzip2 *; \
semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
); \
+rm -rf $tempdir; \
%define relabel() \
. %{_sysconfdir}/selinux/config; \
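Review bot: In the new `loadpolicy` body neither the `mktemp -d` result nor the `cd $tempdir` is checked, so if either fails the subshell proceeds to run `cp`, `bunzip2 *` and `semodule` in whatever the scriptlet's working directory happens to be, with `bunzip2 *` touching every file there. Guard both: `tempdir=$(mktemp -d /usr/share/selinux/%1/tmpXXXX) || exit 1; \` and `( cd "$tempdir" || exit 1; \`, and narrow the decompression to `bunzip2 *.bz2; \`. Quoting the variable in `rm -rf "$tempdir"` as well avoids a bare `rm -rf` if it is ever empty.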
@@ -381,6 +390,10 @@
%endif
%changelog
+* Mon Sep 29 2008 Dan Walsh <dwalsh at redhat.com> 3.5.9-2
+- Change all user tmpfs_t files to be labeled user_tmpfs_t
+- Allow radiusd to create sock_files
+
* Wed Sep 24 2008 Dan Walsh <dwalsh at redhat.com> 3.5.9-1
- Upgrade to upstream