rpms/selinux-policy/devel policy-20090105.patch, 1.73, 1.74 selinux-policy.spec, 1.814, 1.815

Daniel J Walsh dwalsh at fedoraproject.org
Thu Apr 2 15:24:29 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3909

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Thu Apr 2 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-6
- Dontaudit listing of /root directory for cron system jobs


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.73
retrieving revision 1.74
diff -u -r1.73 -r1.74
--- policy-20090105.patch	30 Mar 2009 16:06:48 -0000	1.73
+++ policy-20090105.patch	2 Apr 2009 15:23:57 -0000	1.74
@@ -1580,6 +1580,68 @@
  /usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
 +/usr/bin/growisoifs	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.fc serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.fc
+--- nsaserefpolicy/policy/modules/apps/cpufreqselector.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.fc	2009-04-02 10:05:45.000000000 -0400
+@@ -0,0 +1 @@
++/usr/bin/cpufreq-selector       --      gen_context(system_u:object_r:cpufreqselector_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.if serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.if
+--- nsaserefpolicy/policy/modules/apps/cpufreqselector.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.if	2009-04-02 10:05:45.000000000 -0400
+@@ -0,0 +1,2 @@
++## <summary>cpufreq-selector policy</summary>
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te
+--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te	2009-04-02 10:05:45.000000000 -0400
+@@ -0,0 +1,47 @@
++policy_module(cpufreqselector,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cpufreqselector_t;
++type cpufreqselector_exec_t;
++
++dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
++
++########################################
++#
++# cpufreq-selector local policy
++#
++
++allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
++allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
++
++files_read_etc_files(cpufreqselector_t)
++files_read_usr_files(cpufreqselector_t)
++
++corecmd_search_bin(cpufreqselector_t)
++
++dev_rw_sysfs(cpufreqselector_t)
++
++fs_list_inotifyfs(cpufreqselector_t)
++
++libs_use_ld_so(cpufreqselector_t)
++libs_use_shared_libs(cpufreqselector_t)
++
++userdom_read_all_users_state(cpufreqselector_t)
++
++nscd_dontaudit_search_pid(cpufreqselector_t)
++
++optional_policy(`
++        consolekit_dbus_chat(cpufreqselector_t)
++')
++
++optional_policy(`
++	polkit_domtrans_auth(cpufreqselector_t)
++	polkit_read_lib(cpufreqselector_t)
++	polkit_read_reload(cpufreqselector_t)
++')
++
++permissive cpufreqselector_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.fc serefpolicy-3.6.10/policy/modules/apps/git.fc
 --- nsaserefpolicy/policy/modules/apps/git.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/apps/git.fc	2009-03-30 10:09:41.000000000 -0400
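Review bot: The new cpufreqselector.te ends with `permissive cpufreqselector_t;`, which puts the whole domain in permissive mode, so every rule above it is logged-only rather than enforced; nothing in the hunk says whether this is intended as a staging step, and it should be commented, e.g. `# permissive while the policy is being developed; remove once denials are confirmed clean`. The `self:capability { sys_nice sys_ptrace }` grant is broad for a frequency selector — presumably sys_ptrace is there for `userdom_read_all_users_state`, but that is worth confirming against the actual denials before the permissive line is dropped. Indentation inside the two `optional_policy` blocks is inconsistent (eight spaces for the consolekit call, a tab for the polkit calls); the rest of the patched tree uses tabs. The companion .if file declares only a summary and no interfaces, so no other domain can reach cpufreqselector_exec_t except through the dbus system-domain path set up by `dbus_system_domain`, which is fine but worth stating in the summary.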
@@ -9098,7 +9160,7 @@
 +/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.10/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/cron.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/cron.if	2009-04-02 11:21:32.000000000 -0400
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -9187,7 +9249,7 @@
  
  	optional_policy(`
  		gen_require(`
-@@ -261,6 +277,7 @@
+@@ -261,10 +277,12 @@
  	allow $1 system_cronjob_t:fifo_file rw_file_perms;
  	allow $1 system_cronjob_t:process sigchld;
  
@@ -9195,7 +9257,12 @@
  	allow $1 crond_t:fifo_file rw_file_perms;
  	allow $1 crond_t:fd use;
  	allow $1 crond_t:process sigchld;
-@@ -343,6 +360,24 @@
+ 
++	userdom_dontaudit_list_admin_dir($1)
+ 	role system_r types $1;
+ ')
+ 
+@@ -343,6 +361,24 @@
  
  ########################################
  ## <summary>
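Review bot: The added `userdom_dontaudit_list_admin_dir($1)` silences a denial without a comment saying why, and dontaudit rules are the ones most likely to mask a real access need later; the log message explains it, the policy does not. A one-line comment above it would do, e.g. `# system cron jobs list /root; not needed, so silence rather than allow`. The interface this sits in begins outside the hunk, so which interface it is cannot be confirmed here, although the closing `')` and `role system_r types $1;` suggest the system-job entry interface. The inner hunk header growing from `+277,7` to `+277,12` shows the outer patch now carries five extra context lines, which is fine but worth knowing when this patch is next rebased.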
@@ -9220,7 +9287,7 @@
  ##	Read and write a cron daemon unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -361,7 +396,7 @@
+@@ -361,7 +397,7 @@
  
  ########################################
  ## <summary>
@@ -9229,7 +9296,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -369,7 +404,7 @@
+@@ -369,7 +405,7 @@
  ##	</summary>
  ## </param>
  #
@@ -9238,7 +9305,7 @@
  	gen_require(`
  		type crond_t;
  	')
-@@ -416,6 +451,42 @@
+@@ -416,6 +452,42 @@
  
  ########################################
  ## <summary>
@@ -9281,7 +9348,7 @@
  ##	Inherit and use a file descriptor
  ##	from system cron jobs.
  ## </summary>
-@@ -481,11 +552,14 @@
+@@ -481,11 +553,14 @@
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -9297,7 +9364,7 @@
  ')
  
  ########################################
-@@ -506,3 +580,101 @@
+@@ -506,3 +581,101 @@
  
  	dontaudit $1 system_cronjob_tmp_t:file append;
  ')
@@ -18450,7 +18517,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.10/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/samba.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/samba.if	2009-04-01 15:42:15.000000000 -0400
 @@ -4,6 +4,45 @@
  ##	from Windows NT servers.
  ## </summary>
@@ -18850,7 +18917,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.10/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/samba.te	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/samba.te	2009-04-01 15:20:37.000000000 -0400
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -19136,7 +19203,7 @@
  allow swat_t self:udp_socket create_socket_perms;
  
 +allow swat_t self:unix_stream_socket connectto;
-+can_exec(swat_t, smbd_exec_t)
++samba_domtrans_smb(swat_t)
 +allow swat_t smbd_port_t:tcp_socket name_bind;
 +allow swat_t smbd_t:process { signal signull };
 +allow swat_t smbd_var_run_t:file { lock unlink };
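Review bot: Replacing `can_exec(swat_t, smbd_exec_t)` with `samba_domtrans_smb(swat_t)` means smbd launched by swat now runs confined as smbd_t instead of inheriting swat_t, which is the right direction, but the rules that follow were written for the in-domain case. `allow swat_t smbd_port_t:tcp_socket name_bind;` and `allow swat_t smbd_var_run_t:file { lock unlink };` were presumably there because smbd code ran in swat_t; after the transition smbd_t already holds those, so they may now be dead grants that widen swat_t for no reason — worth re-checking against audit logs and dropping if unused. The swat_t block continues outside the hunk.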
@@ -23819,13 +23886,14 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.10/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/init.if	2009-03-30 10:09:41.000000000 -0400
-@@ -280,6 +280,27 @@
++++ serefpolicy-3.6.10/policy/modules/system/init.if	2009-04-01 15:00:12.000000000 -0400
+@@ -280,6 +280,28 @@
  			kernel_dontaudit_use_fds($1)
  		')
  	')
 +
 +	userdom_dontaudit_search_user_home_dirs($1)
++	userdom_dontaudit_rw_stream($1)
 +
 +	tunable_policy(`allow_daemons_use_tty',`
 +	   term_use_all_user_ttys($1)
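Review bot: `userdom_dontaudit_rw_stream($1)` is added here inside the init.if interface and again as `userdom_dontaudit_rw_stream(daemon)` in the init.te hunk at `@@ -790,3 +865,19 @@`; if every domain passed through this interface also receives the `daemon` attribute (likely, but the interface body starts outside the hunk so it cannot be confirmed here), the per-domain call is redundant and one of the two should go. Keeping the attribute-level rule alone is the smaller policy and the easier one to audit later. Neither site carries a comment saying which denial this is silencing; a short `# daemons inherit user unix stream sockets at start; silence read/write denials` (hedged, since the trigger is not visible in the patch) would help the next person who has to decide whether to turn this into an allow.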
@@ -23848,7 +23916,7 @@
  ')
  
  ########################################
-@@ -546,7 +567,7 @@
+@@ -546,7 +568,7 @@
  
  		# upstart uses a datagram socket instead of initctl pipe
  		allow $1 self:unix_dgram_socket create_socket_perms;
@@ -23857,7 +23925,7 @@
  	')
  ')
  
-@@ -619,18 +640,19 @@
+@@ -619,18 +641,19 @@
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -23881,7 +23949,7 @@
  	')
  ')
  
-@@ -646,23 +668,43 @@
+@@ -646,23 +669,43 @@
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -23929,7 +23997,7 @@
  ##	Execute a init script in a specified domain.
  ## </summary>
  ## <desc>
-@@ -1291,6 +1333,25 @@
+@@ -1291,6 +1334,25 @@
  
  ########################################
  ## <summary>
@@ -23955,7 +24023,7 @@
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1521,3 +1582,51 @@
+@@ -1521,3 +1583,51 @@
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -24009,7 +24077,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.10/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/init.te	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/init.te	2009-04-01 15:00:25.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -24292,13 +24360,15 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -790,3 +865,17 @@
+@@ -790,3 +865,19 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
 +
 +userdom_append_user_home_content_files(daemon)
 +userdom_write_user_tmp_files(daemon)
++userdom_dontaudit_rw_stream(daemon)
++
 +logging_append_all_logs(daemon)
 +
 +optional_policy(`
@@ -26941,7 +27011,7 @@
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.10/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/unconfined.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/unconfined.if	2009-04-01 14:58:39.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -27598,7 +27668,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-04-01 14:59:58.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -28982,7 +29052,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -2981,3 +3182,462 @@
+@@ -2981,3 +3182,482 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -29445,6 +29515,26 @@
 +	allow $1 userdomain:key manage_key_perms;
 +')
 +
++
++########################################
++## <summary>
++##	Do not audit attempts to read and write
++##	unserdomain stream.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_rw_stream',`
++	gen_require(`
++		attribute userdomain;
++	')
++
++	dontaudit $1 userdomain:unix_stream_socket rw_file_perms;
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.10/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-01-19 11:07:34.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/system/userdomain.te	2009-03-30 10:09:41.000000000 -0400
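Review bot: The new `userdom_dontaudit_rw_stream` interface uses `rw_file_perms` on the `unix_stream_socket` class; that macro is a file permission set, and any member not defined on the socket class (notably `open`, if this policy version's `rw_file_perms` includes it) will fail the build, so the socket-specific form `dontaudit $1 userdomain:unix_stream_socket { read write };` is the safer and more precise rule. The summary has a typo: `##	unserdomain stream.` should read `##	userdomain stream.`. There is also a doubled blank line before the `########################################` header, unlike the other interfaces in this file. The interface closes within the hunk, but the surrounding userdomain.if content runs past it.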


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.814
retrieving revision 1.815
diff -u -r1.814 -r1.815
--- selinux-policy.spec	30 Mar 2009 16:06:48 -0000	1.814
+++ selinux-policy.spec	2 Apr 2009 15:23:58 -0000	1.815
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.10
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
 %endif
 
 %changelog
+* Thu Apr 2 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-6
+- Dontaudit listing of /root directory for cron system jobs
+
 * Mon Mar 30 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-5
 - Fix missing ld.so.cache label
 



