rpms/selinux-policy/devel modules-minimum.conf, 1.19, 1.20 modules-mls.conf, 1.53, 1.54 modules-targeted.conf, 1.121, 1.122 policy-20090105.patch, 1.74, 1.75 selinux-policy.spec, 1.815, 1.816

Daniel J Walsh dwalsh at fedoraproject.org
Fri Apr 3 14:46:28 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30514

Modified Files:
	modules-minimum.conf modules-mls.conf modules-targeted.conf 
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Fri Apr 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-7
- Allow setroubleshoot exec* privs to prevent crash from bad libraries
- add cpufreqselector



Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- modules-minimum.conf	20 Mar 2009 18:18:50 -0000	1.19
+++ modules-minimum.conf	3 Apr 2009 14:45:58 -0000	1.20
@@ -32,6 +32,13 @@
 # 
 ada = module
 
+# Layer: apps
+# Module: cpufreqselector 
+#
+# cpufreqselector executable
+# 
+cpufreqselector = module
+
 # Layer: modules
 # Module: awstats
 #
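Review bot: The added `# Module: cpufreqselector ` line carries a trailing space that the neighbouring entries (`# Module: awstats`) do not; trim it so the entry matches the existing style and the three module lists stay byte-identical. The same line is added to modules-mls.conf and modules-targeted.conf in the next two hunks.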


Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.53
retrieving revision 1.54
diff -u -r1.53 -r1.54
--- modules-mls.conf	20 Mar 2009 18:18:50 -0000	1.53
+++ modules-mls.conf	3 Apr 2009 14:45:58 -0000	1.54
@@ -32,6 +32,13 @@
 # 
 ada = module
 
+# Layer: apps
+# Module: cpufreqselector 
+#
+# cpufreqselector executable
+# 
+cpufreqselector = module
+
 # Layer: modules
 # Module: awstats
 #


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -r1.121 -r1.122
--- modules-targeted.conf	20 Mar 2009 18:18:50 -0000	1.121
+++ modules-targeted.conf	3 Apr 2009 14:45:58 -0000	1.122
@@ -32,6 +32,13 @@
 # 
 ada = module
 
+# Layer: apps
+# Module: cpufreqselector 
+#
+# cpufreqselector executable
+# 
+cpufreqselector = module
+
 # Layer: modules
 # Module: awstats
 #

policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.74
retrieving revision 1.75
diff -u -r1.74 -r1.75
--- policy-20090105.patch	2 Apr 2009 15:23:57 -0000	1.74
+++ policy-20090105.patch	3 Apr 2009 14:45:58 -0000	1.75
@@ -1593,8 +1593,8 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te
 --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te	2009-04-02 10:05:45.000000000 -0400
-@@ -0,0 +1,47 @@
++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te	2009-04-03 10:09:12.000000000 -0400
+@@ -0,0 +1,44 @@
 +policy_module(cpufreqselector,1.0.0)
 +
 +########################################
@@ -1624,9 +1624,6 @@
 +
 +fs_list_inotifyfs(cpufreqselector_t)
 +
-+libs_use_ld_so(cpufreqselector_t)
-+libs_use_shared_libs(cpufreqselector_t)
-+
 +userdom_read_all_users_state(cpufreqselector_t)
 +
 +nscd_dontaudit_search_pid(cpufreqselector_t)
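Review bot: Removing `libs_use_ld_so(cpufreqselector_t)` and `libs_use_shared_libs(cpufreqselector_t)` leaves nothing in this hunk granting the domain the dynamic loader and shared-library access a dynamically linked executable needs, so the removal is only safe if that access now comes from a rule applied to all domains elsewhere in the policy, which the commit message does not say. If that is the reason, a one-line comment such as `# loader/shared-library access is granted to all domains by the base policy` at the point of removal would spare the next reader the same check. The cpufreqselector.te rules start before and continue past this hunk.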
@@ -10987,8 +10984,8 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.10/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/devicekit.te	2009-03-30 10:09:41.000000000 -0400
-@@ -0,0 +1,210 @@
++++ serefpolicy-3.6.10/policy/modules/services/devicekit.te	2009-04-03 08:12:27.000000000 -0400
+@@ -0,0 +1,211 @@
 +policy_module(devicekit,1.0.0)
 +
 +########################################
@@ -11150,6 +11147,7 @@
 +dev_read_sysfs(devicekit_disk_t)
 +dev_read_urand(devicekit_disk_t)
 +dev_getattr_usbfs_dirs(devicekit_disk_t)
++dev_manage_generic_files(devicekit_disk_t)
 +
 +kernel_read_software_raid_state(devicekit_disk_t)
 +
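Review bot: `dev_manage_generic_files(devicekit_disk_t)` grants create, write, rename and unlink on every node in /dev that still carries the generic device type, which is much wider than the read and getattr interfaces beside it (`dev_read_sysfs`, `dev_getattr_usbfs_dirs`). If the denial that prompted this came from one specific device node, giving that node its own type and granting access to it alone is the least-privilege fix; if the generic permission really is needed, a comment naming the node or operation that requires it would justify the scope and let the rule be tightened later. The devicekit_disk_t rules start before and continue past this hunk.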
@@ -19761,7 +19759,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te	2009-04-03 10:25:52.000000000 -0400
 @@ -11,6 +11,9 @@
  domain_type(setroubleshootd_t)
  init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -19772,7 +19770,7 @@
  type setroubleshoot_var_lib_t;
  files_type(setroubleshoot_var_lib_t)
  
-@@ -27,8 +30,8 @@
+@@ -27,8 +30,10 @@
  # setroubleshootd local policy
  #
  
@@ -19780,10 +19778,12 @@
 -allow setroubleshootd_t self:process { signull signal getattr getsched };
 +allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
 +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
++# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
++allow setroubleshootd_t self:process { execmem execstack };
  allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
  allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
  allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
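Review bot: `allow setroubleshootd_t self:process { execmem execstack };` permanently drops the writable-and-executable memory restriction for a system daemon, and the comment above it says this is a workaround for a misbuilt library rather than something setroubleshoot itself needs. A narrower form would grant only the permission the failing library actually triggers (execmem and execstack are distinct denials), or wrap the rule in a `tunable_policy()` block so the default policy keeps it off, and the comment should name the library so the rule can be removed once it is fixed. The comment line is also far wider than the surrounding rules and could be wrapped at the usual width. The setroubleshootd_t rules start before and continue past this hunk.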
-@@ -52,7 +55,10 @@
+@@ -52,7 +57,10 @@
  
  kernel_read_kernel_sysctls(setroubleshootd_t)
  kernel_read_system_state(setroubleshootd_t)
@@ -19794,7 +19794,7 @@
  
  corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
-@@ -68,16 +74,24 @@
+@@ -68,16 +76,24 @@
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
@@ -19820,7 +19820,7 @@
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
-@@ -94,22 +108,24 @@
+@@ -94,22 +110,24 @@
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
  
@@ -27011,7 +27011,7 @@
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.10/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/unconfined.if	2009-04-01 14:58:39.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/unconfined.if	2009-04-03 10:28:13.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -27130,7 +27130,7 @@
 +		type unconfined_t;
 +	')
 +
-+	dontaudit $1 unconfined_t:unix_stream_socket rw_file_perms;
++	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
 +')
 +
 +########################################
@@ -27668,7 +27668,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-04-01 14:59:58.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-04-03 10:26:58.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -29532,7 +29532,7 @@
 +		attribute userdomain;
 +	')
 +
-+	dontaudit $1 userdomain:unix_stream_socket rw_file_perms;
++	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.10/policy/modules/system/userdomain.te


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.815
retrieving revision 1.816
diff -u -r1.815 -r1.816
--- selinux-policy.spec	2 Apr 2009 15:23:58 -0000	1.815
+++ selinux-policy.spec	3 Apr 2009 14:45:58 -0000	1.816
@@ -15,12 +15,12 @@
 %endif
 %define POLICYVER 23
 %define libsepolver 2.0.20-1
-%define POLICYCOREUTILSVER 2.0.61-7
+%define POLICYCOREUTILSVER 2.0.62-7
 %define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.10
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,10 @@
 %endif
 
 %changelog
+* Fri Apr 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-7
+- Allow setroubelshoot exec* privs to prevent crash from bad libraries
+- add cpufreqselector
+
 * Thu Apr 2 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-6
 - Dontaudit listing of /root directory for cron system jobs
 



