rpms/selinux-policy/devel modules-minimum.conf, 1.19, 1.20 modules-mls.conf, 1.53, 1.54 modules-targeted.conf, 1.121, 1.122 policy-20090105.patch, 1.74, 1.75 selinux-policy.spec, 1.815, 1.816
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Apr 3 14:46:28 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30514
Modified Files:
modules-minimum.conf modules-mls.conf modules-targeted.conf
policy-20090105.patch selinux-policy.spec
Log Message:
* Fri Apr 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-7
- Allow setroubelshoot exec* privs to prevent crash from bad libraries
- add cpufreqselector
Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- modules-minimum.conf 20 Mar 2009 18:18:50 -0000 1.19
+++ modules-minimum.conf 3 Apr 2009 14:45:58 -0000 1.20
@@ -32,6 +32,13 @@
#
ada = module
+# Layer: apps
+# Module: cpufreqselector
+#
+# cpufreqselector executable
+#
+cpufreqselector = module
+
# Layer: modules
# Module: awstats
#
Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.53
retrieving revision 1.54
diff -u -r1.53 -r1.54
--- modules-mls.conf 20 Mar 2009 18:18:50 -0000 1.53
+++ modules-mls.conf 3 Apr 2009 14:45:58 -0000 1.54
@@ -32,6 +32,13 @@
#
ada = module
+# Layer: apps
+# Module: cpufreqselector
+#
+# cpufreqselector executable
+#
+cpufreqselector = module
+
# Layer: modules
# Module: awstats
#
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -r1.121 -r1.122
--- modules-targeted.conf 20 Mar 2009 18:18:50 -0000 1.121
+++ modules-targeted.conf 3 Apr 2009 14:45:58 -0000 1.122
@@ -32,6 +32,13 @@
#
ada = module
+# Layer: apps
+# Module: cpufreqselector
+#
+# cpufreqselector executable
+#
+cpufreqselector = module
+
# Layer: modules
# Module: awstats
#
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.74
retrieving revision 1.75
diff -u -r1.74 -r1.75
--- policy-20090105.patch 2 Apr 2009 15:23:57 -0000 1.74
+++ policy-20090105.patch 3 Apr 2009 14:45:58 -0000 1.75
@@ -1593,8 +1593,8 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te 2009-04-02 10:05:45.000000000 -0400
-@@ -0,0 +1,47 @@
++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te 2009-04-03 10:09:12.000000000 -0400
+@@ -0,0 +1,44 @@
+policy_module(cpufreqselector,1.0.0)
+
+########################################
@@ -1624,9 +1624,6 @@
+
+fs_list_inotifyfs(cpufreqselector_t)
+
-+libs_use_ld_so(cpufreqselector_t)
-+libs_use_shared_libs(cpufreqselector_t)
-+
+userdom_read_all_users_state(cpufreqselector_t)
+
+nscd_dontaudit_search_pid(cpufreqselector_t)
@@ -10987,8 +10984,8 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.10/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/devicekit.te 2009-03-30 10:09:41.000000000 -0400
-@@ -0,0 +1,210 @@
++++ serefpolicy-3.6.10/policy/modules/services/devicekit.te 2009-04-03 08:12:27.000000000 -0400
+@@ -0,0 +1,211 @@
+policy_module(devicekit,1.0.0)
+
+########################################
@@ -11150,6 +11147,7 @@
+dev_read_sysfs(devicekit_disk_t)
+dev_read_urand(devicekit_disk_t)
+dev_getattr_usbfs_dirs(devicekit_disk_t)
++dev_manage_generic_files(devicekit_disk_t)
+
+kernel_read_software_raid_state(devicekit_disk_t)
+
@@ -19761,7 +19759,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te 2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te 2009-04-03 10:25:52.000000000 -0400
@@ -11,6 +11,9 @@
domain_type(setroubleshootd_t)
init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -19772,7 +19770,7 @@
type setroubleshoot_var_lib_t;
files_type(setroubleshoot_var_lib_t)
-@@ -27,8 +30,8 @@
+@@ -27,8 +30,10 @@
# setroubleshootd local policy
#
@@ -19780,10 +19778,12 @@
-allow setroubleshootd_t self:process { signull signal getattr getsched };
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
++# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
++allow setroubleshootd_t self:process { execmem execstack };
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -52,7 +55,10 @@
+@@ -52,7 +57,10 @@
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
@@ -19794,7 +19794,7 @@
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-@@ -68,16 +74,24 @@
+@@ -68,16 +76,24 @@
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
@@ -19820,7 +19820,7 @@
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
-@@ -94,22 +108,24 @@
+@@ -94,22 +110,24 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -27011,7 +27011,7 @@
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.10/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/unconfined.if 2009-04-01 14:58:39.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/unconfined.if 2009-04-03 10:28:13.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -27130,7 +27130,7 @@
+ type unconfined_t;
+ ')
+
-+ dontaudit $1 unconfined_t:unix_stream_socket rw_file_perms;
++ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
@@ -27668,7 +27668,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-04-01 14:59:58.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-04-03 10:26:58.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -29532,7 +29532,7 @@
+ attribute userdomain;
+ ')
+
-+ dontaudit $1 userdomain:unix_stream_socket rw_file_perms;
++ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.10/policy/modules/system/userdomain.te
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.815
retrieving revision 1.816
diff -u -r1.815 -r1.816
--- selinux-policy.spec 2 Apr 2009 15:23:58 -0000 1.815
+++ selinux-policy.spec 3 Apr 2009 14:45:58 -0000 1.816
@@ -15,12 +15,12 @@
%endif
%define POLICYVER 23
%define libsepolver 2.0.20-1
-%define POLICYCOREUTILSVER 2.0.61-7
+%define POLICYCOREUTILSVER 2.0.62-7
%define CHECKPOLICYVER 2.0.16-3
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.10
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,10 @@
%endif
%changelog
+* Fri Apr 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-7
+- Allow setroubelshoot exec* privs to prevent crash from bad libraries
+- add cpufreqselector
+
* Thu Apr 2 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-6
- Dontaudit listing of /root directory for cron system jobs
More information about the fedora-extras-commits
mailing list