rpms/selinux-policy/devel policy-20090105.patch,1.81,1.82
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Apr 7 11:29:11 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23312
Modified Files:
policy-20090105.patch
Log Message:
* Mon Apr 6 2009 Dan Walsh <dwalsh at redhat.com> 3.6.11-1
- Dontaudit binds to ports < 1024 for named
- Upgrade to latest upstream
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.81
retrieving revision 1.82
diff -u -r1.81 -r1.82
--- policy-20090105.patch 6 Apr 2009 19:27:19 -0000 1.81
+++ policy-20090105.patch 7 Apr 2009 11:29:08 -0000 1.82
@@ -5392,7 +5392,7 @@
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.11/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/kernel/kernel.if 2009-04-06 12:59:54.000000000 -0400
++++ serefpolicy-3.6.11/policy/modules/kernel/kernel.if 2009-04-07 07:25:16.000000000 -0400
@@ -1197,6 +1197,26 @@
')
@@ -10869,7 +10869,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.11/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/services/devicekit.te 2009-04-06 12:59:54.000000000 -0400
++++ serefpolicy-3.6.11/policy/modules/services/devicekit.te 2009-04-07 07:01:32.000000000 -0400
@@ -0,0 +1,211 @@
+policy_module(devicekit,1.0.0)
+
@@ -11019,7 +11019,7 @@
+# DeviceKit disk local policy
+#
+
-+allow devicekit_disk_t self:capability sys_nice;
++allow devicekit_disk_t self:capability { sys_nice sys_ptrace };
+
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+
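Review bot: The rewritten `allow devicekit_disk_t self:capability { sys_nice sys_ptrace };` line adds `sys_ptrace` with no comment, and the 3.6.11-1 log message does not mention it. sys_ptrace is a broad capability, so the policy should record which devicekit-disks operation produced the denial. If the AVC came only from the daemon inspecting other processes' /proc entries and nothing breaks without it (not visible from this hunk), `dontaudit devicekit_disk_t self:capability sys_ptrace;` would silence the denial without granting the capability. Otherwise, add a line such as `# sys_ptrace: <operation that needs it, bug reference>` above the rule.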
@@ -18331,7 +18331,7 @@
ccs_read_config(ricci_modstorage_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.11/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.11/policy/modules/services/rpc.te 2009-04-06 15:25:10.000000000 -0400
++++ serefpolicy-3.6.11/policy/modules/services/rpc.te 2009-04-07 07:27:16.000000000 -0400
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
@@ -18341,7 +18341,33 @@
rpc_domain_template(gssd)
-@@ -141,6 +141,7 @@
+@@ -79,16 +79,25 @@
+ fs_read_rpc_symlinks(rpcd_t)
+ fs_rw_rpc_sockets(rpcd_t)
+
++kernel_signal(rpcd_t)
++
+ selinux_dontaudit_read_fs(rpcd_t)
+
+ miscfiles_read_certs(rpcd_t)
+
+ seutil_dontaudit_search_config(rpcd_t)
+
++userdom_signal_unpriv_users(rpcd_t)
++
+ optional_policy(`
+ nis_read_ypserv_config(rpcd_t)
+ ')
+
++optional_policy(`
++ unconfined_execmem_signal(rpcd_t)
++ unconfined_signal(rpcd_t)
++')
++
+ ########################################
+ #
+ # NFSD local policy
+@@ -141,6 +150,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
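Review bot: The rpcd_t additions in the `@@ -79,16 +79,25 @@` part of the rpc.te patch (`kernel_signal`, `userdom_signal_unpriv_users`, and the optional `unconfined_execmem_signal` / `unconfined_signal`) widen the set of domains rpcd_t may signal, and neither the policy nor the changelog entry says why. The `unconfined_execmem_signal` interface added in the unconfined.if part of this commit grants `process signal` only, which excludes sigkill and sigstop; what the other three interfaces grant is not visible here. Even so, the targets cover every unprivileged user domain and the unconfined domains. I would add a comment above the first new call, e.g. `# rpcd signals processes that <reason, bug reference>`, and list the change under 3.6.11-1 so the grant can be audited later.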
@@ -18349,7 +18375,7 @@
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
-@@ -183,9 +184,12 @@
+@@ -183,9 +193,12 @@
files_read_usr_symlinks(gssd_t)
auth_use_nsswitch(gssd_t)
@@ -26803,7 +26829,7 @@
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.11/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/system/unconfined.if 2009-04-06 12:59:54.000000000 -0400
++++ serefpolicy-3.6.11/policy/modules/system/unconfined.if 2009-04-07 07:26:40.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -26879,7 +26905,7 @@
')
########################################
-@@ -367,6 +374,24 @@
+@@ -367,6 +374,42 @@
########################################
## <summary>
@@ -26901,10 +26927,28 @@
+
+########################################
+## <summary>
++## Send a signal to the unconfined execmem domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_execmem_signal',`
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ allow $1 unconfined_execmem_t:process signal;
++')
++
++########################################
++## <summary>
## Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
-@@ -458,6 +483,25 @@
+@@ -458,6 +501,25 @@
########################################
## <summary>
@@ -26930,7 +26974,7 @@
## Connect to the unconfined domain using
## a unix domain stream socket.
## </summary>
-@@ -581,3 +625,150 @@
+@@ -581,3 +643,150 @@
allow $1 unconfined_t:dbus acquire_svc;
')
@@ -27460,7 +27504,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.11/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/system/userdomain.if 2009-04-06 12:59:54.000000000 -0400
++++ serefpolicy-3.6.11/policy/modules/system/userdomain.if 2009-04-07 07:23:04.000000000 -0400
@@ -30,8 +30,9 @@
')