rpms/selinux-policy/devel modules-minimum.conf, 1.21, 1.22 modules-targeted.conf, 1.123, 1.124 policy-20090105.patch, 1.84, 1.85 selinux-policy.spec, 1.821, 1.822

Daniel J Walsh dwalsh at fedoraproject.org
Sat Apr 11 12:30:54 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10851

Modified Files:
	modules-minimum.conf modules-targeted.conf 
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Thu Apr 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-3
- Separate out the unconfined user from the unconfined.pp package



Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- modules-minimum.conf	8 Apr 2009 00:59:45 -0000	1.21
+++ modules-minimum.conf	11 Apr 2009 12:30:21 -0000	1.22
@@ -1676,6 +1676,13 @@
 # 
 soundserver = module
 
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+# 
+unconfineduser = module
+
 # Layer:role
 # Module: staff
 #
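Review bot: The description added for the new `unconfineduser` entry, `The unconfined user domain.`, does not say how this module differs from the `unconfined` module it was split out of, which per the log message is the whole reason the entry exists. Suggest `# The unconfined user domain, shipped as its own module so it can be loaded or removed independently of the unconfined module.` — the second half is what the spec's loadminpolicy change suggests, so keep it only if that is the intent. The identical hunk in modules-targeted.conf should carry the same wording. The new header also writes `Layer: role` while the neighbouring staff entry writes `Layer:role`; pick one form.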


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.123
retrieving revision 1.124
diff -u -r1.123 -r1.124
--- modules-targeted.conf	8 Apr 2009 00:59:45 -0000	1.123
+++ modules-targeted.conf	11 Apr 2009 12:30:22 -0000	1.124
@@ -1676,6 +1676,13 @@
 # 
 soundserver = module
 
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+# 
+unconfineduser = module
+
 # Layer:role
 # Module: staff
 #

policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -r1.84 -r1.85
--- policy-20090105.patch	8 Apr 2009 13:18:20 -0000	1.84
+++ policy-20090105.patch	11 Apr 2009 12:30:22 -0000	1.85
@@ -1022,7 +1022,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.te	2009-04-09 04:59:09.000000000 -0400
 @@ -31,6 +31,9 @@
  files_type(rpm_var_lib_t)
  typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -1101,7 +1101,7 @@
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -174,10 +190,20 @@
+@@ -174,17 +190,28 @@
  ')
  
  optional_policy(`
@@ -1122,8 +1122,9 @@
  	prelink_domtrans(rpm_t)
  ')
  
-@@ -185,6 +211,7 @@
- 	unconfined_domain(rpm_t)
+ optional_policy(`
+-	unconfined_domain(rpm_t)
++	unconfined_domain_noaudit(rpm_t)
  	# yum-updatesd requires this
  	unconfined_dbus_chat(rpm_t)
 +	unconfined_dbus_chat(rpm_script_t)
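Review bot: rpm_t is switched from `unconfined_domain` to `unconfined_domain_noaudit` while ada_t, mono_t and wine_t (the ada.te, mono.te and wine.te hunks further down) move in the opposite direction, and neither the log message nor a comment in rpm.te says why. rpm_t executes package scriptlets, so the exact set of unconfined rules it carries is something anyone auditing package installs will want to see explained next to the call, e.g. `# rpm_t needs no execmem/execstack tunables; use the _noaudit variant` if that is in fact what separates the two interfaces in unconfined.if — otherwise state the actual reason. The `optional_policy(` block opened in this hunk closes outside it.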
@@ -1514,6 +1515,16 @@
 +	xserver_write_pid(vbetool_t)
 +')
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.te serefpolicy-3.6.12/policy/modules/apps/ada.te
+--- nsaserefpolicy/policy/modules/apps/ada.te	2009-01-05 15:39:38.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/ada.te	2009-04-09 04:47:52.000000000 -0400
+@@ -21,5 +21,5 @@
+ userdom_use_user_terminals(ada_t)
+ 
+ optional_policy(`
+-	unconfined_domain_noaudit(ada_t)
++	unconfined_domain(ada_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te
 --- nsaserefpolicy/policy/modules/apps/awstats.te	2009-02-16 08:44:12.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/awstats.te	2009-04-07 16:01:44.000000000 -0400
@@ -2384,7 +2395,7 @@
  	corecmd_search_bin($1)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.12/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/mono.te	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/mono.te	2009-04-09 04:48:20.000000000 -0400
 @@ -15,7 +15,7 @@
  # Local policy
  #
@@ -2394,7 +2405,12 @@
  
  init_dbus_chat_script(mono_t)
  
-@@ -46,3 +46,7 @@
+@@ -42,7 +42,11 @@
+ ')
+ 
+ optional_policy(`
+-	unconfined_domain_noaudit(mono_t)
++	unconfined_domain(mono_t)
  	unconfined_dbus_chat(mono_t)
  	unconfined_dbus_connect(mono_t)
  ')
@@ -4272,7 +4288,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.12/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/wine.te	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/wine.te	2009-04-09 04:47:36.000000000 -0400
 @@ -9,6 +9,7 @@
  type wine_t;
  type wine_exec_t;
@@ -4285,9 +4301,10 @@
  
  optional_policy(`
  	allow wine_t self:process { execstack execmem execheap };
+-	unconfined_domain_noaudit(wine_t)
 +	domain_mmap_low_type(wine_t)
 +	domain_mmap_low(wine_t)
- 	unconfined_domain_noaudit(wine_t)
++	unconfined_domain(wine_t)
  	files_execmod_all_files(wine_t)
  
 +')
@@ -4689,7 +4706,7 @@
  type urandom_device_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-04-09 10:10:17.000000000 -0400
 @@ -629,6 +629,7 @@
  
  	dontaudit $1 unconfined_domain_type:dir search_dir_perms;
@@ -4909,7 +4926,7 @@
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-04-09 10:14:04.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5118,7 +5135,36 @@
  ')
  
  ########################################
-@@ -4532,7 +4662,8 @@
+@@ -4413,6 +4543,28 @@
+ 
+ ########################################
+ ## <summary>
++##	manage all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 { var_t var_lock_t }:dir search_dir_perms;
++	manage_dirs_pattern($1, lockfile, lockfile)
++	manage_files_pattern($1, lockfile, lockfile)
++	manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
+ ##	Create an object in the locks directory, with a private
+ ##	type using a type transition.
+ ## </summary>
+@@ -4532,7 +4684,8 @@
  		type var_t, var_run_t;
  	')
  
@@ -5128,7 +5174,7 @@
  ')
  
  ########################################
-@@ -4873,7 +5004,7 @@
+@@ -4873,7 +5026,7 @@
  	selinux_compute_member($1)
  
  	# Need sys_admin capability for mounting
@@ -5137,7 +5183,7 @@
  
  	# Need to give access to the directories to be polyinstantiated
  	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -4895,12 +5026,15 @@
+@@ -4895,12 +5048,15 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -5154,7 +5200,7 @@
  	')
  ')
  
-@@ -4921,3 +5055,95 @@
+@@ -4921,3 +5077,95 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -5493,7 +5539,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.12/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-02-03 22:50:50.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te	2009-04-09 10:10:27.000000000 -0400
 @@ -63,6 +63,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
@@ -5576,23 +5622,27 @@
  tunable_policy(`read_default_t',`
  	files_list_default(kernel_t)
  	files_read_default_files(kernel_t)
-@@ -359,6 +384,10 @@
- 	unconfined_domain(kernel_t)
+@@ -356,7 +381,11 @@
  ')
  
[...39694 lines suppressed...]
  	files_read_kernel_symbol_table($1_t)
  
-@@ -986,37 +1048,47 @@
+@@ -986,37 +1049,47 @@
  		')
  	')
  
@@ -28365,7 +29724,7 @@
  ')
  
  #######################################
-@@ -1050,7 +1122,7 @@
+@@ -1050,7 +1123,7 @@
  #
  template(`userdom_admin_user_template',`
  	gen_require(`
@@ -28374,7 +29733,7 @@
  	')
  
  	##############################
-@@ -1059,8 +1131,7 @@
+@@ -1059,8 +1132,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -28384,7 +29743,7 @@
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1083,7 +1154,8 @@
+@@ -1083,7 +1155,8 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -28394,7 +29753,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1099,6 +1171,7 @@
+@@ -1099,6 +1172,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -28402,7 +29761,7 @@
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,8 +1179,6 @@
+@@ -1106,8 +1180,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -28411,7 +29770,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1233,6 @@
+@@ -1162,20 +1234,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -28432,7 +29791,7 @@
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1221,6 +1278,7 @@
+@@ -1221,6 +1279,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -28440,7 +29799,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1286,11 +1344,15 @@
+@@ -1286,11 +1345,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -28456,7 +29815,7 @@
  ')
  
  ########################################
-@@ -1387,7 +1449,7 @@
+@@ -1387,7 +1450,7 @@
  
  ########################################
  ## <summary>
@@ -28465,7 +29824,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1420,6 +1482,14 @@
+@@ -1420,6 +1483,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -28480,7 +29839,7 @@
  ')
  
  ########################################
-@@ -1435,9 +1505,11 @@
+@@ -1435,9 +1506,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -28492,7 +29851,7 @@
  ')
  
  ########################################
-@@ -1494,6 +1566,25 @@
+@@ -1494,6 +1567,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -28518,7 +29877,7 @@
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1568,6 +1659,8 @@
+@@ -1568,6 +1660,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -28527,7 +29886,7 @@
  ')
  
  ########################################
-@@ -1643,6 +1736,7 @@
+@@ -1643,6 +1737,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -28535,7 +29894,7 @@
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1741,30 +1835,79 @@
+@@ -1741,30 +1836,80 @@
  
  ########################################
  ## <summary>
@@ -28622,10 +29981,11 @@
 +
 +	files_search_home($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	dontaudit $1 user_home_type:sock_file execute;
  ')
  
  ########################################
-@@ -1787,6 +1930,46 @@
+@@ -1787,6 +1932,46 @@
  
  ########################################
  ## <summary>
@@ -28672,7 +30032,7 @@
  ##	Create, read, write, and delete files
  ##	in a user home subdirectory.
  ## </summary>
-@@ -1799,6 +1982,7 @@
+@@ -1799,6 +1984,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -28680,7 +30040,7 @@
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2328,7 +2512,7 @@
+@@ -2328,7 +2514,7 @@
  
  ########################################
  ## <summary>
@@ -28689,7 +30049,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2814,7 +2998,25 @@
+@@ -2814,7 +3000,25 @@
  		type user_tmp_t;
  	')
  
@@ -28716,7 +30076,7 @@
  ')
  
  ########################################
-@@ -2851,6 +3053,7 @@
+@@ -2851,6 +3055,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -28724,7 +30084,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -2981,3 +3184,482 @@
+@@ -2981,3 +3186,482 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.821
retrieving revision 1.822
diff -u -r1.821 -r1.822
--- selinux-policy.spec	8 Apr 2009 13:18:20 -0000	1.821
+++ selinux-policy.spec	11 Apr 2009 12:30:22 -0000	1.822
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -167,7 +167,7 @@
 
 %define loadminpolicy() \
 ( cd /usr/share/selinux/%1; \
-semodule -b base.pp.bz2 -i unconfined.pp.bz2 -s %1; \
+semodule -b base.pp.bz2 -i unconfined.pp.bz2 unconfineduser.pp.bz2 -s %1; \
 ); \
 
 %define loadpolicy() \
@@ -313,14 +313,10 @@
 %post targeted
 if [ $1 -eq 1 ]; then
 %loadpolicy targeted
-#semanage -S targeted -i - << __eof
-#login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
-#login -m  -s unconfined_u -r s0-s0:c0.c1023 root
-#__eof
 restorecon -R /root /var/log /var/run 2> /dev/null
 else
 semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
-%loadpolicy targeted
+%loadpolicy targeted unconfined.pp unconfineduser.pp
 %relabel targeted
 fi
 exit 0
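Review bot: The upgrade branch now passes `unconfined.pp unconfineduser.pp` to `%loadpolicy targeted`, while `%loadminpolicy` above installs the same modules as `unconfined.pp.bz2 unconfineduser.pp.bz2`; the body of `%loadpolicy` is outside this hunk, so confirm it takes bare `.pp` names and resolves them rather than literal filenames. If `unconfineduser.pp` fails to load on upgrade, the unconfined user that previously came with unconfined.pp would presumably be absent from the installed policy, which is the kind of failure an upgrade should report; a post-load `semodule -l` check for `unconfineduser` would make it visible. The fresh-install branch loads the default module set and is unaffected.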
@@ -444,6 +440,9 @@
 %endif
 
 %changelog
+* Thu Apr 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-3
+- Separate out the ucnonfined user from the unconfined.pp package
+
 * Wed Apr 7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-2
 - Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
 



