rpms/selinux-policy/devel modules-minimum.conf, 1.21, 1.22 modules-targeted.conf, 1.123, 1.124 policy-20090105.patch, 1.84, 1.85 selinux-policy.spec, 1.821, 1.822
Daniel J Walsh
dwalsh at fedoraproject.org
Sat Apr 11 12:30:54 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10851
Modified Files:
modules-minimum.conf modules-targeted.conf
policy-20090105.patch selinux-policy.spec
Log Message:
* Thu Apr 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-3
- Separate out the unconfined user from the unconfined.pp package into its own unconfineduser.pp module
Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- modules-minimum.conf 8 Apr 2009 00:59:45 -0000 1.21
+++ modules-minimum.conf 11 Apr 2009 12:30:21 -0000 1.22
@@ -1676,6 +1676,13 @@
#
soundserver = module
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfineduser = module
+
# Layer:role
# Module: staff
#
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.123
retrieving revision 1.124
diff -u -r1.123 -r1.124
--- modules-targeted.conf 8 Apr 2009 00:59:45 -0000 1.123
+++ modules-targeted.conf 11 Apr 2009 12:30:22 -0000 1.124
@@ -1676,6 +1676,13 @@
#
soundserver = module
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfineduser = module
+
# Layer:role
# Module: staff
#
policy-20090105.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.84 -r 1.85 policy-20090105.patch
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -r1.84 -r1.85
--- policy-20090105.patch 8 Apr 2009 13:18:20 -0000 1.84
+++ policy-20090105.patch 11 Apr 2009 12:30:22 -0000 1.85
@@ -1022,7 +1022,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-09 04:59:09.000000000 -0400
@@ -31,6 +31,9 @@
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -1101,7 +1101,7 @@
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -174,10 +190,20 @@
+@@ -174,17 +190,28 @@
')
optional_policy(`
@@ -1122,8 +1122,9 @@
prelink_domtrans(rpm_t)
')
-@@ -185,6 +211,7 @@
- unconfined_domain(rpm_t)
+ optional_policy(`
+- unconfined_domain(rpm_t)
++ unconfined_domain_noaudit(rpm_t)
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
+ unconfined_dbus_chat(rpm_script_t)
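Review bot: The new side swaps `unconfined_domain(rpm_t)` for `unconfined_domain_noaudit(rpm_t)` with no rationale, while the same commit moves ada_t, mono_t and wine_t in the opposite direction and the log message only mentions splitting out the unconfined user. rpm_t runs package scriptlets as root, so dropping whatever audit rules the non-`_noaudit` interface adds reduces audit visibility for one of the highest-value domains in the policy; the interface bodies are outside this hunk, so exactly which rules are lost cannot be confirmed from here, but the asymmetry with the other three domains looks like it could be an accidental flip. If it is intended, a one-line comment above the call stating the reason would keep the next reader from undoing it, and the changelog entry should mention rpm. The enclosing optional_policy block continues outside the hunk.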
@@ -1514,6 +1515,16 @@
+ xserver_write_pid(vbetool_t)
+')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.te serefpolicy-3.6.12/policy/modules/apps/ada.te
+--- nsaserefpolicy/policy/modules/apps/ada.te 2009-01-05 15:39:38.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/ada.te 2009-04-09 04:47:52.000000000 -0400
+@@ -21,5 +21,5 @@
+ userdom_use_user_terminals(ada_t)
+
+ optional_policy(`
+- unconfined_domain_noaudit(ada_t)
++ unconfined_domain(ada_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te
--- nsaserefpolicy/policy/modules/apps/awstats.te 2009-02-16 08:44:12.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/apps/awstats.te 2009-04-07 16:01:44.000000000 -0400
@@ -2384,7 +2395,7 @@
corecmd_search_bin($1)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.12/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-04-09 04:48:20.000000000 -0400
@@ -15,7 +15,7 @@
# Local policy
#
@@ -2394,7 +2405,12 @@
init_dbus_chat_script(mono_t)
-@@ -46,3 +46,7 @@
+@@ -42,7 +42,11 @@
+ ')
+
+ optional_policy(`
+- unconfined_domain_noaudit(mono_t)
++ unconfined_domain(mono_t)
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
')
@@ -4272,7 +4288,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.12/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-04-09 04:47:36.000000000 -0400
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
@@ -4285,9 +4301,10 @@
optional_policy(`
allow wine_t self:process { execstack execmem execheap };
+- unconfined_domain_noaudit(wine_t)
+ domain_mmap_low_type(wine_t)
+ domain_mmap_low(wine_t)
- unconfined_domain_noaudit(wine_t)
++ unconfined_domain(wine_t)
files_execmod_all_files(wine_t)
+')
@@ -4689,7 +4706,7 @@
type urandom_device_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-09 10:10:17.000000000 -0400
@@ -629,6 +629,7 @@
dontaudit $1 unconfined_domain_type:dir search_dir_perms;
@@ -4909,7 +4926,7 @@
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-09 10:14:04.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@@ -5118,7 +5135,36 @@
')
########################################
-@@ -4532,7 +4662,8 @@
+@@ -4413,6 +4543,28 @@
+
+ ########################################
+ ## <summary>
++## manage all lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ manage_dirs_pattern($1, lockfile, lockfile)
++ manage_files_pattern($1, lockfile, lockfile)
++ manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
+ ## Create an object in the locks directory, with a private
+ ## type using a type transition.
+ ## </summary>
+@@ -4532,7 +4684,8 @@
type var_t, var_run_t;
')
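Review bot: The new `files_manage_all_locks` interface grants create, write, rename and delete over every type carrying the `lockfile` attribute, i.e. the lock files of every other service, yet its summary reads like an ordinary accessor. A caller can remove or overwrite another daemon's lock, so the summary should say so, e.g. `## Manage all lock files. This is a broad privilege: the caller can create, overwrite or remove the lock files of every domain; restrict it to administrative and unconfined domains.` The body also covers only dirs, files and symlinks (no `sock_file`/`fifo_file` patterns), so a caller that needs socket or fifo locks will still be denied; stating that in the summary saves the next person from discovering it through AVC denials.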
@@ -5128,7 +5174,7 @@
')
########################################
-@@ -4873,7 +5004,7 @@
+@@ -4873,7 +5026,7 @@
selinux_compute_member($1)
# Need sys_admin capability for mounting
@@ -5137,7 +5183,7 @@
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -4895,12 +5026,15 @@
+@@ -4895,12 +5048,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -5154,7 +5200,7 @@
')
')
-@@ -4921,3 +5055,95 @@
+@@ -4921,3 +5077,95 @@
typeattribute $1 files_unconfined_type;
')
@@ -5493,7 +5539,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.12/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-04-09 10:10:27.000000000 -0400
@@ -63,6 +63,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -5576,23 +5622,27 @@
tunable_policy(`read_default_t',`
files_list_default(kernel_t)
files_read_default_files(kernel_t)
-@@ -359,6 +384,10 @@
- unconfined_domain(kernel_t)
+@@ -356,7 +381,11 @@
')
[...39694 lines suppressed...]
files_read_kernel_symbol_table($1_t)
-@@ -986,37 +1048,47 @@
+@@ -986,37 +1049,47 @@
')
')
@@ -28365,7 +29724,7 @@
')
#######################################
-@@ -1050,7 +1122,7 @@
+@@ -1050,7 +1123,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -28374,7 +29733,7 @@
')
##############################
-@@ -1059,8 +1131,7 @@
+@@ -1059,8 +1132,7 @@
#
# Inherit rules for ordinary users.
@@ -28384,7 +29743,7 @@
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1083,7 +1154,8 @@
+@@ -1083,7 +1155,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -28394,7 +29753,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1099,6 +1171,7 @@
+@@ -1099,6 +1172,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -28402,7 +29761,7 @@
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,8 +1179,6 @@
+@@ -1106,8 +1180,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -28411,7 +29770,7 @@
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1233,6 @@
+@@ -1162,20 +1234,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -28432,7 +29791,7 @@
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1278,7 @@
+@@ -1221,6 +1279,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -28440,7 +29799,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1286,11 +1344,15 @@
+@@ -1286,11 +1345,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -28456,7 +29815,7 @@
')
########################################
-@@ -1387,7 +1449,7 @@
+@@ -1387,7 +1450,7 @@
########################################
## <summary>
@@ -28465,7 +29824,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -1420,6 +1482,14 @@
+@@ -1420,6 +1483,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -28480,7 +29839,7 @@
')
########################################
-@@ -1435,9 +1505,11 @@
+@@ -1435,9 +1506,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -28492,7 +29851,7 @@
')
########################################
-@@ -1494,6 +1566,25 @@
+@@ -1494,6 +1567,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -28518,7 +29877,7 @@
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1568,6 +1659,8 @@
+@@ -1568,6 +1660,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -28527,7 +29886,7 @@
')
########################################
-@@ -1643,6 +1736,7 @@
+@@ -1643,6 +1737,7 @@
type user_home_dir_t, user_home_t;
')
@@ -28535,7 +29894,7 @@
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1741,30 +1835,79 @@
+@@ -1741,30 +1836,80 @@
########################################
## <summary>
@@ -28622,10 +29981,11 @@
+
+ files_search_home($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ dontaudit $1 user_home_type:sock_file execute;
')
########################################
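Review bot: The added `dontaudit $1 user_home_type:sock_file execute;` silences, for every caller of this interface, attempts to execute sockets under user home content, without recording which caller produces the denial. dontaudit rules are exactly where real misbehaviour disappears from the audit log, so the rule deserves a comment naming the trigger if it is known, e.g. `# exec_files_pattern() above leads some callers to attempt execute on sock_files; benign, so do not audit`, or a `# TODO: identify the caller that trips this` if it is not. The enclosing interface starts outside the hunk.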
-@@ -1787,6 +1930,46 @@
+@@ -1787,6 +1932,46 @@
########################################
## <summary>
@@ -28672,7 +30032,7 @@
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
-@@ -1799,6 +1982,7 @@
+@@ -1799,6 +1984,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -28680,7 +30040,7 @@
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2328,7 +2512,7 @@
+@@ -2328,7 +2514,7 @@
########################################
## <summary>
@@ -28689,7 +30049,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -2814,7 +2998,25 @@
+@@ -2814,7 +3000,25 @@
type user_tmp_t;
')
@@ -28716,7 +30076,7 @@
')
########################################
-@@ -2851,6 +3053,7 @@
+@@ -2851,6 +3055,7 @@
')
read_files_pattern($1,userdomain,userdomain)
@@ -28724,7 +30084,7 @@
kernel_search_proc($1)
')
-@@ -2981,3 +3184,482 @@
+@@ -2981,3 +3186,482 @@
allow $1 userdomain:dbus send_msg;
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.821
retrieving revision 1.822
diff -u -r1.821 -r1.822
--- selinux-policy.spec 8 Apr 2009 13:18:20 -0000 1.821
+++ selinux-policy.spec 11 Apr 2009 12:30:22 -0000 1.822
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -167,7 +167,7 @@
%define loadminpolicy() \
( cd /usr/share/selinux/%1; \
-semodule -b base.pp.bz2 -i unconfined.pp.bz2 -s %1; \
+semodule -b base.pp.bz2 -i unconfined.pp.bz2 unconfineduser.pp.bz2 -s %1; \
); \
%define loadpolicy() \
@@ -313,14 +313,10 @@
%post targeted
if [ $1 -eq 1 ]; then
%loadpolicy targeted
-#semanage -S targeted -i - << __eof
-#login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
-#login -m -s unconfined_u -r s0-s0:c0.c1023 root
-#__eof
restorecon -R /root /var/log /var/run 2> /dev/null
else
semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
-%loadpolicy targeted
+%loadpolicy targeted unconfined.pp unconfineduser.pp
%relabel targeted
fi
exit 0
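Review bot: The upgrade branch now passes `unconfined.pp unconfineduser.pp` explicitly, while the fresh-install branch at the top of the hunk still calls `%loadpolicy targeted` with no module list; the macro body is outside this hunk, so whether a fresh install ends up with unconfineduser.pp loaded cannot be confirmed from here and should be checked, given that `%loadminpolicy` above had to name the new module explicitly. If `%loadpolicy` discards semodule errors the way the preceding `semodule -r ... 2>/dev/null` line does, a failed load of the new module on upgrade would leave the unconfined user domain missing without any message, which is worth a visible error. A comment above the call, e.g. `# unconfineduser.pp is new in 3.6.12-3: name it here so upgrades from releases without it install it`, would at least record why the two branches differ.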
@@ -444,6 +440,9 @@
%endif
%changelog
+* Thu Apr 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-3
+- Separate out the ucnonfined user from the unconfined.pp package
+
* Wed Apr 7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-2
- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.