rpms/selinux-policy/F-11 policy-20090105.patch, 1.87, 1.88 selinux-policy.spec, 1.825, 1.826
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Apr 16 14:05:05 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1011
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Tue Apr 14 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-6
- Allow cupsd_t to create link files in print_spool_t
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.87
retrieving revision 1.88
diff -u -r1.87 -r1.88
--- policy-20090105.patch 15 Apr 2009 12:06:09 -0000 1.87
+++ policy-20090105.patch 16 Apr 2009 14:04:33 -0000 1.88
@@ -6501,8 +6501,8 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-09 04:44:48.000000000 -0400
-@@ -0,0 +1,30 @@
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-15 10:01:33.000000000 -0400
+@@ -0,0 +1,32 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -6522,6 +6522,8 @@
+
+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/opera/[^/]*/works -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/opera/[^/]*/opera -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -7177,8 +7179,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-09 05:43:27.000000000 -0400
-@@ -0,0 +1,402 @@
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-16 10:03:34.000000000 -0400
+@@ -0,0 +1,403 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -7267,6 +7269,7 @@
+
+init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t)
++init_chat(unconfined_t)
+
+libs_run_ldconfig(unconfined_t, unconfined_r)
+
@@ -12859,7 +12862,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.12/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/exim.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/exim.te 2009-04-15 08:33:18.000000000 -0400
@@ -21,9 +21,20 @@
## </desc>
gen_tunable(exim_manage_user_files, false)
@@ -14346,8 +14349,8 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-04-07 16:01:44.000000000 -0400
-@@ -0,0 +1,55 @@
++++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-04-16 09:47:17.000000000 -0400
+@@ -0,0 +1,58 @@
+policy_module(lircd,1.0.0)
+
+########################################
@@ -14393,6 +14396,7 @@
+# /dev/lircd socket
+manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
+dev_filetrans(lircd_t, lircd_sock_t, sock_file )
++dev_read_generic_usb_dev(lircd_t)
+
+logging_send_syslog_msg(lircd_t)
+
@@ -14401,8 +14405,21 @@
+files_manage_generic_locks(lircd_t)
+files_read_all_locks(lircd_t)
+
++fs_list_inotifyfs(lircd_t)
++
+miscfiles_read_localization(lircd_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.6.12/policy/modules/services/lpd.if
+--- nsaserefpolicy/policy/modules/services/lpd.if 2009-01-05 15:39:43.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/lpd.if 2009-04-15 17:56:28.000000000 -0400
+@@ -134,6 +134,7 @@
+ files_search_spool($1)
+ manage_dirs_pattern($1, print_spool_t, print_spool_t)
+ manage_files_pattern($1, print_spool_t, print_spool_t)
++ manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.12/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/mailman.fc 2009-04-07 16:01:44.000000000 -0400
@@ -17791,7 +17808,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-13 11:44:30.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-15 08:35:07.000000000 -0400
@@ -6,6 +6,15 @@
# Declarations
#
@@ -17870,7 +17887,15 @@
allow postfix_master_t postfix_etc_t:file rw_file_perms;
-@@ -142,6 +159,7 @@
+@@ -132,6 +149,7 @@
+ # allow access to deferred queue and allow removing bogus incoming entries
+ manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
++files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
+
+ allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
+ allow postfix_master_t postfix_spool_bounce_t:file getattr;
+@@ -142,6 +160,7 @@
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -17878,7 +17903,7 @@
kernel_read_all_sysctls(postfix_master_t)
-@@ -153,6 +171,9 @@
+@@ -153,6 +172,9 @@
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -17888,7 +17913,7 @@
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -170,6 +191,8 @@
+@@ -170,6 +192,8 @@
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -17897,7 +17922,7 @@
term_dontaudit_search_ptys(postfix_master_t)
-@@ -181,15 +204,14 @@
+@@ -181,15 +205,14 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -17917,7 +17942,7 @@
')
optional_policy(`
-@@ -202,9 +224,29 @@
+@@ -202,9 +225,29 @@
')
optional_policy(`
@@ -17947,7 +17972,21 @@
########################################
#
# Postfix bounce local policy
-@@ -245,6 +287,10 @@
+@@ -219,6 +262,7 @@
+ manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
++files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
+
+ manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+ manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+@@ -240,11 +284,16 @@
+ manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
++files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+
+ allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
@@ -17958,7 +17997,7 @@
########################################
#
# Postfix local local policy
-@@ -270,18 +316,29 @@
+@@ -270,18 +319,29 @@
files_read_etc_files(postfix_local_t)
@@ -17988,7 +18027,7 @@
')
optional_policy(`
-@@ -292,8 +349,7 @@
+@@ -292,8 +352,7 @@
#
# Postfix map local policy
#
@@ -17998,7 +18037,7 @@
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -340,10 +396,6 @@
+@@ -340,10 +399,6 @@
miscfiles_read_localization(postfix_map_t)
@@ -18009,7 +18048,7 @@
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
-@@ -356,6 +408,11 @@
+@@ -356,6 +411,11 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
@@ -18021,7 +18060,7 @@
########################################
#
# Postfix pickup local policy
-@@ -380,6 +437,7 @@
+@@ -380,6 +440,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -18029,7 +18068,7 @@
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -387,6 +445,12 @@
+@@ -387,6 +448,12 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -18042,7 +18081,7 @@
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -396,6 +460,15 @@
+@@ -396,6 +463,15 @@
')
optional_policy(`
@@ -18058,7 +18097,7 @@
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -432,8 +505,11 @@
+@@ -432,8 +508,11 @@
')
optional_policy(`
@@ -18072,7 +18111,7 @@
')
#######################################
-@@ -459,6 +535,15 @@
+@@ -459,6 +538,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -18088,7 +18127,15 @@
########################################
#
# Postfix qmgr local policy
-@@ -513,7 +598,7 @@
+@@ -472,6 +560,7 @@
+ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+ manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
++files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+
+ allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+ allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+@@ -513,7 +602,7 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -18097,7 +18144,7 @@
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
-@@ -543,9 +628,18 @@
+@@ -543,9 +632,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -18116,7 +18163,7 @@
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -572,15 +666,21 @@
+@@ -572,15 +670,21 @@
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
# connect to master process
@@ -25240,7 +25287,7 @@
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-13 10:35:22.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-16 10:03:08.000000000 -0400
@@ -280,6 +280,29 @@
kernel_dontaudit_use_fds($1)
')
@@ -25432,7 +25479,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-13 08:06:15.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-16 10:02:04.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
@@ -25570,7 +25617,12 @@
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -274,12 +312,14 @@
+@@ -270,16 +308,19 @@
+ dev_rw_sysfs(initrc_t)
+ dev_list_usbfs(initrc_t)
+ dev_read_framebuffer(initrc_t)
++dev_write_framebuffer(initrc_t)
+ dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
@@ -25586,7 +25638,7 @@
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -328,7 +368,7 @@
+@@ -328,7 +369,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -25595,7 +25647,7 @@
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -343,14 +383,13 @@
+@@ -343,14 +384,13 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -25611,7 +25663,7 @@
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-@@ -366,7 +405,9 @@
+@@ -366,7 +406,9 @@
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
@@ -25621,7 +25673,7 @@
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -451,7 +492,7 @@
+@@ -451,7 +493,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -25630,7 +25682,7 @@
files_dontaudit_read_root_files(initrc_t)
selinux_set_enforce_mode(initrc_t)
-@@ -465,6 +506,7 @@
+@@ -465,6 +507,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
@@ -25638,7 +25690,7 @@
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
-@@ -498,6 +540,7 @@
+@@ -498,6 +541,7 @@
optional_policy(`
#for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t)
@@ -25646,7 +25698,7 @@
')
optional_policy(`
-@@ -516,6 +559,31 @@
+@@ -516,6 +560,31 @@
')
')
@@ -25678,7 +25730,7 @@
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +638,10 @@
+@@ -570,6 +639,10 @@
dbus_read_config(initrc_t)
optional_policy(`
@@ -25689,7 +25741,7 @@
networkmanager_dbus_chat(initrc_t)
')
')
-@@ -647,6 +719,11 @@
+@@ -647,6 +720,11 @@
')
optional_policy(`
@@ -25701,7 +25753,7 @@
mailman_list_data(initrc_t)
mailman_read_data_symlinks(initrc_t)
')
-@@ -655,12 +732,6 @@
+@@ -655,12 +733,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -25714,7 +25766,7 @@
optional_policy(`
ifdef(`distro_redhat',`
-@@ -721,6 +792,9 @@
+@@ -721,6 +793,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -25724,7 +25776,7 @@
')
optional_policy(`
-@@ -733,10 +807,12 @@
+@@ -733,10 +808,12 @@
squid_manage_logs(initrc_t)
')
@@ -25737,7 +25789,7 @@
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +830,11 @@
+@@ -754,6 +831,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -25749,7 +25801,7 @@
optional_policy(`
unconfined_domain(initrc_t)
-@@ -761,6 +842,8 @@
+@@ -761,6 +843,8 @@
# system-config-services causes avc messages that should be dontaudited
unconfined_dontaudit_rw_pipes(daemon)
')
@@ -25758,7 +25810,7 @@
optional_policy(`
mono_domtrans(initrc_t)
-@@ -768,6 +851,10 @@
+@@ -768,6 +852,10 @@
')
optional_policy(`
@@ -25769,7 +25821,7 @@
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-@@ -790,3 +877,25 @@
+@@ -790,3 +878,25 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28315,7 +28367,7 @@
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.12/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-14 14:03:29.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-15 10:11:28.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -28373,8 +28425,8 @@
# Allow making the stack executable via mprotect;
- # execstack implies execmem;
- allow $1 self:process { execstack execmem };
-+ # execstack implies execmem; Turned off for F11
-+ allow $1 self:process { execstack };
++ # execstack implies execmem; Bugzilla #211271
++ allow $1 self:process { execmem execstack };
# auditallow $1 self:process execstack;
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.825
retrieving revision 1.826
diff -u -r1.825 -r1.826
--- selinux-policy.spec 15 Apr 2009 12:08:36 -0000 1.825
+++ selinux-policy.spec 16 Apr 2009 14:04:34 -0000 1.826
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 5.1%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -440,7 +440,10 @@
%endif
%changelog
-* Tue Apr 14 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-5.1
+* Tue Apr 14 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-6
+- Allow cupsd_t to create link files in print_spool_t
+
+* Tue Apr 14 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-5
- Allow audioentroy to read etc files
* Mon Apr 13 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-4
More information about the fedora-extras-commits
mailing list