rpms/selinux-policy/F-11 booleans-targeted.conf, 1.46, 1.47 policy-20090105.patch, 1.89, 1.90 selinux-policy.spec, 1.827, 1.828
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Apr 17 15:15:13 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28999
Modified Files:
booleans-targeted.conf policy-20090105.patch
selinux-policy.spec
Log Message:
* Fri Apr 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-7
- Turn off nsplugin transition
- Remove Konsole leaked file descriptors for release
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/booleans-targeted.conf,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- booleans-targeted.conf 10 Feb 2009 16:08:36 -0000 1.46
+++ booleans-targeted.conf 17 Apr 2009 15:14:42 -0000 1.47
@@ -241,7 +241,7 @@
# Allow unconfined domain to transition to confined domain
#
-allow_unconfined_nsplugin_transition=true
+allow_unconfined_nsplugin_transition=false
# Allow unconfined domains mmap low kernel memory
#
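Review bot: The comment above this boolean still reads only "Allow unconfined domain to transition to confined domain", so a reader of the conf file cannot tell that the confined domain is nsplugin or what the new default gives up. With `allow_unconfined_nsplugin_transition=false`, browser plugins started by an unconfined user presumably stay in the unconfined domain instead of moving to nsplugin_t, so plugin confinement is off by default for those users. I would reword the comment to something like `# Allow unconfined users to transition to the confined nsplugin domain when running browser plugins (off by default in F-11)`. The changelog could also say that it can be re-enabled with `setsebool -P allow_unconfined_nsplugin_transition 1`.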
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- policy-20090105.patch 17 Apr 2009 14:19:05 -0000 1.89
+++ policy-20090105.patch 17 Apr 2009 15:14:42 -0000 1.90
@@ -3001,8 +3001,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-07 16:01:44.000000000 -0400
-@@ -0,0 +1,292 @@
++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-17 11:13:07.000000000 -0400
+@@ -0,0 +1,293 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -3138,6 +3138,7 @@
+
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
++miscfiles_dontaudit_write_fonts(nsplugin_t)
+
+userdom_manage_user_tmp_dirs(nsplugin_t)
+userdom_manage_user_tmp_files(nsplugin_t)
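Review bot: `miscfiles_dontaudit_write_fonts(nsplugin_t)` is added without a comment, and neither line of the changelog entry (nsplugin transition, Konsole descriptors) accounts for it. A dontaudit rule leaves the write denied but drops the AVC record, so an unexpected attempt by a plugin to write font files no longer shows up in the audit log. A one-line comment above it naming what triggers the denial, e.g. `# <plugin> probes font dirs for write access; denial is harmless (bug: <tracker-id>)`, would let a later reviewer decide when the rule can go. While investigating, `semodule -DB` rebuilds the policy with dontaudit rules disabled so the hidden denials become visible again.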
@@ -6552,7 +6553,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-14 14:12:12.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-17 11:03:25.000000000 -0400
@@ -0,0 +1,638 @@
+## <summary>Unconfiend user role</summary>
+
@@ -25303,8 +25304,8 @@
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-16 10:03:08.000000000 -0400
-@@ -280,6 +280,29 @@
++++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-17 11:04:53.000000000 -0400
+@@ -280,6 +280,36 @@
kernel_dontaudit_use_fds($1)
')
')
@@ -25330,11 +25331,18 @@
+ optional_policy(`
+ xserver_rw_xdm_home_files($1)
+ ')
++
++ optional_policy(`
++ unconfined_dontaudit_rw_pipes($1)
++ unconfined_dontaudit_rw_stream($1)
++ userdom_dontaudit_read_user_tmp_files($1)
++ ')
++
+ init_rw_script_stream_sockets($1)
')
########################################
-@@ -546,7 +569,7 @@
+@@ -546,7 +576,7 @@
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
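Review bot: The three dontaudit calls added in this optional_policy block apply to `$1`, i.e. to every domain that calls the enclosing interface (its header is outside the hunk). Two of them are also added for the `daemon` attribute in the init.te hunk at `@@ -516,6 +560,33 @@`. Going by the log message, these hide denials caused by descriptors that Konsole leaks to services started from it. They equally hide a daemon that genuinely tries to read user temp files or use an unconfined process's pipes and stream sockets, which is a signal worth keeping in the audit log. Since the log says "for release", I would mark the block as temporary in both places with a comment such as `# Konsole leaks fds to services it starts; drop once fixed (bug: <tracker-id>)`.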
@@ -25343,7 +25351,7 @@
')
')
-@@ -619,18 +642,19 @@
+@@ -619,18 +649,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -25367,7 +25375,7 @@
')
')
-@@ -646,23 +670,43 @@
+@@ -646,23 +677,43 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -25415,7 +25423,7 @@
## Execute a init script in a specified domain.
## </summary>
## <desc>
-@@ -1291,6 +1335,25 @@
+@@ -1291,6 +1342,25 @@
########################################
## <summary>
@@ -25441,7 +25449,7 @@
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1521,3 +1584,51 @@
+@@ -1521,3 +1591,51 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -25495,7 +25503,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 07:33:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 11:04:04.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
@@ -25714,7 +25722,7 @@
')
optional_policy(`
-@@ -516,6 +560,31 @@
+@@ -516,6 +560,33 @@
')
')
@@ -25741,12 +25749,14 @@
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
++ unconfined_dontaudit_rw_stream(daemon)
++ userdom_dontaudit_read_user_tmp_files(daemon)
+')
+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +639,10 @@
+@@ -570,6 +641,10 @@
dbus_read_config(initrc_t)
optional_policy(`
@@ -25757,7 +25767,7 @@
networkmanager_dbus_chat(initrc_t)
')
')
-@@ -591,6 +664,10 @@
+@@ -591,6 +666,10 @@
')
optional_policy(`
@@ -25768,7 +25778,7 @@
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -647,6 +724,11 @@
+@@ -647,6 +726,11 @@
')
optional_policy(`
@@ -25780,7 +25790,7 @@
mailman_list_data(initrc_t)
mailman_read_data_symlinks(initrc_t)
')
-@@ -655,12 +737,6 @@
+@@ -655,12 +739,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -25793,7 +25803,7 @@
optional_policy(`
ifdef(`distro_redhat',`
-@@ -721,6 +797,9 @@
+@@ -721,6 +799,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -25803,7 +25813,7 @@
')
optional_policy(`
-@@ -733,10 +812,12 @@
+@@ -733,10 +814,12 @@
squid_manage_logs(initrc_t)
')
@@ -25816,7 +25826,7 @@
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +835,11 @@
+@@ -754,6 +837,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -25828,7 +25838,7 @@
optional_policy(`
unconfined_domain(initrc_t)
-@@ -761,6 +847,8 @@
+@@ -761,6 +849,8 @@
# system-config-services causes avc messages that should be dontaudited
unconfined_dontaudit_rw_pipes(daemon)
')
@@ -25837,7 +25847,7 @@
optional_policy(`
mono_domtrans(initrc_t)
-@@ -768,6 +856,10 @@
+@@ -768,6 +858,10 @@
')
optional_policy(`
@@ -25848,7 +25858,7 @@
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-@@ -790,3 +882,25 @@
+@@ -790,3 +884,25 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29135,7 +29145,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-16 11:03:07.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-17 11:03:40.000000000 -0400
@@ -30,8 +30,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.827
retrieving revision 1.828
diff -u -r1.827 -r1.828
--- selinux-policy.spec 17 Apr 2009 14:19:05 -0000 1.827
+++ selinux-policy.spec 17 Apr 2009 15:14:43 -0000 1.828
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@
%endif
%changelog
+* Fri Apr 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-7
+- Turn off nsplugin transition
+- Remove Konsole leaked file descriptors for release
* Fri Apr 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-6
- Allow cupsd_t to create link files in print_spool_t