rpms/selinux-policy/devel booleans-minimum.conf, 1.4, 1.5 booleans-targeted.conf, 1.46, 1.47 policy-20090105.patch, 1.89, 1.90 selinux-policy.spec, 1.826, 1.827

Daniel J Walsh dwalsh at fedoraproject.org
Sat Apr 18 12:14:07 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12368

Modified Files:
	booleans-minimum.conf booleans-targeted.conf 
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Sat Apr 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-8
- Fixes for podsleuth



Index: booleans-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-minimum.conf,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- booleans-minimum.conf	10 Feb 2009 16:08:36 -0000	1.4
+++ booleans-minimum.conf	18 Apr 2009 12:13:35 -0000	1.5
@@ -8,7 +8,7 @@
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+allow_execstack = false
 
 # Allow ftpd to read cifs directories.
 # 
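Review bot: The log message and the 3.6.12-8 changelog entry say only "Fixes for podsleuth", but this hunk and the ones after it flip twelve boolean defaults to false in booleans-minimum.conf, and booleans-targeted.conf receives the same edits. Tightening defaults such as `allow_execstack`, `httpd_enable_homedirs` and `user_ping` is a behaviour change that administrators will notice and auditors will want to trace, so it deserves its own changelog line, for example `- Turn off permissive boolean defaults in minimum and targeted policy`. It would also help to state whether the new defaults apply only to fresh installs or also to upgraded systems, which cannot be told from this diff.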
@@ -56,7 +56,7 @@
 
 # Allow zebra to write it own configuration files
 # 
-allow_zebra_write_config = true
+allow_zebra_write_config = false
 
 # Enable extra rules in the cron domainto support fcron.
 # 
@@ -96,7 +96,7 @@
 
 # Allow httpd to read home directories
 # 
-httpd_enable_homedirs = true
+httpd_enable_homedirs = false
 
 # Run SSI execs in system CGI script domain.
 # 
@@ -104,11 +104,11 @@
 
 # Allow http daemon to communicate with the TTY
 # 
-httpd_tty_comm = true
+httpd_tty_comm = false
 
 # Run CGI in the main httpd domain
 # 
-httpd_unified = true
+httpd_unified = false
 
 # Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
 # 
@@ -128,7 +128,7 @@
 
 # Allow reading of default_t files.
 # 
-read_default_t = true
+read_default_t = false
 
 # Allow samba to export user home directories.
 # 
@@ -148,7 +148,7 @@
 
 # Control users use of ping and traceroute
 # 
-user_ping = true
+user_ping = false
 
 # allow host key based authentication
 # 
@@ -164,7 +164,7 @@
 
 # Allow spamd to write to users homedirs
 # 
-spamd_enable_home_dirs = true
+spamd_enable_home_dirs = false
 
 # Allow regular users direct mouse access
 # 
@@ -192,7 +192,7 @@
 
 # Allow all domains to talk to ttys
 # 
-allow_daemons_use_tty = true
+allow_daemons_use_tty = false
 
 # Allow login domains to polyinstatiate directories
 # 
@@ -208,11 +208,11 @@
 
 # Allow samba to export user home directories.
 # 
-samba_run_unconfined = true
+samba_run_unconfined = false
 
 # Allows XServer to execute writable memory
 # 
-allow_xserver_execmem = true
+allow_xserver_execmem = false
 
 # disallow guest accounts to execute files that they can create 
 # 
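Review bot: The comment above `samba_run_unconfined` reads "Allow samba to export user home directories.", which does not describe this setting; the same sentence already appears in the context of the `@@ -128,7` hunk above a different line of the file. Someone deciding whether to turn the boolean back on would be misled about what it grants. Going by the boolean's name, the comment should be something like `# Allow samba to run unconfined scripts.` (wording to be confirmed against the policy's tunable description). The matching hunk in booleans-targeted.conf carries the same mismatched comment.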
@@ -225,7 +225,7 @@
 
 # Allow postfix locat to write to mail spool
 # 
-allow_postfix_local_write_mail_spool=true
+allow_postfix_local_write_mail_spool=false
 
 # Allow common users to read/write noexattrfile systems
 # 


Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- booleans-targeted.conf	10 Feb 2009 16:08:36 -0000	1.46
+++ booleans-targeted.conf	18 Apr 2009 12:13:36 -0000	1.47
@@ -8,7 +8,7 @@
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+allow_execstack = false
 
 # Allow ftpd to read cifs directories.
 # 
@@ -56,7 +56,7 @@
 
 # Allow zebra to write it own configuration files
 # 
-allow_zebra_write_config = true
+allow_zebra_write_config = false
 
 # Enable extra rules in the cron domainto support fcron.
 # 
@@ -96,7 +96,7 @@
 
 # Allow httpd to read home directories
 # 
-httpd_enable_homedirs = true
+httpd_enable_homedirs = false
 
 # Run SSI execs in system CGI script domain.
 # 
@@ -104,11 +104,11 @@
 
 # Allow http daemon to communicate with the TTY
 # 
-httpd_tty_comm = true
+httpd_tty_comm = false
 
 # Run CGI in the main httpd domain
 # 
-httpd_unified = true
+httpd_unified = false
 
 # Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
 # 
@@ -128,7 +128,7 @@
 
 # Allow reading of default_t files.
 # 
-read_default_t = true
+read_default_t = false
 
 # Allow samba to export user home directories.
 # 
@@ -148,7 +148,7 @@
 
 # Control users use of ping and traceroute
 # 
-user_ping = true
+user_ping = false
 
 # allow host key based authentication
 # 
@@ -164,7 +164,7 @@
 
 # Allow spamd to write to users homedirs
 # 
-spamd_enable_home_dirs = true
+spamd_enable_home_dirs = false
 
 # Allow regular users direct mouse access
 # 
@@ -192,7 +192,7 @@
 
 # Allow all domains to talk to ttys
 # 
-allow_daemons_use_tty = true
+allow_daemons_use_tty = false
 
 # Allow login domains to polyinstatiate directories
 # 
@@ -208,11 +208,11 @@
 
 # Allow samba to export user home directories.
 # 
-samba_run_unconfined = true
+samba_run_unconfined = false
 
 # Allows XServer to execute writable memory
 # 
-allow_xserver_execmem = true
+allow_xserver_execmem = false
 
 # disallow guest accounts to execute files that they can create 
 # 
@@ -225,7 +225,7 @@
 
 # Allow postfix locat to write to mail spool
 # 
-allow_postfix_local_write_mail_spool=true
+allow_postfix_local_write_mail_spool=false
 
 # Allow common users to read/write noexattrfile systems
 # 

policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- policy-20090105.patch	17 Apr 2009 14:19:16 -0000	1.89
+++ policy-20090105.patch	18 Apr 2009 12:13:36 -0000	1.90
@@ -3001,8 +3001,8 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te	2009-04-07 16:01:44.000000000 -0400
-@@ -0,0 +1,292 @@
++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te	2009-04-17 11:13:07.000000000 -0400
+@@ -0,0 +1,293 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@@ -3138,6 +3138,7 @@
 +
 +miscfiles_read_localization(nsplugin_t)
 +miscfiles_read_fonts(nsplugin_t)
++miscfiles_dontaudit_write_fonts(nsplugin_t)
 +
 +userdom_manage_user_tmp_dirs(nsplugin_t)
 +userdom_manage_user_tmp_files(nsplugin_t)
@@ -3462,8 +3463,8 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.12/policy/modules/apps/podsleuth.te
 --- nsaserefpolicy/policy/modules/apps/podsleuth.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te	2009-04-07 16:01:44.000000000 -0400
-@@ -11,21 +11,68 @@
++++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te	2009-04-18 06:04:47.000000000 -0400
+@@ -11,25 +11,80 @@
  application_domain(podsleuth_t, podsleuth_exec_t)
  role system_r types podsleuth_t;
  
@@ -3483,7 +3484,7 @@
  #
 -
 -allow podsleuth_t self:process { signal getsched execheap execmem };
-+allow podsleuth_t self:capability { sys_admin sys_rawio };
++allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
 +allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
  allow podsleuth_t self:fifo_file rw_file_perms;
  allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
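Review bot: The widened rule `allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };` sits directly above a process rule that already grants `ptrace`, `execheap`, `execmem` and `execstack`, so podsleuth_t ends up with very little effective confinement and no comment says why each capability is needed. `dac_override` is often a symptom of a file created with the wrong owner or mode rather than a real requirement, so it is worth checking whether a labeling or ownership fix would remove the need for it. A short comment above the rule, such as `# kill, dac_override: needed for <denial observed>`, would let a later reviewer drop the grants once the cause is fixed. The next podsleuth.te hunk adds `userdom_signal_all_users(podsleuth_t)`, which together with `kill` lets this domain signal user processes and deserves the same justification. The surrounding policy section begins outside this hunk.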
@@ -3533,7 +3534,21 @@
 +
  miscfiles_read_localization(podsleuth_t)
  
- dbus_system_bus_client(podsleuth_t)
+-dbus_system_bus_client(podsleuth_t)
++userdom_signal_all_users(podsleuth_t)
+ 
+-mono_exec(podsleuth_t)
++optional_policy(`
++	dbus_system_bus_client(podsleuth_t)
++')
+ 
++optional_policy(`
+ hal_dbus_chat(podsleuth_t)
++')
++
++optional_policy(`
++	mono_exec(podsleuth_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc	2009-04-07 16:01:44.000000000 -0400
@@ -4923,7 +4938,7 @@
  type urandom_device_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-04-15 08:01:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-04-18 06:12:57.000000000 -0400
 @@ -525,7 +525,7 @@
  	')
  
@@ -6552,7 +6567,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if	2009-04-14 14:12:12.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if	2009-04-18 06:06:56.000000000 -0400
 @@ -0,0 +1,638 @@
 +## <summary>Unconfiend user role</summary>
 +
@@ -22979,7 +22994,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-04-17 11:32:56.000000000 -0400
 @@ -8,19 +8,24 @@
  
  ## <desc>
@@ -23190,7 +23205,7 @@
  ')
  
  optional_policy(`
-@@ -198,5 +271,78 @@
+@@ -198,5 +271,80 @@
  ')
  
  optional_policy(`
@@ -23226,6 +23241,8 @@
 +
 +list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
 +read_files_pattern(svirt_t, virt_content_t, virt_content_t)
++dontaudit svirt_t virt_content_t:file write_file_perms;
++dontaudit svirt_t virt_content_t:dir write;
 +
 +storage_raw_write_removable_device(svirt_t)
 +storage_raw_read_removable_device(svirt_t)
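Review bot: The two added `dontaudit` rules silence every write attempt by svirt_t against virt_content_t files and directories, so a guest process that tries to modify read-only content no longer leaves an AVC record. If the aim is to quiet a known benign access (presumably the emulator probing read-only images for write access), say so in a comment such as `# emulator opens read-only content for write first; denied and not audited`. Consider limiting the file rule to the specific permission seen in the denial instead of all of `write_file_perms`. When investigating a guest, the hidden denials can still be surfaced by rebuilding the policy with `semodule -DB`.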
@@ -25303,8 +25320,8 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.if	2009-04-16 10:03:08.000000000 -0400
-@@ -280,6 +280,29 @@
++++ serefpolicy-3.6.12/policy/modules/system/init.if	2009-04-17 11:04:53.000000000 -0400
+@@ -280,6 +280,36 @@
  			kernel_dontaudit_use_fds($1)
  		')
  	')
@@ -25330,11 +25347,18 @@
 +	 optional_policy(`
 +	 	xserver_rw_xdm_home_files($1)
 +	')
++
++	optional_policy(`
++		unconfined_dontaudit_rw_pipes($1)
++		unconfined_dontaudit_rw_stream($1)
++		userdom_dontaudit_read_user_tmp_files($1)
++	')
++
 +	init_rw_script_stream_sockets($1)
  ')
  
  ########################################
-@@ -546,7 +569,7 @@
+@@ -546,7 +576,7 @@
  
  		# upstart uses a datagram socket instead of initctl pipe
  		allow $1 self:unix_dgram_socket create_socket_perms;
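Review bot: The added optional_policy block gives every caller of this interface `unconfined_dontaudit_rw_pipes`, `unconfined_dontaudit_rw_stream` and `userdom_dontaudit_read_user_tmp_files` with no comment explaining why, and the init.te hunk at `@@ -25741,12` adds the last two to the `daemon` attribute as well. Suppressing these denials for all daemons hides descriptor leaks from user sessions rather than fixing the program that leaks them, and it removes the audit record for a daemon that really does touch user temp files. A comment such as `# descriptors leaked from the user's terminal when a service is restarted by hand` (presumably the Konsole leak named in the 3.6.12-7 changelog) would tie the rules to their cause. It is also worth checking whether the copy in the interface is redundant if its callers already carry the `daemon` attribute. The interface body starts outside this hunk.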
@@ -25343,7 +25367,7 @@
  	')
  ')
  
-@@ -619,18 +642,19 @@
+@@ -619,18 +649,19 @@
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -25367,7 +25391,7 @@
  	')
  ')
  
-@@ -646,23 +670,43 @@
+@@ -646,23 +677,43 @@
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -25415,7 +25439,7 @@
  ##	Execute a init script in a specified domain.
  ## </summary>
  ## <desc>
-@@ -1291,6 +1335,25 @@
+@@ -1291,6 +1342,25 @@
  
  ########################################
  ## <summary>
@@ -25441,7 +25465,7 @@
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1521,3 +1584,51 @@
+@@ -1521,3 +1591,51 @@
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -25495,7 +25519,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-17 07:33:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-17 11:41:15.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -25714,7 +25738,7 @@
  	')
  
  	optional_policy(`
-@@ -516,6 +560,31 @@
+@@ -516,6 +560,33 @@
  	')
  ')
  
@@ -25741,12 +25765,14 @@
 +
 +optional_policy(`
 +	unconfined_dontaudit_rw_pipes(daemon)
++	unconfined_dontaudit_rw_stream(daemon)
++	userdom_dontaudit_read_user_tmp_files(daemon)
 +')
 + 
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +639,10 @@
+@@ -570,6 +641,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -25757,7 +25783,7 @@
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -591,6 +664,10 @@
+@@ -591,6 +666,10 @@
  ')
  
  optional_policy(`
@@ -25768,7 +25794,7 @@
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -647,6 +724,11 @@
+@@ -647,6 +726,11 @@
  ')
  
  optional_policy(`
@@ -25780,7 +25806,7 @@
  	mailman_list_data(initrc_t)
  	mailman_read_data_symlinks(initrc_t)
  ')
-@@ -655,12 +737,6 @@
+@@ -655,12 +739,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -25793,7 +25819,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -721,6 +797,9 @@
+@@ -721,6 +799,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -25803,7 +25829,7 @@
  ')
  
  optional_policy(`
-@@ -733,10 +812,12 @@
+@@ -733,10 +814,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -25816,7 +25842,7 @@
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +835,11 @@
+@@ -754,6 +837,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -25828,7 +25854,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -761,6 +847,8 @@
+@@ -761,6 +849,8 @@
  		# system-config-services causes avc messages that should be dontaudited
  		unconfined_dontaudit_rw_pipes(daemon)
  	')
@@ -25837,7 +25863,7 @@
  
  	optional_policy(`
  		mono_domtrans(initrc_t)
-@@ -768,6 +856,10 @@
+@@ -768,6 +858,10 @@
  ')
  
  optional_policy(`
@@ -25848,7 +25874,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -790,3 +882,25 @@
+@@ -790,3 +884,25 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -29135,7 +29161,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-16 11:03:07.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-18 06:14:35.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -30542,7 +30568,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -2981,3 +3187,482 @@
+@@ -2981,3 +3187,481 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -31024,7 +31050,6 @@
 +
 +	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
 +')
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.12/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-01-19 11:07:34.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.te	2009-04-07 16:01:44.000000000 -0400


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.826
retrieving revision 1.827
diff -u -r1.826 -r1.827
--- selinux-policy.spec	17 Apr 2009 14:19:17 -0000	1.826
+++ selinux-policy.spec	18 Apr 2009 12:13:36 -0000	1.827
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 6%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -311,9 +311,9 @@
 %saveFileContext targeted
 
 %post targeted
-set -x
 if [ $1 -eq 1 ]; then
-%loadpolicy targeted "unconfined.pp.bz2 unconfineduser.pp.bz2"
+packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
+%loadpolicy targeted $packages
 restorecon -R /root /var/log /var/run 2> /dev/null
 else
 semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
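Review bot: `%loadpolicy targeted $packages` expands the variable unquoted, and nothing explains why the module list moved out of the macro call into a shell variable. If the reason is that the macro's arguments are split on whitespace (the definition of `%loadpolicy` is not in this hunk), a one-line comment such as `# pass the module list through a variable so it reaches %loadpolicy as a single argument` would stop someone from inlining it again. The unquoted expansion is safe only while the value stays this fixed literal.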
@@ -401,7 +401,7 @@
 %saveFileContext olpc
 
 %post olpc 
-%loadpolicy olpc
+%loadpolicy olpc ""
 
 if [ $1 -ne 1 ]; then
 %relabel olpc
@@ -432,7 +432,7 @@
 
 %post mls 
 semodule -n -s mls -r mailscanner 2>/dev/null
-%loadpolicy mls
+%loadpolicy mls ""
 
 if [ $1 != 1 ]; then
 %relabel mls
@@ -446,6 +446,12 @@
 %endif
 
 %changelog
+* Sat Apr 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-8
+- Fixes for podsleuth
+
+* Fri Apr 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-7
+- Turn off nsplugin transition
+- Remove Konsole leaked file descriptors for release
 
 * Fri Apr 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-6
 - Allow cupsd_t to create link files in print_spool_t



