rpms/selinux-policy/devel booleans-minimum.conf, 1.4, 1.5 booleans-targeted.conf, 1.46, 1.47 policy-20090105.patch, 1.89, 1.90 selinux-policy.spec, 1.826, 1.827
Daniel J Walsh
dwalsh at fedoraproject.org
Sat Apr 18 12:14:07 UTC 2009
- Previous message (by thread): rpms/systemtapguiserver/F-11 import.log, NONE, 1.1 systemtapguiserver.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message (by thread): rpms/xfsprogs/devel xfsprogs.spec,1.51,1.52
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12368
Modified Files:
booleans-minimum.conf booleans-targeted.conf
policy-20090105.patch selinux-policy.spec
Log Message:
* Sat Apr 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-8
- Fixes for podsleuth
Index: booleans-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-minimum.conf,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- booleans-minimum.conf 10 Feb 2009 16:08:36 -0000 1.4
+++ booleans-minimum.conf 18 Apr 2009 12:13:35 -0000 1.5
@@ -8,7 +8,7 @@
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = true
+allow_execstack = false
# Allow ftpd to read cifs directories.
#
@@ -56,7 +56,7 @@
# Allow zebra to write it own configuration files
#
-allow_zebra_write_config = true
+allow_zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
@@ -96,7 +96,7 @@
# Allow httpd to read home directories
#
-httpd_enable_homedirs = true
+httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
@@ -104,11 +104,11 @@
# Allow http daemon to communicate with the TTY
#
-httpd_tty_comm = true
+httpd_tty_comm = false
# Run CGI in the main httpd domain
#
-httpd_unified = true
+httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
@@ -128,7 +128,7 @@
# Allow reading of default_t files.
#
-read_default_t = true
+read_default_t = false
# Allow samba to export user home directories.
#
@@ -148,7 +148,7 @@
# Control users use of ping and traceroute
#
-user_ping = true
+user_ping = false
# allow host key based authentication
#
@@ -164,7 +164,7 @@
# Allow spamd to write to users homedirs
#
-spamd_enable_home_dirs = true
+spamd_enable_home_dirs = false
# Allow regular users direct mouse access
#
@@ -192,7 +192,7 @@
# Allow all domains to talk to ttys
#
-allow_daemons_use_tty = true
+allow_daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
@@ -208,11 +208,11 @@
# Allow samba to export user home directories.
#
-samba_run_unconfined = true
+samba_run_unconfined = false
# Allows XServer to execute writable memory
#
-allow_xserver_execmem = true
+allow_xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
@@ -225,7 +225,7 @@
# Allow postfix locat to write to mail spool
#
-allow_postfix_local_write_mail_spool=true
+allow_postfix_local_write_mail_spool=false
# Allow common users to read/write noexattrfile systems
#
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- booleans-targeted.conf 10 Feb 2009 16:08:36 -0000 1.46
+++ booleans-targeted.conf 18 Apr 2009 12:13:36 -0000 1.47
@@ -8,7 +8,7 @@
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = true
+allow_execstack = false
# Allow ftpd to read cifs directories.
#
@@ -56,7 +56,7 @@
# Allow zebra to write it own configuration files
#
-allow_zebra_write_config = true
+allow_zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
@@ -96,7 +96,7 @@
# Allow httpd to read home directories
#
-httpd_enable_homedirs = true
+httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
@@ -104,11 +104,11 @@
# Allow http daemon to communicate with the TTY
#
-httpd_tty_comm = true
+httpd_tty_comm = false
# Run CGI in the main httpd domain
#
-httpd_unified = true
+httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
@@ -128,7 +128,7 @@
# Allow reading of default_t files.
#
-read_default_t = true
+read_default_t = false
# Allow samba to export user home directories.
#
@@ -148,7 +148,7 @@
# Control users use of ping and traceroute
#
-user_ping = true
+user_ping = false
# allow host key based authentication
#
@@ -164,7 +164,7 @@
# Allow spamd to write to users homedirs
#
-spamd_enable_home_dirs = true
+spamd_enable_home_dirs = false
# Allow regular users direct mouse access
#
@@ -192,7 +192,7 @@
# Allow all domains to talk to ttys
#
-allow_daemons_use_tty = true
+allow_daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
@@ -208,11 +208,11 @@
# Allow samba to export user home directories.
#
-samba_run_unconfined = true
+samba_run_unconfined = false
# Allows XServer to execute writable memory
#
-allow_xserver_execmem = true
+allow_xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
@@ -225,7 +225,7 @@
# Allow postfix locat to write to mail spool
#
-allow_postfix_local_write_mail_spool=true
+allow_postfix_local_write_mail_spool=false
# Allow common users to read/write noexattrfile systems
#
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- policy-20090105.patch 17 Apr 2009 14:19:16 -0000 1.89
+++ policy-20090105.patch 18 Apr 2009 12:13:36 -0000 1.90
@@ -3001,8 +3001,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-07 16:01:44.000000000 -0400
-@@ -0,0 +1,292 @@
++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-17 11:13:07.000000000 -0400
+@@ -0,0 +1,293 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -3138,6 +3138,7 @@
+
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
++miscfiles_dontaudit_write_fonts(nsplugin_t)
+
+userdom_manage_user_tmp_dirs(nsplugin_t)
+userdom_manage_user_tmp_files(nsplugin_t)
@@ -3462,8 +3463,8 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.12/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te 2009-04-07 16:01:44.000000000 -0400
-@@ -11,21 +11,68 @@
++++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te 2009-04-18 06:04:47.000000000 -0400
+@@ -11,25 +11,80 @@
application_domain(podsleuth_t, podsleuth_exec_t)
role system_r types podsleuth_t;
@@ -3483,7 +3484,7 @@
#
-
-allow podsleuth_t self:process { signal getsched execheap execmem };
-+allow podsleuth_t self:capability { sys_admin sys_rawio };
++allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
@@ -3533,7 +3534,21 @@
+
miscfiles_read_localization(podsleuth_t)
- dbus_system_bus_client(podsleuth_t)
+-dbus_system_bus_client(podsleuth_t)
++userdom_signal_all_users(podsleuth_t)
+
+-mono_exec(podsleuth_t)
++optional_policy(`
++ dbus_system_bus_client(podsleuth_t)
++')
+
++optional_policy(`
+ hal_dbus_chat(podsleuth_t)
++')
++
++optional_policy(`
++ mono_exec(podsleuth_t)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc
--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc 2009-04-07 16:01:44.000000000 -0400
@@ -4923,7 +4938,7 @@
type urandom_device_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-15 08:01:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-18 06:12:57.000000000 -0400
@@ -525,7 +525,7 @@
')
@@ -6552,7 +6567,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-14 14:12:12.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-18 06:06:56.000000000 -0400
@@ -0,0 +1,638 @@
+## <summary>Unconfiend user role</summary>
+
@@ -22979,7 +22994,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-17 11:32:56.000000000 -0400
@@ -8,19 +8,24 @@
## <desc>
@@ -23190,7 +23205,7 @@
')
optional_policy(`
-@@ -198,5 +271,78 @@
+@@ -198,5 +271,80 @@
')
optional_policy(`
@@ -23226,6 +23241,8 @@
+
+list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_t, virt_content_t, virt_content_t)
++dontaudit svirt_t virt_content_t:file write_file_perms;
++dontaudit svirt_t virt_content_t:dir write;
+
+storage_raw_write_removable_device(svirt_t)
+storage_raw_read_removable_device(svirt_t)
@@ -25303,8 +25320,8 @@
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-16 10:03:08.000000000 -0400
-@@ -280,6 +280,29 @@
++++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-17 11:04:53.000000000 -0400
+@@ -280,6 +280,36 @@
kernel_dontaudit_use_fds($1)
')
')
@@ -25330,11 +25347,18 @@
+ optional_policy(`
+ xserver_rw_xdm_home_files($1)
+ ')
++
++ optional_policy(`
++ unconfined_dontaudit_rw_pipes($1)
++ unconfined_dontaudit_rw_stream($1)
++ userdom_dontaudit_read_user_tmp_files($1)
++ ')
++
+ init_rw_script_stream_sockets($1)
')
########################################
-@@ -546,7 +569,7 @@
+@@ -546,7 +576,7 @@
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
@@ -25343,7 +25367,7 @@
')
')
-@@ -619,18 +642,19 @@
+@@ -619,18 +649,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -25367,7 +25391,7 @@
')
')
-@@ -646,23 +670,43 @@
+@@ -646,23 +677,43 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -25415,7 +25439,7 @@
## Execute a init script in a specified domain.
## </summary>
## <desc>
-@@ -1291,6 +1335,25 @@
+@@ -1291,6 +1342,25 @@
########################################
## <summary>
@@ -25441,7 +25465,7 @@
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1521,3 +1584,51 @@
+@@ -1521,3 +1591,51 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -25495,7 +25519,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 07:33:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 11:41:15.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
@@ -25714,7 +25738,7 @@
')
optional_policy(`
-@@ -516,6 +560,31 @@
+@@ -516,6 +560,33 @@
')
')
@@ -25741,12 +25765,14 @@
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
++ unconfined_dontaudit_rw_stream(daemon)
++ userdom_dontaudit_read_user_tmp_files(daemon)
+')
+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +639,10 @@
+@@ -570,6 +641,10 @@
dbus_read_config(initrc_t)
optional_policy(`
@@ -25757,7 +25783,7 @@
networkmanager_dbus_chat(initrc_t)
')
')
-@@ -591,6 +664,10 @@
+@@ -591,6 +666,10 @@
')
optional_policy(`
@@ -25768,7 +25794,7 @@
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -647,6 +724,11 @@
+@@ -647,6 +726,11 @@
')
optional_policy(`
@@ -25780,7 +25806,7 @@
mailman_list_data(initrc_t)
mailman_read_data_symlinks(initrc_t)
')
-@@ -655,12 +737,6 @@
+@@ -655,12 +739,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -25793,7 +25819,7 @@
optional_policy(`
ifdef(`distro_redhat',`
-@@ -721,6 +797,9 @@
+@@ -721,6 +799,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -25803,7 +25829,7 @@
')
optional_policy(`
-@@ -733,10 +812,12 @@
+@@ -733,10 +814,12 @@
squid_manage_logs(initrc_t)
')
@@ -25816,7 +25842,7 @@
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +835,11 @@
+@@ -754,6 +837,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -25828,7 +25854,7 @@
optional_policy(`
unconfined_domain(initrc_t)
-@@ -761,6 +847,8 @@
+@@ -761,6 +849,8 @@
# system-config-services causes avc messages that should be dontaudited
unconfined_dontaudit_rw_pipes(daemon)
')
@@ -25837,7 +25863,7 @@
optional_policy(`
mono_domtrans(initrc_t)
-@@ -768,6 +856,10 @@
+@@ -768,6 +858,10 @@
')
optional_policy(`
@@ -25848,7 +25874,7 @@
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-@@ -790,3 +882,25 @@
+@@ -790,3 +884,25 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29135,7 +29161,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-16 11:03:07.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-18 06:14:35.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -30542,7 +30568,7 @@
kernel_search_proc($1)
')
-@@ -2981,3 +3187,482 @@
+@@ -2981,3 +3187,481 @@
allow $1 userdomain:dbus send_msg;
')
@@ -31024,7 +31050,6 @@
+
+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
-+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.12/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.te 2009-04-07 16:01:44.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.826
retrieving revision 1.827
diff -u -r1.826 -r1.827
--- selinux-policy.spec 17 Apr 2009 14:19:17 -0000 1.826
+++ selinux-policy.spec 18 Apr 2009 12:13:36 -0000 1.827
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 6%{?dist}
+Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -311,9 +311,9 @@
%saveFileContext targeted
%post targeted
-set -x
if [ $1 -eq 1 ]; then
-%loadpolicy targeted "unconfined.pp.bz2 unconfineduser.pp.bz2"
+packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
+%loadpolicy targeted $packages
restorecon -R /root /var/log /var/run 2> /dev/null
else
semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
@@ -401,7 +401,7 @@
%saveFileContext olpc
%post olpc
-%loadpolicy olpc
+%loadpolicy olpc ""
if [ $1 -ne 1 ]; then
%relabel olpc
@@ -432,7 +432,7 @@
%post mls
semodule -n -s mls -r mailscanner 2>/dev/null
-%loadpolicy mls
+%loadpolicy mls ""
if [ $1 != 1 ]; then
%relabel mls
@@ -446,6 +446,12 @@
%endif
%changelog
+* Sat Apr 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-8
+- Fixes for podsleuth
+
+* Fri Apr 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-7
+- Turn off nsplugin transition
+- Remove Konsole leaked file descriptors for release
* Fri Apr 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-6
- Allow cupsd_t to create link files in print_spool_t
- Previous message (by thread): rpms/systemtapguiserver/F-11 import.log, NONE, 1.1 systemtapguiserver.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message (by thread): rpms/xfsprogs/devel xfsprogs.spec,1.51,1.52
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list