rpms/selinux-policy/devel policy-20090105.patch, 1.91, 1.92 selinux-policy.spec, 1.828, 1.829
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Apr 22 19:18:33 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv18010
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Wed Apr 22 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-12
- Allow sshd to read var_lib symlinks for freenx
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.91
retrieving revision 1.92
diff -u -r1.91 -r1.92
--- policy-20090105.patch 21 Apr 2009 20:31:51 -0000 1.91
+++ policy-20090105.patch 22 Apr 2009 19:18:29 -0000 1.92
@@ -459,10 +459,41 @@
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.12/policy/modules/admin/dmesg.fc
+--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2008-08-07 11:15:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/dmesg.fc 2009-04-22 14:17:05.000000000 -0400
+@@ -1,2 +1,4 @@
+
+ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++
++/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-04-07 16:01:44.000000000 -0400
-@@ -35,7 +35,7 @@
++++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-04-22 14:39:11.000000000 -0400
+@@ -9,6 +9,7 @@
+ type dmesg_t;
+ type dmesg_exec_t;
+ init_system_domain(dmesg_t, dmesg_exec_t)
++cron_system_entry(dmesg_t, dmesg_exec_t)
+
+ ########################################
+ #
+@@ -20,12 +21,14 @@
+
+ allow dmesg_t self:process signal_perms;
+
++kernel_read_system_state(dmesg_t)
+ kernel_read_kernel_sysctls(dmesg_t)
+ kernel_read_ring_buffer(dmesg_t)
+ kernel_clear_ring_buffer(dmesg_t)
+ kernel_change_ring_buffer_level(dmesg_t)
+ kernel_list_proc(dmesg_t)
+ kernel_read_proc_symlinks(dmesg_t)
++dev_read_kmsg(dmesg_t)
+
+ dev_read_sysfs(dmesg_t)
+
+@@ -35,7 +38,7 @@
domain_use_interactive_fds(dmesg_t)
@@ -3055,8 +3086,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-17 11:13:07.000000000 -0400
-@@ -0,0 +1,293 @@
++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-22 13:50:31.000000000 -0400
+@@ -0,0 +1,294 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -3086,7 +3117,8 @@
+application_executable_file(nsplugin_config_exec_t)
+
+type nsplugin_rw_t;
-+files_type(nsplugin_rw_t)
++files_poly_member(nsplugin_rw_t)
++userdom_user_home_content(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
@@ -3611,7 +3643,7 @@
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if 2009-04-22 13:29:00.000000000 -0400
@@ -0,0 +1,148 @@
+
+## <summary>policy for pulseaudio</summary>
@@ -5229,7 +5261,7 @@
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-20 12:17:02.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-22 13:33:02.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@@ -9697,6 +9729,20 @@
libs_legacy_use_shared_libs(bitlbee_t)
miscfiles_read_localization(bitlbee_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-03-23 13:47:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te 2009-04-22 13:29:27.000000000 -0400
+@@ -152,6 +152,10 @@
+ optional_policy(`
+ hal_dbus_chat(bluetooth_t)
+ ')
++
++ optional_policy(`
++ pulseaudio_dbus_chat(bluetooth_t)
++ ')
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.12/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/certmaster.fc 2009-04-07 16:01:44.000000000 -0400
@@ -10693,7 +10739,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-21 16:03:54.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-22 14:41:00.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -10756,7 +10802,7 @@
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
-@@ -146,22 +163,23 @@
+@@ -146,20 +163,20 @@
allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
@@ -10781,11 +10827,8 @@
+kernel_read_fs_sysctls(crond_t)
kernel_search_key(crond_t)
-+dev_read_kmsg(crond_t)
dev_read_sysfs(crond_t)
- selinux_get_fs_mount(crond_t)
- selinux_validate_context(crond_t)
-@@ -174,6 +192,7 @@
+@@ -174,6 +191,7 @@
fs_getattr_all_fs(crond_t)
fs_search_auto_mountpoints(crond_t)
@@ -10793,7 +10836,7 @@
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
-@@ -183,7 +202,11 @@
+@@ -183,7 +201,11 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
@@ -10805,7 +10848,7 @@
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
-@@ -192,10 +215,15 @@
+@@ -192,10 +214,15 @@
files_search_default(crond_t)
init_rw_utmp(crond_t)
@@ -10821,7 +10864,7 @@
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -208,6 +236,7 @@
+@@ -208,6 +235,7 @@
userdom_list_user_home_dirs(crond_t)
mta_send_mail(crond_t)
@@ -10829,7 +10872,7 @@
ifdef(`distro_debian',`
# pam_limits is used
-@@ -227,21 +256,44 @@
+@@ -227,21 +255,44 @@
')
')
@@ -10875,7 +10918,7 @@
')
optional_policy(`
-@@ -268,8 +320,8 @@
+@@ -268,8 +319,8 @@
# System cron process domain
#
@@ -10886,7 +10929,7 @@
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -283,7 +335,14 @@
+@@ -283,7 +334,14 @@
allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
@@ -10901,7 +10944,7 @@
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -303,6 +362,7 @@
+@@ -303,6 +361,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -10909,7 +10952,7 @@
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -314,9 +374,13 @@
+@@ -314,9 +373,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -10924,7 +10967,7 @@
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -345,6 +409,7 @@
+@@ -345,6 +408,7 @@
fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@@ -10932,7 +10975,7 @@
# quiet other ps operations
domain_dontaudit_read_all_domains_state(system_cronjob_t)
-@@ -370,7 +435,8 @@
+@@ -370,7 +434,8 @@
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -10942,7 +10985,7 @@
auth_use_nsswitch(system_cronjob_t)
-@@ -378,6 +444,7 @@
+@@ -378,6 +443,7 @@
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
@@ -10950,7 +10993,7 @@
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
-@@ -418,6 +485,10 @@
+@@ -418,6 +484,10 @@
')
optional_policy(`
@@ -10961,7 +11004,7 @@
ftp_read_log(system_cronjob_t)
')
-@@ -428,11 +499,20 @@
+@@ -428,11 +498,20 @@
')
optional_policy(`
@@ -10982,7 +11025,7 @@
')
optional_policy(`
-@@ -447,6 +527,7 @@
+@@ -447,6 +526,7 @@
prelink_read_cache(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_delete_cache(system_cronjob_t)
@@ -10990,7 +11033,7 @@
')
optional_policy(`
-@@ -460,8 +541,7 @@
+@@ -460,8 +540,7 @@
')
optional_policy(`
@@ -11000,7 +11043,7 @@
')
optional_policy(`
-@@ -469,24 +549,17 @@
+@@ -469,24 +548,17 @@
')
optional_policy(`
@@ -11028,7 +11071,7 @@
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +643,9 @@
+@@ -570,6 +642,9 @@
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
@@ -21997,7 +22040,7 @@
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-21 13:22:50.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-22 11:47:12.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -22065,18 +22108,16 @@
dev_read_urand($1_ssh_t)
-@@ -132,6 +132,10 @@
- files_read_etc_runtime_files($1_ssh_t)
+@@ -133,6 +133,8 @@
files_read_etc_files($1_ssh_t)
files_read_var_files($1_ssh_t)
-+ # Required for FreeNX
-+ files_read_var_lib_symlinks($1_t)
-+
-+ auth_use_nsswitch($1_ssh_t)
++ auth_use_nsswitch($1_ssh_t)
++
logging_send_syslog_msg($1_ssh_t)
logging_read_generic_logs($1_ssh_t)
-@@ -140,9 +144,6 @@
+
+@@ -140,9 +142,6 @@
seutil_read_config($1_ssh_t)
@@ -22086,7 +22127,7 @@
tunable_policy(`read_default_t',`
files_list_default($1_ssh_t)
files_read_default_files($1_ssh_t)
-@@ -154,14 +155,6 @@
+@@ -154,14 +153,6 @@
optional_policy(`
kerberos_use($1_ssh_t)
')
@@ -22101,7 +22142,7 @@
')
#######################################
-@@ -194,13 +187,14 @@
+@@ -194,13 +185,14 @@
type $1_var_run_t;
files_pid_file($1_var_run_t)
@@ -22117,7 +22158,7 @@
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
-@@ -214,6 +208,7 @@
+@@ -214,6 +206,7 @@
allow $1_t sshd_key_t:file read_file_perms;
kernel_read_kernel_sysctls($1_t)
@@ -22125,7 +22166,7 @@
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
-@@ -229,7 +224,12 @@
+@@ -229,7 +222,12 @@
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
@@ -22138,6 +22179,15 @@
fs_dontaudit_getattr_all_fs($1_t)
+@@ -245,6 +243,8 @@
+
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
++ # Required for FreeNX
++ files_read_var_lib_symlinks($1_t)
+
+ logging_search_logs($1_t)
+
@@ -254,9 +254,14 @@
userdom_dontaudit_relabelfrom_user_ptys($1_t)
@@ -26090,7 +26140,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-22 14:41:22.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(ipsec, 1.9.1)
@@ -26098,6 +26148,24 @@
########################################
#
+@@ -55,7 +55,7 @@
+
+ allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+ dontaudit ipsec_t self:capability sys_tty_config;
+-allow ipsec_t self:process { signal setsched };
++allow ipsec_t self:process { getsched signal setsched };
+ allow ipsec_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_t self:udp_socket create_socket_perms;
+ allow ipsec_t self:key_socket create_socket_perms;
+@@ -67,7 +67,7 @@
+ read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
+
+ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
+-read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
++rw_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+ read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+
+ manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -103,11 +103,13 @@
corenet_raw_sendrecv_all_nodes(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t)
@@ -26113,7 +26181,16 @@
corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t)
-@@ -167,6 +169,8 @@
+@@ -127,6 +129,8 @@
+ domain_use_interactive_fds(ipsec_t)
+
+ files_read_etc_files(ipsec_t)
++files_read_usr_files(ipsec_t)
++files_search_tmp(ipsec_t)
+
+ init_use_fds(ipsec_t)
+ init_use_script_ptys(ipsec_t)
+@@ -167,6 +171,8 @@
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
@@ -26122,7 +26199,7 @@
manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
-@@ -242,8 +246,6 @@
+@@ -242,8 +248,6 @@
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -26131,7 +26208,7 @@
miscfiles_read_localization(ipsec_mgmt_t)
modutils_domtrans_insmod(ipsec_mgmt_t)
-@@ -298,13 +300,10 @@
+@@ -298,13 +302,10 @@
kernel_read_network_state(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.828
retrieving revision 1.829
diff -u -r1.828 -r1.829
--- selinux-policy.spec 21 Apr 2009 20:31:51 -0000 1.828
+++ selinux-policy.spec 22 Apr 2009 19:18:30 -0000 1.829
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 11%{?dist}
+Release: 12%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@
%endif
%changelog
+* Wed Apr 22 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-12
+- Allow sshd to read var_lib symlinks for freenx
+
* Tue Apr 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-11
- Allow nsplugin unix_read and write on users shm and sem
- Allow sysadm_t to execute su
More information about the fedora-extras-commits
mailing list