rpms/selinux-policy/F-10 policy-20080710.patch,1.163,1.164

Miroslav Grepl mgrepl at fedoraproject.org
Thu Apr 23 15:44:07 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5699

Modified Files:
	policy-20080710.patch 
Log Message:
- Allow nfs to share removable media



policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.163
retrieving revision 1.164
diff -u -r1.163 -r1.164
--- policy-20080710.patch	16 Apr 2009 09:49:20 -0000	1.163
+++ policy-20080710.patch	23 Apr 2009 15:43:34 -0000	1.164
@@ -18576,8 +18576,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.5.13/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/lircd.te	2009-04-07 09:19:24.000000000 +0200
-@@ -0,0 +1,64 @@
++++ serefpolicy-3.5.13/policy/modules/services/lircd.te	2009-04-17 10:05:39.000000000 +0200
+@@ -0,0 +1,69 @@
 +policy_module(lircd,1.0.0)
 +
 +########################################
@@ -18628,6 +18628,8 @@
 +dev_filetrans_lirc(lircd_t)
 +dev_rw_lirc(lircd_t)
 +
++dev_read_generic_usb_dev(lircd_t)
++
 +files_read_etc_files(lircd_t)
 +
 +files_list_var(lircd_t)
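Review bot: `dev_read_generic_usb_dev(lircd_t)` is added with no comment on which hardware needs it, and by its name it covers every generic USB device node rather than only the LIRC device already handled by `dev_rw_lirc(lircd_t)` just above. The next hunk shows `permissive lircd_t;`, so the rule presumably changes nothing in enforcement today and only becomes a real grant once the domain is made enforcing. I would put a line such as `# needed for <receiver type>; see <bug/AVC reference>` above it, or drop the rule if it was only added to quiet permissive-mode AVCs. The lircd.te section starts and continues outside this hunk.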
@@ -18638,6 +18640,9 @@
 +
 +libs_use_ld_so(lircd_t)
 +libs_use_shared_libs(lircd_t)
++
++fs_list_inotifyfs(lircd_t)
++
 +miscfiles_read_localization(lircd_t)
 +
 +permissive lircd_t;
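Review bot: `fs_list_inotifyfs(...)` is added here for lircd_t and again for rpcbind_t, rpcd_t, nfsd_t and gssd_t in the rpcbind.te and rpc.te hunks below, none with a comment, and the log message ("Allow nfs to share removable media") does not mention it. The access looks narrow, but five identical additions suggest a common cause such as a shared library that started using inotify; that is an inference, not something the diff shows. A one-line comment at each site, e.g. `# inotify use via <library>; see <bug reference>`, would let a later audit distinguish required access from AVC silencing.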
@@ -26030,8 +26035,17 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.13/policy/modules/services/rpcbind.te
 --- nsaserefpolicy/policy/modules/services/rpcbind.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/rpcbind.te	2009-02-10 15:07:15.000000000 +0100
-@@ -60,6 +60,7 @@
++++ serefpolicy-3.5.13/policy/modules/services/rpcbind.te	2009-04-23 09:19:32.000000000 +0200
+@@ -31,6 +31,8 @@
+ allow rpcbind_t self:udp_socket create_socket_perms;
+ allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+ 
++fs_list_inotifyfs(rpcbind_t)
++
+ manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+ manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+ files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
+@@ -60,6 +62,7 @@
  domain_use_interactive_fds(rpcbind_t)
  
  files_read_etc_files(rpcbind_t)
@@ -26117,7 +26131,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/rpc.te	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/rpc.te	2009-04-23 09:19:05.000000000 +0200
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write, false)
  
@@ -26127,7 +26141,7 @@
  
  rpc_domain_template(gssd)
  
-@@ -68,6 +68,7 @@
+@@ -68,11 +68,13 @@
  # for rpc.rquotad
  kernel_read_sysctl(rpcd_t)  
  kernel_rw_fs_sysctls(rpcd_t)
@@ -26135,7 +26149,13 @@
  
  corecmd_exec_bin(rpcd_t)
  
-@@ -101,6 +102,7 @@
+ files_manage_mounttab(rpcd_t)
+ 
++fs_list_inotifyfs(rpcd_t)
+ fs_list_rpc(rpcd_t)
+ fs_read_rpc_files(rpcd_t)
+ fs_read_rpc_symlinks(rpcd_t)
+@@ -101,6 +103,7 @@
  # for /proc/fs/nfs/exports - should we have a new type?
  kernel_read_system_state(nfsd_t) 
  kernel_read_network_state(nfsd_t) 
@@ -26143,7 +26163,23 @@
  
  corenet_tcp_bind_all_rpc_ports(nfsd_t)
  corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -133,13 +135,22 @@
+@@ -116,6 +119,7 @@
+ # cjp: this should really have its own type
+ files_manage_mounttab(rpcd_t)
+ 
++fs_list_inotifyfs(nfsd_t)
+ fs_mount_nfsd_fs(nfsd_t) 
+ fs_search_nfsd_fs(nfsd_t) 
+ fs_getattr_all_fs(nfsd_t) 
+@@ -123,6 +127,7 @@
+ fs_rw_nfsd_fs(nfsd_t) 
+ 
+ storage_dontaudit_read_fixed_disk(nfsd_t)
++storage_raw_read_removable_device(nfsd_t)
+ 
+ # Read access to public_content_t and public_content_rw_t
+ miscfiles_read_public_files(nfsd_t)
+@@ -133,13 +138,22 @@
  ') 
  
  tunable_policy(`nfs_export_all_rw',`
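Review bot: `storage_raw_read_removable_device(nfsd_t)` is granted unconditionally, outside the nfs_export_all_rw tunable block that begins at the end of this hunk, so nfsd gets raw read on removable device nodes whether or not anything on removable media is exported. Raw device reads bypass the file-level labels and permissions of the filesystem on that device, which looks like more than serving files from a mounted removable filesystem should need. The line directly above it is `storage_dontaudit_read_fixed_disk(nfsd_t)`, which suggests the equivalent fixed-disk denial was treated as noise rather than as a requirement. I would either move the call inside a tunable_policy block keyed on an export boolean, or use the dontaudit form if the AVC was cosmetic, and in either case add a comment naming the denial that prompted it. The nfsd_t section starts and continues outside this hunk.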
@@ -26167,7 +26203,15 @@
  ')
  
  ########################################
-@@ -170,9 +181,14 @@
+@@ -162,6 +176,7 @@
+ 
+ corecmd_exec_bin(gssd_t)
+ 
++fs_list_inotifyfs(gssd_t)
+ fs_list_rpc(gssd_t) 
+ fs_read_rpc_sockets(gssd_t) 
+ fs_read_rpc_files(gssd_t) 
+@@ -170,9 +185,14 @@
  files_read_usr_symlinks(gssd_t) 
  
  auth_use_nsswitch(gssd_t)
@@ -26182,7 +26226,7 @@
  tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_unpriv_users_tmp(gssd_t) 
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
-@@ -180,8 +196,7 @@
+@@ -180,8 +200,7 @@
  ')
  
  optional_policy(`
@@ -29023,7 +29067,7 @@
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/ssh.if	2009-03-20 09:28:24.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/ssh.if	2009-04-23 09:21:24.000000000 +0200
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -29243,7 +29287,15 @@
  
  	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
  	term_create_pty($1_t,$1_devpts_t)
-@@ -478,7 +484,12 @@
+@@ -462,6 +468,7 @@
+ 	# Access key files
+ 	allow $1_t sshd_key_t:file { getattr read };
+ 
++	kernel_read_network_state($1_t)
+ 	kernel_read_kernel_sysctls($1_t)
+ 
+ 	corenet_all_recvfrom_unlabeled($1_t)
+@@ -478,7 +485,12 @@
  	corenet_udp_bind_all_nodes($1_t)
  	corenet_tcp_bind_ssh_port($1_t)
  	corenet_tcp_connect_all_ports($1_t)
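Review bot: `kernel_read_network_state($1_t)` is added inside what appears to be the ssh server template, so every domain instantiated from it gains read access to kernel network state, not only sshd_t. The template body starts and ends outside this hunk. The log message mentions only NFS, so this change is undocumented; a comment above the line such as `# sshd reads <file under /proc/net>; see <bug reference>` would record why it is needed.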
@@ -29256,7 +29308,7 @@
  
  	fs_dontaudit_getattr_all_fs($1_t)
  
-@@ -495,6 +506,8 @@
+@@ -495,6 +507,8 @@
  	files_read_etc_files($1_t)
  	files_read_etc_runtime_files($1_t)
  
@@ -29265,7 +29317,7 @@
  	libs_use_ld_so($1_t)
  	libs_use_shared_libs($1_t)
  
-@@ -506,9 +519,14 @@
+@@ -506,9 +520,14 @@
  
  	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
  	userdom_search_all_users_home_dirs($1_t)
@@ -29280,7 +29332,7 @@
  	')
  
  	tunable_policy(`use_samba_home_dirs',`
-@@ -517,11 +535,7 @@
+@@ -517,11 +536,7 @@
  
  	optional_policy(`
  		kerberos_use($1_t)
@@ -29293,7 +29345,7 @@
  	')
  
  	optional_policy(`
-@@ -605,6 +619,25 @@
+@@ -605,6 +620,25 @@
  	allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
  ')
  
@@ -29319,7 +29371,7 @@
  ########################################
  ## <summary>
  ##	Do not audit attempts to read and write
-@@ -710,3 +743,22 @@
+@@ -710,3 +744,22 @@
  
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')



