rpms/selinux-policy/F-11 policy-20090105.patch, 1.106, 1.107 selinux-policy.spec, 1.842, 1.843
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Apr 27 14:45:53 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23924
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Mon Apr 27 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-20
- Fix labeling on /var/lib/misc/prelink*
- Allow xserver to rw_shm_perms with all x_clients
- Allow prelink to execute files in the user's home directory
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.106
retrieving revision 1.107
diff -u -r1.106 -r1.107
--- policy-20090105.patch 24 Apr 2009 19:28:42 -0000 1.106
+++ policy-20090105.patch 27 Apr 2009 14:45:51 -0000 1.107
@@ -663,16 +663,16 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.12/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/admin/prelink.fc 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/prelink.fc 2009-04-27 08:28:48.000000000 -0400
@@ -5,3 +5,5 @@
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+
-+/var/lib/misc/prelink\* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
++/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.12/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/prelink.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/prelink.if 2009-04-27 09:47:06.000000000 -0400
@@ -120,3 +120,23 @@
logging_search_logs($1)
manage_files_pattern($1, prelink_log_t, prelink_log_t)
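Review bot: The corrected file-context pattern `prelink.*` on the new `++` line is wider than the `prelink*` glob the changelog describes, because `.` also matches `/`, so a regular file anywhere below a `/var/lib/misc/prelink…` directory would take `prelink_var_lib_t` as well; `/var/lib/misc/prelink[^/]* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)` keeps the match to entries directly in /var/lib/misc. The old `prelink\*` matched only a literal asterisk, which is presumably the mislabeling the log message refers to. Whether a prelink subdirectory ever exists there is not visible from this hunk, so this is a tightening rather than a defect.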
@@ -699,7 +699,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-04-27 08:32:37.000000000 -0400
@@ -21,12 +21,15 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -750,17 +750,18 @@
fs_getattr_xattr_fs(prelink_t)
-@@ -81,6 +89,9 @@
+@@ -81,6 +89,10 @@
userdom_use_user_terminals(prelink_t)
+# prelink executables in the user homedir
+userdom_manage_home_role(system_r, prelink_t)
++userdom_exec_user_home_content_files(prelink_t)
+
optional_policy(`
amanda_manage_lib(prelink_t)
')
-@@ -88,3 +99,7 @@
+@@ -88,3 +100,7 @@
optional_policy(`
cron_system_entry(prelink_t, prelink_exec_t)
')
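Review bot: The added `userdom_exec_user_home_content_files(prelink_t)` gives a system domain that is entered from cron (`cron_system_entry` at the end of this hunk) execute access on content that users write, and the comment above it, `# prelink executables in the user homedir`, says what is granted but not why. Prelink may need the `execute` check merely to map an ELF it rewrites rather than to run user binaries — I cannot tell from the hunk — so the comment should state that, e.g. `# prelink rewrites ELF files in user home dirs; execute is required because <REASON>`. If the access is only needed when home-directory prelinking is enabled, wrapping the rule in a tunable_policy block would keep the default footprint of prelink_t unchanged. The prelink.te section continues outside this hunk.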
@@ -6425,7 +6426,7 @@
## requiring the caller to use setexeccon().
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-24 00:02:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-27 09:47:43.000000000 -0400
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -6578,18 +6579,16 @@
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
-@@ -308,10 +250,6 @@
+@@ -308,7 +250,7 @@
')
optional_policy(`
- pyzor_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- quota_run(sysadm_t, sysadm_r)
++ prelink_run(sysadm_t, sysadm_r)
')
-@@ -320,10 +258,6 @@
+ optional_policy(`
+@@ -320,10 +262,6 @@
')
optional_policy(`
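Review bot: The `prelink_run(sysadm_t, sysadm_r)` added here, and the samba.te `allow smbd_t nmbd_t:process { signal signull };` further down, are not mentioned in the log message, whose three entries cover only prelink.fc, xserver.te and the prelink home-directory exec. Add a changelog line such as `- Allow sysadm_t to run prelink via prelink_run` so the sysadm role change is traceable. The new line reuses the optional_policy block that formerly held `pyzor_role`, so it is conditional on whichever module that block now references, and `prelink_run` itself would have to come from the prelink.if additions whose hunk header (`@@ -120,3 +120,23 @@`) appears earlier but whose body is not visible here, so I cannot confirm it is defined.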
@@ -6600,7 +6599,7 @@
rpc_domtrans_nfsd(sysadm_t)
')
-@@ -332,10 +266,6 @@
+@@ -332,10 +270,6 @@
')
optional_policy(`
@@ -6611,7 +6610,7 @@
rsync_exec(sysadm_t)
')
-@@ -345,10 +275,6 @@
+@@ -345,10 +279,6 @@
')
optional_policy(`
@@ -6622,7 +6621,7 @@
secadm_role_change(sysadm_r)
')
-@@ -358,35 +284,15 @@
+@@ -358,35 +288,15 @@
')
optional_policy(`
@@ -6658,7 +6657,7 @@
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +300,10 @@
+@@ -394,18 +304,10 @@
')
optional_policy(`
@@ -6677,7 +6676,7 @@
unconfined_domtrans(sysadm_t)
')
-@@ -418,20 +316,12 @@
+@@ -418,20 +320,12 @@
')
optional_policy(`
@@ -6698,7 +6697,7 @@
vpn_run(sysadm_t, sysadm_r)
')
-@@ -440,13 +330,7 @@
+@@ -440,13 +334,7 @@
')
optional_policy(`
@@ -14840,7 +14839,7 @@
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-24 07:20:31.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 10:00:53.000000000 -0400
@@ -1,6 +1,8 @@
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
@@ -20707,7 +20706,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/samba.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/samba.te 2009-04-27 08:59:49.000000000 -0400
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -20833,7 +20832,14 @@
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -256,7 +278,7 @@
+@@ -250,13 +272,14 @@
+ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+
+ allow smbd_t nmbd_var_run_t:file rw_file_perms;
++allow smbd_t nmbd_t:process { signal signull };
+
+ manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
files_pid_filetrans(smbd_t, smbd_var_run_t, file)
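Review bot: `allow smbd_t nmbd_t:process { signal signull };` lets smbd deliver every signal outside the separate sigkill/sigstop/sigchld permissions to nmbd, including SIGTERM and SIGHUP, whereas `signull` alone covers an existence check (kill with signal 0). If smbd only probes whether nmbd is alive, `allow smbd_t nmbd_t:process signull;` is the narrower rule; if it really has to signal nmbd, a comment naming the case, e.g. `# smbd sends <SIGNAL> to nmbd when <EVENT>`, would document the trust relationship between the two daemons. This addition is also absent from the log message. The smbd_t section this line sits in starts and ends outside the hunk.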
@@ -20842,7 +20848,7 @@
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -298,6 +320,7 @@
+@@ -298,6 +321,7 @@
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
@@ -20850,7 +20856,7 @@
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -321,6 +344,10 @@
+@@ -321,6 +345,10 @@
userdom_use_unpriv_users_fds(smbd_t)
userdom_dontaudit_search_user_home_dirs(smbd_t)
@@ -20861,7 +20867,7 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -333,25 +360,33 @@
+@@ -333,25 +361,33 @@
tunable_policy(`samba_domain_controller',`
usermanage_domtrans_passwd(smbd_t)
@@ -20901,7 +20907,7 @@
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
-@@ -359,6 +394,16 @@
+@@ -359,6 +395,16 @@
optional_policy(`
kerberos_use(smbd_t)
@@ -20918,7 +20924,7 @@
')
optional_policy(`
-@@ -376,13 +421,15 @@
+@@ -376,13 +422,15 @@
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -20935,7 +20941,7 @@
auth_read_all_files_except_shadow(nmbd_t)
')
-@@ -391,8 +438,8 @@
+@@ -391,8 +439,8 @@
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
@@ -20945,7 +20951,7 @@
########################################
#
-@@ -417,14 +464,11 @@
+@@ -417,14 +465,11 @@
files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -20961,7 +20967,7 @@
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-@@ -454,6 +498,7 @@
+@@ -454,6 +499,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -20969,7 +20975,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -553,21 +598,36 @@
+@@ -553,21 +599,36 @@
userdom_use_user_terminals(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
@@ -21009,7 +21015,7 @@
append_files_pattern(swat_t, samba_log_t, samba_log_t)
-@@ -585,6 +645,9 @@
+@@ -585,6 +646,9 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -21019,7 +21025,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -609,15 +672,18 @@
+@@ -609,15 +673,18 @@
dev_read_urand(swat_t)
@@ -21038,7 +21044,7 @@
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -635,6 +701,17 @@
+@@ -635,6 +702,17 @@
kerberos_use(swat_t)
')
@@ -21056,7 +21062,7 @@
########################################
#
# Winbind local policy
-@@ -642,7 +719,7 @@
+@@ -642,7 +720,7 @@
allow winbind_t self:capability { dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
@@ -21065,7 +21071,7 @@
allow winbind_t self:fifo_file rw_fifo_file_perms;
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +760,10 @@
+@@ -683,9 +761,10 @@
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@@ -21078,7 +21084,7 @@
corenet_all_recvfrom_unlabeled(winbind_t)
corenet_all_recvfrom_netlabel(winbind_t)
-@@ -709,10 +787,12 @@
+@@ -709,10 +788,12 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -21091,7 +21097,7 @@
logging_send_syslog_msg(winbind_t)
-@@ -768,8 +848,13 @@
+@@ -768,8 +849,13 @@
userdom_use_user_terminals(winbind_helper_t)
optional_policy(`
@@ -21105,7 +21111,7 @@
')
########################################
-@@ -778,6 +863,16 @@
+@@ -778,6 +864,16 @@
#
optional_policy(`
@@ -21122,7 +21128,7 @@
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -788,9 +883,43 @@
+@@ -788,9 +884,43 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -24450,7 +24456,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-27 08:35:28.000000000 -0400
@@ -34,6 +34,13 @@
## <desc>
@@ -24946,7 +24952,14 @@
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -622,7 +746,7 @@
+@@ -616,13 +740,14 @@
+ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
+
+ allow xserver_t { rootwindow_t x_domain }:x_drawable send;
++allow xserver_t x_domain:shm rw_shm_perms;
+
+ manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+ manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
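Review bot: `allow xserver_t x_domain:shm rw_shm_perms;` grants the X server read/write on SysV shared-memory segments of every domain carrying the `x_domain` attribute, i.e. all X clients, with no comment explaining the need. It reads like support for a shared-memory X extension where the client creates the segment and the server attaches to it, but the hunk does not say so; a comment such as `# X clients hand the server SysV shm segments (shared-memory extension); the segment carries the client's type` would record the intent. Because `x_domain` is an attribute, the grant widens automatically whenever a new client domain is added, which is worth stating in the same comment. The xserver_t section starts before and ends after this hunk.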
@@ -24955,7 +24968,7 @@
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +759,19 @@
+@@ -635,9 +760,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -24975,7 +24988,7 @@
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +814,14 @@
+@@ -680,9 +815,14 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -24990,7 +25003,7 @@
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +836,13 @@
+@@ -697,8 +837,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -25004,7 +25017,7 @@
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -720,6 +864,7 @@
+@@ -720,6 +865,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -25012,7 +25025,7 @@
modutils_domtrans_insmod(xserver_t)
-@@ -742,7 +887,7 @@
+@@ -742,7 +888,7 @@
')
ifdef(`enable_mls',`
@@ -25021,7 +25034,7 @@
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -774,12 +919,16 @@
+@@ -774,12 +920,16 @@
')
optional_policy(`
@@ -25039,7 +25052,7 @@
unconfined_domtrans(xserver_t)
')
-@@ -806,7 +955,7 @@
+@@ -806,7 +956,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -25048,7 +25061,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +976,14 @@
+@@ -827,9 +977,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -25063,7 +25076,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -844,11 +998,14 @@
+@@ -844,11 +999,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -25079,7 +25092,7 @@
')
optional_policy(`
-@@ -856,6 +1013,11 @@
+@@ -856,6 +1014,11 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -25091,7 +25104,7 @@
########################################
#
# Rules common to all X window domains
-@@ -881,6 +1043,8 @@
+@@ -881,6 +1044,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -25100,7 +25113,7 @@
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1069,8 @@
+@@ -905,6 +1070,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25109,7 +25122,7 @@
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1138,49 @@
+@@ -972,17 +1139,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -29642,7 +29655,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-23 23:55:27.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-27 08:32:47.000000000 -0400
@@ -30,8 +30,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.842
retrieving revision 1.843
diff -u -r1.842 -r1.843
--- selinux-policy.spec 24 Apr 2009 19:28:42 -0000 1.842
+++ selinux-policy.spec 27 Apr 2009 14:45:52 -0000 1.843
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 19%{?dist}
+Release: 20%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,11 @@
%endif
%changelog
+* Mon Apr 27 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-20
+- Fix labeling on /var/lib/misc/prelink*
+- Allow xserver to rw_shm_perms with all x_clients
+- Allow prelink to execute files in the users home directory
+
* Fri Apr 24 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-19
- Allow initrc_t to delete dev_null
- Allow readahead to configure auditing