rpms/selinux-policy/devel policy-20090105.patch, 1.102, 1.103 selinux-policy.spec, 1.839, 1.840

Daniel J Walsh dwalsh at fedoraproject.org
Tue Apr 28 15:49:43 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8973

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Tue Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-23
- Fix uml files to be owned by users


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.102
retrieving revision 1.103
diff -u -p -r1.102 -r1.103
--- policy-20090105.patch	28 Apr 2009 15:13:35 -0000	1.102
+++ policy-20090105.patch	28 Apr 2009 15:49:42 -0000	1.103
@@ -358,24 +358,9 @@ diff -b -B --ignore-all-space --exclude-
  .SH BOOLEANS
  .TP
  You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-3.6.12/policy/global_booleans
---- nsaserefpolicy/policy/global_booleans	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.12/policy/global_booleans	2009-04-28 09:51:52.000000000 -0400
-@@ -28,3 +28,11 @@
- ## </p>
- ## </desc>
- gen_bool(secure_mode_policyload,false)
-+
-+## <desc>
-+## <p>
-+## Allow unconfined domain to map low memory in the kernel
-+## </p>
-+## </desc>
-+gen_tunable(allow_unconfined_mmap_low, false)
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.12/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.12/policy/global_tunables	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/global_tunables	2009-04-28 11:36:39.000000000 -0400
 @@ -61,15 +61,6 @@
  
  ## <desc>
@@ -392,7 +377,7 @@ diff -b -B --ignore-all-space --exclude-
  ## Allow any files/directories to be exported read/write via NFS.
  ## </p>
  ## </desc>
-@@ -111,3 +102,12 @@
+@@ -111,3 +102,18 @@
  ## </p>
  ## </desc>
  gen_tunable(user_tcp_server,false)
@@ -404,6 +389,12 @@ diff -b -B --ignore-all-space --exclude-
 +## </desc>
 +gen_tunable(allow_console_login,false)
 +
++## <desc>
++## <p>
++## Allow unconfined domain to map low memory in the kernel
++## </p>
++## </desc>
++gen_tunable(allow_unconfined_mmap_low, false)
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
 --- nsaserefpolicy/policy/mcs	2009-02-03 22:50:50.000000000 -0500
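Review bot: The `<desc>` for `allow_unconfined_mmap_low` does not tell an administrator what protection is given up when the tunable is switched on. Restricting low-address mappings is a mitigation for kernel NULL pointer dereference bugs, so I would add a line such as `## Enabling this weakens protection against kernel NULL pointer dereference bugs; leave it off unless an application needs it.` The rules that consume the tunable are not visible here, so check the wording against them. "in the kernel" probably means the low end of the process address space and is worth rewording too.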
@@ -4474,6 +4465,26 @@ diff -b -B --ignore-all-space --exclude-
 +')
 +
 +permissive sambagui_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te
+--- nsaserefpolicy/policy/modules/apps/uml.te	2009-01-19 11:03:28.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/uml.te	2009-04-28 11:42:33.000000000 -0400
+@@ -16,14 +16,12 @@
+ type uml_ro_t;
+ typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
+ typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
+-files_type(uml_ro_t)
+-ubac_constrained(uml_ro_t)
++userdom_user_home_content(uml_ro_t)
+ 
+ type uml_rw_t;
+ typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
+ typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
+-files_type(uml_rw_t)
+-ubac_constrained(uml_rw_t)
++userdom_user_home_content(uml_rw_t)
+ 
+ type uml_tmp_t;
+ typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2009-01-19 11:03:28.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/vmware.te	2009-04-23 09:44:57.000000000 -0400
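Review bot: `userdom_user_home_content(uml_ro_t)` gives the type whose name says read-only the same treatment as `uml_rw_t`, and nothing in the hunk explains why. The interface definition is not on this page, but if it attaches the generic user home content attribute, any domain allowed to manage user home content would presumably gain write access to `uml_ro_t` files as well. Confirm that this is intended and record it above the call, e.g. `# uml_ro_t is user home content so users own these files; write access then follows the generic home content rules`. The `uml_tmp_t` declaration continues outside the hunk.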
@@ -19364,6 +19375,52 @@ diff -b -B --ignore-all-space --exclude-
  
  	optional_policy(`
  		mysql_search_db(httpd_prewikka_script_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te
+--- nsaserefpolicy/policy/modules/services/privoxy.te	2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/privoxy.te	2009-04-28 11:40:52.000000000 -0400
+@@ -6,6 +6,14 @@
+ # Declarations
+ #
+ 
++## <desc>
++## <p>
++## Allow privoxy to connect to all ports, not just
++## HTTP, FTP, and Gopher ports.
++## </p>
++## </desc>
++gen_tunable(privoxy_connect_any, false)
++
+ type privoxy_t; # web_client_domain
+ type privoxy_exec_t;
+ init_daemon_domain(privoxy_t, privoxy_exec_t)
+@@ -72,21 +80,19 @@
+ 
+ logging_send_syslog_msg(privoxy_t)
+ 
+-miscfiles_read_localization(privoxy_t)
++auth_use_nsswitch(privoxy_t)
+ 
+-sysnet_dns_name_resolve(privoxy_t)
++miscfiles_read_localization(privoxy_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
+ userdom_dontaudit_search_user_home_dirs(privoxy_t)
+ # cjp: this should really not be needed
+ userdom_use_user_terminals(privoxy_t)
+ 
+-optional_policy(`
+-	nis_use_ypbind(privoxy_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(privoxy_t)
++tunable_policy(`privoxy_connect_any',`
++	corenet_tcp_connect_all_ports(privoxy_t)
++	corenet_tcp_bind_all_ports(privoxy_t)
++	corenet_sendrecv_all_packets(privoxy_t)
+ ')
+ 
+ optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.12/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/procmail.te	2009-04-23 09:44:57.000000000 -0400
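Review bot: The `privoxy_connect_any` block grants `corenet_tcp_bind_all_ports(privoxy_t)`, which is more than the tunable's name and `<desc>` ("connect to all ports") announce. Outbound connections to arbitrary ports do not require the right to listen on arbitrary ports, so I would drop that line, or state in the description that binding is included if it really is needed. `corenet_sendrecv_all_packets(privoxy_t)` also covers both directions and deserves the same check. The new tunable is not mentioned in the log message or the %changelog entry, which name only the uml fix. The trailing `optional_policy(` block continues outside the hunk.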
@@ -22227,7 +22284,7 @@ diff -b -B --ignore-all-space --exclude-
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/squid.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/squid.te	2009-04-28 11:39:57.000000000 -0400
 @@ -118,6 +118,9 @@
  
  fs_getattr_all_fs(squid_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.839
retrieving revision 1.840
diff -u -p -r1.839 -r1.840
--- selinux-policy.spec	28 Apr 2009 15:13:35 -0000	1.839
+++ selinux-policy.spec	28 Apr 2009 15:49:42 -0000	1.840
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -480,6 +480,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-23
+- Fix uml files to be owned by users
+
 * Tue Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-22
 - Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less
 



