rpms/selinux-policy/F-11 policy-20090105.patch, 1.108, 1.109 selinux-policy.spec, 1.845, 1.846
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Apr 28 15:49:49 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9006
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Tue Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-23
- Fix uml files to be owned by users
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.108
retrieving revision 1.109
diff -u -p -r1.108 -r1.109
--- policy-20090105.patch 27 Apr 2009 18:57:23 -0000 1.108
+++ policy-20090105.patch 28 Apr 2009 15:49:48 -0000 1.109
@@ -360,7 +360,7 @@ diff -b -B --ignore-all-space --exclude-
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.12/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.12/policy/global_tunables 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/global_tunables 2009-04-28 11:36:39.000000000 -0400
@@ -61,15 +61,6 @@
## <desc>
@@ -377,7 +377,7 @@ diff -b -B --ignore-all-space --exclude-
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
-@@ -111,3 +102,12 @@
+@@ -111,3 +102,18 @@
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
@@ -389,6 +389,12 @@ diff -b -B --ignore-all-space --exclude-
+## </desc>
+gen_tunable(allow_console_login,false)
+
++## <desc>
++## <p>
++## Allow unconfined domain to map low memory in the kernel
++## </p>
++## </desc>
++gen_tunable(allow_unconfined_mmap_low, false)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
--- nsaserefpolicy/policy/mcs 2009-02-03 22:50:50.000000000 -0500
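Review bot: The `<desc>` for `allow_unconfined_mmap_low`, now placed in `global_tunables`, says what the boolean permits but not why it defaults to false. Low-address mappings are what the kernel's minimum-mmap-address protection exists to block, so enabling this removes a mitigation against kernel NULL pointer dereference bugs for every unconfined process. I would extend the description to something like `## Allow unconfined domain to map low memory in the kernel. Enabling this weakens protection against kernel NULL pointer dereference bugs.` The argument spacing also differs from the neighbouring `gen_tunable(allow_console_login,false)`.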
@@ -4459,6 +4465,26 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+permissive sambagui_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te
+--- nsaserefpolicy/policy/modules/apps/uml.te 2009-01-19 11:03:28.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/uml.te 2009-04-28 11:42:33.000000000 -0400
+@@ -16,14 +16,12 @@
+ type uml_ro_t;
+ typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
+ typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
+-files_type(uml_ro_t)
+-ubac_constrained(uml_ro_t)
++userdom_user_home_content(uml_ro_t)
+
+ type uml_rw_t;
+ typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
+ typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
+-files_type(uml_rw_t)
+-ubac_constrained(uml_rw_t)
++userdom_user_home_content(uml_rw_t)
+
+ type uml_tmp_t;
+ typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-01-19 11:03:28.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-04-23 09:44:57.000000000 -0400
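Review bot: Both `uml_ro_t` and `uml_rw_t` lose their explicit `ubac_constrained(...)` call, and nothing in this hunk shows that `userdom_user_home_content()` re-applies it. The interface definition is outside the hunk; if it also tags the type with a shared home-content attribute, every domain allowed to manage user home content would presumably gain the same access to `uml_ro_t`, which the name suggests was meant to be read-only. A comment above each call, e.g. `# user-owned home content; UBAC constraint is applied by userdom_user_home_content()`, would record that this was checked. The uml.te declarations continue past the end of the hunk.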
@@ -7402,8 +7428,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-24 00:00:31.000000000 -0400
-@@ -0,0 +1,400 @@
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-27 15:35:55.000000000 -0400
+@@ -0,0 +1,393 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -7428,13 +7454,6 @@ diff -b -B --ignore-all-space --exclude-
+
+## <desc>
+## <p>
-+## Allow unconfined domain to map low memory in the kernel
-+## </p>
-+## </desc>
-+gen_tunable(allow_unconfined_mmap_low, false)
-+
-+## <desc>
-+## <p>
+## Transition to confined qemu domains from unconfined user
+## </p>
+## </desc>
@@ -19356,6 +19375,52 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
mysql_search_db(httpd_prewikka_script_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te
+--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/privoxy.te 2009-04-28 11:40:52.000000000 -0400
+@@ -6,6 +6,14 @@
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow privoxy to connect to all ports, not just
++## HTTP, FTP, and Gopher ports.
++## </p>
++## </desc>
++gen_tunable(privoxy_connect_any, false)
++
+ type privoxy_t; # web_client_domain
+ type privoxy_exec_t;
+ init_daemon_domain(privoxy_t, privoxy_exec_t)
+@@ -72,21 +80,19 @@
+
+ logging_send_syslog_msg(privoxy_t)
+
+-miscfiles_read_localization(privoxy_t)
++auth_use_nsswitch(privoxy_t)
+
+-sysnet_dns_name_resolve(privoxy_t)
++miscfiles_read_localization(privoxy_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
+ userdom_dontaudit_search_user_home_dirs(privoxy_t)
+ # cjp: this should really not be needed
+ userdom_use_user_terminals(privoxy_t)
+
+-optional_policy(`
+- nis_use_ypbind(privoxy_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(privoxy_t)
++tunable_policy(`privoxy_connect_any',`
++ corenet_tcp_connect_all_ports(privoxy_t)
++ corenet_tcp_bind_all_ports(privoxy_t)
++ corenet_sendrecv_all_packets(privoxy_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.12/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/procmail.te 2009-04-23 09:44:57.000000000 -0400
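Review bot: The `privoxy_connect_any` tunable block grants more than its name and `<desc>` say: besides `corenet_tcp_connect_all_ports(privoxy_t)` it adds `corenet_tcp_bind_all_ports(privoxy_t)`, so turning on a boolean documented as "connect to all ports" also lets the proxy listen on any TCP port. If binding is not needed, drop that line; otherwise the description should read `## Allow privoxy to connect to and bind to all ports`. Separately, `auth_use_nsswitch(privoxy_t)` replaces the narrower `sysnet_dns_name_resolve`, `nis_use_ypbind` and `nscd_socket_use` calls and probably covers more than name resolution for this daemon, which deserves a why-comment. The final `optional_policy(` block continues outside the hunk.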
@@ -22219,7 +22284,7 @@ diff -b -B --ignore-all-space --exclude-
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/squid.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/squid.te 2009-04-28 11:39:57.000000000 -0400
@@ -118,6 +118,9 @@
fs_getattr_all_fs(squid_t)
@@ -29430,8 +29495,13 @@ diff -b -B --ignore-all-space --exclude-
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.12/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/unconfined.te 2009-04-23 09:44:57.000000000 -0400
-@@ -5,227 +5,6 @@
++++ serefpolicy-3.6.12/policy/modules/system/unconfined.te 2009-04-28 09:51:35.000000000 -0400
+@@ -1,231 +1,9 @@
+
+-policy_module(unconfined, 3.0.0)
++policy_module(unconfined, 3.0.1)
+
+ ########################################
#
# Declarations
#
@@ -29444,7 +29514,7 @@ diff -b -B --ignore-all-space --exclude-
-userdom_manage_home_role(unconfined_r, unconfined_t)
-userdom_manage_tmp_role(unconfined_r, unconfined_t)
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-
+-
-type unconfined_exec_t;
-init_system_domain(unconfined_t, unconfined_exec_t)
-
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.845
retrieving revision 1.846
diff -u -p -r1.845 -r1.846
--- selinux-policy.spec 28 Apr 2009 15:13:22 -0000 1.845
+++ selinux-policy.spec 28 Apr 2009 15:49:48 -0000 1.846
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 22%{?dist}
+Release: 23%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -314,7 +314,8 @@ SELinux Reference policy targeted base m
function get_unconfined() {
# We only want to upgrade unconfined.pp and unconfineduser if they are
# currently installed. If you have a version 3.0.0 or less of unconfined
-# installed, you will need to install both.
+# installed, you will need to install both, since unconfineduser did not exist
+# prior to this.
both="unconfined.pp.bz2 unconfineduser.pp.bz2"
packages=""
ctr=0
@@ -338,11 +339,11 @@ if [ $ctr -lt 2 -a "$version" != "" ]; t
packages=$both
else
if [ $f1 -eq 3 ]; then
- f2=`echo $version | cut -s -d. -f2`
- f3=`echo $version | cut -s -d. -f3`
- if [ \( -z "$f2" \) -o \( \( "$f2" -eq 0 \) -a \( -z "f3" -o "$f3" -eq 0 \) \) ]; then
- packages=$both
- fi
+ f2=`echo $version | cut -s -d. -f2`
+ f3=`echo $version | cut -s -d. -f3`
+ if [ \( -z "$f2" \) -o \( \( "$f2" -eq 0 \) -a \( -z "f3" -o "$f3" -eq 0 \) \) ]; then
+ packages=$both
+ fi
fi
fi
fi
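Review bot: The re-indented test still reads `-z "f3"`, a literal string that is never empty, so the "no third field" case is not actually tested. When `$f3` is empty the expression falls through to `"$f3" -eq 0`, which makes `[` fail with an integer-expression error and leaves `packages` unchanged, so a two-field version such as a hypothetical `3.0` would not pull in both modules. Writing it as `if [ -z "$f2" ] || { [ "$f2" -eq 0 ] && { [ -z "$f3" ] || [ "$f3" -eq 0 ]; }; }; then` fixes the typo and avoids the ambiguous `-o`/`-a` forms. The body of `get_unconfined` starts and ends outside this hunk.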
@@ -479,6 +480,9 @@ exit 0
%endif
%changelog
+* Tue Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-23
+- Fix uml files to be owned by users
+
* Tue Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-22
- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less