rpms/selinux-policy/devel policy-20090105.patch, 1.35, 1.36 selinux-policy.spec, 1.785, 1.786
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Feb 9 14:20:39 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16047
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Sun Feb 8 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-5
- Allow xdm to create user_tmp_t sockets for switch user to work
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- policy-20090105.patch 6 Feb 2009 17:48:28 -0000 1.35
+++ policy-20090105.patch 9 Feb 2009 14:20:38 -0000 1.36
@@ -1483,8 +1483,33 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.4/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/admin/usermanage.if 2009-02-03 22:57:29.000000000 -0500
-@@ -138,6 +138,7 @@
++++ serefpolicy-3.6.4/policy/modules/admin/usermanage.if 2009-02-07 07:19:49.000000000 -0500
+@@ -117,6 +117,24 @@
+
+ ########################################
+ ## <summary>
++## Send sigkills to passwd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`usermanage_passwd_sigkill',`
++ gen_require(`
++ type passwd_t;
++ ')
++
++ allow $1 passwd_t:process sigkill;
++')
++
++########################################
++## <summary>
+ ## Execute passwd in the passwd domain, and
+ ## allow the specified role the passwd domain.
+ ## </summary>
+@@ -138,6 +156,7 @@
usermanage_domtrans_passwd($1)
role $2 types passwd_t;
@@ -4634,7 +4659,7 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.4/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/kernel/devices.if 2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/kernel/devices.if 2009-02-09 09:03:10.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1, device_t, device_node)
@@ -5410,7 +5435,7 @@
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.4/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/kernel/files.if 2009-02-04 10:53:13.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/kernel/files.if 2009-02-09 09:04:21.000000000 -0500
@@ -110,6 +110,11 @@
## </param>
#
@@ -8851,7 +8876,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-06 16:08:00.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -9072,8 +9097,7 @@
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
- tunable_policy(`allow_httpd_mod_auth_pam',`
-- auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`allow_httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+')
+
@@ -9084,7 +9108,8 @@
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
+ samba_domtrans_winbind_helper(httpd_t)
')
')
@@ -9358,20 +9383,7 @@
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -655,6 +809,12 @@
- fs_exec_nfs_files(httpd_suexec_t)
- ')
-
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_files(httpd_suexec_t)
-+ fs_manage_cifs_symlinks(httpd_suexec_t)
-+ fs_exec_cifs_files(httpd_suexec_t)
-+')
-+
- tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(httpd_suexec_t)
- fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -672,15 +832,14 @@
+@@ -672,15 +826,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -9390,7 +9402,7 @@
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +858,24 @@
+@@ -699,12 +852,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -9408,16 +9420,16 @@
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
-+')
++ fs_exec_nfs_files(httpd_sys_script_t)
+
-+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
++ fs_exec_nfs_files(httpd_suexec_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +883,35 @@
+@@ -712,6 +877,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -9447,13 +9459,13 @@
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
++ fs_exec_cifs_files(httpd_suexec_t)
+')
+
-+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +924,10 @@
+@@ -724,6 +918,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -9464,7 +9476,7 @@
')
optional_policy(`
-@@ -735,6 +939,8 @@
+@@ -735,6 +933,8 @@
# httpd_rotatelogs local policy
#
@@ -9473,7 +9485,7 @@
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +960,12 @@
+@@ -754,6 +954,12 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -9486,7 +9498,7 @@
')
# allow accessing files/dirs below the users home dir
-@@ -762,3 +974,66 @@
+@@ -762,3 +968,66 @@
userdom_search_user_home_dirs(httpd_suexec_t)
userdom_search_user_home_dirs(httpd_user_script_t)
')
@@ -20074,7 +20086,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.4/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-09 09:05:45.000000000 -0500
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
@@ -20100,15 +20112,27 @@
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -135,6 +137,7 @@
+@@ -135,11 +137,19 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
+ userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
++ dev_getattr_all_blk_files(nfsd_t)
++ dev_getattr_all_chr_files(nfsd_t)
')
tunable_policy(`nfs_export_all_ro',`
-@@ -170,6 +173,7 @@
+ fs_read_noxattr_fs_files(nfsd_t)
++ auth_read_all_dirs_except_shadow(nfsd_t)
+ auth_read_all_files_except_shadow(nfsd_t)
++ files_getattr_all_pipes(nfsd_t)
++ files_getattr_all_sockets(nfsd_t)
++ dev_getattr_all_blk_files(nfsd_t)
++ dev_getattr_all_chr_files(nfsd_t)
+ ')
+
+ ########################################
+@@ -170,6 +180,7 @@
files_read_usr_symlinks(gssd_t)
auth_use_nsswitch(gssd_t)
@@ -20116,7 +20140,7 @@
miscfiles_read_certs(gssd_t)
-@@ -180,8 +184,7 @@
+@@ -180,8 +191,7 @@
')
optional_policy(`
@@ -20582,7 +20606,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.4/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-07 07:19:23.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -20736,7 +20760,13 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -338,20 +365,27 @@
+@@ -333,25 +360,33 @@
+
+ tunable_policy(`samba_domain_controller',`
+ usermanage_domtrans_passwd(smbd_t)
++ usermanage_passwd_sigkill(smbd_t)
+ usermanage_domtrans_useradd(smbd_t)
+ usermanage_domtrans_groupadd(smbd_t)
')
tunable_policy(`samba_enable_home_dirs',`
@@ -20770,7 +20800,7 @@
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
-@@ -359,6 +393,16 @@
+@@ -359,6 +394,16 @@
optional_policy(`
kerberos_use(smbd_t)
@@ -20787,7 +20817,7 @@
')
optional_policy(`
-@@ -381,8 +425,10 @@
+@@ -381,8 +426,10 @@
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
@@ -20798,7 +20828,7 @@
auth_read_all_files_except_shadow(nmbd_t)
')
-@@ -454,6 +500,7 @@
+@@ -454,6 +501,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -20806,7 +20836,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -553,19 +600,33 @@
+@@ -553,19 +601,33 @@
userdom_use_user_terminals(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
@@ -20843,7 +20873,7 @@
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-@@ -585,6 +646,9 @@
+@@ -585,6 +647,9 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -20853,7 +20883,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -609,15 +673,18 @@
+@@ -609,15 +674,18 @@
dev_read_urand(swat_t)
@@ -20872,7 +20902,7 @@
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -635,6 +702,17 @@
+@@ -635,6 +703,17 @@
kerberos_use(swat_t)
')
@@ -20890,7 +20920,7 @@
########################################
#
# Winbind local policy
-@@ -642,7 +720,7 @@
+@@ -642,7 +721,7 @@
allow winbind_t self:capability { dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
@@ -20899,7 +20929,7 @@
allow winbind_t self:fifo_file rw_fifo_file_perms;
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +761,10 @@
+@@ -683,9 +762,10 @@
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@@ -20912,7 +20942,7 @@
corenet_all_recvfrom_unlabeled(winbind_t)
corenet_all_recvfrom_netlabel(winbind_t)
-@@ -709,10 +788,12 @@
+@@ -709,10 +789,12 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -20925,7 +20955,7 @@
logging_send_syslog_msg(winbind_t)
-@@ -768,8 +849,13 @@
+@@ -768,8 +850,13 @@
userdom_use_user_terminals(winbind_helper_t)
optional_policy(`
@@ -20939,7 +20969,7 @@
')
########################################
-@@ -778,6 +864,16 @@
+@@ -778,6 +865,16 @@
#
optional_policy(`
@@ -20956,7 +20986,7 @@
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -788,9 +884,43 @@
+@@ -788,9 +885,43 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -23547,7 +23577,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.4/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-05 18:20:04.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-08 17:11:40.000000000 -0500
@@ -34,6 +34,13 @@
## <desc>
@@ -23903,7 +23933,7 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
-+userdom_write_user_tmp_files(xdm_t)
++userdom_manage_user_tmp_sockets(xdm_t)
xserver_rw_session(xdm_t,xdm_tmpfs_t)
xserver_unconfined(xdm_t)
@@ -24394,7 +24424,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.4/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/authlogin.if 2009-02-04 10:32:13.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/system/authlogin.if 2009-02-07 07:22:59.000000000 -0500
@@ -43,20 +43,38 @@
interface(`auth_login_pgm_domain',`
gen_require(`
@@ -24509,11 +24539,11 @@
- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
-
- optional_policy(`
+- optional_policy(`
- kerberos_use($1)
- ')
-
-- optional_policy(`
+ optional_policy(`
- nis_use_ypbind($1)
+ kerberos_read_keytab($1)
+ kerberos_connect_524($1)
@@ -24600,10 +24630,14 @@
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
-@@ -1297,6 +1395,10 @@
+@@ -1297,6 +1395,14 @@
')
optional_policy(`
++ ldap_stream_connect($1)
++ ')
++
++ optional_policy(`
+ kerberos_use($1)
+ ')
+
@@ -24611,7 +24645,7 @@
nis_use_ypbind($1)
')
-@@ -1307,6 +1409,7 @@
+@@ -1307,6 +1413,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
@@ -24619,7 +24653,7 @@
')
')
-@@ -1341,3 +1444,99 @@
+@@ -1341,3 +1448,99 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -25561,7 +25595,7 @@
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.4/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/libraries.fc 2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/system/libraries.fc 2009-02-09 08:38:58.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -25599,7 +25633,7 @@
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -115,9 +120,17 @@
+@@ -115,24 +120,34 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -25617,7 +25651,10 @@
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -127,12 +140,14 @@
+ /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -28621,7 +28658,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-05 18:26:44.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-08 17:11:31.000000000 -0500
@@ -30,8 +30,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.785
retrieving revision 1.786
diff -u -r1.785 -r1.786
--- selinux-policy.spec 6 Feb 2009 17:48:29 -0000 1.785
+++ selinux-policy.spec 9 Feb 2009 14:20:38 -0000 1.786
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.4
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
%endif
%changelog
+* Sun Feb 8 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-5
+- Allow xdm to create user_tmp_t sockets for switch user to work
+
* Thu Feb 5 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-4
- Fix staff_t domain
More information about the fedora-extras-commits
mailing list