rpms/selinux-policy/devel policy-20090105.patch, 1.44, 1.45 selinux-policy.spec, 1.793, 1.794

Daniel J Walsh dwalsh at fedoraproject.org
Wed Feb 18 14:27:37 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13248

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Tue Feb 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.6-4
- Allow rpcd_t to send signal to mount_t
- Allow libvirtd to run ranged


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- policy-20090105.patch	17 Feb 2009 16:21:41 -0000	1.44
+++ policy-20090105.patch	18 Feb 2009 14:27:36 -0000	1.45
@@ -3551,17 +3551,17 @@
  dbus_system_bus_client(podsleuth_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.6/policy/modules/apps/qemu.fc
 --- nsaserefpolicy/policy/modules/apps/qemu.fc	2008-08-07 11:15:02.000000000 -0400
-+++ serefpolicy-3.6.6/policy/modules/apps/qemu.fc	2009-02-16 13:18:06.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/apps/qemu.fc	2009-02-17 15:43:19.000000000 -0500
 @@ -1,2 +1,6 @@
  /usr/bin/qemu	--	gen_context(system_u:object_r:qemu_exec_t,s0)
  /usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
 +
-+/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0)
++/var/cache/libvirt(/.*)?	gen_context(system_u:object_r:qemu_cache_t,s0)
 +
-+/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0)
++/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.6/policy/modules/apps/qemu.if
 --- nsaserefpolicy/policy/modules/apps/qemu.if	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/apps/qemu.if	2009-02-16 13:18:06.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/apps/qemu.if	2009-02-17 17:18:08.000000000 -0500
 @@ -40,6 +40,93 @@
  
  	qemu_domtrans($1)
@@ -3748,7 +3748,7 @@
  ## </summary>
  ## <param name="domain">
  ## <summary>
-@@ -127,84 +290,73 @@
+@@ -127,84 +290,85 @@
  #
  template(`qemu_domain_template',`
  
@@ -3773,6 +3773,9 @@
 -	#
 +	type $1_tmpfs_t;
 +	files_tmpfs_file($1_tmpfs_t)
++
++	type $1_image_t;
++	virt_image($1_image_t)
  
 -	allow $1_t self:capability { dac_read_search dac_override };
 -	allow $1_t self:process { execstack execmem signal getsched };
@@ -3780,8 +3783,8 @@
 -	allow $1_t self:shm create_shm_perms;
 -	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
-+	type $1_image_t;
-+	virt_image($1_image_t)
++	allow $1_t self:capability kill;
++	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
 +
 +	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
 +	manage_files_pattern($1_t, $1_image_t, $1_image_t)
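Review bot: The added `allow $1_t self:capability kill;` in `qemu_domain_template` gives CAP_KILL to every domain the template instantiates, and neither a comment nor the changelog says which denial it answers. The changelog for 3.6.6-4 lists only the rpcd_t signal rule and the ranged libvirtd change. The same gap applies to `netutils_run_ping(staff_t, staff_r)` in the staff.te hunk and to the `userdom_*` lines added further down in this template. I would put a line above the rule such as `# CAP_KILL: qemu signals a process owned by another uid (record the AVC here)` and add matching changelog entries. The template body starts and ends outside this hunk.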
@@ -3790,6 +3793,7 @@
  
  	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
  	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++	manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
  	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
  
 -	kernel_read_system_state($1_t)
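Review bot: The new `manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)` is not matched by the type transition on the following line, which still lists only `{ file dir }`. A symlink the domain creates directly in the tmp directory would therefore keep the directory's type instead of becoming `$1_tmp_t`, and the new rule would not cover it. The tmpfs rules later in the same template use `{ dir file lnk_file }`. If top-level symlinks are expected, the transition should read `files_tmp_filetrans($1_t, $1_tmp_t, { file dir lnk_file })`.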
@@ -3820,6 +3824,10 @@
 +	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 +	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
 +	fs_getattr_tmpfs($1_t)
++
++	userdom_read_user_tmpfs_files($1_t)
++	userdom_signull_unpriv_users($1_t)
++	userdom_admin_home_dir_filetrans($1_t, $1_tmp_t, {file dir })
  
 -	storage_raw_write_removable_device($1_t)
 -	storage_raw_read_removable_device($1_t)
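Review bot: `userdom_admin_home_dir_filetrans($1_t, $1_tmp_t, {file dir })` makes everything a qemu domain creates in the admin home directory carry the domain's temporary-file type, and no comment says which files those are. Labelling home-directory content as `$1_tmp_t` means any rule written for scratch files also reaches it. A one-line comment naming what qemu writes there would help, or a dedicated type if the data is persistent. The brace spacing also differs from the rest of the template; `{ file dir }` matches the `files_tmp_filetrans` line above.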
@@ -3831,11 +3839,14 @@
 -	miscfiles_read_localization($1_t)
 -
 -	sysnet_read_config($1_t)
--
--	userdom_use_user_terminals($1_t)
 +	optional_policy(`
 +		xserver_common_x_domain_template(user, $1_t)
 +	')
+ 
+-	userdom_use_user_terminals($1_t)
++	optional_policy(`
++		dbus_system_bus_client($1_t)
++	')
 +')
  
 -#	optional_policy(`
@@ -3887,7 +3898,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.6/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/apps/qemu.te	2009-02-16 13:18:06.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/apps/qemu.te	2009-02-17 16:14:43.000000000 -0500
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -7271,8 +7282,8 @@
 -')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.6/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/roles/staff.te	2009-02-16 13:18:06.000000000 -0500
-@@ -15,156 +15,87 @@
++++ serefpolicy-3.6.6/policy/modules/roles/staff.te	2009-02-17 13:42:06.000000000 -0500
+@@ -15,156 +15,88 @@
  # Local policy
  #
  
@@ -7354,6 +7365,7 @@
 -	mozilla_role(staff_r, staff_t)
 -')
 +seutil_run_newrole(staff_t, staff_r)
++netutils_run_ping(staff_t, staff_r)
  
  optional_policy(`
 -	mplayer_role(staff_r, staff_t)
@@ -9049,7 +9061,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.6/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/apache.te	2009-02-16 13:18:06.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/services/apache.te	2009-02-17 16:09:12.000000000 -0500
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -11575,7 +11587,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.6/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/cups.te	2009-02-16 13:18:06.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/services/cups.te	2009-02-17 15:28:51.000000000 -0500
 @@ -20,9 +20,18 @@
  type cupsd_etc_t;
  files_config_file(cupsd_etc_t)
@@ -12028,7 +12040,7 @@
  /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.6/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/dbus.if	2009-02-16 13:18:06.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/services/dbus.if	2009-02-17 16:08:31.000000000 -0500
 @@ -44,6 +44,7 @@
  
  		attribute session_bus_type;
@@ -18513,7 +18525,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.6/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/postfix.te	2009-02-17 08:27:34.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/services/postfix.te	2009-02-17 12:58:06.000000000 -0500
 @@ -6,6 +6,15 @@
  # Declarations
  #
@@ -18829,7 +18841,7 @@
  	mailman_read_data_files(postfix_smtpd_t)
  ')
  
-@@ -572,12 +666,13 @@
+@@ -572,15 +666,21 @@
  files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
  
  # connect to master process
@@ -18844,6 +18856,14 @@
  
  mta_read_aliases(postfix_virtual_t)
  mta_delete_spool(postfix_virtual_t)
+ # For reading spamassasin
+ mta_read_config(postfix_virtual_t)
+ mta_manage_spool(postfix_virtual_t)
++
++userdom_manage_user_home_dirs(postfix_virtual_t)
++userdom_manage_user_home_content(postfix_virtual_t)
++userdom_home_filetrans_user_home_dir(postfix_virtual_t)
++userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.6/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2008-08-14 13:08:27.000000000 -0400
 +++ serefpolicy-3.6.6/policy/modules/services/postgresql.fc	2009-02-16 13:18:06.000000000 -0500
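Review bot: The four `userdom_*` lines added for `postfix_virtual_t` give the virtual delivery agent unconditional manage access to user home directories and all user home content. Delivery presumably needs only the mailbox location, so this is much wider than the `mta_manage_spool` grant just above it, and a fault in the delivery agent would then reach every file labelled as user home content. Consider gating the lines behind a boolean or limiting them to a mail-specific type. A comment such as `# virtual mailboxes may live under user home directories` would record why they are needed. `{file dir }` should be spaced as `{ file dir }` to match the rest of the file.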
@@ -20479,7 +20499,7 @@
  /usr/sbin/rpc\.nfsd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.6/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/rpc.if	2009-02-16 13:18:06.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/services/rpc.if	2009-02-17 11:57:20.000000000 -0500
 @@ -88,8 +88,11 @@
  	# bind to arbitary unused ports
  	corenet_tcp_bind_generic_port($1_t)
@@ -20493,7 +20513,7 @@
  
  	fs_rw_rpc_named_pipes($1_t) 
  	fs_search_auto_mountpoints($1_t)
-@@ -205,6 +208,24 @@
+@@ -205,6 +208,25 @@
  
  ########################################
  ## <summary>
@@ -20511,6 +20531,7 @@
 +	')
 +
 +	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
++	allow rpcd_t $1:process signal;
 +')
 +
 +########################################
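Review bot: `allow rpcd_t $1:process signal;` is placed inside the domain-transition interface, so rpcd_t may signal every domain that calls this interface, while the changelog names only mount_t. If mount is the only caller that needs it, a separate interface called from the mount policy keeps the grant narrow. Otherwise the interface's `<summary>` should state that callers also accept signals from rpcd_t. The interface header and its `gen_require` block lie outside this hunk, so whether `rpcd_t` is declared there cannot be confirmed from here.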
@@ -20518,7 +20539,7 @@
  ##	Read NFS exported content.
  ## </summary>
  ## <param name="domain">
-@@ -335,3 +356,22 @@
+@@ -335,3 +357,22 @@
  	files_search_var_lib($1)
  	read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
  ')
@@ -23273,7 +23294,7 @@
  ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.6/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/virt.te	2009-02-16 13:18:06.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/services/virt.te	2009-02-17 15:29:03.000000000 -0500
 @@ -32,6 +32,10 @@
  type virt_image_t, virt_image_type; # customizable
  virt_image(virt_image_t)
@@ -23285,7 +23306,20 @@
  type virt_log_t;
  logging_log_file(virt_log_t)
  
-@@ -53,7 +57,7 @@
+@@ -48,12 +52,20 @@
+ type virtd_initrc_exec_t;
+ init_script_file(virtd_initrc_exec_t)
+ 
++ifdef(`enable_mcs',`
++	init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mcs_systemhigh)
++')
++
++ifdef(`enable_mls',`
++	init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mls_systemhigh)
++')
++
+ ########################################
+ #
  # virtd local policy
  #
  
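Review bot: The two `init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - ...)` calls start libvirtd with a range up to systemhigh, but nothing next to them explains why the daemon needs every category or level. If the reason is that libvirtd must launch guests at arbitrary levels, a comment above the `ifdef` blocks such as `# libvirtd runs ranged so it can start guests at any level` would make the grant reviewable. The argument list is also missing a space after the comma; `virtd_exec_t, s0 - mcs_systemhigh` matches the usual style.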
@@ -23294,7 +23328,7 @@
  allow virtd_t self:process { getsched sigkill signal execmem };
  allow virtd_t self:fifo_file rw_file_perms;
  allow virtd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -69,6 +73,9 @@
+@@ -69,6 +81,9 @@
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  
@@ -23304,7 +23338,7 @@
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-@@ -96,7 +103,7 @@
+@@ -96,7 +111,7 @@
  corenet_tcp_sendrecv_generic_node(virtd_t)
  corenet_tcp_sendrecv_all_ports(virtd_t)
  corenet_tcp_bind_generic_node(virtd_t)
@@ -23313,7 +23347,7 @@
  corenet_tcp_bind_vnc_port(virtd_t)
  corenet_tcp_connect_vnc_port(virtd_t)
  corenet_tcp_connect_soundd_port(virtd_t)
-@@ -110,11 +117,13 @@
+@@ -110,11 +125,13 @@
  
  files_read_usr_files(virtd_t)
  files_read_etc_files(virtd_t)
@@ -23327,7 +23361,7 @@
  
  storage_raw_write_removable_device(virtd_t)
  storage_raw_read_removable_device(virtd_t)
-@@ -129,7 +138,11 @@
+@@ -129,7 +146,11 @@
  
  logging_send_syslog_msg(virtd_t)
  
@@ -23339,7 +23373,7 @@
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -173,16 +186,17 @@
+@@ -173,16 +194,17 @@
  	iptables_domtrans(virtd_t)
  ')
  
@@ -29287,7 +29321,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.6/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/system/userdomain.if	2009-02-16 17:24:41.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/system/userdomain.if	2009-02-17 17:06:13.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -30753,7 +30787,32 @@
  interface(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type user_tmpfs_t;
-@@ -2814,7 +3043,43 @@
+@@ -2709,6 +2938,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Send signull to unprivileged user domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_signull_unpriv_users',`
++	gen_require(`
++		attribute unpriv_userdomain;
++	')
++
++	allow $1 unpriv_userdomain:process signull;
++')
++
++########################################
++## <summary>
+ ##	Inherit the file descriptors from unprivileged user domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -2814,7 +3061,43 @@
  		type user_tmp_t;
  	')
  
@@ -30798,7 +30857,7 @@
  ')
  
  ########################################
-@@ -2851,6 +3116,7 @@
+@@ -2851,6 +3134,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -30806,7 +30865,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -2965,6 +3231,24 @@
+@@ -2965,6 +3249,24 @@
  
  ########################################
  ## <summary>
@@ -30831,7 +30890,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3265,313 @@
+@@ -2981,3 +3283,313 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.793
retrieving revision 1.794
diff -u -r1.793 -r1.794
--- selinux-policy.spec	17 Feb 2009 16:21:42 -0000	1.793
+++ selinux-policy.spec	18 Feb 2009 14:27:36 -0000	1.794
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.6
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,10 @@
 %endif
 
 %changelog
+* Tue Feb 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.6-4
+- Allow rpcd_t to send signal to mount_t
+- Allow libvirtd to run ranged
+
 * Tue Feb 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.6-3
 - Fix sysnet/net_conf_t
 



