rpms/selinux-policy/F-11 policy-20090521.patch, 1.28, 1.29 selinux-policy.spec, 1.884, 1.885
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jul 8 19:31:18 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9125
Modified Files:
policy-20090521.patch selinux-policy.spec
Log Message:
- Fixes for xguest
policy-20090521.patch:
Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -p -r1.28 -r1.29
--- policy-20090521.patch 7 Jul 2009 07:55:53 -0000 1.28
+++ policy-20090521.patch 8 Jul 2009 19:31:17 -0000 1.29
@@ -1,12 +1,12 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
--- nsaserefpolicy/policy/mcs 2009-06-25 10:19:43.000000000 +0200
-+++ serefpolicy-3.6.12/policy/mcs 2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/mcs 2009-07-08 21:09:33.000000000 +0200
@@ -66,7 +66,7 @@
#
# Note that getattr on files is always permitted.
#
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
-+mlsconstrain { file chr_file blk_file sock_file lnk_file fifo_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
++mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
(( h1 dom h2 ) or ( t1 == mlsfilewrite ));
mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
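Review bot: The new `mlsconstrain` line drops `sock_file` and `fifo_file` from the class set, so writes, setattr, unlink and the other listed operations on sockets and named pipes are no longer subject to the `( h1 dom h2 ) or ( t1 == mlsfilewrite )` check that the previous revision of the patch applied to them. That is a relaxation of the MCS write constraint, and the commit message ("Fixes for xguest") does not mention it. If it is intentional, the patch should carry a comment above the constraint explaining which denials it addresses, e.g. `# sock_file/fifo_file excluded: <reason from the bug/AVC this fixes>`; otherwise the two classes should stay in the set.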
@@ -628,8 +628,27 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-06-25 10:19:43.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if 2009-06-26 15:48:23.000000000 +0200
-@@ -64,6 +64,7 @@
++++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if 2009-07-08 21:12:05.000000000 +0200
+@@ -45,6 +45,18 @@
+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
++
++ mozilla_dbus_chat($2)
++
++ userdom_manage_tmp_role($1, mozilla_t)
++
++ optional_policy(`
++ nsplugin_role($1, mozilla_t)
++ ')
++
++ optional_policy(`
++ pulseaudio_role($1, mozilla_t)
++ ')
+ ')
+
+ ########################################
+@@ -64,6 +76,7 @@
allow $1 mozilla_home_t:dir list_dir_perms;
allow $1 mozilla_home_t:file read_file_perms;
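Review bot: The `mozilla_dbus_chat($2)`, `userdom_manage_tmp_role($1, mozilla_t)`, `nsplugin_role($1, mozilla_t)` and `pulseaudio_role($1, mozilla_t)` calls added at the top of this hunk widen what a caller of this interface hands to the role and domain, but nothing in the hunk says why. They appear to replace user-tmp rules removed from mozilla.te further down in the same patch; a one-line comment such as `# tmp, dbus, nsplugin and pulseaudio access is granted per role here instead of unconditionally in mozilla.te` would make that relationship explicit. The enclosing interface's header is above the hunk, so its name and parameter documentation cannot be checked here.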
@@ -637,17 +656,68 @@ diff -b -B --ignore-all-space --exclude-
userdom_search_user_home_dirs($1)
')
+@@ -82,7 +95,8 @@
+ type mozilla_home_t;
+ ')
+
+- write_files_pattern($1, mozilla_home_t, mozilla_home_t)
++ allow $1 mozilla_home_t:dir list_dir_perms;
++ allow $1 mozilla_home_t:file write_file_perms;
+ userdom_search_user_home_dirs($1)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-06-25 10:19:43.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te 2009-06-25 10:21:01.000000000 +0200
-@@ -145,6 +145,7 @@
- userdom_manage_user_tmp_dirs(mozilla_t)
- userdom_manage_user_tmp_files(mozilla_t)
- userdom_manage_user_tmp_sockets(mozilla_t)
++++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te 2009-07-08 21:12:10.000000000 +0200
+@@ -59,6 +59,7 @@
+ manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+ manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+ userdom_search_user_home_dirs(mozilla_t)
++userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
+
+ # Mozpluggerrc
+ allow mozilla_t mozilla_conf_t:file read_file_perms;
+@@ -97,6 +98,7 @@
+ corenet_tcp_connect_ftp_port(mozilla_t)
+ corenet_tcp_connect_ipp_port(mozilla_t)
+ corenet_tcp_connect_generic_port(mozilla_t)
++corenet_tcp_connect_soundd_port(mozilla_t)
+ corenet_sendrecv_http_client_packets(mozilla_t)
+ corenet_sendrecv_http_cache_client_packets(mozilla_t)
+ corenet_sendrecv_ftp_client_packets(mozilla_t)
+@@ -114,6 +116,8 @@
+ dev_dontaudit_rw_dri(mozilla_t)
+ dev_getattr_sysfs_dirs(mozilla_t)
+
++domain_dontaudit_read_all_domains_state(mozilla_t)
++
+ files_read_etc_runtime_files(mozilla_t)
+ files_read_usr_files(mozilla_t)
+ files_read_etc_files(mozilla_t)
+@@ -139,12 +143,7 @@
+ # Browse the web, connect to printer
+ sysnet_dns_name_resolve(mozilla_t)
+
+-userdom_manage_user_home_content_dirs(mozilla_t)
+-userdom_manage_user_home_content_files(mozilla_t)
+-userdom_manage_user_home_content_symlinks(mozilla_t)
+-userdom_manage_user_tmp_dirs(mozilla_t)
+-userdom_manage_user_tmp_files(mozilla_t)
+-userdom_manage_user_tmp_sockets(mozilla_t)
+userdom_use_user_ptys(mozilla_t)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+@@ -241,6 +240,9 @@
+ optional_policy(`
+ dbus_system_bus_client(mozilla_t)
+ dbus_session_bus_client(mozilla_t)
++ optional_policy(`
++ networkmanager_dbus_chat(mozilla_t)
++ ')
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-07-07 08:51:57.000000000 +0200
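Review bot: In the mozilla.if `@@ -82,7 +95,8 @@` hunk, `write_files_pattern($1, mozilla_home_t, mozilla_home_t)` is replaced by `allow $1 mozilla_home_t:dir list_dir_perms;` plus `allow $1 mozilla_home_t:file write_file_perms;`; if `write_files_pattern` only grants `search_dir_perms` on the directory, as it does in refpolicy, the replacement widens directory access from search to list for every caller of this write interface, which is worth stating in a comment or narrowing back to `search_dir_perms` if listing is not needed. The mozilla.te part of the hunk, by contrast, removes the `userdom_manage_user_home_content_*` and `userdom_manage_user_tmp_*` rules and adds `userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)`, which confines the browser to its own home content; a short comment on that line, e.g. `# browser-created dirs in $HOME get mozilla_home_t, not user_home_t`, would help readers see that the removals are deliberate. The enclosing interface in mozilla.if starts above its hunk.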
@@ -1785,6 +1855,27 @@ diff -b -B --ignore-all-space --exclude-
+optional_policy(`
setroubleshoot_dontaudit_stream_connect(user_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.12/policy/modules/roles/xguest.te
+--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/roles/xguest.te 2009-07-08 21:12:15.000000000 +0200
+@@ -36,11 +36,17 @@
+ # Local policy
+ #
+
++# Dontaudit fusermount
++dontaudit xguest_t self:capability sys_admin;
++
+ # Allow mounting of file systems
+ optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ kernel_read_fs_sysctls(xguest_t)
+
++ # allow fusermount
++ allow xguest_t self:capability sys_admin;
++
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-06-25 10:21:01.000000000 +0200
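Review bot: The `allow xguest_t self:capability sys_admin;` added under the `xguest_mount_media` tunable grants much more than fusermount needs in spirit: CAP_SYS_ADMIN covers mount/umount generally plus a long list of other privileged operations, so enabling that boolean now gives the guest domain the broadest capability the kernel has, and the `# allow fusermount` comment does not convey that. Suggest `# fusermount needs CAP_SYS_ADMIN to mount; note this capability is not limited to mount operations` and updating the tunable's description (outside this hunk) so administrators know what the boolean implies. The unconditional `dontaudit xguest_t self:capability sys_admin;` above it also hides any such attempts while the boolean is off; a one-line comment that this is deliberate to silence fusermount noise would make the intent clear. The `tunable_policy` block continues past the end of the hunk.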
@@ -2527,6 +2618,17 @@ diff -b -B --ignore-all-space --exclude-
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.12/policy/modules/services/openvpn.te
+--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-04-07 21:54:45.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/openvpn.te 2009-07-08 21:10:15.000000000 +0200
+@@ -86,6 +86,7 @@
+ corenet_udp_bind_openvpn_port(openvpn_t)
+ corenet_tcp_connect_openvpn_port(openvpn_t)
+ corenet_tcp_connect_http_port(openvpn_t)
++corenet_tcp_connect_http_cache_port(openvpn_t)
+ corenet_rw_tun_tap_dev(openvpn_t)
+ corenet_sendrecv_openvpn_server_packets(openvpn_t)
+ corenet_sendrecv_openvpn_client_packets(openvpn_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pcscd.te 2009-06-25 10:21:01.000000000 +0200
@@ -2609,7 +2711,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/postgresql.te 2009-06-29 16:24:29.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/postgresql.te 2009-07-08 21:12:21.000000000 +0200
@@ -202,6 +202,7 @@
corenet_tcp_bind_generic_node(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
@@ -2618,6 +2720,14 @@ diff -b -B --ignore-all-space --exclude-
corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t)
+@@ -237,6 +238,7 @@
+ init_read_utmp(postgresql_t)
+
+ logging_send_syslog_msg(postgresql_t)
++logging_send_audit_msgs(postgresql_t)
+
+ miscfiles_read_localization(postgresql_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ppp.if 2009-06-25 10:21:01.000000000 +0200
@@ -2725,7 +2835,7 @@ diff -b -B --ignore-all-space --exclude-
auth_read_all_symlinks_except_shadow(rsync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-07-08 21:12:27.000000000 +0200
@@ -148,6 +148,7 @@
optional_policy(`
@@ -2734,6 +2844,14 @@ diff -b -B --ignore-all-space --exclude-
postfix_domtrans_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
+@@ -186,6 +187,6 @@
+
+ optional_policy(`
+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
+- unconfined_domain(unconfined_sendmail_t)
++ unconfined_domain_noaudit(unconfined_sendmail_t)
+ ')
+
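Review bot: Replacing `unconfined_domain(unconfined_sendmail_t)` with `unconfined_domain_noaudit(unconfined_sendmail_t)` changes which rules and audit records the unconfined sendmail domain gets, yet the hunk carries no comment saying which messages it is meant to quiet, and the change is not reflected in the "Fixes for xguest" changelog entry. Presumably it suppresses noise the full `unconfined_domain` interface produces for this domain, but that should be written down, e.g. `# noaudit: unconfined_sendmail_t otherwise logs <the AVCs this silences>`, so that the reduced audit visibility for a domain handling mail spools is a documented decision rather than an incidental one. The enclosing `optional_policy` block is closed within the hunk, but the surrounding sendmail.te context is not visible here.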
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te 2009-06-25 10:21:01.000000000 +0200
@@ -3221,7 +3339,7 @@ diff -b -B --ignore-all-space --exclude-
allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-07-08 21:12:32.000000000 +0200
@@ -370,8 +370,9 @@
manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
@@ -3249,7 +3367,15 @@ diff -b -B --ignore-all-space --exclude-
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
-@@ -839,7 +842,6 @@
+@@ -652,6 +655,7 @@
+
+ optional_policy(`
+ pulseaudio_exec(xdm_t)
++ pulseaudio_dbus_chat(xdm_t)
+ ')
+
+ # On crash gdm execs gdb to dump stack
+@@ -839,7 +843,6 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -3257,7 +3383,7 @@ diff -b -B --ignore-all-space --exclude-
fs_rw_tmpfs_files(xserver_t)
mls_xwin_read_to_clearance(xserver_t)
-@@ -931,6 +933,10 @@
+@@ -931,6 +934,10 @@
')
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.884
retrieving revision 1.885
diff -u -p -r1.884 -r1.885
--- selinux-policy.spec 7 Jul 2009 07:55:53 -0000 1.884
+++ selinux-policy.spec 8 Jul 2009 19:31:17 -0000 1.885
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 64%{?dist}
+Release: 65%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
%endif
%changelog
+* Wed Jul 8 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-65
+- Fixes for xguest
+
* Tue Jul 7 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-64
- Fixes for kpropd
- Fix up kismet policy