rpms/selinux-policy/F-11 policy-20090521.patch, 1.29, 1.30 selinux-policy.spec, 1.885, 1.886
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jul 15 09:30:43 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8361
Modified Files:
policy-20090521.patch selinux-policy.spec
Log Message:
- Allow dhcpc to read users files
policy-20090521.patch:
Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -p -r1.29 -r1.30
--- policy-20090521.patch 8 Jul 2009 19:31:17 -0000 1.29
+++ policy-20090521.patch 15 Jul 2009 09:30:43 -0000 1.30
@@ -130,8 +130,14 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-06-25 10:19:43.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-06-25 10:21:01.000000000 +0200
-@@ -55,6 +55,7 @@
++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-07-13 11:23:45.000000000 +0200
+@@ -50,11 +50,13 @@
+ domain_use_interactive_fds(readahead_t)
+ domain_read_all_domains_state(readahead_t)
+
++files_getattr_all_pipes(readahead_t)
+ files_dontaudit_getattr_all_sockets(readahead_t)
+ files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
files_dontaudit_read_security_files(readahead_t)
files_dontaudit_getattr_non_security_blk_files(readahead_t)
@@ -1939,6 +1945,27 @@ diff -b -B --ignore-all-space --exclude-
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.12/policy/modules/services/clamav.te
+--- nsaserefpolicy/policy/modules/services/clamav.te 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/clamav.te 2009-07-13 11:33:25.000000000 +0200
+@@ -106,6 +106,8 @@
+ corenet_tcp_bind_generic_port(clamd_t)
+ corenet_tcp_connect_generic_port(clamd_t)
+
++auth_use_nsswitch(clamd_t)
++
+ dev_read_rand(clamd_t)
+ dev_read_urand(clamd_t)
+
+@@ -179,6 +181,8 @@
+ corenet_tcp_connect_http_port(freshclam_t)
+ corenet_sendrecv_http_client_packets(freshclam_t)
+
++auth_use_nsswitch(freshclam_t)
++
+ dev_read_rand(freshclam_t)
+ dev_read_urand(freshclam_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-06-25 10:21:01.000000000 +0200
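Review bot: The two added `auth_use_nsswitch(...)` calls (for clamd_t in the first inner hunk and freshclam_t in the second) have no comment saying which lookup was denied. In the reference policy this interface is broader than a local passwd read, since it also covers the name-service backends nsswitch can be configured to use, including network ones. clamd parses untrusted file content, so the justification belongs next to the rule, e.g. `# clamd resolves user/group names at startup; see <BUG-ID placeholder>`. If only local lookups are needed, a narrower interface would be preferable; that needs checking against the actual denial.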
@@ -1961,7 +1988,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-07-13 10:01:22.000000000 +0200
@@ -163,27 +163,14 @@
#
interface(`cron_unconfined_role',`
@@ -1992,6 +2019,15 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
gen_require(`
class dbus send_msg;
+@@ -282,6 +269,8 @@
+ allow $1 crond_t:fd use;
+ allow $1 crond_t:process sigchld;
+
++ dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;
++
+ userdom_dontaudit_list_admin_dir($1)
+ role system_r types $1;
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cups.fc 2009-06-25 10:21:01.000000000 +0200
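Review bot: The added `dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;` silences denials for every domain passed to this interface without saying why. It looks like it hides a pipe descriptor inherited from crond, but the hunk does not state that. A comment such as `# crond leaks a pipe to its children; access stays denied, only the audit record is dropped` would make clear that the rule grants nothing. It would also tell an investigator that these events are missing from the audit log by design. The enclosing interface starts above the hunk.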
@@ -3178,6 +3214,45 @@ diff -b -B --ignore-all-space --exclude-
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
+--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-07-13 11:32:30.000000000 +0200
+@@ -263,6 +263,7 @@
+ corenet_tcp_sendrecv_generic_node(spamc_t)
+ corenet_tcp_connect_spamd_port(spamc_t)
+
++can_exec(spamc_t, spamc_exec_t)
+
+ manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+ manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
+--- nsaserefpolicy/policy/modules/services/ssh.if 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-07-13 11:36:29.000000000 +0200
+@@ -685,3 +685,24 @@
+ can_exec($1, ssh_agent_exec_t)
+ ')
+
++#######################################
++## <summary>
++## Read ssh home directory content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_read_user_home_files',`
++ gen_require(`
++ type home_ssh_t;
++ ')
++
++ allow $1 home_ssh_t:dir list_dir_perms;
++ read_files_pattern($1, home_ssh_t, home_ssh_t)
++ read_lnk_files_pattern($1, home_ssh_t, home_ssh_t)
++ userdom_search_user_home_dirs($1)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-06-29 22:52:07.000000000 +0200
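Review bot: The summary on the new `ssh_read_user_home_files` interface, "Read ssh home directory content", understates what is granted. `read_files_pattern($1, home_ssh_t, home_ssh_t)` gives the caller read access to every file labeled home_ssh_t, which on default labeling would be expected to include users' private keys as well as known_hosts and authorized_keys. I would extend the `<summary>` to say so, e.g. `## Read all files in user ssh directories (home_ssh_t), including private keys.`, so that later callers do not treat it as a harmless read. The `can_exec(spamc_t, spamc_exec_t)` line added to spamassassin.te in the same hunk also lacks a comment explaining why spamc executes its own binary.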
@@ -3413,7 +3488,7 @@ diff -b -B --ignore-all-space --exclude-
-/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-07-13 11:37:53.000000000 +0200
@@ -42,8 +42,7 @@
#
interface(`auth_login_pgm_domain',`
@@ -3445,7 +3520,15 @@ diff -b -B --ignore-all-space --exclude-
fprintd_dbus_chat($1)
')
-@@ -238,6 +244,96 @@
+@@ -153,6 +159,7 @@
+ optional_policy(`
+ ssh_agent_exec($1)
+ userdom_read_user_home_content_files($1)
++ ssh_read_user_home_files($1)
+ ')
+
+ ')
+@@ -238,6 +245,96 @@
########################################
## <summary>
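Review bot: Adding `ssh_read_user_home_files($1)` inside `auth_login_pgm_domain` gives every domain that uses this interface read access to home_ssh_t content, not only the login program that needs it. The neighbouring `ssh_agent_exec($1)` suggests this serves a PAM module that starts ssh-agent at login, but the hunk does not say so. A comment such as `# PAM ssh module reads the user's keys to start ssh-agent` (if that is the reason) would document it. If only some login programs load that module, granting the access in their own .te files or behind a tunable would keep the other login domains away from key material. The interface body begins outside the hunk.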
@@ -3542,7 +3625,7 @@ diff -b -B --ignore-all-space --exclude-
## Run unix_chkpwd to check a password.
## </summary>
## <param name="domain">
-@@ -726,7 +822,7 @@
+@@ -726,7 +823,7 @@
########################################
## <summary>
@@ -3551,7 +3634,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1258,6 +1354,25 @@
+@@ -1258,6 +1355,25 @@
########################################
## <summary>
@@ -3577,7 +3660,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to write to
## login records files.
## </summary>
-@@ -1415,6 +1530,10 @@
+@@ -1415,6 +1531,10 @@
')
optional_policy(`
@@ -3588,7 +3671,7 @@ diff -b -B --ignore-all-space --exclude-
sssd_stream_connect($1)
')
-@@ -1456,99 +1575,3 @@
+@@ -1456,99 +1576,3 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -3955,7 +4038,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-07-07 09:20:48.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-07-15 09:44:42.000000000 +0200
@@ -139,6 +139,7 @@
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -4026,8 +4109,16 @@ diff -b -B --ignore-all-space --exclude-
allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-06-25 10:21:01.000000000 +0200
-@@ -45,7 +45,7 @@
++++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-07-13 11:39:27.000000000 +0200
+@@ -18,6 +18,7 @@
+ type dhcpc_t;
+ type dhcpc_exec_t;
+ init_daemon_domain(dhcpc_t,dhcpc_exec_t)
++domain_obj_id_change_exemption(dhcpc_t)
+ role system_r types dhcpc_t;
+
+ type dhcpc_helper_exec_t;
+@@ -45,7 +46,7 @@
# DHCP client local policy
#
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
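Review bot: `domain_obj_id_change_exemption(dhcpc_t)` is not mentioned in the log message ("Allow dhcpc to read users files") and has no comment. It lifts a policy constraint rather than adding an ordinary allow rule: the domain becomes exempt from the check that prevents changing the SELinux user identity on object contexts. dhcpc_t is network-facing and, as the context lines show, already holds `dac_override`, with `setfscreate` allowed further down in the same file, so the exemption deserves a stated reason, e.g. `# dhclient-script rewrites <FILE placeholder> and must preserve its system_u label`. If the need is a single file, a file transition or a relabel step in the script might avoid the exemption altogether; that needs checking against the denial that prompted this.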
@@ -4036,6 +4127,14 @@ diff -b -B --ignore-all-space --exclude-
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
allow dhcpc_t self:process { setfscreate ptrace signal_perms };
+@@ -125,6 +126,7 @@
+
+ files_read_etc_files(dhcpc_t)
+ files_read_etc_runtime_files(dhcpc_t)
++files_read_usr_files(dhcpc_t)
+ files_search_home(dhcpc_t)
+ files_search_var_lib(dhcpc_t)
+ files_dontaudit_search_locks(dhcpc_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-06-25 10:21:01.000000000 +0200
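Review bot: The log message and changelog say "read users files", but the rule added here is `files_read_usr_files(dhcpc_t)`, which in the reference policy covers generic files under /usr (usr_t), not user home content. The grant itself is read-only and narrow, but the wording will mislead someone auditing the changelog later. A comment next to the rule such as `# dhclient-script reads data files under /usr` (adjusted to the actual denial), and "usr files" in the changelog entry, would remove the ambiguity.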
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.885
retrieving revision 1.886
diff -u -p -r1.885 -r1.886
--- selinux-policy.spec 8 Jul 2009 19:31:17 -0000 1.885
+++ selinux-policy.spec 15 Jul 2009 09:30:43 -0000 1.886
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 65%{?dist}
+Release: 66%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
%endif
%changelog
+* Wed Jul 15 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-66
+- Allow dhcpc to read users files
+
* Wed Jul 8 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-65
- Fixes for xguest