rpms/selinux-policy/F-11 policy-20090521.patch, 1.4, 1.5 selinux-policy.spec, 1.865, 1.866
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Jun 1 17:08:07 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10605
Modified Files:
policy-20090521.patch selinux-policy.spec
Log Message:
* Mon Jun 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-44
- Add fish as a shell_exec_t
- Allow consolekit to search mountpoints
- Allow xdm_t to delete user_home_t
policy-20090521.patch:
Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- policy-20090521.patch 27 May 2009 11:50:16 -0000 1.4
+++ policy-20090521.patch 1 Jun 2009 17:07:36 -0000 1.5
@@ -1,3 +1,53 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
+--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-05-29 11:08:06.000000000 -0400
+@@ -72,6 +72,8 @@
+ files_read_etc_runtime_files(prelink_t)
+ files_dontaudit_read_all_symlinks(prelink_t)
+ files_manage_usr_files(prelink_t)
++# Delta RPMS
++files_manage_var_files(prelink_t)
+ files_relabelfrom_usr_files(prelink_t)
+
+ fs_getattr_xattr_fs(prelink_t)
+@@ -102,5 +104,9 @@
+ ')
+
+ optional_policy(`
++ rpm_manage_tmp_files(prelink_t)
++')
++
++optional_policy(`
+ unconfined_domain(prelink_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
+--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-05-29 11:02:56.000000000 -0400
+@@ -470,6 +470,24 @@
+
+ ########################################
+ ## <summary>
++## Manage RPM tmp files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`rpm_manage_tmp_files',`
++ gen_require(`
++ type rpm_tmp_t;
++ ')
++
++ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to read,
+ ## write RPM tmp files
+ ## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te 2009-05-26 13:02:40.000000000 -0400
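Review bot: The parameter doc on the new `rpm_manage_tmp_files` interface says `## Domain to not audit.`, which is copied from the neighbouring dontaudit interface and contradicts what the body grants via `manage_files_pattern`; it should read `## Domain allowed access.`, as the lirc interfaces added later in this patch do. The summary could also say what is managed, e.g. `## Create, read, write, and delete RPM temporary files.` In prelink.te, `files_manage_var_files(prelink_t)` under the `# Delta RPMS` comment grants prelink create/write/delete on every generic var_t file, which looks broader than a delta-RPM rebuild needs; if the files in question are the rpm_tmp_t ones now covered by `rpm_manage_tmp_files(prelink_t)`, the var_files rule may be redundant, and if not, the comment should name the /var paths it is for.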
@@ -30,9 +80,120 @@ diff -b -B --ignore-all-space --exclude-
/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
+--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-06-01 07:05:29.000000000 -0400
+@@ -7,6 +7,7 @@
+ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
++/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -145,6 +146,7 @@
+ /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+ /usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc 2009-06-01 08:22:04.000000000 -0400
+@@ -48,6 +48,7 @@
+ /dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
+ /dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
+ /dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
++/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
+ /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-06-01 08:22:04.000000000 -0400
+@@ -1725,6 +1725,61 @@
+ rw_chr_files_pattern($1, device_t, kvm_device_t)
+ ')
+
++######################################
++## <summary>
++## Read the lirc device.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_lirc',`
++ gen_require(`
++ type device_t, lirc_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, lirc_device_t)
++')
++
++######################################
++## <summary>
++## Read and write the lirc device.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_lirc',`
++ gen_require(`
++ type device_t, lirc_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, lirc_device_t)
++')
++
++######################################
++## <summary>
++## Automatic type transition to the type
++## for lirc device nodes when created in /dev.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_filetrans_lirc',`
++ gen_require(`
++ type device_t, lirc_device_t;
++ ')
++
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file)
++')
++
+ ########################################
+ ## <summary>
+ ## Read the lvm comtrol device.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-06-01 08:22:04.000000000 -0400
+@@ -91,6 +91,12 @@
+ dev_node(kvm_device_t)
+
+ #
++# Type for /dev/lirc
++#
++type lirc_device_t;
++dev_node(lirc_device_t)
++
++#
+ # Type for /dev/mapper/control
+ #
+ type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-26 13:02:25.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-29 11:03:57.000000000 -0400
@@ -5224,6 +5224,7 @@
attribute file_type;
')
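Review bot: The new devices.fc entry `/dev/lirc[0-9]+` requires at least one digit, while the comment added in devices.te reads `# Type for /dev/lirc`; file-context regexes are anchored, so a bare `/dev/lirc` node would presumably not get lirc_device_t and `dev_rw_lirc(lircd_t)` would not cover it. If such a node is expected, `/dev/lirc[0-9]*` (which still does not match the existing `/dev/lircm` mouse entry) covers both spellings; otherwise the devices.te comment should read `# Type for /dev/lirc[0-9]+` so the two files agree. The three interfaces in devices.if follow the shape of the kvm interface above them; `dev_read_lirc` has no caller in this patch, which is fine for an interface file but worth a line in the commit log.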
@@ -53,6 +214,20 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
+--- nsaserefpolicy/policy/modules/roles/staff.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-06-01 08:41:46.000000000 -0400
+@@ -44,6 +44,10 @@
+ ')
+
+ optional_policy(`
++ postgresql_role(staff_r, staff_t)
++')
++
++optional_policy(`
+ secadm_role_change(staff_r)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-05-21 15:11:07.000000000 -0400
@@ -90,6 +265,26 @@ diff -b -B --ignore-all-space --exclude-
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
+--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-06-01 06:47:53.000000000 -0400
+@@ -14,7 +14,7 @@
+ files_pid_file(consolekit_var_run_t)
+
+ type consolekit_log_t;
+-files_pid_file(consolekit_log_t)
++logging_log_file(consolekit_log_t)
+
+ ########################################
+ #
+@@ -50,6 +50,7 @@
+ files_read_usr_files(consolekit_t)
+ # needs to read /var/lib/dbus/machine-id
+ files_read_var_lib_files(consolekit_t)
++files_search_all_mountpoints(consolekit_t)
+
+ fs_list_inotifyfs(consolekit_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-05-26 08:38:15.000000000 -0400
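Review bot: Changing `consolekit_log_t` from `files_pid_file` to `logging_log_file` moves those files from the pid-file attribute set into the log-file one, so domains that reach them through a read-all-pids or read-all-logs style interface lose or gain access; that is inferred from the interface names, so confirm against files.if and logging.if. The 3.6.12-44 changelog entry only mentions the mountpoint search and should record this, e.g. `- Label consolekit_log_t as a log file rather than a pid file`. `files_search_all_mountpoints(consolekit_t)` is search-only and matches the changelog as written.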
@@ -157,6 +352,38 @@ diff -b -B --ignore-all-space --exclude-
files_getattr_all_mountpoints(hald_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if
+--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/kerberos.if 2009-06-01 08:13:05.000000000 -0400
+@@ -70,6 +70,7 @@
+ interface(`kerberos_use',`
+ gen_require(`
+ type krb5_conf_t, krb5kdc_conf_t;
++ type krb5_host_rcache_t;
+ ')
+
+ files_search_etc($1)
+@@ -101,6 +102,7 @@
+ corenet_tcp_connect_ocsp_port($1)
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_sendrecv_ocsp_client_packets($1)
++ allow $1 krb5_host_rcache_t:file getattr;
+ ')
+
+ optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
+--- nsaserefpolicy/policy/modules/services/lircd.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-06-01 08:22:04.000000000 -0400
+@@ -45,6 +45,9 @@
+ dev_filetrans(lircd_t, lircd_sock_t, sock_file )
+ dev_read_generic_usb_dev(lircd_t)
+
++dev_filetrans_lirc(lircd_t)
++dev_rw_lirc(lircd_t)
++
+ logging_send_syslog_msg(lircd_t)
+
+ files_read_etc_files(lircd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/mailman.if 2009-05-26 13:53:04.000000000 -0400
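Review bot: In kerberos.if, `allow $1 krb5_host_rcache_t:file getattr;` is a raw allow rule inside an interface whose surrounding lines express access only through interface and pattern calls, and it grants getattr on the file alone, with no search permission on the directory holding the replay cache, so whether a caller can actually stat the cache depends on rules outside this hunk. Either use the pattern form, e.g. `getattr_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)` if the caches live in a directory of that type, or add a comment naming the directory the caches are expected under and which rule grants search on it. The `kerberos_use` interface and the block this rule sits in both start and end outside the hunk.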
@@ -259,3 +486,61 @@ diff -b -B --ignore-all-space --exclude-
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
+--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-01 08:37:12.000000000 -0400
+@@ -139,6 +139,7 @@
+ /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
+--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/locallogin.te 2009-05-28 21:07:39.000000000 -0400
+@@ -211,6 +211,7 @@
+ # Sulogin local policy
+ #
+
++allow sulogin_t self:capability dac_override;
+ allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow sulogin_t self:fd use;
+ allow sulogin_t self:fifo_file rw_file_perms;
+@@ -258,7 +259,10 @@
+ # suse and debian do not use pam with sulogin...
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ ifdef(`distro_debian', `define(`sulogin_no_pam')')
+-ifdef(`distro_redhat',`define(`sulogin_no_pam')')
++ifdef(`distro_redhat',`
++ define(`sulogin_no_pam')
++ selinux_compute_user_contexts(sulogin_t)
++')
+
+ ifdef(`sulogin_no_pam', `
+ allow sulogin_t self:capability sys_tty_config;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
+--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-06-01 13:01:59.000000000 -0400
+@@ -45,7 +45,7 @@
+ # DHCP client local policy
+ #
+ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
+-dontaudit dhcpc_t self:capability sys_tty_config;
++dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+ allow dhcpc_t self:process { setfscreate ptrace signal_perms };
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-06-01 08:19:34.000000000 -0400
+@@ -1880,7 +1880,7 @@
+ type user_home_t;
+ ')
+
+- allow $1 user_home_t:dir delete_file_perms;
++ allow $1 user_home_t:file delete_file_perms;
+ ')
+
+ ########################################
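Review bot: In userdomain.if the corrected rule `allow $1 user_home_t:file delete_file_perms;` grants unlink on the file but nothing on the directory entry, so a caller such as xdm_t still needs `user_home_t:dir del_entry_dir_perms` to actually remove a file from a home directory; the refpolicy idiom `delete_files_pattern($1, user_home_t, user_home_t)` expands to both rules. The interface this rule belongs to starts outside the hunk, so a dir rule may already exist there — check before changing. Separately, in locallogin.te the new `allow sulogin_t self:capability dac_override;` is a DAC-bypass grant with no comment, while the sysnetwork.te hunk in this same patch shows the file convention of a why-comment on such lines (`# for access("/etc/bashrc", X_OK) on Red Hat`); a line like `# sulogin needs dac_override to read <path from the AVC — fill in>` would record why the capability is needed.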
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.865
retrieving revision 1.866
diff -u -p -r1.865 -r1.866
--- selinux-policy.spec 27 May 2009 11:50:16 -0000 1.865
+++ selinux-policy.spec 1 Jun 2009 17:07:36 -0000 1.866
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 43%{?dist}
+Release: 44%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,11 @@ exit 0
%endif
%changelog
+* Mon Jun 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-44
+- Add fish as a shell_exec_t
+- Allow consolekit to search mountpoints
+- Allow xdm_t to delete user_home_t
+
* Wed May 27 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-43
- Allow fprintd to list usbfs_t
- Add listing of mailman_data_t