rpms/selinux-policy/F-11 policy-20090521.patch, 1.10, 1.11 selinux-policy.spec, 1.870, 1.871

Daniel J Walsh dwalsh at fedoraproject.org
Fri Jun 12 13:08:57 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13111

Modified Files:
	policy-20090521.patch selinux-policy.spec 
Log Message:
* Fri Jun 12 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-50
- Allow udev to transition to bluetooth


policy-20090521.patch:

Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- policy-20090521.patch	10 Jun 2009 17:46:51 -0000	1.10
+++ policy-20090521.patch	12 Jun 2009 13:08:56 -0000	1.11
@@ -109,6 +109,29 @@ diff -b -B --ignore-all-space --exclude-
  
  /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
  /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
+--- nsaserefpolicy/policy/modules/apps/vmware.te	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/vmware.te	2009-06-12 08:42:20.000000000 -0400
+@@ -136,7 +136,7 @@
+ 
+ miscfiles_read_localization(vmware_host_t)
+ 
+-sysnet_dns_name_resolve(vmware_host_t)
++auth_use_nsswitch(vmware_host_t)
+ 
+ storage_getattr_fixed_disk_dev(vmware_host_t)
+ 
+@@ -160,6 +160,10 @@
+         xserver_common_app(vmware_host_t)
+ ')
+ 
++optional_policy(`
++	unconfined_domain(vmware_host_t)
++	unconfined_domain(vmware_t)
++')
+ 
+ ifdef(`TODO',`
+ # VMWare need access to pcmcia devices for network
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-06-08 08:49:07.000000000 -0400
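Review bot: The added `optional_policy` block in vmware.te calls `unconfined_domain(vmware_host_t)` and `unconfined_domain(vmware_t)`, which effectively lifts type-enforcement confinement from both VMware domains, yet neither the log message nor the spec changelog mentions it. If this is a stopgap for outstanding denials, say so next to the block, for example `# FIXME: temporary; replace with targeted rules once the vmware denials are collected`, and add a changelog line such as `- Make vmware_host_t and vmware_t unconfined domains`. The narrower alternative is to add only the allow rules those denials call for. The same section also swaps `sysnet_dns_name_resolve(vmware_host_t)` for the broader `auth_use_nsswitch(vmware_host_t)`, which deserves its own changelog mention.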
@@ -360,8 +383,16 @@ diff -b -B --ignore-all-space --exclude-
  # a keyring
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-05-29 11:03:57.000000000 -0400
-@@ -5224,6 +5224,7 @@
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-06-11 14:03:01.000000000 -0400
+@@ -1953,6 +1953,7 @@
+ 	allow $1 etc_t:dir list_dir_perms;
+ 	read_files_pattern($1, etc_t, etc_t)
+ 	read_lnk_files_pattern($1, etc_t, etc_t)
++	files_read_etc_runtime_files($1)
+ ')
+ 
+ ########################################
+@@ -5224,6 +5225,7 @@
  		attribute file_type;
  	')
  
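Review bot: The new `files_read_etc_runtime_files($1)` line in the inner hunk `@@ -1953,6 +1953,7 @@` of files.if sits inside a shared interface, so every domain that already calls it gains read access to `etc_runtime_t` files, not only the domain that hit the denial. The interface name is outside the hunk; the visible rules read `etc_t` files, so it is presumably the generic /etc read interface. If so, its `## <summary>` should state that it now also covers runtime-generated /etc files, and the changelog should carry a line for the change. If only a few domains need this, calling `files_read_etc_runtime_files()` from their own .te files would keep the grant narrower.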
@@ -381,6 +412,35 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if	2009-06-11 10:02:45.000000000 -0400
+@@ -571,6 +571,25 @@
+ 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ ')
+ 
++#######################################
++## <summary>
++##      Set the attributes of the tty device
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`term_setattr_controlling_term',`
++       gen_require(`
++               type devtty_t;
++       ')
++
++	dev_list_all_dev_nodes($1)
++	allow $1 devtty_t:chr_file setattr;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write the controlling
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-06-01 08:41:46.000000000 -0400
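Review bot: The `## <summary>` of the new `term_setattr_controlling_term` interface reads "Set the attributes of the tty device", which does not match what it grants: the rule is on `devtty_t`, the controlling terminal node, and the neighbouring interface below words it as "Read and write the controlling ...". I would write `##	Set the attributes of the controlling terminal (/dev/tty).` so the name, summary and rule agree. The summary lines and the `gen_require` block are also indented with spaces, while the rule lines and the surrounding context use tabs.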
@@ -545,7 +605,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te	2009-05-21 12:57:07.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/devicekit.te	2009-06-11 08:32:09.000000000 -0400
 @@ -55,7 +55,7 @@
  #
  # DeviceKit-Power local policy
@@ -555,6 +615,14 @@ diff -b -B --ignore-all-space --exclude-
  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
  
+@@ -77,6 +77,7 @@
+ kernel_rw_kernel_sysctl(devicekit_power_t)
+ kernel_write_proc_files(devicekit_power_t)
+ 
++dev_read_input(devicekit_power_t)
+ dev_rw_generic_usb_dev(devicekit_power_t)
+ dev_rw_netcontrol(devicekit_power_t)
+ dev_rw_sysfs(devicekit_power_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-06-04 13:23:04.000000000 -0400
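Review bot: `dev_read_input(devicekit_power_t)` is added without a comment saying which device it is for, and the interface grants read on input event devices in general rather than on one node. If the need is lid or power-button events (an assumption, since the hunk gives no reason), a line such as `# read lid/power button events` above it would tell a later reader why a power daemon may read input devices. The spec changelog does not mention this grant either.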
@@ -743,6 +811,17 @@ diff -b -B --ignore-all-space --exclude-
  	dbus_system_bus_client(setroubleshootd_t)
  	dbus_connect_system_bus(setroubleshootd_t)
  	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.12/policy/modules/services/shorewall.te
+--- nsaserefpolicy/policy/modules/services/shorewall.te	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/shorewall.te	2009-06-12 07:59:58.000000000 -0400
+@@ -35,6 +35,7 @@
+ 
+ allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
+ dontaudit shorewall_t self:capability sys_tty_config;
++allow shorewall_t self:process signal;
+ 
+ allow shorewall_t self:fifo_file rw_fifo_file_perms;
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc	2009-05-21 08:31:58.000000000 -0400
@@ -751,6 +830,18 @@ diff -b -B --ignore-all-space --exclude-
  HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
  
  /etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.12/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/uucp.te	2009-06-10 16:13:54.000000000 -0400
+@@ -95,6 +95,8 @@
+ files_search_home(uucpd_t)
+ files_search_spool(uucpd_t)
+ 
++term_setattr_controlling_term(uucpd_t)
++
+ auth_use_nsswitch(uucpd_t)
+ 
+ logging_send_syslog_msg(uucpd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-06-09 06:54:00.000000000 -0400
@@ -866,7 +957,7 @@ diff -b -B --ignore-all-space --exclude-
  ipsec_setcontext_default_spd(setkey_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc	2009-06-08 08:45:27.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/libraries.fc	2009-06-12 09:03:04.000000000 -0400
 @@ -139,6 +139,7 @@
  /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -875,7 +966,15 @@ diff -b -B --ignore-all-space --exclude-
  /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -366,6 +367,7 @@
+@@ -190,6 +191,7 @@
+ /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib64/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -366,9 +368,10 @@
  /usr/matlab.*\.so(\.[^/]*)*		gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
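Review bot: The added `/usr/lib64/maxima/[^/]+/binary-gcl/maxima` entry duplicates the `/usr/lib/maxima/...` entry directly below it, whereas the dual-arch convention visible in this file's context lines is `lib(64)?`. Folding both into a single `/usr/lib(64)?/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)` line keeps the two paths from drifting apart. Because `textrel_shlib_t` relaxes the text-relocation restriction for whatever matches, fewer and tighter patterns are also easier to audit.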
@@ -883,6 +982,10 @@ diff -b -B --ignore-all-space --exclude-
  
  /usr/lib/libcncpmslld328\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
+ /usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-
++/usr/lib(64)?/midori/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/system/locallogin.te	2009-05-28 21:07:39.000000000 -0400
@@ -918,6 +1021,20 @@ diff -b -B --ignore-all-space --exclude-
  # for access("/etc/bashrc", X_OK) on Red Hat
  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
  allow dhcpc_t self:process { setfscreate ptrace signal_perms };
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
+--- nsaserefpolicy/policy/modules/system/udev.te	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/udev.te	2009-06-12 07:55:17.000000000 -0400
+@@ -196,6 +196,10 @@
+ ')
+ 
+ optional_policy(`
++	bluetooth_domtrans(udev_t)
++')
++
++optional_policy(`
+ 	brctl_domtrans(udev_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-06-01 08:19:34.000000000 -0400


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.870
retrieving revision 1.871
diff -u -p -r1.870 -r1.871
--- selinux-policy.spec	10 Jun 2009 17:46:51 -0000	1.870
+++ selinux-policy.spec	12 Jun 2009 13:08:57 -0000	1.871
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 48%{?dist}
+Release: 50%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,12 @@ exit 0
 %endif
 
 %changelog
+* Fri Jun 12 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-50
+- Allow udev to transition to bluetooth
+
+* Thu Jun 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-49
+- Add labeling for midori shared libraries
+
 * Thu Jun 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-48
 - Allow setroubleshoot to run mlocate
 



