rpms/selinux-policy/F-11 policy-20090521.patch, 1.12, 1.13 selinux-policy.spec, 1.872, 1.873
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Jun 15 20:05:04 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20140
Modified Files:
policy-20090521.patch selinux-policy.spec
Log Message:
* Mon Jun 15 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-52
- Allow kpropd to create krb5kdc_lock_t files in krb5kdc_conf_t directories
policy-20090521.patch:
Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -p -r1.12 -r1.13
--- policy-20090521.patch 12 Jun 2009 18:42:12 -0000 1.12
+++ policy-20090521.patch 15 Jun 2009 20:04:32 -0000 1.13
@@ -1,8 +1,13 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-05-29 11:08:06.000000000 -0400
-@@ -72,6 +72,8 @@
- files_read_etc_runtime_files(prelink_t)
++++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-06-15 08:33:15.000000000 -0400
+@@ -68,10 +68,11 @@
+ files_list_all(prelink_t)
+ files_getattr_all_files(prelink_t)
+ files_write_non_security_dirs(prelink_t)
+-files_read_etc_files(prelink_t)
+-files_read_etc_runtime_files(prelink_t)
++auth_read_all_files_except_shadow(prelink_t)
files_dontaudit_read_all_symlinks(prelink_t)
files_manage_usr_files(prelink_t)
+# Delta RPMS
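Review bot: Replacing `files_read_etc_files`/`files_read_etc_runtime_files` with `auth_read_all_files_except_shadow(prelink_t)` widens prelink_t from reading /etc to reading every file type other than shadow_t, which presumably covers private keys, keytabs and other secrets well beyond the ELF objects prelink rewrites. If a specific denial prompted this, a targeted interface for that one type while keeping the two removed calls would preserve the earlier scope; if the broad grant is intended, a why-comment such as `# prelink may be pointed at arbitrary ELF files; needs read on all non-shadow types` would make that reviewable. The prelink_t rule set continues outside the hunk.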
@@ -10,7 +15,7 @@ diff -b -B --ignore-all-space --exclude-
files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
-@@ -102,5 +104,9 @@
+@@ -102,5 +103,9 @@
')
optional_policy(`
@@ -79,8 +84,17 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te 2009-06-09 06:55:30.000000000 -0400
-@@ -93,6 +93,7 @@
++++ serefpolicy-3.6.12/policy/modules/apps/qemu.te 2009-06-12 14:53:46.000000000 -0400
+@@ -88,11 +88,16 @@
+ ')
+
+ optional_policy(`
++ dbus_system_bus_client(qemu_t)
++')
++
++optional_policy(`
+ samba_domtrans_smb(qemu_t)
+ ')
optional_policy(`
virt_manage_images(qemu_t)
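Review bot: `dbus_system_bus_client(qemu_t)` gives every qemu_t process a connection to the system bus, so which services such a process may call is now decided by the D-Bus busconfig rather than by SELinux; this matters if qemu_t is also entered by user roles and not only by libvirt. The matching removal of the call from virtualdomain later in this patch suggests a deliberate move from svirt to qemu_t, but nothing in the hunk says which service qemu needs; a comment on the new optional_policy block, e.g. `# qemu talks to <service> over the system bus`, would record that. The qemu_t rules continue beyond the hunk.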
@@ -393,7 +407,7 @@ diff -b -B --ignore-all-space --exclude-
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-06-11 14:03:01.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-06-15 08:32:29.000000000 -0400
@@ -1953,6 +1953,7 @@
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
@@ -402,7 +416,15 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -5224,6 +5225,7 @@
+@@ -3734,6 +3735,7 @@
+ allow $1 usr_t:dir list_dir_perms;
+ read_files_pattern($1, usr_t, usr_t)
+ read_lnk_files_pattern($1, usr_t, usr_t)
++ files_read_usr_src_files($1)
+ ')
+
+ ########################################
+@@ -5224,6 +5226,7 @@
attribute file_type;
')
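Review bot: Adding `files_read_usr_src_files($1)` inside the generic /usr-reading interface at `@@ -3734` silently extends every caller of that interface to src_t (/usr/src), and the interface's summary block above the hunk no longer describes what it grants. Unless most callers genuinely need kernel sources, the usual refpolicy pattern is to call `files_read_usr_src_files()` from the one domain that was denied and leave the core interface unchanged; if the broadening is intended, the interface summary should say that src_t is included. The interface's opening lines are outside the hunk.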
@@ -481,7 +503,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-05-22 05:49:21.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-06-15 15:37:33.000000000 -0400
@@ -52,6 +52,8 @@
init_system_domain(unconfined_execmem_t, execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
@@ -491,6 +513,17 @@ diff -b -B --ignore-all-space --exclude-
type unconfined_notrans_t;
type unconfined_notrans_exec_t;
+@@ -253,6 +255,10 @@
+ ')
+
+ optional_policy(`
++ ppp_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ qemu_role_notrans(unconfined_r, unconfined_t)
+ qemu_unconfined_role(unconfined_r)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-05-26 15:13:01.000000000 -0400
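Review bot: `ppp_run(unconfined_t, unconfined_r)` is mainly about role authorization here, since unconfined_t already holds the allow rules; with the ppp_run body changed elsewhere in this patch it pulls pppd_t, pptp_t and, if ddclient is present, ddclient_t into unconfined_r. A one-line comment on the new optional_policy block, e.g. `# authorize unconfined_r for the pppd/pptp/ddclient domains`, would save the next reader from tracing ppp_run to see why an unconfined domain needs it. The unconfined_t rules continue outside the hunk.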
@@ -613,6 +646,41 @@ diff -b -B --ignore-all-space --exclude-
spamassassin_read_spamd_tmp_files(dcc_client_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.12/policy/modules/services/ddclient.if
+--- nsaserefpolicy/policy/modules/services/ddclient.if 2009-04-07 15:54:45.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ddclient.if 2009-06-15 15:36:48.000000000 -0400
+@@ -21,6 +21,31 @@
+
+ ########################################
+ ## <summary>
++## Execute ddclient daemon on behalf of a user or staff type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to allow the ppp domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`ddclient_run',`
++ gen_require(`
++ type ddclient_t;
++ ')
++
++ ddclient_domtrans($1)
++ role $2 types ddclient_t;
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an ddclient environment
+ ## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-06-11 08:32:09.000000000 -0400
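Review bot: The role parameter doc in the new `ddclient_run` interface reads `The role to allow the ppp domain.`, which looks copied from ppp.if; it should say `The role to allow the ddclient domain.`. The interface body itself is consistent with refpolicy's other `*_run` interfaces (domtrans plus `role $2 types ddclient_t;`), so only the documentation needs the fix.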
@@ -682,6 +750,17 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te
+--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/kerberos.te 2009-06-15 15:00:15.000000000 -0400
+@@ -287,6 +287,7 @@
+
+ manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
+ manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
++filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
+
+ corecmd_exec_bin(kpropd_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-06-01 08:22:04.000000000 -0400
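Review bot: `filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)` is an unconditional type transition, so every regular file kpropd_t creates in a krb5kdc_conf_t directory, not just the lock file, will be labeled krb5kdc_lock_t; the `manage_files_pattern(... krb5kdc_principal_t)` line just above suggests kpropd also writes principal-database files there, and those would now get the lock type instead of krb5kdc_principal_t. If name-based transitions are not available in this policy version, either confirm that the lock file is the only file kpropd creates in that directory or keep the database dump in a directory with a principal-typed transition, and add a comment such as `# every file kpropd creates in the kdc conf dir becomes krb5kdc_lock_t`. The changelog also names krb5_lock_t/krb5_conf_t while the rule uses the krb5kdc_* types.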
@@ -706,6 +785,29 @@ diff -b -B --ignore-all-space --exclude-
read_files_pattern($1, mailman_data_t, mailman_data_t)
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if
+--- nsaserefpolicy/policy/modules/services/mta.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-06-15 10:55:27.000000000 -0400
+@@ -473,6 +473,7 @@
+ ')
+
+ write_files_pattern($1, etc_mail_t, etc_mail_t)
++ allow $1 etc_mail_t:file setattr;
+ ')
+
+ ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.12/policy/modules/services/polkit.fc
+--- nsaserefpolicy/policy/modules/services/polkit.fc 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/polkit.fc 2009-06-15 11:00:10.000000000 -0400
+@@ -2,7 +2,7 @@
+ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
+ /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0)
+ /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0)
+-/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0)
++/usr/libexec/polkitd.* -- gen_context(system_u:object_r:polkit_exec_t,s0)
+
+ /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+ /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-06-03 08:38:18.000000000 -0400
@@ -735,6 +837,34 @@ diff -b -B --ignore-all-space --exclude-
## Execute the master postdrop in the
## postfix_postdrop domain.
## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if
+--- nsaserefpolicy/policy/modules/services/ppp.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ppp.if 2009-06-15 15:36:01.000000000 -0400
+@@ -181,6 +181,11 @@
+
+ ppp_domtrans($1)
+ role $2 types pppd_t;
++ role $2 types pptp_t;
++
++ optional_policy(`
++ ddclient_run(pppd_t, $2)
++ ')
+ ')
+
+ ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te
+--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/privoxy.te 2009-06-15 15:20:45.000000000 -0400
+@@ -48,8 +48,7 @@
+ files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
+
+ kernel_read_kernel_sysctls(privoxy_t)
+-kernel_list_proc(privoxy_t)
+-kernel_read_proc_symlinks(privoxy_t)
++kernel_read_system_state(privoxy_t)
+
+ corenet_all_recvfrom_unlabeled(privoxy_t)
+ corenet_all_recvfrom_netlabel(privoxy_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc 2009-05-21 08:32:24.000000000 -0400
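Review bot: `ddclient_run(pppd_t, $2)` inside `ppp_run` places the pppd_t to ddclient_t domain-transition rule in a role-granting interface, so pppd only gets the transition when some role calls ppp_run; a pppd started from init would not, which is presumably not intended. The domain rule belongs in ppp.te as `ddclient_domtrans(pppd_t)` under an optional_policy block, with ppp_run keeping only `role $2 types ddclient_t;`. In the same hunk, `role $2 types pptp_t;` is added without updating ppp_run's doc block above the hunk, and the privoxy change from `kernel_list_proc`/`kernel_read_proc_symlinks` to `kernel_read_system_state` broadens privoxy_t to all of /proc. The ppp_run interface's opening lines are outside the hunk.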
@@ -916,7 +1046,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-06-01 13:14:14.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-06-15 15:31:05.000000000 -0400
@@ -77,6 +77,8 @@
# for SSP/ProPolice
@@ -926,11 +1056,12 @@ diff -b -B --ignore-all-space --exclude-
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
-@@ -147,6 +149,10 @@
+@@ -147,6 +149,11 @@
')
optional_policy(`
+ kerberos_manage_host_rcache($1)
++ kerberos_read_config($1)
+ ')
+
+ optional_policy(`
@@ -949,6 +1080,25 @@ diff -b -B --ignore-all-space --exclude-
/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-06-15 10:44:05.000000000 -0400
+@@ -285,6 +285,7 @@
+ kernel_dontaudit_getattr_message_if(initrc_t)
+ kernel_stream_connect(initrc_t)
+ files_read_kernel_modules(initrc_t)
++files_read_config_files(initrc_t)
+
+ files_read_kernel_symbol_table(initrc_t)
+ files_exec_etc_files(initrc_t)
+@@ -750,6 +751,7 @@
+
+ mysql_stream_connect(initrc_t)
+ mysql_write_log(initrc_t)
++ mysql_read_config(initrc_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-06-12 11:35:19.000000000 -0400
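Review bot: `mysql_read_config(initrc_t)` lets every init script read my.cnf, which can presumably carry database credentials, and `files_read_config_files(initrc_t)` grants read on every type carrying the configfile attribute; neither line records which init script triggered the denial. Add a why-comment next to each, e.g. `# mysqld init script parses my.cnf for datadir/socket`, so the grant can be re-evaluated later, and check whether mysql_etc_t already carries configfile, in which case the second call is redundant. The initrc_t rules run well beyond this hunk.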
@@ -1168,7 +1318,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-06-08 09:19:35.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-06-12 14:53:26.000000000 -0400
@@ -38,6 +38,7 @@
dev_read_sound(virtualdomain)
dev_write_sound(virtualdomain)
@@ -1177,6 +1327,17 @@ diff -b -B --ignore-all-space --exclude-
dev_rw_qemu(virtualdomain)
domain_use_interactive_fds(virtualdomain)
+@@ -63,10 +64,6 @@
+ miscfiles_read_localization(virtualdomain)
+
+ optional_policy(`
+- dbus_system_bus_client(virtualdomain)
+-')
+-
+-optional_policy(`
+ virt_read_config(virtualdomain)
+ virt_read_lib_files(virtualdomain)
+ virt_read_content(virtualdomain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-06-04 14:47:25.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.872
retrieving revision 1.873
diff -u -p -r1.872 -r1.873
--- selinux-policy.spec 12 Jun 2009 18:42:12 -0000 1.872
+++ selinux-policy.spec 15 Jun 2009 20:04:32 -0000 1.873
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 51%{?dist}
+Release: 52%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
%endif
%changelog
+* Mon Jun 15 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-52
+- Allow kpropd to create krb5_lock_t files in krb5_conf_t directory
+
* Fri Jun 12 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-51
- Remove some privs from svirt to tighten the policy