rpms/selinux-policy/devel .cvsignore, 1.171, 1.172 policy-F12.patch, 1.15, 1.16 selinux-policy.spec, 1.868, 1.869 sources, 1.191, 1.192
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Jun 22 22:28:28 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2624
Modified Files:
.cvsignore policy-F12.patch selinux-policy.spec sources
Log Message:
* Sat Jun 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.19-1
- Update to upstream
* add sssd
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.171
retrieving revision 1.172
diff -u -p -r1.171 -r1.172
--- .cvsignore 20 Jun 2009 13:44:57 -0000 1.171
+++ .cvsignore 22 Jun 2009 22:27:57 -0000 1.172
@@ -173,3 +173,4 @@ serefpolicy-3.6.15.tgz
serefpolicy-3.6.16.tgz
serefpolicy-3.6.17.tgz
serefpolicy-3.6.18.tgz
+serefpolicy-3.6.19.tgz
policy-F12.patch:
Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -p -r1.15 -r1.16
--- policy-F12.patch 20 Jun 2009 13:59:00 -0000 1.15
+++ policy-F12.patch 22 Jun 2009 22:27:57 -0000 1.16
@@ -1,3 +1,14 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.6.18/Changelog
+--- nsaserefpolicy/Changelog 2009-06-22 17:07:19.000000000 -0400
++++ serefpolicy-3.6.18/Changelog 2009-06-20 06:26:58.000000000 -0400
+@@ -29,7 +29,6 @@
+ pingd (Dan Walsh)
+ psad (Dan Walsh)
+ portreserve (Dan Walsh)
+- sssd (Dan Walsh)
+ ulogd (Dan Walsh)
+ webadm (Dan Walsh)
+ xguest (Dan Walsh)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.18/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.18/config/appconfig-mcs/default_contexts 2009-06-20 06:49:47.000000000 -0400
@@ -742,13 +753,17 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization(readahead_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.18/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/admin/rpm.fc 2009-06-20 06:55:20.000000000 -0400
-@@ -9,9 +9,12 @@
- /usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
++++ serefpolicy-3.6.18/policy/modules/admin/rpm.fc 2009-06-22 16:05:55.000000000 -0400
+@@ -4,14 +4,12 @@
+ /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+-/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+
+
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
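Review bot: Removing the four `/usr/lib(64)?/rpm/rpm{d,q,k,v}` bin_t entries at the `+-` lines leaves those helpers with no label in rpm.fc, so unless they are re-added elsewhere they fall back to the generic /usr/lib label, which does not carry bin_t's executable semantics. The corecommands.fc header in this commit is touched a few seconds earlier, which suggests that is where the entries moved, but that hunk body is not shown here, so I cannot confirm it. A one-line comment next to the remaining rpm.fc entries, `# rpm helpers under /usr/lib(64)?/rpm are labeled in kernel/corecommands.fc`, would record the move, assuming that is indeed where they went.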
@@ -757,7 +772,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
-@@ -21,15 +24,22 @@
+@@ -21,15 +19,22 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -5380,7 +5395,7 @@ diff -b -B --ignore-all-space --exclude-
+corecmd_executable_file(wm_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.18/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/kernel/corecommands.fc 2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/kernel/corecommands.fc 2009-06-22 16:05:49.000000000 -0400
@@ -139,6 +139,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -5762,18 +5777,43 @@ diff -b -B --ignore-all-space --exclude-
type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.18/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/kernel/domain.if 2009-06-20 06:49:47.000000000 -0400
-@@ -65,7 +65,8 @@
- ')
-
- optional_policy(`
++++ serefpolicy-3.6.18/policy/modules/kernel/domain.if 2009-06-22 17:30:27.000000000 -0400
+@@ -44,34 +44,6 @@
+ interface(`domain_type',`
+ # start with basic domain
+ domain_base_type($1)
+-
+- ifdef(`distro_redhat',`
+- optional_policy(`
+- unconfined_use_fds($1)
+- ')
+- ')
+-
+- # send init a sigchld and signull
+- optional_policy(`
+- init_sigchld($1)
+- init_signull($1)
+- ')
+-
+- # these seem questionable:
+-
+- optional_policy(`
+- rpm_use_fds($1)
+- rpm_read_pipes($1)
+- ')
+-
+- optional_policy(`
- selinux_dontaudit_getattr_fs($1)
-+ selinux_getattr_fs($1)
-+ selinux_search_fs($1)
- selinux_dontaudit_read_fs($1)
- ')
+- selinux_dontaudit_read_fs($1)
+- ')
+-
+- optional_policy(`
+- seutil_dontaudit_read_config($1)
+- ')
+ ')
-@@ -1248,18 +1249,34 @@
+ ########################################
+@@ -1248,18 +1220,34 @@
## </summary>
## </param>
#
@@ -5811,7 +5851,7 @@ diff -b -B --ignore-all-space --exclude-
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
-@@ -1280,6 +1297,24 @@
+@@ -1280,6 +1268,24 @@
########################################
## <summary>
@@ -5838,7 +5878,7 @@ diff -b -B --ignore-all-space --exclude-
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.18/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/kernel/domain.te 2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/kernel/domain.te 2009-06-22 17:32:55.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -5909,11 +5949,34 @@ diff -b -B --ignore-all-space --exclude-
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +174,50 @@
+@@ -153,3 +174,73 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
+
++selinux_getattr_fs(domain)
++selinux_search_fs(domain)
++selinux_dontaudit_read_fs(domain)
++
++seutil_dontaudit_read_config(domain)
++
++init_sigchld(domain)
++init_signull(domain)
++
++ifdef(`distro_redhat',`
++ optional_policy(`
++ unconfined_use_fds(domain)
++ ')
++')
++
++# these seem questionable:
++
++optional_policy(`
++ rpm_use_fds(domain)
++ rpm_read_pipes(domain)
++')
++
++
+tunable_policy(`allow_domain_fd_use',`
+ # Allow all domains to use fds past to them
+ allow domain domain:fd use;
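Review bot: `init_sigchld(domain)`, `init_signull(domain)` and `seutil_dontaudit_read_config(domain)` are added to domain.te as unconditional calls, while the block they replace (removed from `domain_type` in the domain.if hunk above) wrapped each of them in `optional_policy()`; this links only while init and selinuxutil stay base modules, so either keep the `optional_policy()` wrappers or state that assumption in a comment. The `# these seem questionable:` remark is carried over verbatim above `rpm_use_fds(domain)`/`rpm_read_pipes(domain)`, which grant every type carrying the `domain` attribute use of rpm's file descriptors and pipes; a comment giving the reason that breadth is needed, or a TODO to narrow it, would serve a later reviewer better than the inherited remark. A short header such as `# Rules applied to every domain via the domain attribute; moved here from domain_type() in domain.if` would also explain why these sit in the .te rather than the interface.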
@@ -6512,7 +6575,7 @@ diff -b -B --ignore-all-space --exclude-
+permissive kernel_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.18/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/kernel/selinux.if 2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/kernel/selinux.if 2009-06-22 17:16:37.000000000 -0400
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -12744,8 +12807,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.18/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/devicekit.te 2009-06-20 06:49:47.000000000 -0400
-@@ -0,0 +1,235 @@
++++ serefpolicy-3.6.18/policy/modules/services/devicekit.te 2009-06-21 08:58:27.000000000 -0400
+@@ -0,0 +1,237 @@
+policy_module(devicekit,1.0.0)
+
+########################################
@@ -12893,6 +12956,7 @@ diff -b -B --ignore-all-space --exclude-
+
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
++allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
@@ -12945,6 +13009,7 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+optional_policy(`
++ polkit_dbus_chat(devicekit_disk_t)
+ polkit_domtrans_auth(devicekit_disk_t)
+ polkit_read_lib(devicekit_disk_t)
+ polkit_read_reload(devicekit_disk_t)
@@ -15087,6 +15152,27 @@ diff -b -B --ignore-all-space --exclude-
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.18/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te 2009-05-21 08:43:08.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/services/mysql.te 2009-06-22 17:04:01.000000000 -0400
+@@ -136,6 +136,8 @@
+
+ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+
++allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
++
+ allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+
+@@ -152,7 +154,7 @@
+
+ miscfiles_read_localization(mysqld_safe_t)
+
+-mysql_append_db_files(mysqld_safe_t)
++mysql_manage_db_files(mysqld_safe_t)
+ mysql_read_config(mysqld_safe_t)
+ mysql_search_pid_files(mysqld_safe_t)
+ mysql_write_log(mysqld_safe_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.18/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/nagios.fc 2009-06-20 06:49:47.000000000 -0400
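Review bot: `mysql_manage_db_files(mysqld_safe_t)` replaces `mysql_append_db_files(mysqld_safe_t)`, widening the wrapper-script domain from append-only to create/read/write/delete over the database files, and the new `allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;` adds removal of the socket; neither line records which mysqld_safe operation needs it, and the commit message does not say. Since mysqld_safe_t is the startup wrapper rather than the server domain, a comment on the line such as `# mysqld_safe removes a stale socket and <operation> on the db files at startup (bug <placeholder id>)` would let a later review judge whether the full manage set is really required. If only the stale-socket cleanup plus one specific file operation are needed, a narrower interface than manage may suffice; that cannot be decided from the hunk alone.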
@@ -22119,41 +22205,39 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.18/policy/modules/services/sssd.fc
---- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500
+--- nsaserefpolicy/policy/modules/services/sssd.fc 2009-06-22 17:07:19.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/sssd.fc 2009-06-20 06:49:47.000000000 -0400
-@@ -0,0 +1,6 @@
-+
-+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
-+
+@@ -1,6 +1,6 @@
+-/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+
+ /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
+-/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
-+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+ /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.18/policy/modules/services/sssd.if
---- nsaserefpolicy/policy/modules/services/sssd.if 1969-12-31 19:00:00.000000000 -0500
+--- nsaserefpolicy/policy/modules/services/sssd.if 2009-06-22 17:07:19.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/sssd.if 2009-06-20 06:49:47.000000000 -0400
-@@ -0,0 +1,249 @@
+@@ -1,4 +1,5 @@
+-## <summary>System Security Services Daemon</summary>
+
+## <summary>policy for sssd</summary>
-+
-+########################################
-+## <summary>
-+## Execute a domain transition to run sssd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`sssd_domtrans',`
-+ gen_require(`
+
+ ########################################
+ ## <summary>
+@@ -12,12 +13,32 @@
+ #
+ interface(`sssd_domtrans',`
+ gen_require(`
+- type sssd_t, sssd_exec_t;
+ type sssd_t;
+ type sssd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,sssd_exec_t,sssd_t)
-+')
-+
+ ')
+
+ domtrans_pattern($1, sssd_exec_t, sssd_t)
+ ')
+
+
+########################################
+## <summary>
@@ -22173,106 +22257,32 @@ diff -b -B --ignore-all-space --exclude-
+ init_labeled_script_domtrans($1,sssd_initrc_exec_t)
+')
+
-+########################################
-+## <summary>
-+## Read sssd PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`sssd_read_pid_files',`
-+ gen_require(`
-+ type sssd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 sssd_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Manage sssd var_run files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ########################################
+ ## <summary>
+ ## Read sssd PID files.
+@@ -47,15 +68,17 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`sssd_manage_pids',`
+interface(`sssd_manage_var_run',`
-+ gen_require(`
-+ type sssd_var_run_t;
-+ ')
-+
-+ manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t)
-+ manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
+ gen_require(`
+ type sssd_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Search sssd lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`sssd_search_lib',`
-+ gen_require(`
-+ type sssd_var_lib_t;
-+ ')
-+
-+ allow $1 sssd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+## Read sssd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`sssd_read_lib_files',`
-+ gen_require(`
-+ type sssd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Create, read, write, and delete
-+## sssd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`sssd_manage_lib_files',`
-+ gen_require(`
-+ type sssd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
-+')
+ ')
+
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+ ## Search sssd lib directories.
+@@ -116,6 +139,27 @@
+
+ ########################################
+ ## <summary>
+## Manage sssd var_lib files.
+## </summary>
+## <param name="domain">
@@ -22294,125 +22304,58 @@ diff -b -B --ignore-all-space --exclude-
+
+########################################
+## <summary>
-+## Send and receive messages from
-+## sssd over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`sssd_dbus_chat',`
-+ gen_require(`
-+ type sssd_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 sssd_t:dbus send_msg;
-+ allow sssd_t $1:dbus send_msg;
-+')
-+
-+
-+########################################
-+## <summary>
-+## Connect to sssd over an unix stream socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`sssd_stream_connect',`
-+ gen_require(`
-+ type sssd_t, sssd_var_lib_t;
-+ ')
-+
-+ files_search_pids($1)
+ ## Send and receive messages from
+ ## sssd over dbus.
+ ## </summary>
+@@ -151,7 +196,8 @@
+ ')
+
+ files_search_pids($1)
+- stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
+ write_sock_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ allow $1 sssd_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an sssd environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed to manage the sssd domain.
-+## </summary>
-+## </param>
-+## <param name="terminal">
-+## <summary>
-+## The type of the user terminal.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`sssd_admin',`
-+ gen_require(`
-+ type sssd_t;
-+ ')
-+
-+ allow $1 sssd_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, sssd_t, sssd_t)
-+
-+
-+ gen_require(`
-+ type sssd_initrc_exec_t;
-+ ')
-+
-+ # Allow sssd_t to restart the apache service
-+ sssd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 sssd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
+ ')
+
+ ########################################
+@@ -194,7 +241,9 @@
+ role_transition $2 sssd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- sssd_manage_pids($1)
+ sssd_manage_var_run($1)
+
+ sssd_manage_var_lib($1)
-+
-+')
+
+- sssd_manage_lib_files($1)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.18/policy/modules/services/sssd.te
---- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500
+--- nsaserefpolicy/policy/modules/services/sssd.te 2009-06-22 17:07:19.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/sssd.te 2009-06-20 06:49:47.000000000 -0400
-@@ -0,0 +1,74 @@
-+policy_module(sssd,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type sssd_t;
-+type sssd_exec_t;
-+init_daemon_domain(sssd_t, sssd_exec_t)
-+
+@@ -10,43 +9,54 @@
+ type sssd_exec_t;
+ init_daemon_domain(sssd_t, sssd_exec_t)
+
+permissive sssd_t;
+
-+type sssd_initrc_exec_t;
-+init_script_file(sssd_initrc_exec_t)
-+
-+type sssd_var_run_t;
-+files_pid_file(sssd_var_run_t)
-+
+ type sssd_initrc_exec_t;
+ init_script_file(sssd_initrc_exec_t)
+
+-type sssd_var_lib_t;
+-files_type(sssd_var_lib_t)
+-
+ type sssd_var_run_t;
+ files_pid_file(sssd_var_run_t)
+
+type sssd_var_lib_t;
+files_type(sssd_var_lib_t)
+
-+########################################
-+#
-+# sssd local policy
-+#
-+allow sssd_t self:capability { sys_nice setuid };
-+allow sssd_t self:process { setsched signal getsched };
+ ########################################
+ #
+ # sssd local policy
+ #
+ allow sssd_t self:capability { sys_nice setuid };
+ allow sssd_t self:process { setsched signal getsched };
+allow sssd_t tmp_t:dir { read getattr open };
+
+# Init script handling
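Review bot: `allow sssd_t tmp_t:dir { read getattr open };` in the sssd.te part of this hunk (still carried by the patch) references another module's type directly instead of going through an interface, and `files_list_tmp(sssd_t)`, visible as a context line in the next hunk, already grants directory listing on tmp_t, so the line can be dropped. `permissive sssd_t;` is likewise kept, which makes the new domain audit-only: denials are logged but not enforced, so it needs a tracked removal before sssd counts as confined, and a comment such as `# permissive while the sssd policy is being developed; remove before <placeholder release>` would make that explicit. In `sssd_stream_connect`, `files_search_pids($1)` precedes the `write_sock_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)` line, but sssd.fc in this same commit labels `/var/lib/sss(/.*)?` as sssd_var_lib_t, so callers likely also need `files_search_var_lib($1)` to reach the socket directory.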
@@ -22420,45 +22363,39 @@ diff -b -B --ignore-all-space --exclude-
+
+# internal communication is often done using fifo and unix sockets.
+allow sssd_t self:process signal;
-+allow sssd_t self:fifo_file rw_file_perms;
-+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+
-+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-+files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir })
-+
+ allow sssd_t self:fifo_file rw_file_perms;
+ allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+-manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+-manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+-manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+-
+ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+
+-kernel_read_system_state(sssd_t)
+manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
-+
-+corecmd_exec_bin(sssd_t)
-+
-+dev_read_urand(sssd_t)
-+
+
+ corecmd_exec_bin(sssd_t)
+
+ dev_read_urand(sssd_t)
+
+kernel_read_system_state(sssd_t)
+
-+files_list_tmp(sssd_t)
-+files_read_etc_files(sssd_t)
-+files_read_usr_files(sssd_t)
-+
+ files_list_tmp(sssd_t)
+ files_read_etc_files(sssd_t)
+ files_read_usr_files(sssd_t)
+
+fs_list_inotifyfs(sssd_t)
+
-+auth_use_nsswitch(sssd_t)
-+auth_domtrans_chk_passwd(sssd_t)
-+auth_domtrans_upd_passwd(sssd_t)
-+
-+init_read_utmp(sssd_t)
-+
-+logging_send_syslog_msg(sssd_t)
-+logging_send_audit_msgs(sssd_t)
-+
-+miscfiles_read_localization(sssd_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(sssd_t)
-+ dbus_connect_system_bus(sssd_t)
-+')
+ auth_use_nsswitch(sssd_t)
+ auth_domtrans_chk_passwd(sssd_t)
+ auth_domtrans_upd_passwd(sssd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.18/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/uucp.te 2009-06-20 06:49:47.000000000 -0400
@@ -23036,7 +22973,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.18/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/virt.te 2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/services/virt.te 2009-06-22 18:01:06.000000000 -0400
@@ -8,19 +8,38 @@
## <desc>
@@ -23248,9 +23185,8 @@ diff -b -B --ignore-all-space --exclude-
+optional_policy(`
+ kerberos_keytab_template(virtd, virtd_t)
+')
-
- optional_policy(`
-- qemu_domtrans(virtd_t)
++
++optional_policy(`
+ lvm_domtrans(virtd_t)
+')
+
@@ -23259,8 +23195,9 @@ diff -b -B --ignore-all-space --exclude-
+ polkit_domtrans_resolve(virtd_t)
+ polkit_read_lib(virtd_t)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- qemu_domtrans(virtd_t)
+ qemu_spec_domtrans(virtd_t, svirt_t)
qemu_read_state(virtd_t)
qemu_signal(virtd_t)
@@ -23269,7 +23206,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -195,8 +287,92 @@
+@@ -195,8 +287,94 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -23302,6 +23239,8 @@ diff -b -B --ignore-all-space --exclude-
+manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
+files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })
+
++read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
++
+allow svirt_t svirt_image_t:dir search_dir_perms;
+manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
@@ -26536,7 +26475,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.18/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/system/logging.te 2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/system/logging.te 2009-06-22 13:05:34.000000000 -0400
@@ -126,7 +126,7 @@
allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file rw_file_perms;
@@ -28368,7 +28307,7 @@ diff -b -B --ignore-all-space --exclude-
/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.18/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/system/udev.te 2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/system/udev.te 2009-06-22 13:05:54.000000000 -0400
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -28377,7 +28316,15 @@ diff -b -B --ignore-all-space --exclude-
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -140,6 +141,7 @@
+@@ -111,6 +112,7 @@
+
+ fs_getattr_all_fs(udev_t)
+ fs_list_inotifyfs(udev_t)
++fs_rw_anon_inodefs_files(udev_t)
+
+ mcs_ptrace_all(udev_t)
+
+@@ -140,6 +142,7 @@
logging_send_audit_msgs(udev_t)
miscfiles_read_localization(udev_t)
@@ -28385,7 +28332,7 @@ diff -b -B --ignore-all-space --exclude-
modutils_domtrans_insmod(udev_t)
# read modules.inputmap:
-@@ -182,9 +184,11 @@
+@@ -182,9 +185,11 @@
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
@@ -28400,7 +28347,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -194,6 +198,10 @@
+@@ -194,6 +199,10 @@
')
optional_policy(`
@@ -28411,7 +28358,7 @@ diff -b -B --ignore-all-space --exclude-
brctl_domtrans(udev_t)
')
-@@ -202,6 +210,10 @@
+@@ -202,6 +211,10 @@
')
optional_policy(`
@@ -28422,7 +28369,7 @@ diff -b -B --ignore-all-space --exclude-
consoletype_exec(udev_t)
')
-@@ -210,6 +222,11 @@
+@@ -210,6 +223,11 @@
')
optional_policy(`
@@ -28434,7 +28381,7 @@ diff -b -B --ignore-all-space --exclude-
lvm_domtrans(udev_t)
')
-@@ -219,6 +236,7 @@
+@@ -219,6 +237,7 @@
optional_policy(`
hal_dgram_send(udev_t)
@@ -28442,7 +28389,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -228,6 +246,10 @@
+@@ -228,6 +247,10 @@
')
optional_policy(`
@@ -28453,7 +28400,7 @@ diff -b -B --ignore-all-space --exclude-
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -242,6 +264,10 @@
+@@ -242,6 +265,10 @@
')
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.868
retrieving revision 1.869
diff -u -p -r1.868 -r1.869
--- selinux-policy.spec 20 Jun 2009 13:44:58 -0000 1.868
+++ selinux-policy.spec 22 Jun 2009 22:27:57 -0000 1.869
@@ -19,7 +19,7 @@
%define CHECKPOLICYVER 2.0.16-3
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.6.18
+Version: 3.6.19
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
@@ -183,7 +183,7 @@ fi;
%description
SELinux Reference Policy - modular.
-Based off of reference policy: Checked out revision 3000.
+Based off of reference policy: Checked out revision 3002.
%build
@@ -473,6 +473,10 @@ exit 0
%endif
%changelog
+* Sat Jun 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.19-1
+- Update to upstream
+ * add sssd
+
* Sat Jun 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.18-1
- Update to upstream
* cleanup
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/sources,v
retrieving revision 1.191
retrieving revision 1.192
diff -u -p -r1.191 -r1.192
--- sources 20 Jun 2009 13:44:58 -0000 1.191
+++ sources 22 Jun 2009 22:27:58 -0000 1.192
@@ -1 +1 @@
-2513cf1675a62086dbd60387d6a74861 serefpolicy-3.6.18.tgz
+c0dc13f604297fb85fc945cffae899e0 serefpolicy-3.6.19.tgz