rpms/selinux-policy/devel modules-targeted.conf, 1.130, 1.131 policy-F12.patch, 1.17, 1.18 selinux-policy.spec, 1.870, 1.871

Daniel J Walsh dwalsh at fedoraproject.org
Wed Jun 24 13:15:57 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21841

Modified Files:
	modules-targeted.conf policy-F12.patch selinux-policy.spec 
Log Message:
* Tue Jun 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.19-3
- Allow kpropd to create tmp files



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.130
retrieving revision 1.131
diff -u -p -r1.130 -r1.131
--- modules-targeted.conf	20 Jun 2009 13:44:57 -0000	1.130
+++ modules-targeted.conf	24 Jun 2009 13:15:55 -0000	1.131
@@ -836,6 +836,13 @@ mount = base
 # 
 mozilla = module
 
+# Layer: services
+# Module: nslcd
+#
+# Policy for nslcd
+# 
+nslcd = module
+
 # Layer: apps
 # Module: nsplugin
 #
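Review bot: Enabling `nslcd = module` in the targeted module set is not reflected in the changelog, which only names the kpropd tmp change, so the package history will not show that a new confined service domain ships in 3.6.19-3. I would add a changelog line such as `- Add nslcd policy module to the targeted policy`. The nslcd .te/.fc/.if files do not appear in any hunk shown here, so it is worth confirming they exist in the serefpolicy tarball or elsewhere in policy-F12.patch before this entry goes in, otherwise the module build fails on it.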

policy-F12.patch:

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -p -r1.17 -r1.18
--- policy-F12.patch	23 Jun 2009 13:23:52 -0000	1.17
+++ policy-F12.patch	24 Jun 2009 13:15:55 -0000	1.18
@@ -2832,7 +2832,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.18/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/apps/mozilla.te	2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/apps/mozilla.te	2009-06-24 08:35:55.000000000 -0400
 @@ -105,6 +105,7 @@
  # Should not need other ports
  corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
@@ -2849,7 +2849,15 @@ diff -b -B --ignore-all-space --exclude-
  
  logging_send_syslog_msg(mozilla_t)
  
-@@ -243,6 +245,8 @@
+@@ -143,6 +145,7 @@
+ userdom_manage_user_tmp_dirs(mozilla_t)
+ userdom_manage_user_tmp_files(mozilla_t)
+ userdom_manage_user_tmp_sockets(mozilla_t)
++userdom_use_user_ptys(mozilla_t)
+ 
+ xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+@@ -243,6 +246,8 @@
  
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
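Review bot: `++userdom_use_user_ptys(mozilla_t)` gives the browser domain read/write on the user's pty without a comment saying which operation needs it; a terminal is a sensitive channel for a confined application, and refpolicy normally reaches for `userdom_dontaudit_use_user_ptys` when the access is only probed rather than required. Either record the motivating denial next to the rule, e.g. `# mozilla_t needs the user pty for <TODO: use case or AVC>`, or use the dontaudit form if nothing actually breaks without the allow. The mozilla_t policy block this inner hunk edits continues outside the hunk.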
@@ -2858,7 +2866,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -263,5 +267,10 @@
+@@ -263,5 +268,10 @@
  ')
  
  optional_policy(`
@@ -14343,7 +14351,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.18/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/services/kerberos.te	2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/services/kerberos.te	2009-06-23 16:51:48.000000000 -0400
 @@ -33,6 +33,7 @@
  type kpropd_t;
  type kpropd_exec_t;
@@ -14362,13 +14370,17 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # kadmind local policy
-@@ -281,7 +285,9 @@
+@@ -281,7 +285,13 @@
  
  allow kpropd_t krb5_keytab_t:file read_file_perms;
  
 +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
  manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
 +filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
++
++manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
++manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
++files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
  
  corecmd_exec_bin(kpropd_t)
  
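Review bot: The three new kpropd_t rules reuse the KDC's own scratch label `krb5kdc_tmp_t`, so kpropd_t now has full create/read/write/delete rights over every temporary file and directory krb5kdc_t makes under /tmp, not only its own; unless kpropd has to exchange files with the KDC, a dedicated `kpropd_tmp_t` declared via `files_tmp_file` would keep the two domains' tmp space separate. The block also carries no comment; `# kpropd writes scratch files under /tmp — TODO: note the triggering denial` would record the reason for the next reader. This assumes `krb5kdc_tmp_t` is already declared with `files_tmp_file` earlier in kerberos.te, which lies outside the hunk.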
@@ -16949,8 +16961,8 @@ diff -b -B --ignore-all-space --exclude-
 +/var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:polkit_reload_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.18/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/polkit.if	2009-06-20 06:49:47.000000000 -0400
-@@ -0,0 +1,241 @@
++++ serefpolicy-3.6.18/policy/modules/services/polkit.if	2009-06-24 08:29:05.000000000 -0400
+@@ -0,0 +1,242 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@@ -17170,6 +17182,7 @@ diff -b -B --ignore-all-space --exclude-
 +	polkit_run_grant($2, $1)
 +	polkit_read_lib($2)
 +	polkit_read_reload($2)
++	polkit_dbus_chat($2)
 +')
 +
 +########################################
@@ -23396,7 +23409,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.18/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/xserver.if	2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/services/xserver.if	2009-06-24 08:47:55.000000000 -0400
 @@ -90,7 +90,7 @@
  	allow $2 xauth_home_t:file manage_file_perms;
  	allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -23689,7 +23702,7 @@ diff -b -B --ignore-all-space --exclude-
  	domtrans_pattern($1, xserver_exec_t, xserver_t)
  ')
  
-@@ -1159,6 +1263,275 @@
+@@ -1159,6 +1263,276 @@
  
  ########################################
  ## <summary>
@@ -23859,6 +23872,7 @@ diff -b -B --ignore-all-space --exclude-
 +	xserver_read_xdm_tmp_files($1)
 +	xserver_xdm_stream_connect($1)
 +	xserver_setattr_xdm_tmp_dirs($1)
++	xserver_read_xdm_pid($1)
 +
 +	allow $1 xdm_t:x_client { getattr destroy };
 +	allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
@@ -23965,7 +23979,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1172,7 +1545,103 @@
+@@ -1172,7 +1546,103 @@
  interface(`xserver_unconfined',`
  	gen_require(`
  		attribute xserver_unconfined_type;
@@ -29177,7 +29191,7 @@ diff -b -B --ignore-all-space --exclude-
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.18/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/system/userdomain.if	2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/system/userdomain.if	2009-06-24 08:35:26.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -30100,19 +30114,29 @@ diff -b -B --ignore-all-space --exclude-
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +961,33 @@
+@@ -899,28 +961,43 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
 -		alsa_read_rw_config($1_t)
 +		alsa_read_rw_config($1_usertype)
++	')
++
++	optional_policy(`
++		apache_role($1_r, $1_usertype)
++	')
++
++	optional_policy(`
++		devicekit_dbus_chat($1_usertype)
++		devicekit_power_dbus_chat($1_usertype)
++		devicekit_disk_dbus_chat($1_usertype)
  	')
  
  	optional_policy(`
 -		dbus_role_template($1, $1_r, $1_t)
 -		dbus_system_bus_client($1_t)
-+		apache_role($1_r, $1_usertype)
-+	')
++		gnomeclock_dbus_chat($1_t)
++	')	  
  
  		optional_policy(`
 -			consolekit_dbus_chat($1_t)
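Review bot: `++		gnomeclock_dbus_chat($1_t)` targets `$1_t` while the new devicekit block directly above it and the rewritten alsa line use `$1_usertype`, which is the attribute this patch is migrating the template onto; unless gnomeclock access is deliberately limited to the base type, it should read `gnomeclock_dbus_chat($1_usertype)` so derived user types receive it as well. The closing `')` of that optional_policy block also carries a trailing tab and spaces (`')	  `) that should be trimmed. The template this hunk edits begins and ends outside the hunk.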
@@ -30141,7 +30165,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -954,8 +1021,8 @@
+@@ -954,8 +1031,8 @@
  	# Declarations
  	#
  
@@ -30151,7 +30175,7 @@ diff -b -B --ignore-all-space --exclude-
  	userdom_common_user_template($1)
  
  	##############################
-@@ -964,11 +1031,12 @@
+@@ -964,11 +1041,12 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -30166,7 +30190,7 @@ diff -b -B --ignore-all-space --exclude-
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -986,37 +1054,55 @@
+@@ -986,37 +1064,55 @@
  		')
  	')
  
@@ -30236,7 +30260,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -1050,7 +1136,7 @@
+@@ -1050,7 +1146,7 @@
  #
  template(`userdom_admin_user_template',`
  	gen_require(`
@@ -30245,7 +30269,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	##############################
-@@ -1059,8 +1145,7 @@
+@@ -1059,8 +1155,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -30255,7 +30279,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1083,7 +1168,8 @@
+@@ -1083,7 +1178,8 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -30265,7 +30289,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1099,6 +1185,7 @@
+@@ -1099,6 +1195,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -30273,7 +30297,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,8 +1193,6 @@
+@@ -1106,8 +1203,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -30282,7 +30306,7 @@ diff -b -B --ignore-all-space --exclude-
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1247,6 @@
+@@ -1162,20 +1257,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -30303,7 +30327,7 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1221,6 +1292,7 @@
+@@ -1221,6 +1302,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -30311,7 +30335,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1286,11 +1358,15 @@
+@@ -1286,11 +1368,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -30327,7 +30351,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1387,7 +1463,7 @@
+@@ -1387,7 +1473,7 @@
  
  ########################################
  ## <summary>
@@ -30336,7 +30360,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1420,6 +1496,14 @@
+@@ -1420,6 +1506,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -30351,7 +30375,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1435,9 +1519,11 @@
+@@ -1435,9 +1529,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -30363,7 +30387,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1494,6 +1580,25 @@
+@@ -1494,6 +1590,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -30389,7 +30413,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1568,6 +1673,8 @@
+@@ -1568,6 +1683,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -30398,7 +30422,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1643,6 +1750,7 @@
+@@ -1643,6 +1760,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -30406,7 +30430,7 @@ diff -b -B --ignore-all-space --exclude-
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1741,30 +1849,80 @@
+@@ -1741,30 +1859,80 @@
  
  ########################################
  ## <summary>
@@ -30497,7 +30521,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1787,6 +1945,46 @@
+@@ -1787,6 +1955,46 @@
  
  ########################################
  ## <summary>
@@ -30544,7 +30568,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Create, read, write, and delete files
  ##	in a user home subdirectory.
  ## </summary>
-@@ -1799,6 +1997,7 @@
+@@ -1799,6 +2007,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -30552,7 +30576,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2328,7 +2527,7 @@
+@@ -2328,7 +2537,7 @@
  
  ########################################
  ## <summary>
@@ -30561,7 +30585,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2682,16 +2881,17 @@
+@@ -2682,11 +2891,32 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -30573,35 +30597,11 @@ diff -b -B --ignore-all-space --exclude-
  	files_list_home($1)
 -	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
 +	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Send general signals to unprivileged user domains.
-+##	List users home directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2699,12 +2899,32 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_signal_unpriv_users',`
-+interface(`userdom_list_user_home_content',`
- 	gen_require(`
--		attribute unpriv_userdomain;
-+		type user_home_dir_t;
-+		attribute user_home_type;
- 	')
- 
--	allow $1 unpriv_userdomain:process signal;
-+	files_list_home($1)
-+	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Send general signals to unprivileged user domains.
++##	List users home directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -30609,16 +30609,18 @@ diff -b -B --ignore-all-space --exclude-
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_signal_unpriv_users',`
++interface(`userdom_list_user_home_content',`
 +	gen_require(`
-+		attribute unpriv_userdomain;
++		type user_home_dir_t;
++		attribute user_home_type;
 +	')
 +
-+	allow $1 unpriv_userdomain:process signal;
++	files_list_home($1)
++	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
  ')
  
  ########################################
-@@ -2814,7 +3034,25 @@
+@@ -2814,7 +3044,25 @@
  		type user_tmp_t;
  	')
  
@@ -30645,7 +30647,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2851,6 +3089,7 @@
+@@ -2851,6 +3099,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -30653,7 +30655,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_search_proc($1)
  ')
  
-@@ -2981,3 +3220,481 @@
+@@ -2981,3 +3230,481 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.870
retrieving revision 1.871
diff -u -p -r1.870 -r1.871
--- selinux-policy.spec	23 Jun 2009 13:23:52 -0000	1.870
+++ selinux-policy.spec	24 Jun 2009 13:15:55 -0000	1.871
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.19
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -295,7 +295,7 @@ Summary: SELinux targeted base policy
 Provides: selinux-policy-base
 Group: System Environment/Base
 Obsoletes: selinux-policy-targeted-sources < 2
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}
 Conflicts:  audispd-plugins <= 1.7.7-1
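Review bot: Changing `Requires(pre)` from `policycoreutils` to `policycoreutils-python` here, and likewise in the three following hunks for the minimum, olpc and mls subpackages, is not mentioned in the changelog, and it pulls the python stack onto every system that installs the policy, including the minimum variant. If the %pre/%post scriptlets now depend on a python-based tool from that subpackage, say so in the changelog, e.g. `- Require policycoreutils-python for the pre/post scriptlets`; if they do not, the narrower `policycoreutils` dependency should stay.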
@@ -381,7 +381,7 @@ exit 0
 Summary: SELinux minimum base policy
 Provides: selinux-policy-base
 Group: System Environment/Base
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}
 
@@ -415,7 +415,7 @@ exit 0
 Summary: SELinux olpc base policy
 Group: System Environment/Base
 Provides: selinux-policy-base
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}
 
@@ -446,7 +446,7 @@ Group: System Environment/Base
 Provides: selinux-policy-base
 Obsoletes: selinux-policy-mls-sources < 2
 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}
 
@@ -473,6 +473,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Jun 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.19-3
+- Allow kpropd to create tmp files
+
 * Tue Jun 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.19-2
 - Fix last duplicate /var/log/rpmpkgs
 



