rpms/selinux-policy/F-11 policy-20090521.patch,1.20,1.21
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Jun 24 20:45:36 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6827
Modified Files:
policy-20090521.patch
Log Message:
* Wed Jun 24 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-59
- Fix up xguest policy
policy-20090521.patch:
Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -p -r1.20 -r1.21
--- policy-20090521.patch 24 Jun 2009 13:11:58 -0000 1.20
+++ policy-20090521.patch 24 Jun 2009 20:45:35 -0000 1.21
@@ -38,6 +38,25 @@ diff -b -B --ignore-all-space --exclude-
( h1 dom h2 );
') dnl end enable_mcs
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.12/policy/modules/admin/certwatch.te
+--- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/certwatch.te 2009-06-24 09:13:00.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(certwatch, 1.3.0)
++policy_module(certwatch, 1.3.1)
+
+ ########################################
+ #
+@@ -28,7 +28,7 @@
+ fs_list_inotifyfs(certwatch_t)
+
+ auth_manage_cache(certwatch_t)
+-auth_filetrans_cache(certwatch_t)
++auth_var_filetrans_cache(certwatch_t)
+
+ logging_send_syslog_msg(certwatch_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-06-15 08:33:15.000000000 -0400
@@ -1232,7 +1251,7 @@ diff -b -B --ignore-all-space --exclude-
## Read and write the controlling
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-06-01 08:41:46.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-06-24 09:17:25.000000000 -0400
@@ -44,6 +44,10 @@
')
@@ -1244,9 +1263,65 @@ diff -b -B --ignore-all-space --exclude-
secadm_role_change(staff_r)
')
+@@ -95,6 +99,10 @@
+ ')
+
+ optional_policy(`
++ sandbox_transition(staff_t, staff_r)
++')
++
++optional_policy(`
+ screen_manage_var_run(staff_t)
+ ')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if
+--- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if 2009-06-24 09:17:15.000000000 -0400
+@@ -116,6 +116,41 @@
+
+ ########################################
+ ## <summary>
++## Allow sysadm to execute all entrypoint files in
++## a specified domain. This is an explicit transition,
++## requiring the caller to use setexeccon().
++## </summary>
++## <desc>
++## <p>
++## Allow sysadm to execute all entrypoint files in
++## a specified domain. This is an explicit transition,
++## requiring the caller to use setexeccon().
++## </p>
++## <p>
++## This is a interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`sysadm_entry_spec_domtrans_to',`
++ gen_require(`
++ type sysadm_t;
++ ')
++
++ domain_entry_file_spec_domtrans(sysadm_t, $1)
++ allow $1 sysadm_t:fd use;
++ allow $1 sysadm_t:fifo_file rw_file_perms;
++ allow $1 sysadm_t:process sigchld;
++')
++
++########################################
++## <summary>
+ ## Allow sysadm to execute a generic bin program in
+ ## a specified domain. This is an explicit transition,
+ ## requiring the caller to use setexeccon().
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-05-21 15:11:07.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-06-24 09:17:38.000000000 -0400
@@ -334,6 +334,10 @@
')
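Review bot: The `<param name="domain">` text for the new `sysadm_entry_spec_domtrans_to` interface says "Domain allowed access.", but the body passes `$1` as the target of `domain_entry_file_spec_domtrans(sysadm_t, $1)` and gives `$1` use of sysadm_t's fds and fifos, so `$1` is the domain sysadm_t enters, not the one gaining access. Change the param summary to `## Domain to execute in.` so callers do not pass the wrong type. The `<desc>` paragraph repeats the `<summary>` word for word and can be trimmed. "This is a interface" should read `## This is an interface to support third party modules`. Since the summary says sysadm_t may execute all entrypoint files of `$1`, it is also worth one sentence in the description on which callers are expected to use it.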
@@ -1260,7 +1335,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-06-15 15:37:33.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-06-24 09:16:27.000000000 -0400
@@ -52,6 +52,8 @@
init_system_domain(unconfined_execmem_t, execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
@@ -1281,6 +1356,28 @@ diff -b -B --ignore-all-space --exclude-
qemu_role_notrans(unconfined_r, unconfined_t)
qemu_unconfined_role(unconfined_r)
+@@ -277,7 +283,7 @@
+ ')
+
+ optional_policy(`
+- sandbox_run(unconfined_t, unconfined_r)
++ sandbox_transition(unconfined_t, unconfined_r)
+ ')
+
+ optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te
+--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te 2009-06-24 09:16:51.000000000 -0400
+@@ -22,5 +22,9 @@
+ ')
+
+ optional_policy(`
++ sandbox_transition(user_t, user_r)
++')
++
++optional_policy(`
+ setroubleshoot_dontaudit_stream_connect(user_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-05-26 15:13:01.000000000 -0400
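Review bot: The swap of `sandbox_run(unconfined_t, unconfined_r)` for `sandbox_transition(unconfined_t, unconfined_r)` and the new `sandbox_transition(user_t, user_r)` block have no comment. The same call is added for `staff_t` in the staff.te hunk above, while the log message names only xguest. The definition of `sandbox_transition` is not in the visible hunks, so what it grants compared with `sandbox_run` cannot be checked from here. Put a one-line comment above each call, for example `# allow this user domain to transition into sandbox domains`, with the wording confirmed against the interface. The changelog entry should also say that the sandbox transition is now granted to the staff, user and unconfined roles.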
@@ -1917,8 +2014,16 @@ diff -b -B --ignore-all-space --exclude-
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/polkit.if 2009-06-24 08:28:38.000000000 -0400
-@@ -217,6 +217,7 @@
++++ serefpolicy-3.6.12/policy/modules/services/polkit.if 2009-06-24 16:24:18.000000000 -0400
+@@ -194,6 +195,7 @@
+
+ polkit_domtrans_auth($1)
+ role $2 types polkit_auth_t;
++ polkit_dbus_chat($1)
+ ')
+
+ #######################################
+@@ -217,6 +219,7 @@
polkit_run_grant($2, $1)
polkit_read_lib($2)
polkit_read_reload($2)
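Review bot: `polkit_dbus_chat($1)` is added inside an existing interface body, so every domain that already calls that interface gains the extra permission (presumably D-Bus messaging with polkit, judging by the name), not only the xguest case named in the log. The interface header and its `## <summary>` start outside the hunk, so its name and documented contract cannot be checked here. If the summary describes only the domain transition and the `role $2 types polkit_auth_t;` grant, extend it, for example `## and allow the domain to exchange D-Bus messages with polkit.`. If only some callers need the D-Bus access, calling `polkit_dbus_chat` from those callers would keep the interface narrower.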