rpms/selinux-policy/F-11 policy-20090521.patch, 1.23, 1.24 selinux-policy.spec, 1.880, 1.881
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jun 29 14:47:19 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv318
Modified Files:
policy-20090521.patch selinux-policy.spec
Log Message:
- Allow avahi net_admin capability
policy-20090521.patch:
Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -p -r1.23 -r1.24
--- policy-20090521.patch 25 Jun 2009 09:18:40 -0000 1.23
+++ policy-20090521.patch 29 Jun 2009 14:46:48 -0000 1.24
@@ -580,6 +580,17 @@ diff -b -B --ignore-all-space --exclude-
+optional_policy(`
+ ssh_rw_pipes(gitosis_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if
+--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if 2009-06-26 15:48:23.000000000 +0200
+@@ -64,6 +64,7 @@
+
+ allow $1 mozilla_home_t:dir list_dir_perms;
+ allow $1 mozilla_home_t:file read_file_perms;
++ allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te 2009-06-25 10:21:01.000000000 +0200
@@ -1403,7 +1414,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-26 15:48:29.000000000 +0200
@@ -91,6 +91,9 @@
kernel_read_proc_symlinks(domain)
kernel_read_crypto_sysctls(domain)
@@ -1466,9 +1477,11 @@ diff -b -B --ignore-all-space --exclude-
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -186,6 +209,7 @@
+@@ -185,7 +208,9 @@
+
ifdef(`hide_broken_symptoms',`
fs_list_inotifyfs(domain)
++ dontaudit domain self:udp_socket listen;
allow domain domain:key { link search };
+ dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
')
@@ -1711,6 +1724,18 @@ diff -b -B --ignore-all-space --exclude-
## Execute automount in the caller domain.
## </summary>
## <param name="domain">
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te
+--- nsaserefpolicy/policy/modules/services/avahi.te 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/avahi.te 2009-06-29 13:28:59.000000000 +0200
+@@ -24,7 +24,7 @@
+ # Local policy
+ #
+
+-allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
++allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin setuid sys_chroot };
+ dontaudit avahi_t self:capability sys_tty_config;
+ allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+ allow avahi_t self:fifo_file rw_fifo_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te 2009-06-25 10:21:01.000000000 +0200
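Review bot: `net_admin` is added to the avahi_t capability set in the avahi.te hunk with no record of which operation needed it, and CAP_NET_ADMIN covers interface and routing configuration, firewall manipulation and privileged socket options, far more than a multicast-UDP mDNS responder should hold, so a compromise of avahi-daemon now reaches network configuration. If the denied operation is one the daemon tolerates failing (an optional setsockopt/ioctl it retries without), the safer rule is `dontaudit avahi_t self:capability net_admin;` in place of the allow. If the capability is genuinely required, keep the allow but put a comment above it naming the call that triggered the AVC denial, e.g. `# net_admin: required for <operation from the denial>`, since the changelog entry at the bottom of the page is the only description and does not say.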
@@ -1909,6 +1934,18 @@ diff -b -B --ignore-all-space --exclude-
tftp_read_content(dnsmasq_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.12/policy/modules/services/fetchmail.te
+--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/fetchmail.te 2009-06-29 16:22:53.000000000 +0200
+@@ -60,6 +60,8 @@
+ corenet_tcp_connect_all_ports(fetchmail_t)
+ corenet_sendrecv_all_client_packets(fetchmail_t)
+
++corecmd_exec_shell(fetchmail_t)
++
+ dev_read_sysfs(fetchmail_t)
+ dev_read_rand(fetchmail_t)
+ dev_read_urand(fetchmail_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-06-25 10:21:01.000000000 +0200
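Review bot: `corecmd_exec_shell(fetchmail_t)` lets fetchmail run a shell inside its own domain with no transition, so whatever that shell executes inherits fetchmail_t's access, including `corenet_tcp_connect_all_ports` two lines above it; if this is for user-configured delivery or hook commands from .fetchmailrc, a user-controlled command line now runs with the daemon's full network reach. Consider gating the rule behind a boolean or transitioning to a separate domain, and at minimum document the purpose above the line: `# shell for user-configured mda/preconnect/postconnect commands; runs in fetchmail_t`. The rest of the fetchmail_t local policy lies outside the hunk.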
@@ -1943,8 +1980,18 @@ diff -b -B --ignore-all-space --exclude-
permissive fprintd_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-06-25 10:21:01.000000000 +0200
-@@ -129,8 +129,7 @@
++++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-06-29 16:23:40.000000000 +0200
+@@ -91,6 +91,9 @@
+ #
+
+ allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
++ifdef(`hide_broken_symptoms', `
++allow ftpd_t self:capability { sys_admin };
++')
+ dontaudit ftpd_t self:capability sys_tty_config;
+ allow ftpd_t self:process signal_perms;
+ allow ftpd_t self:process { getcap setcap setsched setrlimit };
+@@ -129,8 +132,7 @@
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
# Create and modify /var/log/xferlog.
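Review bot: The added `allow ftpd_t self:capability { sys_admin };` inside `ifdef(`hide_broken_symptoms', ...)` grants the broadest Linux capability to a network-facing daemon as a build-time default rather than hiding a denial; hide_broken_symptoms conventionally wraps dontaudit rules (as the domain.te hunk earlier on this page does), and an allow placed there is still an allow in every shipped policy. If the FTP daemon works without the operation, replace it with `dontaudit ftpd_t self:capability sys_admin;`; if it does not, move the allow out of the ifdef, fold sys_admin into the capability set on the preceding line, and comment which operation requires CAP_SYS_ADMIN. This grant is not mentioned in the changelog entry, which credits only the avahi change.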
@@ -2110,6 +2157,19 @@ diff -b -B --ignore-all-space --exclude-
mysql_read_config(mysqld_safe_t)
mysql_search_pid_files(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te
+--- nsaserefpolicy/policy/modules/services/nis.te 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/nis.te 2009-06-26 15:48:39.000000000 +0200
+@@ -72,8 +72,7 @@
+ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
+
+ kernel_read_kernel_sysctls(ypbind_t)
+-kernel_list_proc(ypbind_t)
+-kernel_read_proc_symlinks(ypbind_t)
++kernel_read_system_state(ypbind_t)
+
+ corenet_all_recvfrom_unlabeled(ypbind_t)
+ corenet_all_recvfrom_netlabel(ypbind_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.12/policy/modules/services/nslcd.fc
--- nsaserefpolicy/policy/modules/services/nslcd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.fc 2009-06-25 10:21:01.000000000 +0200
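Review bot: Replacing `kernel_list_proc` and `kernel_read_proc_symlinks` with `kernel_read_system_state(ypbind_t)` widens access rather than restating it: in refpolicy that interface also grants read on proc_t files, i.e. most of /proc including other processes' entries, whereas the two removed interfaces covered only directory listing and symlinks. If ypbind needs one specific /proc file, name it in a comment above the new line and prefer the narrowest interface that covers it; if the wide grant is intentional, a one-line comment stating which denial it resolves would keep the next reviewer from narrowing it back.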
@@ -2401,6 +2461,17 @@ diff -b -B --ignore-all-space --exclude-
## Execute the master postdrop in the
## postfix_postdrop domain.
## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te
+--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/postgresql.te 2009-06-29 16:24:29.000000000 +0200
+@@ -202,6 +202,7 @@
+ corenet_tcp_bind_generic_node(postgresql_t)
+ corenet_tcp_bind_postgresql_port(postgresql_t)
+ corenet_tcp_connect_auth_port(postgresql_t)
++corenet_tcp_connect_postgresql_port(postgresql_t)
+ corenet_sendrecv_postgresql_server_packets(postgresql_t)
+ corenet_sendrecv_auth_client_packets(postgresql_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ppp.if 2009-06-25 10:21:01.000000000 +0200
@@ -3575,7 +3646,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-29 14:16:57.000000000 +0200
@@ -139,6 +139,7 @@
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -3592,7 +3663,15 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -366,9 +368,10 @@
+@@ -284,6 +286,7 @@
+ /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ # vmware
++HOME_DIR/\.mozilla(/.*)?/plugins/np-vmware-vmrc-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -366,9 +369,10 @@
/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
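Review bot: The new `HOME_DIR/\.mozilla(/.*)?/plugins/np-vmware-vmrc-.*\.so` entry labels a user-writable file as textrel_shlib_t, which permits execmod on it; unlike the /usr/lib entries around it, nothing stops a user from dropping an arbitrary .so under that name and having a confined browser domain map it with writable-then-executable text. If that trade-off is accepted for the VMware remote-console plugin, state it under the bare `# vmware` heading, e.g. `# vmrc browser plugin lives in the user's profile: user-writable, textrel granted on name match only`. The `(/.*)?` matches at any depth below .mozilla, so if the plugin is only ever installed in `~/.mozilla/plugins` the pattern could be tightened to that path.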
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.880
retrieving revision 1.881
diff -u -p -r1.880 -r1.881
--- selinux-policy.spec 25 Jun 2009 09:18:40 -0000 1.880
+++ selinux-policy.spec 29 Jun 2009 14:46:48 -0000 1.881
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 60%{?dist}
+Release: 61%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
%endif
%changelog
+* Mon Jun 29 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-61
+- Allow avahi net_admin capability
+
* Thu Jun 25 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-60
- Fix up gpsd policy