rpms/selinux-policy/F-11 policy-20090521.patch, 1.23, 1.24 selinux-policy.spec, 1.880, 1.881

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jun 29 14:47:19 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv318

Modified Files:
	policy-20090521.patch selinux-policy.spec 
Log Message:
- Allow avahi net_admin capability



policy-20090521.patch:

Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -p -r1.23 -r1.24
--- policy-20090521.patch	25 Jun 2009 09:18:40 -0000	1.23
+++ policy-20090521.patch	29 Jun 2009 14:46:48 -0000	1.24
@@ -580,6 +580,17 @@ diff -b -B --ignore-all-space --exclude-
 +optional_policy(`
 +	ssh_rw_pipes(gitosis_t)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if
+--- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if	2009-06-26 15:48:23.000000000 +0200
+@@ -64,6 +64,7 @@
+ 
+ 	allow $1 mozilla_home_t:dir list_dir_perms;
+ 	allow $1 mozilla_home_t:file read_file_perms;
++	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
+ 	userdom_search_user_home_dirs($1)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-06-25 10:19:43.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te	2009-06-25 10:21:01.000000000 +0200
@@ -1403,7 +1414,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-06-26 15:48:29.000000000 +0200
 @@ -91,6 +91,9 @@
  kernel_read_proc_symlinks(domain)
  kernel_read_crypto_sysctls(domain)
@@ -1466,9 +1477,11 @@ diff -b -B --ignore-all-space --exclude-
  
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -186,6 +209,7 @@
+@@ -185,7 +208,9 @@
+ 
  ifdef(`hide_broken_symptoms',`
  	fs_list_inotifyfs(domain)
++	dontaudit domain self:udp_socket listen;
  	allow domain domain:key { link search };
 +	dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
  ')
@@ -1711,6 +1724,18 @@ diff -b -B --ignore-all-space --exclude-
  ##	Execute automount in the caller domain.
  ## </summary>
  ## <param name="domain">
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te
+--- nsaserefpolicy/policy/modules/services/avahi.te	2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/avahi.te	2009-06-29 13:28:59.000000000 +0200
+@@ -24,7 +24,7 @@
+ # Local policy
+ #
+ 
+-allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
++allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin setuid sys_chroot };
+ dontaudit avahi_t self:capability sys_tty_config;
+ allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+ allow avahi_t self:fifo_file rw_fifo_file_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-06-25 10:19:44.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te	2009-06-25 10:21:01.000000000 +0200
@@ -1909,6 +1934,18 @@ diff -b -B --ignore-all-space --exclude-
  	tftp_read_content(dnsmasq_t)
  ')
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.12/policy/modules/services/fetchmail.te
+--- nsaserefpolicy/policy/modules/services/fetchmail.te	2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/fetchmail.te	2009-06-29 16:22:53.000000000 +0200
+@@ -60,6 +60,8 @@
+ corenet_tcp_connect_all_ports(fetchmail_t)
+ corenet_sendrecv_all_client_packets(fetchmail_t)
+ 
++corecmd_exec_shell(fetchmail_t)
++
+ dev_read_sysfs(fetchmail_t)
+ dev_read_rand(fetchmail_t)
+ dev_read_urand(fetchmail_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	2009-06-25 10:19:44.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-06-25 10:21:01.000000000 +0200
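Review bot: `corecmd_exec_shell(fetchmail_t)` lets fetchmail run a shell in its own domain with no transition, so whatever that shell executes inherits every rule already granted to fetchmail_t above it, including `corenet_tcp_connect_all_ports`; since fetchmail processes mail pulled from remote servers, that inheritance deserves a stated justification. The hunk gives none; if the rule exists for the user-configurable mda, preconnect or postconnect commands (my inference, not shown here), document it as `# run user-configured mda / pre-/post-connect commands via the shell` and consider gating it behind a boolean so installs that do not use those options keep the tighter policy.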
@@ -1943,8 +1980,18 @@ diff -b -B --ignore-all-space --exclude-
  permissive fprintd_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/ftp.te	2009-06-25 10:21:01.000000000 +0200
-@@ -129,8 +129,7 @@
++++ serefpolicy-3.6.12/policy/modules/services/ftp.te	2009-06-29 16:23:40.000000000 +0200
+@@ -91,6 +91,9 @@
+ #
+ 
+ allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
++ifdef(`hide_broken_symptoms', `
++allow ftpd_t self:capability { sys_admin };
++')
+ dontaudit ftpd_t self:capability sys_tty_config;
+ allow ftpd_t self:process signal_perms;
+ allow ftpd_t self:process { getcap setcap setsched setrlimit };
+@@ -129,8 +132,7 @@
  allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
  
  # Create and modify /var/log/xferlog.
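Review bot: The new `ifdef(`hide_broken_symptoms', ...)` block wraps an `allow ftpd_t self:capability { sys_admin };`, which silently grants CAP_SYS_ADMIN (close to full root in capability terms) whenever the policy is built with that flag, whereas the other `hide_broken_symptoms` block in this patch (domain.te) only adds `dontaudit` rules. If the intent is to quiet an AVC that ftpd tolerates, the rule should be `dontaudit ftpd_t self:capability sys_admin;` beside the existing `sys_tty_config` dontaudit; if ftpd really needs the capability, it belongs on the unconditional allow line with a comment naming the operation. The second inner hunk (`@@ -129,8 +132,7 @@`) is cut off at the end of this hunk, so only its offset change is visible here.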
@@ -2110,6 +2157,19 @@ diff -b -B --ignore-all-space --exclude-
  mysql_read_config(mysqld_safe_t)
  mysql_search_pid_files(mysqld_safe_t)
  mysql_write_log(mysqld_safe_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te
+--- nsaserefpolicy/policy/modules/services/nis.te	2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/nis.te	2009-06-26 15:48:39.000000000 +0200
+@@ -72,8 +72,7 @@
+ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
+ 
+ kernel_read_kernel_sysctls(ypbind_t)
+-kernel_list_proc(ypbind_t)
+-kernel_read_proc_symlinks(ypbind_t)
++kernel_read_system_state(ypbind_t)
+ 
+ corenet_all_recvfrom_unlabeled(ypbind_t)
+ corenet_all_recvfrom_netlabel(ypbind_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.12/policy/modules/services/nslcd.fc
 --- nsaserefpolicy/policy/modules/services/nslcd.fc	1970-01-01 01:00:00.000000000 +0100
 +++ serefpolicy-3.6.12/policy/modules/services/nslcd.fc	2009-06-25 10:21:01.000000000 +0200
@@ -2401,6 +2461,17 @@ diff -b -B --ignore-all-space --exclude-
  ##	Execute the master postdrop in the
  ##	postfix_postdrop domain.
  ## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te
+--- nsaserefpolicy/policy/modules/services/postgresql.te	2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/postgresql.te	2009-06-29 16:24:29.000000000 +0200
+@@ -202,6 +202,7 @@
+ corenet_tcp_bind_generic_node(postgresql_t)
+ corenet_tcp_bind_postgresql_port(postgresql_t)
+ corenet_tcp_connect_auth_port(postgresql_t)
++corenet_tcp_connect_postgresql_port(postgresql_t)
+ corenet_sendrecv_postgresql_server_packets(postgresql_t)
+ corenet_sendrecv_auth_client_packets(postgresql_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2009-06-25 10:19:44.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/services/ppp.if	2009-06-25 10:21:01.000000000 +0200
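Review bot: `kernel_read_system_state(ypbind_t)` replaces `kernel_list_proc` and `kernel_read_proc_symlinks` with a wider interface that, as far as I recall refpolicy, also permits reading files under /proc rather than only listing directories and following symlinks. Nothing in the hunk says which /proc file ypbind now reads, so a one-line comment such as `# ypbind reads /proc/<file>; needs file read, not just list/symlink` would let a later reviewer confirm the broader grant is still needed. The postgresql change in the same file section (`corenet_tcp_connect_postgresql_port(postgresql_t)`) is narrow and self-explanatory.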
@@ -3575,7 +3646,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc	2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/system/libraries.fc	2009-06-29 14:16:57.000000000 +0200
 @@ -139,6 +139,7 @@
  /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -3592,7 +3663,15 @@ diff -b -B --ignore-all-space --exclude-
  /usr/lib/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -366,9 +368,10 @@
+@@ -284,6 +286,7 @@
+ /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ # vmware 
++HOME_DIR/\.mozilla(/.*)?/plugins/np-vmware-vmrc-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -366,9 +369,10 @@
  /usr/matlab.*\.so(\.[^/]*)*		gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
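Review bot: The new `HOME_DIR/\.mozilla(/.*)?/plugins/np-vmware-vmrc-.*\.so` entry labels a user-writable path as `textrel_shlib_t`, the type that permits text relocations (`execmod`) on mapped code, while every other entry in this hunk lives under a system directory. Because the user owns that directory, any file the user (or a compromised browser process) drops there under a matching name receives the relaxed label, so this trades the execmod protection for everything matching the pattern rather than for one known binary. If the plugin cannot be rebuilt without text relocations, add a comment stating the trade-off (`# user-installed plugin; relaxes execmod for any file matching this name`) with the motivating bug reference, and consider tightening the pattern to the exact filename form the plugin ships with.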


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.880
retrieving revision 1.881
diff -u -p -r1.880 -r1.881
--- selinux-policy.spec	25 Jun 2009 09:18:40 -0000	1.880
+++ selinux-policy.spec	29 Jun 2009 14:46:48 -0000	1.881
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 60%{?dist}
+Release: 61%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Jun 29 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-61
+- Allow avahi net_admin capability
+
 * Thu Jun 25 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-60
 - Fix up gpsd policy
 



