rpms/selinux-policy/devel policy-20090105.patch, 1.52, 1.53 selinux-policy.spec, 1.799, 1.800
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Mar 4 19:41:17 UTC 2009
- Previous message (by thread): rpms/DeviceKit-disks/devel devkit-disks-dump-option.patch, NONE, 1.1 devkit-disks-fstab-unmount.patch, NONE, 1.1 DeviceKit-disks.spec, 1.6, 1.7
- Next message (by thread): rpms/srecord/devel .cvsignore, 1.17, 1.18 sources, 1.17, 1.18 srecord.spec, 1.22, 1.23
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12606
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Wed Mar 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.7-2
- Fixes for libvirt
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- policy-20090105.patch 3 Mar 2009 23:53:42 -0000 1.52
+++ policy-20090105.patch 4 Mar 2009 19:41:16 -0000 1.53
@@ -5643,7 +5643,7 @@
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.7/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/kernel/files.if 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.7/policy/modules/kernel/files.if 2009-03-04 08:43:36.000000000 -0500
@@ -110,6 +110,11 @@
## </param>
#
@@ -9914,7 +9914,7 @@
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.7/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/services/avahi.te 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.7/policy/modules/services/avahi.te 2009-03-04 14:39:26.000000000 -0500
@@ -33,6 +33,7 @@
allow avahi_t self:tcp_socket create_stream_socket_perms;
allow avahi_t self:udp_socket create_socket_perms;
@@ -14371,7 +14371,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.7/policy/modules/services/kerneloops.te
--- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/services/kerneloops.te 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.7/policy/modules/services/kerneloops.te 2009-03-04 14:40:13.000000000 -0500
@@ -13,6 +13,9 @@
type kerneloops_initrc_exec_t;
init_script_file(kerneloops_initrc_exec_t)
@@ -14392,6 +14392,14 @@
kernel_read_ring_buffer(kerneloops_t)
# Init script handling
+@@ -46,6 +52,5 @@
+ sysnet_dns_name_resolve(kerneloops_t)
+
+ optional_policy(`
+- dbus_system_bus_client(kerneloops_t)
+- dbus_connect_system_bus(kerneloops_t)
++ dbus_system_domain(kerneloops_t, kerneloops_exec_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.7/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.7/policy/modules/services/ktalk.te 2009-03-03 17:11:59.000000000 -0500
@@ -16728,10 +16736,32 @@
+optional_policy(`
+ prelude_manage_spool(pads_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.6.7/policy/modules/services/pcscd.fc
+--- nsaserefpolicy/policy/modules/services/pcscd.fc 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.7/policy/modules/services/pcscd.fc 2009-03-04 08:18:35.000000000 -0500
+@@ -1,5 +1,6 @@
+ /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
++/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+
+ /usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.7/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/services/pcscd.te 2009-03-03 17:11:59.000000000 -0500
-@@ -57,6 +57,14 @@
++++ serefpolicy-3.6.7/policy/modules/services/pcscd.te 2009-03-04 08:18:14.000000000 -0500
+@@ -27,9 +27,10 @@
+ allow pcscd_t self:unix_dgram_socket create_socket_perms;
+ allow pcscd_t self:tcp_socket create_stream_socket_perms;
+
++manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+-files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file })
++files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+
+ corenet_all_recvfrom_unlabeled(pcscd_t)
+ corenet_all_recvfrom_netlabel(pcscd_t)
+@@ -57,6 +58,14 @@
sysnet_dns_name_resolve(pcscd_t)
optional_policy(`
@@ -22945,7 +22975,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.7/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/services/ssh.te 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.7/policy/modules/services/ssh.te 2009-03-04 12:12:58.000000000 -0500
@@ -41,6 +41,9 @@
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)
@@ -23016,7 +23046,7 @@
term_use_all_user_ptys(sshd_t)
term_setattr_all_user_ptys(sshd_t)
term_relabelto_all_user_ptys(sshd_t)
-@@ -318,6 +328,13 @@
+@@ -318,16 +328,30 @@
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
@@ -23030,22 +23060,26 @@
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -331,6 +348,14 @@
- ')
-
- optional_policy(`
-+ kerberos_keytab_template(sshd, sshd_t)
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+- userdom_spec_domtrans_all_users(sshd_t)
+ userdom_signal_all_users(sshd_t)
+-',`
+')
+
+ userdom_spec_domtrans_unpriv_users(sshd_t)
+ userdom_signal_unpriv_users(sshd_t)
++
+optional_policy(`
-+ xserver_getattr_xauth(sshd_t)
++ kerberos_keytab_template(sshd, sshd_t)
+')
+
+optional_policy(`
- daemontools_service_domain(sshd_t, sshd_exec_t)
++ xserver_getattr_xauth(sshd_t)
')
-@@ -349,7 +374,11 @@
+ optional_policy(`
+@@ -349,7 +373,11 @@
')
optional_policy(`
@@ -23058,7 +23092,7 @@
unconfined_shell_domtrans(sshd_t)
')
-@@ -408,6 +437,8 @@
+@@ -408,6 +436,8 @@
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
@@ -23558,7 +23592,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.7/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/services/virt.te 2009-03-03 18:39:13.000000000 -0500
++++ serefpolicy-3.6.7/policy/modules/services/virt.te 2009-03-04 07:37:30.000000000 -0500
@@ -8,20 +8,18 @@
## <desc>
@@ -23658,7 +23692,7 @@
corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
-@@ -107,18 +132,25 @@
+@@ -107,18 +132,31 @@
# Init script handling
domain_use_interactive_fds(virtd_t)
@@ -23671,7 +23705,14 @@
+files_read_usr_files(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
- files_list_kernel_modules(virtd_t)
+-files_list_kernel_modules(virtd_t)
++files_read_kernel_modules(virtd_t)
++files_getattr_usr_src_files(virtd_t)
++
++# Manages /etc/sysconfig/system-config-firewall
++files_manage_etc_files(virtd_t)
++
++modutils_read_module_deps(virtd_t)
fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
@@ -23684,7 +23725,7 @@
term_getattr_pty_fs(virtd_t)
term_use_ptmx(virtd_t)
-@@ -129,7 +161,11 @@
+@@ -129,7 +167,11 @@
logging_send_syslog_msg(virtd_t)
@@ -23696,7 +23737,7 @@
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -167,22 +203,25 @@
+@@ -167,22 +209,25 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -23727,7 +23768,7 @@
')
optional_policy(`
-@@ -197,6 +236,69 @@
+@@ -197,6 +242,69 @@
xen_stream_connect_xenstore(virtd_t)
')
@@ -29385,8 +29426,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.7/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/system/unconfined.te 2009-03-03 17:11:59.000000000 -0500
-@@ -5,36 +5,86 @@
++++ serefpolicy-3.6.7/policy/modules/system/unconfined.te 2009-03-04 13:46:08.000000000 -0500
+@@ -5,6 +5,35 @@
#
# Declarations
#
@@ -29422,14 +29463,10 @@
# usage in this module of types created by these
# calls is not correct, however we dont currently
- # have another method to add access to these types
--userdom_base_user_template(unconfined)
--userdom_manage_home_role(unconfined_r, unconfined_t)
--userdom_manage_tmp_role(unconfined_r, unconfined_t)
--userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-+userdom_restricted_user_template(unconfined)
-+#userdom_common_user_template(unconfined)
-+#userdom_xwindows_client_template(unconfined)
+@@ -13,28 +42,50 @@
+ userdom_manage_home_role(unconfined_r, unconfined_t)
+ userdom_manage_tmp_role(unconfined_r, unconfined_t)
+ userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+userdom_execmod_user_home_files(unconfined_t)
type unconfined_exec_t;
@@ -29480,7 +29517,7 @@
libs_run_ldconfig(unconfined_t, unconfined_r)
-@@ -42,26 +92,46 @@
+@@ -42,26 +93,46 @@
logging_run_auditctl(unconfined_t, unconfined_r)
mount_run_unconfined(unconfined_t, unconfined_r)
@@ -29529,7 +29566,7 @@
')
optional_policy(`
-@@ -102,12 +172,24 @@
+@@ -102,12 +173,24 @@
')
optional_policy(`
@@ -29554,7 +29591,7 @@
')
optional_policy(`
-@@ -119,31 +201,33 @@
+@@ -119,31 +202,33 @@
')
optional_policy(`
@@ -29595,7 +29632,7 @@
')
optional_policy(`
-@@ -155,36 +239,38 @@
+@@ -155,36 +240,38 @@
')
optional_policy(`
@@ -29646,7 +29683,7 @@
')
optional_policy(`
-@@ -192,7 +278,7 @@
+@@ -192,7 +279,7 @@
')
optional_policy(`
@@ -29655,7 +29692,7 @@
')
optional_policy(`
-@@ -204,11 +290,12 @@
+@@ -204,11 +291,12 @@
')
optional_policy(`
@@ -29670,7 +29707,7 @@
')
########################################
-@@ -218,14 +305,61 @@
+@@ -218,14 +306,61 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -29748,7 +29785,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/system/userdomain.if 2009-03-03 18:02:25.000000000 -0500
++++ serefpolicy-3.6.7/policy/modules/system/userdomain.if 2009-03-04 13:47:45.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -30457,22 +30494,18 @@
')
#######################################
-@@ -722,15 +736,29 @@
+@@ -722,13 +736,26 @@
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
-+ userdom_change_password_template($1)
-+
+ userdom_manage_home_role($1_r, $1_usertype)
-
-- userdom_manage_tmp_role($1_r, $1_t)
-- userdom_manage_tmpfs_role($1_r, $1_t)
++
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
+- userdom_manage_tmp_role($1_r, $1_t)
+- userdom_manage_tmpfs_role($1_r, $1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
+
@@ -30483,17 +30516,17 @@
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
+ ')
-- userdom_change_password_template($1)
+ userdom_change_password_template($1)
- ##############################
- #
-@@ -746,70 +774,72 @@
+@@ -746,70 +773,71 @@
allow $1_t self:context contains;
@@ -30513,6 +30546,8 @@
- files_dontaudit_list_default($1_t)
- files_dontaudit_read_default_files($1_t)
++ files_dontaudit_list_default($1_usertype)
++ files_dontaudit_read_default_files($1_usertype)
# Stat lost+found.
- files_getattr_lost_found_dirs($1_t)
+ files_getattr_lost_found_dirs($1_usertype)
@@ -30523,18 +30558,15 @@
- fs_search_auto_mountpoints($1_t)
- fs_list_inotifyfs($1_t)
- fs_rw_anon_inodefs_files($1_t)
-+ files_dontaudit_list_default($1_usertype)
-+ files_dontaudit_read_default_files($1_usertype)
-
-- auth_dontaudit_write_login_records($1_t)
+ fs_get_all_fs_quotas($1_usertype)
+ fs_getattr_all_fs($1_usertype)
+ fs_search_all($1_usertype)
+ fs_list_inotifyfs($1_usertype)
+ fs_rw_anon_inodefs_files($1_usertype)
+ auth_dontaudit_write_login_records($1_t)
+-
- application_exec_all($1_t)
-+ auth_dontaudit_write_login_records($1_t)
+ auth_rw_cache($1_t)
# The library functions always try to open read-write first,
@@ -30599,7 +30631,7 @@
')
')
-@@ -846,6 +876,28 @@
+@@ -846,6 +874,28 @@
# Local policy
#
@@ -30628,7 +30660,7 @@
optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -876,7 +928,7 @@
+@@ -876,7 +926,7 @@
userdom_restricted_user_template($1)
@@ -30637,7 +30669,7 @@
##############################
#
-@@ -884,14 +936,19 @@
+@@ -884,14 +934,19 @@
#
auth_role($1_r, $1_t)
@@ -30662,7 +30694,7 @@
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +956,29 @@
+@@ -899,28 +954,29 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -30700,17 +30732,7 @@
')
')
-@@ -931,8 +989,7 @@
- ## </summary>
- ## <desc>
- ## <p>
--## The template for creating a unprivileged user roughly
--## equivalent to a regular linux user.
-+## The template containing the most basic rules common to all users.
- ## </p>
- ## <p>
- ## This template creates a user domain, types, and
-@@ -954,8 +1011,8 @@
+@@ -954,8 +1010,8 @@
# Declarations
#
@@ -30720,7 +30742,7 @@
userdom_common_user_template($1)
##############################
-@@ -964,11 +1021,12 @@
+@@ -964,11 +1020,12 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -30735,7 +30757,7 @@
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -986,37 +1044,47 @@
+@@ -986,37 +1043,47 @@
')
')
@@ -30797,7 +30819,7 @@
')
#######################################
-@@ -1050,7 +1118,7 @@
+@@ -1050,7 +1117,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -30806,7 +30828,7 @@
')
##############################
-@@ -1059,8 +1127,7 @@
+@@ -1059,8 +1126,7 @@
#
# Inherit rules for ordinary users.
@@ -30816,7 +30838,7 @@
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1083,7 +1150,8 @@
+@@ -1083,7 +1149,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -30826,7 +30848,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1099,6 +1167,7 @@
+@@ -1099,6 +1166,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -30834,7 +30856,7 @@
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,8 +1175,6 @@
+@@ -1106,8 +1174,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -30843,7 +30865,7 @@
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1229,6 @@
+@@ -1162,20 +1228,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -30864,7 +30886,7 @@
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1274,7 @@
+@@ -1221,6 +1273,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -30872,7 +30894,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1286,11 +1340,15 @@
+@@ -1286,11 +1339,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -30888,7 +30910,7 @@
')
########################################
-@@ -1387,7 +1445,7 @@
+@@ -1387,7 +1444,7 @@
########################################
## <summary>
@@ -30897,7 +30919,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -1420,6 +1478,14 @@
+@@ -1420,6 +1477,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -30912,7 +30934,7 @@
')
########################################
-@@ -1435,9 +1501,11 @@
+@@ -1435,9 +1500,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -30924,7 +30946,7 @@
')
########################################
-@@ -1494,6 +1562,25 @@
+@@ -1494,6 +1561,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -30950,19 +30972,7 @@
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1547,9 +1634,9 @@
- type user_home_dir_t, user_home_t;
- ')
-
-- domain_auto_trans($1, user_home_t, $2)
-- allow $1 user_home_dir_t:dir search_dir_perms;
- files_search_home($1)
-+ allow $1 user_home_dir_t:dir search_dir_perms;
-+ domain_auto_trans($1, user_home_t, $2)
- ')
-
- ########################################
-@@ -1568,6 +1655,8 @@
+@@ -1568,6 +1654,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -30971,7 +30981,7 @@
')
########################################
-@@ -1643,6 +1732,7 @@
+@@ -1643,6 +1731,7 @@
type user_home_dir_t, user_home_t;
')
@@ -30979,7 +30989,7 @@
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1741,6 +1831,62 @@
+@@ -1741,6 +1830,62 @@
########################################
## <summary>
@@ -31042,7 +31052,7 @@
## Execute user home files.
## </summary>
## <param name="domain">
-@@ -1757,14 +1903,6 @@
+@@ -1757,14 +1902,6 @@
files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -31057,7 +31067,7 @@
')
########################################
-@@ -1787,6 +1925,46 @@
+@@ -1787,6 +1924,46 @@
########################################
## <summary>
@@ -31104,7 +31114,7 @@
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
-@@ -1799,6 +1977,7 @@
+@@ -1799,6 +1976,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -31112,135 +31122,16 @@
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -1921,7 +2100,7 @@
-
- ########################################
- ## <summary>
--## Create objects in a user home directory
-+## Create objects in the /root directory
- ## with an automatic type transition to
- ## a specified private type.
- ## </summary>
-@@ -1941,28 +2120,58 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_user_home_content_filetrans',`
-+interface(`userdom_admin_home_dir_filetrans',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ type admin_home_t;
- ')
-
-- filetrans_pattern($1, user_home_t, $2, $3)
-- allow $1 user_home_dir_t:dir search_dir_perms;
-- files_search_home($1)
-+ filetrans_pattern($1, admin_home_t, $2, $3)
- ')
+@@ -2328,7 +2506,7 @@
########################################
## <summary>
- ## Create objects in a user home directory
- ## with an automatic type transition to
--## the user home file type.
-+## a specified private type.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="object_class">
-+## <param name="private_type">
-+## <summary>
-+## The type of the object to create.
-+## </summary>
-+## </param>
-+## <param name="object_class">
-+## <summary>
-+## The class of the object to be created.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_user_home_content_filetrans',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ ')
-+
-+ filetrans_pattern($1, user_home_t, $2, $3)
-+ allow $1 user_home_dir_t:dir search_dir_perms;
-+ files_search_home($1)
-+')
-+
-+########################################
-+## <summary>
-+## Create objects in a user home directory
-+## with an automatic type transition to
-+## the user home file type.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="object_class">
- ## <summary>
- ## The class of the object to be created.
- ## </summary>
-@@ -2336,6 +2545,27 @@
- ## </summary>
- ## </param>
- #
-+interface(`userdom_read_user_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ allow $1 user_tmpfs_t:dir list_dir_perms;
-+ fs_search_tmpfs($1)
-+')
-+
-+########################################
-+## <summary>
+-## Read user tmpfs files.
+## Read/Write user tmpfs files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
- interface(`userdom_rw_user_tmpfs_files',`
- gen_require(`
- type user_tmpfs_t;
-@@ -2709,6 +2939,24 @@
-
- ########################################
- ## <summary>
-+## Send signull to unprivileged user domains.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_signull_unpriv_users',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:process signull;
-+')
-+
-+########################################
-+## <summary>
- ## Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
-@@ -2814,7 +3062,43 @@
+ ## <summary>
+@@ -2814,7 +2992,25 @@
type user_tmp_t;
')
@@ -31250,24 +31141,6 @@
+
+########################################
+## <summary>
-+## Write all users files in /tmp
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_write_user_tmp_dirs',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ write_files_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+########################################
-+## <summary>
+## Delete all users files in /tmp
+## </summary>
+## <param name="domain">
@@ -31285,7 +31158,7 @@
')
########################################
-@@ -2851,6 +3135,7 @@
+@@ -2851,6 +3047,7 @@
')
read_files_pattern($1,userdomain,userdomain)
@@ -31293,32 +31166,7 @@
kernel_search_proc($1)
')
-@@ -2965,6 +3250,24 @@
-
- ########################################
- ## <summary>
-+## Manage keys for all user domains.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_manage_all_users_keys',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:key manage_key_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Send a dbus message to all user domains.
- ## </summary>
- ## <param name="domain">
-@@ -2981,3 +3284,338 @@
+@@ -2981,3 +3178,462 @@
allow $1 userdomain:dbus send_msg;
')
@@ -31549,6 +31397,24 @@
+
+########################################
+## <summary>
++## Add attrinute admin domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_admin',`
++ gen_require(`
++ attribute admin_userdomain;
++ ')
++
++ typeattribute $1 admin_userdomain;
++')
++
++########################################
++## <summary>
+## Send a message to unpriv users over a unix domain
+## datagram socket.
+## </summary>
@@ -31657,9 +31523,115 @@
+
+ type_transition $1 user_home_dir_t:$2 user_home_t;
+')
++
++########################################
++## <summary>
++## Create objects in the /root directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++#
++interface(`userdom_admin_home_dir_filetrans',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ filetrans_pattern($1, admin_home_t, $2, $3)
++')
++
++########################################
++## <summary>
++## Send signull to unprivileged user domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_signull_unpriv_users',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:process signull;
++')
++
++########################################
++## <summary>
++## Read user tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_read_user_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ allow $1 user_tmpfs_t:dir list_dir_perms;
++ fs_search_tmpfs($1)
++')
++
++########################################
++## <summary>
++## Write all users files in /tmp
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_write_user_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ write_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++########################################
++## <summary>
++## Manage keys for all user domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_manage_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key manage_key_perms;
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.7/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/system/userdomain.te 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.7/policy/modules/system/userdomain.te 2009-03-04 13:46:42.000000000 -0500
@@ -8,13 +8,6 @@
## <desc>
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.799
retrieving revision 1.800
diff -u -r1.799 -r1.800
--- selinux-policy.spec 3 Mar 2009 20:10:30 -0000 1.799
+++ selinux-policy.spec 4 Mar 2009 19:41:16 -0000 1.800
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.7
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@
%endif
%changelog
+* Wed Mar 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.7-2
+- Fixes for libvirt
+
* Mon Mar 2 2009 Dan Walsh <dwalsh at redhat.com> 3.6.7-1
- Update to Latest upstream
- Previous message (by thread): rpms/DeviceKit-disks/devel devkit-disks-dump-option.patch, NONE, 1.1 devkit-disks-fstab-unmount.patch, NONE, 1.1 DeviceKit-disks.spec, 1.6, 1.7
- Next message (by thread): rpms/srecord/devel .cvsignore, 1.17, 1.18 sources, 1.17, 1.18 srecord.spec, 1.22, 1.23
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list