rpms/selinux-policy/devel policy-20090105.patch, 1.59, 1.60 selinux-policy.spec, 1.803, 1.804

Daniel J Walsh dwalsh at fedoraproject.org
Wed Mar 11 20:05:17 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2530

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Tue Mar 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.8-4
- Fixes for iscsid and sssd
- More cleanups for upgrade from F10 to Rawhide.


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -r1.59 -r1.60
--- policy-20090105.patch	10 Mar 2009 20:11:23 -0000	1.59
+++ policy-20090105.patch	11 Mar 2009 20:05:16 -0000	1.60
@@ -1598,7 +1598,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.8/policy/modules/admin/usermanage.if
 --- nsaserefpolicy/policy/modules/admin/usermanage.if	2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/admin/usermanage.if	2009-03-10 08:25:54.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/admin/usermanage.if	2009-03-11 15:22:10.000000000 -0400
 @@ -117,6 +117,24 @@
  
  ########################################
@@ -2229,7 +2229,7 @@
 +/usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.8/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/apps/java.if	2009-03-10 08:25:54.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/apps/java.if	2009-03-11 15:31:03.000000000 -0400
 @@ -30,6 +30,7 @@
  
  	allow java_t $2:unix_stream_socket connectto;
@@ -2238,7 +2238,7 @@
  ')
  
  ########################################
-@@ -68,3 +69,122 @@
+@@ -68,3 +69,124 @@
  	domtrans_pattern($1, java_exec_t, unconfined_java_t)
  	corecmd_search_bin($1)
  ')
@@ -2287,10 +2287,12 @@
 +interface(`java_run_unconfined',`
 +	gen_require(`
 +		type unconfined_java_t;
++		type java_t;
 +	')
 +
 +	java_domtrans_unconfined($1)
 +	role $2 types unconfined_java_t;
++	role $2 types java_t;
 +')
 +
 +########################################
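Review bot: The added `role $2 types java_t;` makes an interface named `java_run_unconfined` also authorize the caller's role for the confined `java_t` domain, and nothing in the hunk explains why a caller asking for the unconfined variant needs the confined one too. If the intent is that a process entered through `java_domtrans_unconfined` may later spawn a confined `java_t` child under the same role, record that above the new line, e.g. `# java_t is also needed: children of unconfined_java_t may re-enter confined java_t under this role`; otherwise the role rule belongs in `java_run`, not here. The interface's header comment (outside the hunk) should list both domains it now authorizes.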
@@ -2363,8 +2365,17 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.8/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/apps/java.te	2009-03-10 08:25:54.000000000 -0400
-@@ -40,7 +40,7 @@
++++ serefpolicy-3.6.8/policy/modules/apps/java.te	2009-03-11 15:26:01.000000000 -0400
+@@ -20,6 +20,8 @@
+ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
+ typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
+ 
++role system_r types java_t;
++
+ type java_tmp_t;
+ files_tmp_file(java_tmp_t)
+ ubac_constrained(java_tmp_t)
+@@ -40,7 +42,7 @@
  # Local policy
  #
  
@@ -2373,7 +2384,7 @@
  allow java_t self:fifo_file rw_fifo_file_perms;
  allow java_t self:tcp_socket create_socket_perms;
  allow java_t self:udp_socket create_socket_perms;
-@@ -80,6 +80,7 @@
+@@ -80,6 +82,7 @@
  dev_write_sound(java_t)
  dev_read_urand(java_t)
  dev_read_rand(java_t)
@@ -2381,7 +2392,7 @@
  
  files_read_etc_files(java_t)
  files_read_usr_files(java_t)
-@@ -116,12 +117,13 @@
+@@ -116,12 +119,13 @@
  
  	allow java_t java_tmp_t:file execute;
  
@@ -2396,7 +2407,7 @@
  optional_policy(`
  	nis_use_ypbind(java_t)
  ')
-@@ -147,4 +149,11 @@
+@@ -147,4 +151,11 @@
  
  	unconfined_domain_noaudit(unconfined_java_t)
  	unconfined_dbus_chat(unconfined_java_t)
@@ -4608,7 +4619,7 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.8/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-03-02 16:51:45.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/kernel/corenetwork.te.in	2009-03-10 08:25:54.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/kernel/corenetwork.te.in	2009-03-11 15:16:21.000000000 -0400
 @@ -65,10 +65,12 @@
  type server_packet_t, packet_type, server_packet_type;
  
@@ -4730,6 +4741,15 @@
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
+@@ -208,6 +235,8 @@
+ type node_t, node_type;
+ sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
+ 
++typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };
++
+ # network_node examples:
+ #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
+ #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.8/policy/modules/kernel/domain.if	2009-03-10 08:25:54.000000000 -0400
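Review bot: The new `typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };` collapses five formerly distinct node types onto the generic `node_t` without saying why; the changelog calls this upgrade cleanup, the policy file does not. Add `# Upgrade compatibility: these node types no longer exist; any rule still naming them now applies to every node.` above the line, because a rule that used to restrict a bind to, say, `lo_node_t` silently becomes a bind to all nodes after the alias. That widening is presumably intended, but it should be visible at the point of declaration rather than only in the RPM changelog.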
@@ -7307,7 +7327,7 @@
 +permissive afs_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.8/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/apache.fc	2009-03-10 09:38:57.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/services/apache.fc	2009-03-10 16:56:25.000000000 -0400
 @@ -1,12 +1,13 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -7395,7 +7415,7 @@
 +
 +/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +
-+/var/www/svn/repo/db(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++/var/www/svn(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.8/policy/modules/services/apache.if	2009-03-10 08:25:54.000000000 -0400
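Review bot: Widening the context from `/var/www/svn/repo/db(/.*)?` to `/var/www/svn(/.*)?` labels the whole Subversion tree `httpd_sys_content_rw_t`, so a compromised httpd can rewrite each repository's `conf/` and `hooks/` (hook scripts run on commit) and not just the FSFS/BDB store under `db/` that mod_dav_svn needs to write. If the goal is to cover repositories with arbitrary names, `/var/www/svn/[^/]+/db(/.*)?` keeps the rest of each repository read-only, assuming the standard svnadmin layout. If the entire tree really must be writable, a comment next to the entry saying why would stop the next reviewer from narrowing it back.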
@@ -7933,7 +7953,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/apache.te	2009-03-10 08:25:54.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/services/apache.te	2009-03-11 14:44:03.000000000 -0400
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -9959,7 +9979,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.8/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/cron.te	2009-03-10 08:25:54.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/services/cron.te	2009-03-10 15:56:54.000000000 -0400
 @@ -38,6 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -9998,7 +10018,13 @@
  
  type system_cron_spool_t, cron_spool_type;
  files_type(system_cron_spool_t)
-@@ -103,6 +113,13 @@
+@@ -98,11 +108,18 @@
+ 
+ # Type of user crontabs once moved to cron spool.
+ type user_cron_spool_t, cron_spool_type;
+-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t };
++typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
+ typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
  files_type(user_cron_spool_t)
  ubac_constrained(user_cron_spool_t)
  
@@ -15420,7 +15446,7 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.8/policy/modules/services/oddjob.if
 --- nsaserefpolicy/policy/modules/services/oddjob.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.8/policy/modules/services/oddjob.if	2009-03-10 08:25:54.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/services/oddjob.if	2009-03-11 15:20:43.000000000 -0400
 @@ -44,6 +44,7 @@
  	')
  
@@ -16276,7 +16302,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.8/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/polkit.te	2009-03-10 08:25:54.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/services/polkit.te	2009-03-11 15:59:49.000000000 -0400
 @@ -0,0 +1,237 @@
 +policy_module(polkit_auth, 1.0.0)
 +
@@ -20290,7 +20316,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.8/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/setroubleshoot.te	2009-03-10 08:25:55.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/services/setroubleshoot.te	2009-03-10 16:10:06.000000000 -0400
 @@ -11,6 +11,9 @@
  domain_type(setroubleshootd_t)
  init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -21179,7 +21205,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.8/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/ssh.te	2009-03-10 08:25:55.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/services/ssh.te	2009-03-11 14:25:03.000000000 -0400
 @@ -41,6 +41,9 @@
  files_tmp_file(sshd_tmp_t)
  files_poly_parent(sshd_tmp_t)
@@ -21199,16 +21225,17 @@
  typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
  files_type(home_ssh_t)
  userdom_user_home_content(home_ssh_t)
-@@ -95,7 +98,7 @@
+@@ -95,8 +98,7 @@
  allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
 -allow ssh_t self:tcp_socket create_socket_perms;
+-allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
 +allow ssh_t self:tcp_socket create_stream_socket_perms;
- allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
  
  # Read the ssh key file.
-@@ -115,6 +118,7 @@
+ allow ssh_t sshd_key_t:file read_file_perms;
+@@ -115,6 +117,7 @@
  manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
  manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
  userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
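Review bot: Dropping `allow ssh_t self:netlink_route_socket r_netlink_socket_perms;` is only safe if the `auth_use_nsswitch(ssh_t)` added in a later hunk of this file really supplies the netlink route access (I believe it does via sysnet_dns_name_resolve, but confirm), which couples the two hunks so they must not be applied separately. The change from `create_socket_perms` to `create_stream_socket_perms` on `tcp_socket` adds listen/accept for the client; a `# listen/accept: needed for -L/-R port forwarding` comment would tie it to the `user_tcp_server` tunable below. The ssh_t local-policy block continues outside the hunk.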
@@ -21216,6 +21243,14 @@
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
+@@ -131,6 +134,7 @@
+ read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
+ 
+ kernel_read_kernel_sysctls(ssh_t)
++kernel_read_system_state(ssh_t)
+ 
+ corenet_all_recvfrom_unlabeled(ssh_t)
+ corenet_all_recvfrom_netlabel(ssh_t)
 @@ -139,6 +143,8 @@
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
@@ -21225,7 +21260,22 @@
  
  dev_read_urand(ssh_t)
  
-@@ -173,6 +179,7 @@
+@@ -160,19 +166,19 @@
+ logging_send_syslog_msg(ssh_t)
+ logging_read_generic_logs(ssh_t)
+ 
++auth_use_nsswitch(ssh_t)
++
+ miscfiles_read_localization(ssh_t)
+ 
+ seutil_read_config(ssh_t)
+ 
+-sysnet_read_config(ssh_t)
+-sysnet_dns_name_resolve(ssh_t)
+-
+ userdom_dontaudit_list_user_home_dirs(ssh_t)
+ userdom_search_user_home_dirs(ssh_t)
+ # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
  # needs to read krb tgt
  userdom_read_user_tmp_files(ssh_t)
@@ -21233,15 +21283,33 @@
  
  tunable_policy(`allow_ssh_keysign',`
  	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -202,6 +209,7 @@
+@@ -202,23 +208,13 @@
  # for port forwarding
  tunable_policy(`user_tcp_server',`
  	corenet_tcp_bind_ssh_port(ssh_t)
+-')
+-
+-optional_policy(`
+-	kerberos_use(ssh_t)
+-')
+-
+-optional_policy(`
+-	nis_use_ypbind(ssh_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(ssh_t)
 +	corenet_tcp_bind_generic_node(ssh_t)
  ')
  
  optional_policy(`
-@@ -310,6 +318,8 @@
+ 	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
+ 	xserver_domtrans_xauth(ssh_t)
++	xserver_stream_connect(ssh_t)
+ ')
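Review bot: The removed `kerberos_use`, `nis_use_ypbind` and `nscd_socket_use` blocks are not replaced within this hunk; they are presumably subsumed by the `auth_use_nsswitch(ssh_t)` introduced earlier in this file, which again makes this hunk depend on that one. `xserver_stream_connect(ssh_t)` is the only new X rule and has no comment; `# ForwardX11: the client connects to the local X server socket` next to it would document the intent and make the grant easy to revisit. The enclosing `optional_policy` blocks start before the hunk.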
+ 
+ ########################################
+@@ -310,6 +306,8 @@
  kernel_search_key(sshd_t)
  kernel_link_key(sshd_t)
  
@@ -21250,7 +21318,7 @@
  term_use_all_user_ptys(sshd_t)
  term_setattr_all_user_ptys(sshd_t)
  term_relabelto_all_user_ptys(sshd_t)
-@@ -318,16 +328,30 @@
+@@ -318,16 +316,30 @@
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
@@ -21283,7 +21351,7 @@
  ')
  
  optional_policy(`
-@@ -349,7 +373,11 @@
+@@ -349,7 +361,11 @@
  ')
  
  optional_policy(`
@@ -21296,7 +21364,7 @@
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -408,6 +436,8 @@
+@@ -408,6 +424,8 @@
  init_use_fds(ssh_keygen_t)
  init_use_script_ptys(ssh_keygen_t)
  
@@ -21570,8 +21638,8 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.8/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/sssd.te	2009-03-10 08:25:55.000000000 -0400
-@@ -0,0 +1,55 @@
++++ serefpolicy-3.6.8/policy/modules/services/sssd.te	2009-03-10 19:51:47.000000000 -0400
+@@ -0,0 +1,63 @@
 +policy_module(sssd,1.0.0)
 +
 +########################################
@@ -21598,11 +21666,15 @@
 +#
 +# sssd local policy
 +#
++allow sssd_t self:capability sys_nice;
++allow sssd_t self:process { setsched signal getsched };
++allow sssd_t tmp_t:dir { read getattr open };
 +
 +# Init script handling
 +domain_use_interactive_fds(sssd_t)
 +
 +# internal communication is often done using fifo and unix sockets.
++allow sssd_t self:process signal;
 +allow sssd_t self:fifo_file rw_file_perms;
 +allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
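Review bot: `allow sssd_t tmp_t:dir { read getattr open };` at the top of the local policy references `tmp_t`, a type owned by the files module, directly rather than through an interface; it is not `gen_require`'d, so it may not even build as a loadable module, and it is made redundant by the `files_list_tmp(sssd_t)` added in the next hunk, so drop the raw rule and keep the interface call. `allow sssd_t self:process signal;` a few lines below is likewise already covered by the `{ setsched signal getsched }` rule above it, so one of the two can go. Duplicate rules do not change the loaded policy, but they obscure what was actually required.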
@@ -21619,7 +21691,11 @@
 +
 +dev_read_urand(sssd_t)
 +
++files_list_tmp(sssd_t)
 +files_read_etc_files(sssd_t)
++files_read_usr_files(sssd_t)
++
++auth_use_nsswitch(sssd_t)
 +
 +miscfiles_read_localization(sssd_t)
 +
@@ -22108,7 +22184,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.8/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/virt.te	2009-03-10 08:25:55.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/services/virt.te	2009-03-11 14:44:45.000000000 -0400
 @@ -8,20 +8,18 @@
  
  ## <desc>
@@ -22147,7 +22223,7 @@
  
  type virt_log_t;
  logging_log_file(virt_log_t)
-@@ -48,17 +50,37 @@
+@@ -48,17 +50,40 @@
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -22176,18 +22252,21 @@
  
 -allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
 -allow virtd_t self:process { getsched sigkill signal execmem };
-+allow virtd_t self:capability { dac_override kill net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
-+allow virtd_t self:process { getsched sigkill signal execmem setexec setfscreate };
++allow virtd_t self:capability { chown dac_override ipc_lock kill mknod net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
++allow virtd_t self:process { getsched sigkill signal execmem setexec setfscreate setsched };
  allow virtd_t self:fifo_file rw_file_perms;
  allow virtd_t self:unix_stream_socket create_stream_socket_perms;
  allow virtd_t self:tcp_socket create_stream_socket_perms;
  
++manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
++manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t)
 +allow virtd_t virt_image_t:file { relabelfrom relabelto };
++allow virtd_t virt_image_t:blk_file { relabelfrom relabelto };
 +
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  
-@@ -67,7 +89,10 @@
+@@ -67,7 +92,10 @@
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
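Review bot: This commit adds `chown ipc_lock mknod` (and `setsched`) to a `virtd_t` capability set that the Fedora patch already extends beyond upstream with `net_raw setuid setgid sys_admin`, and together with the new `manage_blk_files_pattern` and `blk_file { relabelfrom relabelto }` on `virt_image_t` it brings the daemon close to root on the host, yet none of the capabilities is annotated with the libvirt operation that needs it. Please add per-capability comments in the style of `# mknod/chown: create device nodes and hand them to qemu; ipc_lock: pinned guest memory`, adjusted to the AVC denials actually observed, so that each grant can be revisited on its own. `sys_admin` is the one most worth a written justification since it subsumes much of the rest.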
@@ -22199,7 +22278,15 @@
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -96,7 +121,7 @@
+@@ -86,6 +114,7 @@
+ kernel_read_network_state(virtd_t)
+ kernel_rw_net_sysctls(virtd_t)
+ kernel_load_module(virtd_t)
++kernel_search_debugfs(virtd_t)
+ 
+ corecmd_exec_bin(virtd_t)
+ corecmd_exec_shell(virtd_t)
+@@ -96,7 +125,7 @@
  corenet_tcp_sendrecv_generic_node(virtd_t)
  corenet_tcp_sendrecv_all_ports(virtd_t)
  corenet_tcp_bind_generic_node(virtd_t)
@@ -22208,7 +22295,11 @@
  corenet_tcp_bind_vnc_port(virtd_t)
  corenet_tcp_connect_vnc_port(virtd_t)
  corenet_tcp_connect_soundd_port(virtd_t)
-@@ -107,18 +132,31 @@
+@@ -104,21 +133,36 @@
+ 
+ dev_read_sysfs(virtd_t)
+ dev_read_rand(virtd_t)
++dev_getattr_all_chr_files(virtd_t)
  
  # Init script handling
  domain_use_interactive_fds(virtd_t)
@@ -22233,6 +22324,7 @@
  fs_list_auto_mountpoints(virtd_t)
 +fs_getattr_xattr_fs(virtd_t)
  
++storage_manage_fixed_disk(virtd_t)
  storage_raw_write_removable_device(virtd_t)
  storage_raw_read_removable_device(virtd_t)
  
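Review bot: `storage_manage_fixed_disk(virtd_t)` grants raw read/write on every fixed-disk device node on the host, which largely defeats the `virt_image_t` labelling of guest disks for the management daemon itself: a compromised libvirtd reaches any host disk, not only configured images. If this is needed for disk- or partition-backed storage pools, say so in a comment and consider gating it behind a new boolean in the style of the existing `virt_use_nfs` tunable rather than granting it unconditionally; the hunk gives no hint which feature triggered it. The removable-device rules that follow are unchanged.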
@@ -22241,7 +22333,7 @@
  term_getattr_pty_fs(virtd_t)
  term_use_ptmx(virtd_t)
  
-@@ -129,7 +167,11 @@
+@@ -129,7 +173,11 @@
  
  logging_send_syslog_msg(virtd_t)
  
@@ -22253,7 +22345,7 @@
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -167,22 +209,25 @@
+@@ -167,22 +215,33 @@
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
@@ -22270,12 +22362,20 @@
 -#	polkit_domtrans_resolve(virtd_t)
 -#')
 +optional_policy(`
-+	polkit_domtrans_auth(virtd_t)
-+	polkit_domtrans_resolve(virtd_t)
++	kerberos_keytab_template(virtd, virtd_t)
++')
++
++optional_policy(`
++	lvm_domtrans(virtd_t)
 +')
  
  optional_policy(`
 -	qemu_domtrans(virtd_t)
++	polkit_domtrans_auth(virtd_t)
++	polkit_domtrans_resolve(virtd_t)
++')
++
++optional_policy(`
 +	qemu_spec_domtrans(virtd_t, svirt_t)
  	qemu_read_state(virtd_t)
  	qemu_signal(virtd_t)
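Review bot: `lvm_domtrans(virtd_t)` and `kerberos_keytab_template(virtd, virtd_t)` are added without a comment tying them to a libvirt feature; `lvm_t` carries its own raw disk access, so the LVM transition is another host-disk path for the daemon and deserves a `# LVM-backed storage pools: pool operations exec lvm tools` style note. The keytab template declares a dedicated keytab type for virtd (presumably for GSSAPI/SASL authentication), and the matching file context must exist in virt.fc, which is outside this hunk. Reordering the polkit and qemu blocks alphabetically is fine.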
@@ -22284,10 +22384,14 @@
  ')
  
  optional_policy(`
-@@ -197,6 +242,69 @@
- 	xen_stream_connect_xenstore(virtd_t)
+@@ -198,5 +257,72 @@
  ')
  
+ optional_policy(`
+-	unconfined_domain(virtd_t)
++	udev_domtrans(virtd_t)
++')
++
 +#optional_policy(`
 +#	unconfined_domain(virtd_t)
 +#')
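Review bot: `udev_domtrans(virtd_t)` replaces `unconfined_domain(virtd_t)` with no comment saying which udev invocation (e.g. waiting for device nodes after creating them) motivated it; add one line so the transition is not mistaken for leftover debugging. The commented-out `#optional_policy(` / `#	unconfined_domain(virtd_t)` / `#')` block kept right after it is dead text that reads as a ready-to-uncomment escape hatch in the shipped policy; now that virtd_t is meant to be confined, delete it and rely on CVS history. The surrounding `optional_policy` block starts before the hunk.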
@@ -22351,8 +22455,7 @@
 +	xen_rw_image_files(svirt_t)
 +')
 +
- optional_policy(`
--	unconfined_domain(virtd_t)
++optional_policy(`
 +	xen_rw_image_files(svirt_t)
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.8/policy/modules/services/w3c.te
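Review bot: After this hunk virt.te appears to end with two consecutive `optional_policy` blocks that each contain only `xen_rw_image_files(svirt_t)`: the one closing at the top of the hunk and the one opened by the new `+optional_policy(` line. Unless the first block holds further rules above the hunk (its start is not visible here), the second is a duplicate and should be removed. Duplicates do not alter the loaded policy, but they make it harder to audit what svirt_t may do to Xen images.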
@@ -24631,7 +24734,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/init.te	2009-03-10 08:25:55.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/system/init.te	2009-03-11 11:57:43.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -24894,7 +24997,16 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -768,6 +837,10 @@
+@@ -761,6 +830,8 @@
+ 		# system-config-services causes avc messages that should be dontaudited
+ 		unconfined_dontaudit_rw_pipes(daemon)
+ 	')
++	# sudo service restart causes this 
++	unconfined_signull(daemon)
+ 
+ 	optional_policy(`
+ 		mono_domtrans(initrc_t)
+@@ -768,6 +839,10 @@
  ')
  
  optional_policy(`
@@ -24905,7 +25017,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -790,3 +863,11 @@
+@@ -790,3 +865,11 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -25092,7 +25204,7 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.8/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/iscsi.te	2009-03-10 08:25:55.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/system/iscsi.te	2009-03-10 15:47:16.000000000 -0400
 @@ -28,7 +28,7 @@
  # iscsid local policy
  #
@@ -25111,6 +25223,23 @@
  files_lock_filetrans(iscsid_t,iscsi_lock_t,file)
  
  allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
+@@ -55,6 +55,7 @@
+ files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
+ 
+ kernel_read_system_state(iscsid_t)
++kernel_search_debugfs(iscsid_t)
+ 
+ corenet_all_recvfrom_unlabeled(iscsid_t)
+ corenet_all_recvfrom_netlabel(iscsid_t)
+@@ -73,6 +74,6 @@
+ 
+ logging_send_syslog_msg(iscsid_t)
+ 
+-miscfiles_read_localization(iscsid_t)
++auth_use_nsswitch(iscsid_t)
+ 
+-sysnet_dns_name_resolve(iscsid_t)
++miscfiles_read_localization(iscsid_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.8/policy/modules/system/libraries.fc	2009-03-10 08:25:55.000000000 -0400
@@ -27703,7 +27832,7 @@
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/unconfined.if	2009-03-10 08:25:55.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/system/unconfined.if	2009-03-10 16:09:06.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -27983,7 +28112,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/unconfined.te	2009-03-10 15:44:05.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/system/unconfined.te	2009-03-11 15:44:23.000000000 -0400
 @@ -5,6 +5,35 @@
  #
  # Declarations
@@ -28035,7 +28164,7 @@
 +allow unconfined_r system_r;
 +init_script_role_transition(unconfined_r)
 +role system_r types unconfined_t;
-+typealias unconfined_t alias unconfined_dbusd_t;
++typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t };
  
  type unconfined_execmem_t;
 -type unconfined_execmem_exec_t;
@@ -28075,7 +28204,7 @@
  
  libs_run_ldconfig(unconfined_t, unconfined_r)
  
-@@ -42,26 +94,46 @@
+@@ -42,26 +94,53 @@
  logging_run_auditctl(unconfined_t, unconfined_r)
  
  mount_run_unconfined(unconfined_t, unconfined_r)
@@ -28091,6 +28220,9 @@
  
  userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
  
++usermanage_run_passwd(unconfined_t, unconfined_r)
++usermanage_run_chfn(unconfined_t, unconfined_r)
++
 +tunable_policy(`unconfined_login',`
 +	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
 +	allow unconfined_t unconfined_login_domain:fd use;
@@ -28099,6 +28231,10 @@
 +')
 +
 +optional_policy(`
++	loadkeys_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
 +	nsplugin_role_notrans(unconfined_r, unconfined_t)
 +	tunable_policy(`allow_unconfined_nsplugin_transition',`
 +	      nsplugin_domtrans(unconfined_execmem_t)
@@ -28124,7 +28260,7 @@
  ')
  
  optional_policy(`
-@@ -102,12 +174,24 @@
+@@ -102,12 +181,24 @@
  	')
  
  	optional_policy(`
@@ -28149,7 +28285,7 @@
  ')
  
  optional_policy(`
-@@ -119,72 +203,80 @@
+@@ -119,72 +210,84 @@
  ')
  
  optional_policy(`
@@ -28196,25 +28332,27 @@
  
  optional_policy(`
 -	portmap_run_helper(unconfined_t, unconfined_r)
-+	prelink_run(unconfined_t, unconfined_r)
++	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
  ')
  
  optional_policy(`
 -	postfix_run_map(unconfined_t, unconfined_r)
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
-+	portmap_run_helper(unconfined_t, unconfined_r)
++	prelink_run(unconfined_t, unconfined_r)
  ')
  
  optional_policy(`
 -	pyzor_role(unconfined_r, unconfined_t)
--')
-+	qemu_role_notrans(unconfined_r, unconfined_t)
-+	qemu_unconfined_role(unconfined_r)
++	portmap_run_helper(unconfined_t, unconfined_r)
+ ')
  
--optional_policy(`
+ optional_policy(`
 -	# cjp: this should probably be removed:
 -	rpc_domtrans_nfsd(unconfined_t)
++	qemu_role_notrans(unconfined_r, unconfined_t)
++	qemu_unconfined_role(unconfined_r)
++
 +	tunable_policy(`allow_unconfined_qemu_transition',`
 +		qemu_domtrans(unconfined_t)
 +	',`
@@ -28249,7 +28387,7 @@
  ')
  
  optional_policy(`
-@@ -192,7 +284,7 @@
+@@ -192,7 +295,7 @@
  ')
  
  optional_policy(`
@@ -28258,7 +28396,7 @@
  ')
  
  optional_policy(`
-@@ -204,11 +296,12 @@
+@@ -204,11 +307,12 @@
  ')
  
  optional_policy(`
@@ -28273,7 +28411,7 @@
  ')
  
  ########################################
-@@ -218,14 +311,61 @@
+@@ -218,14 +322,61 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -28298,7 +28436,7 @@
 +
 +optional_policy(`
 +	xserver_rw_shm(unconfined_execmem_t)
- ')
++')
 +
 +########################################
 +#
@@ -28325,7 +28463,7 @@
 +		type mozilla_exec_t;
 +	')
 +	domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
-+')
+ ')
 +')
 +
 +optional_policy(`
@@ -30200,7 +30338,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.8/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/userdomain.te	2009-03-10 08:25:55.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/system/userdomain.te	2009-03-10 15:58:19.000000000 -0400
 @@ -8,13 +8,6 @@
  
  ## <desc>
@@ -30394,8 +30532,8 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.8/policy/modules/system/virtual.te
 --- nsaserefpolicy/policy/modules/system/virtual.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/virtual.te	2009-03-10 08:25:55.000000000 -0400
-@@ -0,0 +1,78 @@
++++ serefpolicy-3.6.8/policy/modules/system/virtual.te	2009-03-11 14:43:06.000000000 -0400
+@@ -0,0 +1,80 @@
 +
 +policy_module(virtualization, 1.1.2)
 +
@@ -30456,6 +30594,8 @@
 +
 +auth_use_nsswitch(virtualdomain)
 +
++logging_send_syslog_msg(virtualdomain)
++
 +miscfiles_read_localization(virtualdomain)
 +
 +optional_policy(`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.803
retrieving revision 1.804
diff -u -r1.803 -r1.804
--- selinux-policy.spec	9 Mar 2009 21:58:08 -0000	1.803
+++ selinux-policy.spec	11 Mar 2009 20:05:16 -0000	1.804
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -368,9 +368,6 @@
 if [ $1 -eq 1 ]; then
 %loadminpolicy minimum
 semanage -S minimum -i - << __eof
-user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 
-__eof
-semanage -S minimum -i - << __eof
 login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 login -m  -s unconfined_u -r s0-s0:c0.c1023 root
 __eof
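Review bot: Removing the `user -a ... unconfined_u` line from the minimum-policy `%post` leaves the following `login -m -s unconfined_u ...` commands depending on unconfined_u already existing in the store; if the minimum policy does not ship that SELinux user, `semanage` fails and, since the scriptlet never checks its exit status, the root and `__default__` mappings silently stay unset. If unconfined_u now comes from the policy's users file, a comment above the heredoc such as `# unconfined_u is defined by the policy itself since 3.6.8-4` records the reason; otherwise keep the `user -a` line. The rest of the `%post` scriptlet is outside the hunk.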
@@ -447,6 +444,10 @@
 %endif
 
 %changelog
+* Tue Mar 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.8-4
+- Fixes for iscsid and sssd
+- More cleanups for upgrade from F10 to Rawhide.
+
 * Mon Mar 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.8-3
 - Add pulseaudio, sssd policy
 - Allow networkmanager to exec udevadm



