rpms/selinux-policy/F-10 modules-minimum.conf, 1.8, 1.9 modules-mls.conf, 1.40, 1.41 modules-targeted.conf, 1.113, 1.114 policy-20080710.patch, 1.146, 1.147
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Mar 12 14:49:41 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1760
Modified Files:
modules-minimum.conf modules-mls.conf modules-targeted.conf
policy-20080710.patch
Log Message:
- Fix sysnet/net_conf_t
Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/modules-minimum.conf,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- modules-minimum.conf 4 Feb 2009 10:33:05 -0000 1.8
+++ modules-minimum.conf 12 Mar 2009 14:49:10 -0000 1.9
@@ -793,6 +793,13 @@
#
gpg = module
+# Layer: services
+# Module: gpsd
+#
+# gpsd monitor daemon
+#
+gpsd = module
+
# Layer: admin
# Module: mrtg
#
Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/modules-mls.conf,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- modules-mls.conf 4 Feb 2009 10:33:05 -0000 1.40
+++ modules-mls.conf 12 Mar 2009 14:49:10 -0000 1.41
@@ -255,6 +255,13 @@
#
gpg = module
+# Layer: services
+# Module: gpsd
+#
+# gpsd monitor daemon
+#
+gpsd = module
+
# Layer: apps
# Module: loadkeys
#
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/modules-targeted.conf,v
retrieving revision 1.113
retrieving revision 1.114
diff -u -r1.113 -r1.114
--- modules-targeted.conf 4 Feb 2009 10:33:05 -0000 1.113
+++ modules-targeted.conf 12 Mar 2009 14:49:10 -0000 1.114
@@ -477,6 +477,13 @@
#
getty = base
+# Layer: services
+# Module: gpsd
+#
+# gpsd monitor daemon
+#
+gpsd = module
+
# Layer: apps
# Module: gnome
#
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.146
retrieving revision 1.147
diff -u -r1.146 -r1.147
--- policy-20080710.patch 11 Mar 2009 11:42:43 -0000 1.146
+++ policy-20080710.patch 12 Mar 2009 14:49:10 -0000 1.147
@@ -2326,7 +2326,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.13/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/apps/gnome.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/apps/gnome.te 2009-03-12 13:00:13.000000000 +0100
@@ -8,8 +8,33 @@
attribute gnomedomain;
@@ -2357,7 +2357,7 @@
+#
+type gconfd_t, gnomedomain;
+application_domain(gconfd_t, gconfd_exec_t)
-+role system_r types gconfd_exec_t;
++role system_r types gconfd_t;
+
+##############################
+#
@@ -6674,8 +6674,29 @@
+wm_domain_template(user,xdm)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2009-02-26 15:48:02.000000000 +0100
-@@ -123,12 +123,17 @@
++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2009-03-12 13:44:36.000000000 +0100
+@@ -73,10 +73,16 @@
+ /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0)
+-/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0)
+-/etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0)
+-/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
+-/etc/sysconfig/network-scripts/ifdown-.* -l gen_context(system_u:object_r:bin_t,s0)
++
++/etc/sysconfig/network-scripts/ifup.* gen_context(system_u:object_r:bin_t,s0)
++/etc/sysconfig/network-scripts/ifdown.* gen_context(system_u:object_r:bin_t,s0)
++/etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0)
++/etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0)
++
++#/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0)
++#/etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0)
++#/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
++#/etc/sysconfig/network-scripts/ifdown-.* -l gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
+@@ -123,12 +129,17 @@
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
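Review bot: The new `ifup.*`, `ifdown.*`, `net.*` and `init.*` entries drop the `--`/`-l` file-type specifiers that the removed lines carried, so bin_t now applies to any object type under network-scripts whose name starts with one of those prefixes. `net.*` and `init.*` in particular are short prefix matches; if only the helper scripts are meant, keep the specifier and anchor the names more tightly, e.g. `/etc/sysconfig/network-scripts/ifup.* -- gen_context(system_u:object_r:bin_t,s0)`. The four old entries are left in as `#`-commented lines and would be better deleted, so the file does not carry two versions of the same rule. The inner corecommands.fc hunk continues beyond what this outer hunk shows.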
@@ -6693,7 +6714,7 @@
#
# /usr
#
-@@ -176,6 +181,8 @@
+@@ -176,6 +187,8 @@
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
@@ -6702,7 +6723,7 @@
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -184,10 +191,8 @@
+@@ -184,10 +197,8 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -6715,7 +6736,7 @@
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -202,6 +207,7 @@
+@@ -202,6 +213,7 @@
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -6723,7 +6744,7 @@
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-@@ -222,14 +228,15 @@
+@@ -222,14 +234,15 @@
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -6741,7 +6762,7 @@
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
-@@ -292,3 +299,14 @@
+@@ -292,3 +305,14 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -22010,7 +22031,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2009-03-12 13:00:18.000000000 +0100
@@ -0,0 +1,235 @@
+policy_module(polkit_auth, 1.0.0)
+
@@ -22139,7 +22160,7 @@
+optional_policy(`
+ dbus_system_bus_client_template(polkit_auth, polkit_auth_t)
+ consolekit_dbus_chat(polkit_auth_t)
-+ dbus_system_domain(polkit_exec_t, polkit_t)
++ dbus_system_domain(polkit_auth_t, polkit_auth_exec_t)
+')
+
+optional_policy(`
@@ -26807,7 +26828,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te 2009-03-12 12:57:27.000000000 +0100
@@ -11,6 +11,9 @@
domain_type(setroubleshootd_t)
init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -26865,7 +26886,7 @@
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
-@@ -97,22 +110,25 @@
+@@ -97,23 +110,30 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -26893,6 +26914,11 @@
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
+ ')
++
++optional_policy(`
++ unconfined_signull(setroubleshoot_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.13/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/smartmon.te 2009-02-10 15:07:15.000000000 +0100
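Review bot: The added `unconfined_signull(setroubleshoot_t)` names a type that no other visible line uses; every rule in the surrounding context refers to `setroubleshootd_t`. This looks like a typo. Depending on how the optional block is resolved, the rule would either break the build or be dropped, so the intended signull permission is probably never granted. The line should likely read `unconfined_signull(setroubleshootd_t)`.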
@@ -34546,8 +34572,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc 2009-02-10 15:07:15.000000000 +0100
-@@ -11,15 +11,21 @@
++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc 2009-03-12 13:33:35.000000000 +0100
+@@ -11,15 +11,23 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -34563,13 +34589,17 @@
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
+
ifdef(`distro_redhat',`
- /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/networking/profiles/.*/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
+-/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/sysconfig/networking/profiles/.*/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
++
')
#
-@@ -57,3 +63,5 @@
+@@ -57,3 +65,5 @@
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
')
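Review bot: The added catch-all `/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)` labels the directory itself and everything in it net_conf_t, not just the resolv.conf and hosts files the neighbouring entries name. The sysnetwork.if hunk at `@@ -34605,7 +34635,26 @@` changes an interface to `manage_files_pattern($1, net_conf_t, net_conf_t)`, and the sysnetwork.te hunk switches dhcpc_t to `sysnet_manage_config(dhcpc_t)`. Together these appear to let every caller of that interface create, rewrite and delete files in network-scripts. If the privileged network scripts read the interface configuration files there, as seems likely, that is a wider write surface than "Fix sysnet/net_conf_t" suggests. Consider labelling only the configuration files with `--` entries, or add a comment in the .fc explaining why the whole tree must be net_conf_t. It is also worth confirming with `matchpathcon` that the bin_t entries for this directory in corecommands.fc still win over the catch-all.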
@@ -34577,7 +34607,7 @@
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.13/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2009-03-12 14:42:54.000000000 +0100
@@ -198,7 +198,25 @@
type dhcpc_state_t;
')
@@ -34605,7 +34635,26 @@
')
#######################################
-@@ -553,6 +571,7 @@
+@@ -236,7 +254,7 @@
+ ')
+
+ files_search_etc($1)
+- allow $1 net_conf_t:file read_file_perms;
++ read_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+
+ #######################################
+@@ -329,7 +347,8 @@
+ type net_conf_t;
+ ')
+
+- allow $1 net_conf_t:file manage_file_perms;
++ allow $1 net_conf_t:dir list_dir_perms;
++ manage_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+
+ #######################################
+@@ -553,6 +572,7 @@
type net_conf_t;
')
@@ -34613,7 +34662,7 @@
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
-@@ -569,6 +588,14 @@
+@@ -569,6 +589,14 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
@@ -34628,7 +34677,7 @@
')
########################################
-@@ -598,6 +625,8 @@
+@@ -598,6 +626,8 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
@@ -34637,7 +34686,7 @@
')
########################################
-@@ -632,3 +661,49 @@
+@@ -632,3 +662,49 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
')
@@ -34689,7 +34738,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2009-03-12 15:06:51.000000000 +0100
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -34727,6 +34776,15 @@
manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t)
filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file)
+@@ -65,7 +69,7 @@
+
+ # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
+ # in /etc created by dhcpcd will be labelled net_conf_t.
+-allow dhcpc_t net_conf_t:file manage_file_perms;
++sysnet_manage_config(dhcpc_t)
+ files_etc_filetrans(dhcpc_t,net_conf_t,file)
+
+ # create temp files
@@ -116,7 +120,7 @@
corecmd_exec_shell(dhcpc_t)