rpms/selinux-policy/F-10 policy-20080710.patch,1.147,1.148
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Mar 19 17:19:33 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27905
Modified Files:
policy-20080710.patch
Log Message:
- Allow mdadm to read/write mls override
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.147
retrieving revision 1.148
diff -u -r1.147 -r1.148
--- policy-20080710.patch 12 Mar 2009 14:49:10 -0000 1.147
+++ policy-20080710.patch 19 Mar 2009 17:19:31 -0000 1.148
@@ -6351,26 +6351,32 @@
files_read_etc_runtime_files(webalizer_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.13/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2009-03-06 09:53:41.000000000 +0100
-@@ -1,4 +1,15 @@
++++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2009-03-16 15:53:56.000000000 +0100
+@@ -1,4 +1,21 @@
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
-+
+
+-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-+
-+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-+
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
++/usr/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
-+/usr/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
-
--/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
--/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
++
++/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
++
++/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.13/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/wine.if 2009-02-10 15:07:15.000000000 +0100
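Review bot: The eight new `/opt/google/picasa(/.*)?/bin/...` entries repeat the same context once per helper name, which makes it easy for the Picasa list and the `/usr/bin` list to drift apart (`wdi` already exists only on the Picasa side). A single alternation such as `/opt/google/picasa(/.*)?/bin/(wine.*|regsvr32|regedit|uninstaller|msiexec|progman|notepad|wdi) -- gen_context(system_u:object_r:wine_exec_t,s0)` would keep the set in one place. Because `(/.*)?` matches at any depth, a short comment such as `# Picasa bundles its own wine helpers; label them like the system copies` would also record why generic names like `notepad` get wine_exec_t under this tree.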
@@ -8779,7 +8785,7 @@
Binary files nsaserefpolicy/policy/modules/kernel/.filesystem.if.swp and serefpolicy-3.5.13/policy/modules/kernel/.filesystem.if.swp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2009-03-18 09:34:45.000000000 +0100
@@ -21,7 +21,7 @@
# Use xattrs for the following filesystem types.
@@ -8810,7 +8816,24 @@
type vxfs_t;
fs_noxattr_type(vxfs_t)
-@@ -241,6 +248,8 @@
+@@ -199,6 +206,11 @@
+ genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
+ genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
+ genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
++# Labeling dosfs_t since these are removable file systems with the i
++# same security properties as dosfs_t
++genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
++genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0)
++
+
+ type fusefs_t;
+ fs_noxattr_type(fusefs_t)
+@@ -236,11 +248,11 @@
+ genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon coda / gen_context(system_u:object_r:nfs_t,s0)
+-genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
+-genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
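Review bot: The added comment above the hfs/hfsplus genfscon lines ends in a stray `i` (`... removable file systems with the i`), which looks like an editor keystroke left in the policy source; the line should end `... removable file systems with the`. Moving hfs and hfsplus from nfs_t to dosfs_t also changes which domains can reach those volumes, since a genfscon label applies to every file on the mount. The log message mentions only mdadm, so a changelog entry for the relabel would help administrators who wrote local rules against nfs_t for these filesystems. The filesystem.te declarations continue outside the hunk.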
@@ -18135,20 +18158,20 @@
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.5.13/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/milter.fc 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/milter.fc 2009-03-17 16:49:14.000000000 +0100
@@ -0,0 +1,8 @@
+
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
-+
++/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.5.13/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/milter.if 2009-02-18 14:29:13.000000000 +0100
-@@ -0,0 +1,84 @@
++++ serefpolicy-3.5.13/policy/modules/services/milter.if 2009-03-17 16:49:58.000000000 +0100
+@@ -0,0 +1,104 @@
+## <summary>Milter mail filters</summary>
+
+########################################
@@ -18233,10 +18256,30 @@
+ getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+')
+
++########################################
++## <summary>
++## Manage spamassassin milter state
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`spamass_milter_manage_state',`
++ gen_require(`
++ type spamass_milter_state_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
++ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
++ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.5.13/policy/modules/services/milter.te
--- nsaserefpolicy/policy/modules/services/milter.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/milter.te 2009-02-10 15:07:15.000000000 +0100
-@@ -0,0 +1,55 @@
++++ serefpolicy-3.5.13/policy/modules/services/milter.te 2009-03-17 16:48:44.000000000 +0100
+@@ -0,0 +1,69 @@
+
+policy_module(milter, 1.0.0)
+
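Review bot: The new interface `spamass_milter_manage_state` is defined in milter.if but does not carry the module prefix, so a reader of the caller in spamassassin.te cannot tell which module provides it; a name like `milter_manage_spamass_state` would follow the usual module-prefixed interface naming. The summary says only "Manage spamassassin milter state", while the body grants create, write and delete on files, directories and symlinks of spamass_milter_state_t; the summary should say so, for example `## Create, read, write, and delete spamass-milter state files, directories and symlinks.` Whether spamd_t needs the full manage set rather than `rw_files_pattern` depends on spamd behaviour that is not visible in this patch.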
@@ -18253,6 +18296,12 @@
+milter_template(regex)
+milter_template(spamass)
+
++# Type for the spamass-milter home directory, under which spamassassin will
++# store system-wide preferences, bayes databases etc. if not configured to
++# use per-user configuration
++type spamass_milter_state_t;
++files_type(spamass_milter_state_t);
++
+########################################
+#
+# milter-regex local policy
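Review bot: `files_type(spamass_milter_state_t);` ends with a semicolon, unlike the other macro calls visible in this patch (`files_type(mailscanner_spool_t)`, `kernel_read_system_state(spamass_milter_t)`). The same applies to `files_search_var_lib(spamass_milter_t);` in the two hunks that follow. Dropping the trailing `;` after these macro invocations keeps the module consistent with the rest of the policy and avoids leaving an empty statement after expansion.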
@@ -18260,6 +18309,10 @@
+# http://www.benzedrine.cx/milter-regex.html
+#
+
++# The milter runs from /var/lib/spamass-milter
++files_search_var_lib(spamass_milter_t);
++allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
++
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_override };
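Review bot: The four lines added here grant `spamass_milter_t` search access to `/var/lib` and to spamass_milter_state_t, but they sit under the "milter-regex local policy" header, and the identical block is added again in the next hunk under the spamass-milter section. The file's line count goes from 55 to 69, which accounts for both copies, so this looks like a copy/paste duplicate rather than a display artefact. The copy in the milter-regex section should be removed so that each section contains only rules for its own domain. If regex_milter_t was the intended subject here, that cannot be confirmed from this patch and would need a separate justification.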
@@ -18280,6 +18333,10 @@
+# http://savannah.nongnu.org/projects/spamass-milt/
+#
+
++# The milter runs from /var/lib/spamass-milter
++files_search_var_lib(spamass_milter_t);
++allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
++
+kernel_read_system_state(spamass_milter_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
@@ -27790,7 +27847,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2009-02-18 14:29:57.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2009-03-17 16:50:53.000000000 +0100
@@ -21,16 +21,24 @@
gen_tunable(spamd_enable_home_dirs, true)
@@ -27974,8 +28031,14 @@
')
optional_policy(`
-@@ -213,3 +263,131 @@
+@@ -211,5 +261,137 @@
+ ')
+
optional_policy(`
++ spamass_milter_manage_state(spamd_t)
++')
++
++optional_policy(`
udev_read_db(spamd_t)
')
+
@@ -32615,7 +32678,7 @@
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2009-03-05 13:40:41.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2009-03-18 14:31:14.000000000 +0100
@@ -60,12 +60,15 @@
#
# /opt
@@ -32714,7 +32777,17 @@
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -233,7 +251,7 @@
+@@ -208,6 +226,9 @@
+ /usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++# Canon
++/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ # Fedora Extras packages: ladspa, imlib2, ocaml
+ /usr/lib(64)?/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -233,7 +254,7 @@
/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
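Review bot: The new Canon entry `/usr/lib/libcncpmslld328\.so(\.[^/]*)*` omits the `--` file-type specifier and the `(64)?` suffix that the neighbouring textrel_shlib_t entries in this hunk use, so it matches any object class at that path and would miss a /usr/lib64 install. textrel_shlib_t relaxes the text-relocation check for the library, so the match should be at least as narrow as the others: `/usr/lib(64)?/libcncpmslld328\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Whether a 64-bit build of this driver exists is not shown here; keep plain `/usr/lib` if it does not, but still add `--`.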
@@ -32723,7 +32796,7 @@
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -246,13 +264,16 @@
+@@ -246,13 +267,16 @@
# Flash plugin, Macromedia
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -32742,7 +32815,7 @@
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +288,9 @@
+@@ -267,6 +291,9 @@
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -32752,7 +32825,7 @@
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +315,8 @@
+@@ -291,6 +318,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -32761,7 +32834,7 @@
') dnl end distro_redhat
#
-@@ -307,6 +333,33 @@
+@@ -307,6 +336,33 @@
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
')
@@ -33718,7 +33791,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.13/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/raid.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/raid.te 2009-03-19 18:14:44.000000000 +0100
@@ -39,6 +39,7 @@
dev_dontaudit_getattr_generic_files(mdadm_t)
dev_dontaudit_getattr_generic_chr_files(mdadm_t)
@@ -33727,6 +33800,16 @@
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
+@@ -48,6 +49,9 @@
+ storage_dev_filetrans_fixed_disk(mdadm_t)
+ storage_read_scsi_generic(mdadm_t)
+
++mls_file_read_all_levels(mdadm_t)
++mls_file_write_all_levels(mdadm_t)
++
+ term_dontaudit_list_ptys(mdadm_t)
+
+ # Helper program access
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.5.13/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.fc 2009-02-10 15:07:15.000000000 +0100
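Review bot: `mls_file_read_all_levels(mdadm_t)` and `mls_file_write_all_levels(mdadm_t)` exempt mdadm_t from the MLS constraints on file objects in both directions, yet the hunk carries no comment saying which access was denied or why both read and write overrides are needed. A why-comment above the pair, e.g. `# MLS override: mdadm needs <ACCESS> on <OBJECT> at all levels (ref: <BUG-ID>)`, would let a later reviewer judge whether one of the two can be dropped or replaced by a narrower range transition. The mdadm_t rule block starts and ends outside the hunk, so any existing justification elsewhere in raid.te is not visible here.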
@@ -38814,7 +38897,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.13/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2009-03-19 18:00:28.000000000 +0100
@@ -20,6 +20,7 @@
/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
@@ -38825,7 +38908,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.13/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/xen.if 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/xen.if 2009-03-19 18:01:20.000000000 +0100
@@ -155,7 +155,7 @@
stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t)
')
@@ -38851,7 +38934,7 @@
')
########################################
-@@ -191,3 +194,24 @@
+@@ -191,3 +194,25 @@
domtrans_pattern($1,xm_exec_t,xm_t)
')
@@ -38876,9 +38959,10 @@
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1, xen_image_t, xen_image_t)
+')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/xen.te 2009-03-19 18:04:54.000000000 +0100
@@ -6,6 +6,13 @@
# Declarations
#