rpms/selinux-policy/F-10 modules-minimum.conf, 1.9, 1.10 modules-mls.conf, 1.41, 1.42 modules-targeted.conf, 1.114, 1.115 policy-20080710.patch, 1.148, 1.149 selinux-policy.spec, 1.780, 1.781

Miroslav Grepl mgrepl at fedoraproject.org
Fri Mar 20 09:33:18 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14828

Modified Files:
	modules-minimum.conf modules-mls.conf modules-targeted.conf 
	policy-20080710.patch selinux-policy.spec 
Log Message:
- Add gitosis policy



Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/modules-minimum.conf,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- modules-minimum.conf	12 Mar 2009 14:49:10 -0000	1.9
+++ modules-minimum.conf	20 Mar 2009 09:32:47 -0000	1.10
@@ -787,6 +787,13 @@
 mplayer = module
 
 # Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+# 
+gitosis = module
+
+# Layer: apps
 # Module: gpg
 #
 # Policy for Mozilla and related web browsers


Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/modules-mls.conf,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -r1.41 -r1.42
--- modules-mls.conf	12 Mar 2009 14:49:10 -0000	1.41
+++ modules-mls.conf	20 Mar 2009 09:32:47 -0000	1.42
@@ -249,6 +249,13 @@
 dmidecode = base
 
 # Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+# 
+gitosis = module
+
+# Layer: apps
 # Module: gpg
 #
 # Policy for GNU Privacy Guard and related programs.


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/modules-targeted.conf,v
retrieving revision 1.114
retrieving revision 1.115
diff -u -r1.114 -r1.115
--- modules-targeted.conf	12 Mar 2009 14:49:10 -0000	1.114
+++ modules-targeted.conf	20 Mar 2009 09:32:47 -0000	1.115
@@ -477,6 +477,13 @@
 # 
 getty = base
 
+# Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+# 
+gitosis = module
+ 
 # Layer: services
 # Module: gpsd
 #

policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.148
retrieving revision 1.149
diff -u -r1.148 -r1.149
--- policy-20080710.patch	19 Mar 2009 17:19:31 -0000	1.148
+++ policy-20080710.patch	20 Mar 2009 09:32:47 -0000	1.149
@@ -2053,6 +2053,159 @@
 +	rw_files_pattern($1, games_data_t, games_data_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.5.13/policy/modules/apps/gitosis.fc
+--- nsaserefpolicy/policy/modules/apps/gitosis.fc	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/apps/gitosis.fc	2009-03-20 09:26:47.000000000 +0100
+@@ -0,0 +1,4 @@
++
++/usr/bin/gitosis-serve			--        gen_context(system_u:object_r:gitosis_exec_t,s0)
++
++/var/lib/gitosis(/.*)?                            gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.5.13/policy/modules/apps/gitosis.if
+--- nsaserefpolicy/policy/modules/apps/gitosis.if	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/apps/gitosis.if	2009-03-20 09:26:47.000000000 +0100
+@@ -0,0 +1,94 @@
++## <summary>gitosis interface</summary>
++
++#######################################
++## <summary>
++##      Execute a domain transition to run gitosis.
++## </summary>
++## <param name="domain">
++## <summary>
++##      Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`gitosis_domtrans',`
++        gen_require(`
++                type gitosis_t, gitosis_exec_t;
++        ')
++
++        domtrans_pattern($1, gitosis_exec_t, gitosis_t)
++')
++
++#######################################
++## <summary>
++##      Execute gitosis-serve in the gitosis domain, and
++##      allow the specified role the gitosis domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access
++##      </summary>
++## </param>
++## <param name="role">
++##      <summary>
++##      The role to be allowed the gpsd domain.
++##      </summary>
++## </param>
++## <param name="terminal">
++##      <summary>
++##      The type of the role's terminal.
++##      </summary>
++## </param>
++#
++interface(`gitosis_run',`
++        gen_require(`
++                type gitosis_t;
++        ')
++
++        gitosis_domtrans($1)
++        role $2 types gitosis_t;
++        allow gitosis_t $3:chr_file rw_term_perms;
++')
++
++#######################################
++## <summary>
++##      Allow the specified domain to read
++##      gitosis lib files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`gitosis_read_var_lib',`
++        gen_require(`
++                type gitosis_var_lib_t;
++
++        ')
++
++        read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++	read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++        list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++')
++
++######################################
++## <summary>
++##      Allow the specified domain to manage
++##      gitosis lib files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`gitosis_manage_var_lib',`
++        gen_require(`
++                type gitosis_var_lib_t;
++
++        ')
++
++        manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.5.13/policy/modules/apps/gitosis.te
+--- nsaserefpolicy/policy/modules/apps/gitosis.te	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/apps/gitosis.te	2009-03-20 09:27:40.000000000 +0100
+@@ -0,0 +1,43 @@
++policy_module(gitosis,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gitosis_t;
++type gitosis_exec_t;
++application_domain(gitosis_t, gitosis_exec_t)
++role system_r types gitosis_t;
++
++type gitosis_var_lib_t;
++files_type(gitosis_var_lib_t)
++
++########################################
++#
++# gitosis local policy
++#
++
++allow gitosis_t self:fifo_file rw_fifo_file_perms;
++
++exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++
++corecmd_exec_bin(gitosis_t) 
++corecmd_exec_shell(gitosis_t)
++
++kernel_read_system_state(gitosis_t)
++
++files_read_usr_files(gitosis_t)
++files_search_var_lib(gitosis_t)
++
++libs_use_ld_so(gitosis_t)
++libs_use_shared_libs(gitosis_t)
++
++miscfiles_read_localization(gitosis_t)
++
++optional_policy(`
++	ssh_rw_pipes(gitosis_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.5.13/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2008-10-17 14:49:14.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/apps/gnome.fc	2009-02-10 15:07:15.000000000 +0100
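Review bot: In gitosis.te the domain gets both `exec_files_pattern` and `manage_files_pattern` on gitosis_var_lib_t, so anything gitosis_t can write under /var/lib/gitosis it can also execute, which gives up the data/code separation a dedicated type would otherwise provide; that is a deliberate weakening and deserves a why-comment above the two lines, e.g. `# repositories carry git hooks that gitosis-serve both writes and runs`. The hook rationale is inferred from how gitosis works, so confirm it before adding the comment. Separately, the `role` parameter of `gitosis_run` in gitosis.if is documented as "The role to be allowed the gpsd domain.", a copy-paste leftover from the gpsd module that should read `The role to be allowed the gitosis domain.`. The interface bodies also mix tab and space indentation (the `read_lnk_files_pattern` and `manage_dirs_pattern` lines are tab-indented, the rest use spaces), which refpolicy style keeps to tabs.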
@@ -18972,7 +19125,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.13/policy/modules/services/mysql.if
 --- nsaserefpolicy/policy/modules/services/mysql.if	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/mysql.if	2009-02-26 16:00:52.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/mysql.if	2009-03-20 09:38:48.000000000 +0100
 @@ -53,9 +53,11 @@
  interface(`mysql_stream_connect',`
  	gen_require(`
@@ -18994,12 +19147,31 @@
  ')
  
  ########################################
-@@ -120,6 +122,25 @@
+@@ -120,6 +122,44 @@
  	allow $1 mysqld_db_t:dir rw_dir_perms;
  ')
  
 +#######################################
 +## <summary>
++##      Append to the MySQL database directory.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`mysql_append_db_files',`
++        gen_require(`
++                type mysqld_db_t;
++        ')
++
++	files_search_var_lib($1)
++	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
++')
++
++#######################################
++## <summary>
 +##      Read and write to the MySQL database directory.
 +## </summary>
 +## <param name="domain">
@@ -19020,7 +19192,7 @@
  ########################################
  ## <summary>
  ##	Create, read, write, and delete MySQL database directories.
-@@ -139,6 +160,25 @@
+@@ -139,6 +179,25 @@
  	allow $1 mysqld_db_t:dir manage_dir_perms;
  ')
  
@@ -19046,7 +19218,7 @@
  ########################################
  ## <summary>
  ##	Read and write to the MySQL database
-@@ -157,7 +197,26 @@
+@@ -157,7 +216,26 @@
  
  	files_search_var_lib($1)
  	allow $1 mysqld_db_t:dir search;
@@ -19074,12 +19246,12 @@
  ')
  
  ########################################
-@@ -176,5 +235,49 @@
+@@ -176,5 +254,49 @@
  	')
  
  	logging_search_logs($1)
 -	allow $1 mysqld_log_t:file { write append setattr ioctl };
-+	write_files_pattern($1,mysqld_log_t,mysqld_log_t)
++	allow $1 mysqld_log_t:file { write_file_perms setattr getattr };
 +')
 +
 +########################################
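Review bot: Replacing `write_files_pattern($1,mysqld_log_t,mysqld_log_t)` with a raw `allow $1 mysqld_log_t:file { write_file_perms setattr getattr };` drops the `search` on mysqld_log_t directories that the pattern macro carried, so a caller writing to a log inside a mysqld_log_t-labelled directory now relies solely on the preceding `logging_search_logs($1)`. If write_file_perms is the usual refpolicy set it already includes getattr, so the explicit `getattr` is redundant. Keeping `write_files_pattern($1, mysqld_log_t, mysqld_log_t)` and adding `allow $1 mysqld_log_t:file setattr;` preserves both the directory search and the extra permission. The interface header (presumably mysql_write_log) starts outside this hunk.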
@@ -19127,7 +19299,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.13/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/mysql.te	2009-02-26 15:37:23.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/mysql.te	2009-03-20 09:39:54.000000000 +0100
 @@ -10,6 +10,10 @@
  type mysqld_exec_t;
  init_daemon_domain(mysqld_t, mysqld_exec_t)
@@ -19173,7 +19345,7 @@
  
  domain_use_interactive_fds(mysqld_t)
  
-@@ -120,3 +129,40 @@
+@@ -120,3 +129,39 @@
  optional_policy(`
  	udev_read_db(mysqld_t)
  ')
@@ -19188,8 +19360,7 @@
 +allow mysqld_safe_t self:capability { dac_override fowner chown };
 +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 + 
-+append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-+         
++mysql_append_db_files(mysqld_safe_t)        
 +mysql_read_config(mysqld_safe_t)
 +mysql_search_pid_files(mysqld_safe_t)
 +mysql_write_log(mysqld_safe_t)
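Review bot: The replacement line `mysql_append_db_files(mysqld_safe_t)` carries a run of trailing spaces, which will show up as noise in every later diff of this file; strip them. The mysqld_safe_t block begins and ends outside this hunk.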
@@ -28246,7 +28417,7 @@
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/ssh.if	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/ssh.if	2009-03-20 09:28:24.000000000 +0100
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -28471,9 +28642,9 @@
  	corenet_tcp_bind_ssh_port($1_t)
  	corenet_tcp_connect_all_ports($1_t)
 +	corenet_tcp_bind_all_unreserved_ports($1_t)
- 	corenet_sendrecv_ssh_server_packets($1_t)
-+	# -R qualifier
 +	corenet_sendrecv_ssh_server_packets($1_t)
++	# -R qualifier
+ 	corenet_sendrecv_ssh_server_packets($1_t)
 +	# tunnel feature and -w (net_admin capability also)
 +	corenet_rw_tun_tap_dev($1_t)
  
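Review bot: The `# -R qualifier` comment now sits directly above a second `corenet_sendrecv_ssh_server_packets($1_t)` that is identical to the line immediately before it, so the rule it annotates is a no-op duplicate; the permission remote forwarding (-R) actually needs is the `corenet_tcp_bind_all_unreserved_ports($1_t)` added above. Move the comment onto that line and drop the duplicate call. As far as the hunk shows, this commit only re-aligns the inner patch and the resulting ssh.if text is unchanged, so the duplicate predates it. The enclosing template (the `$1_t` domain) starts outside the hunk.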
@@ -28516,7 +28687,33 @@
  	')
  
  	optional_policy(`
-@@ -710,3 +724,22 @@
+@@ -605,6 +619,25 @@
+ 	allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
+ ')
+ 
++#######################################
++## <summary>
++##      Allow attempts to read and write to
++##      sshd unnamed pipes.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`ssh_rw_pipes',`
++        gen_require(`
++                type sshd_t;
++        ')
++
++        allow $1 sshd_t:fifo_file rw_fifo_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to read and write
+@@ -710,3 +743,22 @@
  
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')
@@ -28541,7 +28738,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/ssh.te	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/ssh.te	2009-03-20 09:28:31.000000000 +0100
 @@ -24,7 +24,7 @@
  
  # Type for the ssh-agent executable.
@@ -28604,7 +28801,7 @@
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
  	# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -99,6 +120,14 @@
+@@ -99,10 +120,22 @@
  ')
  
  optional_policy(`
@@ -28619,7 +28816,15 @@
  	daemontools_service_domain(sshd_t, sshd_exec_t)
  ')
  
-@@ -117,7 +146,11 @@
+ optional_policy(`
++	gitosis_read_var_lib(sshd_t)
++')
++
++optional_policy(`
+ 	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
+ ')
+ 
+@@ -117,7 +150,11 @@
  ')
  
  optional_policy(`
@@ -28632,7 +28837,7 @@
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -176,6 +209,8 @@
+@@ -176,6 +213,8 @@
  init_use_fds(ssh_keygen_t)
  init_use_script_ptys(ssh_keygen_t)
  
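Review bot: `gitosis_read_var_lib(sshd_t)` gives sshd read access to the whole /var/lib/gitosis tree, because gitosis.fc labels everything under it gitosis_var_lib_t, repositories included; sshd presumably only needs the gitosis user's authorized_keys under /var/lib/gitosis/.ssh. Labelling `/var/lib/gitosis/.ssh(/.*)?` with the type sshd already reads for users' ~/.ssh (ssh_home_t, if this policy has it) or with a dedicated key type would keep sshd away from repository contents. If the broad grant is intentional, add a comment above the call saying why.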
@@ -35544,7 +35749,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te	2009-03-10 13:22:29.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te	2009-03-20 09:28:45.000000000 +0100
 @@ -6,35 +6,78 @@
  # Declarations
  #
@@ -35713,54 +35918,54 @@
  ')
  
  optional_policy(`
-@@ -123,79 +183,91 @@
+@@ -123,79 +183,95 @@
  ')
  
  optional_policy(`
 -	inn_domtrans(unconfined_t)
-+        gpsd_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
++       gitosis_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
  ')
  
  optional_policy(`
 -	java_domtrans(unconfined_t)
-+	iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++        gpsd_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
  ')
  
  optional_policy(`
 -	lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
++	java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	mono_domtrans(unconfined_t)
-+	livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
  ')
  
  optional_policy(`
 -	mta_per_role_template(unconfined, unconfined_t, unconfined_r)
-+	lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	oddjob_domtrans_mkhomedir(unconfined_t)
-+	modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	mono_per_role_template(unconfined, unconfined_t, unconfined_r)
-+	unconfined_domain(unconfined_mono_t)
-+	role system_r types unconfined_mono_t;
++	modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	mono_per_role_template(unconfined, unconfined_t, unconfined_r)
++	unconfined_domain(unconfined_mono_t)
++	role system_r types unconfined_mono_t;
  ')
  
  optional_policy(`
@@ -35768,17 +35973,19 @@
 -	postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
-+	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
 -
  optional_policy(`
 -	pyzor_per_role_template(unconfined)
--')
-+	qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r)
++	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
  
--optional_policy(`
+ optional_policy(`
 -	qmail_per_role_template(unconfined, unconfined_t, unconfined_r)
++	qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r)
++
 +	tunable_policy(`allow_unconfined_qemu_transition',`
 +		qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	',`
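Review bot: The new `gitosis_run(unconfined_t, ...)` line is indented with seven spaces while the neighbouring calls use a tab (the `gpsd_run` line below it has the same space indentation), so the block mixes styles; use a tab: `	gitosis_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })`. This is also the only transition into gitosis_t in the commit, since sshd_t is given only `gitosis_read_var_lib`, so gitosis-serve is confined only when launched from unconfined_t; if confined user roles, or the MLS policy where the module is also enabled, are meant to use it, a matching gitosis_run call for those roles is missing. Whether that is intended is not visible from here.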
@@ -35828,7 +36035,7 @@
  ')
  
  optional_policy(`
-@@ -203,7 +275,7 @@
+@@ -203,7 +279,7 @@
  ')
  
  optional_policy(`
@@ -35837,7 +36044,7 @@
  ')
  
  optional_policy(`
-@@ -215,11 +287,12 @@
+@@ -215,11 +291,12 @@
  ')
  
  optional_policy(`
@@ -35852,7 +36059,7 @@
  ')
  
  ########################################
-@@ -229,14 +302,61 @@
+@@ -229,14 +306,61 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.780
retrieving revision 1.781
diff -u -r1.780 -r1.781
--- selinux-policy.spec	13 Mar 2009 08:29:44 -0000	1.780
+++ selinux-policy.spec	20 Mar 2009 09:32:48 -0000	1.781
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 49%{?dist}
+Release: 50%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -460,6 +460,10 @@
 %endif
 
 %changelog
+* Fri Mar 20 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-50
+- Add gitosis policy
+- Allow mdadm to read/write mls override
+
 * Fri Mar 13 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-49
 - Add gpsd policy
 - Fix razor policy



