rpms/selinux-policy/F-9 policy-20071130.patch, 1.262, 1.263 selinux-policy.spec, 1.744, 1.745

Miroslav Grepl mgrepl at fedoraproject.org
Mon Mar 23 17:06:30 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21159

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
- Add google-earth labeling



policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.262
retrieving revision 1.263
diff -u -r1.262 -r1.263
--- policy-20071130.patch	20 Mar 2009 10:43:22 -0000	1.262
+++ policy-20071130.patch	23 Mar 2009 17:06:25 -0000	1.263
@@ -655058,7 +655058,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.3.1/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/mysql.te	2009-03-20 09:44:49.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/mysql.te	2009-03-23 10:41:10.000000000 +0100
 @@ -10,6 +10,10 @@
  type mysqld_exec_t;
  init_daemon_domain(mysqld_t,mysqld_exec_t)
@@ -655100,7 +655100,7 @@
  
  domain_use_interactive_fds(mysqld_t)
  
-@@ -119,3 +128,37 @@
+@@ -119,3 +128,40 @@
  optional_policy(`
  	udev_read_db(mysqld_t)
  ')
@@ -655115,6 +655115,9 @@
 +allow mysqld_safe_t self:capability { dac_override fowner chown };
 +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 +
++allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
++logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
++
 +mysql_append_db_files(mysqld_safe_t)
 +mysql_read_config(mysqld_safe_t)
 +mysql_search_pid_files(mysqld_safe_t)
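Review bot: The added `allow mysqld_safe_t mysqld_log_t:file manage_file_perms;` hands the wrapper the full manage set (write, rename, unlink) on every mysqld_log_t file, in a domain that already holds `dac_override fowner chown`. The neighbouring rules only ask for append-style access (`mysql_append_db_files`), so if mysqld_safe merely creates the error log and appends to it, a narrower rule such as `allow mysqld_safe_t mysqld_log_t:file { create getattr setattr append };` would keep existing logs from being rewritten or removed by this domain. The exact set needs testing against the script, since the hunk does not show what it does with the file. Either way a comment like `# mysqld_safe creates and chowns the error log` above the two new lines would record why they are there.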
@@ -670248,7 +670251,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc	2009-03-20 09:46:49.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc	2009-03-23 10:46:22.000000000 +0100
 @@ -69,8 +69,10 @@
  ifdef(`distro_gentoo',`
  # despite the extensions, they are actually libs
@@ -670374,7 +670377,7 @@
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
-@@ -301,6 +321,28 @@
+@@ -301,6 +321,30 @@
  /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
  ')
  
@@ -670398,7 +670401,9 @@
 +/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/sse2/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
++# google-earth
++/opt/google-earth/.*\.so.*		--     gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/google-earth/.*\.so.*	--     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/opt/Komodo/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
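Review bot: Both google-earth patterns end in an unanchored `\.so.*`, so any regular file below those directories whose path merely contains `.so` is labelled textrel_shlib_t, including files inside a `something.so.d/` directory or names like `libx.sound`. That type exists to permit text relocations, so it is worth restricting to real shared objects with the suffix form the neighbouring Komodo entry uses: `/usr/lib(64)?/google-earth/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)`, and the same tail for `/opt/google-earth/`. The `/opt` line is otherwise only a whitespace change plus the new `# google-earth` comment.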
@@ -671585,16 +671590,19 @@
  #################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.3.1/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/mount.fc	2009-02-12 22:21:57.000000000 +0100
-@@ -1,4 +1,6 @@
++++ serefpolicy-3.3.1/policy/modules/system/mount.fc	2009-03-23 11:00:51.000000000 +0100
+@@ -1,4 +1,10 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
--
--/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/sbin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/sbin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/bin/fusermount            --      gen_context(system_u:object_r:mount_exec_t,s0)
 +/usr/bin/fusermount            --      gen_context(system_u:object_r:mount_exec_t,s0)
++
++/var/cache/davfs2(/.*)?         gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/davfs2(/.*)?           gen_context(system_u:object_r:mount_var_run_t,s0)
+ 
+-/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.3.1/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2008-02-26 14:23:09.000000000 +0100
 +++ serefpolicy-3.3.1/policy/modules/system/mount.if	2009-02-12 22:21:57.000000000 +0100
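Review bot: `/var/cache/davfs2(/.*)?` is labelled mount_var_run_t, which the mount.te part of this commit declares with `files_pid_file(mount_var_run_t)`, so persistent cache content ends up under a pid-file type. Any domain that is allowed to read or manage all pid files would presumably reach the cached WebDAV data as well; a separate cache type for that path would keep the two apart. If sharing one type is intended, a comment above the two entries, e.g. `# davfs2 cache and pid directories share the mount runtime type`, would make that explicit.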
@@ -671635,8 +671643,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/mount.te	2009-02-12 22:21:57.000000000 +0100
-@@ -18,17 +18,18 @@
++++ serefpolicy-3.3.1/policy/modules/system/mount.te	2009-03-23 11:00:15.000000000 +0100
+@@ -18,17 +18,21 @@
  init_system_domain(mount_t,mount_exec_t)
  role system_r types mount_t;
  
@@ -671655,15 +671663,19 @@
  type unconfined_mount_t;
  application_domain(unconfined_mount_t,mount_exec_t)
 +role system_r types unconfined_mount_t;
++
++type mount_var_run_t;
++files_pid_file(mount_var_run_t)
  
  ########################################
  #
-@@ -36,23 +37,26 @@
+@@ -36,23 +40,33 @@
  #
  
  # setuid/setgid needed to mount cifs 
 -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
++allow mount_t self:process { ptrace signal };
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
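Review bot: `allow mount_t self:process { ptrace signal };` is added without a comment, and ptrace is a strong permission for a domain that the line above it already grants `sys_admin`, `sys_rawio` and `setuid setgid`. Nothing visible here shows which mount helper traces another mount_t process; if the rule only answers an AVC denial, `dontaudit mount_t self:process ptrace;` together with `allow mount_t self:process signal;` would be the safer form. If ptrace is really required, a comment naming the helper, in the style of the existing `# setuid/setgid needed to mount cifs`, should go with it. The same lack of explanation applies to the `dev_read_rand(mount_t)` addition further down, and the log message mentions only google-earth although the commit also changes the mount and mysqld_safe policy.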
@@ -671671,10 +671683,15 @@
  allow mount_t mount_tmp_t:dir manage_dir_perms;
 +files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
  
- can_exec(mount_t, mount_exec_t)
+-can_exec(mount_t, mount_exec_t)
++manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++files_pid_filetrans(mount_t,mount_var_run_t,dir)
++files_var_filetrans(mount_t,mount_var_run_t,dir)
  
 -files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
--
++can_exec(mount_t, mount_exec_t)
+ 
 +# In order to mount reiserfs_t
 +kernel_list_unlabeled(mount_t)
  kernel_read_system_state(mount_t)
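Review bot: `files_var_filetrans(mount_t,mount_var_run_t,dir)` and `files_pid_filetrans(mount_t,mount_var_run_t,dir)` are keyed on the parent directory's type only, so every directory mount_t creates directly in a var_t or pid directory is labelled mount_var_run_t, not just the davfs2 ones. If the davfs2 directories are shipped by the package and labelled through the new mount.fc entries, the transitions may not be needed at all; that cannot be confirmed from this hunk. At minimum a comment such as `# davfs2 creates its cache and pid directories at mount time` above the four new lines would record the intent and make a later tightening easier.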
@@ -671685,10 +671702,11 @@
  dev_getattr_all_blk_files(mount_t)
  dev_list_all_dev_nodes(mount_t)
 +dev_read_usbfs(mount_t)
++dev_read_rand(mount_t)
  dev_rw_lvm_control(mount_t)
  dev_dontaudit_getattr_all_chr_files(mount_t)
  dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +66,20 @@
+@@ -62,16 +76,20 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -671711,7 +671729,7 @@
  
  term_use_all_terms(mount_t)
  
-@@ -87,7 +95,7 @@
+@@ -87,7 +105,7 @@
  files_mounton_all_mountpoints(mount_t)
  files_unmount_rootfs(mount_t)
  # These rules need to be generalized.  Only admin, initrc should have it:
@@ -671720,7 +671738,7 @@
  files_mount_all_file_type_fs(mount_t)
  files_unmount_all_file_type_fs(mount_t)
  # for when /etc/mtab loses its type
-@@ -100,6 +108,8 @@
+@@ -100,6 +118,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -671729,7 +671747,7 @@
  
  auth_use_nsswitch(mount_t)
  
-@@ -119,6 +129,8 @@
+@@ -119,6 +139,8 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -671738,7 +671756,7 @@
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -167,6 +179,8 @@
+@@ -167,6 +189,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -671747,7 +671765,7 @@
  ')
  
  optional_policy(`
-@@ -181,6 +195,11 @@
+@@ -181,6 +205,11 @@
  	')
  ')
  
@@ -671759,7 +671777,7 @@
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -188,6 +207,7 @@
+@@ -188,6 +217,7 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -671767,7 +671785,7 @@
  ')
  
  ########################################
-@@ -198,4 +218,26 @@
+@@ -198,4 +228,26 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.744
retrieving revision 1.745
diff -u -r1.744 -r1.745
--- selinux-policy.spec	20 Mar 2009 10:14:23 -0000	1.744
+++ selinux-policy.spec	23 Mar 2009 17:06:28 -0000	1.745
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 128%{?dist}
+Release: 129%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
 %endif
 
 %changelog
+* Mon Mar 23 2009 Miroslav Grepl <mgrepl at redhat.com> 3.3.1-129
+- Add google-earth labeling
+
 * Fri Mar 20 2009 Miroslav Grepl <mgrepl at redhat.com> 3.3.1-128
 - Add gitosis policy
 



