rpms/selinux-policy/F-9 policy-20071130.patch, 1.262, 1.263 selinux-policy.spec, 1.744, 1.745
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Mar 23 17:06:30 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21159
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
- Add google-earth labeling
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.262
retrieving revision 1.263
diff -u -r1.262 -r1.263
--- policy-20071130.patch 20 Mar 2009 10:43:22 -0000 1.262
+++ policy-20071130.patch 23 Mar 2009 17:06:25 -0000 1.263
@@ -655058,7 +655058,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.3.1/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-03-20 09:44:49.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-03-23 10:41:10.000000000 +0100
@@ -10,6 +10,10 @@
type mysqld_exec_t;
init_daemon_domain(mysqld_t,mysqld_exec_t)
@@ -655100,7 +655100,7 @@
domain_use_interactive_fds(mysqld_t)
-@@ -119,3 +128,37 @@
+@@ -119,3 +128,40 @@
optional_policy(`
udev_read_db(mysqld_t)
')
@@ -655115,6 +655115,9 @@
+allow mysqld_safe_t self:capability { dac_override fowner chown };
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
++allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
++logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
++
+mysql_append_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
@@ -670248,7 +670251,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2009-03-20 09:46:49.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2009-03-23 10:46:22.000000000 +0100
@@ -69,8 +69,10 @@
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
@@ -670374,7 +670377,7 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-@@ -301,6 +321,28 @@
+@@ -301,6 +321,30 @@
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
')
@@ -670398,7 +670401,9 @@
+/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/sse2/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++# google-earth
++/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/Komodo/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
@@ -671585,16 +671590,19 @@
#################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.3.1/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/mount.fc 2009-02-12 22:21:57.000000000 +0100
-@@ -1,4 +1,6 @@
++++ serefpolicy-3.3.1/policy/modules/system/mount.fc 2009-03-23 11:00:51.000000000 +0100
+@@ -1,4 +1,10 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
--
--/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
++
++/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+
+-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.3.1/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2008-02-26 14:23:09.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/system/mount.if 2009-02-12 22:21:57.000000000 +0100
@@ -671635,8 +671643,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/mount.te 2009-02-12 22:21:57.000000000 +0100
-@@ -18,17 +18,18 @@
++++ serefpolicy-3.3.1/policy/modules/system/mount.te 2009-03-23 11:00:15.000000000 +0100
+@@ -18,17 +18,21 @@
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
@@ -671655,15 +671663,19 @@
type unconfined_mount_t;
application_domain(unconfined_mount_t,mount_exec_t)
+role system_r types unconfined_mount_t;
++
++type mount_var_run_t;
++files_pid_file(mount_var_run_t)
########################################
#
-@@ -36,23 +37,26 @@
+@@ -36,23 +40,33 @@
#
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
++allow mount_t self:process { ptrace signal };
allow mount_t mount_loopback_t:file read_file_perms;
@@ -671671,10 +671683,15 @@
allow mount_t mount_tmp_t:dir manage_dir_perms;
+files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
- can_exec(mount_t, mount_exec_t)
+-can_exec(mount_t, mount_exec_t)
++manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++files_pid_filetrans(mount_t,mount_var_run_t,dir)
++files_var_filetrans(mount_t,mount_var_run_t,dir)
-files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
--
++can_exec(mount_t, mount_exec_t)
+
+# In order to mount reiserfs_t
+kernel_list_unlabeled(mount_t)
kernel_read_system_state(mount_t)
@@ -671685,10 +671702,11 @@
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
+dev_read_usbfs(mount_t)
++dev_read_rand(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +66,20 @@
+@@ -62,16 +76,20 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -671711,7 +671729,7 @@
term_use_all_terms(mount_t)
-@@ -87,7 +95,7 @@
+@@ -87,7 +105,7 @@
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
@@ -671720,7 +671738,7 @@
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -100,6 +108,8 @@
+@@ -100,6 +118,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -671729,7 +671747,7 @@
auth_use_nsswitch(mount_t)
-@@ -119,6 +129,8 @@
+@@ -119,6 +139,8 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -671738,7 +671756,7 @@
ifdef(`distro_redhat',`
optional_policy(`
-@@ -167,6 +179,8 @@
+@@ -167,6 +189,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -671747,7 +671765,7 @@
')
optional_policy(`
-@@ -181,6 +195,11 @@
+@@ -181,6 +205,11 @@
')
')
@@ -671759,7 +671777,7 @@
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -188,6 +207,7 @@
+@@ -188,6 +217,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -671767,7 +671785,7 @@
')
########################################
-@@ -198,4 +218,26 @@
+@@ -198,4 +228,26 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.744
retrieving revision 1.745
diff -u -r1.744 -r1.745
--- selinux-policy.spec 20 Mar 2009 10:14:23 -0000 1.744
+++ selinux-policy.spec 23 Mar 2009 17:06:28 -0000 1.745
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 128%{?dist}
+Release: 129%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
%endif
%changelog
+* Mon Mar 23 2009 Miroslav Grepl <mgrepl at redhat.com> 3.3.1-129
+- Add google-earth labeling
+
* Fri Mar 20 2009 Miroslav Grepl <mgrepl at redhat.com> 3.3.1-128
- Add gitosis policy
More information about the fedora-extras-commits
mailing list