rpms/selinux-policy/F-9 policy-20071130.patch, 1.263, 1.264 selinux-policy.spec, 1.745, 1.746

Miroslav Grepl mgrepl at fedoraproject.org
Wed Mar 25 08:29:47 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26754

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
- Add xenner fixes



policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.263
retrieving revision 1.264
diff -u -r1.263 -r1.264
--- policy-20071130.patch	23 Mar 2009 17:06:25 -0000	1.263
+++ policy-20071130.patch	25 Mar 2009 08:29:43 -0000	1.264
@@ -655058,7 +655058,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.3.1/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/mysql.te	2009-03-23 10:41:10.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/mysql.te	2009-03-25 00:08:28.000000000 +0100
 @@ -10,6 +10,10 @@
  type mysqld_exec_t;
  init_daemon_domain(mysqld_t,mysqld_exec_t)
@@ -655100,7 +655100,7 @@
  
  domain_use_interactive_fds(mysqld_t)
  
-@@ -119,3 +128,40 @@
+@@ -119,3 +128,38 @@
  optional_policy(`
  	udev_read_db(mysqld_t)
  ')
@@ -655139,8 +655139,6 @@
 +
 +hostname_exec(mysqld_safe_t)
 +
-+permissive mysqld_safe_t;
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.3.1/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2008-02-26 14:23:10.000000000 +0100
 +++ serefpolicy-3.3.1/policy/modules/services/nagios.fc	2009-02-12 22:21:57.000000000 +0100
@@ -678638,9 +678636,35 @@
 +optional_policy(`
 +	unconfined_domain(virtd_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.3.1/policy/modules/system/xen.fc
+--- nsaserefpolicy/policy/modules/system/xen.fc	2008-02-26 14:23:09.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/xen.fc	2009-03-25 00:31:38.000000000 +0100
+@@ -1,5 +1,7 @@
+ /dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
+ 
++/usr/sbin/evtchnd       --      gen_context(system_u:object_r:evtchnd_exec_t,s0)
++
+ /usr/bin/virsh		--	gen_context(system_u:object_r:xm_exec_t,s0)
+ 
+ /usr/sbin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+@@ -12,11 +14,14 @@
+ /var/lib/xend(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
+ /var/lib/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+ 
++/var/log/evtchnd\.log   --      gen_context(system_u:object_r:evtchnd_var_log_t,s0)
+ /var/log/xen(/.*)?		gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xen-hotplug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xend\.log	--	gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xend-debug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
+ 
++/var/run/evtchnd\.pid   --      gen_context(system_u:object_r:evtchnd_var_run_t,s0)
++/var/run/evtchnd        -s      gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+ /var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+ /var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.3.1/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/xen.if	2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/xen.if	2009-03-25 00:27:22.000000000 +0100
 @@ -167,11 +167,14 @@
  #
  interface(`xen_stream_connect',`
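Review bot: The four new xen.fc entries (`/usr/sbin/evtchnd`, `/var/log/evtchnd\.log`, `/var/run/evtchnd\.pid`, `/var/run/evtchnd`) separate path, type flag and context with runs of spaces, while every neighbouring line in the hunk uses tabs. Any whitespace should be accepted by the file_contexts parser, so this is a point of style only, but the misaligned columns make the table harder to scan and will reappear as noise in later diffs. Aligning the new lines with tabs as the surrounding `xend`/`xenconsoled` entries do keeps the file consistent.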
@@ -678657,7 +678681,7 @@
  ')
  
  ########################################
-@@ -191,3 +194,24 @@
+@@ -191,3 +194,45 @@
  
  	domtrans_pattern($1,xm_exec_t,xm_t)
  ')
@@ -678682,9 +678706,30 @@
 +	allow $1 xend_var_lib_t:dir search_dir_perms;
 +	rw_files_pattern($1,xen_image_t,xen_image_t)
 +')
++
++######################################
++## <summary>
++##      Connect to evtchnd over a unix domain
++##      stream socket.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`evtchnd_stream_connect',`
++        gen_require(`
++                type evtchnd_var_run_t, evtchnd_t;
++        ')
++
++        allow $1 evtchnd_t:unix_stream_socket connectto;
++        allow $1 evtchnd_var_run_t:sock_file { getattr write };
++        files_search_pids($1)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.3.1/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/xen.te	2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/xen.te	2009-03-25 00:26:11.000000000 +0100
 @@ -6,6 +6,13 @@
  # Declarations
  #
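Review bot: The new interface is named `evtchnd_stream_connect` although it is defined in xen.if, where the module's other interfaces carry the `xen_` prefix (`xen_stream_connect`, `xen_stream_connect_xenstore`); reference-policy convention names an interface after the module that defines it, so `xen_stream_connect_evtchnd` would match the neighbouring `xen_stream_connect_xenstore` and keep the interface discoverable. The body also hand-writes the connect rules where the reference-policy helper `stream_connect_pattern($1, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)` expresses the dir search, sock_file write and `connectto` grant in one line (keep the explicit `getattr` on the sock_file if it is actually needed, as the pattern may not include it). Finally the body is indented with eight spaces while the rest of the file uses tabs (see `	allow $1 xend_var_lib_t:dir search_dir_perms;` earlier in this hunk).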
@@ -678720,7 +678765,26 @@
  role system_r types xenconsoled_t;
  
  # pid files
-@@ -95,7 +99,7 @@
+@@ -72,6 +76,18 @@
+ domain_type(xm_t)
+ init_system_domain(xm_t, xm_exec_t)
+ 
++type evtchnd_t;
++type evtchnd_exec_t;
++init_daemon_domain(evtchnd_t, evtchnd_exec_t)
++
++# log files
++ type evtchnd_var_log_t;
++logging_log_file(evtchnd_var_log_t)
++
++# pid files
++type evtchnd_var_run_t;
++files_pid_file(evtchnd_var_run_t)
++ 
+ ########################################
+ #
+ # xend local policy
+@@ -95,7 +111,7 @@
  read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
  rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
  
@@ -678729,7 +678793,7 @@
  dev_filetrans(xend_t, xenctl_t, fifo_file)
  
  manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
-@@ -103,14 +107,14 @@
+@@ -103,14 +119,14 @@
  files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
  
  # pid file
@@ -678747,7 +678811,7 @@
  manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
  manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
  logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
-@@ -122,15 +126,13 @@
+@@ -122,15 +138,13 @@
  manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
  files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
  
@@ -678767,7 +678831,7 @@
  
  kernel_read_kernel_sysctls(xend_t)
  kernel_read_system_state(xend_t)
-@@ -176,6 +178,7 @@
+@@ -176,6 +190,7 @@
  files_manage_etc_runtime_files(xend_t)
  files_etc_filetrans_etc_runtime(xend_t,file)
  files_read_usr_files(xend_t)
@@ -678775,7 +678839,7 @@
  
  storage_raw_read_fixed_disk(xend_t)
  storage_raw_write_fixed_disk(xend_t)
-@@ -214,6 +217,10 @@
+@@ -214,6 +229,10 @@
  netutils_domtrans(xend_t)
  
  optional_policy(`
@@ -678786,7 +678850,7 @@
  	consoletype_exec(xend_t)
  ')
  
-@@ -224,7 +231,7 @@
+@@ -224,7 +243,7 @@
  
  allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
  allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
@@ -678795,7 +678859,7 @@
  
  allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
  
-@@ -245,6 +252,8 @@
+@@ -245,6 +264,8 @@
  
  files_read_usr_files(xenconsoled_t)
  
@@ -678804,7 +678868,7 @@
  term_create_pty(xenconsoled_t,xen_devpts_t);
  term_use_generic_ptys(xenconsoled_t)
  term_use_console(xenconsoled_t)
-@@ -257,7 +266,7 @@
+@@ -257,7 +278,7 @@
  
  miscfiles_read_localization(xenconsoled_t)
  
@@ -678813,7 +678877,7 @@
  xen_stream_connect_xenstore(xenconsoled_t)
  
  ########################################
-@@ -265,7 +274,7 @@
+@@ -265,7 +286,7 @@
  # Xen store local policy
  #
  
@@ -678822,7 +678886,17 @@
  allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
  allow xenstored_t self:unix_dgram_socket create_socket_perms;
  
-@@ -310,6 +319,10 @@
+@@ -280,6 +301,9 @@
+ manage_sock_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
+ files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
+ 
++# write and connect to evtchnd socket
++evtchnd_stream_connect(xenstored_t)
++
+ kernel_write_xen_state(xenstored_t)
+ kernel_read_xen_state(xenstored_t)
+ 
+@@ -310,6 +334,10 @@
  
  xen_append_log(xenstored_t)
  
@@ -678833,7 +678907,7 @@
  ########################################
  #
  # xm local policy
-@@ -318,12 +331,13 @@
+@@ -318,12 +346,13 @@
  allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
  
  # internal communication is often done using fifo and unix sockets.
@@ -678848,7 +678922,7 @@
  files_search_var_lib(xm_t)
  
  allow xm_t xen_image_t:dir rw_dir_perms;
-@@ -336,6 +350,7 @@
+@@ -336,6 +365,7 @@
  kernel_write_xen_state(xm_t)
  
  corecmd_exec_bin(xm_t)
@@ -678856,7 +678930,7 @@
  
  corenet_tcp_sendrecv_generic_if(xm_t)
  corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -351,8 +366,11 @@
+@@ -351,8 +381,11 @@
  
  storage_raw_read_fixed_disk(xm_t)
  
@@ -678868,7 +678942,7 @@
  init_rw_script_stream_sockets(xm_t)
  init_use_fds(xm_t)
  
-@@ -363,6 +381,23 @@
+@@ -363,6 +396,43 @@
  
  sysnet_read_config(xm_t)
  
@@ -678892,6 +678966,26 @@
 +optional_policy(`
 +	unconfined_domain(xend_t)
 +')
++
++#######################################
++#
++# evtchnd local policy
++#
++
++# pid file
++manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
++manage_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
++manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
++files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
++
++# log files
++manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
++manage_files_pattern(evtchnd_t,evtchnd_var_log_t,evtchnd_var_log_t)
++logging_log_filetrans(evtchnd_t,evtchnd_var_log_t,{ file dir })
++
++libs_use_ld_so(evtchnd_t)
++libs_use_shared_libs(evtchnd_t)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.3.1/policy/modules/users/auditadm.fc
 --- nsaserefpolicy/policy/modules/users/auditadm.fc	1970-01-01 01:00:00.000000000 +0100
 +++ serefpolicy-3.3.1/policy/modules/users/auditadm.fc	2009-02-12 22:21:57.000000000 +0100
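Review bot: The evtchnd local policy never grants `evtchnd_t` permissions on its own unix stream socket, yet the new `evtchnd_stream_connect` interface lets callers `connectto` `evtchnd_t:unix_stream_socket`; without `allow evtchnd_t self:unix_stream_socket create_stream_socket_perms;` (the rule the neighbouring xenconsoled_t and xenstored_t policies carry explicitly, which suggests it is not supplied by `init_daemon_domain`) the daemon presumably cannot create or listen on the socket the interface is meant to reach. `manage_sock_files_pattern` on `evtchnd_var_run_t` only covers the filesystem node under /var/run, not the socket object itself. A daemon started via `init_daemon_domain` will also commonly need `miscfiles_read_localization(evtchnd_t)`, as xenconsoled_t has in this file; treat that as a candidate to confirm from the first denial log rather than a certainty. As a matter of style, the `manage_*_pattern` calls in this block mix `a, b, c` and `a,b,c` argument spacing; pick one form.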


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.745
retrieving revision 1.746
diff -u -r1.745 -r1.746
--- selinux-policy.spec	23 Mar 2009 17:06:28 -0000	1.745
+++ selinux-policy.spec	25 Mar 2009 08:29:45 -0000	1.746
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 129%{?dist}
+Release: 130%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
 %endif
 
 %changelog
+* Wed Mar 25 2009 Miroslav Grepl <mgrepl at redhat.com> 3.3.1-130
+- Add xenner fixes
+
 * Mon Mar 23 2009 Miroslav Grepl <mgrepl at redhat.com> 3.3.1-129
 - Add google-earth labeling
 



