rpms/selinux-policy/devel policy-20090105.patch, 1.68, 1.69 selinux-policy.spec, 1.811, 1.812
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Mar 27 00:02:22 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4932
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Thu Mar 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-3
- Fixes for svirt
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.68
retrieving revision 1.69
diff -u -r1.68 -r1.69
--- policy-20090105.patch 24 Mar 2009 19:45:02 -0000 1.68
+++ policy-20090105.patch 27 Mar 2009 00:01:51 -0000 1.69
@@ -4524,8 +4524,8 @@
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.10/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-03-05 14:09:51.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-24 15:09:41.000000000 -0400
-@@ -91,6 +91,7 @@
++++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-25 08:24:42.000000000 -0400
+@@ -91,6 +90,7 @@
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
@@ -12127,7 +12127,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.10/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-24 10:36:54.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-26 08:23:58.000000000 -0400
@@ -49,6 +49,15 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -12251,7 +12251,11 @@
miscfiles_read_localization(hald_mac_t)
########################################
-@@ -418,3 +459,49 @@
+@@ -415,6 +456,53 @@
+
+ dev_rw_input_dev(hald_keymap_t)
+
++files_read_etc_files(hald_keymap_t)
files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
@@ -21299,7 +21303,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-24 15:41:15.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-26 14:25:09.000000000 -0400
@@ -8,20 +8,18 @@
## <desc>
@@ -21338,7 +21342,7 @@
type virt_log_t;
logging_log_file(virt_log_t)
-@@ -48,17 +50,40 @@
+@@ -48,17 +50,39 @@
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -21351,7 +21355,6 @@
+')
+
+virt_domain_template(svirt)
-+virtual_separated_domain(svirt_t)
+role system_r types svirt_t;
+
+type svirt_cache_t;
@@ -21381,7 +21384,7 @@
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -67,7 +92,11 @@
+@@ -67,7 +91,11 @@
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -21394,7 +21397,7 @@
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,6 +115,7 @@
+@@ -86,6 +114,7 @@
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
kernel_load_module(virtd_t)
@@ -21402,7 +21405,7 @@
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -96,7 +126,7 @@
+@@ -96,7 +125,7 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -21411,11 +21414,11 @@
corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
-@@ -104,21 +134,38 @@
+@@ -104,21 +133,39 @@
dev_read_sysfs(virtd_t)
dev_read_rand(virtd_t)
-+dev_read_kvm(virtd_t)
++dev_rw_kvm(virtd_t)
+dev_getattr_all_chr_files(virtd_t)
# Init script handling
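Review bot: The switch from `dev_read_kvm(virtd_t)` to `dev_rw_kvm(virtd_t)` widens the daemon's access to the KVM device from read to read/write, and nothing in the policy text says why `virtd_t` itself, rather than the confined guest domain, needs it. Together with `fs_rw_anon_inodefs_files(virtd_t)` added in the next hunk, this suggests virtd_t is expected to drive KVM directly, but that is inferred from the rule names only. A one-line comment above the rule, for example `# rw needed because <reason>; see <bug reference>`, would let a later audit decide whether the write access can be dropped again. The virtd_t rule section starts and ends outside this hunk.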
@@ -21440,6 +21443,7 @@
fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
++fs_rw_anon_inodefs_files(virtd_t)
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
@@ -21451,19 +21455,21 @@
term_getattr_pty_fs(virtd_t)
term_use_ptmx(virtd_t)
-@@ -129,6 +176,11 @@
+@@ -129,6 +176,13 @@
logging_send_syslog_msg(virtd_t)
+sysnet_domtrans_ifconfig(virtd_t)
+
++virtual_transition(virtd_t)
++
+userdom_dontaudit_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_search_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
tunable_policy(`virt_use_nfs',`
-@@ -167,22 +219,34 @@
+@@ -167,22 +221,34 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -21482,13 +21488,13 @@
+optional_policy(`
+ kerberos_keytab_template(virtd, virtd_t)
+')
++
++optional_policy(`
++ lvm_domtrans(virtd_t)
++')
optional_policy(`
- qemu_domtrans(virtd_t)
-+ lvm_domtrans(virtd_t)
-+')
-+
-+optional_policy(`
+ polkit_domtrans_auth(virtd_t)
+ polkit_domtrans_resolve(virtd_t)
+ polkit_read_lib(virtd_t)
@@ -21503,7 +21509,7 @@
')
optional_policy(`
-@@ -198,5 +262,76 @@
+@@ -198,5 +264,74 @@
')
optional_policy(`
@@ -21524,8 +21530,6 @@
+#
+# svirt local policy
+#
-+domain_user_exemption_target(svirt_t)
-+allow virtd_t svirt_t:process { setsched transition signal signull sigkill };
+
+manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
@@ -29350,8 +29354,8 @@
+# No application file contexts.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if
--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-24 09:03:48.000000000 -0400
-@@ -0,0 +1,118 @@
++++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-26 14:24:01.000000000 -0400
+@@ -0,0 +1,110 @@
+## <summary>Virtual machine emulator and virtualizer</summary>
+
+########################################
@@ -29385,32 +29389,6 @@
+
+########################################
+## <summary>
-+## Make the specified type a virtual domain
-+## </summary>
-+## <desc>
-+## <p>
-+## Make the specified type a virtual domain
-+## </p>
-+## <p>
-+## Gives the basic access required for a virtual operatins system
-+## </p>
-+## </desc>
-+## <param name="type">
-+## <summary>
-+## Type granted access
-+## </summary>
-+## </param>
-+#
-+interface(`virtual_separated_domain',`
-+ gen_require(`
-+ attribute virtualseparateddomain;
-+ ')
-+
-+ typeattribute $1 virtualseparateddomain;
-+')
-+
-+########################################
-+## <summary>
+## Make the specified type usable as a virtual os image
+## </summary>
+## <param name="type">
@@ -29470,10 +29448,28 @@
+ allow $1 virtual_image_type:file { relabelfrom relabelto };
+')
+
++########################################
++## <summary>
++## Allow domain to transition and control virtualdomain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`virtual_transition',`
++ gen_require(`
++ attribute virtualdomain;
++ ')
++
++ allow $1 virtualdomain:process { setsched transition signal signull sigkill };
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-24 09:03:48.000000000 -0400
-@@ -0,0 +1,80 @@
++++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-26 14:21:16.000000000 -0400
+@@ -0,0 +1,81 @@
+
+policy_module(virtualization, 1.1.2)
+
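Review bot: The parameter summary of the new `virtual_transition` interface reads `Domain to not audit.`, which describes a dontaudit interface, while the body is an `allow` rule granting `setsched transition signal signull sigkill` over every type carrying the `virtualdomain` attribute. The summary should read `Domain allowed to transition.` so that the generated interface documentation does not understate what a caller receives. Because the grant is on the attribute rather than on `svirt_t`, as the rule removed from virt.te was, the `<summary>` should also say that it covers all virtual domains. The hunk continues into the header of the virtual.te section.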
@@ -29517,6 +29513,7 @@
+dev_rw_qemu(virtualdomain)
+
+domain_use_interactive_fds(virtualdomain)
++domain_user_exemption_target(virtualdomain)
+
+files_read_etc_files(virtualdomain)
+files_read_usr_files(virtualdomain)
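Review bot: `domain_user_exemption_target(virtualdomain)` applies to the whole `virtualdomain` attribute, where the line removed from virt.te applied it to `svirt_t` only, so every type carrying the attribute becomes a target of the SELinux user identity change exemption. Which types carry `virtualdomain` is not visible here; if any besides the svirt domains do, the exemption is broader than the log message "Fixes for svirt" suggests. A comment on the line such as `# every virtual domain may be entered across an SELinux user change` would record that the widening is intended. The surrounding virtualdomain rule block starts and ends outside the hunk.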
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.811
retrieving revision 1.812
diff -u -r1.811 -r1.812
--- selinux-policy.spec 24 Mar 2009 19:45:02 -0000 1.811
+++ selinux-policy.spec 27 Mar 2009 00:01:52 -0000 1.812
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.10
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
%endif
%changelog
+* Thu Mar 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-3
+- Fixes for svirt
+
* Thu Mar 19 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-2
- Fixes to allow svirt read iso files in homedir