rpms/selinux-policy/devel policy-20090105.patch,1.69,1.70

Daniel J Walsh dwalsh at fedoraproject.org
Fri Mar 27 01:39:14 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1262

Modified Files:
	policy-20090105.patch 
Log Message:
* Thu Mar 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-3
- Fixes for svirt


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.69
retrieving revision 1.70
diff -u -r1.69 -r1.70
--- policy-20090105.patch	27 Mar 2009 00:01:51 -0000	1.69
+++ policy-20090105.patch	27 Mar 2009 01:39:14 -0000	1.70
@@ -4771,7 +4771,7 @@
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.10/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/files.if	2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/kernel/files.if	2009-03-26 21:12:48.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5179,7 +5179,7 @@
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.10/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/kernel.if	2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/kernel/kernel.if	2009-03-26 21:08:51.000000000 -0400
 @@ -1197,6 +1197,26 @@
  	')
  
@@ -5580,8 +5580,8 @@
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.10/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/roles/staff.te	2009-03-24 09:03:48.000000000 -0400
-@@ -15,156 +15,88 @@
++++ serefpolicy-3.6.10/policy/modules/roles/staff.te	2009-03-26 20:39:03.000000000 -0400
+@@ -15,156 +15,90 @@
  # Local policy
  #
  
@@ -5596,15 +5596,21 @@
 -optional_policy(`
 -	auditadm_role_change(staff_r)
 -')
--
++kernel_read_ring_buffer(staff_t)
++kernel_getattr_core_if(staff_t)
++kernel_getattr_message_if(staff_t)
++kernel_read_software_raid_state(staff_t)
+ 
 -optional_policy(`
 -	bluetooth_role(staff_r, staff_t)
 -')
--
++auth_domtrans_pam_console(staff_t)
+ 
 -optional_policy(`
 -	cdrecord_role(staff_r, staff_t)
 -')
--
++libs_manage_shared_libs(staff_t)
+ 
 -optional_policy(`
 -	cron_role(staff_r, staff_t)
 -')
@@ -5612,8 +5618,10 @@
 -optional_policy(`
 -	dbus_role_template(staff, staff_r, staff_t)
 -')
--
--optional_policy(`
++seutil_run_newrole(staff_t, staff_r)
++netutils_run_ping(staff_t, staff_r)
+ 
+ optional_policy(`
 -	ethereal_role(staff_r, staff_t)
 -')
 -
@@ -5644,107 +5652,100 @@
 -optional_policy(`
 -	java_role(staff_r, staff_t)
 -')
-+kernel_read_ring_buffer(staff_t)
-+kernel_getattr_core_if(staff_t)
-+kernel_getattr_message_if(staff_t)
-+kernel_read_software_raid_state(staff_t)
- 
+-
 -optional_policy(`
 -	lockdev_role(staff_r, staff_t)
 -')
-+auth_domtrans_pam_console(staff_t)
- 
+-
 -optional_policy(`
 -	lpd_role(staff_r, staff_t)
 -')
-+libs_manage_shared_libs(staff_t)
- 
+-
 -optional_policy(`
 -	mozilla_role(staff_r, staff_t)
--')
-+seutil_run_newrole(staff_t, staff_r)
-+netutils_run_ping(staff_t, staff_r)
- 
- optional_policy(`
--	mplayer_role(staff_r, staff_t)
 +	sudo_role_template(staff, staff_r, staff_t)
  ')
  
  optional_policy(`
--	mta_role(staff_r, staff_t)
+-	mplayer_role(staff_r, staff_t)
 +	auditadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	oident_manage_user_content(staff_t)
--	oident_relabel_user_content(staff_t)
+-	mta_role(staff_r, staff_t)
 +	kerneloops_manage_tmp_files(staff_t)
  ')
  
  optional_policy(`
--	pyzor_role(staff_r, staff_t)
+-	oident_manage_user_content(staff_t)
+-	oident_relabel_user_content(staff_t)
 +	logadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	razor_role(staff_r, staff_t)
+-	pyzor_role(staff_r, staff_t)
 +	secadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	rssh_role(staff_r, staff_t)
+-	razor_role(staff_r, staff_t)
 +	ssh_role_template(staff, staff_r, staff_t)
  ')
  
  optional_policy(`
--	screen_role_template(staff, staff_r, staff_t)
+-	rssh_role(staff_r, staff_t)
 +	sysadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	secadm_role_change(staff_r)
+-	screen_role_template(staff, staff_r, staff_t)
 +	usernetctl_run(staff_t, staff_r)
  ')
  
  optional_policy(`
--	spamassassin_role(staff_r, staff_t)
+-	secadm_role_change(staff_r)
 +	unconfined_role_change(staff_r)
  ')
  
  optional_policy(`
--	ssh_role_template(staff, staff_r, staff_t)
+-	spamassassin_role(staff_r, staff_t)
 +	webadm_role_change(staff_r)
  ')
  
 -optional_policy(`
--	su_role_template(staff, staff_r, staff_t)
+-	ssh_role_template(staff, staff_r, staff_t)
 -')
 +domain_read_all_domains_state(staff_t)
 +domain_getattr_all_domains(staff_t)
 +domain_obj_id_change_exemption(staff_t)
  
 -optional_policy(`
--	sudo_role_template(staff, staff_r, staff_t)
+-	su_role_template(staff, staff_r, staff_t)
 -')
 +files_read_kernel_modules(staff_t)
  
 -optional_policy(`
--	sysadm_role_change(staff_r)
--	userdom_dontaudit_use_user_terminals(staff_t)
+-	sudo_role_template(staff, staff_r, staff_t)
 -')
 +kernel_read_fs_sysctls(staff_t)
  
 -optional_policy(`
--	thunderbird_role(staff_r, staff_t)
+-	sysadm_role_change(staff_r)
+-	userdom_dontaudit_use_user_terminals(staff_t)
 -')
 +modutils_read_module_config(staff_t)
 +modutils_read_module_deps(staff_t)
  
 -optional_policy(`
--	tvtime_role(staff_r, staff_t)
+-	thunderbird_role(staff_r, staff_t)
 -')
 +miscfiles_read_hwdata(staff_t)
  
+-optional_policy(`
+-	tvtime_role(staff_r, staff_t)
+-')
++term_use_unallocated_ttys(staff_t)
+ 
  optional_policy(`
 -	uml_role(staff_r, staff_t)
 +	gnomeclock_dbus_chat(staff_t)
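Review bot: `term_use_unallocated_ttys(staff_t)` (the `++` line just above the final `optional_policy` block) is the only rule that is genuinely new in this hunk, and it widens the staff user domain in a way the changelog entry "Fixes for svirt" does not mention; as I read refpolicy's terminal interfaces it grants read/write on tty devices that no login session has claimed yet, so it deserves a why-comment, e.g. `# staff_t opens ttys before getty/login relabel them (see <BUG_REF placeholder>)`. Everything else here only moves existing staff_t rules (`kernel_read_ring_buffer`, `auth_domtrans_pam_console`, `libs_manage_shared_libs`, `seutil_run_newrole`, `netutils_run_ping`) earlier in the file, the other half of that move being the two preceding staff.te hunks. If the tty access is only needed in some deployments, consider whether it belongs under a tunable rather than unconditionally in the role. The enclosing staff.te region (`@@ -15,156 +15,90 @@`) starts in the previous hunks of this file.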
@@ -9800,7 +9801,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.10/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/cups.te	2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/cups.te	2009-03-26 21:16:37.000000000 -0400
 @@ -20,9 +20,18 @@
  type cupsd_etc_t;
  files_config_file(cupsd_etc_t)
@@ -10051,7 +10052,20 @@
  dontaudit cupsd_config_t self:capability sys_tty_config;
  allow cupsd_config_t self:process signal_perms;
  allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -311,7 +370,7 @@
+@@ -302,8 +361,10 @@
+ 
+ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
+ 
+-allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
++manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
++manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
++manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
++files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+ 
+ allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+ 
+@@ -311,7 +372,7 @@
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
  
  kernel_read_system_state(cupsd_config_t)
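Review bot: The replacement rules extend cupsd_config_t from plain files in cupsd_tmp_t to symlinks and directories and add `lnk_file` to the `files_tmp_filetrans` call, but nothing records which cups helper needs to create symlinks under /tmp, so the next policy cleanup is likely to drop the `lnk_file` permissions again. Suggest a comment above the `manage_lnk_files_pattern` line such as `# <tool placeholder> run from cupsd_config creates symlinks in /tmp; transition them so they stay cupsd_tmp_t`, with the actual helper filled in once confirmed. Adding `dir` to the manage patterns does line up with the pre-existing `{ file dir }` transition, so that part reads as a consistency fix rather than a new privilege.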
@@ -10060,7 +10074,7 @@
  
  corenet_all_recvfrom_unlabeled(cupsd_config_t)
  corenet_all_recvfrom_netlabel(cupsd_config_t)
-@@ -324,6 +383,7 @@
+@@ -324,6 +385,7 @@
  dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
@@ -10068,7 +10082,7 @@
  
  fs_getattr_all_fs(cupsd_config_t)
  fs_search_auto_mountpoints(cupsd_config_t)
-@@ -341,13 +401,14 @@
+@@ -341,13 +403,14 @@
  files_read_var_symlinks(cupsd_config_t)
  
  # Alternatives asks for this
@@ -10084,7 +10098,7 @@
  
  seutil_dontaudit_search_config(cupsd_config_t)
  
-@@ -359,14 +420,16 @@
+@@ -359,14 +422,16 @@
  lpd_read_config(cupsd_config_t)
  
  ifdef(`distro_redhat',`
@@ -10103,7 +10117,7 @@
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -382,6 +445,7 @@
+@@ -382,6 +447,7 @@
  optional_policy(`
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
@@ -10111,7 +10125,7 @@
  ')
  
  optional_policy(`
-@@ -491,7 +555,10 @@
+@@ -491,7 +557,10 @@
  allow hplip_t self:udp_socket create_socket_perms;
  allow hplip_t self:rawip_socket create_socket_perms;
  
@@ -10123,7 +10137,7 @@
  
  cups_stream_connect(hplip_t)
  
-@@ -500,6 +567,10 @@
+@@ -500,6 +569,10 @@
  read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
  files_search_etc(hplip_t)
  
@@ -10134,7 +10148,7 @@
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
  
-@@ -529,7 +600,8 @@
+@@ -529,7 +602,8 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -10144,7 +10158,7 @@
  
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
-@@ -553,7 +625,9 @@
+@@ -553,7 +627,9 @@
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -10155,7 +10169,7 @@
  
  optional_policy(`
  	dbus_system_bus_client(hplip_t)
-@@ -635,3 +709,49 @@
+@@ -635,3 +711,49 @@
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -23802,7 +23816,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.10/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/init.te	2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/init.te	2009-03-26 20:09:40.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -24085,7 +24099,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -790,3 +865,11 @@
+@@ -790,3 +865,17 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -24096,6 +24110,12 @@
 +
 +optional_policy(`
 +	xserver_rw_xdm_home_files(daemon)
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_dontaudit_rw_nfs_files(daemon)
++	')
++	tunable_policy(`use_samba_home_dirs',`
++		fs_dontaudit_rw_cifs_files(daemon)
++	')
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.10/policy/modules/system/ipsec.fc
 --- nsaserefpolicy/policy/modules/system/ipsec.fc	2008-08-07 11:15:12.000000000 -0400
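Review bot: The two new `tunable_policy` blocks dontaudit read/write of NFS and CIFS files for the entire `daemon` attribute, so once `use_nfs_home_dirs` or `use_samba_home_dirs` is enabled, every daemon's denials against those filesystems disappear from the audit log, not just the ones triggered by xdm home files. That hides genuine misconfigurations in unrelated services; if the noise comes from one or two daemons, scoping the dontaudit to those domains would be the safer fix. Because the blocks sit inside the xserver `optional_policy`, they also vanish when the xserver module is absent, which is fine if the intent really is xdm-specific but surprising otherwise, so a comment should state it, e.g. `# xdm home files may live on NFS/CIFS; silence the resulting daemon rw denials`.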
@@ -27414,7 +27434,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-03-26 20:35:29.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -29354,8 +29374,8 @@
 +# No application file contexts.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if
 --- nsaserefpolicy/policy/modules/system/virtual.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.if	2009-03-26 14:24:01.000000000 -0400
-@@ -0,0 +1,110 @@
++++ serefpolicy-3.6.10/policy/modules/system/virtual.if	2009-03-26 20:45:05.000000000 -0400
+@@ -0,0 +1,113 @@
 +## <summary>Virtual machine emulator and virtualizer</summary>
 +
 +########################################
@@ -29385,6 +29405,9 @@
 +
 +	# start with basic domain
 +	domain_type($1)
++
++	# could be started by libvirt
++	domain_user_exemption_target($1)
 +')
 +
 +########################################
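Review bot: `domain_user_exemption_target($1)` now lives in the per-type template instead of on the `virtualdomain` attribute (the final virtual.te hunk on this page removes the attribute-level call), so any domain that acquires the attribute without going through this template no longer gets the exemption; worth confirming that every svirt per-VM type is created via the template. The comment `# could be started by libvirt` does not say what the exemption is for; suggest `# libvirt may launch this domain under a different SELinux user than its own (svirt); the user-change constraint only permits that toward exemption targets`, hedged wording since the constraint itself is not visible here. The enclosing template definition starts before this hunk.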
@@ -29468,8 +29491,8 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te
 --- nsaserefpolicy/policy/modules/system/virtual.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.te	2009-03-26 14:21:16.000000000 -0400
-@@ -0,0 +1,81 @@
++++ serefpolicy-3.6.10/policy/modules/system/virtual.te	2009-03-26 20:44:37.000000000 -0400
+@@ -0,0 +1,80 @@
 +
 +policy_module(virtualization, 1.1.2)
 +
@@ -29513,7 +29536,6 @@
 +dev_rw_qemu(virtualdomain)
 +
 +domain_use_interactive_fds(virtualdomain)
-+domain_user_exemption_target(virtualdomain)
 +
 +files_read_etc_files(virtualdomain)
 +files_read_usr_files(virtualdomain)



