rpms/selinux-policy/devel policy-20060829.patch,1.17,1.18
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Sep 13 10:23:15 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv20247
Modified Files:
policy-20060829.patch
Log Message:
* Mon Sep 11 2006 Dan Walsh <dwalsh at redhat.com> 2.3.13-4
- Fixed typealias of firstboot_rw_t
policy-20060829.patch:
Makefile | 23 -
Rules.modular | 10
policy/mcs | 3
policy/modules/admin/anaconda.te | 6
policy/modules/admin/bootloader.fc | 1
policy/modules/admin/bootloader.te | 2
policy/modules/admin/consoletype.te | 7
policy/modules/admin/firstboot.te | 1
policy/modules/admin/rpm.fc | 2
policy/modules/apps/java.fc | 2
policy/modules/apps/mono.te | 9
policy/modules/kernel/corenetwork.te.in | 3
policy/modules/kernel/files.fc | 1
policy/modules/kernel/files.if | 46 +++
policy/modules/kernel/filesystem.if | 19 +
policy/modules/kernel/terminal.if | 2
policy/modules/services/amavis.te | 1
policy/modules/services/apache.fc | 9
policy/modules/services/apache.te | 1
policy/modules/services/automount.te | 1
policy/modules/services/bluetooth.fc | 3
policy/modules/services/bluetooth.te | 11
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.if | 65 ++++
policy/modules/services/ccs.te | 87 ++++++
policy/modules/services/clamav.te | 1
policy/modules/services/cron.te | 1
policy/modules/services/dbus.if | 1
policy/modules/services/lpd.fc | 1
policy/modules/services/oddjob.fc | 8
policy/modules/services/oddjob.if | 76 +++++
policy/modules/services/oddjob.te | 73 +++++
policy/modules/services/oddjob_mkhomedir.fc | 6
policy/modules/services/oddjob_mkhomedir.if | 24 +
policy/modules/services/oddjob_mkhomedir.te | 29 ++
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 6
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 +++++++++++++
policy/modules/services/ricci.te | 386 ++++++++++++++++++++++++++++
policy/modules/services/rpc.te | 2
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/xserver.if | 24 +
policy/modules/system/hostname.te | 5
policy/modules/system/init.te | 3
policy/modules/system/libraries.fc | 2
policy/modules/system/selinuxutil.te | 3
policy/modules/system/userdomain.if | 268 +++++++++++++------
policy/modules/system/userdomain.te | 65 +---
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 2
52 files changed, 1406 insertions(+), 146 deletions(-)
Index: policy-20060829.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060829.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- policy-20060829.patch 11 Sep 2006 20:56:05 -0000 1.17
+++ policy-20060829.patch 13 Sep 2006 10:23:13 -0000 1.18
@@ -45,6 +45,19 @@
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
$(moddir)/kernel/corenetwork.te: $(moddir)/kernel/corenetwork.te.m4 $(moddir)/kernel/corenetwork.te.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.3.13/policy/mcs
+--- nsaserefpolicy/policy/mcs 2006-08-02 10:34:09.000000000 -0400
++++ serefpolicy-2.3.13/policy/mcs 2006-09-13 05:16:44.000000000 -0400
+@@ -139,6 +139,9 @@
+ mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+
++mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
++ ( h1 dom h2 );
++
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+ mlsconstrain file { create relabelto }
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-2.3.13/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2006-09-01 14:10:19.000000000 -0400
+++ serefpolicy-2.3.13/policy/modules/admin/anaconda.te 2006-09-08 12:02:39.000000000 -0400
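Review bot: The added `mlsconstrain dir` rule leaves out `relabelfrom` and `relabelto`, both of which the file rules around it cover (`relabelfrom` in the statement above, `create relabelto` in the one below). Unless a dir relabel constraint exists outside this hunk, a directory's categories could be changed without the `h1 dom h2` check. The rule also has no comment, unlike the rule below it; `# A process may operate on a directory only if its high level dominates the directory's` would state the intent. Because `getattr` and `search` are in the permission set, traversal through a categorised directory is denied to non-dominating processes, which is worth recording in that comment.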
@@ -95,6 +108,17 @@
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-2.3.13/policy/modules/admin/firstboot.te
+--- nsaserefpolicy/policy/modules/admin/firstboot.te 2006-09-05 07:41:01.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/firstboot.te 2006-09-12 07:41:01.000000000 -0400
+@@ -58,6 +58,7 @@
+ auth_dontaudit_getattr_shadow(firstboot_t)
+
+ corecmd_exec_all_executables(firstboot_t)
++corecmd_etc_runtime_alias(firstboot_rw_t)
+
+ files_exec_etc_files(firstboot_t)
+ files_manage_etc_files(firstboot_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.13/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.13/policy/modules/admin/rpm.fc 2006-09-08 12:02:39.000000000 -0400
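Review bot: `corecmd_etc_runtime_alias(firstboot_rw_t)` sits among the access rules for firstboot_t, but it grants nothing to that domain. Judging by the interface added to files.if later in this patch, it declares firstboot_rw_t as an alias of etc_runtime_t. It would read better next to the module's type declarations (outside this hunk) with a comment such as `# firstboot_rw_t is kept only as an alias of etc_runtime_t`. After this change every rule written for etc_runtime_t also applies to files that used to carry firstboot_rw_t, so the wider set of domains that can reach them should be a deliberate choice.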
@@ -177,7 +201,7 @@
# /emul
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.3.13/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-08-29 09:00:26.000000000 -0400
-+++ serefpolicy-2.3.13/policy/modules/kernel/files.if 2006-09-08 12:02:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/kernel/files.if 2006-09-12 07:40:51.000000000 -0400
@@ -386,7 +386,7 @@
attribute file_type, security_file_type;
')
@@ -187,7 +211,7 @@
')
########################################
-@@ -4417,3 +4417,22 @@
+@@ -4417,3 +4417,47 @@
typeattribute $1 files_unconfined_type;
')
@@ -210,17 +234,31 @@
+ allow $1 { file_type -security_file_type }:dir create_dir_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.3.13/policy/modules/kernel/files.te
---- nsaserefpolicy/policy/modules/kernel/files.te 2006-09-05 07:41:00.000000000 -0400
-+++ serefpolicy-2.3.13/policy/modules/kernel/files.te 2006-09-08 16:02:39.000000000 -0400
-@@ -58,6 +58,7 @@
- #
- type etc_runtime_t;
- files_type(etc_runtime_t)
-+typealias firstboot_rw_t alias etc_runtime_t;
-
- #
- # file_t is the default type of a file that has not yet been
++########################################
++## <summary>
++## Create a aliased type to etc_runtime_t files.
++## </summary>
++## <desc>
++## <p>
++## Create a aliased type to etc runtime files.
++## </p>
++## <p>
++## This is added to remove types that should have been etc_runtime_t
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Alias type for etc_runtime_t.
++## </summary>
++## </param>
++#
++interface(`corecmd_etc_runtime_alias',`
++ gen_require(`
++ type etc_runtime_t;
++ ')
++
++ typealias etc_runtime_t alias $1;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.13/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-09-06 13:04:50.000000000 -0400
+++ serefpolicy-2.3.13/policy/modules/kernel/filesystem.if 2006-09-08 12:02:39.000000000 -0400
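Review bot: The new interface is named `corecmd_etc_runtime_alias`, although the surrounding diff headers place it in policy/modules/kernel/files.if. Other calls visible in this patch carry their module's prefix (`fs_`, `xserver_`, `init_`), so `files_etc_runtime_alias` would be consistent, with the call in firstboot.te renamed to match. The documentation labels the argument `<param name="domain">` while the body uses `$1` as an alias type name, and the summary reads "Create a aliased type". `<param name="alias">` and a summary such as `Declare the given type name as an alias of etc_runtime_t.` would describe what the interface does.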
@@ -272,8 +310,8 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.3.13/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.13/policy/modules/services/apache.fc 2006-09-08 13:47:00.000000000 -0400
-@@ -80,3 +80,13 @@
++++ serefpolicy-2.3.13/policy/modules/services/apache.fc 2006-09-11 11:16:19.000000000 -0400
+@@ -80,3 +80,12 @@
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -285,7 +323,6 @@
+/opt/fortitude/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/opt/fortitude/modules.local(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/opt/fortitude/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/opt/fortitude/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-09-05 07:41:01.000000000 -0400
@@ -307,9 +344,29 @@
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-2.3.13/policy/modules/services/bluetooth.fc
+--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-07-14 17:04:40.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/bluetooth.fc 2006-09-13 05:11:32.000000000 -0400
+@@ -7,7 +7,7 @@
+ #
+ # /usr
+ #
+-/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
++#/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+ /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+@@ -15,6 +15,7 @@
+ /usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
++/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+ #
+ # /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.3.13/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.13/policy/modules/services/bluetooth.te 2006-09-11 11:07:58.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/bluetooth.te 2006-09-13 05:10:19.000000000 -0400
@@ -217,14 +217,18 @@
fs_rw_tmpfs_files(bluetooth_helper_t)
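Review bot: The `/usr/bin/blue.*pin` entry is commented out rather than removed, and no reason is given, so a reader cannot tell whether the helper label is retired or only temporarily disabled. With the entry inactive, binaries matching that path would presumably no longer be labelled bluetooth_helper_exec_t after a relabel, while the bluetooth_helper_t rules remain in bluetooth.te. Either delete the line or put a comment above it, e.g. `# disabled: <reason>`. The new `/usr/bin/dund` line is appended to the /usr/sbin group; it belongs with the other /usr/bin entries under the `# /usr` header.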
@@ -330,6 +387,15 @@
xserver_stream_connect_xdm(bluetooth_helper_t)
xserver_use_xdm_fds(bluetooth_helper_t)
xserver_rw_xdm_pipes(bluetooth_helper_t)
+@@ -247,3 +251,8 @@
+ optional_policy(`
+ xserver_stream_connect_xdm(bluetooth_helper_t)
+ ')
++
++optional_policy(`
++ ppp_domtrans(bluetooth_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.3.13/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.13/policy/modules/services/ccs.fc 2006-09-08 12:02:39.000000000 -0400
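Review bot: `ppp_domtrans(bluetooth_t)` gives the pppd transition to every program that runs as bluetooth_t. The bluetooth.fc changes in this patch label hidd, rfcomm, hcid, hid2hci, sdpd and now dund with bluetooth_exec_t, so presumably all of them gain it. If only dund needs to start pppd (an assumption; the patch does not say), a comment such as `# dund starts pppd` would record that. A separate type for dund would keep the other daemons from acquiring the transition. The hunk also adds a trailing blank line at the end of the file.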
@@ -1468,7 +1534,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.3.13/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.13/policy/modules/services/rpc.te 2006-09-08 12:02:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/rpc.te 2006-09-12 14:40:17.000000000 -0400
@@ -53,6 +53,7 @@
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
@@ -1477,6 +1543,31 @@
term_use_controlling_term(rpcd_t)
# cjp: this should really have its own type
+@@ -130,6 +131,7 @@
+ fs_list_rpc(gssd_t)
+ fs_read_rpc_sockets(gssd_t)
+ fs_read_rpc_files(gssd_t)
++fs_rw_rpc_named_pipes(gssd_t)
+
+ files_list_tmp(gssd_t)
+ files_read_generic_tmp_files(gssd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.13/policy/modules/services/setroubleshoot.te
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2006-09-06 13:04:51.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/setroubleshoot.te 2006-09-13 05:05:59.000000000 -0400
+@@ -82,11 +82,13 @@
+ init_read_utmp(setroubleshootd_t)
+ init_dontaudit_write_utmp(setroubleshootd_t)
+ init_use_fds(setroubleshootd_t)
++init_use_script_ptys(setroubleshootd_t)
+
+ libs_use_ld_so(setroubleshootd_t)
+ libs_use_shared_libs(setroubleshootd_t)
+
+ miscfiles_read_localization(setroubleshootd_t)
++nis_use_ypbind(setroubleshootd_t)
+
+ locallogin_dontaudit_use_fds(setroubleshootd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.13/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-09-06 13:04:51.000000000 -0400
+++ serefpolicy-2.3.13/policy/modules/services/xserver.if 2006-09-08 12:02:39.000000000 -0400
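Review bot: `nis_use_ypbind(setroubleshootd_t)` is called unconditionally and is attached directly under the `miscfiles_read_localization` line. The other cross-module service call added by this patch, `ppp_domtrans(bluetooth_t)`, is wrapped in an `optional_policy` block. If the nis module can be left out of a build, this call should get an `optional_policy` block of its own, separated from the miscfiles line by a blank line. In the same outer hunk, `fs_rw_rpc_named_pipes(gssd_t)` adds write access for gssd_t without a comment; a line such as `# gssd talks to the kernel over the rpc_pipefs pipes` (to be confirmed by the author) would explain why read access was not enough.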
@@ -1536,6 +1627,25 @@
# slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.3.13/policy/modules/system/libraries.fc
+--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-09-05 07:41:01.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/libraries.fc 2006-09-11 11:27:41.000000000 -0400
+@@ -128,6 +128,7 @@
+ /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -263,6 +264,7 @@
+ /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(local/)?lib/xchat/plugins/systray.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.13/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-09-05 07:41:01.000000000 -0400
+++ serefpolicy-2.3.13/policy/modules/system/selinuxutil.te 2006-09-08 12:02:39.000000000 -0400
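Review bot: The dot in `systray.so` is unescaped in the new xchat entry, so the pattern matches any character at that position, whereas the neighbouring entries write `\.so`. Use `/usr/(local/)?lib/xchat/plugins/systray\.so`. The path is also written with `lib` only, while the entries in the first hunk of this file use `lib(64)?`, so on a 64-bit install the plugin may not be matched, depending on where xchat installs it. textrel_shlib_t is the label this file gives to libraries that need text relocations, so the pattern should match that one file and nothing else.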