rpms/selinux-policy/F-9 policy-20071130.patch, 1.194, 1.195 selinux-policy.spec, 1.697, 1.698
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Jul 25 01:36:32 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3428
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Thu Jul 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-80
- Allow system_crond_t to restart init scripts
- Allow dnsmasq to bind to any udp port
- Change dhclient to be able to read networkmanager_var_run
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- policy-20071130.patch 21 Jul 2008 00:50:59 -0000 1.194
+++ policy-20071130.patch 25 Jul 2008 01:35:46 -0000 1.195
@@ -2006,7 +2006,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.3.1/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-07-15 14:02:51.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-07-24 13:59:46.000000000 -0400
@@ -0,0 +1,56 @@
+
+policy_module(kismet,1.0.0)
@@ -2035,7 +2035,7 @@
+# kismet local policy
+#
+
-+allow kismet_t self:capability { net_admin setuid setgid };
++allow kismet_t self:capability { net_admin net_raw setuid setgid };
+
+corecmd_exec_bin(kismet_t)
+
@@ -2142,8 +2142,14 @@
init_domtrans_script(logrotate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.3.1/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/logwatch.te 2008-07-15 14:02:51.000000000 -0400
-@@ -59,10 +59,9 @@
++++ serefpolicy-3.3.1/policy/modules/admin/logwatch.te 2008-07-24 07:12:06.000000000 -0400
+@@ -54,15 +54,15 @@
+ domain_read_all_domains_state(logwatch_t)
+
+ files_list_var(logwatch_t)
++files_read_var_symlinks(logwatch_t)
+ files_read_etc_files(logwatch_t)
+ files_read_etc_runtime_files(logwatch_t)
files_read_usr_files(logwatch_t)
files_search_spool(logwatch_t)
files_search_mnt(logwatch_t)
@@ -2156,7 +2162,7 @@
fs_getattr_all_fs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
-@@ -88,9 +87,6 @@
+@@ -88,9 +88,6 @@
sysnet_dns_name_resolve(logwatch_t)
@@ -2166,7 +2172,7 @@
mta_send_mail(logwatch_t)
optional_policy(`
-@@ -132,4 +128,5 @@
+@@ -132,4 +129,5 @@
optional_policy(`
samba_read_log(logwatch_t)
@@ -9175,7 +9181,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.3.1/policy/modules/kernel/selinux.te
--- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/selinux.te 2008-07-15 14:02:51.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/selinux.te 2008-07-24 13:57:00.000000000 -0400
@@ -10,6 +10,7 @@
attribute can_setenforce;
attribute can_setsecparam;
@@ -9184,18 +9190,19 @@
#
# security_t is the target type when checking
-@@ -22,6 +23,11 @@
+@@ -21,6 +22,12 @@
+ mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
-
++genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
++
+type boolean_t, booleans_type;
+fs_type(boolean_t)
+mls_trusted_object(boolean_t)
+#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0)
-+
+
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
- neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.3.1/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-06-12 23:38:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc 2008-07-15 14:02:51.000000000 -0400
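Review bot: The added `genfscon securityfs / gen_context(system_u:object_r:security_t,s0)` gives /sys/kernel/security the same type as selinuxfs, so every domain already allowed to read or write security_t files gains identical access to whatever other LSM or integrity interfaces a given kernel exposes through securityfs; the neverallow rules at the bottom of the hunk only constrain the `security` object class, not file access to these nodes. This appears to follow what upstream reference policy does, but it deserves a comment so nobody later assumes securityfs is confined separately, e.g. `# securityfs (/sys/kernel/security) shares security_t with selinuxfs; file rules on security_t cover both`. If a separate type is ever wanted for securityfs, this line is the place to introduce it.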
@@ -12812,7 +12819,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.3.1/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cron.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cron.te 2008-07-24 07:27:14.000000000 -0400
@@ -12,14 +12,6 @@
## <desc>
@@ -12996,16 +13003,17 @@
kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t)
-@@ -323,7 +358,7 @@
+@@ -323,7 +358,8 @@
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_crond_t)
+init_telinit(system_crond_t)
++init_spec_domtrans_script(system_crond_t)
auth_use_nsswitch(system_crond_t)
-@@ -333,6 +368,7 @@
+@@ -333,6 +369,7 @@
libs_exec_ld_so(system_crond_t)
logging_read_generic_logs(system_crond_t)
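Review bot: `init_spec_domtrans_script(system_crond_t)` lets every job running as system_crond_t transition into the init-script domain, which under the targeted policy is close to unconfined, and unlike the neighbouring `init_telinit` line it carries no comment saying which job needs it. As far as I recall, a `spec_domtrans` rule only takes effect when the caller explicitly requests the context with setexeccon, so this presumably pairs with a `self:process setexec` permission that is not visible in this hunk — worth confirming, since without it the rule is dead. A comment recording the consumer, e.g. `# cron jobs restart services through their init scripts (see 3.3.1-80 changelog)`, would help, and if only one job needs this, gating it behind a boolean or giving that job its own domain would keep the rest of system cron from inheriting the right.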
@@ -13013,7 +13021,7 @@
logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
-@@ -348,18 +384,6 @@
+@@ -348,18 +385,6 @@
')
')
@@ -13032,7 +13040,7 @@
optional_policy(`
# Needed for certwatch
apache_exec_modules(system_crond_t)
-@@ -383,6 +407,14 @@
+@@ -383,6 +408,14 @@
')
optional_policy(`
@@ -13047,7 +13055,7 @@
mrtg_append_create_logs(system_crond_t)
')
-@@ -415,8 +447,7 @@
+@@ -415,8 +448,7 @@
')
optional_policy(`
@@ -13057,7 +13065,7 @@
')
optional_policy(`
-@@ -424,15 +455,12 @@
+@@ -424,15 +456,12 @@
')
optional_policy(`
@@ -15132,7 +15140,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.3.1/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.te 2008-07-24 06:51:59.000000000 -0400
@@ -16,6 +16,9 @@
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)
@@ -15161,6 +15169,15 @@
files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
+@@ -55,7 +58,7 @@
+ corenet_tcp_bind_all_nodes(dnsmasq_t)
+ corenet_udp_bind_all_nodes(dnsmasq_t)
+ corenet_tcp_bind_dns_port(dnsmasq_t)
+-corenet_udp_bind_dns_port(dnsmasq_t)
++corenet_udp_bind_all_ports(dnsmasq_t)
+ corenet_udp_bind_dhcpd_port(dnsmasq_t)
+ corenet_sendrecv_dns_server_packets(dnsmasq_t)
+ corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
@@ -94,3 +97,7 @@
optional_policy(`
udev_read_db(dnsmasq_t)
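Review bot: Replacing `corenet_udp_bind_dns_port` with `corenet_udp_bind_all_ports(dnsmasq_t)` lets dnsmasq bind every UDP port type — in reference policy that is the whole `port_type` attribute, including reserved ports and the named ports of other daemons — which is considerably wider than "bind to any udp port" for its own queries suggests. If the driver is random source-port selection for upstream DNS queries, `corenet_udp_bind_all_unreserved_ports(dnsmasq_t)` covers that while the existing `corenet_udp_bind_dns_port` and `corenet_udp_bind_dhcpd_port` lines keep the listening sockets, assuming that interface is present in this tree's corenetwork.if, which the hunk does not show. Either way a one-line comment stating why the wide bind is needed, e.g. `# dnsmasq binds random source ports for upstream queries`, would stop a later reviewer from tightening it back by accident.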
@@ -17909,15 +17926,19 @@
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.3.1/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mta.fc 2008-07-15 14:02:52.000000000 -0400
-@@ -11,6 +11,7 @@
++++ serefpolicy-3.3.1/policy/modules/services/mta.fc 2008-07-22 06:33:02.000000000 -0400
+@@ -11,9 +11,10 @@
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-
++/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+ /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -22,6 +23,4 @@
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
@@ -18876,8 +18897,8 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-07-15 14:02:52.000000000 -0400
-@@ -1,7 +1,11 @@
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-07-24 08:18:27.000000000 -0400
+@@ -1,7 +1,13 @@
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -18887,12 +18908,14 @@
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++
+/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/etc/NetworkManager/dispatcher.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.3.1/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-07-15 14:02:52.000000000 -0400
-@@ -97,3 +97,40 @@
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-07-24 08:11:29.000000000 -0400
+@@ -97,3 +97,58 @@
allow $1 NetworkManager_t:dbus send_msg;
allow NetworkManager_t $1:dbus send_msg;
')
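Review bot: The new `/var/run/nm-dhclient.*` entry carries no file-type field, unlike the `--` and `-s` qualified entries around it, so it also labels directories, sockets or symlinks created with that prefix. If these are the per-interface conf/pid/lease files NetworkManager writes for dhclient, which are regular files as far as I know, `/var/run/nm-dhclient.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)` keeps the rule as tight as its neighbours. A short comment naming what these files are would also help, since nothing else in the fc file mentions dhclient.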
@@ -18933,6 +18956,24 @@
+ init_script_domtrans_spec($1, NetworkManager_script_exec_t)
+')
+
++########################################
++## <summary>
++## Read NetworkManager PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_read_pid_files',`
++ gen_require(`
++ type NetworkManager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 NetworkManager_var_run_t:file read_file_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:38:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-07-15 14:02:52.000000000 -0400
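Review bot: `networkmanager_read_pid_files` grants only `NetworkManager_var_run_t:file read_file_perms`, but `/var/run/NetworkManager(/.*)?` carries the same type as a directory, so a caller reading a file inside that directory would still be denied `dir search` on the type; `files_search_pids` only covers /var/run itself. The usual reference-policy form is `read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)`, which adds the directory search permission and matches the other `_read_pid_files` interfaces in the tree. The narrower rule works today for the flat `/var/run/nm-dhclient.*` files, but it will break silently as soon as a PID or lease file moves under the NetworkManager directory.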
@@ -19088,7 +19129,7 @@
+/etc/rc.d/init.d/ypxfrd -- gen_context(system_u:object_r:nis_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.3.1/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/nis.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/nis.if 2008-07-24 08:13:28.000000000 -0400
@@ -28,7 +28,7 @@
type var_yp_t;
')
@@ -30057,7 +30098,7 @@
-
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-07-24 07:26:35.000000000 -0400
@@ -211,6 +211,16 @@
kernel_dontaudit_use_fds($1)
')
@@ -33614,7 +33655,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-07-24 08:14:38.000000000 -0400
@@ -20,6 +20,10 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -33684,18 +33725,20 @@
optional_policy(`
networkmanager_dbus_chat(dhcpc_t)
')
-@@ -186,6 +199,10 @@
+@@ -186,6 +199,12 @@
')
optional_policy(`
+ networkmanager_domtrans(dhcpc_t)
++ networkmanager_read_pid_files(dhcpc_t)
+')
+
+optional_policy(`
++ nis_script_domtrans(dhcpc_t)
nis_use_ypbind(dhcpc_t)
nis_signal_ypbind(dhcpc_t)
nis_read_ypbind_pid(dhcpc_t)
-@@ -202,9 +219,7 @@
+@@ -202,9 +221,7 @@
')
optional_policy(`
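Review bot: `nis_script_domtrans(dhcpc_t)` opens a path from dhclient — a daemon that acts on DHCP options received from the local network — into the init-script domain via the ypbind script, and the hunk gives no comment on which step of dhclient-script needs it. If this is for restarting ypbind when a lease carries NIS domain or server options, a comment saying so, e.g. `# dhclient-script restarts ypbind when the lease supplies NIS settings`, records the rationale and the exposure. It is also worth confirming that the interface transitions only through the ypbind script type rather than all of initrc_exec_t; its body is in nis.if, outside this hunk. The `networkmanager_read_pid_files(dhcpc_t)` call sits correctly inside the existing NetworkManager optional_policy block.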
@@ -33706,7 +33749,7 @@
')
optional_policy(`
-@@ -215,6 +230,7 @@
+@@ -215,6 +232,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -33714,7 +33757,7 @@
')
optional_policy(`
-@@ -226,6 +242,10 @@
+@@ -226,6 +244,10 @@
')
optional_policy(`
@@ -33725,7 +33768,7 @@
kernel_read_xen_state(dhcpc_t)
kernel_write_xen_state(dhcpc_t)
xen_append_log(dhcpc_t)
-@@ -239,7 +259,6 @@
+@@ -239,7 +261,6 @@
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
@@ -33733,7 +33776,7 @@
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
-@@ -253,6 +272,7 @@
+@@ -253,6 +274,7 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
@@ -33741,7 +33784,7 @@
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -268,7 +288,10 @@
+@@ -268,7 +290,10 @@
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
kernel_search_network_sysctl(ifconfig_t)
@@ -33752,7 +33795,7 @@
corenet_rw_tun_tap_dev(ifconfig_t)
-@@ -279,8 +302,11 @@
+@@ -279,8 +304,11 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -33764,7 +33807,7 @@
domain_use_interactive_fds(ifconfig_t)
-@@ -303,12 +329,16 @@
+@@ -303,12 +331,16 @@
userdom_use_all_users_fds(ifconfig_t)
@@ -33782,7 +33825,7 @@
ifdef(`hide_broken_symptoms',`
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -332,6 +362,14 @@
+@@ -332,6 +364,14 @@
')
optional_policy(`
@@ -38395,7 +38438,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-07-24 07:40:40.000000000 -0400
@@ -0,0 +1,204 @@
+
+policy_module(virt,1.0.0)
@@ -38451,7 +38494,7 @@
+#
+# virtd local policy
+#
-+allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
++allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace sys_resource };
+allow virtd_t self:process { getsched sigkill signal execmem };
+allow virtd_t self:fifo_file rw_file_perms;
+allow virtd_t self:unix_stream_socket create_stream_socket_perms;
@@ -38906,8 +38949,8 @@
+## <summary>Policy for guest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.3.1/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/guest.te 2008-07-15 14:02:52.000000000 -0400
-@@ -0,0 +1,21 @@
++++ serefpolicy-3.3.1/policy/modules/users/guest.te 2008-07-24 14:15:43.000000000 -0400
+@@ -0,0 +1,31 @@
+policy_module(guest,1.0.1)
+userdom_restricted_user_template(guest)
+
@@ -38929,6 +38972,16 @@
+ dbus_chat_user_bus(xguest,xguest_mozilla_t)
+ dbus_connectto_user_bus(xguest,xguest_mozilla_t)
+')
++
++optional_policy(`
++ gen_require(`
++ type openoffice_exec_t;
++ type xguest_mozilla_t;
++ type xguest_openoffice_t;
++ ')
++
++ domtrans_pattern(xguest_mozilla_t, openoffice_exec_t, xguest_openoffice_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.3.1/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/users/logadm.fc 2008-07-15 14:02:52.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.697
retrieving revision 1.698
diff -u -r1.697 -r1.698
--- selinux-policy.spec 18 Jul 2008 19:21:11 -0000 1.697
+++ selinux-policy.spec 25 Jul 2008 01:35:47 -0000 1.698
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 79%{?dist}
+Release: 80%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,11 @@
%endif
%changelog
+* Thu Jul 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-80
+- Allow system_crond_t to restart init scripts
+- Allow dnsmasq to bind to any udp port
+- Change dhclient to be able to red networkmanager_var_run
+
* Thu Jul 17 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-79
- Allow xguest to communicate with hal
- allow mozilla to communicate with networkmanager