rpms/selinux-policy/devel policy-20051208.patch, 1.3, 1.4 selinux-policy.spec, 1.38, 1.39

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Sun Dec 11 17:29:18 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv25158

Modified Files:
	policy-20051208.patch selinux-policy.spec 
Log Message:
* Sun Dec  10 2005 Dan Walsh <dwalsh at redhat.com> 2.1.2-2
- Allow unconfined_t to execmod texrel_shlib_t


policy-20051208.patch:
 Makefile                            |    2 +-
 base.pp                             |binary
 policy/global_tunables              |    6 ++++++
 policy/modules/services/apache.te   |   23 +++++++++++++++--------
 policy/modules/services/gpm.te      |    3 +--
 policy/modules/services/nis.if      |    2 ++
 policy/modules/system/mount.te      |    5 ++---
 policy/modules/system/unconfined.if |    3 ++-
 8 files changed, 29 insertions(+), 15 deletions(-)

Index: policy-20051208.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20051208.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- policy-20051208.patch	10 Dec 2005 05:19:29 -0000	1.3
+++ policy-20051208.patch	11 Dec 2005 17:29:15 -0000	1.4
@@ -1,6 +1,7 @@
+Binary files nsaserefpolicy/base.pp and serefpolicy-2.1.2/base.pp differ
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.2/Makefile
 --- nsaserefpolicy/Makefile	2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.2/Makefile	2005-12-10 00:10:25.000000000 -0500
++++ serefpolicy-2.1.2/Makefile	2005-12-10 00:15:32.000000000 -0500
 @@ -92,7 +92,7 @@
  
  # enable MLS if requested.
@@ -12,7 +13,7 @@
  endif
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.1.2/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2005-12-02 17:53:25.000000000 -0500
-+++ serefpolicy-2.1.2/policy/global_tunables	2005-12-10 00:14:31.000000000 -0500
++++ serefpolicy-2.1.2/policy/global_tunables	2005-12-10 00:15:32.000000000 -0500
 @@ -68,6 +68,12 @@
  ## Allow http daemon to tcp connect 
  gen_tunable(httpd_can_network_connect,false)
@@ -28,7 +29,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.1.2/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.2/policy/modules/services/apache.te	2005-12-10 00:10:25.000000000 -0500
++++ serefpolicy-2.1.2/policy/modules/services/apache.te	2005-12-10 00:15:32.000000000 -0500
 @@ -226,14 +226,6 @@
  corenet_udp_bind_all_nodes(httpd_t)
  corenet_tcp_bind_http_port(httpd_t)
@@ -66,9 +67,22 @@
  tunable_policy(`httpd_can_network_connect',`
  	allow httpd_t self:tcp_socket create_socket_perms;
  	allow httpd_t self:udp_socket create_socket_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-2.1.2/policy/modules/services/gpm.te
+--- nsaserefpolicy/policy/modules/services/gpm.te	2005-12-09 23:35:05.000000000 -0500
++++ serefpolicy-2.1.2/policy/modules/services/gpm.te	2005-12-11 12:21:37.000000000 -0500
+@@ -91,8 +91,7 @@
+ 	udev_read_db(gpm_t)
+ ')
+ 
+-ifdef(`TODO',`
+ # Access the mouse.
+ # cjp: why write?
++#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175450
+ allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
+-')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.1.2/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2005-12-06 19:49:50.000000000 -0500
-+++ serefpolicy-2.1.2/policy/modules/services/nis.if	2005-12-10 00:10:25.000000000 -0500
++++ serefpolicy-2.1.2/policy/modules/services/nis.if	2005-12-10 00:15:32.000000000 -0500
 @@ -150,8 +150,10 @@
  interface(`nis_signal_ypbind',`
  	gen_require(`
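Review bot: The gpm.te section added to the patch makes `allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;` unconditional by dropping the TODO ifdef around it, but the existing question `# cjp: why write?` is left unanswered and the only new comment is a bare bug URL. Write access to input device nodes is the sensitive half of this rule, so the comment should record why gpm needs it, for example `# gpm needs read/write on the mouse and event device nodes, see bug 175450`, assuming that is what the bug report established. If only one of the two types actually needs write, splitting the rule so the other gets read-only permissions would keep the grant minimal. The rest of gpm.te lies outside the hunk, so overlap with other rules cannot be checked from here.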
@@ -82,7 +96,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.1.2/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.2/policy/modules/system/mount.te	2005-12-10 00:10:25.000000000 -0500
++++ serefpolicy-2.1.2/policy/modules/system/mount.te	2005-12-10 00:15:32.000000000 -0500
 @@ -47,6 +47,7 @@
  fs_use_tmpfs_chr_dev(mount_t)
  
@@ -102,3 +116,23 @@
  	corenet_tcp_sendrecv_all_if(mount_t)
  	corenet_raw_sendrecv_all_if(mount_t)
  	corenet_udp_sendrecv_all_if(mount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.1.2/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if	2005-12-02 17:53:54.000000000 -0500
++++ serefpolicy-2.1.2/policy/modules/system/unconfined.if	2005-12-11 12:14:08.000000000 -0500
+@@ -29,6 +29,8 @@
+ 	allow $1 self:dbus *;
+ 	allow $1 self:passwd *;
+ 
++	libs_use_shared_libs($1)
++
+ 	kernel_unconfined($1)
+ 	corenet_unconfined($1)
+ 	dev_unconfined($1)
+@@ -79,7 +81,6 @@
+ 	if (allow_execmod) {
+ 		ifdef(`targeted_policy', `', `
+ 			# Allow text relocations on system shared libraries, e.g. libGL.
+-			allow $1 texrel_shlib_t:file execmod;
+ 			allow $1 home_type:file execmod;
+ 		')
+ 	}
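Review bot: In the unconfined.if section, the comment `# Allow text relocations on system shared libraries, e.g. libGL.` stays in place after the `texrel_shlib_t` rule it described is removed, so it now sits directly above `allow $1 home_type:file execmod;` and misdescribes it. Replace it with a comment for the home_type rule, and document the new `libs_use_shared_libs($1)` call as well: it is added outside the `if (allow_execmod)` block, so if it is what now carries execmod on texrel_shlib_t (its definition is not visible here), that permission no longer follows the boolean, which the spec changelog says was turned off in 2.1.2-1. A comment such as `# texrel_shlib_t text relocations come from libs_use_shared_libs, independent of allow_execmod` would make that explicit, to be confirmed against the interface definition. The enclosing interface begins and ends outside the hunk.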


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- selinux-policy.spec	10 Dec 2005 05:19:29 -0000	1.38
+++ selinux-policy.spec	11 Dec 2005 17:29:15 -0000	1.39
@@ -10,7 +10,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.1.2
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -240,6 +240,9 @@
 
 
 %changelog
+* Sun Dec  10 2005 Dan Walsh <dwalsh at redhat.com> 2.1.2-2
+- Allow unconfined_t to execmod texrel_shlib_t
+
 * Sat Dec  9 2005 Dan Walsh <dwalsh at redhat.com> 2.1.2-1
 - Update to upstream 
 - Turn off allow_execmem and allow_execmod booleans



