rpms/selinux-policy-targeted/devel policy-20050502.patch, 1.1, 1.2 selinux-policy-targeted.spec, 1.292, 1.293
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon May 2 20:16:49 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv19790
Modified Files:
policy-20050502.patch selinux-policy-targeted.spec
Log Message:
* Mon May 2 2005 Dan Walsh <dwalsh at redhat.com> 1.23.14-2
- Allow all domains the execmem privilege on ppc; otherwise they crash
policy-20050502.patch:
domains/misc/kernel.te | 2 ++
domains/program/ifconfig.te | 2 ++
domains/program/modutil.te | 2 +-
domains/program/unused/apmd.te | 2 +-
domains/program/unused/auditd.te | 1 +
domains/program/unused/automount.te | 9 +++++++--
domains/program/unused/consoletype.te | 1 +
domains/program/unused/cups.te | 4 +++-
domains/program/unused/hald.te | 7 ++++---
domains/program/unused/hotplug.te | 2 +-
domains/program/unused/i18n_input.te | 2 ++
domains/program/unused/kudzu.te | 1 +
domains/program/unused/lvm.te | 2 +-
domains/program/unused/pamconsole.te | 2 +-
domains/program/unused/udev.te | 4 ++--
domains/program/unused/updfstab.te | 6 ++++++
domains/program/unused/xdm.te | 1 +
domains/program/unused/xserver.te | 1 +
file_contexts/distros.fc | 3 ++-
file_contexts/program/cups.fc | 1 +
file_contexts/program/rhgb.fc | 1 -
file_contexts/types.fc | 1 +
macros/core_macros.te | 1 -
macros/program/su_macros.te | 5 +++--
net_contexts | 2 ++
targeted/domains/unconfined.te | 5 +++++
tunables/distro.tun | 2 +-
tunables/tunable.tun | 6 +++---
28 files changed, 56 insertions(+), 22 deletions(-)
Index: policy-20050502.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050502.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20050502.patch 2 May 2005 19:02:02 -0000 1.1
+++ policy-20050502.patch 2 May 2005 20:16:46 -0000 1.2
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.14/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/misc/kernel.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/misc/kernel.te 2005-05-02 14:57:26.000000000 -0400
@@ -36,6 +36,7 @@
# Send signal to any process.
@@ -19,7 +19,7 @@
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.23.14/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.14/domains/program/ifconfig.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/ifconfig.te 2005-05-02 14:57:26.000000000 -0400
@@ -21,7 +21,9 @@
general_domain_access(ifconfig_t)
@@ -32,7 +32,7 @@
allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.14/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.14/domains/program/modutil.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/modutil.te 2005-05-02 14:57:26.000000000 -0400
@@ -143,7 +143,7 @@
allow insmod_t proc_t:dir search;
allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
@@ -44,7 +44,7 @@
# Write to /proc/mtrr.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.23.14/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/apmd.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/apmd.te 2005-05-02 14:57:26.000000000 -0400
@@ -31,7 +31,7 @@
allow apmd_t device_t:lnk_file read;
@@ -56,7 +56,7 @@
allow apmd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.14/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/auditd.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/auditd.te 2005-05-02 14:57:26.000000000 -0400
@@ -56,3 +56,4 @@
allow auditctl_t sysctl_kernel_t:file read;
allow auditd_t self:process setsched;
@@ -64,7 +64,7 @@
+allow auditctl_t initrc_devpts_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.23.14/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/automount.te 2005-05-02 14:53:00.000000000 -0400
++++ policy-1.23.14/domains/program/unused/automount.te 2005-05-02 14:57:26.000000000 -0400
@@ -26,7 +26,7 @@
allow automount_t { etc_t etc_runtime_t }:file { getattr read };
allow automount_t proc_t:file { getattr read };
@@ -87,7 +87,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.14/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/consoletype.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/consoletype.te 2005-05-02 14:57:26.000000000 -0400
@@ -57,6 +57,7 @@
ifdef(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
@@ -98,7 +98,7 @@
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.14/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/cups.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/cups.te 2005-05-02 14:57:26.000000000 -0400
@@ -22,6 +22,7 @@
logdir_domain(cupsd)
@@ -120,7 +120,7 @@
allow cupsd_config_t initrc_exec_t:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.14/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/hald.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/hald.te 2005-05-02 14:57:26.000000000 -0400
@@ -10,12 +10,12 @@
#
# hald_exec_t is the type of the hald executable.
@@ -155,7 +155,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.14/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/hotplug.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/hotplug.te 2005-05-02 14:57:26.000000000 -0400
@@ -156,4 +156,4 @@
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
')
@@ -164,7 +164,7 @@
+allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.23.14/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te 2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/i18n_input.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/i18n_input.te 2005-05-02 14:57:26.000000000 -0400
@@ -14,6 +14,7 @@
can_ypbind(i18n_input_t)
@@ -180,7 +180,7 @@
+allow i18n_input_t usr_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.14/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/kudzu.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/kudzu.te 2005-05-02 14:57:26.000000000 -0400
@@ -26,6 +26,7 @@
allow kudzu_t mouse_device_t:chr_file { read write };
allow kudzu_t proc_net_t:dir r_dir_perms;
@@ -191,7 +191,7 @@
allow kudzu_t { bin_t sbin_t }:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.23.14/domains/program/unused/lvm.te
--- nsapolicy/domains/program/unused/lvm.te 2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/lvm.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/lvm.te 2005-05-02 14:57:26.000000000 -0400
@@ -112,7 +112,7 @@
allow lvm_t lvm_control_t:chr_file rw_file_perms;
allow initrc_t lvm_control_t:chr_file { getattr read unlink };
@@ -203,7 +203,7 @@
dontaudit lvm_t file_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.14/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te 2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/pamconsole.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/pamconsole.te 2005-05-02 14:57:26.000000000 -0400
@@ -45,5 +45,5 @@
ifdef(`xdm.te', `
allow pam_console_t xdm_var_run_t:file { getattr read };
@@ -213,7 +213,7 @@
allow pam_console_t file_context_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.14/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/udev.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/udev.te 2005-05-02 14:57:26.000000000 -0400
@@ -38,8 +38,8 @@
allow udev_t device_t:lnk_file create_lnk_perms;
allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
@@ -227,7 +227,7 @@
allow udev_t tmpfs_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.23.14/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te 2005-04-27 10:28:53.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/updfstab.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/updfstab.te 2005-05-02 14:57:26.000000000 -0400
@@ -31,6 +31,8 @@
ifdef(`dbusd.te', `
dbusd_client(system, updfstab)
@@ -247,7 +247,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.14/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/xdm.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/xdm.te 2005-05-02 14:57:26.000000000 -0400
@@ -344,3 +344,4 @@
# Run telinit->init to shutdown.
@@ -255,7 +255,7 @@
+allow xdm_t self:sem create_sem_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xserver.te policy-1.23.14/domains/program/unused/xserver.te
--- nsapolicy/domains/program/unused/xserver.te 2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/xserver.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/domains/program/unused/xserver.te 2005-05-02 14:57:26.000000000 -0400
@@ -20,3 +20,4 @@
# Everything else is in the xserver_domain macro in
# macros/program/xserver_macros.te.
@@ -263,7 +263,7 @@
+allow initrc_t xserver_log_t:fifo_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.14/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-05-02 14:06:56.000000000 -0400
-+++ policy-1.23.14/file_contexts/distros.fc 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/file_contexts/distros.fc 2005-05-02 14:57:26.000000000 -0400
@@ -37,7 +37,8 @@
/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t
@@ -276,7 +276,7 @@
# /emul/ia32-linux/usr
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.23.14/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.14/file_contexts/program/cups.fc 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/file_contexts/program/cups.fc 2005-05-02 14:57:26.000000000 -0400
@@ -25,6 +25,7 @@
/usr/sbin/printconf-backend -- system_u:object_r:cupsd_config_exec_t
')
@@ -285,23 +285,15 @@
/var/spool/cups(/.*)? system_u:object_r:print_spool_t
/var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t
/usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.23.14/file_contexts/program/i18n_input.fc
---- nsapolicy/file_contexts/program/i18n_input.fc 2005-05-02 14:06:56.000000000 -0400
-+++ policy-1.23.14/file_contexts/program/i18n_input.fc 2005-05-02 14:51:59.000000000 -0400
-@@ -9,3 +9,4 @@
- /usr/lib(64)?/im/.*\.so.* -- system_u:object_r:shlib_t
- /usr/lib(64)?/iiim/.*\.so.* -- system_u:object_r:shlib_t
- /var/run/iiim(/.*)? system_u:object_r:i18n_input_var_run_t
-+/var/run/\.iroha_unix(/.*)? system_u:object_r:i18n_input_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rhgb.fc policy-1.23.14/file_contexts/program/rhgb.fc
--- nsapolicy/file_contexts/program/rhgb.fc 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.14/file_contexts/program/rhgb.fc 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/file_contexts/program/rhgb.fc 2005-05-02 14:57:26.000000000 -0400
@@ -1,2 +1 @@
/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t
-/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.14/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-05-02 14:06:56.000000000 -0400
-+++ policy-1.23.14/file_contexts/types.fc 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/file_contexts/types.fc 2005-05-02 14:57:26.000000000 -0400
@@ -129,6 +129,7 @@
/dev/nvram -c system_u:object_r:memory_device_t
/dev/random -c system_u:object_r:random_device_t
@@ -312,7 +304,7 @@
/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.23.14/macros/core_macros.te
--- nsapolicy/macros/core_macros.te 2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.14/macros/core_macros.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/macros/core_macros.te 2005-05-02 14:57:26.000000000 -0400
@@ -341,7 +341,6 @@
# Get the selinuxfs mount point via /proc/self/mounts.
allow $1 proc_t:dir search;
@@ -323,7 +315,7 @@
# Access selinuxfs.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.23.14/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te 2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.14/macros/program/su_macros.te 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/macros/program/su_macros.te 2005-05-02 14:57:26.000000000 -0400
@@ -61,7 +61,7 @@
')
@@ -347,7 +339,7 @@
define(`su_mini_domain', `
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.14/net_contexts
--- nsapolicy/net_contexts 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/net_contexts 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/net_contexts 2005-05-02 14:57:26.000000000 -0400
@@ -227,6 +227,8 @@
portcon tcp 3128 system_u:object_r:http_cache_port_t
portcon tcp 8080 system_u:object_r:http_cache_port_t
@@ -357,9 +349,21 @@
ifdef(`clockspeed.te', `portcon udp 4041 system_u:object_r:clockspeed_port_t')
ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.14/targeted/domains/unconfined.te
+--- nsapolicy/targeted/domains/unconfined.te 2005-05-02 14:06:57.000000000 -0400
++++ policy-1.23.14/targeted/domains/unconfined.te 2005-05-02 16:12:08.000000000 -0400
+@@ -77,3 +77,8 @@
+
+ # allow reading of default file context
+ bool read_default_t true;
++
++if (allow_execmem) {
++allow domain self:process execmem;
++}
++
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.14/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.14/tunables/distro.tun 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/tunables/distro.tun 2005-05-02 14:57:26.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
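Review bot: The new rule `allow domain self:process execmem;` added to targeted/domains/unconfined.te in this hunk is keyed only on the `allow_execmem` boolean, so on every architecture it grants execmem to each type carrying the `domain` attribute, even though the log message scopes the need to ppc. While that boolean is on, the execmem restriction (anonymous mappings that are both writable and executable) is lifted for every confined daemon in the targeted policy, not just the unconfined domains this file otherwise covers; the boolean's default is not visible on this page, so whether that is the shipped state cannot be confirmed here. If the policy build exposes an architecture conditional, limiting the block to the ppc build would keep the restriction elsewhere; failing that, the block needs a comment, e.g. `# ppc: every domain needs execmem or it crashes (1.23.14-2); while allow_execmem is on this lifts the execmem restriction for all confined domains`, since the neighbouring rules give no hint why a policy-wide grant lives in unconfined.te.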
@@ -371,7 +375,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.14/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-04-14 15:01:54.000000000 -0400
-+++ policy-1.23.14/tunables/tunable.tun 2005-05-02 14:51:59.000000000 -0400
++++ policy-1.23.14/tunables/tunable.tun 2005-05-02 14:57:26.000000000 -0400
@@ -2,7 +2,7 @@
dnl define(`user_can_mount')
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.292
retrieving revision 1.293
diff -u -r1.292 -r1.293
--- selinux-policy-targeted.spec 2 May 2005 19:02:02 -0000 1.292
+++ selinux-policy-targeted.spec 2 May 2005 20:16:46 -0000 1.293
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.23.14
-Release: 1
+Release: 2
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -234,6 +234,9 @@
exit 0
%changelog
+* Mon May 2 2005 Dan Walsh <dwalsh at redhat.com> 1.23.14-2
+- Allow all domains on ppc execmem priv, otherwise it crashes
+
* Mon May 2 2005 Dan Walsh <dwalsh at redhat.com> 1.23.14-1
- Update to latest from NSA
* Added afs policy from Andrew Reisse.