rpms/selinux-policy/FC-5 modules-targeted.conf, 1.22, 1.23 policy-20060505.patch, 1.4, 1.5 selinux-policy.spec, 1.171, 1.172
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Jun 6 21:36:01 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv31743
Modified Files:
modules-targeted.conf policy-20060505.patch
selinux-policy.spec
Log Message:
* Tue Jun 6 2006 Dan Walsh <dwalsh at redhat.com> 2.2.43-4.fc5
- Bump for fc5
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/modules-targeted.conf,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- modules-targeted.conf 24 May 2006 03:19:52 -0000 1.22
+++ modules-targeted.conf 6 Jun 2006 21:35:57 -0000 1.23
@@ -1078,11 +1078,3 @@
# Policy for OPENVPN full-featured SSL VPN solution
#
openvpn = base
-
-# Layer: apps
-# Module: unconfined_execmem
-#
-# unconfined_execmem executable
-#
-unconfined_execmem = base
-
policy-20060505.patch:
Rules.modular | 2
config/appconfig-strict-mls/default_type | 1
policy/global_tunables | 16 +++++++
policy/modules/admin/consoletype.te | 9 +++-
policy/modules/admin/rpm.if | 20 +++++++++
policy/modules/admin/rpm.te | 9 ++++
policy/modules/apps/webalizer.te | 1
policy/modules/apps/wine.fc | 1
policy/modules/apps/wine.te | 5 ++
policy/modules/kernel/corecommands.fc | 6 --
policy/modules/kernel/files.if | 15 +++++++
policy/modules/kernel/filesystem.if | 23 +++++++++++
policy/modules/kernel/kernel.te | 10 ++++
policy/modules/services/amavis.fc | 2
policy/modules/services/amavis.if | 62 ++++++++++++++++++++++++++++++
policy/modules/services/amavis.te | 10 ++++
policy/modules/services/apache.if | 1
policy/modules/services/bluetooth.te | 5 ++
policy/modules/services/clamav.te | 21 ++++++++++
policy/modules/services/cups.te | 10 +++-
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.te | 1
policy/modules/services/dovecot.te | 1
policy/modules/services/ftp.te | 20 +++++++++
policy/modules/services/hal.te | 4 +
policy/modules/services/ldap.fc | 1
policy/modules/services/mysql.te | 2
policy/modules/services/networkmanager.fc | 1
policy/modules/services/nscd.te | 5 ++
policy/modules/services/ntp.te | 4 +
policy/modules/services/pegasus.if | 31 +++++++++++++++
policy/modules/services/pegasus.te | 15 +++++--
policy/modules/services/postfix.te | 7 +--
policy/modules/services/pyzor.te | 11 +++++
policy/modules/services/rsync.te | 1
policy/modules/services/samba.te | 4 +
policy/modules/services/spamassassin.fc | 1
policy/modules/services/spamassassin.te | 8 +++
policy/modules/services/xfs.te | 4 +
policy/modules/services/xserver.if | 43 ++++++++++++++++++++
policy/modules/system/hostname.te | 5 +-
policy/modules/system/init.te | 1
policy/modules/system/libraries.fc | 19 ++++++++-
policy/modules/system/logging.te | 8 +++
policy/modules/system/unconfined.fc | 4 +
policy/modules/system/unconfined.if | 28 +++++++++++++
policy/modules/system/unconfined.te | 25 +++++++++++-
policy/modules/system/userdomain.te | 42 ++++++++++++++++++--
policy/modules/system/xen.fc | 1
policy/modules/system/xen.if | 2
policy/modules/system/xen.te | 27 ++++++++++++-
policy/rolemap | 1
policy/support/misc_macros.spt | 2
policy/users | 6 +-
54 files changed, 532 insertions(+), 33 deletions(-)
Index: policy-20060505.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/policy-20060505.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20060505.patch 28 May 2006 11:03:47 -0000 1.4
+++ policy-20060505.patch 6 Jun 2006 21:35:58 -0000 1.5
@@ -56,6 +56,33 @@
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.2.43/policy/modules/admin/rpm.if
+--- nsaserefpolicy/policy/modules/admin/rpm.if 2006-03-23 14:33:29.000000000 -0500
++++ serefpolicy-2.2.43/policy/modules/admin/rpm.if 2006-06-06 11:10:50.000000000 -0400
+@@ -237,3 +237,23 @@
+ dontaudit $1 rpm_var_lib_t:file create_file_perms;
+ dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
+ ')
++
++########################################
++## <summary>
++## Execute the rpm client in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rpm_exec',`
++ gen_require(`
++ type rpm_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1,rpm_exec_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.43/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-04-19 17:43:32.000000000 -0400
+++ serefpolicy-2.2.43/policy/modules/admin/rpm.te 2006-05-26 14:03:15.000000000 -0400
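Review bot: `rpm_exec` grants only `can_exec($1,rpm_exec_t)` with no domain transition, so the rpm client runs under the caller's own rules and this interface gives the caller no access to the rpm database itself; the `dontaudit $1 rpm_var_lib_t` lines at the top of the hunk (from an interface whose start lies outside the hunk) suggest that access is otherwise denied. That limitation should be stated in the summary so callers do not expect `rpm -q` to work from it alone, e.g. `## Execute the rpm client in the caller domain (no transition; callers that query the database need their own rpm_var_lib_t read access).` Alternatively the interface could grant that read directly, depending on which callers it is meant for.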
@@ -75,71 +102,6 @@
',`
optional_policy(`
bootloader_domtrans(rpm_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc serefpolicy-2.2.43/policy/modules/apps/unconfined_execmem.fc
---- nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/apps/unconfined_execmem.fc 2006-05-26 14:03:15.000000000 -0400
-@@ -0,0 +1,3 @@
-+/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.if serefpolicy-2.2.43/policy/modules/apps/unconfined_execmem.if
---- nsaserefpolicy/policy/modules/apps/unconfined_execmem.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/apps/unconfined_execmem.if 2006-05-26 14:03:15.000000000 -0400
-@@ -0,0 +1,29 @@
-+## <summary>Unconfined domain with execmem/execstack privs</summary>
-+
-+########################################
-+## <summary>
-+## Execute the application that requires dexecmem program in the unconfined_execmem domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`unconfined_execmem_domtrans',`
-+ ifdef(`targeted_policy',`
-+ gen_require(`
-+ type unconfined_execmem_t, unconfined_execmem_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domain_auto_trans($1, unconfined_execmem_exec_t, unconfined_execmem_t)
-+
-+ allow $1 unconfined_execmem_t:fd use;
-+ allow unconfined_execmem_t $1:fd use;
-+ allow unconfined_execmem_t $1:fifo_file rw_file_perms;
-+ allow unconfined_execmem_t $1:process sigchld;
-+ ',`
-+ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
-+ ')
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.te serefpolicy-2.2.43/policy/modules/apps/unconfined_execmem.te
---- nsaserefpolicy/policy/modules/apps/unconfined_execmem.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/apps/unconfined_execmem.te 2006-05-26 14:03:15.000000000 -0400
-@@ -0,0 +1,21 @@
-+
-+policy_module(unconfined_execmem,1.1.2)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type unconfined_execmem_t;
-+type unconfined_execmem_exec_t;
-+init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+ifdef(`targeted_policy',`
-+ allow unconfined_execmem_t self:process { execstack execmem };
-+ unconfined_domain_noaudit(unconfined_execmem_t)
-+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.2.43/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2006-03-24 11:15:44.000000000 -0500
+++ serefpolicy-2.2.43/policy/modules/apps/webalizer.te 2006-05-26 14:03:15.000000000 -0400
@@ -157,6 +119,19 @@
@@ -1 +1,2 @@
/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.2.43/policy/modules/apps/wine.te
+--- nsaserefpolicy/policy/modules/apps/wine.te 2006-03-07 10:31:08.000000000 -0500
++++ serefpolicy-2.2.43/policy/modules/apps/wine.te 2006-05-28 07:09:11.000000000 -0400
+@@ -22,4 +22,9 @@
+ unconfined_domain_noaudit(wine_t)
+ role system_r types wine_t;
+ allow wine_t file_type:file execmod;
++
++ optional_policy(`
++ hal_dbus_chat(wine_t)
++ ')
++
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.43/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.43/policy/modules/kernel/corecommands.fc 2006-05-26 14:03:15.000000000 -0400
@@ -182,7 +157,7 @@
/usr/lib(64)?/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.43/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-05-12 09:22:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/kernel/files.if 2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.43/policy/modules/kernel/files.if 2006-06-06 11:06:54.000000000 -0400
@@ -1882,6 +1882,21 @@
')
@@ -244,7 +219,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.43/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-05-26 14:02:27.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/kernel/kernel.te 2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.43/policy/modules/kernel/kernel.te 2006-06-06 15:30:41.000000000 -0400
@@ -28,6 +28,7 @@
ifdef(`enable_mls',`
@@ -253,6 +228,22 @@
')
#
+@@ -50,6 +51,15 @@
+ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
+
+ #
++# Oprofilefs
++#
++
++type oprofilefs_t;
++fs_type(oprofilefs_t)
++allow oprofilefs_t self:filesystem associate;
++genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
++
++#
+ # Procfs types
+ #
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-2.2.43/policy/modules/services/amavis.fc
--- nsaserefpolicy/policy/modules/services/amavis.fc 2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.43/policy/modules/services/amavis.fc 2006-05-26 14:03:15.000000000 -0400
@@ -468,8 +459,16 @@
files_read_etc_files(clamscan_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.43/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-05-26 14:02:27.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/cups.te 2006-05-28 06:50:31.000000000 -0400
-@@ -81,7 +81,7 @@
++++ serefpolicy-2.2.43/policy/modules/services/cups.te 2006-05-28 10:28:11.000000000 -0400
+@@ -74,14 +74,14 @@
+ #
+
+ # /usr/lib/cups/backend/serial needs sys_admin(?!)
+-allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
++allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
+ dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+ allow cupsd_t self:process { setsched signal_perms };
+ allow cupsd_t self:fifo_file rw_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
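Review bot: The only change to the cupsd_t capability line is inserting `dac_override` after `sys_admin`, but `dac_override` was already in the set (it still appears between `chown` and `sys_tty_config` on the same line), so the new line grants nothing and merely carries a duplicate token. If the hplip fix named in the changelog needed a capability, it is not this one, and the real AVC should be identified; otherwise the edit should be dropped so the line reads as before: `allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };`. The remaining cups.te changes from the diffstat are not in this hunk.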
@@ -577,6 +576,20 @@
optional_policy(`
corecmd_exec_shell(ftpd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.43/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te 2006-05-19 10:07:51.000000000 -0400
++++ serefpolicy-2.2.43/policy/modules/services/hal.te 2006-06-06 11:58:26.000000000 -0400
+@@ -144,6 +144,10 @@
+
+ sysnet_read_config(hald_t)
+
++# needed for nss_ldap
++sysnet_use_ldap(hald_t)
++miscfiles_read_certs(hald_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(hald_t)
+ userdom_dontaudit_search_sysadm_home_dirs(hald_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-2.2.43/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2005-10-06 17:29:17.000000000 -0400
+++ serefpolicy-2.2.43/policy/modules/services/ldap.fc 2006-05-26 14:03:15.000000000 -0400
@@ -638,6 +651,111 @@
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.43/policy/modules/services/pegasus.if
+--- nsaserefpolicy/policy/modules/services/pegasus.if 2005-10-25 13:40:18.000000000 -0400
++++ serefpolicy-2.2.43/policy/modules/services/pegasus.if 2006-06-06 10:37:18.000000000 -0400
+@@ -1 +1,32 @@
+ ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run pegasus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pegasus_domtrans',`
++ gen_require(`
++ type pegasus_t, pegasus_exec_t;
++ ')
++
++ ifdef(`targeted_policy',`
++ if(pegasus_disable_trans) {
++ can_exec($1,pegasus_exec_t)
++ } else {
++ domain_auto_trans($1,pegasus_exec_t,pegasus_t)
++ }
++ ', `
++ domain_auto_trans($1,pegasus_exec_t,pegasus_t)
++ ')
++
++ allow $1 pegasus_t:fd use;
++ allow pegasus_t $1:fd use;
++ allow pegasus_t $1:fifo_file rw_file_perms;
++ allow pegasus_t $1:process sigchld;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.43/policy/modules/services/pegasus.te
+--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-04-26 11:23:32.000000000 -0400
++++ serefpolicy-2.2.43/policy/modules/services/pegasus.te 2006-06-06 11:11:18.000000000 -0400
+@@ -30,7 +30,7 @@
+ # Local policy
+ #
+
+-allow pegasus_t self:capability { dac_override net_bind_service audit_write };
++allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service audit_write };
+ dontaudit pegasus_t self:capability sys_tty_config;
+ allow pegasus_t self:process signal;
+ allow pegasus_t self:fifo_file rw_file_perms;
+@@ -65,6 +65,7 @@
+ kernel_read_fs_sysctls(pegasus_t)
+ kernel_read_system_state(pegasus_t)
+ kernel_search_vm_sysctl(pegasus_t)
++kernel_read_net_sysctls(pegasus_t)
+
+ corenet_tcp_sendrecv_all_if(pegasus_t)
+ corenet_raw_sendrecv_all_if(pegasus_t)
+@@ -82,6 +83,7 @@
+ corecmd_exec_sbin(pegasus_t)
+ corecmd_exec_bin(pegasus_t)
+ corecmd_exec_shell(pegasus_t)
++can_exec(pegasus_t,pegasus_exec_t)
+
+ dev_read_sysfs(pegasus_t)
+ dev_read_urand(pegasus_t)
+@@ -94,13 +96,12 @@
+
+ auth_use_nsswitch(pegasus_t)
+ auth_domtrans_chk_passwd(pegasus_t)
++auth_read_shadow(pegasus_t)
+
+ domain_use_interactive_fds(pegasus_t)
+ domain_read_all_domains_state(pegasus_t)
+
+-files_read_etc_files(pegasus_t)
+-files_list_var_lib(pegasus_t)
+-files_read_var_lib_files(pegasus_t)
++files_read_all_files(pegasus_t)
+ files_read_var_lib_symlinks(pegasus_t)
+
+ hostname_exec(pegasus_t)
+@@ -108,6 +109,7 @@
+ init_use_fds(pegasus_t)
+ init_use_script_ptys(pegasus_t)
+ init_rw_utmp(pegasus_t)
++init_stream_connect_script(pegasus_t)
+
+ libs_use_ld_so(pegasus_t)
+ libs_use_shared_libs(pegasus_t)
+@@ -126,11 +128,16 @@
+ unconfined_signull(pegasus_t)
+ ')
+
++
+ optional_policy(`
+ logging_send_syslog_msg(pegasus_t)
+ ')
+
+ optional_policy(`
++ rpm_exec(pegasus_t)
++')
++
++optional_policy(`
+ nscd_socket_use(pegasus_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.43/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2006-05-12 09:22:08.000000000 -0400
+++ serefpolicy-2.2.43/policy/modules/services/postfix.te 2006-05-26 14:03:15.000000000 -0400
@@ -864,7 +982,7 @@
libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.43/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/libraries.fc 2006-05-28 06:50:17.000000000 -0400
++++ serefpolicy-2.2.43/policy/modules/system/libraries.fc 2006-06-06 15:41:44.000000000 -0400
@@ -34,8 +34,10 @@
#
/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -873,12 +991,30 @@
-/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/lib64/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-+/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-+/lib64(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
++/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
++/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
ifdef(`distro_gentoo',`
/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
-@@ -115,6 +117,7 @@
+@@ -43,6 +45,9 @@
+ /lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+ ')
+
++/lib/security/pam_poldi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/lib64/security/pam_poldi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ #
+ # /opt
+ #
+@@ -56,6 +61,7 @@
+ /opt/(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/cisco-vpnclient/lib/libvpnapi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ ifdef(`distro_gentoo',`
+ /opt/netscape/plugins/libflashplayer.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -115,6 +121,7 @@
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
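Review bot: Labeling `/lib/security/pam_poldi.so` (and the `/lib64` twin) as `textrel_shlib_t` grants `execmod` on a PAM module, i.e. text pages that are written and then executed inside every process that loads the PAM stack (login, sshd, su, display managers), which removes the W^X guarantee exactly where it matters most; the same applies to `libvpnapi.so`. These entries should be marked as a stop-gap with a comment pointing at the real fix, e.g. `# pam_poldi ships with text relocations; drop this once it is built -fPIC`. Separately, the ld_so_t patterns change from `/lib(/.*)?/ld-…` to `/lib/ld-…`, so an `ld-*.so` under a subdirectory of /lib (if any exists on the target) would now fall through to the preceding `shlib_t` pattern — worth confirming that narrowing is intended rather than a side effect of the rewrite.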
@@ -886,9 +1022,11 @@
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_redhat',`
-@@ -227,6 +230,12 @@
+@@ -226,7 +233,14 @@
+ /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/matlab.*/bin/glnx86/libmwlapack.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/acroread/(.*/)?sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
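Review bot: The context line `/usr/lib/acroread/(.*/)?sidecars/* -- …` directly below the new matlab entry has a regex error: `/*` matches zero or more slashes, so the pattern can only match the `sidecars` directory name itself (and as a regular file, given `--`), never the libraries under it; the intended form is `/usr/lib/acroread/(.*/)?sidecars/.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. This predates the commit but sits in the hunk, so it is cheap to correct here, unless the `.` was lost in rendering.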
@@ -899,6 +1037,11 @@
') dnl end distro_redhat
#
+@@ -248,3 +262,4 @@
+ /var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
+ /var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
+ /var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.43/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.43/policy/modules/system/logging.te 2006-05-26 14:03:15.000000000 -0400
@@ -929,10 +1072,69 @@
domain_use_interactive_fds(auditd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.43/policy/modules/system/unconfined.fc
+--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-01-06 17:55:18.000000000 -0500
++++ serefpolicy-2.2.43/policy/modules/system/unconfined.fc 2006-06-06 12:30:30.000000000 -0400
+@@ -3,3 +3,7 @@
+ # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+ # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+ /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++
++/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.43/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-05-19 13:46:37.000000000 -0400
++++ serefpolicy-2.2.43/policy/modules/system/unconfined.if 2006-06-06 12:30:13.000000000 -0400
+@@ -449,3 +449,31 @@
+
+ allow $1 unconfined_t:dbus acquire_svc;
+ ')
++
++########################################
++## <summary>
++## Execute the application that requires dexecmem program in the unconfined_execmem domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_execmem_domtrans',`
++ ifdef(`targeted_policy',`
++ gen_require(`
++ type unconfined_execmem_t, unconfined_execmem_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domain_auto_trans($1, unconfined_execmem_exec_t, unconfined_execmem_t)
++
++ allow $1 unconfined_execmem_t:fd use;
++ allow unconfined_execmem_t $1:fd use;
++ allow unconfined_execmem_t $1:fifo_file rw_file_perms;
++ allow unconfined_execmem_t $1:process sigchld;
++ ',`
++ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
++ ')
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.43/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/unconfined.te 2006-05-26 14:03:15.000000000 -0400
-@@ -107,6 +107,10 @@
++++ serefpolicy-2.2.43/policy/modules/system/unconfined.te 2006-06-06 12:29:22.000000000 -0400
+@@ -13,7 +13,11 @@
+ ')
+ type unconfined_exec_t;
+ init_system_domain(unconfined_t,unconfined_exec_t)
+-role system_r types unconfined_t;
++
++type unconfined_execmem_t;
++type unconfined_execmem_exec_t;
++init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
++
+
+ ########################################
+ #
+@@ -107,6 +111,10 @@
')
optional_policy(`
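Review bot: The three `unconfined_execmem_exec_t` entries added to unconfined.fc are unconditional, while `unconfined_execmem_domtrans` only prints a warning outside `targeted_policy` and, per the module this replaces, the domain's rules are targeted-only; if the unconfined module is also built for strict policy, mplayer, valgrind and the OpenOffice binaries would carry a label that no domain is allowed to execute there. Either wrap the `.fc` lines in `ifdef(\`targeted_policy',\`…')` or document the assumption in the interface summary. That summary also has a typo and should read `## Execute an application that requires execmem in the unconfined_execmem domain.` Dropping `role system_r types unconfined_t;` in unconfined.te is presumably safe only because `init_system_domain` already authorizes `system_r` for the domain — worth confirming, since init would otherwise lose its transition target.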
@@ -943,6 +1145,26 @@
lpd_domtrans_checkpc(unconfined_t)
')
+@@ -173,4 +181,19 @@
+ optional_policy(`
+ xserver_domtrans_xdm_xserver(unconfined_t)
+ ')
++
++ optional_policy(`
++ pegasus_domtrans(unconfined_t)
++ ')
++
++')
++
++########################################
++#
++# Local policy
++#
++
++ifdef(`targeted_policy',`
++ allow unconfined_execmem_t self:process { execstack execmem };
++ unconfined_domain_noaudit(unconfined_execmem_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.43/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.43/policy/modules/system/userdomain.te 2006-05-26 14:03:15.000000000 -0400
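Review bot: `unconfined_execmem_t` receives `unconfined_domain_noaudit` plus `execstack execmem`, so it is not a confinement domain but an exemption: a bug in mplayer or OpenOffice while parsing untrusted input now yields a fully unconfined process that may also map writable-and-executable memory, which is strictly weaker than `unconfined_t`. The block deserves a comment saying exactly that, e.g. `# Not a confinement: unconfined_t minus the execmem/execstack restriction, only for binaries that cannot run without it (see unconfined.fc); add entries sparingly.` The new rules are appended in their own `ifdef(\`targeted_policy'` after the main block rather than inside it, which is valid but splits the targeted-only policy across two sections. Since the rules were moved in from the deleted `unconfined_execmem` module (which was at `policy_module` version 1.1.2), the unconfined module's own version line, outside this hunk, should be bumped per refpolicy convention.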
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/selinux-policy.spec,v
retrieving revision 1.171
retrieving revision 1.172
diff -u -r1.171 -r1.172
--- selinux-policy.spec 28 May 2006 11:03:47 -0000 1.171
+++ selinux-policy.spec 6 Jun 2006 21:35:58 -0000 1.172
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.2.43
-Release: 2.fc5
+Release: 4.fc5
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -326,6 +326,15 @@
%endif
%changelog
+* Tue Jun 6 2006 Dan Walsh <dwalsh at redhat.com> 2.2.43-4.fc5
+- Bump for fc5
+
+* Tue Jun 6 2006 Dan Walsh <dwalsh at redhat.com> 2.2.43-4
+- Add oprofilefs
+
+* Sun May 28 2006 Dan Walsh <dwalsh at redhat.com> 2.2.43-3
+- Fix for hplip and Picasus
+
* Sun May 28 2006 Dan Walsh <dwalsh at redhat.com> 2.2.43-2.fc5
- Bump for fc5