rpms/selinux-policy/devel booleans-targeted.conf, 1.21, 1.22 policy-20061106.patch, 1.10, 1.11 selinux-policy.spec, 1.339, 1.340
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Nov 10 20:37:10 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12520
Modified Files:
booleans-targeted.conf policy-20061106.patch
selinux-policy.spec
Log Message:
* Fri Nov 10 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-10
- Allow xen to connect to xen port
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- booleans-targeted.conf 1 Nov 2006 00:09:08 -0000 1.21
+++ booleans-targeted.conf 10 Nov 2006 20:37:08 -0000 1.22
@@ -8,7 +8,7 @@
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = true
+allow_execstack = false
# Allow ftpd to read cifs directories.
#
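Review bot: The default for `allow_execstack` flips from `true` to `false` in this hunk, yet the 2.4.3-10 changelog entry records only the xen port change, so a security default that will change behaviour on upgrade goes unannounced. Disabling executable stacks by default is the stronger setting for targeted policy, but any deployment running a program that needs an executable stack will now get a denial and need `setsebool -P allow_execstack on`. Add a changelog line such as `- Default allow_execstack to false in targeted policy` so administrators can find the cause of the new denials.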
policy-20061106.patch:
Rules.modular | 10
policy/flask/access_vectors | 3
policy/global_tunables | 36 ++
policy/mls | 3
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.te | 1
policy/modules/admin/consoletype.te | 8
policy/modules/admin/dmesg.te | 1
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 5
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 38 --
policy/modules/apps/java.fc | 2
policy/modules/kernel/corecommands.if | 17 +
policy/modules/kernel/corenetwork.if.in | 12
policy/modules/kernel/corenetwork.te.in | 17 -
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 3
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 66 ++++
policy/modules/kernel/files.te | 2
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 3
policy/modules/services/aide.if | 56 +++
policy/modules/services/aide.te | 52 +++
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 10
policy/modules/services/automount.te | 1
policy/modules/services/bind.te | 1
policy/modules/services/ccs.fc | 10
policy/modules/services/ccs.if | 83 +++++
policy/modules/services/ccs.te | 89 +++++
policy/modules/services/cron.if | 26 -
policy/modules/services/cron.te | 5
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 4
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/hal.fc | 4
policy/modules/services/hal.te | 8
policy/modules/services/kerberos.te | 1
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 3
policy/modules/services/oddjob.te | 3
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/procmail.te | 16 +
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 479 ++++++++++++++++++++++++++++++++
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 6
policy/modules/services/sasl.te | 2
policy/modules/services/snmp.te | 1
policy/modules/services/spamassassin.te | 4
policy/modules/services/squid.te | 7
policy/modules/services/ssh.te | 2
policy/modules/services/telnet.te | 1
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 2
policy/modules/system/authlogin.te | 1
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 6
policy/modules/system/init.fc | 3
policy/modules/system/init.te | 14
policy/modules/system/iscsi.if | 2
policy/modules/system/libraries.fc | 12
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 1
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 13
policy/modules/system/modutils.te | 6
policy/modules/system/mount.te | 19 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.if | 4
policy/modules/system/selinuxutil.te | 13
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 11
policy/modules/system/userdomain.if | 201 +++++++++++++
policy/modules/system/userdomain.te | 10
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 29 +
95 files changed, 1808 insertions(+), 145 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- policy-20061106.patch 10 Nov 2006 13:31:34 -0000 1.10
+++ policy-20061106.patch 10 Nov 2006 20:37:08 -0000 1.11
@@ -239,7 +239,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.3/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.te 2006-11-09 14:03:18.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.te 2006-11-10 13:44:31.000000000 -0500
@@ -9,6 +9,8 @@
type rpm_t;
type rpm_exec_t;
@@ -249,7 +249,26 @@
domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
-@@ -254,6 +256,9 @@
+@@ -176,6 +178,7 @@
+ unconfined_domain(rpm_t)
+ ')
+
++
+ ifdef(`targeted_policy',`
+ unconfined_domain(rpm_t)
+ # yum-updatesd requires this
+@@ -189,6 +192,10 @@
+ ')
+
+ optional_policy(`
++ hal_dbus_chat(rpm_t)
++')
++
++optional_policy(`
+ cron_system_entry(rpm_t,rpm_exec_t)
+ ')
+
+@@ -254,6 +261,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
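Review bot: The `++` line at the top of this hunk adds an empty line between `')` and the `ifdef(`targeted_policy',`` block with no other change, which is whitespace noise in a patch that is already a patch-of-a-patch; drop it so the hunk carries only the `hal_dbus_chat(rpm_t)` addition. That addition is also absent from the 2.4.3-10 changelog; a one-line entry like `- Allow rpm to dbus chat with hal` would document it alongside the xen change.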
@@ -259,7 +278,7 @@
dev_list_sysfs(rpm_script_t)
# ideally we would not need this
-@@ -368,31 +373,3 @@
+@@ -368,31 +378,3 @@
usermanage_domtrans_useradd(rpm_script_t)
')
@@ -547,7 +566,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.3/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-09-29 14:28:01.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/files.if 2006-11-09 14:03:18.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/files.if 2006-11-10 15:09:35.000000000 -0500
@@ -353,8 +353,7 @@
########################################
@@ -1384,6 +1403,17 @@
dontaudit $1_lpr_t $2:unix_stream_socket { read write };
# Transition from the user domain to the derived domain.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.4.3/policy/modules/services/mta.if
+--- nsaserefpolicy/policy/modules/services/mta.if 2006-09-15 13:14:25.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/services/mta.if 2006-11-10 12:33:27.000000000 -0500
+@@ -820,6 +820,7 @@
+ type mqueue_spool_t;
+ ')
+
++ dontaudit $1 mqueue_spool_t:dir search_perms;
+ dontaudit $1 mqueue_spool_t:file { getattr read write };
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.3/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2006-10-19 11:47:39.000000000 -0400
+++ serefpolicy-2.4.3/policy/modules/services/mta.te 2006-11-09 14:03:18.000000000 -0500
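Review bot: The new `dontaudit $1 mqueue_spool_t:dir search_perms;` uses `search_perms`, which I do not recognise as a permission-set macro in refpolicy's obj_perm_sets.spt; the directory set is conventionally `search_dir_perms`, and an undefined name would be left unexpanded by m4 and rejected by checkpolicy, so confirm this builds. If the macro is indeed undefined, the line should read `dontaudit $1 mqueue_spool_t:dir search_dir_perms;`. The enclosing interface begins before this hunk.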
@@ -2691,9 +2721,61 @@
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-2.4.3/policy/modules/system/lvm.fc
+--- nsaserefpolicy/policy/modules/system/lvm.fc 2006-08-29 09:00:29.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/system/lvm.fc 2006-11-10 13:52:25.000000000 -0500
+@@ -88,3 +88,4 @@
+ /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+ /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+ /var/run/multipathd.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.4.3/policy/modules/system/lvm.te
+--- nsaserefpolicy/policy/modules/system/lvm.te 2006-10-19 11:47:40.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/system/lvm.te 2006-11-10 13:55:37.000000000 -0500
+@@ -13,6 +13,9 @@
+ type clvmd_var_run_t;
+ files_pid_file(clvmd_var_run_t)
+
++type lvm_var_lib_t;
++files_typee(lvm_var_lib_t)
++
+ type lvm_t;
+ type lvm_exec_t;
+ init_system_domain(lvm_t,lvm_exec_t)
+@@ -121,7 +124,9 @@
+
+ # DAC overrides and mknod for modifying /dev entries (vgmknodes)
+ # rawio needed for dmraid
+-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
++allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
++# lvm needs net_admin for multipath
++
+ dontaudit lvm_t self:capability sys_tty_config;
+ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+ # LVM will complain a lot if it cannot set its priority.
+@@ -147,6 +152,10 @@
+ allow lvm_t lvm_lock_t:file create_file_perms;
+ files_lock_filetrans(lvm_t,lvm_lock_t,file)
+
++allow lvm_t lvm_var_lib_t:dir manage_dir_perms;
++allow lvm_t lvm_var_lib_t:file manage_file_perms;
++files_var_lib_filetrans(lvm_t,lvm_var_lib_t,{ dir file })
++
+ allow lvm_t lvm_var_run_t:file manage_file_perms;
+ allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
+ allow lvm_t lvm_var_run_t:dir manage_dir_perms;
+@@ -216,7 +225,7 @@
+ term_dontaudit_getattr_all_user_ttys(lvm_t)
+ term_dontaudit_getattr_pty_dirs(lvm_t)
+
+-corecmd_search_sbin(lvm_t)
++corecmd_exec_sbin(lvm_t)
+ corecmd_dontaudit_getattr_sbin_files(lvm_t)
+
+ domain_use_interactive_fds(lvm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.4.3/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/modutils.te 2006-11-09 14:03:18.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/modutils.te 2006-11-10 15:11:34.000000000 -0500
@@ -117,10 +117,6 @@
kernel_domtrans_to(insmod_t,insmod_exec_t)
}
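Review bot: `files_typee(lvm_var_lib_t)` on the new type declaration in lvm.te is a typo for `files_type(lvm_var_lib_t)`; m4 will leave the unknown name unexpanded and checkpolicy should reject it, so the policy build fails at this line. The fix is `files_type(lvm_var_lib_t)`. Separately, adding `net_admin` to lvm_t's capabilities and widening `corecmd_search_sbin(lvm_t)` to `corecmd_exec_sbin(lvm_t)` noticeably broadens the domain (any sbin binary can now run in lvm_t without a transition); the explanatory comment `# lvm needs net_admin for multipath` should sit above the allow rule it describes rather than after it with a trailing blank line, and the exec_sbin change deserves a comment naming which binary multipath or lvm actually executes. None of the lvm changes appear in the 2.4.3-10 changelog.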
@@ -2705,6 +2787,22 @@
ifdef(`targeted_policy',`
unconfined_domain(insmod_t)
')
+@@ -172,6 +168,7 @@
+ # Read conf.modules.
+ allow depmod_t modules_conf_t:file r_file_perms;
+
++
+ allow depmod_t modules_dep_t:file create_file_perms;
+ files_kernel_modules_filetrans(depmod_t,modules_dep_t,file)
+
+@@ -179,6 +176,7 @@
+
+ files_read_kernel_symbol_table(depmod_t)
+ files_read_kernel_modules(depmod_t)
++files_delete_kernel_modules(depmod_t)
+
+ fs_getattr_xattr_fs(depmod_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.3/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-11-06 11:13:21.000000000 -0500
+++ serefpolicy-2.4.3/policy/modules/system/mount.te 2006-11-09 14:03:18.000000000 -0500
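Review bot: The `++` after `allow depmod_t modules_conf_t:file r_file_perms;` adds a blank line with no other change and should be dropped so the hunk carries only the real addition. That addition, `files_delete_kernel_modules(depmod_t)`, lets depmod remove files under the kernel modules tree; this is plausible if depmod is replacing its generated map files, but the reason is not recorded, and a comment such as `# depmod replaces its generated modules.* map files` above the line would explain why delete rather than write is needed.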
@@ -3237,7 +3335,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.3/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/xen.te 2006-11-10 08:07:56.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/xen.te 2006-11-10 13:39:54.000000000 -0500
@@ -86,8 +86,8 @@
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
@@ -3249,7 +3347,15 @@
allow xend_t xen_image_t:blk_file rw_file_perms;
allow xend_t xenctl_t:fifo_file create_file_perms;
-@@ -152,6 +152,7 @@
+@@ -143,6 +143,7 @@
+ corenet_tcp_bind_generic_port(xend_t)
+ corenet_tcp_bind_vnc_port(xend_t)
+ corenet_tcp_connect_xserver_port(xend_t)
++corenet_tcp_connect_xen_port(xend_t)
+ corenet_sendrecv_xserver_client_packets(xend_t)
+ corenet_sendrecv_xen_server_packets(xend_t)
+ corenet_sendrecv_soundd_server_packets(xend_t)
+@@ -152,6 +153,7 @@
dev_manage_xen(xend_t)
dev_filetrans_xen(xend_t)
dev_rw_sysfs(xend_t)
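Review bot: `corenet_tcp_connect_xen_port(xend_t)` adds the outbound connect, but the labelled-packet side is only covered for the server role by the existing `corenet_sendrecv_xen_server_packets(xend_t)` two lines below. If this policy defines a `corenet_sendrecv_xen_client_packets` interface, adding `corenet_sendrecv_xen_client_packets(xend_t)` next to it would keep the secmark rules consistent with the new connect rule; if it does not, that is worth a short comment so the asymmetry is not mistaken for an omission later. This is the one change the 2.4.3-10 changelog records.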
@@ -3257,7 +3363,7 @@
domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
-@@ -164,7 +165,11 @@
+@@ -164,7 +166,11 @@
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
@@ -3270,7 +3376,7 @@
storage_raw_read_removable_device(xend_t)
term_getattr_all_user_ptys(xend_t)
-@@ -236,6 +241,10 @@
+@@ -236,6 +242,10 @@
files_read_usr_files(xenconsoled_t)
@@ -3281,7 +3387,7 @@
term_create_pty(xenconsoled_t,xen_devpts_t);
term_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
-@@ -283,6 +292,12 @@
+@@ -283,6 +293,12 @@
files_read_usr_files(xenstored_t)
@@ -3294,7 +3400,7 @@
term_use_generic_ptys(xenstored_t)
term_use_console(xenconsoled_t)
-@@ -353,3 +368,10 @@
+@@ -353,3 +369,10 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.339
retrieving revision 1.340
diff -u -r1.339 -r1.340
--- selinux-policy.spec 10 Nov 2006 13:31:34 -0000 1.339
+++ selinux-policy.spec 10 Nov 2006 20:37:08 -0000 1.340
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.3
-Release: 9
+Release: 10
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,6 +351,9 @@
%endif
%changelog
+* Fri Nov 10 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-10
+- Allow xen to connect to xen port
+
* Fri Nov 10 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-9
- Allow cups to search samba_etc_t directory
- Allow xend_t to list auto_mountpoints