rpms/selinux-policy/devel booleans-targeted.conf, 1.21, 1.22 policy-20061106.patch, 1.10, 1.11 selinux-policy.spec, 1.339, 1.340

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Nov 10 20:37:10 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12520

Modified Files:
	booleans-targeted.conf policy-20061106.patch 
	selinux-policy.spec 
Log Message:
* Fri Nov 10 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-10
- Allow xen to connect to xen port



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- booleans-targeted.conf	1 Nov 2006 00:09:08 -0000	1.21
+++ booleans-targeted.conf	10 Nov 2006 20:37:08 -0000	1.22
@@ -8,7 +8,7 @@
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+allow_execstack = false
 
 # Allow ftpd to read cifs directories.
 # 
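Review bot: Flipping the `allow_execstack` default from `true` to `false` is a behaviour change for every targeted-policy install (any program that needs an executable stack will now be denied at the `mprotect` this comment describes), yet neither the log message nor the spec changelog entry in this commit mentions it; both list only the xen port change. A changelog line such as `- Change allow_execstack default to false` would let packagers and users attribute the new denials to this update. The comment above the setting still documents the `allow_execmem` dependency, so only the default flip itself goes unrecorded.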

policy-20061106.patch:
 Rules.modular                           |   10 
 policy/flask/access_vectors             |    3 
 policy/global_tunables                  |   36 ++
 policy/mls                              |    3 
 policy/modules/admin/acct.te            |    1 
 policy/modules/admin/amanda.te          |    1 
 policy/modules/admin/consoletype.te     |    8 
 policy/modules/admin/dmesg.te           |    1 
 policy/modules/admin/logwatch.te        |    1 
 policy/modules/admin/netutils.te        |    2 
 policy/modules/admin/prelink.te         |    5 
 policy/modules/admin/rpm.fc             |    3 
 policy/modules/admin/rpm.if             |   24 +
 policy/modules/admin/rpm.te             |   38 --
 policy/modules/apps/java.fc             |    2 
 policy/modules/kernel/corecommands.if   |   17 +
 policy/modules/kernel/corenetwork.if.in |   12 
 policy/modules/kernel/corenetwork.te.in |   17 -
 policy/modules/kernel/corenetwork.te.m4 |    4 
 policy/modules/kernel/devices.fc        |    3 
 policy/modules/kernel/devices.te        |    6 
 policy/modules/kernel/domain.te         |    7 
 policy/modules/kernel/files.if          |   66 ++++
 policy/modules/kernel/files.te          |    2 
 policy/modules/kernel/filesystem.te     |    6 
 policy/modules/kernel/terminal.fc       |    1 
 policy/modules/kernel/terminal.te       |    1 
 policy/modules/services/aide.fc         |    3 
 policy/modules/services/aide.if         |   56 +++
 policy/modules/services/aide.te         |   52 +++
 policy/modules/services/apache.fc       |   10 
 policy/modules/services/apache.te       |   10 
 policy/modules/services/automount.te    |    1 
 policy/modules/services/bind.te         |    1 
 policy/modules/services/ccs.fc          |   10 
 policy/modules/services/ccs.if          |   83 +++++
 policy/modules/services/ccs.te          |   89 +++++
 policy/modules/services/cron.if         |   26 -
 policy/modules/services/cron.te         |    5 
 policy/modules/services/cups.fc         |    2 
 policy/modules/services/cups.te         |    4 
 policy/modules/services/cvs.te          |    1 
 policy/modules/services/dbus.fc         |    1 
 policy/modules/services/dbus.if         |    1 
 policy/modules/services/hal.fc          |    4 
 policy/modules/services/hal.te          |    8 
 policy/modules/services/kerberos.te     |    1 
 policy/modules/services/lpd.if          |   52 +--
 policy/modules/services/mta.if          |    1 
 policy/modules/services/mta.te          |    1 
 policy/modules/services/nscd.if         |   20 +
 policy/modules/services/nscd.te         |    3 
 policy/modules/services/oddjob.te       |    3 
 policy/modules/services/pegasus.if      |   31 ++
 policy/modules/services/pegasus.te      |    5 
 policy/modules/services/procmail.te     |   16 +
 policy/modules/services/ricci.fc        |   20 +
 policy/modules/services/ricci.if        |  184 ++++++++++++
 policy/modules/services/ricci.te        |  479 ++++++++++++++++++++++++++++++++
 policy/modules/services/rsync.te        |    1 
 policy/modules/services/samba.if        |    2 
 policy/modules/services/samba.te        |    6 
 policy/modules/services/sasl.te         |    2 
 policy/modules/services/snmp.te         |    1 
 policy/modules/services/spamassassin.te |    4 
 policy/modules/services/squid.te        |    7 
 policy/modules/services/ssh.te          |    2 
 policy/modules/services/telnet.te       |    1 
 policy/modules/services/xserver.if      |   40 ++
 policy/modules/system/authlogin.if      |    2 
 policy/modules/system/authlogin.te      |    1 
 policy/modules/system/fstools.fc        |    1 
 policy/modules/system/fstools.te        |    2 
 policy/modules/system/getty.te          |    3 
 policy/modules/system/hostname.te       |    6 
 policy/modules/system/init.fc           |    3 
 policy/modules/system/init.te           |   14 
 policy/modules/system/iscsi.if          |    2 
 policy/modules/system/libraries.fc      |   12 
 policy/modules/system/libraries.te      |    6 
 policy/modules/system/locallogin.if     |   37 ++
 policy/modules/system/logging.te        |    1 
 policy/modules/system/lvm.fc            |    1 
 policy/modules/system/lvm.te            |   13 
 policy/modules/system/modutils.te       |    6 
 policy/modules/system/mount.te          |   19 -
 policy/modules/system/raid.te           |    7 
 policy/modules/system/selinuxutil.if    |    4 
 policy/modules/system/selinuxutil.te    |   13 
 policy/modules/system/unconfined.if     |   19 +
 policy/modules/system/unconfined.te     |   11 
 policy/modules/system/userdomain.if     |  201 +++++++++++++
 policy/modules/system/userdomain.te     |   10 
 policy/modules/system/xen.fc            |    1 
 policy/modules/system/xen.te            |   29 +
 95 files changed, 1808 insertions(+), 145 deletions(-)

Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- policy-20061106.patch	10 Nov 2006 13:31:34 -0000	1.10
+++ policy-20061106.patch	10 Nov 2006 20:37:08 -0000	1.11
@@ -239,7 +239,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.3/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.te	2006-11-09 14:03:18.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.te	2006-11-10 13:44:31.000000000 -0500
 @@ -9,6 +9,8 @@
  type rpm_t;
  type rpm_exec_t;
@@ -249,7 +249,26 @@
  domain_obj_id_change_exemption(rpm_t)
  domain_role_change_exemption(rpm_t)
  domain_system_change_exemption(rpm_t)
-@@ -254,6 +256,9 @@
+@@ -176,6 +178,7 @@
+ 	unconfined_domain(rpm_t)
+ ')
+ 
++
+ ifdef(`targeted_policy',`
+ 	unconfined_domain(rpm_t)
+ 	# yum-updatesd requires this
+@@ -189,6 +192,10 @@
+ ')
+ 
+ optional_policy(`
++	hal_dbus_chat(rpm_t)
++')
++
++optional_policy(`
+ 	cron_system_entry(rpm_t,rpm_exec_t)
+ ')
+ 
+@@ -254,6 +261,9 @@
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
  
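Review bot: The `@@ -176,6 +178,7 @@` hunk added to rpm.te inserts only an empty line, a second consecutive blank between `')` and `ifdef(`targeted_policy',`, which is whitespace noise unrelated to this commit; the same thing happens in the modutils.te hunk further down, where a lone blank line is added after `allow depmod_t modules_conf_t:file r_file_perms;`. Both shift the offsets of every following hunk in the carried patch for no functional change. The substantive addition here, `hal_dbus_chat(rpm_t)` in its own `optional_policy` block, carries no comment saying which rpm operation talks to hald over D-Bus; the existing `# yum-updatesd requires this` a few lines up is the model for a one-line why-comment above it.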
@@ -259,7 +278,7 @@
  dev_list_sysfs(rpm_script_t)
  
  # ideally we would not need this
-@@ -368,31 +373,3 @@
+@@ -368,31 +378,3 @@
  	usermanage_domtrans_useradd(rpm_script_t)
  ')
  
@@ -547,7 +566,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.3/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2006-09-29 14:28:01.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/files.if	2006-11-09 14:03:18.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/files.if	2006-11-10 15:09:35.000000000 -0500
 @@ -353,8 +353,7 @@
  
  ########################################
@@ -1384,6 +1403,17 @@
  	dontaudit $1_lpr_t $2:unix_stream_socket { read write };
  
  	# Transition from the user domain to the derived domain.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.4.3/policy/modules/services/mta.if
+--- nsaserefpolicy/policy/modules/services/mta.if	2006-09-15 13:14:25.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/services/mta.if	2006-11-10 12:33:27.000000000 -0500
+@@ -820,6 +820,7 @@
+ 		type mqueue_spool_t;
+ 	')
+ 
++	dontaudit $1 mqueue_spool_t:dir search_perms;
+ 	dontaudit $1 mqueue_spool_t:file { getattr read write };
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.3/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2006-10-19 11:47:39.000000000 -0400
 +++ serefpolicy-2.4.3/policy/modules/services/mta.te	2006-11-09 14:03:18.000000000 -0500
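Review bot: `dontaudit $1 mqueue_spool_t:dir search_perms;` in the added mta.if hunk uses `search_perms`, which does not match the directory permission sets the rest of this patch uses (`manage_dir_perms` in the lvm.te hunk, for instance); unless it is defined in this tree's support macros, m4 leaves the name unexpanded and the policy build fails on it. The usual set for a directory search is `search_dir_perms`, so the line would read `dontaudit $1 mqueue_spool_t:dir search_dir_perms;`. The enclosing interface starts above this hunk, so its name and purpose are not visible here.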
@@ -2691,9 +2721,61 @@
  
  ifdef(`enable_mls',`
  	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-2.4.3/policy/modules/system/lvm.fc
+--- nsaserefpolicy/policy/modules/system/lvm.fc	2006-08-29 09:00:29.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/system/lvm.fc	2006-11-10 13:52:25.000000000 -0500
+@@ -88,3 +88,4 @@
+ /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
+ /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
+ /var/run/multipathd.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.4.3/policy/modules/system/lvm.te
+--- nsaserefpolicy/policy/modules/system/lvm.te	2006-10-19 11:47:40.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/system/lvm.te	2006-11-10 13:55:37.000000000 -0500
+@@ -13,6 +13,9 @@
+ type clvmd_var_run_t;
+ files_pid_file(clvmd_var_run_t)
+ 
++type lvm_var_lib_t;
++files_typee(lvm_var_lib_t)
++
+ type lvm_t;
+ type lvm_exec_t;
+ init_system_domain(lvm_t,lvm_exec_t)
+@@ -121,7 +124,9 @@
+ 
+ # DAC overrides and mknod for modifying /dev entries (vgmknodes)
+ # rawio needed for dmraid
+-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
++allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
++# lvm needs net_admin for multipath
++
+ dontaudit lvm_t self:capability sys_tty_config;
+ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+ # LVM will complain a lot if it cannot set its priority.
+@@ -147,6 +152,10 @@
+ allow lvm_t lvm_lock_t:file create_file_perms;
+ files_lock_filetrans(lvm_t,lvm_lock_t,file)
+ 
++allow lvm_t lvm_var_lib_t:dir manage_dir_perms;
++allow lvm_t lvm_var_lib_t:file manage_file_perms;
++files_var_lib_filetrans(lvm_t,lvm_var_lib_t,{ dir file })
++
+ allow lvm_t lvm_var_run_t:file manage_file_perms;
+ allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
+ allow lvm_t lvm_var_run_t:dir manage_dir_perms;
+@@ -216,7 +225,7 @@
+ term_dontaudit_getattr_all_user_ttys(lvm_t)
+ term_dontaudit_getattr_pty_dirs(lvm_t)
+ 
+-corecmd_search_sbin(lvm_t)
++corecmd_exec_sbin(lvm_t)
+ corecmd_dontaudit_getattr_sbin_files(lvm_t)
+ 
+ domain_use_interactive_fds(lvm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.4.3/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/modutils.te	2006-11-09 14:03:18.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/modutils.te	2006-11-10 15:11:34.000000000 -0500
 @@ -117,10 +117,6 @@
  	kernel_domtrans_to(insmod_t,insmod_exec_t)
  }
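Review bot: `files_typee(lvm_var_lib_t)` in the new lvm.te hunk is a typo for `files_type(lvm_var_lib_t)`; as written it is not an interface name, so m4 passes it through unexpanded and the policy build will most likely fail on it, and until it is fixed the new `lvm_var_lib_t` is never marked as a file type. Two smaller points in the same hunk: the comment `# lvm needs net_admin for multipath` is placed below the `allow lvm_t self:capability { ... net_admin };` line it explains and is followed by an extra blank line, so it reads better directly above the allow; and the switch from `corecmd_search_sbin(lvm_t)` to `corecmd_exec_sbin(lvm_t)` lets lvm_t execute every sbin binary with no comment recording which helper it needs to run. A one-line why-comment there, as was done for net_admin, would keep the widening reviewable.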
@@ -2705,6 +2787,22 @@
  ifdef(`targeted_policy',`
  	unconfined_domain(insmod_t)
  ')
+@@ -172,6 +168,7 @@
+ # Read conf.modules.
+ allow depmod_t modules_conf_t:file r_file_perms;
+ 
++
+ allow depmod_t modules_dep_t:file create_file_perms;
+ files_kernel_modules_filetrans(depmod_t,modules_dep_t,file)
+ 
+@@ -179,6 +176,7 @@
+ 
+ files_read_kernel_symbol_table(depmod_t)
+ files_read_kernel_modules(depmod_t)
++files_delete_kernel_modules(depmod_t)
+ 
+ fs_getattr_xattr_fs(depmod_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.3/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2006-11-06 11:13:21.000000000 -0500
 +++ serefpolicy-2.4.3/policy/modules/system/mount.te	2006-11-09 14:03:18.000000000 -0500
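Review bot: `files_delete_kernel_modules(depmod_t)` gives depmod_t the ability to remove files under the kernel modules tree, but nothing in the hunk says which depmod operation needs that; the neighbouring rules it joins are read-only (`files_read_kernel_symbol_table`, `files_read_kernel_modules`). A one-line why-comment above it, naming the file depmod removes, would make the widening reviewable. The interface is not visible in this patch text, so it should be confirmed to exist among the files.if additions the diffstat lists; the enclosing section of modutils.te continues outside the hunk.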
@@ -3237,7 +3335,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.3/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/xen.te	2006-11-10 08:07:56.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/xen.te	2006-11-10 13:39:54.000000000 -0500
 @@ -86,8 +86,8 @@
  allow xend_t self:tcp_socket create_stream_socket_perms;
  allow xend_t self:packet_socket create_socket_perms;
@@ -3249,7 +3347,15 @@
  allow xend_t xen_image_t:blk_file rw_file_perms;
  
  allow xend_t xenctl_t:fifo_file create_file_perms;
-@@ -152,6 +152,7 @@
+@@ -143,6 +143,7 @@
+ corenet_tcp_bind_generic_port(xend_t)
+ corenet_tcp_bind_vnc_port(xend_t)
+ corenet_tcp_connect_xserver_port(xend_t)
++corenet_tcp_connect_xen_port(xend_t)
+ corenet_sendrecv_xserver_client_packets(xend_t)
+ corenet_sendrecv_xen_server_packets(xend_t)
+ corenet_sendrecv_soundd_server_packets(xend_t)
+@@ -152,6 +153,7 @@
  dev_manage_xen(xend_t)
  dev_filetrans_xen(xend_t)
  dev_rw_sysfs(xend_t)
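Review bot: `corenet_tcp_connect_xen_port(xend_t)` is added without a matching client-side packet rule, while the surrounding lines already pair `corenet_tcp_connect_xserver_port` with `corenet_sendrecv_xserver_client_packets` and carry `corenet_sendrecv_xen_server_packets(xend_t)` for the server side. If xend now connects to the xen port, the parallel `corenet_sendrecv_xen_client_packets(xend_t)` is presumably wanted as well; otherwise the connection is permitted at the socket layer but, where labeled networking is in use, the packets would still be denied. A comment naming which peer xend reaches on that port would make the addition self-explanatory.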
@@ -3257,7 +3363,7 @@
  
  domain_read_all_domains_state(xend_t)
  domain_dontaudit_read_all_domains_state(xend_t)
-@@ -164,7 +165,11 @@
+@@ -164,7 +166,11 @@
  files_etc_filetrans_etc_runtime(xend_t,file)
  files_read_usr_files(xend_t)
  
@@ -3270,7 +3376,7 @@
  storage_raw_read_removable_device(xend_t)
  
  term_getattr_all_user_ptys(xend_t)
-@@ -236,6 +241,10 @@
+@@ -236,6 +242,10 @@
  
  files_read_usr_files(xenconsoled_t)
  
@@ -3281,7 +3387,7 @@
  term_create_pty(xenconsoled_t,xen_devpts_t);
  term_use_generic_ptys(xenconsoled_t)
  term_use_console(xenconsoled_t)
-@@ -283,6 +292,12 @@
+@@ -283,6 +293,12 @@
  
  files_read_usr_files(xenstored_t)
  
@@ -3294,7 +3400,7 @@
  term_use_generic_ptys(xenstored_t)
  term_use_console(xenconsoled_t)
  
-@@ -353,3 +368,10 @@
+@@ -353,3 +369,10 @@
  xen_append_log(xm_t)
  xen_stream_connect(xm_t)
  xen_stream_connect_xenstore(xm_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.339
retrieving revision 1.340
diff -u -r1.339 -r1.340
--- selinux-policy.spec	10 Nov 2006 13:31:34 -0000	1.339
+++ selinux-policy.spec	10 Nov 2006 20:37:08 -0000	1.340
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.4.3
-Release: 9
+Release: 10
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -351,6 +351,9 @@
 %endif
 
 %changelog
+* Fri Nov 10 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-10
+- Allow xen to connect to xen port
+
 * Fri Nov 10 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-9
 - Allow cups to search samba_etc_t directory
 - Allow xend_t to list auto_mountpoints



