rpms/selinux-policy/devel policy-20060915.patch, 1.26, 1.27 selinux-policy.spec, 1.305, 1.306

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Oct 4 19:31:44 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv7386

Modified Files:
	policy-20060915.patch selinux-policy.spec 
Log Message:
* Wed Oct 4 2006 Dan Walsh <dwalsh at redhat.com> 2.3.18-3
- Make xentapctrl work


policy-20060915.patch:
 Rules.modular                                |   10 
 config/appconfig-strict-mcs/seusers          |    3 
 config/appconfig-strict-mls/initrc_context   |    2 
 config/appconfig-strict-mls/seusers          |    3 
 config/appconfig-strict/seusers              |    1 
 config/appconfig-targeted-mcs/seusers        |    3 
 config/appconfig-targeted-mls/initrc_context |    2 
 config/appconfig-targeted-mls/seusers        |    3 
 config/appconfig-targeted/seusers            |    1 
 policy/flask/access_vectors                  |    2 
 policy/global_tunables                       |   15 +
 policy/mcs                                   |    6 
 policy/mls                                   |   36 +-
 policy/modules/admin/acct.te                 |    1 
 policy/modules/admin/amanda.te               |    2 
 policy/modules/admin/bootloader.fc           |    2 
 policy/modules/admin/bootloader.te           |    7 
 policy/modules/admin/consoletype.te          |    8 
 policy/modules/admin/dmesg.te                |    1 
 policy/modules/admin/netutils.te             |    2 
 policy/modules/admin/prelink.te              |    7 
 policy/modules/admin/rpm.fc                  |    2 
 policy/modules/admin/rpm.if                  |   21 +
 policy/modules/admin/rpm.te                  |    5 
 policy/modules/admin/su.if                   |    2 
 policy/modules/admin/usermanage.te           |    5 
 policy/modules/apps/java.fc                  |    2 
 policy/modules/apps/java.te                  |    2 
 policy/modules/apps/mono.te                  |    3 
 policy/modules/kernel/corecommands.fc        |    1 
 policy/modules/kernel/corecommands.if        |   17 +
 policy/modules/kernel/corenetwork.te.in      |   17 -
 policy/modules/kernel/devices.fc             |    9 
 policy/modules/kernel/files.fc               |   27 -
 policy/modules/kernel/filesystem.if          |   22 +
 policy/modules/kernel/filesystem.te          |    1 
 policy/modules/kernel/kernel.if              |    2 
 policy/modules/kernel/kernel.te              |   25 -
 policy/modules/kernel/mcs.te                 |   18 -
 policy/modules/kernel/mls.te                 |   10 
 policy/modules/kernel/selinux.te             |    2 
 policy/modules/kernel/storage.fc             |   49 +--
 policy/modules/kernel/storage.if             |    1 
 policy/modules/kernel/terminal.fc            |    2 
 policy/modules/kernel/terminal.if            |   20 +
 policy/modules/services/apache.fc            |    9 
 policy/modules/services/apache.te            |    3 
 policy/modules/services/automount.te         |    4 
 policy/modules/services/ccs.fc               |    8 
 policy/modules/services/ccs.if               |   65 ++++
 policy/modules/services/ccs.te               |   87 ++++++
 policy/modules/services/cron.if              |   25 -
 policy/modules/services/cron.te              |    6 
 policy/modules/services/cups.te              |    5 
 policy/modules/services/cvs.te               |    1 
 policy/modules/services/dbus.if              |    1 
 policy/modules/services/dovecot.te           |    2 
 policy/modules/services/hal.te               |    1 
 policy/modules/services/lpd.fc               |    5 
 policy/modules/services/mta.te               |    1 
 policy/modules/services/nscd.if              |   20 +
 policy/modules/services/nscd.te              |    3 
 policy/modules/services/pegasus.if           |   31 ++
 policy/modules/services/pegasus.te           |    5 
 policy/modules/services/procmail.te          |    1 
 policy/modules/services/rhgb.te              |   24 +
 policy/modules/services/ricci.fc             |   20 +
 policy/modules/services/ricci.if             |  184 ++++++++++++
 policy/modules/services/ricci.te             |  388 +++++++++++++++++++++++++++
 policy/modules/services/rsync.te             |    1 
 policy/modules/services/setroubleshoot.te    |    2 
 policy/modules/services/spamassassin.te      |    4 
 policy/modules/services/ssh.te               |    2 
 policy/modules/services/xserver.if           |    2 
 policy/modules/services/xserver.te           |    2 
 policy/modules/system/authlogin.if           |    2 
 policy/modules/system/fstools.te             |    3 
 policy/modules/system/hostname.te            |    6 
 policy/modules/system/init.fc                |    3 
 policy/modules/system/init.te                |    4 
 policy/modules/system/iscsi.fc               |    7 
 policy/modules/system/iscsi.if               |   24 +
 policy/modules/system/iscsi.te               |   74 +++++
 policy/modules/system/libraries.fc           |    1 
 policy/modules/system/locallogin.if          |   37 ++
 policy/modules/system/logging.fc             |    8 
 policy/modules/system/logging.te             |    4 
 policy/modules/system/mount.fc               |    1 
 policy/modules/system/mount.te               |    1 
 policy/modules/system/raid.te                |    3 
 policy/modules/system/selinuxutil.fc         |    6 
 policy/modules/system/selinuxutil.if         |    4 
 policy/modules/system/selinuxutil.te         |    5 
 policy/modules/system/setrans.fc             |    2 
 policy/modules/system/setrans.te             |    2 
 policy/modules/system/unconfined.if          |    1 
 policy/modules/system/unconfined.te          |   16 -
 policy/modules/system/userdomain.if          |  165 +++++++++++
 policy/modules/system/userdomain.te          |    6 
 policy/modules/system/xen.fc                 |    1 
 policy/modules/system/xen.te                 |    9 
 policy/users                                 |   14 
 102 files changed, 1519 insertions(+), 184 deletions(-)

Index: policy-20060915.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060915.patch,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- policy-20060915.patch	3 Oct 2006 20:35:40 -0000	1.26
+++ policy-20060915.patch	4 Oct 2006 19:31:42 -0000	1.27
@@ -1029,6 +1029,26 @@
 +/opt/fortitude/modules.local(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
 +/opt/fortitude/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/opt/fortitude/run(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.18/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te	2006-09-22 14:07:06.000000000 -0400
++++ serefpolicy-2.3.18/policy/modules/services/apache.te	2006-10-04 10:56:30.000000000 -0400
+@@ -204,6 +204,8 @@
+ allow httpd_t squirrelmail_spool_t:file create_file_perms;
+ allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
+ 
++apache_domtrans_rotatelogs(httpd_t)
++
+ kernel_read_kernel_sysctls(httpd_t)
+ # for modules that want to access /proc/meminfo
+ kernel_read_system_state(httpd_t)
+@@ -296,6 +298,7 @@
+ ')
+ ')
+ 
++
+ tunable_policy(`httpd_can_network_connect',`
+ 	corenet_tcp_connect_all_ports(httpd_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.3.18/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2006-09-22 14:07:05.000000000 -0400
 +++ serefpolicy-2.3.18/policy/modules/services/automount.te	2006-10-03 12:02:36.000000000 -0400
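Review bot: `apache_domtrans_rotatelogs(httpd_t)` gives httpd_t a new domain transition, but the log message and the 2.3.18-3 changelog entry mention only xentapctrl. A change to what a network-facing daemon may transition into deserves its own changelog line, for example `- Allow httpd to transition to the rotatelogs domain`, so that it can be found later when auditing the policy history. The diffstat at the top lists apache.fc and apache.te but no apache.if, so the interface is presumably supplied by the upstream tree; confirm that it is. The second inner hunk (`@@ -296,6 +298,7 @@`) adds only a blank line before the httpd_can_network_connect tunable and could be dropped from the patch.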
@@ -2342,7 +2362,7 @@
 +/var/run/pcscd\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.18/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2006-09-29 14:28:02.000000000 -0400
-+++ serefpolicy-2.3.18/policy/modules/system/init.te	2006-10-03 12:02:36.000000000 -0400
++++ serefpolicy-2.3.18/policy/modules/system/init.te	2006-10-04 10:15:21.000000000 -0400
 @@ -151,6 +151,7 @@
  mcs_process_set_categories(init_t)
  
@@ -2964,10 +2984,35 @@
  		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
  		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
  		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.3.18/policy/modules/system/xen.fc
+--- nsaserefpolicy/policy/modules/system/xen.fc	2006-09-22 14:07:07.000000000 -0400
++++ serefpolicy-2.3.18/policy/modules/system/xen.fc	2006-10-04 10:20:01.000000000 -0400
+@@ -19,3 +19,4 @@
+ /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+ 
+ /xen(/.*)?			gen_context(system_u:object_r:xen_image_t,s0)
++/dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.18/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2006-09-22 14:07:07.000000000 -0400
-+++ serefpolicy-2.3.18/policy/modules/system/xen.te	2006-10-03 12:02:36.000000000 -0400
-@@ -132,6 +132,7 @@
++++ serefpolicy-2.3.18/policy/modules/system/xen.te	2006-10-04 10:22:45.000000000 -0400
+@@ -63,12 +63,15 @@
+ domain_type(xm_t)
+ init_daemon_domain(xm_t, xm_exec_t)
+ 
++type xenctl_t;
++files_type(xenctl_t)
++
+ ########################################
+ #
+ # xend local policy
+ #
+ 
+-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
++allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
+ dontaudit xend_t self:capability { sys_ptrace };
+ allow xend_t self:process { signal sigkill };
+ dontaudit xend_t self:process ptrace;
+@@ -132,6 +135,7 @@
  corenet_tcp_bind_soundd_port(xend_t)
  corenet_tcp_bind_generic_port(xend_t)
  corenet_tcp_bind_vnc_port(xend_t)
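Review bot: The `mknod` capability added to the `allow xend_t self:capability { ... }` line carries no explanation, and the only new object rules visible in this commit are for a named pipe (the `-p` entry in xen.fc and the `fifo_file` rules at the end of xen.te). On Linux, creating a FIFO does not require CAP_MKNOD, so if the tapctrl pipe is the only motivation, this grant may be wider than needed. If xend also creates character or block nodes under /dev/xen, state that next to the rule, e.g. `# mknod: xend creates <device nodes> under /dev/xen (from AVC denial <reference>)`. A one-line comment above `type xenctl_t;` saying that it labels the /dev/xen/tapctrl* control pipes would also help, since the type name alone does not say what it covers.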
@@ -2975,6 +3020,13 @@
  corenet_sendrecv_xen_server_packets(xend_t)
  corenet_sendrecv_soundd_server_packets(xend_t)
  corenet_rw_tun_tap_dev(xend_t)
+@@ -317,3 +321,6 @@
+ xen_append_log(xm_t)
+ xen_stream_connect(xm_t)
+ xen_stream_connect_xenstore(xm_t)
++
++allow xend_t xenctl_t:fifo_file create_file_perms;
++dev_filetrans(xend_t, xenctl_t, fifo_file)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.3.18/policy/users
 --- nsaserefpolicy/policy/users	2006-07-14 17:04:46.000000000 -0400
 +++ serefpolicy-2.3.18/policy/users	2006-10-03 12:02:36.000000000 -0400
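Review bot: `dev_filetrans(xend_t, xenctl_t, fifo_file)` is not limited to /dev/xen/tapctrl*. As far as the visible rule shows, every FIFO that xend_t creates in a directory carrying the generic device label is typed xenctl_t, so the scope should be confirmed and documented. The two rules are also appended after the `xm_t` calls at the end of xen.te rather than in the "xend local policy" section where the capability line was changed; keeping them with the other xend_t rules would make the daemon's grants reviewable in one place. I would move them there and add a comment such as `# xend creates the /dev/xen/tapctrl* control pipes`.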


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.305
retrieving revision 1.306
diff -u -r1.305 -r1.306
--- selinux-policy.spec	3 Oct 2006 20:35:40 -0000	1.305
+++ selinux-policy.spec	4 Oct 2006 19:31:42 -0000	1.306
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.3.18
-Release: 2
+Release: 3
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -349,6 +349,9 @@
 %endif
 
 %changelog
+* Wed Oct 4 2006 Dan Walsh <dwalsh at redhat.com> 2.3.18-3
+- Make xentapctrl work
+
 * Tue Oct 3 2006 Dan Walsh <dwalsh at redhat.com> 2.3.18-2
 - Don't transition unconfined_t to bootloader_t
 - Fix label in /dev/xen/blktap



