rpms/selinux-policy/devel policy-20060915.patch,1.6,1.7
fedora-cvs-commits at redhat.com
Tue Sep 19 21:08:46 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv14926
Modified Files:
policy-20060915.patch
Log Message:
* Mon Sep 19 2006 Dan Walsh <dwalsh at redhat.com> 2.3.14-5
- Fixes to make pppd work
policy-20060915.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 2
config/appconfig-strict-mls/initrc_context | 2
config/appconfig-strict-mls/seusers | 2
config/appconfig-targeted-mcs/seusers | 2
config/appconfig-targeted-mls/initrc_context | 2
config/appconfig-targeted-mls/seusers | 2
policy/flask/mkaccess_vector.sh | 3
policy/global_tunables | 9
policy/mcs | 197 +++++++++++++
policy/mls | 225 ++++++++++++++-
policy/modules/admin/amanda.fc | 6
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 10
policy/modules/admin/consoletype.te | 7
policy/modules/admin/firstboot.te | 1
policy/modules/admin/logwatch.te | 2
policy/modules/admin/rpm.fc | 4
policy/modules/admin/rpm.te | 2
policy/modules/admin/su.if | 2
policy/modules/admin/usermanage.te | 5
policy/modules/apps/java.fc | 2
policy/modules/apps/mono.te | 9
policy/modules/kernel/corecommands.fc | 2
policy/modules/kernel/corenetwork.te.in | 13
policy/modules/kernel/corenetwork.te.m4 | 13
policy/modules/kernel/devices.fc | 10
policy/modules/kernel/domain.te | 8
policy/modules/kernel/files.fc | 27 -
policy/modules/kernel/files.if | 46 +++
policy/modules/kernel/filesystem.if | 19 +
policy/modules/kernel/kernel.te | 24 -
policy/modules/kernel/mcs.te | 17 -
policy/modules/kernel/mls.te | 10
policy/modules/kernel/selinux.te | 2
policy/modules/kernel/storage.fc | 48 +--
policy/modules/kernel/terminal.fc | 2
policy/modules/kernel/terminal.if | 2
policy/modules/services/amavis.te | 1
policy/modules/services/apache.fc | 9
policy/modules/services/apache.te | 6
policy/modules/services/automount.te | 3
policy/modules/services/bluetooth.fc | 3
policy/modules/services/bluetooth.te | 11
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.if | 65 ++++
policy/modules/services/ccs.te | 87 ++++++
policy/modules/services/clamav.te | 1
policy/modules/services/cups.te | 31 +-
policy/modules/services/dbus.if | 1
policy/modules/services/dhcp.te | 7
policy/modules/services/kerberos.if | 2
policy/modules/services/lpd.fc | 1
policy/modules/services/networkmanager.fc | 1
policy/modules/services/networkmanager.te | 4
policy/modules/services/ntp.te | 3
policy/modules/services/oddjob.fc | 8
policy/modules/services/oddjob.if | 76 +++++
policy/modules/services/oddjob.te | 73 +++++
policy/modules/services/oddjob_mkhomedir.fc | 6
policy/modules/services/oddjob_mkhomedir.if | 24 +
policy/modules/services/oddjob_mkhomedir.te | 29 ++
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 6
policy/modules/services/ppp.fc | 4
policy/modules/services/ppp.if | 19 +
policy/modules/services/ppp.te | 21 +
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 386 +++++++++++++++++++++++++++
policy/modules/services/rpc.te | 3
policy/modules/services/sendmail.te | 14
policy/modules/services/setroubleshoot.te | 7
policy/modules/services/snmp.if | 19 +
policy/modules/services/xfs.te | 2
policy/modules/services/xserver.if | 24 +
policy/modules/system/authlogin.te | 1
policy/modules/system/fstools.te | 4
policy/modules/system/hostname.te | 5
policy/modules/system/init.fc | 3
policy/modules/system/init.te | 12
policy/modules/system/libraries.fc | 5
policy/modules/system/logging.fc | 8
policy/modules/system/selinuxutil.fc | 6
policy/modules/system/selinuxutil.te | 4
policy/modules/system/setrans.fc | 2
policy/modules/system/setrans.te | 1
policy/modules/system/unconfined.te | 2
policy/modules/system/userdomain.fc | 2
policy/modules/system/userdomain.if | 2
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 3
policy/users | 14
94 files changed, 1869 insertions(+), 165 deletions(-)
Index: policy-20060915.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060915.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20060915.patch 19 Sep 2006 19:14:48 -0000 1.6
+++ policy-20060915.patch 19 Sep 2006 21:08:44 -0000 1.7
@@ -657,6 +657,18 @@
')
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.3.14/policy/modules/admin/rpm.te
+--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-08-02 10:34:09.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/admin/rpm.te 2006-09-19 17:08:12.000000000 -0400
+@@ -178,6 +178,8 @@
+
+ ifdef(`targeted_policy',`
+ unconfined_domain(rpm_t)
++ # yum-updatesd requires this
++ unconfined_dbus_chat(rpm_t)
+ ',`
+ # cjp: these are here to stop type_transition
+ # conflicts since rpm_t is an alias of
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.3.14/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2006-09-15 13:14:27.000000000 -0400
+++ serefpolicy-2.3.14/policy/modules/admin/su.if 2006-09-19 14:33:19.000000000 -0400
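Review bot: The comment above the added `unconfined_dbus_chat(rpm_t)` names only the consumer (yum-updatesd) and not the access being granted, which is a two-way D-Bus send_msg allow between rpm_t and unconfined_t; it should record which direction was actually denied so the rule can be narrowed if a confined yum-updatesd domain appears. Since the line above already makes rpm_t an unconfined domain in this branch, presumably the missing half was unconfined_t answering rpm_t, which is worth stating explicitly, e.g. `# yum-updatesd (unconfined_t) must be able to reply to rpm_t over the system bus`. The `ifdef(`targeted_policy'` block this sits in continues past the hunk.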
@@ -966,7 +978,7 @@
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.3.14/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-09-15 13:14:21.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/files.if 2006-09-19 10:47:17.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/files.if 2006-09-19 16:24:26.000000000 -0400
@@ -386,7 +386,7 @@
attribute file_type, security_file_type;
')
@@ -1727,7 +1739,7 @@
+/var/run/wpa_supplicant-global -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.3.14/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/networkmanager.te 2006-09-19 14:39:37.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/networkmanager.te 2006-09-19 16:19:24.000000000 -0400
@@ -21,7 +21,7 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -1749,7 +1761,7 @@
optional_policy(`
ppp_domtrans(NetworkManager_t)
-+ ppp_getattr_pid_files(NetworkManager_t)
++ ppp_read_pid_files(NetworkManager_t)
')
optional_policy(`
@@ -2086,14 +2098,14 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-2.3.14/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2006-07-14 17:04:40.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/ppp.fc 2006-09-19 10:47:17.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ppp.fc 2006-09-19 16:08:25.000000000 -0400
@@ -2,7 +2,8 @@
# /etc
#
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
-/etc/ppp/.* -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-+/etc/ppp/peers(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
++/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
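Review bot: The rewritten `/etc/ppp(/.*)? -- ...pppd_etc_rw_t` makes the daemon-writable type the default for every regular file under /etc/ppp, so anything not listed more specifically — including the ip-up/ip-down hook scripts if they live there, as is conventional — becomes a file pppd_t can create and rewrite (the ppp.te hunk below keeps `allow pppd_t pppd_etc_rw_t:file create_file_perms`). Scripts that run on link events should stay read-only to the daemon: add explicit entries such as `/etc/ppp/ip-(up|down).* -- gen_context(system_u:object_r:pppd_etc_t,s0)` and reserve pppd_etc_rw_t for what pppd is known to write (`resolv.conf`, `peers`). Dropping the `--` from the `peers` line labels the directory itself pppd_etc_rw_t so pppd can create entries in it, which deserves a comment saying so. Because the catch-all is now more generic than `/etc/ppp/.*secrets`, confirm with `matchpathcon /etc/ppp/chap-secrets /etc/ppp/pap-secrets` that the secrets files still resolve to pppd_secret_t after a relabel.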
@@ -2107,7 +2119,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-2.3.14/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2006-09-15 13:14:24.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/ppp.if 2006-09-19 14:39:26.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ppp.if 2006-09-19 16:20:05.000000000 -0400
@@ -237,3 +237,22 @@
files_pid_filetrans($1,pppd_var_run_t,file)
@@ -2115,7 +2127,7 @@
+
+########################################
+## <summary>
-+## getattr pid files.
++## read pid files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -2123,17 +2135,17 @@
+## </summary>
+## </param>
+#
-+interface(`ppp_getattr_pid_files',`
++interface(`ppp_read_pid_files',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
-+ allow $1 pppd_var_run_t:file getattr;
++ allow $1 pppd_var_run_t:file r_file_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-2.3.14/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2006-07-14 17:04:40.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/ppp.te 2006-09-19 14:06:42.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ppp.te 2006-09-19 17:04:55.000000000 -0400
@@ -64,7 +64,7 @@
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
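Review bot: `ppp_read_pid_files` grants `r_file_perms` on `pppd_var_run_t:file` but nothing on the directory containing the pid file, so a caller that cannot already traverse /var/run is still denied at lookup; reference-policy read_*_pid_files interfaces pair the file rule with `files_search_pids($1)`. Add that call inside the interface, and make the summary describe the access rather than repeat the name: `## Read pppd PID files.` The remainder of the hunk is the ppp.te header timestamp only.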
@@ -2143,15 +2155,42 @@
allow pppd_t self:tcp_socket create_stream_socket_perms;
allow pppd_t self:udp_socket { connect connected_socket_perms };
allow pppd_t self:packet_socket create_socket_perms;
-@@ -82,6 +82,7 @@
+@@ -80,9 +80,11 @@
+ allow pppd_t pppd_etc_t:dir rw_dir_perms;
+ allow pppd_t pppd_etc_t:file r_file_perms;
allow pppd_t pppd_etc_t:lnk_file { getattr read };
- files_etc_filetrans(pppd_t,pppd_etc_t,file)
+-files_etc_filetrans(pppd_t,pppd_etc_t,file)
+allow pppd_t pppd_etc_rw_t:dir rw_dir_perms;
allow pppd_t pppd_etc_rw_t:file create_file_perms;
++# Automatically label newly created files under /etc/ppp with this type
++type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
allow pppd_t pppd_lock_t:file create_file_perms;
-@@ -163,6 +164,8 @@
+ files_lock_filetrans(pppd_t,pppd_lock_t,file)
+@@ -104,9 +106,6 @@
+ # Access secret files
+ allow pppd_t pppd_secret_t:file r_file_perms;
+
+-# Automatically label newly created files under /etc/ppp with this type
+-type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
+-
+ kernel_read_kernel_sysctls(pppd_t)
+ kernel_read_system_state(pppd_t)
+ kernel_read_net_sysctls(pppd_t)
+@@ -147,7 +146,10 @@
+ domain_use_interactive_fds(pppd_t)
+
+ files_exec_etc_files(pppd_t)
+-files_read_etc_runtime_files(pppd_t)
++files_manage_etc_runtime_files(pppd_t)
++files_etc_filetrans_etc_runtime(pppd_t, { dir file })
++files_dontaudit_write_etc_files(pppd_t)
++
+ # for scripts
+ files_read_etc_files(pppd_t)
+
+@@ -163,6 +165,8 @@
miscfiles_read_localization(pppd_t)
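Review bot: `files_manage_etc_runtime_files(pppd_t)` replaces a read grant with create/write/unlink over every etc_runtime_t file on the system, and the hunk never says which file pppd needs to write — /etc/ppp/resolv.conf already has its own pppd_etc_rw_t label in ppp.fc and /etc/resolv.conf is covered by `sysnet_manage_config(pppd_t)` below. Together with dropping `files_etc_filetrans(pppd_t,pppd_etc_t,file)` in favour of `files_etc_filetrans_etc_runtime(pppd_t, { dir file })`, files pppd creates directly in /etc now get the generic etc_runtime_t instead of a pppd-specific type, and `files_dontaudit_write_etc_files(pppd_t)` silences exactly the denial (a network daemon writing system configuration) an analyst would want to see. Keep the pppd_etc_t transition, name the offending file in a comment, e.g. `# pppd rewrites /etc/<file> on link up -- narrow this once it has its own type`, and drop the dontaudit unless the denial is known to be harmless noise.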
@@ -2160,7 +2199,7 @@
sysnet_read_config(pppd_t)
sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
-@@ -331,3 +334,8 @@
+@@ -331,3 +335,8 @@
allow initrc_t pppd_t:fd use;
allow initrc_t pppd_t:fifo_file rw_file_perms;
allow initrc_t pppd_t:process sigchld;
@@ -2798,6 +2837,32 @@
files_list_tmp(gssd_t)
files_read_generic_tmp_files(gssd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.3.14/policy/modules/services/sendmail.te
+--- nsaserefpolicy/policy/modules/services/sendmail.te 2006-07-14 17:04:40.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/sendmail.te 2006-09-19 15:19:26.000000000 -0400
+@@ -104,15 +104,15 @@
+ term_dontaudit_use_unallocated_ttys(sendmail_t)
+ term_dontaudit_use_generic_ptys(sendmail_t)
+ files_dontaudit_read_root_files(sendmail_t)
+-',`
+- allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
+- allow sendmail_t sendmail_tmp_t:file create_file_perms;
+- files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
+-
+- allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock };
+- files_pid_filetrans(sendmail_t,sendmail_var_run_t,file)
+ ')
+
++allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
++allow sendmail_t sendmail_tmp_t:file create_file_perms;
++files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
++
++allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock };
++files_pid_filetrans(sendmail_t,sendmail_var_run_t,file)
++
+ optional_policy(`
+ nis_use_ypbind(sendmail_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.14/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2006-09-06 13:04:51.000000000 -0400
+++ serefpolicy-2.3.14/policy/modules/services/setroubleshoot.te 2006-09-19 10:47:17.000000000 -0400
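Review bot: The hoisted `allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock }` spells out a hand-picked permission set while the tmp rule two lines above uses the `create_file_perms` macro; if link/rename/ioctl are deliberately excluded a comment should say so, otherwise use the macro for consistency. Moving these rules out of the `',\`` branch makes them unconditional, which also enables them in the targeted build; the `ifdef(`targeted_policy'` opening is above the hunk, so whether sendmail_t is unconfined there cannot be checked from this view.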
@@ -2936,6 +3001,16 @@
role system_r types hostname_t;
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.3.14/policy/modules/system/init.fc
+--- nsaserefpolicy/policy/modules/system/init.fc 2006-08-25 13:29:58.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/init.fc 2006-09-19 15:31:33.000000000 -0400
+@@ -66,3 +66,6 @@
+ /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
+ ')
+
++# Until their is a policy for pcscd we need these
++/var/run/pcscd\.pub -- gen_context(system_u:object_r:initrc_var_run_t,s0)
++/var/run/pcscd\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.14/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-09-15 13:14:26.000000000 -0400
+++ serefpolicy-2.3.14/policy/modules/system/init.te 2006-09-19 14:34:03.000000000 -0400
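Review bot: Labelling `/var/run/pcscd.pub` and `/var/run/pcscd.pid` as initrc_var_run_t shares them with every domain that may manage init-script runtime files, so the stopgap should reference where the dedicated pcscd policy is tracked and fix the typo: `# Temporary until a pcscd module exists (see bug NNNN): pcscd has no type of its own yet`. Both entries carry `--`, so they match regular files only; if pcscd also creates a Unix socket under /var/run it will fall back to var_run_t and need a separate `-s` entry.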
@@ -3134,7 +3209,7 @@
/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.14/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-09-06 13:04:51.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/system/xen.te 2006-09-19 10:47:17.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/xen.te 2006-09-19 16:04:52.000000000 -0400
@@ -68,7 +68,7 @@
# xend local policy
#
@@ -3144,6 +3219,14 @@
dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { signal sigkill };
dontaudit xend_t self:process ptrace;
+@@ -153,6 +153,7 @@
+ files_read_usr_files(xend_t)
+
+ storage_raw_read_fixed_disk(xend_t)
++storage_raw_read_removable_device(xend_t)
+
+ term_getattr_all_user_ptys(xend_t)
+ term_use_generic_ptys(xend_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.3.14/policy/users
--- nsaserefpolicy/policy/users 2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.14/policy/users 2006-09-19 10:47:17.000000000 -0400
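Review bot: `storage_raw_read_removable_device(xend_t)` lets xend read removable block devices directly, bypassing any filesystem-level control on their contents, and it is added with no comment on the use case. Record why (presumably guest installs from physical media) on the line, e.g. `# xend reads install media raw when a guest boots from a physical CD/USB`, and consider whether it belongs behind a boolean rather than being unconditional. The xend local-policy block starts above the hunk, and the trailing policy/users lines are a header timestamp change only.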