rpms/selinux-policy/devel policy-20070501.patch, NONE, 1.1 .cvsignore, 1.112, 1.113 selinux-policy.spec, 1.445, 1.446 sources, 1.120, 1.121 policy-20070219.patch, 1.64, NONE
fedora-cvs-commits at redhat.com
Tue May 1 20:53:31 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv8177
Modified Files:
.cvsignore selinux-policy.spec sources
Added Files:
policy-20070501.patch
Removed Files:
policy-20070219.patch
Log Message:
* Mon Apr 30 2007 Dan Walsh <dwalsh at redhat.com> 2.6.2-1
- Update to latest from upstream
policy-20070501.patch:
Changelog | 2
Rules.modular | 12 +
policy/flask/access_vectors | 4
policy/global_booleans | 2
policy/global_tunables | 15 -
policy/mls | 31 ++-
policy/modules/admin/acct.te | 1
policy/modules/admin/alsa.fc | 1
policy/modules/admin/amtu.fc | 3
policy/modules/admin/amtu.if | 53 +++++
policy/modules/admin/amtu.te | 57 +++++
policy/modules/admin/bootloader.te | 3
policy/modules/admin/consoletype.te | 10
policy/modules/admin/dmesg.te | 1
policy/modules/admin/kudzu.te | 6
policy/modules/admin/logrotate.te | 1
policy/modules/admin/logwatch.te | 6
policy/modules/admin/netutils.te | 1
policy/modules/admin/readahead.te | 6
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 85 ++++++--
policy/modules/admin/rpm.te | 2
policy/modules/admin/su.if | 14 -
policy/modules/admin/sudo.if | 9
policy/modules/admin/usermanage.if | 2
policy/modules/admin/usermanage.te | 40 +++
policy/modules/admin/vbetool.te | 1
policy/modules/apps/gnome.if | 26 ++
policy/modules/apps/gpg.fc | 2
policy/modules/apps/loadkeys.if | 44 +---
policy/modules/apps/mozilla.if | 1
policy/modules/apps/slocate.te | 2
policy/modules/apps/uml.if | 27 --
policy/modules/kernel/corecommands.fc | 6
policy/modules/kernel/corecommands.if | 20 +
policy/modules/kernel/corenetwork.te.in | 16 +
policy/modules/kernel/devices.fc | 1
policy/modules/kernel/devices.if | 36 +++
policy/modules/kernel/domain.if | 18 +
policy/modules/kernel/domain.te | 46 ++++
policy/modules/kernel/files.fc | 1
policy/modules/kernel/files.if | 83 +++++++-
policy/modules/kernel/filesystem.if | 39 +++
policy/modules/kernel/filesystem.te | 19 +
policy/modules/kernel/kernel.if | 42 +++-
policy/modules/kernel/kernel.te | 3
policy/modules/kernel/mls.if | 20 +
policy/modules/kernel/mls.te | 3
policy/modules/kernel/selinux.if | 38 +++
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 21 +-
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 2
policy/modules/services/aide.te | 4
policy/modules/services/amavis.if | 19 +
policy/modules/services/amavis.te | 4
policy/modules/services/apache.fc | 14 -
policy/modules/services/apache.if | 171 +++++++++++++++-
policy/modules/services/apache.te | 79 +++++++
policy/modules/services/apcupsd.fc | 9
policy/modules/services/apcupsd.if | 108 ++++++++++
policy/modules/services/apcupsd.te | 92 ++++++++
policy/modules/services/automount.te | 2
policy/modules/services/avahi.if | 19 +
policy/modules/services/avahi.te | 4
policy/modules/services/bind.te | 1
policy/modules/services/clamav.te | 1
policy/modules/services/consolekit.te | 33 ++-
policy/modules/services/cron.fc | 1
policy/modules/services/cron.if | 33 +--
policy/modules/services/cron.te | 48 +++-
policy/modules/services/cups.te | 13 +
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 1
policy/modules/services/dbus.if | 67 ++++++
policy/modules/services/dbus.te | 7
policy/modules/services/dhcp.te | 2
policy/modules/services/djbdns.te | 5
policy/modules/services/dovecot.fc | 2
policy/modules/services/dovecot.if | 40 +++
policy/modules/services/dovecot.te | 59 +++++
policy/modules/services/ftp.te | 5
policy/modules/services/hal.fc | 8
policy/modules/services/hal.if | 77 +++++++
policy/modules/services/hal.te | 151 ++++++++++++++
policy/modules/services/inetd.te | 5
policy/modules/services/kerberos.if | 79 ++-----
policy/modules/services/kerberos.te | 34 +++
policy/modules/services/mailman.if | 19 +
policy/modules/services/mta.if | 19 +
policy/modules/services/mta.te | 2
policy/modules/services/nis.if | 4
policy/modules/services/nis.te | 4
policy/modules/services/nscd.te | 15 +
policy/modules/services/ntp.te | 4
policy/modules/services/oddjob.te | 2
policy/modules/services/pcscd.te | 1
policy/modules/services/pegasus.if | 18 +
policy/modules/services/pegasus.te | 9
policy/modules/services/postfix.if | 20 +
policy/modules/services/postfix.te | 29 ++
policy/modules/services/ppp.te | 2
policy/modules/services/procmail.te | 7
policy/modules/services/pyzor.te | 7
policy/modules/services/radius.te | 4
policy/modules/services/rlogin.te | 1
policy/modules/services/rpc.if | 5
policy/modules/services/rpc.te | 2
policy/modules/services/rpcbind.fc | 6
policy/modules/services/rpcbind.if | 104 ++++++++++
policy/modules/services/rpcbind.te | 83 ++++++++
policy/modules/services/rsync.te | 1
policy/modules/services/rwho.fc | 2
policy/modules/services/rwho.if | 85 ++++++++
policy/modules/services/rwho.te | 31 +--
policy/modules/services/samba.fc | 3
policy/modules/services/samba.if | 86 ++++++++
policy/modules/services/samba.te | 92 ++++++++
policy/modules/services/sasl.te | 1
policy/modules/services/sendmail.if | 22 ++
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 17 +
policy/modules/services/spamassassin.te | 12 -
policy/modules/services/squid.fc | 2
policy/modules/services/squid.if | 22 ++
policy/modules/services/squid.te | 12 +
policy/modules/services/ssh.if | 39 +++
policy/modules/services/ssh.te | 9
policy/modules/services/w3c.fc | 2
policy/modules/services/w3c.if | 1
policy/modules/services/w3c.te | 14 +
policy/modules/system/application.fc | 1
policy/modules/system/application.if | 104 ++++++++++
policy/modules/system/application.te | 14 +
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 183 +++++++++++++++--
policy/modules/system/authlogin.te | 37 +++
policy/modules/system/clock.te | 3
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 1
policy/modules/system/fusermount.fc | 6
policy/modules/system/fusermount.if | 41 +++
policy/modules/system/fusermount.te | 50 ++++
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 14 +
policy/modules/system/init.if | 44 ++++
policy/modules/system/init.te | 41 +++
policy/modules/system/ipsec.if | 20 +
policy/modules/system/ipsec.te | 1
policy/modules/system/iptables.te | 5
policy/modules/system/libraries.fc | 4
policy/modules/system/libraries.te | 4
policy/modules/system/locallogin.te | 12 +
policy/modules/system/logging.if | 141 +++++++++++++
policy/modules/system/logging.te | 23 +-
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 8
policy/modules/system/modutils.te | 7
policy/modules/system/mount.fc | 3
policy/modules/system/mount.if | 37 +++
policy/modules/system/mount.te | 70 ++++++
policy/modules/system/raid.te | 1
policy/modules/system/selinuxutil.fc | 1
policy/modules/system/selinuxutil.if | 6
policy/modules/system/selinuxutil.te | 76 ++++---
policy/modules/system/sysnetwork.te | 5
policy/modules/system/udev.te | 12 +
policy/modules/system/unconfined.fc | 1
policy/modules/system/unconfined.if | 15 -
policy/modules/system/unconfined.te | 24 ++
policy/modules/system/userdomain.if | 329 +++++++++++++++++++-------------
policy/modules/system/userdomain.te | 81 +++++--
policy/modules/system/xen.te | 35 +++
policy/support/misc_patterns.spt | 5
policy/support/obj_perm_sets.spt | 12 +
175 files changed, 3836 insertions(+), 556 deletions(-)
--- NEW FILE policy-20070501.patch ---
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-2.6.2/Changelog
--- nsaserefpolicy/Changelog 2007-04-30 22:35:02.000000000 -0400
+++ serefpolicy-2.6.2/Changelog 2007-04-30 10:52:21.000000000 -0400
@@ -1,6 +1,3 @@
-- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
-- Patch to allow slocate to getattr other filesystems and directories on those
- filesystems from Dan Walsh.
- Fixes for RHEL4 from the CLIP project.
- Replace the old lrrd fc entries with munin ones.
- Move program admin template usage out of userdom_admin_user_template() to
@@ -8,8 +5,6 @@
parties.
- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
template instead of an interface.
-- Added modules:
- rwho (Nalin Dahyabhai)
* Tue Apr 17 2007 Chris PeBenito <selinux at tresys.com> - 20070417
- Patch for sasl's use of kerberos from Dan Walsh.
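Review bot: these two Changelog hunks delete upstream entries (the amavis and slocate patches and the "Added modules: rwho" line) rather than add anything, which means the serefpolicy-2.6.2 tree being patched is older than the nsaserefpolicy copy it is diffed against (the target timestamp 10:52 predates the source's 22:35). The rwho module is still touched by this patch (rwho.fc/if/te in the diffstat), so dropping its Changelog entry misstates what ships; regenerate the patch against a matching base, or leave Changelog out of the patch entirely since it has no effect on the built policy.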
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.6.2/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-02-26 09:43:33.000000000 -0500
+++ serefpolicy-2.6.2/policy/flask/access_vectors 2007-04-30 11:26:06.000000000 -0400
@@ -598,6 +598,8 @@
shmempwd
shmemgrp
shmemhost
+ getserv
+ shmemserv
}
# Define the access vector interpretation for controlling
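Review bot: getserv and shmemserv are appended to the nscd class here, but nothing visible in the patch grants or groups them; in particular the new all_nscd macro in obj_perm_sets.spt still lists only getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost. Since nscd is a userspace object manager, the permission names must also match what the nscd build queries; add the two new permissions to all_nscd (and to nscd.te, whose 15-line change is not shown) so the class definition and the macro do not drift apart.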
@@ -623,6 +625,8 @@
send
recv
relabelto
+ flow_in
+ flow_out
}
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.6.2/policy/global_booleans
--- nsaserefpolicy/policy/global_booleans 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.6.2/policy/global_booleans 2007-04-30 11:26:06.000000000 -0400
@@ -4,7 +4,6 @@
# file should be used.
#
-ifdef(`strict_policy',`
## <desc>
## <p>
## Enabling secure mode disallows programs, such as
@@ -13,7 +12,6 @@
## </p>
## </desc>
gen_bool(secure_mode,false)
-')
## <desc>
## <p>
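Review bot: removing the ifdef(`strict_policy') wrapper makes secure_mode a boolean in every policy flavour, including targeted, but the boolean's description (and the rules that consult it elsewhere) were written for strict; confirm that booleans-targeted.conf (Source2 in the spec) and any tooling that enumerates booleans tolerate the new boolean, and update the `<desc>` text if its behaviour in targeted differs.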
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.6.2/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-03-26 16:24:14.000000000 -0400
+++ serefpolicy-2.6.2/policy/global_tunables 2007-04-30 11:26:06.000000000 -0400
@@ -102,12 +102,6 @@
## </desc>
gen_tunable(use_samba_home_dirs,false)
-########################################
-#
-# Strict policy specific
-#
-
-ifdef(`strict_policy',`
## <desc>
## <p>
## Allow email client to various content.
@@ -143,4 +137,11 @@
## </p>
## </desc>
gen_tunable(write_untrusted_content,false)
-')
+
+## <desc>
+## <p>
+## Allow users to connect to console (s390)
+## </p>
+## </desc>
+gen_tunable(allow_console_login,false)
+
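Review bot: allow_console_login is described as an s390 tunable, yet it is declared unconditionally and (per the userdomain.te hunk in this patch) turns on term_use_console for the whole userdomain attribute on every architecture; either word the description in terms of what it actually grants ("allow all user domains to use the console") or guard it with the architecture ifdef. Minor: the hunk adds two trailing blank lines at end of file.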
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.6.2/policy/mls
--- nsaserefpolicy/policy/mls 2007-03-09 13:02:20.000000000 -0500
+++ serefpolicy-2.6.2/policy/mls 2007-04-30 11:26:06.000000000 -0400
@@ -89,12 +89,14 @@
mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsfilewrite ) or
+ (( t2 == mlsrangedobject ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t2 == mlstrustedobject ));
+# Directory "write" ops
mlsconstrain dir { add_name remove_name reparent rmdir }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( l1 eq l2 ) or
+ (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
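Review bot: the directory write constraint is tightened from an unconditional "subject level within the directory's range" clause to one that applies only when t1 carries mlsfilewriteinrange, so any domain that creates or removes entries in a ranged directory (s0-systemhigh tmp and home trees are the usual cases) from a level other than the directory's low level now needs that attribute or it gets an MLS denial. The attribute in the first constraint also changes from mlsfilewriteinrange on t2 to mlsrangedobject, which is the better name for an object-side attribute; make sure both attributes are declared in mls.te (the diffstat shows 3 lines added there) and that the affected domains are given them in the same patch, since an MLS denial here surfaces only on enforcing MLS systems.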
@@ -165,8 +167,20 @@
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
+# the socket "read+write" ops
+# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
+# require equal levels for unprivileged subjects, or read *and* write overrides)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
+ (( l1 eq l2 ) or
+ (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread )) and
+ ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsnetwrite ))));
+
+
# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen getopt recv_msg }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
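Review bot: the new accept/connect constraint requires either equal low levels or a read override and a write override together, which is stricter than the old behaviour where accept only needed l1 dom l2; a domain that accepts on a listening socket at a lower level than itself now needs mlsnetread (or mlsnetreadtoclr) plus one of the mlsnetwrite attributes. The removal of accept from the read set here and of connect from the write set in the next hunk is consistent with that, but the comment above the new block should say that accept is covered too, as it currently only mentions bidirectional FDs. Minor: two blank lines are added after the constraint.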
@@ -177,8 +191,9 @@
( t1 == mlsnetread ));
# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom setopt shutdown }
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
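Review bot: socket write ops now require l1 eq l2 unless the subject has mlsnetwriteranged, mlsnetwritetoclr or mlsnetwrite; before this hunk any subject whose level fell within the socket's range could write. Domains that write to ranged sockets they did not create (syslog, dbus and other system sockets labelled with a range) will need mlsnetwriteranged added; list those in the commit message so reviewers can check the attribute assignments in mls.te and the service modules.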
@@ -274,7 +289,8 @@
# the netif/node "write" ops (implicit single level socket doing the write)
mlsconstrain { netif node } { tcp_send udp_send rawip_send }
- (( l1 dom l2 ) and ( l1 domby h2 ));
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
# these access vectors have no MLS restrictions
# node enforce_dest
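Review bot: this is the change most likely to bite on an MLS box: netif and node objects are normally labelled with a full range, and until now any socket whose level lay inside that range could send on them. After this hunk only sockets at the netif's low level (l1 eq l2) or domains carrying mlsnetwriteranged may send, so a user session running at any level above s0 loses outbound traffic unless its domain has the attribute. Confirm that user domains and every network-facing daemon that runs ranged get mlsnetwriteranged, or keep the old in-range clause as a fallback until they do.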
@@ -581,7 +597,8 @@
( t2 == unlabeled_t ));
mlsconstrain association { sendto }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
( t2 == unlabeled_t ));
mlsconstrain association { polmatch }
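Review bot: same tightening as for netif/node, applied to IPsec association sendto; a subject above s0 without mlsnetwriteranged can no longer send to a ranged association. The unlabeled_t escape is kept, so unlabelled traffic is unaffected. It would be clearer to add a one-line comment above this constraint pointing at mlsnetwriteranged, as the netif/node block does in its comment.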
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.6.2/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2007-03-26 10:39:08.000000000 -0400
+++ serefpolicy-2.6.2/policy/modules/admin/acct.te 2007-04-30 11:26:06.000000000 -0400
@@ -9,6 +9,7 @@
type acct_t;
type acct_exec_t;
init_system_domain(acct_t,acct_exec_t)
+application_executable_file(acct_exec_t)
type acct_data_t;
logging_log_file(acct_data_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-2.6.2/policy/modules/admin/alsa.fc
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.6.2/policy/modules/admin/alsa.fc 2007-04-30 11:26:06.000000000 -0400
@@ -1,4 +1,5 @@
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
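Review bot: the pattern `/etc/asound(/.*)?` matches a directory named /etc/asound and its contents but not /etc/asound.conf, because the optional group requires a slash after "asound"; if the intent was to let alsa_t rewrite the system ALSA config file as well, add a separate `/etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)` entry. Also consider whether a writable label on everything under /etc/asound is needed or whether a read-only type suffices.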
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amtu.fc serefpolicy-2.6.2/policy/modules/admin/amtu.fc
--- nsaserefpolicy/policy/modules/admin/amtu.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.2/policy/modules/admin/amtu.fc 2007-04-30 11:26:06.000000000 -0400
@@ -0,0 +1,3 @@
+
+/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
+
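Review bot: the new amtu.fc is three lines of which two are blank; drop the leading and trailing empty lines so the file matches the other .fc files in the tree, which start directly with the first entry.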
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amtu.if serefpolicy-2.6.2/policy/modules/admin/amtu.if
--- nsaserefpolicy/policy/modules/admin/amtu.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.2/policy/modules/admin/amtu.if 2007-04-30 11:26:06.000000000 -0400
@@ -0,0 +1,53 @@
+## <summary>
+## abstract Machine Test Utility
+## </summary>
+
+########################################
+## <summary>
[...8057 lines suppressed...]
+# tunable_policy(`allow_sysadm_manage_security',`
+ userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
+# ')
', `
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
')
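Review bot: both branches of this conditional in userdomain.te now call userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal), and the tunable_policy(`allow_sysadm_manage_security') wrapper is left commented out, so the branch is dead; either declare the tunable and enable the wrapper, or collapse the conditional to a single unconditional call and remove the commented lines.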
@@ -504,15 +520,15 @@
unconfined_alias_domain(sysadm_t)
# User home directory type.
- type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
- files_type(user_home_t)
- files_associate_tmp(user_home_t)
- fs_associate_tmpfs(user_home_t)
-
- type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
- files_type(user_home_dir_t)
- files_associate_tmp(user_home_dir_t)
- fs_associate_tmpfs(user_home_dir_t)
+ typealias user_home_t alias { staff_home_t sysadm_home_t };
+# files_type(user_home_t)
+# files_associate_tmp(user_home_t)
+# fs_associate_tmpfs(user_home_t)
+
+ typealias user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t };
+# files_type(user_home_dir_t)
+# files_associate_tmp(user_home_dir_t)
+# fs_associate_tmpfs(user_home_dir_t)
# compatibility for switching from strict
# dominance { role secadm_r { role system_r; }}
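Review bot: replacing the `type user_home_t ... , home_type, user_home_type;` declarations with typealias statements drops the attributes that were on those declarations; a typealias carries no attributes, so this is only correct if user_home_t and user_home_dir_t are declared with home_type, user_home_type, home_dir_type and user_home_dir_type elsewhere (the userdomain.if rewrite in this patch is not shown). Please confirm that, and delete the commented-out files_type/files_associate_tmp/fs_associate_tmpfs lines rather than leaving them as comments.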
@@ -548,4 +564,13 @@
optional_policy(`
samba_per_role_template(user)
')
+
+ optional_policy(`
+ gnome_per_role_template(user, user_t, user_r)
+ ')
+
+')
+
+tunable_policy(`allow_console_login', `
+ term_use_console(userdomain)
')
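Review bot: term_use_console(userdomain) inside the allow_console_login tunable grants console access to every domain with the userdomain attribute, including unprivileged user_t, when the boolean is on; if the goal is s390 console logins as the tunable description says, scope it to the login-capable domains rather than the whole attribute. The gnome_per_role_template(user, user_t, user_r) addition mirrors the samba_per_role_template call above it and looks fine.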
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.6.2/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.2/policy/modules/system/xen.te 2007-04-30 11:26:06.000000000 -0400
@@ -25,6 +25,10 @@
domain_type(xend_t)
init_daemon_domain(xend_t, xend_exec_t)
+# tmp files
+type xend_tmp_t;
+files_tmp_file(xend_tmp_t)
+
# var/lib files
type xend_var_lib_t;
files_type(xend_var_lib_t)
@@ -88,6 +92,7 @@
allow xend_t xen_image_t:dir list_dir_perms;
manage_dirs_pattern(xend_t,xen_image_t,xen_image_t)
manage_files_pattern(xend_t,xen_image_t,xen_image_t)
+read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
allow xend_t xenctl_t:fifo_file manage_file_perms;
@@ -105,6 +110,10 @@
manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
+allow xend_t xend_tmp_t:dir create_dir_perms;
+allow xend_t xend_tmp_t:file create_file_perms;
+files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
+
# var/lib files for xend
manage_dirs_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
manage_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
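Review bot: style point: the two raw allow rules for xend_tmp_t should use manage_dirs_pattern(xend_t,xend_tmp_t,xend_tmp_t) and manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t) like the xend_var_lib_t rules immediately below; the raw rules also omit lnk_file handling and ioctl/lock that the pattern macros include, so behaviour would differ from the rest of the file for no stated reason.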
@@ -165,8 +174,13 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
+
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xend_t)
+ storage_raw_write_fixed_disk(xend_t)
+#')
-storage_raw_read_fixed_disk(xend_t)
storage_raw_read_removable_device(xend_t)
term_getattr_all_user_ptys(xend_t)
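Review bot: storage_raw_write_fixed_disk(xend_t) is added unconditionally while its tunable_policy(`xen_use_raw_disk') wrapper is commented out, so xend_t now gets raw write access to every fixed_disk_device_t block device on every system, not just those exporting raw partitions to guests. Either declare the tunable (gen_tunable(xen_use_raw_disk,false) in xen.te) and enable the wrapper, or at least record in the commit message why unconditional raw write to all disks is acceptable for the management daemon.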
@@ -284,6 +298,12 @@
files_read_usr_files(xenstored_t)
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xenstored_t)
+ storage_raw_write_fixed_disk(xenstored_t)
+#')
+storage_raw_read_removable_device(xenstored_t)
+
term_use_generic_ptys(xenstored_t)
term_use_console(xenconsoled_t)
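Review bot: the justification for raw read and write of fixed disks by xenstored_t is missing; xenstored is the key/value store daemon, and nothing in this hunk or the surrounding rules explains why it needs to write to raw block devices. If this came from an AVC denial, the denial and the operation that triggered it belong in the commit message; otherwise restrict it to read, or drop it.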
@@ -317,6 +337,11 @@
allow xm_t xen_image_t:dir rw_dir_perms;
allow xm_t xen_image_t:file read_file_perms;
+allow xm_t xen_image_t:blk_file r_file_perms;
+
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xm_t)
+#')
kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
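Review bot: the xm_t command-line tool gains r_file_perms on xen_image_t block files and raw read of all fixed disks, again with the xen_use_raw_disk wrapper commented out. If xm only needs to inspect guest images that live on block devices, the xen_image_t blk_file rule already covers that; the blanket storage_raw_read_fixed_disk(xm_t) lets an administrator's xm invocation read any partition's contents and should stay behind the tunable.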
@@ -352,3 +377,11 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
+
+#Should have a boolean wrapping these
+fs_list_auto_mountpoints(xend_t)
+files_search_mnt(xend_t)
+fs_write_nfs_files(xend_t)
+fs_read_nfs_files(xend_t)
+fs_getattr_all_fs(xend_t)
+fs_read_dos_files(xend_t)
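Review bot: the comment "#Should have a boolean wrapping these" is correct, so do it in this patch: wrap fs_read_nfs_files/fs_write_nfs_files and fs_read_dos_files(xend_t) in a tunable_policy block (a xen-specific tunable, or reuse of an existing NFS tunable if one fits), declared in xen.te. These rules are also appended after the xm_t section at the end of the file; move them up next to the other xend_t filesystem rules so the domain's permissions are in one place.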
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-2.6.2/policy/support/misc_patterns.spt
--- nsaserefpolicy/policy/support/misc_patterns.spt 2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.6.2/policy/support/misc_patterns.spt 2007-04-30 11:26:06.000000000 -0400
@@ -41,11 +41,6 @@
#
# Other process permissions
#
-define(`send_audit_msgs_pattern',`
- allow $1 self:capability audit_write;
- allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-')
-
define(`ps_process_pattern',`
allow $1 $2:dir { search getattr read };
allow $1 $2:{ file lnk_file } { read getattr };
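Review bot: deleting the send_audit_msgs_pattern define is only safe if no caller remains in the tree; m4 leaves an undefined macro name in place as literal text, so a stale caller would fail at checkpolicy time with an obscure syntax error rather than at patch time. Grep the policy for send_audit_msgs_pattern before applying, and name the replacement (presumably an interface in the logging.if rewrite in this patch, which is not shown) in the commit message.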
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-2.6.2/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.6.2/policy/support/obj_perm_sets.spt 2007-04-30 11:26:06.000000000 -0400
@@ -215,7 +215,7 @@
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute }')
+define(`mmap_file_perms',`{ getattr read execute ioctl }')
define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
define(`append_file_perms',`{ getattr append lock ioctl }')
define(`write_file_perms',`{ getattr write append lock ioctl }')
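Review bot: adding ioctl to mmap_file_perms silently widens every existing mmap_files_pattern user (shared library and similar mappings across the whole policy) to ioctl on those files; the change is probably harmless for libraries but is a global permission increase made in a support macro, so call it out in the Changelog and, if it was driven by a specific denial, name the domain.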
@@ -324,3 +324,13 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
+')
+
+define(`all_nscd', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ')
+define(`all_dbus', `{ acquire_svc send_msg } ')
+define(`all_passwd', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association', `{ sendto recvfrom setcontext polmatch } ')
+
+
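Review bot: the new all_nscd macro is already out of date with this patch's own access_vectors change, which adds getserv and shmemserv to the nscd class; add both to the macro. all_capabilities is a dangerous convenience macro that bundles sys_module, sys_rawio, sys_admin and friends, so it should only ever appear in unconfined domains; consider a comment saying so above the define. Minor: the define body has an embedded newline before the closing quote and the hunk adds two trailing blank lines at end of file.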
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.6.2/Rules.modular
--- nsaserefpolicy/Rules.modular 2007-03-22 14:30:10.000000000 -0400
+++ serefpolicy-2.6.2/Rules.modular 2007-04-30 11:26:06.000000000 -0400
@@ -167,7 +167,7 @@
# these have to run individually because order matters:
$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
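Review bot: dropping the anchor from `^genfscon` makes the grep match any line that merely contains the word genfscon, including comments, so such lines would be copied into all_post.conf and break the build; if the goal is to catch indented genfscon statements, use `'^[[:space:]]*genfscon'` and keep the anchor, consistent with the portcon, netifcon and nodecon lines below which remain anchored.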
@@ -219,6 +219,16 @@
########################################
#
+# Validate File Contexts
+#
+validatefc: $(base_pkg) $(base_fc)
+ @echo "Validating file context."
+ $(verbose) $(SEMOD_EXP) $(base_pkg) $(tmpdir)/policy.tmp
+ $(verbose) $(SETFILES) -c $(tmpdir)/policy.tmp $(base_fc)
+ @echo "Success."
+
+########################################
+#
# Clean the sources
#
clean:
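Review bot: the validatefc target writes $(tmpdir)/policy.tmp but neither removes it nor lists it under the clean target that follows, and nothing hooks validatefc into the existing validate or install flow so it will never run unless invoked by hand; add policy.tmp to clean, add validatefc to the .PHONY list if Rules.modular keeps one, and state in the commit message whether the spec is expected to call it.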
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.112
retrieving revision 1.113
diff -u -r1.112 -r1.113
--- .cvsignore 23 Apr 2007 17:00:48 -0000 1.112
+++ .cvsignore 1 May 2007 20:53:29 -0000 1.113
@@ -114,3 +114,4 @@
serefpolicy-2.5.11.tgz
serefpolicy-2.5.12.tgz
serefpolicy-2.6.1.tgz
+serefpolicy-2.6.2.tgz
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.445
retrieving revision 1.446
diff -u -r1.445 -r1.446
--- selinux-policy.spec 27 Apr 2007 17:23:49 -0000 1.445
+++ selinux-policy.spec 1 May 2007 20:53:29 -0000 1.446
@@ -16,12 +16,12 @@
%define CHECKPOLICYVER 2.0.1-2
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.6.1
-Release: 3%{?dist}
+Version: 2.6.2
+Release: 1%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
-patch: policy-20070219.patch
+patch: policy-20070501.patch
Source1: modules-targeted.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
@@ -246,7 +246,7 @@
" > /etc/selinux/config
ln -sf ../selinux/config /etc/sysconfig/selinux
- restorecon /etc/selinux/config 2> /dev/null
+ restorecon -R /etc/selinux/config /var/log 2> /dev/null
else
. /etc/selinux/config
# if first time update booleans.local needs to be copied to sandbox
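Review bot: `restorecon -R /etc/selinux/config /var/log` runs a recursive relabel of all of /var/log during %post on first install, with errors discarded; this is unusual for a policy package and is not mentioned in the changelog. If it exists to apply new log file types introduced by this update, say so, and note that customised contexts under /var/log will be reset; otherwise a targeted restorecon of the specific paths would be cheaper and less surprising.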
@@ -358,6 +358,12 @@
%endif
%changelog
+* Mon Apr 30 2007 Dan Walsh <dwalsh at redhat.com> 2.6.2-1
+- Update to latest from upstream
+
+* Fri Apr 27 2007 Dan Walsh <dwalsh at redhat.com> 2.6.1-4
+- Allow pcscd_t to send itself signals
+
* Fri Apr 27 2007 Dan Walsh <dwalsh at redhat.com> 2.6.1-3
-
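Review bot: the inserted 2.6.1-4 entry ("Allow pcscd_t to send itself signals") describes a release that was never committed on its own (the spec goes from 2.6.1-3 at revision 1.445 straight to 2.6.2-1), which is fine as history but worth a word in the commit message; the 2.6.1-3 entry immediately below still has an empty body and should get a one-line description.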
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.120
retrieving revision 1.121
diff -u -r1.120 -r1.121
--- sources 23 Apr 2007 17:00:48 -0000 1.120
+++ sources 1 May 2007 20:53:29 -0000 1.121
@@ -1 +1 @@
-45c746832144dbac9073a3d8e6524a59 serefpolicy-2.6.1.tgz
+6c71fff9af0e76ec96150c819d0613b5 serefpolicy-2.6.2.tgz
--- policy-20070219.patch DELETED ---