rpms/selinux-policy/FC-6 policy-20061106.patch, 1.45, 1.46 selinux-policy.spec, 1.366, 1.367

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue May 22 14:05:19 UTC 2007


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv9259

Modified Files:
	policy-20061106.patch selinux-policy.spec 
Log Message:
* Tue May 22 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-72
- Allow prelink sys_resource; add a transition rule (java_spec_domtrans) so apps can run java in a different context


policy-20061106.patch:
 Rules.modular                                |   10 
 config/appconfig-strict-mcs/seusers          |    1 
 config/appconfig-strict-mls/default_contexts |    6 
 config/appconfig-strict-mls/seusers          |    1 
 config/appconfig-strict/seusers              |    1 
 man/man8/kerberos_selinux.8                  |    2 
 policy/flask/access_vectors                  |    2 
 policy/global_tunables                       |   94 +++-
 policy/mls                                   |   31 +
 policy/modules/admin/acct.te                 |    1 
 policy/modules/admin/amanda.if               |   17 
 policy/modules/admin/amanda.te               |    6 
 policy/modules/admin/amtu.fc                 |    3 
 policy/modules/admin/amtu.if                 |   57 ++
 policy/modules/admin/amtu.te                 |   56 ++
 policy/modules/admin/backup.te               |    5 
 policy/modules/admin/bootloader.fc           |    5 
 policy/modules/admin/bootloader.te           |   14 
 policy/modules/admin/consoletype.te          |   21 
 policy/modules/admin/ddcprobe.te             |   10 
 policy/modules/admin/dmesg.te                |    7 
 policy/modules/admin/dmidecode.te            |    5 
 policy/modules/admin/firstboot.if            |   24 -
 policy/modules/admin/kudzu.te                |   14 
 policy/modules/admin/logrotate.te            |    5 
 policy/modules/admin/logwatch.te             |   14 
 policy/modules/admin/netutils.te             |   19 
 policy/modules/admin/portage.te              |    5 
 policy/modules/admin/prelink.te              |   20 
 policy/modules/admin/quota.fc                |    7 
 policy/modules/admin/quota.te                |   24 -
 policy/modules/admin/readahead.te            |    2 
 policy/modules/admin/rpm.fc                  |    3 
 policy/modules/admin/rpm.if                  |   86 +++
 policy/modules/admin/rpm.te                  |   49 --
 policy/modules/admin/su.if                   |   38 +
 policy/modules/admin/su.te                   |    2 
 policy/modules/admin/sudo.if                 |   13 
 policy/modules/admin/tripwire.te             |   11 
 policy/modules/admin/usbmodules.te           |    5 
 policy/modules/admin/usermanage.if           |    2 
 policy/modules/admin/usermanage.te           |   58 ++
 policy/modules/admin/vpn.te                  |    1 
 policy/modules/apps/ethereal.te              |    5 
 policy/modules/apps/evolution.if             |  107 ++++
 policy/modules/apps/evolution.te             |    1 
 policy/modules/apps/games.fc                 |    1 
 policy/modules/apps/gnome.fc                 |    2 
 policy/modules/apps/gnome.if                 |  108 ++++
 policy/modules/apps/gnome.te                 |    5 
 policy/modules/apps/gpg.if                   |    1 
 policy/modules/apps/java.fc                  |    2 
 policy/modules/apps/java.if                  |   70 +++
 policy/modules/apps/java.te                  |    2 
 policy/modules/apps/loadkeys.if              |   39 -
 policy/modules/apps/mozilla.if               |  208 +++++++--
 policy/modules/apps/mplayer.if               |   84 +++
 policy/modules/apps/mplayer.te               |    1 
 policy/modules/apps/slocate.te               |    6 
 policy/modules/apps/thunderbird.if           |   81 +++
 policy/modules/apps/userhelper.if            |   20 
 policy/modules/apps/webalizer.te             |    6 
 policy/modules/apps/wine.fc                  |    1 
 policy/modules/apps/yam.te                   |    5 
 policy/modules/kernel/corecommands.fc        |   29 +
 policy/modules/kernel/corecommands.if        |   77 +++
 policy/modules/kernel/corenetwork.if.in      |  140 ++++++
 policy/modules/kernel/corenetwork.te.in      |   14 
 policy/modules/kernel/devices.fc             |    8 
 policy/modules/kernel/devices.if             |   18 
 policy/modules/kernel/devices.te             |    8 
 policy/modules/kernel/domain.if              |   58 ++
 policy/modules/kernel/domain.te              |   22 
 policy/modules/kernel/files.fc               |    2 
 policy/modules/kernel/files.if               |  224 +++++++++
 policy/modules/kernel/filesystem.if          |   62 ++
 policy/modules/kernel/filesystem.te          |   30 +
 policy/modules/kernel/kernel.if              |   84 +++
 policy/modules/kernel/kernel.te              |   22 
 policy/modules/kernel/mls.if                 |   28 +
 policy/modules/kernel/mls.te                 |    6 
 policy/modules/kernel/storage.fc             |    3 
 policy/modules/kernel/storage.if             |    2 
 policy/modules/kernel/terminal.fc            |    1 
 policy/modules/kernel/terminal.if            |   21 
 policy/modules/kernel/terminal.te            |    1 
 policy/modules/services/aide.fc              |    3 
 policy/modules/services/aide.te              |   11 
 policy/modules/services/amavis.if            |   19 
 policy/modules/services/amavis.te            |    3 
 policy/modules/services/apache.fc            |   17 
 policy/modules/services/apache.if            |  157 ++++++
 policy/modules/services/apache.te            |   43 +
 policy/modules/services/apm.te               |    3 
 policy/modules/services/automount.fc         |    1 
 policy/modules/services/automount.te         |    9 
 policy/modules/services/avahi.if             |   40 +
 policy/modules/services/bind.fc              |    1 
 policy/modules/services/bind.te              |    6 
 policy/modules/services/bluetooth.te         |   10 
 policy/modules/services/ccs.fc               |    1 
 policy/modules/services/ccs.te               |   11 
 policy/modules/services/clamav.te            |    3 
 policy/modules/services/courier.te           |    1 
 policy/modules/services/cron.fc              |    6 
 policy/modules/services/cron.if              |   92 ++-
 policy/modules/services/cron.te              |   58 ++
 policy/modules/services/cups.fc              |    4 
 policy/modules/services/cups.te              |   19 
 policy/modules/services/cvs.te               |    2 
 policy/modules/services/cyrus.te             |    5 
 policy/modules/services/dbus.fc              |    1 
 policy/modules/services/dbus.if              |   66 ++
 policy/modules/services/dbus.te              |    4 
 policy/modules/services/dcc.te               |    9 
 policy/modules/services/dhcp.te              |    2 
 policy/modules/services/dovecot.fc           |    1 
 policy/modules/services/dovecot.if           |   44 +
 policy/modules/services/dovecot.te           |   56 ++
 policy/modules/services/fail2ban.fc          |    3 
 policy/modules/services/fail2ban.if          |   80 +++
 policy/modules/services/fail2ban.te          |   74 +++
 policy/modules/services/ftp.te               |   21 
 policy/modules/services/hal.fc               |    4 
 policy/modules/services/hal.if               |  114 ++++
 policy/modules/services/hal.te               |   26 -
 policy/modules/services/inetd.te             |   28 -
 policy/modules/services/irqbalance.te        |    4 
 policy/modules/services/kerberos.if          |   25 +
 policy/modules/services/kerberos.te          |   15 
 policy/modules/services/ktalk.fc             |    3 
 policy/modules/services/ktalk.te             |    5 
 policy/modules/services/lpd.if               |   57 +-
 policy/modules/services/lpd.te               |    5 
 policy/modules/services/mailman.if           |   20 
 policy/modules/services/mailman.te           |    1 
 policy/modules/services/mta.fc               |    1 
 policy/modules/services/mta.if               |   20 
 policy/modules/services/mta.te               |    2 
 policy/modules/services/munin.te             |    5 
 policy/modules/services/networkmanager.fc    |    2 
 policy/modules/services/networkmanager.te    |    2 
 policy/modules/services/nis.fc               |    3 
 policy/modules/services/nis.if               |    8 
 policy/modules/services/nis.te               |   34 +
 policy/modules/services/nscd.if              |   20 
 policy/modules/services/nscd.te              |   28 -
 policy/modules/services/ntp.te               |    1 
 policy/modules/services/oav.te               |    5 
 policy/modules/services/oddjob.te            |    5 
 policy/modules/services/openca.if            |    4 
 policy/modules/services/openca.te            |    2 
 policy/modules/services/openvpn.te           |    4 
 policy/modules/services/pcscd.fc             |    9 
 policy/modules/services/pcscd.if             |   62 ++
 policy/modules/services/pcscd.te             |   79 +++
 policy/modules/services/pegasus.if           |   31 +
 policy/modules/services/pegasus.te           |   11 
 policy/modules/services/portmap.te           |    5 
 policy/modules/services/portslave.te         |    1 
 policy/modules/services/postfix.fc           |    1 
 policy/modules/services/postfix.if           |   22 
 policy/modules/services/postfix.te           |   48 ++
 policy/modules/services/ppp.te               |    2 
 policy/modules/services/procmail.te          |   29 +
 policy/modules/services/pyzor.if             |   18 
 policy/modules/services/pyzor.te             |   13 
 policy/modules/services/radius.te            |    2 
 policy/modules/services/radvd.te             |    2 
 policy/modules/services/rhgb.if              |   76 +++
 policy/modules/services/rhgb.te              |    3 
 policy/modules/services/ricci.te             |   22 
 policy/modules/services/rlogin.te            |   11 
 policy/modules/services/rpc.fc               |    1 
 policy/modules/services/rpc.if               |    3 
 policy/modules/services/rpc.te               |   27 -
 policy/modules/services/rshd.te              |    1 
 policy/modules/services/rsync.te             |    1 
 policy/modules/services/samba.fc             |    6 
 policy/modules/services/samba.if             |   62 ++
 policy/modules/services/samba.te             |   68 ++
 policy/modules/services/sasl.te              |   13 
 policy/modules/services/sendmail.if          |   22 
 policy/modules/services/sendmail.te          |    8 
 policy/modules/services/setroubleshoot.if    |   20 
 policy/modules/services/setroubleshoot.te    |    2 
 policy/modules/services/smartmon.te          |    1 
 policy/modules/services/snmp.if              |   17 
 policy/modules/services/snmp.te              |   17 
 policy/modules/services/spamassassin.fc      |    2 
 policy/modules/services/spamassassin.if      |   42 +
 policy/modules/services/spamassassin.te      |   24 -
 policy/modules/services/squid.fc             |    2 
 policy/modules/services/squid.if             |   21 
 policy/modules/services/squid.te             |   11 
 policy/modules/services/ssh.if               |   83 +++
 policy/modules/services/ssh.te               |   14 
 policy/modules/services/telnet.te            |    3 
 policy/modules/services/tftp.te              |    2 
 policy/modules/services/uucp.fc              |    1 
 policy/modules/services/uucp.if              |   67 ++
 policy/modules/services/uucp.te              |   44 +
 policy/modules/services/uwimap.te            |    1 
 policy/modules/services/xserver.fc           |    2 
 policy/modules/services/xserver.if           |  190 ++++++++
 policy/modules/services/xserver.te           |   12 
 policy/modules/system/authlogin.fc           |    1 
 policy/modules/system/authlogin.if           |  180 +++++++
 policy/modules/system/authlogin.te           |   41 +
 policy/modules/system/clock.te               |   18 
 policy/modules/system/fstools.fc             |    1 
 policy/modules/system/fstools.te             |   11 
 policy/modules/system/getty.te               |   14 
 policy/modules/system/hostname.te            |   19 
 policy/modules/system/init.if                |   64 ++
 policy/modules/system/init.te                |   51 ++
 policy/modules/system/ipsec.fc               |    5 
 policy/modules/system/ipsec.if               |   99 ++++
 policy/modules/system/ipsec.te               |  121 +++++
 policy/modules/system/iptables.te            |   23 
 policy/modules/system/libraries.fc           |   43 +
 policy/modules/system/libraries.te           |   11 
 policy/modules/system/locallogin.if          |   37 +
 policy/modules/system/locallogin.te          |   11 
 policy/modules/system/logging.fc             |    5 
 policy/modules/system/logging.if             |   61 ++
 policy/modules/system/logging.te             |   33 +
 policy/modules/system/lvm.fc                 |    2 
 policy/modules/system/lvm.if                 |   44 +
 policy/modules/system/lvm.te                 |   87 +++
 policy/modules/system/miscfiles.fc           |    3 
 policy/modules/system/miscfiles.if           |   79 +++
 policy/modules/system/modutils.te            |   26 -
 policy/modules/system/mount.te               |   27 -
 policy/modules/system/netlabel.te            |   10 
 policy/modules/system/pcmcia.te              |    5 
 policy/modules/system/raid.te                |   16 
 policy/modules/system/selinuxutil.fc         |   10 
 policy/modules/system/selinuxutil.if         |  122 +++++
 policy/modules/system/selinuxutil.te         |  134 ++---
 policy/modules/system/sysnetwork.te          |   13 
 policy/modules/system/tzdata.fc              |    3 
 policy/modules/system/tzdata.if              |   23 
 policy/modules/system/tzdata.te              |   51 ++
 policy/modules/system/unconfined.fc          |    4 
 policy/modules/system/unconfined.if          |   19 
 policy/modules/system/unconfined.te          |   23 
 policy/modules/system/userdomain.if          |  622 +++++++++++++++++++++++----
 policy/modules/system/userdomain.te          |  105 ++--
 policy/modules/system/xen.fc                 |    1 
 policy/modules/system/xen.te                 |   53 ++
 policy/support/*Warnings*                    |  189 ++++++++
 policy/support/file_patterns.spt             |  534 +++++++++++++++++++++++
 policy/support/obj_perm_sets.spt             |  144 ++++++
 254 files changed, 7423 insertions(+), 723 deletions(-)

Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- policy-20061106.patch	17 May 2007 18:13:30 -0000	1.45
+++ policy-20061106.patch	22 May 2007 14:05:17 -0000	1.46
@@ -859,8 +859,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.6/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/prelink.te	2007-05-15 11:51:26.000000000 -0400
-@@ -18,6 +18,9 @@
++++ serefpolicy-2.4.6/policy/modules/admin/prelink.te	2007-05-21 11:38:21.000000000 -0400
+@@ -18,24 +18,33 @@
  type prelink_log_t;
  logging_log_file(prelink_log_t)
  
@@ -870,7 +870,13 @@
  ########################################
  #
  # Local policy
-@@ -30,12 +33,18 @@
+ #
+ 
+-allow prelink_t self:capability { chown dac_override fowner fsetid };
++allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
+ allow prelink_t self:process { execheap execmem execstack signal };
+ allow prelink_t self:fifo_file rw_file_perms;
+ 
  allow prelink_t prelink_cache_t:file manage_file_perms;
  files_etc_filetrans(prelink_t, prelink_cache_t, file)
  files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
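Review bot: The `sys_resource` added to `allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };` is the broadest of the listed capabilities (CAP_SYS_RESOURCE lets the domain raise its own rlimits and override filesystem quota limits, among other things), and neither the rule nor the changelog records which prelink operation was denied. If the trigger is a setrlimit() call whose failure prelink tolerates, `dontaudit prelink_t self:capability sys_resource;` would silence the AVC without widening the domain; if the capability is genuinely required, a one-line comment above the allow naming the operation would let the next reviewer judge it. prelink_t's local policy continues outside this hunk.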
@@ -2065,14 +2071,46 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.4.6/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/java.if	2007-05-15 11:51:26.000000000 -0400
-@@ -199,3 +199,41 @@
++++ serefpolicy-2.4.6/policy/modules/apps/java.if	2007-05-21 10:45:52.000000000 -0400
+@@ -199,3 +199,73 @@
  		refpolicywarn(`$0($1) has no effect in strict policy.')
  	')
  ')
 +
 +########################################
 +## <summary>
++##	Execute a java in the specified domain
++## </summary>
++## <desc>
++##	<p>
++##	Execute the java command in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain. 
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`java_spec_domtrans',`
++	gen_require(`
++		type java_exec_t;
++	')
++
++	domain_trans($1,java_exec_t,$2)
++	type_transition $1 java_exec_t:process $2;
++')
++
++########################################
++## <summary>
 +##	Run java in javaplugin domain.
 +## </summary>
 +## <desc>
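Review bot: The `<desc>` paragraph for the new `java_spec_domtrans` interface overstates what it grants: the rules only make files labeled `java_exec_t` entry points into `$2`, but the text says the caller may "execute any file on these filesystems in the specified domain", which reads like a stale copy from a filesystem interface and would mislead anyone auditing callers. I would replace it with `Execute a file labeled java_exec_t and automatically transition to the specified target domain. The caller chooses the target domain; no other files become entry points.` and fix the summary to `Execute java in the specified domain`. Separately, `domain_trans($1,java_exec_t,$2)` followed by `type_transition $1 java_exec_t:process $2;` is exactly what refpolicy's `domain_auto_trans` macro expands to, so if this tree's policy/support/misc_patterns.spt provides it, the two lines collapse to `domain_auto_trans($1, java_exec_t, $2)`, consistent with other `*_spec_domtrans` interfaces.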
@@ -11820,7 +11858,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.4.6/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/raid.te	2007-05-15 11:51:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/raid.te	2007-05-21 13:31:02.000000000 -0400
 @@ -19,7 +19,7 @@
  # Local policy
  #
@@ -11830,7 +11868,7 @@
  dontaudit mdadm_t self:capability sys_tty_config;
  allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
  allow mdadm_t self:fifo_file rw_file_perms;
-@@ -35,15 +35,19 @@
+@@ -35,15 +35,20 @@
  
  dev_read_sysfs(mdadm_t)
  # Ignore attempts to read every device file
@@ -11847,10 +11885,11 @@
  # RAID block device access
  storage_manage_fixed_disk(mdadm_t)
 +storage_dev_filetrans_fixed_disk(mdadm_t)
++storage_read_scsi_generic(mdadm_t)
  
  term_dontaudit_use_console(mdadm_t)
  term_dontaudit_list_ptys(mdadm_t)
-@@ -87,3 +91,12 @@
+@@ -87,3 +92,12 @@
  optional_policy(`
  	udev_read_db(mdadm_t)
  ')
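Review bot: `storage_read_scsi_generic(mdadm_t)` is added without a comment and is not mentioned in the changelog, and as that interface is defined in refpolicy's storage.if it grants read permissions on `scsi_generic_device_t` that include `ioctl`, which on /dev/sg* nodes is more than "read" suggests. A comment above the line naming what mdadm does with SCSI generic devices would record why the access is needed, and if mdadm only stats the nodes the narrower `storage_getattr_scsi_generic(mdadm_t)` would suffice, assuming this tree provides it. mdadm_t's local policy continues outside this hunk.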


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.366
retrieving revision 1.367
diff -u -r1.366 -r1.367
--- selinux-policy.spec	17 May 2007 17:38:54 -0000	1.366
+++ selinux-policy.spec	22 May 2007 14:05:17 -0000	1.367
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.4.6
-Release: 71%{?dist}
+Release: 72%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,9 @@
 %endif
 
 %changelog
+* Tue May 22 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-72
+- Allow prelink sys_resource,  Add transition rule to allow apps to run java in different context
+
 * Mon May 15 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-71
 - Allow netlable to read etc and work with init terminals
 - Change file context to have all of policy at SystemLow



