rpms/selinux-policy/devel policy-20071130.patch, 1.18, 1.19 selinux-policy.spec, 1.575, 1.576

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Dec 21 07:58:10 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20260

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Thu Dec 20 2007 Dan Walsh <dwalsh at redhat.com> 3.2.5-4
- Let all unconfined domains communicate with dbus unconfined


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- policy-20071130.patch	20 Dec 2007 21:26:31 -0000	1.18
+++ policy-20071130.patch	21 Dec 2007 07:58:04 -0000	1.19
@@ -6003,7 +6003,7 @@
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2007-12-21 02:47:15.000000000 -0500
 @@ -91,7 +91,7 @@
  	# SE-DBus specific permissions
  	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
@@ -6043,13 +6043,39 @@
  
  	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($2)
-@@ -366,3 +367,35 @@
+@@ -263,6 +264,7 @@
+ 
+ 	# For connecting to the bus
+ 	allow $3 $1_dbusd_t:unix_stream_socket connectto;
++	allow dbusd_unconfined $1_dbusd_t:dbus *;
+ ')
+ 
+ ########################################
+@@ -366,3 +368,53 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
 +
 +########################################
 +## <summary>
++##	Allow unconfined access to the system DBUS.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dbus_unconfined',`
++	gen_require(`
++		attribute dbusd_unconfined;
++	')
++
++	typeattribute $1 dbusd_unconfined;
++')
++
++########################################
++## <summary>
 +##	Create a domain for processes
 +##	which can be started by the system dbus
 +## </summary>
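Review bot: The summary on the new dbus_unconfined interface says "system DBUS", but the only visible rule that consumes its attribute is `allow dbusd_unconfined $1_dbusd_t:dbus *;` in the @@ -263 sub-hunk, which targets the templated `$1_dbusd_t` bus (presumably the per-user session bus) and not `system_dbusd_t`. I would reword the summary to something like `##	Allow unconfined access to all templated (per-user) DBUS session buses.` so it is not confused with the existing `dbus_system_bus_unconfined`, which the unconfined.if hunk at @@ -70 calls right beside it. The allow rule also names `dbusd_unconfined` inside a template whose gen_require block lies outside this hunk, so confirm the attribute is required there. Because the rule does not reference `$3`, every expansion of the client template restates the same `dbus *` grant; the template that declares `$1_dbusd_t` is probably the better home for it.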
@@ -6079,6 +6105,17 @@
 +
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.2.5/policy/modules/services/dbus.te
+--- nsaserefpolicy/policy/modules/services/dbus.te	2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/dbus.te	2007-12-21 02:47:39.000000000 -0500
+@@ -9,6 +9,7 @@
+ #
+ # Delcarations
+ #
++attribute dbusd_unconfined;
+ 
+ type dbusd_etc_t alias etc_dbusd_t;
+ files_type(dbusd_etc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.2.5/policy/modules/services/dcc.if
 --- nsaserefpolicy/policy/modules/services/dcc.if	2007-03-26 10:39:05.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/dcc.if	2007-12-19 05:38:09.000000000 -0500
@@ -12898,7 +12935,7 @@
 +/usr/bin/fusermount            --      gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/mount.te	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/mount.te	2007-12-21 02:36:38.000000000 -0500
 @@ -8,7 +8,7 @@
  
  ## <desc>
@@ -12982,7 +13019,19 @@
  ')
  
  optional_policy(`
-@@ -192,4 +200,26 @@
+@@ -175,6 +183,11 @@
+ 	')
+ ')
+ 
++# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
++optional_policy(`
++	lvm_domtrans(mount_t)
++')
++
+ # for kernel package installation
+ optional_policy(`
+ 	rpm_rw_pipes(mount_t)
+@@ -192,4 +205,26 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
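Review bot: The comment above the new `lvm_domtrans(mount_t)` block gives only a Bugzilla link, so the policy does not say which helper mount is expected to execute or why a full transition into the LVM domain is needed. I would extend it to something like `# mount runs the dm-crypt setup helper (labelled lvm_exec_t, confirm) for encrypted volumes; bug 418711`. A domain transition lets mount_t reach whatever the target domain is allowed to do through those binaries, so naming the intended path in the policy lets a later least-privilege review judge whether a narrower interface would do. The surrounding mount.te section starts and ends outside the hunk.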
@@ -12995,9 +13044,9 @@
 +#
 +# ntfs local policy
 +#
-+allow mount_t self:fifo_file { read write };
++allow mount_t self:fifo_file rw_fifo_file_perms;
 +allow mount_t self:unix_stream_socket create_stream_socket_perms;
-+allow mount_t self:unix_dgram_socket { connect create };
++allow mount_t self:unix_dgram_socket create_socket_perms; 
 +
 +corecmd_exec_shell(mount_t)
 +
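Review bot: Both rewritten `allow mount_t self:` rules widen the grant without a stated reason: `{ read write }` becomes `rw_fifo_file_perms` and `{ connect create }` becomes `create_socket_perms`. Neither the "ntfs local policy" header nor the log message, which mentions only dbus, records the denial that prompted this. A one-line comment such as `# widened from { connect create }: <AVC or bug reference>` above each rule would keep the rationale reviewable. The `unix_dgram_socket` line also ends with a trailing space after the semicolon. The block these rules belong to begins and ends outside the hunk.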
@@ -13843,7 +13892,7 @@
 +/usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.5/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/unconfined.if	2007-12-19 16:24:05.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/unconfined.if	2007-12-21 02:48:29.000000000 -0500
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -13878,7 +13927,15 @@
  
  	kernel_unconfined($1)
  	corenet_unconfined($1)
-@@ -581,7 +581,6 @@
+@@ -70,6 +70,7 @@
+ 	optional_policy(`
+ 		# Communicate via dbusd.
+ 		dbus_system_bus_unconfined($1)
++		dbus_unconfined($1)
+ 	')
+ 
+ 	optional_policy(`
+@@ -581,7 +582,6 @@
  interface(`unconfined_dbus_connect',`
  	gen_require(`
  		type unconfined_t;
@@ -13886,7 +13943,7 @@
  	')
  
  	allow $1 unconfined_t:dbus acquire_svc;
-@@ -589,7 +588,7 @@
+@@ -589,7 +589,7 @@
  
  ########################################
  ## <summary>
@@ -13895,7 +13952,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -597,20 +596,53 @@
+@@ -597,20 +597,53 @@
  ##	</summary>
  ## </param>
  #
@@ -13956,7 +14013,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -618,31 +650,132 @@
+@@ -618,31 +651,132 @@
  ##	</summary>
  ## </param>
  #


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.575
retrieving revision 1.576
diff -u -r1.575 -r1.576
--- selinux-policy.spec	20 Dec 2007 21:26:31 -0000	1.575
+++ selinux-policy.spec	21 Dec 2007 07:58:04 -0000	1.576
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,9 @@
 %endif
 
 %changelog
+* Thu Dec 20 2007 Dan Walsh <dwalsh at redhat.com> 3.2.5-4
+- Let all uncofined domains communicate with dbus unconfined
+
 * Thu Dec 20 2007 Dan Walsh <dwalsh at redhat.com> 3.2.5-3
 - Run rpm in system_r
 



