rpms/selinux-policy/devel policy-20070703.patch, 1.21, 1.22 selinux-policy.spec, 1.483, 1.484

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Jul 30 14:38:27 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv32175

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Mon Jul 30 2007 Dan Walsh <dwalsh at redhat.com> 3.0.4-3
- Allow xserver to write to ramfs mounted by rhgb


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- policy-20070703.patch	27 Jul 2007 18:21:35 -0000	1.21
+++ policy-20070703.patch	30 Jul 2007 14:37:54 -0000	1.22
@@ -434,7 +434,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.4/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/admin/logrotate.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/admin/logrotate.te	2007-07-28 10:42:11.000000000 -0400
 @@ -75,11 +75,13 @@
  mls_file_read_up(logrotate_t)
  mls_file_write_down(logrotate_t)
@@ -449,7 +449,15 @@
  
  # Run helper programs.
  corecmd_exec_bin(logrotate_t)
-@@ -114,8 +116,6 @@
+@@ -95,6 +97,7 @@
+ files_read_etc_files(logrotate_t)
+ files_read_etc_runtime_files(logrotate_t)
+ files_read_all_pids(logrotate_t)
++files_search_all(logrotate_t)
+ # Write to /var/spool/slrnpull - should be moved into its own type.
+ files_manage_generic_spool(logrotate_t)
+ files_manage_generic_spool_dirs(logrotate_t)
+@@ -114,8 +117,6 @@
  
  seutil_dontaudit_read_config(logrotate_t)
  
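Review bot: `files_search_all(logrotate_t)` on the added line grants search on every directory carrying the file_type attribute, which is far broader than the etc, pid and spool locations the surrounding rules name, and the 3.0.4-3 log message does not say which denial it fixes. If the trigger was a log or spool directory under a non-standard path, a narrower interface scoped to those types (if this policy offers one) would be preferable; if the breadth is intentional because logrotate follows arbitrary admin-configured paths, say so above the call: `# logrotate follows arbitrary admin-configured paths from logrotate.conf`. The rest of logrotate_t's policy lies outside this hunk.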
@@ -458,7 +466,7 @@
  userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
  userdom_use_unpriv_users_fds(logrotate_t)
  
-@@ -177,14 +177,6 @@
+@@ -177,14 +178,6 @@
  ')
  
  optional_policy(`
@@ -2135,6 +2143,24 @@
  	auth_manage_pam_pid($1_userhelper_t)
  	auth_manage_var_auth($1_userhelper_t)
  	auth_search_pam_console_data($1_userhelper_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-3.0.4/policy/modules/apps/usernetctl.te
+--- nsaserefpolicy/policy/modules/apps/usernetctl.te	2007-07-25 10:37:37.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/apps/usernetctl.te	2007-07-28 11:05:08.000000000 -0400
+@@ -6,14 +6,6 @@
+ # Declarations
+ #
+ 
+-## <desc>
+-## <p>
+-## Allow users to control network interfaces
+-## (also needs USERCTL=true)
+-## </p>
+-## </desc>
+-gen_tunable(user_net_control,false)
+-
+ type usernetctl_t;
+ type usernetctl_exec_t;
+ application_domain(usernetctl_t,usernetctl_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.4/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2007-07-03 07:05:43.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/apps/vmware.fc	2007-07-25 13:27:51.000000000 -0400
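Review bot: The `gen_tunable(user_net_control,false)` declaration is removed from usernetctl.te with no visible relocation, and the 3.0.4-3 log message does not mention it. Any remaining `tunable_policy(`user_net_control', ...)` block in usernetctl.if or userdomain.if would fail to build against this policy, so either the declaration moved to a shared tunables file in a hunk not shown here or the boolean is being retired; the changelog should state which, and a retired tunable needs its users removed in the same change. The usernetctl.te declarations continue past the end of the hunk.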
@@ -2630,6 +2656,34 @@
 +	allow $1 root_t:dir rw_dir_perms;
 +	allow $1 root_t:file { create getattr write };
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-07-03 07:05:38.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if	2007-07-30 10:20:15.000000000 -0400
+@@ -1192,6 +1192,24 @@
+ 
+ ########################################
+ ## <summary>
++##      unmount a FUSE filesystem.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`fs_unmount_fusefs',`
++        gen_require(`
++                type fusefs_t;
++        ')
++
++        allow $1 fusefs_t:filesystem unmount;
++')
++
++########################################
++## <summary>
+ ##	Search inotifyfs filesystem. 
+ ## </summary>
+ ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.4/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-07-25 10:37:36.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te	2007-07-25 13:27:51.000000000 -0400
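Review bot: The new `fs_unmount_fusefs` interface is indented with spaces while the surrounding filesystem.if interfaces use tabs (compare the `##	Search inotifyfs filesystem.` context line), and its summary starts lowercase where the neighbouring summaries are capitalised. Re-indent the `gen_require` block and the `allow` rule with tabs and write the summary as `##	Unmount a FUSE filesystem.` so the interface matches the file and the generated interface documentation stays uniform. No caller of the interface appears in this commit, so I could not check which domain is meant to receive unmount on fusefs_t.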
@@ -6561,8 +6615,8 @@
  	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/rpc.te	2007-07-25 13:27:51.000000000 -0400
-@@ -59,6 +59,8 @@
++++ serefpolicy-3.0.4/policy/modules/services/rpc.te	2007-07-30 09:46:58.000000000 -0400
+@@ -59,10 +59,13 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
  
@@ -6571,7 +6625,12 @@
  kernel_read_system_state(rpcd_t) 
  kernel_search_network_state(rpcd_t) 
  # for rpc.rquotad
-@@ -76,9 +78,11 @@
+ kernel_read_sysctl(rpcd_t)  
++kernel_getattr_core_if(nfsd_t)
+ 
+ fs_list_rpc(rpcd_t)
+ fs_read_rpc_files(rpcd_t)
+@@ -76,9 +79,11 @@
  miscfiles_read_certs(rpcd_t)
  
  seutil_dontaudit_search_config(rpcd_t)
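Review bot: `kernel_getattr_core_if(nfsd_t)` is inserted among the rpcd_t rules, between `kernel_read_sysctl(rpcd_t)` and `fs_list_rpc(rpcd_t)`, yet it grants the permission to nfsd_t, whose own local-policy section starts later in rpc.te. Move the line into the nfsd_t section so each domain's rules stay together, and add a why-comment, since the reason nfsd needs getattr on the kernel core interface is not obvious from the rule: `# TODO(review): record the AVC that needs getattr on the kernel core interface`. The nfsd_t section itself is outside this hunk.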
@@ -6583,7 +6642,7 @@
  ')
  
  ########################################
-@@ -91,9 +95,13 @@
+@@ -91,9 +96,13 @@
  allow nfsd_t exports_t:file { getattr read };
  allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  
@@ -6597,7 +6656,7 @@
  
  corenet_tcp_bind_all_rpc_ports(nfsd_t)
  corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -123,6 +131,7 @@
+@@ -123,6 +132,7 @@
  tunable_policy(`nfs_export_all_rw',`
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
@@ -6605,7 +6664,7 @@
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +152,8 @@
+@@ -143,6 +153,8 @@
  manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -6614,7 +6673,7 @@
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)	
  kernel_search_network_sysctl(gssd_t)	
-@@ -158,6 +169,11 @@
+@@ -158,6 +170,11 @@
  
  miscfiles_read_certs(gssd_t)
  
@@ -7260,7 +7319,16 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.4/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/xserver.if	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/xserver.if	2007-07-30 10:01:38.000000000 -0400
+@@ -141,7 +141,7 @@
+ 	fs_getattr_xattr_fs($1_xserver_t)
+ 	fs_search_nfs($1_xserver_t)
+ 	fs_search_auto_mountpoints($1_xserver_t)
+-	fs_search_ramfs($1_xserver_t)
++	fs_manage_ramfs_files($1_xserver_t)
+ 
+ 	init_getpgid($1_xserver_t)
+ 
 @@ -353,12 +353,6 @@
  	# allow ps to show xauth
  	ps_process_pattern($2,$1_xauth_t)
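Review bot: `fs_manage_ramfs_files($1_xserver_t)` sits in the per-user xserver template, so every instantiated X server domain gains manage rights (as I read that interface: create, write, unlink) on every file labelled ramfs_t, not only the ramfs that rhgb mounts; ramfs_t is, as far as I recall filesystem.te, the generic label for any ramfs mount, so any other ramfs on the box becomes writable by all X servers too. If the rhgb mount is the only intended target, a dedicated type for that mount, or confining the grant to the domain rhgb starts, would keep the rest of ramfs_t out of reach; at minimum state the reason at the call site, `# rhgb mounts a ramfs that the X server it starts must write to`. It is also worth confirming that the new interface still covers the directory search the replaced `fs_search_ramfs` provided, otherwise that permission is silently lost. The template body continues outside this hunk.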
@@ -10523,7 +10591,7 @@
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if	2007-07-26 10:11:38.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/userdomain.if	2007-07-28 11:09:17.000000000 -0400
 @@ -62,6 +62,10 @@
  
  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -11159,21 +11227,23 @@
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
  	# Need the following rule to allow users to run vpnc
-@@ -1033,14 +1127,6 @@
- 	')
- 
- 	optional_policy(`
--		kerberos_use($1_t)
+@@ -1029,15 +1123,7 @@
+ 	# and may change other protocols
+ 	tunable_policy(`user_tcp_server',`
+ 		corenet_tcp_bind_all_nodes($1_t)
+-		corenet_tcp_bind_generic_port($1_t)
 -	')
 -
 -	optional_policy(`
--		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+-		kerberos_use($1_t)
 -	')
 -
 -	optional_policy(`
- 		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+-		loadkeys_run($1_t,$1_r,$1_tty_device_t)
++		corenet_tcp_bind_all_unreserved_ports($1_t)
  	')
+ 
+ 	optional_policy(`
 @@ -1054,17 +1140,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
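Review bot: Inside `tunable_policy(`user_tcp_server', ...)` the replacement of `corenet_tcp_bind_generic_port($1_t)` with `corenet_tcp_bind_all_unreserved_ports($1_t)` widens what a user domain may bind from the generic port type to every port type in the unreserved range, which, as I read corenetwork, includes ports owned by named services above 1024 (database, proxy and similar types). With the boolean on, a user could then occupy such a port before the service starts; if that is acceptable for this tunable its description should say so, and the 3.0.4-3 log message does not mention the widening at all. The surrounding userdomain template starts and ends outside this hunk.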
@@ -11806,7 +11876,7 @@
 +## <summary>Policy for webadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.4/policy/modules/users/webadm.te
 --- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.4/policy/modules/users/webadm.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/users/webadm.te	2007-07-27 14:44:20.000000000 -0400
 @@ -0,0 +1,70 @@
 +policy_module(webadm,1.0.0)
 +
@@ -11815,7 +11885,7 @@
 +# webadmin local policy
 +#
 +
-+userdom_login_user_template(webadm)
++userdom_base_user_template(webadm)
 +allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
 +
 +# Allow webadm_t to restart the apache service
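Review bot: Switching webadm.te from `userdom_login_user_template(webadm)` to `userdom_base_user_template(webadm)` changes how the webadm user is wired into the policy but is not mentioned in the log message, and nothing in the hunk re-establishes an entry path into webadm_r. If the intent is that webadm_t is reached only via newrole or sudo from an ordinary login domain, say so above the call, `# not a login user: entered via newrole/sudo from a login domain`, so a future fix does not simply reinstate the login template. I could not verify from the visible lines where the role transition into webadm_r is declared.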


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.483
retrieving revision 1.484
diff -u -r1.483 -r1.484
--- selinux-policy.spec	27 Jul 2007 18:21:35 -0000	1.483
+++ selinux-policy.spec	30 Jul 2007 14:37:54 -0000	1.484
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,6 +359,9 @@
 %endif
 
 %changelog
+* Mon Jul 30 2007 Dan Walsh <dwalsh at redhat.com> 3.0.4-3
+- Allow xserver to write to ramfs mounted by rhgb
+
 * Tue Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 3.0.4-2
 - Add context for dbus machine id
 



