rpms/selinux-policy/devel policy-20070525.patch,1.4,1.5
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Jun 26 12:09:39 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13462
Modified Files:
policy-20070525.patch
Log Message:
* Fri May 25 2007 Dan Walsh <dwalsh at redhat.com> 3.0.1-1
- Remove ifdef strict policy from upstream
policy-20070525.patch:
Index: policy-20070525.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070525.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20070525.patch 26 Jun 2007 11:15:55 -0000 1.4
+++ policy-20070525.patch 26 Jun 2007 12:09:30 -0000 1.5
@@ -1,3 +1,11 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts
+--- nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts 2007-06-26 07:57:11.000000000 -0400
+@@ -0,0 +1,4 @@
++system_r:local_login_t:s0 guest_r:guest_t:s0
++system_r:remote_login_t:s0 guest_r:guest_t:s0
++system_r:sshd_t:s0 guest_r:guest_t:s0
++system_r:crond_t:s0 guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts 2007-06-19 17:06:27.000000000 -0400
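Review bot: The new guest_u_default_contexts is added only under config/appconfig-strict-mls in this hunk. If guest_u is also defined for the other appconfig-* variants, they need the same file, otherwise guest logins there may resolve through the generic default_contexts instead of landing in guest_t. The rest of the patch is not visible here, so this may already be covered. The `system_r:crond_t:s0 guest_r:guest_crond_t:s0` line also gives the confined guest user a cron context, so confirm that scheduled jobs are intended for guest and that guest_crond_t is declared by the guest role's template.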
@@ -4650,8 +4658,16 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.1/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/ftp.te 2007-06-19 17:06:27.000000000 -0400
-@@ -156,6 +156,7 @@
++++ serefpolicy-3.0.1/policy/modules/services/ftp.te 2007-06-26 07:22:44.000000000 -0400
+@@ -88,6 +88,7 @@
+ allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
+ allow ftpd_t self:tcp_socket create_stream_socket_perms;
+ allow ftpd_t self:udp_socket create_socket_perms;
++allow ftpd_t self:key { search write link };
+
+ allow ftpd_t ftpd_etc_t:file read_file_perms;
+
+@@ -156,6 +157,7 @@
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
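Review bot: The added `allow ftpd_t self:key { search write link };` has no comment saying which code path needs kernel keyring access, and it sits directly under the socket rules where it reads like one more socket permission. If it is there for the PAM session keyring (an assumption, the hunk does not say), a comment such as `# Needed for the PAM session keyring` above it would let a later audit decide whether `write` and `link` are still required or `search` alone is enough. The ftpd_t local policy block starts and ends outside the hunk.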
@@ -4659,15 +4675,17 @@
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
-@@ -167,6 +168,7 @@
+@@ -167,7 +169,9 @@
libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)
+logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
++logging_set_loginuid(ftpd_t)
miscfiles_read_localization(ftpd_t)
-@@ -216,6 +218,14 @@
+ miscfiles_read_public_files(ftpd_t)
+@@ -216,6 +220,14 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
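Review bot: `logging_set_loginuid(ftpd_t)` is granted unconditionally next to `logging_send_audit_msgs(ftpd_t)`, so the network-facing FTP daemon can both set the login UID that audit records are attributed to and emit audit messages itself. In reference policy this interface normally carries the audit_control capability (confirm against logging.if in this tree), which is a broad grant for a daemon that parses untrusted input. A comment stating the reason, e.g. `# pam_loginuid sets the audit login uid at session open`, would document why it is needed and make it easier to revisit. The surrounding ftpd_t rules start and end outside the hunk.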
@@ -9661,7 +9679,7 @@
+corecmd_exec_all_executables(unconfined_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/userdomain.if 2007-06-21 14:03:09.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/system/userdomain.if 2007-06-26 07:46:18.000000000 -0400
@@ -62,6 +62,10 @@
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -9749,7 +9767,7 @@
')
#######################################
-@@ -677,16 +674,6 @@
+@@ -677,67 +674,39 @@
attribute unpriv_userdomain;
')
@@ -9766,12 +9784,16 @@
userdom_untrusted_content_template($1)
userdom_basic_networking_template($1)
-@@ -695,49 +682,29 @@
- userdom_xwindows_client_template($1)
+ userdom_exec_generic_pgms_template($1)
-- userdom_change_password_template($1)
+- userdom_xwindows_client_template($1)
-
+- userdom_change_password_template($1)
++ optional_policy(`
++ userdom_xwindows_client_template($1)
++ ')
+
##############################
#
# User domain Local policy
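Review bot: Wrapping `userdom_xwindows_client_template($1)` in `optional_policy` means the whole X client rule set for the user domain is dropped without any build diagnostic when something the template requires is missing. A short comment above the block naming the dependency, e.g. `# X client access; dropped when the xserver module is not built`, would make that silent fallback visible. The module name is my assumption, since the hunk does not show what the template requires. The enclosing template begins and ends outside the hunk.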
@@ -9816,7 +9838,7 @@
files_exec_etc_files($1_t)
files_search_locks($1_t)
# Check to see if cdrom is mounted
-@@ -750,12 +717,6 @@
+@@ -750,12 +719,6 @@
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
@@ -9829,7 +9851,7 @@
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
-@@ -768,31 +729,16 @@
+@@ -768,31 +731,16 @@
storage_getattr_fixed_disk_dev($1_t)
auth_read_login_records($1_t)
@@ -9863,7 +9885,7 @@
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
seutil_exec_checkpolicy($1_t)
seutil_exec_setfiles($1_t)
-@@ -807,19 +753,12 @@
+@@ -807,19 +755,12 @@
files_read_default_symlinks($1_t)
files_read_default_sockets($1_t)
files_read_default_pipes($1_t)
@@ -9883,7 +9905,7 @@
optional_policy(`
alsa_read_rw_config($1_t)
')
-@@ -834,34 +773,14 @@
+@@ -834,34 +775,14 @@
')
optional_policy(`
@@ -9918,7 +9940,7 @@
')
optional_policy(`
-@@ -889,17 +808,19 @@
+@@ -889,17 +810,19 @@
')
optional_policy(`
@@ -9944,7 +9966,7 @@
')
optional_policy(`
-@@ -913,16 +834,6 @@
+@@ -913,16 +836,6 @@
')
optional_policy(`
@@ -9961,7 +9983,7 @@
resmgr_stream_connect($1_t)
')
-@@ -932,11 +843,6 @@
+@@ -932,11 +845,6 @@
')
optional_policy(`
@@ -9973,7 +9995,7 @@
samba_stream_connect_winbind($1_t)
')
-@@ -967,21 +873,122 @@
+@@ -967,21 +875,122 @@
## </summary>
## </param>
#
@@ -10102,7 +10124,7 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
-@@ -990,15 +997,45 @@
+@@ -990,15 +999,45 @@
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
@@ -10152,7 +10174,7 @@
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1038,14 +1075,6 @@
+@@ -1038,14 +1077,6 @@
')
optional_policy(`
@@ -10167,7 +10189,7 @@
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
-@@ -1059,12 +1088,8 @@
+@@ -1059,12 +1090,8 @@
setroubleshoot_stream_connect($1_t)
')
@@ -10181,7 +10203,7 @@
# Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write;
-@@ -1107,6 +1132,8 @@
+@@ -1107,6 +1134,8 @@
class passwd { passwd chfn chsh rootok crontab };
')
@@ -10190,7 +10212,7 @@
##############################
#
# Declarations
-@@ -1132,7 +1159,7 @@
+@@ -1132,7 +1161,7 @@
# $1_t local policy
#
@@ -10199,7 +10221,7 @@
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
-@@ -1144,8 +1171,6 @@
+@@ -1144,8 +1173,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -10208,7 +10230,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -3083,7 +3108,7 @@
+@@ -3083,7 +3110,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -10217,7 +10239,7 @@
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5553,6 +5578,26 @@
+@@ -5553,6 +5580,26 @@
########################################
## <summary>
@@ -10244,7 +10266,7 @@
## Unconfined access to user domains. (Deprecated)
## </summary>
## <param name="domain">
-@@ -5564,3 +5609,124 @@
+@@ -5564,3 +5611,124 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')