rpms/selinux-policy/devel policy-20070525.patch,1.4,1.5

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jun 26 12:09:39 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13462

Modified Files:
	policy-20070525.patch 
Log Message:
* Fri May 25 2007 Dan Walsh <dwalsh at redhat.com> 3.0.1-1
- Remove ifdef strict policy from upstream


policy-20070525.patch:

Index: policy-20070525.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070525.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20070525.patch	26 Jun 2007 11:15:55 -0000	1.4
+++ policy-20070525.patch	26 Jun 2007 12:09:30 -0000	1.5
@@ -1,3 +1,11 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts
+--- nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts	2007-06-26 07:57:11.000000000 -0400
+@@ -0,0 +1,4 @@
++system_r:local_login_t:s0	guest_r:guest_t:s0
++system_r:remote_login_t:s0	guest_r:guest_t:s0
++system_r:sshd_t:s0		guest_r:guest_t:s0
++system_r:crond_t:s0		guest_r:guest_crond_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts
 --- nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts	2007-06-19 17:06:27.000000000 -0400
@@ -4650,8 +4658,16 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.1/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/ftp.te	2007-06-19 17:06:27.000000000 -0400
-@@ -156,6 +156,7 @@
++++ serefpolicy-3.0.1/policy/modules/services/ftp.te	2007-06-26 07:22:44.000000000 -0400
+@@ -88,6 +88,7 @@
+ allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
+ allow ftpd_t self:tcp_socket create_stream_socket_perms;
+ allow ftpd_t self:udp_socket create_socket_perms;
++allow ftpd_t self:key { search write link };
+ 
+ allow ftpd_t ftpd_etc_t:file read_file_perms;
+ 
+@@ -156,6 +157,7 @@
  
  auth_use_nsswitch(ftpd_t)
  auth_domtrans_chk_passwd(ftpd_t)
@@ -4659,15 +4675,17 @@
  # Append to /var/log/wtmp.
  auth_append_login_records(ftpd_t)
  #kerberized ftp requires the following
-@@ -167,6 +168,7 @@
+@@ -167,7 +169,9 @@
  libs_use_ld_so(ftpd_t)
  libs_use_shared_libs(ftpd_t)
  
 +logging_send_audit_msgs(ftpd_t)
  logging_send_syslog_msg(ftpd_t)
++logging_set_loginuid(ftpd_t)
  
  miscfiles_read_localization(ftpd_t)
-@@ -216,6 +218,14 @@
+ miscfiles_read_public_files(ftpd_t)
+@@ -216,6 +220,14 @@
  	userdom_manage_all_users_home_content_dirs(ftpd_t)
  	userdom_manage_all_users_home_content_files(ftpd_t)
  	userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -9661,7 +9679,7 @@
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/userdomain.if	2007-06-21 14:03:09.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/system/userdomain.if	2007-06-26 07:46:18.000000000 -0400
 @@ -62,6 +62,10 @@
  
  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -9749,7 +9767,7 @@
  ')
  
  #######################################
-@@ -677,16 +674,6 @@
+@@ -677,67 +674,39 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -9766,12 +9784,16 @@
  	userdom_untrusted_content_template($1)
  
  	userdom_basic_networking_template($1)
-@@ -695,49 +682,29 @@
  
- 	userdom_xwindows_client_template($1)
+ 	userdom_exec_generic_pgms_template($1)
  
--	userdom_change_password_template($1)
+-	userdom_xwindows_client_template($1)
 -
+-	userdom_change_password_template($1)
++	optional_policy(`
++		userdom_xwindows_client_template($1)
++	')
+ 
  	##############################
  	#
  	# User domain Local policy
@@ -9816,7 +9838,7 @@
  	files_exec_etc_files($1_t)
  	files_search_locks($1_t)
  	# Check to see if cdrom is mounted
-@@ -750,12 +717,6 @@
+@@ -750,12 +719,6 @@
  	# Stat lost+found.
  	files_getattr_lost_found_dirs($1_t)
  
@@ -9829,7 +9851,7 @@
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
  	selinux_validate_context($1_t)
-@@ -768,31 +729,16 @@
+@@ -768,31 +731,16 @@
  	storage_getattr_fixed_disk_dev($1_t)
  
  	auth_read_login_records($1_t)
@@ -9863,7 +9885,7 @@
  	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
  	seutil_exec_checkpolicy($1_t)
  	seutil_exec_setfiles($1_t)
-@@ -807,19 +753,12 @@
+@@ -807,19 +755,12 @@
  		files_read_default_symlinks($1_t)
  		files_read_default_sockets($1_t)
  		files_read_default_pipes($1_t)
@@ -9883,7 +9905,7 @@
  	optional_policy(`
  		alsa_read_rw_config($1_t)
  	')
-@@ -834,34 +773,14 @@
+@@ -834,34 +775,14 @@
  	')
  
  	optional_policy(`
@@ -9918,7 +9940,7 @@
  	')
  
  	optional_policy(`
-@@ -889,17 +808,19 @@
+@@ -889,17 +810,19 @@
  	')
  
  	optional_policy(`
@@ -9944,7 +9966,7 @@
  	')
  
  	optional_policy(`
-@@ -913,16 +834,6 @@
+@@ -913,16 +836,6 @@
  	')
  
  	optional_policy(`
@@ -9961,7 +9983,7 @@
  		resmgr_stream_connect($1_t)
  	')
  
-@@ -932,11 +843,6 @@
+@@ -932,11 +845,6 @@
  	')
  
  	optional_policy(`
@@ -9973,7 +9995,7 @@
  		samba_stream_connect_winbind($1_t)
  	')
  
-@@ -967,21 +873,122 @@
+@@ -967,21 +875,122 @@
  ##	</summary>
  ## </param>
  #
@@ -10102,7 +10124,7 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -990,15 +997,45 @@
+@@ -990,15 +999,45 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
@@ -10152,7 +10174,7 @@
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1038,14 +1075,6 @@
+@@ -1038,14 +1077,6 @@
  	')
  
  	optional_policy(`
@@ -10167,7 +10189,7 @@
  		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
  		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
  	')
-@@ -1059,12 +1088,8 @@
+@@ -1059,12 +1090,8 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -10181,7 +10203,7 @@
  	# Do not audit write denials to /etc/ld.so.cache.
  	dontaudit $1_t ld_so_cache_t:file write;
  
-@@ -1107,6 +1132,8 @@
+@@ -1107,6 +1134,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -10190,7 +10212,7 @@
  	##############################
  	#
  	# Declarations
-@@ -1132,7 +1159,7 @@
+@@ -1132,7 +1161,7 @@
  	# $1_t local policy
  	#
  
@@ -10199,7 +10221,7 @@
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1144,8 +1171,6 @@
+@@ -1144,8 +1173,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -10208,7 +10230,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -3083,7 +3108,7 @@
+@@ -3083,7 +3110,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -10217,7 +10239,7 @@
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5553,6 +5578,26 @@
+@@ -5553,6 +5580,26 @@
  
  ########################################
  ## <summary>
@@ -10244,7 +10266,7 @@
  ##	Unconfined access to user domains.  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -5564,3 +5609,124 @@
+@@ -5564,3 +5611,124 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')




More information about the fedora-extras-commits mailing list