rpms/selinux-policy/F-8 policy-20070703.patch, 1.109, 1.110 selinux-policy.spec, 1.558, 1.559

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Oct 26 13:38:09 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3190

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Fri Oct 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-36
- Allow unconfined_t to run crontab -e as root


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.109
retrieving revision 1.110
diff -u -r1.109 -r1.110
--- policy-20070703.patch	25 Oct 2007 23:54:07 -0000	1.109
+++ policy-20070703.patch	26 Oct 2007 13:38:05 -0000	1.110
@@ -6142,7 +6142,7 @@
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.8/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cron.if	2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cron.if	2007-10-26 09:03:07.000000000 -0400
 @@ -35,6 +35,7 @@
  #
  template(`cron_per_role_template',`
@@ -6227,15 +6227,21 @@
  
  	##############################
  	#
-@@ -195,6 +175,7 @@
+@@ -192,9 +172,13 @@
+ 	# dac_override is to create the file in the directory under /tmp
+ 	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
+ 	allow $1_crontab_t self:process signal_perms;
++	allow $1_crontab_t self:fifo_file rw_fifo_file_perms;
  
  	# Transition from the user domain to the derived domain.
  	domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
 +	allow $2 $1_crontab_t:fd use;
++
++	auth_domtrans_upd_passwd_chk($1_crontab_t)
  
  	# crontab shows up in user ps
  	ps_process_pattern($2,$1_crontab_t)
-@@ -205,9 +186,6 @@
+@@ -205,9 +189,6 @@
  	# Allow crond to read those crontabs in cron spool.
  	allow crond_t $1_cron_spool_t:file manage_file_perms;
  
@@ -6245,7 +6251,15 @@
  	# create files in /var/spool/cron
  	manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t)
  	filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file)
-@@ -243,10 +221,12 @@
+@@ -236,6 +217,7 @@
+ 	libs_use_shared_libs($1_crontab_t)
+ 
+ 	logging_send_syslog_msg($1_crontab_t)
++	logging_send_audit_msgs($1_crontab_t)
+ 
+ 	miscfiles_read_localization($1_crontab_t)
+ 
+@@ -243,10 +225,12 @@
  
  	userdom_manage_user_tmp_dirs($1,$1_crontab_t)
  	userdom_manage_user_tmp_files($1,$1_crontab_t)
@@ -6258,7 +6272,7 @@
  
  	tunable_policy(`fcron_crond',`
  		# fcron wants an instant update of a crontab change for the administrator
-@@ -438,6 +418,25 @@
+@@ -438,6 +422,25 @@
  
  ########################################
  ## <summary>
@@ -6286,7 +6300,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cron.te	2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cron.te	2007-10-26 08:41:15.000000000 -0400
 @@ -50,6 +50,7 @@
  
  type crond_tmp_t;
@@ -7340,7 +7354,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
 --- nsaserefpolicy/policy/modules/services/exim.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.if	2007-10-22 17:22:21.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/exim.if	2007-10-26 09:02:10.000000000 -0400
 @@ -0,0 +1,157 @@
 +## <summary>Exim service</summary>
 +
@@ -7423,7 +7437,7 @@
 +
 +########################################
 +## <summary>
-+##     Manage exim logs
++##     append exim logs
 +## </summary>
 +## <param name="domain">
 +##     <summary>
@@ -7431,13 +7445,13 @@
 +##     </summary>
 +## </param>
 +#
-+interface(`exim_manage_logs',`
++interface(`exim_append_log',`
 +	gen_require(`
 +		type exim_log_t;
 +	')
 +
 +	files_search_var($1)
-+	manage_files_pattern($1, exim_log_t, exim_log_t)
++	append_files_pattern($1, exim_log_t, exim_log_t)
 +')
 +
 +########################################
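Review bot: `exim_append_log` pairs `files_search_var($1)` with `append_files_pattern($1, exim_log_t, exim_log_t)`, which grants search on var_t and on exim_log_t directories but nothing on the var_log_t directory in between; if the exim log lives under /var/log (the .fc is not in this hunk, so this is inferred from the name) callers will still be denied traversal. The usual refpolicy form for a log interface is `logging_search_logs($1)` alongside or instead of `files_search_var($1)`. The rename from exim_manage_logs to exim_append_log also tightens the grant to append-only, which is a good least-privilege change; the summary in the preceding hunk should then read `## Append exim logs`, capitalized like the other interface summaries, so the generated docs stay consistent.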
@@ -7501,12 +7515,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te	2007-10-22 17:07:28.000000000 -0400
-@@ -0,0 +1,232 @@
-+# $Id$
-+# Draft SELinux refpolicy module for the Exim MTA
-+# 
-+# Devin Carraway <selinux/at/devin.com>
++++ serefpolicy-3.0.8/policy/modules/services/exim.te	2007-10-26 09:02:43.000000000 -0400
+@@ -0,0 +1,229 @@
 +
 +policy_module(exim, 1.0.0)
 +
@@ -7640,7 +7650,8 @@
 +
 +## logging
 +logging_send_syslog_msg(exim_t)
-+exim_manage_logs(exim_t)
++
++manage_files_pattern(exim_t, exim_log_t, exim_log_t)
 +logging_log_filetrans(exim_t, exim_log_t, { file dir })
 +
 +corecmd_search_bin(exim_t)
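Review bot: `logging_log_filetrans(exim_t, exim_log_t, { file dir })` lets exim_t create a directory labelled exim_log_t under the log directory, but the replacement line `manage_files_pattern(exim_t, exim_log_t, exim_log_t)` grants only file permissions on exim_log_t plus read/write on an existing exim_log_t directory, not `create`/`rmdir` on the dir class, so the `dir` half of the transition would be denied unless a dir grant exists elsewhere in the module, which is outside this hunk. Either add `manage_dirs_pattern(exim_t, exim_log_t, exim_log_t)` next to it or drop `dir` from the filetrans set if exim only ever creates log files. Inlining the pattern rather than calling the module's own exim_manage_logs interface is the right refpolicy style.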
@@ -8484,7 +8495,7 @@
  ## <summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te	2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.te	2007-10-26 09:07:59.000000000 -0400
 @@ -6,6 +6,7 @@
  # Declarations
  #
@@ -8547,7 +8558,7 @@
  ')
  
  optional_policy(`
-+	exim_domtrans(system_mail_t)
++	exim_append_log(system_mail_t)
 +')
 +
 +optional_policy(`
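Review bot: In mta.te the optional block switches from `exim_domtrans(system_mail_t)` to `exim_append_log(system_mail_t)`, which is a replacement rather than an addition: system_mail_t loses its transition into exim_t when it executes the exim binary and gains only append on exim_log_t. The changelog entry (`Allow unconfined_t to run crontab -e as root`) does not mention this, so it is unclear whether mail delivery is now meant to run exim inside system_mail_t. If the transition is still wanted, keep both lines, `exim_domtrans(system_mail_t)` followed by `exim_append_log(system_mail_t)`; if dropping it is deliberate, a comment in the block or a changelog line should say so. The surrounding optional_policy block continues beyond the hunk.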
@@ -9912,6 +9923,18 @@
  ########################################
  #
  # postgresql Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.0.8/policy/modules/services/ppp.fc
+--- nsaserefpolicy/policy/modules/services/ppp.fc	2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ppp.fc	2007-10-26 08:55:32.000000000 -0400
+@@ -25,7 +25,7 @@
+ #
+ # /var
+ #
+-/var/run/(i)?ppp.*pid		--	gen_context(system_u:object_r:pppd_var_run_t,s0)
++/var/run/(i)?ppp.*pid[^/]*	--	gen_context(system_u:object_r:pppd_var_run_t,s0)
+ /var/run/pppd[0-9]*\.tdb	--	gen_context(system_u:object_r:pppd_var_run_t,s0)
+ /var/run/ppp(/.*)?			gen_context(system_u:object_r:pppd_var_run_t,s0)
+ # Fix pptp sockets
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.0.8/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/ppp.if	2007-10-22 13:22:31.000000000 -0400
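Review bot: The new ppp.fc pattern `/var/run/(i)?ppp.*pid[^/]*` widens a regex that file-context matching anchors at both ends: previously only names ending in `pid` got pppd_var_run_t, now any regular file under /var/run whose name starts with `ppp`/`ippp` and contains `pid` anywhere does, and which file motivated that is recorded neither in the .fc nor in the changelog. Add a comment above the line naming the file that failed to match, e.g. `# pid files may carry a suffix after "pid"`, with the actual name filled in, so the next person touching the pattern knows what must keep matching. Keeping the `--` type column so directories and sockets are not caught by the wider pattern is appropriate.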
@@ -16252,7 +16275,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-25 15:22:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-26 08:42:39.000000000 -0400
 @@ -5,36 +5,52 @@
  #
  # Declarations
@@ -16313,7 +16336,7 @@
  
  libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,31 +58,29 @@
+@@ -42,37 +58,36 @@
  logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16352,7 +16375,14 @@
  ')
  
  optional_policy(`
-@@ -107,6 +121,10 @@
+ 	cron_per_role_template(unconfined,unconfined_t,unconfined_r)
+ 	# this is disallowed usage:
+ 	unconfined_domain(unconfined_crond_t)
++	unconfined_domain(unconfined_crontab_t)
+ ')
+ 
+ optional_policy(`
+@@ -107,6 +122,10 @@
  	optional_policy(`
  		oddjob_dbus_chat(unconfined_t)
  	')
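Review bot: `unconfined_domain(unconfined_crontab_t)` is added under the existing comment `# this is disallowed usage:`, which was written for the crond line alone, so the reason for making the crontab domain unconfined now lives only in the spec changelog. Extend the comment to cover both lines, e.g. `# this is disallowed usage: unconfined_crond_t and unconfined_crontab_t are made unconfined so that crontab -e works for root`. Once this rule exists, the finer-grained rules the same commit adds to cron_per_role_template (the fifo_file allow, `auth_domtrans_upd_passwd_chk`, `logging_send_audit_msgs`) are redundant for this domain and only matter for the confined per-role crontab domains; stating that in the changelog would explain why both changes ship together. The optional_policy block is fully inside the hunk; the file continues beyond it.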
@@ -16363,7 +16393,7 @@
  ')
  
  optional_policy(`
-@@ -114,15 +132,15 @@
+@@ -114,15 +133,15 @@
  ')
  
  optional_policy(`
@@ -16382,7 +16412,7 @@
  ')
  
  optional_policy(`
-@@ -130,15 +148,10 @@
+@@ -130,15 +149,10 @@
  ')
  
  optional_policy(`
@@ -16400,7 +16430,7 @@
  ')
  
  optional_policy(`
-@@ -155,32 +168,23 @@
+@@ -155,32 +169,23 @@
  
  optional_policy(`
  	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16437,7 +16467,7 @@
  ')
  
  optional_policy(`
-@@ -205,11 +209,22 @@
+@@ -205,11 +210,22 @@
  ')
  
  optional_policy(`
@@ -16462,7 +16492,7 @@
  ')
  
  ########################################
-@@ -225,8 +240,21 @@
+@@ -225,8 +241,21 @@
  
  	init_dbus_chat_script(unconfined_execmem_t)
  	unconfined_dbus_chat(unconfined_execmem_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.558
retrieving revision 1.559
diff -u -r1.558 -r1.559
--- selinux-policy.spec	25 Oct 2007 23:48:40 -0000	1.558
+++ selinux-policy.spec	26 Oct 2007 13:38:05 -0000	1.559
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 35%{?dist}
+Release: 36%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,9 @@
 %endif
 
 %changelog
+* Fri Oct 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-36
+- Allow unconfined_t to run crontab -e as root
+
 * Thu Oct 25 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-35
 - Add ecryptfs definition
 



