rpms/selinux-policy/F-8 policy-20070703.patch, 1.109, 1.110 selinux-policy.spec, 1.558, 1.559
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Oct 26 13:38:09 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3190
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Fri Oct 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-36
- Allow unconfined_t to run crontab -e as root
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.109
retrieving revision 1.110
diff -u -r1.109 -r1.110
--- policy-20070703.patch 25 Oct 2007 23:54:07 -0000 1.109
+++ policy-20070703.patch 26 Oct 2007 13:38:05 -0000 1.110
@@ -6142,7 +6142,7 @@
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.8/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cron.if 2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cron.if 2007-10-26 09:03:07.000000000 -0400
@@ -35,6 +35,7 @@
#
template(`cron_per_role_template',`
@@ -6227,15 +6227,21 @@
##############################
#
-@@ -195,6 +175,7 @@
+@@ -192,9 +172,13 @@
+ # dac_override is to create the file in the directory under /tmp
+ allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
+ allow $1_crontab_t self:process signal_perms;
++ allow $1_crontab_t self:fifo_file rw_fifo_file_perms;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
+ allow $2 $1_crontab_t:fd use;
++
++ auth_domtrans_upd_passwd_chk($1_crontab_t)
# crontab shows up in user ps
ps_process_pattern($2,$1_crontab_t)
-@@ -205,9 +186,6 @@
+@@ -205,9 +189,6 @@
# Allow crond to read those crontabs in cron spool.
allow crond_t $1_cron_spool_t:file manage_file_perms;
@@ -6245,7 +6251,15 @@
# create files in /var/spool/cron
manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t)
filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file)
-@@ -243,10 +221,12 @@
+@@ -236,6 +217,7 @@
+ libs_use_shared_libs($1_crontab_t)
+
+ logging_send_syslog_msg($1_crontab_t)
++ logging_send_audit_msgs($1_crontab_t)
+
+ miscfiles_read_localization($1_crontab_t)
+
+@@ -243,10 +225,12 @@
userdom_manage_user_tmp_dirs($1,$1_crontab_t)
userdom_manage_user_tmp_files($1,$1_crontab_t)
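Review bot: `logging_send_audit_msgs($1_crontab_t)` gives every derived crontab domain the right to write audit records, with no comment saying what in crontab emits them; presumably PAM (pam_loginuid or pam_unix) — confirm. A one-line comment such as `# PAM account checks in crontab emit audit records` would keep the next maintainer from dropping it as surplus. The template body continues outside this hunk.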
@@ -6258,7 +6272,7 @@
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -438,6 +418,25 @@
+@@ -438,6 +422,25 @@
########################################
## <summary>
@@ -6286,7 +6300,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cron.te 2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cron.te 2007-10-26 08:41:15.000000000 -0400
@@ -50,6 +50,7 @@
type crond_tmp_t;
@@ -7340,7 +7354,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-22 17:22:21.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-26 09:02:10.000000000 -0400
@@ -0,0 +1,157 @@
+## <summary>Exim service</summary>
+
@@ -7423,7 +7437,7 @@
+
+########################################
+## <summary>
-+## Manage exim logs
++## append exim logs
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7431,13 +7445,13 @@
+## </summary>
+## </param>
+#
-+interface(`exim_manage_logs',`
++interface(`exim_append_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ files_search_var($1)
-+ manage_files_pattern($1, exim_log_t, exim_log_t)
++ append_files_pattern($1, exim_log_t, exim_log_t)
+')
+
+########################################
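Review bot: The summary on the rewritten interface reads `append exim logs` while the other summary visible in this file (`Exim service`) starts with a capital; make it `## Append exim log files.` so the generated interface documentation is consistent. Narrowing the caller-facing interface from manage to append is the right direction. Because the interface was renamed rather than kept alongside the old name, any module still calling `exim_manage_logs` will fail at policy build time; the two callers in this patch (exim.te, mta.te) are updated, but an out-of-tree module would not be.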
@@ -7501,12 +7515,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-22 17:07:28.000000000 -0400
-@@ -0,0 +1,232 @@
-+# $Id$
-+# Draft SELinux refpolicy module for the Exim MTA
-+#
-+# Devin Carraway <selinux/at/devin.com>
++++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-26 09:02:43.000000000 -0400
+@@ -0,0 +1,229 @@
+
+policy_module(exim, 1.0.0)
+
@@ -7640,7 +7650,8 @@
+
+## logging
+logging_send_syslog_msg(exim_t)
-+exim_manage_logs(exim_t)
++
++manage_files_pattern(exim_t, exim_log_t, exim_log_t)
+logging_log_filetrans(exim_t, exim_log_t, { file dir })
+
+corecmd_search_bin(exim_t)
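Review bot: `manage_files_pattern(exim_t, exim_log_t, exim_log_t)` sits directly above `logging_log_filetrans(exim_t, exim_log_t, { file dir })`, which lets exim create a directory with that label under /var/log, but as far as I can tell the files pattern grants only read/write/add_name/remove_name on `exim_log_t` dirs and not `create`, so the dir half of the filetrans cannot be exercised. Either drop `dir` from the filetrans or add `manage_dirs_pattern(exim_t, exim_log_t, exim_log_t)`, whichever matches where exim actually writes its logs (check exim.fc). The replacement also dropped the `files_search_var(exim_t)` that the removed interface carried; the filetrans on the next line should supply the same search, but that is worth confirming rather than assuming.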
@@ -8484,7 +8495,7 @@
## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-22 13:22:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-26 09:07:59.000000000 -0400
@@ -6,6 +6,7 @@
# Declarations
#
@@ -8547,7 +8558,7 @@
')
optional_policy(`
-+ exim_domtrans(system_mail_t)
++ exim_append_log(system_mail_t)
+')
+
+optional_policy(`
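Review bot: Replacing `exim_domtrans(system_mail_t)` with `exim_append_log(system_mail_t)` changes the confinement model rather than a single permission: `system_mail_t`, the domain many daemons share for sending mail, no longer transitions into `exim_t` on the sendmail path and instead writes exim's log itself. If exim now runs inside `system_mail_t`, that domain is widened for every caller and `exim_t` only applies to the daemon started from init — confirm this is intended. The changelog entry mentions only the crontab change, so a comment above the block, `# local submission runs exim in system_mail_t and appends to its log`, or a changelog line recording the decision would help. The `optional_policy(` that opens at the end of the hunk continues outside it.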
@@ -9912,6 +9923,18 @@
########################################
#
# postgresql Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.0.8/policy/modules/services/ppp.fc
+--- nsaserefpolicy/policy/modules/services/ppp.fc 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ppp.fc 2007-10-26 08:55:32.000000000 -0400
+@@ -25,7 +25,7 @@
+ #
+ # /var
+ #
+-/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0)
++/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+ /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+ /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+ # Fix pptp sockets
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.0.8/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ppp.if 2007-10-22 13:22:31.000000000 -0400
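Review bot: The widened pattern `/var/run/(i)?ppp.*pid[^/]*` says nothing about which file name it was loosened for; `.*` already crosses path components and `pid` is unanchored, so with the new `[^/]*` tail any regular file under /var/run whose name contains `ppp…pid` is labelled `pppd_var_run_t`. A comment naming the file that motivated it (e.g. `# also matches the ppp0.pid.<suffix> file pppd creates` — confirm the real name) would let a later reviewer tighten it to `\.pid[^/]*`. The `--` qualifier limits the rule to regular files, which bounds the effect.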
@@ -16252,7 +16275,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-25 15:22:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-26 08:42:39.000000000 -0400
@@ -5,36 +5,52 @@
#
# Declarations
@@ -16313,7 +16336,7 @@
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,31 +58,29 @@
+@@ -42,37 +58,36 @@
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16352,7 +16375,14 @@
')
optional_policy(`
-@@ -107,6 +121,10 @@
+ cron_per_role_template(unconfined,unconfined_t,unconfined_r)
+ # this is disallowed usage:
+ unconfined_domain(unconfined_crond_t)
++ unconfined_domain(unconfined_crontab_t)
+ ')
+
+ optional_policy(`
+@@ -107,6 +122,10 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
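Review bot: `unconfined_domain(unconfined_crontab_t)` turns the crontab helper for unconfined users into a fully unconfined domain, which makes the three targeted grants added to cron.if in this same patch (fifo_file, the updpwd_chk transition, audit messages) redundant for that role; the preceding `# this is disallowed usage:` comment acknowledges the shortcut but does not say which denial forced it. If the cron.if additions already make `crontab -e` work, this line should go; if not, record the AVC that motivated it in the comment, e.g. `# needed for crontab -e as root: <denial seen>`. Since unconfined_domain grants everything, it presumably also lets this domain write other users' cron spool types, undoing the per-role `$1_cron_spool_t` separation the template sets up — confirm before keeping it.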
@@ -16363,7 +16393,7 @@
')
optional_policy(`
-@@ -114,15 +132,15 @@
+@@ -114,15 +133,15 @@
')
optional_policy(`
@@ -16382,7 +16412,7 @@
')
optional_policy(`
-@@ -130,15 +148,10 @@
+@@ -130,15 +149,10 @@
')
optional_policy(`
@@ -16400,7 +16430,7 @@
')
optional_policy(`
-@@ -155,32 +168,23 @@
+@@ -155,32 +169,23 @@
optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16437,7 +16467,7 @@
')
optional_policy(`
-@@ -205,11 +209,22 @@
+@@ -205,11 +210,22 @@
')
optional_policy(`
@@ -16462,7 +16492,7 @@
')
########################################
-@@ -225,8 +240,21 @@
+@@ -225,8 +241,21 @@
init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.558
retrieving revision 1.559
diff -u -r1.558 -r1.559
--- selinux-policy.spec 25 Oct 2007 23:48:40 -0000 1.558
+++ selinux-policy.spec 26 Oct 2007 13:38:05 -0000 1.559
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 35%{?dist}
+Release: 36%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,9 @@
%endif
%changelog
+* Fri Oct 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-36
+- Allow unconfined_t to run crontab -e as root
+
* Thu Oct 25 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-35
- Add ecryptfs definition