rpms/selinux-policy/F-7 policy-20070501.patch, 1.52, 1.53 selinux-policy.spec, 1.492, 1.493
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Sep 10 18:25:14 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27741
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Mon Sep 10 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-42
- Allow modprobe to setsched on kernel
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- policy-20070501.patch 4 Sep 2007 20:18:57 -0000 1.52
+++ policy-20070501.patch 10 Sep 2007 18:25:11 -0000 1.53
@@ -469,12 +469,12 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-2.6.4/policy/modules/admin/dmidecode.te
--- nsaserefpolicy/policy/modules/admin/dmidecode.te 2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/dmidecode.te 2007-08-30 10:26:28.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/dmidecode.te 2007-09-07 17:06:51.000000000 -0400
@@ -22,6 +22,7 @@
# Allow dmidecode to read /dev/mem
dev_read_raw_memory(dmidecode_t)
-+dev_search_sysfs(dmidecode_t)
++dev_read_sysfs(dmidecode_t)
mls_file_read_up(dmidecode_t)
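Review bot: The widening from dev_search_sysfs to dev_read_sysfs on the new dmidecode.te line is not explained; the only comment in the hunk ("Allow dmidecode to read /dev/mem") describes the dev_read_raw_memory line above it, not the sysfs grant. Read access to all of sysfs is broader than the directory search that was previously allowed, so a one-line reason keeps the grant reviewable, e.g. `# dmidecode also reads DMI/SMBIOS data exported under /sys -- confirm which path triggers the denial`. If only a specific sysfs subtree is needed, a narrower interface may be worth checking for.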
@@ -2512,8 +2512,33 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.6.4/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/kernel.if 2007-08-07 09:42:35.000000000 -0400
-@@ -333,6 +333,24 @@
++++ serefpolicy-2.6.4/policy/modules/kernel/kernel.if 2007-09-10 08:58:54.000000000 -0400
+@@ -108,6 +108,24 @@
+
+ ########################################
+ ## <summary>
++## Set the priority of kernel threads.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_setsched',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:process setsched;
++')
++
++########################################
++## <summary>
+ ## Send a SIGCHLD signal to kernel threads.
+ ## </summary>
+ ## <param name="domain">
+@@ -333,6 +351,24 @@
########################################
## <summary>
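Review bot: The summary of the new kernel_setsched interface says only "priority", but as far as I recall process:setsched is the permission checked for scheduling-policy changes (sched_setscheduler and friends) as well as priority changes, so the doc understates what the caller receives. Suggest `## Set the scheduling policy and priority of kernel threads.` as the summary. Since the rule applies to every kernel_t process, not a specific thread, a short note to that effect under the summary would help reviewers of the few domains that should be granted this.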
@@ -2538,7 +2563,7 @@
## Allow link to the kernel key ring.
## </summary>
## <param name="domain">
-@@ -1848,6 +1866,26 @@
+@@ -1848,6 +1884,26 @@
########################################
## <summary>
@@ -2565,7 +2590,7 @@
## Do not audit attempts to list unlabeled directories.
## </summary>
## <param name="domain">
-@@ -2158,9 +2196,6 @@
+@@ -2158,9 +2214,6 @@
')
allow $1 unlabeled_t:association { sendto recvfrom };
@@ -2887,7 +2912,7 @@
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-08-30 13:53:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-09-05 07:17:12.000000000 -0400
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -2899,6 +2924,22 @@
#This type is for webpages
type httpd_$1_content_t, httpdcontent; # customizable
files_type(httpd_$1_content_t)
+@@ -65,13 +61,13 @@
+ dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+ # Allow the script process to search the cgi directory, and users directory
+- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
++ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+
+ append_files_pattern(httpd_$1_script_t,httpd_log_t,httpd_log_t)
+ logging_search_logs(httpd_$1_script_t)
+
+ can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+- allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
++ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+ allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
@@ -120,10 +116,6 @@
can_exec(httpd_$1_script_t, httpdcontent)
')
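Review bot: The comment above the first changed line, `# Allow the script process to search the cgi directory, and users directory`, is now stale: the two rules below it were widened from search_dir_perms to list_dir_perms, so CGI scripts can enumerate the content and script directories, not just traverse them. Update it to `# Allow the script process to search and list the cgi directory, and users directory` and, if the listing is for a known case, say which one. The enclosing apache_content_template body begins before this hunk and continues past it.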
@@ -3567,7 +3608,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-2.6.4/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te 2007-09-10 10:51:56.000000000 -0400
@@ -16,6 +16,9 @@
type apcupsd_log_t;
logging_log_file(apcupsd_log_t)
@@ -3587,7 +3628,7 @@
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
allow apcupsd_t self:tcp_socket create_stream_socket_perms;
-@@ -35,16 +40,23 @@
+@@ -35,16 +40,24 @@
manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t)
logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
@@ -3610,10 +3651,11 @@
+corenet_tcp_bind_apcupsd_port(apcupsd_t)
+corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+corenet_tcp_connect_apcupsd_port(apcupsd_t)
++allow apcupsd_t self:udp_socket create_socket_perms;
dev_rw_generic_usb_dev(apcupsd_t)
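Review bot: The new `allow apcupsd_t self:udp_socket create_socket_perms;` is placed between the apcupsd TCP port rules and dev_rw_generic_usb_dev with no comment saying what UDP traffic is expected. If it is for name resolution (a later hunk in this file adds sysnet_dns_name_resolve(apcupsd_t)), say so and place it next to that call, e.g. `# UDP socket for resolver lookups, see sysnet_dns_name_resolve below`; if sysnet_dns_name_resolve in this tree already grants self:udp_socket, the line is redundant and can go. Noting whether this came from an AVC denial or a known feature makes it easier to trim later.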
-@@ -53,6 +65,15 @@
+@@ -53,6 +66,15 @@
files_read_etc_files(apcupsd_t)
files_search_locks(apcupsd_t)
@@ -3629,13 +3671,15 @@
libs_use_ld_so(apcupsd_t)
libs_use_shared_libs(apcupsd_t)
-@@ -61,7 +82,39 @@
+@@ -61,7 +83,41 @@
miscfiles_read_localization(apcupsd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(apcupsd_t)
- term_dontaudit_use_generic_ptys(apcupsd_t)
++sysnet_dns_name_resolve(apcupsd_t)
++
+userdom_use_unpriv_users_ttys(apcupsd_t)
+userdom_use_unpriv_users_ptys(apcupsd_t)
+
@@ -6605,7 +6649,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-2.6.4/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.fc 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/postfix.fc 2007-09-04 17:47:25.000000000 -0400
@@ -5,6 +5,7 @@
/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
@@ -9011,7 +9055,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.6.4/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/authlogin.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/authlogin.te 2007-09-05 12:06:43.000000000 -0400
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -9070,7 +9114,7 @@
userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
-@@ -302,6 +311,38 @@
+@@ -302,6 +311,36 @@
')
optional_policy(`
@@ -9099,16 +9143,14 @@
+miscfiles_read_localization(updpwd_t)
+
+auth_manage_shadow(updpwd_t)
++auth_use_nsswitch(updpwd_t)
++
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_unallocated_ttys(updpwd_t)
+files_manage_etc_files(updpwd_t)
+kernel_read_system_state(updpwd_t)
+logging_send_syslog_msg(updpwd_t)
-+
-+optional_policy(`
-+ nscd_socket_use(updpwd_t)
-+')
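Review bot: Replacing the optional nscd_socket_use(updpwd_t) with an unconditional auth_use_nsswitch(updpwd_t) is a larger grant than the removed lines: in refpolicy auth_use_nsswitch typically bundles the whole NSS client set (name resolution plus the nscd/ldap/nis client rules), which is more than a shadow-writing helper that previously only needed the nscd socket. If only nscd is required, keeping the optional block is the tighter choice; if full NSS really is needed, a comment such as `# updpwd resolves user/group names through NSS, not only nscd` keeps the widening deliberate. Adjacent and pre-existing, but worth cleaning up while here: `term_dontaudit_use_console(updpwd_t)` appears twice in the context lines.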
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.fc serefpolicy-2.6.4/policy/modules/system/brctl.fc
--- nsaserefpolicy/policy/modules/system/brctl.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/system/brctl.fc 2007-08-07 09:42:35.000000000 -0400
@@ -9145,8 +9187,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-2.6.4/policy/modules/system/brctl.te
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-08-07 09:42:35.000000000 -0400
-@@ -0,0 +1,50 @@
++++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-09-10 08:59:30.000000000 -0400
+@@ -0,0 +1,51 @@
+policy_module(brctl,1.0.0)
+
+########################################
@@ -9169,6 +9211,7 @@
+allow brctl_t self:tcp_socket create_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+
++dev_write_sysfs_dirs(brctl_t)
+dev_rw_sysfs(brctl_t)
+
+# Init script handling
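Review bot: `dev_write_sysfs_dirs(brctl_t)` is added with no comment, directly above dev_rw_sysfs(brctl_t), so a reader cannot tell whether brctl genuinely needs to create or remove entries in sysfs directories or whether this silences a single denial that dev_rw_sysfs does not cover. Suggest a comment naming the case, e.g. `# brctl writes sysfs directories when adding/removing bridge interfaces -- confirm against the AVC that prompted this`. If the write is only needed for one subtree, a narrower rule would be preferable to dir write on all of sysfs.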
@@ -10451,7 +10494,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.6.4/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/modutils.te 2007-08-21 09:08:39.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/modutils.te 2007-09-10 08:58:12.000000000 -0400
@@ -43,7 +43,7 @@
# insmod local policy
#
@@ -10461,7 +10504,15 @@
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
-@@ -80,6 +80,8 @@
+@@ -64,6 +64,7 @@
+ kernel_read_kernel_sysctls(insmod_t)
+ kernel_rw_kernel_sysctl(insmod_t)
+ kernel_read_hotplug_sysctls(insmod_t)
++kernel_setsched(insmod_t)
+
+ files_read_kernel_modules(insmod_t)
+ # for locking: (cjp: ????)
+@@ -80,6 +81,8 @@
# cjp: why is this needed? insmod cannot mounton any dir
# and it also transitions to mount
dev_mount_usbfs(insmod_t)
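Review bot: `kernel_setsched(insmod_t)` is added without a comment, and neither the hunk nor the changelog ("Allow modprobe to setsched on kernel") says which module load or which kernel thread needs its scheduling changed; insmod_t is already a powerful domain (execmem, sigkill on the lines above), so a grant to alter the scheduling of all kernel threads should carry its reason. Suggest `# modprobe adjusts the scheduling of kernel threads while loading modules (TODO: note the module/thread that triggers this)`. The insmod_t policy block begins and ends outside this hunk.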
@@ -10470,7 +10521,7 @@
fs_getattr_xattr_fs(insmod_t)
-@@ -102,6 +104,7 @@
+@@ -102,6 +105,7 @@
init_use_fds(insmod_t)
init_use_script_fds(insmod_t)
init_use_script_ptys(insmod_t)
@@ -10478,7 +10529,7 @@
libs_use_ld_so(insmod_t)
libs_use_shared_libs(insmod_t)
-@@ -123,6 +126,18 @@
+@@ -123,6 +127,18 @@
')
optional_policy(`
@@ -10497,7 +10548,7 @@
hotplug_search_config(insmod_t)
')
-@@ -155,6 +170,7 @@
+@@ -155,6 +171,7 @@
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -10505,7 +10556,7 @@
')
optional_policy(`
-@@ -185,6 +201,7 @@
+@@ -185,6 +202,7 @@
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
@@ -10714,7 +10765,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.6.4/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.if 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.if 2007-09-04 16:32:23.000000000 -0400
@@ -445,6 +445,7 @@
role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms;
@@ -10749,6 +10800,35 @@
manage_files_pattern($1,selinux_config_t,selinux_config_t)
read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
')
+@@ -791,6 +795,28 @@
+
+ ########################################
+ ## <summary>
++## dontaudit Read the file_contexts files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`seutil_dontaudit_read_file_contexts',`
++ gen_require(`
++ type selinux_config_t, default_context_t, file_context_t;
++ ')
++
++ files_search_etc($1)
++ dontaudit $1 { selinux_config_t default_context_t }:dir search_dir_perms;
++ dontaudit $1 file_context_t:dir search_dir_perms;
++ dontaudit $1 file_context_t:file r_file_perms;
++')
++
++########################################
++## <summary>
+ ## Read and write the file_contexts files.
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.4/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-08-07 09:42:35.000000000 -0400
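Review bot: The new seutil_dontaudit_read_file_contexts interface contains `files_search_etc($1)`, which is an allow rule, so an interface whose name and summary promise only to suppress audit messages silently grants callers search on /etc; drop that line, leaving only the three dontaudit rules. The `## <rolecap/>` tag should also go, as it marks interfaces that confer a capability on a role, which a pure dontaudit does not. Finally, the summary `## dontaudit Read the file_contexts files.` would read better as `## Do not audit attempts to read the file_contexts files.`, matching the wording of the other dontaudit interfaces quoted in this patch ("Do not audit attempts to list unlabeled directories.").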
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.492
retrieving revision 1.493
diff -u -r1.492 -r1.493
--- selinux-policy.spec 4 Sep 2007 20:18:57 -0000 1.492
+++ selinux-policy.spec 10 Sep 2007 18:25:11 -0000 1.493
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 41%{?dist}
+Release: 42%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,10 @@
%endif
%changelog
+* Mon Sep 10 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-42
+- Allow modprobe to setsched on kernel
+
+
* Tue Sep 4 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-41
- Allow ktalkd to look at terminals