rpms/selinux-policy/devel policy-20070703.patch, 1.60, 1.61 selinux-policy.spec, 1.523, 1.524

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Sep 19 17:41:31 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18763

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Wed Sep 19 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-3
- Allow xserver to search devpts_t
- Dontaudit ldconfig output to homedir


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -r1.60 -r1.61
--- policy-20070703.patch	19 Sep 2007 01:11:31 -0000	1.60
+++ policy-20070703.patch	19 Sep 2007 17:40:59 -0000	1.61
@@ -302,8 +302,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.8/policy/modules/admin/alsa.fc
 --- nsaserefpolicy/policy/modules/admin/alsa.fc	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc	2007-09-17 16:20:18.000000000 -0400
-@@ -1,4 +1,7 @@
++++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc	2007-09-19 10:53:23.000000000 -0400
+@@ -1,4 +1,8 @@
  
  /etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 +/etc/asound(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
@@ -311,10 +311,19 @@
  
  /usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 +/sbin/alsactl 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
++/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te	2007-09-17 16:20:18.000000000 -0400
-@@ -19,20 +19,24 @@
++++ serefpolicy-3.0.8/policy/modules/admin/alsa.te	2007-09-19 10:54:14.000000000 -0400
+@@ -14,25 +14,35 @@
+ type alsa_etc_rw_t;
+ files_type(alsa_etc_rw_t)
+ 
++type alsa_var_lib_t;
++files_type(alsa_var_lib_t)
++
+ ########################################
+ #
  # Local policy
  #
  
@@ -333,6 +342,9 @@
  manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
  manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
  
++manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
++manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
++
 +files_search_home(alsa_t)
  files_read_etc_files(alsa_t)
  
@@ -342,7 +354,7 @@
  
  libs_use_ld_so(alsa_t)
  libs_use_shared_libs(alsa_t)
-@@ -43,7 +47,13 @@
+@@ -43,7 +53,13 @@
  
  userdom_manage_unpriv_user_semaphores(alsa_t)
  userdom_manage_unpriv_user_shared_mem(alsa_t)
@@ -5978,8 +5990,17 @@
  /var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-09-17 16:20:18.000000000 -0400
-@@ -293,6 +293,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-09-19 13:28:57.000000000 -0400
+@@ -155,6 +155,8 @@
+ selinux_compute_relabel_context(hald_t)
+ selinux_compute_user_contexts(hald_t)
+ 
++dev_read_raw_memory(hald_t)
++
+ storage_raw_read_removable_device(hald_t)
+ storage_raw_write_removable_device(hald_t)
+ storage_raw_read_fixed_disk(hald_t)
+@@ -293,6 +295,7 @@
  #
  
  allow hald_acl_t self:capability { dac_override fowner };
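Review bot: `dev_read_raw_memory(hald_t)` at the top of this hal.te hunk grants hald read access to the raw memory device types, a broad privilege that the commit message (which lists only the xserver devpts and ldconfig changes) neither mentions nor justifies. A comment above the call recording the denial it fixes, e.g. `# hald reads raw memory for: <fill in from the observed avc denial>`, would let later reviewers judge whether a narrower interface is enough, and the changelog should carry an entry for it alongside the other two.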
@@ -9321,7 +9342,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-09-19 11:59:57.000000000 -0400
 @@ -126,6 +126,8 @@
  	# read events - the synaptics touchpad driver reads raw events
  	dev_rw_input_dev($1_xserver_t)
@@ -9331,7 +9352,7 @@
  
  	domain_mmap_low($1_xserver_t)
  
-@@ -141,7 +143,7 @@
+@@ -141,10 +143,11 @@
  	fs_getattr_xattr_fs($1_xserver_t)
  	fs_search_nfs($1_xserver_t)
  	fs_search_auto_mountpoints($1_xserver_t)
@@ -9340,7 +9361,11 @@
  
  	init_getpgid($1_xserver_t)
  
-@@ -353,12 +355,6 @@
++	term_search_ptys($1_xserver_t)
+ 	term_setattr_unallocated_ttys($1_xserver_t)
+ 	term_use_unallocated_ttys($1_xserver_t)
+ 
+@@ -353,12 +356,6 @@
  	# allow ps to show xauth
  	ps_process_pattern($2,$1_xauth_t)
  
@@ -9353,7 +9378,7 @@
  	domain_use_interactive_fds($1_xauth_t)
  
  	files_read_etc_files($1_xauth_t)
-@@ -387,6 +383,14 @@
+@@ -387,6 +384,14 @@
  	')
  
  	optional_policy(`
@@ -9368,7 +9393,7 @@
  		nis_use_ypbind($1_xauth_t)
  	')
  
-@@ -537,16 +541,14 @@
+@@ -537,16 +542,14 @@
  
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
@@ -9387,7 +9412,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -555,25 +557,46 @@
+@@ -555,25 +558,46 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -9443,7 +9468,7 @@
  	')
  ')
  
-@@ -626,6 +649,24 @@
+@@ -626,6 +650,24 @@
  
  ########################################
  ## <summary>
@@ -9468,7 +9493,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -659,6 +700,73 @@
+@@ -659,6 +701,73 @@
  
  ########################################
  ## <summary>
@@ -9542,7 +9567,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -987,6 +1095,37 @@
+@@ -987,6 +1096,37 @@
  
  ########################################
  ## <summary>
@@ -9580,7 +9605,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1136,7 +1275,7 @@
+@@ -1136,7 +1276,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -9589,7 +9614,7 @@
  ')
  
  ########################################
-@@ -1325,3 +1464,62 @@
+@@ -1325,3 +1465,62 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -9654,7 +9679,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-09-19 11:59:42.000000000 -0400
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -10927,7 +10952,7 @@
 +/usr/lib/libFLAC\.so.* 	  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-08-02 08:17:28.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.te	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/libraries.te	2007-09-19 13:33:20.000000000 -0400
 @@ -23,6 +23,9 @@
  init_system_domain(ldconfig_t,ldconfig_exec_t)
  role system_r types ldconfig_t;
@@ -10964,7 +10989,15 @@
  files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_search_tmp(ldconfig_t)
-@@ -96,4 +104,11 @@
+@@ -79,6 +87,7 @@
+ logging_send_syslog_msg(ldconfig_t)
+ 
+ userdom_use_all_users_fds(ldconfig_t)
++userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t)
+ 
+ ifdef(`hide_broken_symptoms',`
+ 	optional_policy(`
+@@ -96,4 +105,11 @@
  	# and executes ldconfig on it.  If you dont allow this kernel installs 
  	# blow up.
  	rpm_manage_script_tmp_files(ldconfig_t)
@@ -12959,7 +12992,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-19 13:32:51.000000000 -0400
 @@ -45,7 +45,7 @@
  	type $1_tty_device_t; 
  	term_user_tty($1_t,$1_tty_device_t)
@@ -13699,12 +13732,13 @@
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4599,7 +4718,25 @@
- 
- ########################################
- ## <summary>
--##	Search all users home directories.
-+##	Search all users home directories.
+@@ -4615,6 +4734,24 @@
+ 	files_list_home($1)
+ 	allow $1 home_dir_type:dir search_dir_perms;
+ ')
++########################################
++## <summary>
++##	Read all users home directories symlinks.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
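Review bot: The new `userdom_read_all_users_home_dirs_symlinks` block opens with its `########` banner immediately after the closing `')` of the preceding interface, with no separating blank line, whereas the other interfaces in this file (including the one added later in this patch) are preceded by an empty line. Insert a blank `+` line between `')` and the banner. The interface body continues past this hunk into the next one.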
@@ -13712,36 +13746,17 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_search_all_users_home_dirs',`
++interface(`userdom_read_all_users_home_dirs_symlinks',`
 +	gen_require(`
 +		attribute home_dir_type;
 +	')
 +
 +	files_list_home($1)
-+	allow $1 home_dir_type:dir search_dir_perms;
-+')
-+########################################
-+## <summary>
-+##	Read all users home directories symlinks.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4607,13 +4744,13 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_search_all_users_home_dirs',`
-+interface(`userdom_read_all_users_home_dirs_symlinks',`
- 	gen_require(`
- 		attribute home_dir_type;
- 	')
- 
- 	files_list_home($1)
--	allow $1 home_dir_type:dir search_dir_perms;
 +	allow $1 home_dir_type:lnk_file read_lnk_file_perms;
- ')
++')
  
  ########################################
+ ## <summary>
 @@ -4633,6 +4770,14 @@
  
  	files_list_home($1)
@@ -13766,7 +13781,7 @@
  ')
  
  ########################################
-@@ -5559,3 +5704,318 @@
+@@ -5559,3 +5704,336 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -14067,6 +14082,24 @@
 +	allow $1 user_home_type:file execute;
 +')
 +
++########################################
++## <summary>
++##	dontaudit attempts to write to user home dir files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_write_unpriv_user_home_content_files',`
++	gen_require(`
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:file write;
++')
++
 +
 +########################################
 +## <summary>
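Review bot: The body of `userdom_dontaudit_write_unpriv_user_home_content_files` uses `allow`, so the new interface grants write access to every `user_home_type` file instead of suppressing the denial that its name and summary promise; with the libraries.te hunk in this patch calling it for ldconfig_t, ldconfig ends up permitted to write into user home content rather than merely being quiet about it. The rule should read `dontaudit $1 user_home_type:file write;`. The summary could also be made a full sentence, `##	Do not audit attempts to write to unprivileged user home content files.`, matching the surrounding interfaces.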


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.523
retrieving revision 1.524
diff -u -r1.523 -r1.524
--- selinux-policy.spec	19 Sep 2007 01:11:31 -0000	1.523
+++ selinux-policy.spec	19 Sep 2007 17:40:59 -0000	1.524
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,10 @@
 %endif
 
 %changelog
+* Wed Sep 19 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-3
+- Allow xserver to search devpts_t
+- Dontaudit ldconfig output to homedir
+
 * Tue Sep 18 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-2
 - Remove hplip_etc_t change back to etc_t.
 



