rpms/selinux-policy/devel policy-20071130.patch,1.126,1.127

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Apr 15 20:27:16 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9690

Modified Files:
	policy-20071130.patch 
Log Message:
* Mon Apr 14 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-36
- dontaudit mrtg reading /proc
- Allow iscsi to signal itself
- Allow gnomeclock sys_ptrace


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.126
retrieving revision 1.127
diff -u -r1.126 -r1.127
--- policy-20071130.patch	15 Apr 2008 20:26:17 -0000	1.126
+++ policy-20071130.patch	15 Apr 2008 20:27:09 -0000	1.127
@@ -12096,7 +12096,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cups.te	2008-04-08 11:43:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.te	2008-04-15 15:47:56.000000000 -0400
 @@ -43,14 +43,13 @@
  
  type cupsd_var_run_t;
@@ -12438,7 +12438,7 @@
 +
 +lpd_manage_spool(cups_pdf_t)
 +
-+rw_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
++manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if
 --- nsaserefpolicy/policy/modules/services/cvs.if	2007-01-02 12:57:43.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/cvs.if	2008-04-04 12:06:55.000000000 -0400
@@ -15048,7 +15048,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-04-07 22:47:29.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-04-15 15:52:42.000000000 -0400
 @@ -0,0 +1,53 @@
 +policy_module(gnomeclock,1.0.0)
 +########################################
@@ -15064,7 +15064,7 @@
 +#
 +# gnomeclock local policy
 +#
-+allow gnomeclock_t self:capability { sys_nice sys_time };
++allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
 +allow gnomeclock_t self:process getsched;
 +
 +# internal communication is often done using fifo and unix sockets.
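Review bot: sys_ptrace is added to gnomeclock_t's capability set on the changed allow line with no comment on why a clock-setting helper needs it, and the log message only restates the grant. sys_ptrace is one of the broader capabilities, and on kernels of this vintage it is also what gates reading other processes' /proc entries, so a benign /proc read from another domain commonly shows up as a sys_ptrace denial. If that is what triggered this, `dontaudit gnomeclock_t self:capability sys_ptrace;` is the usual answer instead of an allow; if the capability is genuinely required, record the reason above the line, e.g. `# sys_ptrace: <operation that needs it -- TODO confirm against the denial>`. The gnomeclock_t local-policy block continues outside the hunk.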
@@ -15826,7 +15826,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.3.1/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/kerberos.te	2008-04-15 15:36:38.000000000 -0400
 @@ -54,6 +54,12 @@
  type krb5kdc_var_run_t;
  files_pid_file(krb5kdc_var_run_t)
@@ -15857,17 +15857,20 @@
  
  corenet_all_recvfrom_unlabeled(kadmind_t)
  corenet_all_recvfrom_netlabel(kadmind_t)
-@@ -118,6 +125,9 @@
+@@ -118,6 +125,12 @@
  domain_use_interactive_fds(kadmind_t)
  
  files_read_etc_files(kadmind_t)
 +files_read_usr_symlinks(kadmind_t)
 +files_read_usr_files(kadmind_t)
 +files_read_var_files(kadmind_t)
++
++selinux_validate_context(kadmind_t)
++seutil_read_file_contexts(kadmind_t)
  
  libs_use_ld_so(kadmind_t)
  libs_use_shared_libs(kadmind_t)
-@@ -127,6 +137,7 @@
+@@ -127,6 +140,7 @@
  miscfiles_read_localization(kadmind_t)
  
  sysnet_read_config(kadmind_t)
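Review bot: selinux_validate_context and seutil_read_file_contexts are added to kadmind_t here (and to krb5kdc_t in the hunk at @@ -15892) without a comment saying which operation requires them; together they let the daemon read file_contexts and ask the kernel to validate labels, which is the footprint of a program doing libselinux context lookups, so a reader should not have to guess. A short comment above the pair, e.g. `# libselinux context lookups for files the daemon creates -- TODO confirm against the AVC`, would make the intent explicit in both places. The renumbered hunk headers in the surrounding kerberos hunks (+137/+140, +148/+151, +163/+166, +235/+241, +246/+252) are consistent with the three lines added for kadmind_t and the further three for krb5kdc_t.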
@@ -15875,7 +15878,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
  userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -137,6 +148,7 @@
+@@ -137,6 +151,7 @@
  
  optional_policy(`
  	seutil_sigchld_newrole(kadmind_t)
@@ -15883,7 +15886,7 @@
  ')
  
  optional_policy(`
-@@ -151,7 +163,7 @@
+@@ -151,7 +166,7 @@
  # Use capabilities. Surplus capabilities may be allowed.
  allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
  dontaudit krb5kdc_t self:capability sys_tty_config;
@@ -15892,7 +15895,17 @@
  allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
  allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
  allow krb5kdc_t self:udp_socket create_socket_perms;
-@@ -223,6 +235,7 @@
+@@ -215,6 +230,9 @@
+ files_read_usr_symlinks(krb5kdc_t)
+ files_read_var_files(krb5kdc_t)
+ 
++selinux_validate_context(krb5kdc_t)
++seutil_read_file_contexts(krb5kdc_t)
++
+ libs_use_ld_so(krb5kdc_t)
+ libs_use_shared_libs(krb5kdc_t)
+ 
+@@ -223,6 +241,7 @@
  miscfiles_read_localization(krb5kdc_t)
  
  sysnet_read_config(krb5kdc_t)
@@ -15900,7 +15913,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
  userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -233,8 +246,10 @@
+@@ -233,8 +252,10 @@
  
  optional_policy(`
  	seutil_sigchld_newrole(krb5kdc_t)
@@ -16296,7 +16309,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.3.1/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/mailman.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mailman.te	2008-04-15 14:13:13.000000000 -0400
 @@ -53,10 +53,9 @@
  	apache_use_fds(mailman_cgi_t)
  	apache_dontaudit_append_log(mailman_cgi_t)
@@ -16310,7 +16323,7 @@
  ')
  
  ########################################
-@@ -65,8 +64,14 @@
+@@ -65,8 +64,15 @@
  #
  
  allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
@@ -16319,6 +16332,7 @@
 +allow mailman_mail_t self:capability { setuid setgid };
 +
 +files_search_spool(mailman_mail_t)
++fs_rw_anon_inodefs_files(mailman_mail_t)
  
  mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
 +mta_dontaudit_rw_queue(mailman_mail_t)
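Review bot: fs_rw_anon_inodefs_files(mailman_mail_t) is added without a comment and is not mentioned in the log message, which lists only the mrtg, iscsi and gnomeclock changes (the same is true of the cups, kerberos and postgresql hunks in this revision). anon_inodefs is the pseudo-filesystem behind descriptors such as epoll and eventfd, so the grant itself is small, but a note such as `# epoll/eventfd descriptors -- TODO confirm from the denial` above the line would make the purpose visible. The mailman_mail_t rule block continues outside the hunk.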
@@ -19078,8 +19092,16 @@
  # Local Policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc	2008-04-04 12:06:55.000000000 -0400
-@@ -38,3 +38,5 @@
++++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc	2008-04-15 16:03:04.000000000 -0400
+@@ -31,6 +31,7 @@
+ /var/lib/pgsql/pgstartup\.log		gen_context(system_u:object_r:postgresql_log_t,s0)
+ 
+ /var/log/postgres\.log.* 	--	gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/logfile(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
+ /var/log/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
+ 
+ ifdef(`distro_redhat', `
+@@ -38,3 +39,5 @@
  ')
  
  /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
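Review bot: The new entry `/var/lib/pgsql/logfile(/.*)?` uses the directory-style suffix, while the neighbouring `/var/log/postgres\.log.*` entry is restricted to regular files with `--`; if logfile is a plain file, as the name suggests, the entry should read `/var/lib/pgsql/logfile	--	gen_context(system_u:object_r:postgresql_log_t,s0)` so that a directory of that name (and everything under it) is not silently labelled as a log. It is also placed among the /var/log entries rather than next to the existing /var/lib/pgsql/pgstartup\.log line a few lines above, which makes the file harder to scan by path. The rewritten header of the following hunk (+38,5 to +39,5) is consistent with the single inserted line.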



