rpms/selinux-policy/devel policy-20071130.patch,1.126,1.127
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Apr 15 20:27:16 UTC 2008
- Previous message (by thread): rpms/selinux-policy/F-8 policy-20070703.patch, 1.200, 1.201 selinux-policy.spec, 1.626, 1.627
- Next message (by thread): rpms/kernel/devel linux-2.6-rt2x00-configure_filter.patch, NONE, 1.1 kernel.spec, 1.617, 1.618 linux-2.6-wireless.patch, 1.33, 1.34
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9690
Modified Files:
policy-20071130.patch
Log Message:
* Mon Apr 14 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-36
- dontaudit mrtg reading /proc
- Allow iscsi to signal itself
- Allow gnomeclock sys_ptrace
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.126
retrieving revision 1.127
diff -u -r1.126 -r1.127
--- policy-20071130.patch 15 Apr 2008 20:26:17 -0000 1.126
+++ policy-20071130.patch 15 Apr 2008 20:27:09 -0000 1.127
@@ -12096,7 +12096,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-08 11:43:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-15 15:47:56.000000000 -0400
@@ -43,14 +43,13 @@
type cupsd_var_run_t;
@@ -12438,7 +12438,7 @@
+
+lpd_manage_spool(cups_pdf_t)
+
-+rw_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
++manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if
--- nsaserefpolicy/policy/modules/services/cvs.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/cvs.if 2008-04-04 12:06:55.000000000 -0400
@@ -15048,7 +15048,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-07 22:47:29.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-15 15:52:42.000000000 -0400
@@ -0,0 +1,53 @@
+policy_module(gnomeclock,1.0.0)
+########################################
@@ -15064,7 +15064,7 @@
+#
+# gnomeclock local policy
+#
-+allow gnomeclock_t self:capability { sys_nice sys_time };
++allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+allow gnomeclock_t self:process getsched;
+
+# internal communication is often done using fifo and unix sockets.
@@ -15826,7 +15826,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.3.1/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-04-15 15:36:38.000000000 -0400
@@ -54,6 +54,12 @@
type krb5kdc_var_run_t;
files_pid_file(krb5kdc_var_run_t)
@@ -15857,17 +15857,20 @@
corenet_all_recvfrom_unlabeled(kadmind_t)
corenet_all_recvfrom_netlabel(kadmind_t)
-@@ -118,6 +125,9 @@
+@@ -118,6 +125,12 @@
domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
+files_read_usr_files(kadmind_t)
+files_read_var_files(kadmind_t)
++
++selinux_validate_context(kadmind_t)
++seutil_read_file_contexts(kadmind_t)
libs_use_ld_so(kadmind_t)
libs_use_shared_libs(kadmind_t)
-@@ -127,6 +137,7 @@
+@@ -127,6 +140,7 @@
miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
@@ -15875,7 +15878,7 @@
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -137,6 +148,7 @@
+@@ -137,6 +151,7 @@
optional_policy(`
seutil_sigchld_newrole(kadmind_t)
@@ -15883,7 +15886,7 @@
')
optional_policy(`
-@@ -151,7 +163,7 @@
+@@ -151,7 +166,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
@@ -15892,7 +15895,17 @@
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
-@@ -223,6 +235,7 @@
+@@ -215,6 +230,9 @@
+ files_read_usr_symlinks(krb5kdc_t)
+ files_read_var_files(krb5kdc_t)
+
++selinux_validate_context(krb5kdc_t)
++seutil_read_file_contexts(krb5kdc_t)
++
+ libs_use_ld_so(krb5kdc_t)
+ libs_use_shared_libs(krb5kdc_t)
+
+@@ -223,6 +241,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
@@ -15900,7 +15913,7 @@
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -233,8 +246,10 @@
+@@ -233,8 +252,10 @@
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
@@ -16296,7 +16309,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.3.1/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-04-15 14:13:13.000000000 -0400
@@ -53,10 +53,9 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
@@ -16310,7 +16323,7 @@
')
########################################
-@@ -65,8 +64,14 @@
+@@ -65,8 +64,15 @@
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
@@ -16319,6 +16332,7 @@
+allow mailman_mail_t self:capability { setuid setgid };
+
+files_search_spool(mailman_mail_t)
++fs_rw_anon_inodefs_files(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
@@ -19078,8 +19092,16 @@
# Local Policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-04-04 12:06:55.000000000 -0400
-@@ -38,3 +38,5 @@
++++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-04-15 16:03:04.000000000 -0400
+@@ -31,6 +31,7 @@
+ /var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+
+ /var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+ /var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+
+ ifdef(`distro_redhat', `
+@@ -38,3 +39,5 @@
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
- Previous message (by thread): rpms/selinux-policy/F-8 policy-20070703.patch, 1.200, 1.201 selinux-policy.spec, 1.626, 1.627
- Next message (by thread): rpms/kernel/devel linux-2.6-rt2x00-configure_filter.patch, NONE, 1.1 kernel.spec, 1.617, 1.618 linux-2.6-wireless.patch, 1.33, 1.34
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list