rpms/selinux-policy/F-9 policy-20071130.patch, 1.131, 1.132 selinux-policy.spec, 1.657, 1.658
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Apr 24 21:04:06 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17081
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Thu Apr 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-41
- Don't run crontab from unconfined_t
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.131
retrieving revision 1.132
diff -u -r1.131 -r1.132
--- policy-20071130.patch 24 Apr 2008 20:35:58 -0000 1.131
+++ policy-20071130.patch 24 Apr 2008 21:03:28 -0000 1.132
@@ -31339,7 +31339,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-21 11:02:50.559558000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-24 16:57:46.339086000 -0400
@@ -6,35 +6,67 @@
# Declarations
#
@@ -31412,7 +31412,7 @@
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,23 +74,36 @@
+@@ -42,37 +74,44 @@
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -31439,38 +31439,35 @@
+ tunable_policy(`allow_unconfined_nsplugin_transition', `
+ nsplugin_use(unconfined, unconfined_t)
+ ')
-+')
-+
-+optional_policy(`
-+ ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- apache_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(httpd_unconfined_script_t)
++ ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-@@ -69,11 +114,11 @@
- bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
--optional_policy(`
+ optional_policy(`
+- bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
+
+ optional_policy(`
- cron_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(unconfined_crond_t)
--')
-+#optional_policy(`
-+# cron_per_role_template(unconfined, unconfined_t, unconfined_r)
-+# unconfined_domain(unconfined_crontab_t)
-+# role system_r types unconfined_crontab_t;
-+#')
++ bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
optional_policy(`
- init_dbus_chat_script(unconfined_t)
-@@ -101,12 +146,24 @@
+@@ -101,12 +140,24 @@
')
optional_policy(`
@@ -31495,7 +31492,7 @@
')
optional_policy(`
-@@ -118,11 +175,7 @@
+@@ -118,11 +169,7 @@
')
optional_policy(`
@@ -31508,7 +31505,7 @@
')
optional_policy(`
-@@ -134,82 +187,92 @@
+@@ -134,82 +181,97 @@
')
optional_policy(`
@@ -31550,6 +31547,11 @@
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
+ cron_per_role_template(unconfined, unconfined_t, unconfined_r)
++ # this is disallowed usage:
++ unconfined_domain(unconfined_crond_t)
++ unconfined_domain(unconfined_crontab_t)
++ role system_r types unconfined_crontab_t;
++ rpm_transition_script(unconfined_crond_t)
')
-
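Review bot: The added `# this is disallowed usage:` comment above `unconfined_domain(unconfined_crond_t)` and `unconfined_domain(unconfined_crontab_t)` says the calls break a policy convention but not why the exception is accepted, and the log message "Don't run crontab from unconfined_t" does not account for the four new statements either. I would replace it with a comment stating the intent, for example `# crontab and cron jobs get their own derived domains rather than running in unconfined_t; both are intentionally left unconfined`, with the wording confirmed by the author. `role system_r types unconfined_crontab_t;` authorizes an additional role for that type, and `rpm_transition_script(unconfined_crond_t)` presumably lets cron jobs enter the rpm script domain, so each deserves a one-line reason so that a later audit of unconfined.te can tell the grant is deliberate. The enclosing `optional_policy` block opens outside this hunk, and the commented-out form of the same block is what the earlier `@@ -31439,38 +31439,35 @@` hunk removes.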
@@ -31626,7 +31628,7 @@
')
########################################
-@@ -219,14 +282,35 @@
+@@ -219,14 +281,35 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.657
retrieving revision 1.658
diff -u -r1.657 -r1.658
--- selinux-policy.spec 24 Apr 2008 20:35:58 -0000 1.657
+++ selinux-policy.spec 24 Apr 2008 21:03:28 -0000 1.658
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 40%{?dist}
+Release: 41%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,7 +385,7 @@
%endif
%changelog
-* Thu Apr 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-40
+* Thu Apr 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-41
- Don't run crontab from unconfined_t
* Wed Apr 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-39