rpms/selinux-policy/devel policy-20071130.patch, 1.130, 1.131 selinux-policy.spec, 1.656, 1.657

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Apr 24 21:09:07 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17407

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Thu Apr 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-41
- Don't run crontab from unconfined_t


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.130
retrieving revision 1.131
diff -u -r1.130 -r1.131
--- policy-20071130.patch	24 Apr 2008 19:41:22 -0000	1.130
+++ policy-20071130.patch	24 Apr 2008 21:08:32 -0000	1.131
@@ -31339,7 +31339,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-21 11:02:50.559558000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-24 16:57:46.339086000 -0400
 @@ -6,35 +6,67 @@
  # Declarations
  #
@@ -31412,7 +31412,7 @@
  
  libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,23 +74,36 @@
+@@ -42,37 +74,44 @@
  logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -31439,38 +31439,35 @@
 +	tunable_policy(`allow_unconfined_nsplugin_transition', `
 +		nsplugin_use(unconfined, unconfined_t)
 +	')
-+')
-+
-+optional_policy(`
-+	ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
- 	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 -	apache_per_role_template(unconfined, unconfined_t, unconfined_r)
 -	# this is disallowed usage:
 -	unconfined_domain(httpd_unconfined_script_t)
++	ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
-@@ -69,11 +114,11 @@
- 	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-	bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
--optional_policy(`
+ optional_policy(`
+-	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
+ 
+ optional_policy(`
 -	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
 -	# this is disallowed usage:
 -	unconfined_domain(unconfined_crond_t)
--')
-+#optional_policy(`
-+#	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
-+#	unconfined_domain(unconfined_crontab_t)
-+#	role system_r types unconfined_crontab_t;
-+#')
++	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
  
  optional_policy(`
- 	init_dbus_chat_script(unconfined_t)
-@@ -101,12 +146,24 @@
+@@ -101,12 +140,24 @@
  	')
  
  	optional_policy(`
@@ -31495,7 +31492,7 @@
  ')
  
  optional_policy(`
-@@ -118,11 +175,7 @@
+@@ -118,11 +169,7 @@
  ')
  
  optional_policy(`
@@ -31508,7 +31505,7 @@
  ')
  
  optional_policy(`
-@@ -134,82 +187,92 @@
+@@ -134,82 +181,97 @@
  ')
  
  optional_policy(`
@@ -31550,6 +31547,11 @@
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
 +	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
++	# this is disallowed usage:
++	unconfined_domain(unconfined_crond_t)
++	unconfined_domain(unconfined_crontab_t)
++	role system_r types unconfined_crontab_t;
++	rpm_transition_script(unconfined_crond_t)
  ')
  
 -
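Review bot: The added `unconfined_domain(unconfined_crontab_t)` right after the kept `# this is disallowed usage:` line grants the new crontab domain the full unconfined permission set, so "Don't run crontab from unconfined_t" (the log message) only changes the label crontab runs under, not what it is allowed to do; together with `role system_r types unconfined_crontab_t;` this is effectively unconfined_t by another name, and if the intent is merely relabelling that should be stated, while if the intent is confinement the `unconfined_domain` line deserves a second look. The retained comment now heads four statements instead of one and no longer explains anything; I would replace it with a comment giving the actual reason, e.g. `# crond/crontab are deliberately unconfined here: <reason placeholder>`. `rpm_transition_script(unconfined_crond_t)` is likewise added without a why-comment, so a reader cannot tell which cron job it exists for. I am assuming `cron_per_role_template` is what creates the unconfined_t to unconfined_crontab_t transition; its definition is not visible from this hunk, and the enclosing `optional_policy(` block starts before the hunk.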
@@ -31626,7 +31628,7 @@
  ')
  
  ########################################
-@@ -219,14 +282,35 @@
+@@ -219,14 +281,35 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.656
retrieving revision 1.657
diff -u -r1.656 -r1.657
--- selinux-policy.spec	24 Apr 2008 19:41:22 -0000	1.656
+++ selinux-policy.spec	24 Apr 2008 21:08:32 -0000	1.657
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 40%{?dist}
+Release: 41%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -385,7 +385,7 @@
 %endif
 
 %changelog
-* Thu Apr 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-40 
+* Thu Apr 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-41
 - Don't run crontab from unconfined_t
 
 * Wed Apr 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-39



