rpms/selinux-policy/devel policy-20081111.patch,1.1,1.2

Daniel J Walsh dwalsh at fedoraproject.org
Tue Dec 2 19:42:30 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1000

Modified Files:
	policy-20081111.patch 
Log Message:
* Fri Nov 5 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-19
- Fix labeling on /var/spool/rsyslog


policy-20081111.patch:

Index: policy-20081111.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20081111.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20081111.patch	2 Dec 2008 19:34:21 -0000	1.1
+++ policy-20081111.patch	2 Dec 2008 19:41:59 -0000	1.2
@@ -24786,8 +24786,8 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.1/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/unconfined.te	2008-11-25 09:45:43.000000000 -0500
-@@ -6,35 +6,75 @@
++++ serefpolicy-3.6.1/policy/modules/system/unconfined.te	2008-12-02 14:32:40.000000000 -0500
+@@ -6,35 +6,76 @@
  # Declarations
  #
  
@@ -24822,6 +24822,7 @@
 +userdom_restricted_user_template(unconfined)
 +#userdom_common_user_template(unconfined)
 +#userdom_xwindows_client_template(unconfined)
++userdom_execmod_user_home_files(unconfined_t)
  
  type unconfined_exec_t;
  init_system_domain(unconfined_t, unconfined_exec_t)
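Review bot: The added `userdom_execmod_user_home_files(unconfined_t)` call is unconditional and has no comment, and the log message for this revision only mentions the /var/spool/rsyslog labeling fix. execmod lets unconfined_t make a file mapping executable after it has been modified, here for any file labelled user_home_t, so it relaxes a memory-protection check on content that users can write. I would put a comment above the call naming the reason, for example `# execmod on user_home_t needed by <program or bug reference>`. It is also worth considering whether the grant belongs under an execmod tunable such as `allow_execmod`, if this tree defines one, rather than being always on. The declarations block this line sits in starts and ends outside the hunk.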
@@ -24870,7 +24871,7 @@
  
  libs_run_ldconfig(unconfined_t, unconfined_r)
  
-@@ -42,26 +82,39 @@
+@@ -42,26 +83,39 @@
  logging_run_auditctl(unconfined_t, unconfined_r)
  
  mount_run_unconfined(unconfined_t, unconfined_r)
@@ -24912,7 +24913,7 @@
  ')
  
  optional_policy(`
-@@ -102,12 +155,24 @@
+@@ -102,12 +156,24 @@
  	')
  
  	optional_policy(`
@@ -24937,7 +24938,7 @@
  ')
  
  optional_policy(`
-@@ -119,7 +184,7 @@
+@@ -119,7 +185,7 @@
  ')
  
  optional_policy(`
@@ -24946,7 +24947,7 @@
  ')
  
  optional_policy(`
-@@ -127,23 +192,25 @@
+@@ -127,23 +193,25 @@
  ')
  
  optional_policy(`
@@ -24977,7 +24978,7 @@
  ')
  
  optional_policy(`
-@@ -155,36 +222,38 @@
+@@ -155,36 +223,38 @@
  ')
  
  optional_policy(`
@@ -25028,7 +25029,7 @@
  ')
  
  optional_policy(`
-@@ -192,7 +261,7 @@
+@@ -192,7 +262,7 @@
  ')
  
  optional_policy(`
@@ -25037,7 +25038,7 @@
  ')
  
  optional_policy(`
-@@ -204,11 +273,12 @@
+@@ -204,11 +274,12 @@
  ')
  
  optional_policy(`
@@ -25052,7 +25053,7 @@
  ')
  
  ########################################
-@@ -218,14 +288,58 @@
+@@ -218,14 +289,58 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -25125,7 +25126,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-02 11:36:42.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-02 14:39:39.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -25377,10 +25378,12 @@
 -	gen_require(`
 -		type $1_t;
 -	')
--
++interface(`userdom_basic_networking',`
+ 
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
 -	allow $1_t self:udp_socket create_socket_perms;
-+interface(`userdom_basic_networking',`
++	allow $1 self:tcp_socket create_stream_socket_perms;
++	allow $1 self:udp_socket create_socket_perms;
  
 -	corenet_all_recvfrom_unlabeled($1_t)
 -	corenet_all_recvfrom_netlabel($1_t)
@@ -25392,9 +25395,7 @@
 -	corenet_udp_sendrecv_all_ports($1_t)
 -	corenet_tcp_connect_all_ports($1_t)
 -	corenet_sendrecv_all_client_packets($1_t)
-+	allow $1 self:tcp_socket create_stream_socket_perms;
-+	allow $1 self:udp_socket create_socket_perms;
- 
+-
 -	corenet_all_recvfrom_labeled($1_t, $1_t)
 +	corenet_all_recvfrom_unlabeled($1)
 +	corenet_all_recvfrom_netlabel($1)
@@ -25511,26 +25512,26 @@
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
--
--	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
  
--	corenet_udp_bind_all_nodes($1_t)
--	corenet_udp_bind_generic_port($1_t)
+-	corecmd_exec_bin($1_t)
 +	corenet_udp_bind_all_nodes($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	dev_read_rand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
+-	corenet_udp_bind_all_nodes($1_t)
+-	corenet_udp_bind_generic_port($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
+-
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -25967,29 +25968,29 @@
  
  	optional_policy(`
 -		alsa_read_rw_config($1_t)
--	')
--
--	optional_policy(`
++		alsa_read_rw_config($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
 -		dbus_role_template($1, $1_r, $1_t)
 -		dbus_system_bus_client($1_t)
 -
 -		optional_policy(`
 -			consolekit_dbus_chat($1_t)
-+		alsa_read_rw_config($1_usertype)
++		apache_role($1_r, $1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat($1_t)
 -		')
-+		apache_role($1_r, $1_usertype)
- 	')
- 
- 	optional_policy(`
--		java_role($1_r, $1_t)
 +		openoffice_role_template($1, $1_r, $1_usertype)
  	')
  
  	optional_policy(`
+-		java_role($1_r, $1_t)
+-	')
+-
+-	optional_policy(`
 -		setroubleshoot_dontaudit_stream_connect($1_t)
 +		polkit_role($1_r, $1_usertype)
  	')
@@ -26413,7 +26414,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3165,226 @@
+@@ -2981,3 +3165,247 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -26638,7 +26639,28 @@
 +		attribute 
 +	')
 +
-+	allow $1 unpriv_userdomain;:unix_dgram_socket sendto;
++	allow $1 unpriv_userdomain:unix_dgram_socket sendto;
++')
++
++
++
++#######################################
++## <summary>
++##	Allow execmod on files in homedirectory 
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolebase/>
++#
++interface(`userdom_execmod_user_home_files',`
++	gen_require(`
++		type user_home_t;
++	')
++
++	allow $1 user_home_t:file execmod;
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.1/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2008-11-13 18:40:02.000000000 -0500
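Review bot: The context lines just above the corrected allow rule still show a `gen_require` block containing `attribute ` with no identifier, so the interface that uses `unpriv_userdomain` does not appear to declare it. This revision fixes the stray `;` in the rule but leaves that line unchanged. Unless the name was only lost in this rendering, it should read `attribute unpriv_userdomain;`, otherwise the interface would presumably fail to compile once a caller expands it. Separately, the summary of the new `userdom_execmod_user_home_files` interface could state what is granted, for example `##	Allow the domain to make modified mappings of user home files executable (execmod).`. The interface containing the corrected rule begins outside the hunk.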



