rpms/selinux-policy/F-10 booleans-targeted.conf, 1.45, 1.46 policy-20080710.patch, 1.108, 1.109 selinux-policy.spec, 1.758, 1.759
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Dec 4 14:29:14 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24271
Modified Files:
booleans-targeted.conf policy-20080710.patch
selinux-policy.spec
Log Message:
* Wed Dec 2 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-30
- Allow nsplugin to list gconf_home_t directory
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/booleans-targeted.conf,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- booleans-targeted.conf 5 Nov 2008 18:26:36 -0000 1.45
+++ booleans-targeted.conf 4 Dec 2008 14:28:42 -0000 1.46
@@ -237,7 +237,7 @@
# Allow unconfined domain to transition to confined domain
#
-allow_unconfined_nsplugin_transition=true
+allow_unconfined_nsplugin_transition=false
# Allow unconfined domains mmap low kernel memory
#
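Review bot: Flipping `allow_unconfined_nsplugin_transition` to `false` changes a confinement default, yet the log message mentions only the gconf_home_t rule. Going by the comment above the boolean, processes started from an unconfined domain would then no longer transition into the confined nsplugin domain, so browser plugins would presumably run with the user's full unconfined access. I would record the reason in the changelog and extend the comment above the setting, e.g. `# Default off: plugins launched from unconfined domains stay unconfined; set to true to confine them`.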
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.108
retrieving revision 1.109
diff -u -r1.108 -r1.109
--- policy-20080710.patch 3 Dec 2008 22:02:46 -0000 1.108
+++ policy-20080710.patch 4 Dec 2008 14:28:42 -0000 1.109
@@ -6454,17 +6454,18 @@
+wm_domain_template(user,xdm)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-11-24 10:49:49.000000000 -0500
-@@ -129,6 +129,8 @@
++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-12-04 09:14:24.000000000 -0500
+@@ -129,6 +129,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/opt/Adobe(/.*)?/sidecars(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
#
# /usr
#
-@@ -184,10 +186,8 @@
+@@ -184,10 +187,8 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -6477,7 +6478,7 @@
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -292,3 +292,14 @@
+@@ -292,3 +293,14 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -25653,7 +25654,7 @@
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-12-04 09:20:21.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -25937,7 +25938,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-12-04 09:20:48.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -25947,7 +25948,7 @@
# ssh client executable.
type ssh_exec_t;
-@@ -55,6 +55,12 @@
+@@ -55,6 +55,16 @@
init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
')
@@ -25957,10 +25958,14 @@
+type ssh_tmp_t;
+files_tmp_file(ssh_tmp_t)
+
++typealias ssh_home_t alias unconfined_ssh_home_t;
++typealias ssh_home_t alias unconfined_home_ssh_t;
++typealias ssh_tmp_t alias unconfined_ssh_tmp_t;
++
#################################
#
# sshd local policy
-@@ -78,6 +84,9 @@
+@@ -78,6 +88,9 @@
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
@@ -25970,7 +25975,7 @@
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -99,6 +108,14 @@
+@@ -99,6 +112,14 @@
')
optional_policy(`
@@ -25985,7 +25990,7 @@
daemontools_service_domain(sshd_t, sshd_exec_t)
')
-@@ -117,7 +134,11 @@
+@@ -117,7 +138,11 @@
')
optional_policy(`
@@ -25998,7 +26003,7 @@
unconfined_shell_domtrans(sshd_t)
')
-@@ -176,6 +197,8 @@
+@@ -176,6 +201,8 @@
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
@@ -29884,7 +29889,7 @@
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-01 16:41:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-04 08:07:48.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -29986,16 +29991,17 @@
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +284,8 @@
+@@ -267,6 +284,9 @@
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +310,8 @@
+@@ -291,6 +311,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
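Review bot: The added entry `/usr/lib(64)?/virtualbox/.*\.so` labels every `.so` file anywhere below the virtualbox directory as textrel_shlib_t. That is wider than the `VBox.*\.so` entry directly above it and largely overlaps it. textrel_shlib_t is the label that lets a library carry text relocations, so it is safer to grant it to named libraries than to a whole tree. If only particular libraries were being denied, list those; otherwise add a comment such as `# VirtualBox ships textrel libraries outside the VBox* naming scheme` so the breadth is a recorded decision. The surrounding file-context list continues outside this hunk.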
@@ -30004,7 +30010,7 @@
') dnl end distro_redhat
#
-@@ -310,3 +331,21 @@
+@@ -310,3 +332,21 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -30220,7 +30226,7 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.13/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/logging.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/logging.te 2008-12-04 08:26:19.000000000 -0500
@@ -129,7 +129,7 @@
allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file rw_file_perms;
@@ -30230,7 +30236,16 @@
allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -221,9 +221,9 @@
+@@ -182,6 +182,8 @@
+ logging_domtrans_dispatcher(auditd_t)
+ logging_signal_dispatcher(auditd_t)
+
++auth_use_nsswitch(auditd_t)
++
+ libs_use_ld_so(auditd_t)
+ libs_use_shared_libs(auditd_t)
+
+@@ -221,9 +223,9 @@
# audit dispatcher local policy
#
@@ -30242,7 +30257,7 @@
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;
-@@ -237,9 +237,12 @@
+@@ -237,9 +239,12 @@
domain_use_interactive_fds(audisp_t)
files_read_etc_files(audisp_t)
@@ -30255,7 +30270,22 @@
libs_use_ld_so(audisp_t)
libs_use_shared_libs(audisp_t)
-@@ -352,7 +355,7 @@
+@@ -262,9 +267,14 @@
+ corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
+ corenet_tcp_connect_audit_port(audisp_remote_t)
+ corenet_sendrecv_audit_client_packets(audisp_remote_t)
++corenet_tcp_bind_audit_port(audisp_remote_t)
++corenet_tcp_sendrecv_all_ports(audisp_remote_t)
++corenet_tcp_bind_all_nodes(audisp_remote_t)
+
+ files_read_etc_files(audisp_remote_t)
+
++auth_use_nsswitch(audisp_remote_t)
++
+ libs_use_ld_so(audisp_remote_t)
+ libs_use_shared_libs(audisp_remote_t)
+
+@@ -352,7 +362,7 @@
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
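Review bot: The three added corenet rules for audisp_remote_t widen the network access of a domain that until now only connected to the audit port, and nothing in the patch says why a client needs to bind. `corenet_tcp_sendrecv_all_ports(audisp_remote_t)` in particular is broader than the existing `corenet_tcp_connect_audit_port` line suggests is needed; if refpolicy generates the per-port variant here, `corenet_tcp_sendrecv_audit_port(audisp_remote_t)` would keep the domain scoped to the audit port. If the bind is there so the daemon can use a fixed local source port (an assumption to confirm), say so with a comment such as `# audisp-remote may bind a fixed local port before connecting`. The same hunk and the earlier auditd_t hunk also add `auth_use_nsswitch`, which brings name-service lookups into both domains and deserves the same one-line justification.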
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.758
retrieving revision 1.759
diff -u -r1.758 -r1.759
--- selinux-policy.spec 3 Dec 2008 22:02:47 -0000 1.758
+++ selinux-policy.spec 4 Dec 2008 14:28:43 -0000 1.759
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 30%{?dist}
+Release: 31%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -336,6 +336,8 @@
fi
exit 0
+%triggerpostun targeted -- selinux-policy-targeted < 3.5.13-31.fc10
+setsebool -P allow_unconfined_nsplugin_transition=0
%triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9
. /etc/selinux/config
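Review bot: The new `%triggerpostun targeted -- selinux-policy-targeted < 3.5.13-31.fc10` runs `setsebool -P`, so the boolean is forced off persistently on every upgrading system, including machines where an administrator deliberately kept nsplugin confinement enabled. Changing the shipped default in booleans-targeted.conf already covers fresh installs; if existing systems must be changed too, the changelog should say so, and a comment above the trigger, e.g. `# Force the new default on upgrade; re-enable with setsebool -P allow_unconfined_nsplugin_transition=1`, would tell admins how to restore it. The scriptlet also has no `exit 0` and does not tolerate `setsebool` failing (for example if SELinux is disabled), unlike the scriptlet ending just above it; `setsebool -P allow_unconfined_nsplugin_transition=0 || :` would keep the upgrade quiet. The older trigger that follows continues outside the hunk.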