rpms/selinux-policy/F-10 policy-20080710.patch, 1.109, 1.110 selinux-policy.spec, 1.759, 1.760

Daniel J Walsh dwalsh at fedoraproject.org
Thu Dec 4 21:24:46 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv18264

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
* Thu Dec 4 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-32
- Turn off nsplugin transition, by default
- Allow httpd_sys_script_t to communicate with postgresql


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.109
retrieving revision 1.110
diff -u -r1.109 -r1.110
--- policy-20080710.patch	4 Dec 2008 14:28:42 -0000	1.109
+++ policy-20080710.patch	4 Dec 2008 21:24:45 -0000	1.110
@@ -626,6 +626,17 @@
  	samba_read_log(logwatch_t)
 +	samba_read_share_files(logwatch_t)
  ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.13/policy/modules/admin/mrtg.te
+--- nsaserefpolicy/policy/modules/admin/mrtg.te	2008-10-17 08:49:14.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/admin/mrtg.te	2008-12-04 14:28:07.000000000 -0500
+@@ -116,6 +116,7 @@
+ selinux_dontaudit_getattr_dir(mrtg_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
++userdom_dontaudit_list_admin_dir(mrtg_t)
+ 
+ sysadm_use_terms(mrtg_t)
+ sysadm_dontaudit_read_home_content_files(mrtg_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.13/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2008-10-17 08:49:14.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/admin/netutils.te	2008-11-24 10:49:49.000000000 -0500
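Review bot: The added `userdom_dontaudit_list_admin_dir(mrtg_t)` line in the new mrtg.te section is not mentioned in the log message or the spec changelog, and it carries no comment saying why mrtg_t attempts that access. The same gap applies to `fs_list_inotifyfs(munin_t)` in the munin.te hunk and to the `virt_manage_images(xm_t)` / `virt_stream_connect(xm_t)` block in the xen.te hunk. A dontaudit rule removes the denial from the audit log, so a later reader cannot tell from the logs that the access was ever attempted. I would add changelog lines such as `- Dontaudit mrtg listing the admin home directory` and `- Allow munin to list inotifyfs`, plus a one-line comment above the dontaudit giving the reason. The mrtg.te policy continues outside the quoted context.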
@@ -11148,7 +11159,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/apache.te	2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/apache.te	2008-12-04 14:56:57.000000000 -0500
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -11568,7 +11579,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -551,22 +695,27 @@
+@@ -551,22 +695,30 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -11591,9 +11602,10 @@
 +	corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
  ')
  
--optional_policy(`
+ optional_policy(`
 -	nis_use_ypbind(httpd_php_t)
--')
++	postgresql_stream_connect(httpd_sys_script_t)
+ ')
  
  optional_policy(`
 -	postgresql_stream_connect(httpd_php_t)
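Review bot: The new `postgresql_stream_connect(httpd_sys_script_t)` rule appears to sit in the region headed "Apache PHP script local policy", where it takes the slot of the removed `nis_use_ypbind(httpd_php_t)`. The other database grant for this domain, `mysql_stream_connect(httpd_sys_script_t)`, is in the httpd_sys_script_t section further down (the `@@ -716,10 +922,10 @@` hunk). Moving the PostgreSQL rule into that block would keep the domain's database access reviewable in one place. The grant is also conditional only on the postgresql module being present, so every script labelled httpd_sys_script_t may connect to the PostgreSQL socket by default. If that is broader than intended, wrap it in a `tunable_policy` as this file already does for `httpd_enable_homedirs`, with a boolean chosen by the maintainer. The enclosing section begins and ends outside this hunk.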
@@ -11602,7 +11614,7 @@
  ')
  
  ########################################
-@@ -584,12 +733,14 @@
+@@ -584,12 +736,14 @@
  append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  
@@ -11618,7 +11630,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -598,9 +749,7 @@
+@@ -598,9 +752,7 @@
  
  fs_search_auto_mountpoints(httpd_suexec_t)
  
@@ -11629,7 +11641,7 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -633,12 +782,25 @@
+@@ -633,12 +785,25 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -11658,7 +11670,7 @@
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -647,6 +809,12 @@
+@@ -647,6 +812,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -11671,7 +11683,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -664,20 +832,20 @@
+@@ -664,20 +835,20 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -11697,7 +11709,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -691,12 +859,22 @@
+@@ -691,12 +862,22 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -11722,7 +11734,7 @@
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -704,6 +882,31 @@
+@@ -704,6 +885,31 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -11754,7 +11766,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -716,10 +919,10 @@
+@@ -716,10 +922,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -11769,7 +11781,7 @@
  ')
  
  ########################################
-@@ -727,6 +930,8 @@
+@@ -727,6 +933,8 @@
  # httpd_rotatelogs local policy
  #
  
@@ -11778,7 +11790,7 @@
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -741,3 +946,66 @@
+@@ -741,3 +949,66 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -17388,7 +17400,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/munin.te	2008-12-02 15:11:02.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/munin.te	2008-12-04 16:13:54.000000000 -0500
 @@ -13,6 +13,9 @@
  type munin_etc_t alias lrrd_etc_t;
  files_config_file(munin_etc_t)
@@ -17441,7 +17453,7 @@
  
  corenet_all_recvfrom_unlabeled(munin_t)
  corenet_all_recvfrom_netlabel(munin_t)
-@@ -73,30 +82,39 @@
+@@ -73,30 +82,40 @@
  corenet_udp_sendrecv_all_nodes(munin_t)
  corenet_tcp_sendrecv_all_ports(munin_t)
  corenet_udp_sendrecv_all_ports(munin_t)
@@ -17463,9 +17475,10 @@
  
  fs_getattr_all_fs(munin_t)
  fs_search_auto_mountpoints(munin_t)
- 
-+auth_use_nsswitch(munin_t)
++fs_list_inotifyfs(munin_t)
 +
++auth_use_nsswitch(munin_t)
+ 
  libs_use_ld_so(munin_t)
  libs_use_shared_libs(munin_t)
  
@@ -17483,7 +17496,7 @@
  sysadm_dontaudit_search_home_dirs(munin_t)
  
  optional_policy(`
-@@ -109,7 +127,30 @@
+@@ -109,7 +128,30 @@
  ')
  
  optional_policy(`
@@ -17515,7 +17528,7 @@
  ')
  
  optional_policy(`
-@@ -119,3 +160,9 @@
+@@ -119,3 +161,9 @@
  optional_policy(`
  	udev_read_db(munin_t)
  ')
@@ -31783,7 +31796,7 @@
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.13/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if	2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if	2008-12-04 15:04:44.000000000 -0500
 @@ -198,7 +198,25 @@
  		type dhcpc_state_t;
  	')
@@ -35939,7 +35952,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/xen.te	2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/xen.te	2008-12-04 13:40:54.000000000 -0500
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -36139,7 +36152,7 @@
  init_rw_script_stream_sockets(xm_t)
  init_use_fds(xm_t)
  
-@@ -358,8 +395,25 @@
+@@ -358,8 +395,30 @@
  
  miscfiles_read_localization(xm_t)
  
@@ -36152,6 +36165,11 @@
  xen_stream_connect(xm_t)
  xen_stream_connect_xenstore(xm_t)
 +
++optional_policy(`
++	virt_manage_images(xm_t)
++	virt_stream_connect(xm_t)
++')
++
 +#Should have a boolean wrapping these
 +fs_list_auto_mountpoints(xend_t)
 +files_search_mnt(xend_t)
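Review bot: `virt_manage_images(xm_t)` in the added optional_policy block looks broader than the neighbouring xm_t rules, which are connect-only (`xen_stream_connect`, `xen_stream_connect_xenstore`). Going by the interface name it grants management of virtual machine image files, though its definition is not on this page. If xm only needs to open existing images, a narrower read or read/write grant would be the tighter choice. If manage is required, a comment above the block stating which xm operation needs it would record the reason, much as the `#Should have a boolean wrapping these` comment does for the xend_t lines below. The xm_t section starts outside this hunk.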


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.759
retrieving revision 1.760
diff -u -r1.759 -r1.760
--- selinux-policy.spec	4 Dec 2008 14:28:43 -0000	1.759
+++ selinux-policy.spec	4 Dec 2008 21:24:46 -0000	1.760
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 31%{?dist}
+Release: 32%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -459,6 +459,10 @@
 %endif
 
 %changelog
+* Thu Dec 4 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-32
+- Turn off nsplugin transition, by default
+- Allow httpd_sys_script_t to communicate with postgresql
+
 * Wed Dec 2 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-30
 - Allow nsplugin to list gconf_home_t directory
 



