rpms/selinux-policy/F-10 policy-20080710.patch, 1.112, 1.113 selinux-policy.spec, 1.761, 1.762
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Dec 9 21:04:53 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19846
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
* Tue Dec 9 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-34
- Allow semanage to send signals to itself
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.112
retrieving revision 1.113
diff -u -r1.112 -r1.113
--- policy-20080710.patch 8 Dec 2008 22:00:09 -0000 1.112
+++ policy-20080710.patch 9 Dec 2008 21:04:50 -0000 1.113
@@ -4964,8 +4964,8 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.13/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te 2008-11-24 10:49:49.000000000 -0500
-@@ -11,24 +11,55 @@
++++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te 2008-12-09 14:43:48.000000000 -0500
+@@ -11,24 +11,61 @@
application_domain(podsleuth_t, podsleuth_exec_t)
role system_r types podsleuth_t;
@@ -5004,6 +5004,12 @@
+fs_read_dos_files(podsleuth_t)
+fs_search_dos(podsleuth_t)
+
++fs_mount_nfs_fs(podsleuth_t)
++fs_unmount_nfs_fs(podsleuth_t)
++fs_getattr_nfs_fs(podsleuth_t)
++fs_read_nfs_files(podsleuth_t)
++fs_search_nfs(podsleuth_t)
++
+allow podsleuth_t podsleuth_tmp_t:dir mounton;
+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
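Review bot: The fs_mount_nfs_fs and fs_unmount_nfs_fs calls added for podsleuth_t on lines 36-37 give an application domain the ability to mount and unmount NFS filesystems, a much broader grant than the neighbouring getattr/read/search rules, and nothing in the hunk says why. If the need is only to read data living on an NFS-backed home or tmp directory, fs_read_nfs_files and fs_search_nfs on lines 39-40 already cover it and the mount/unmount pair could be dropped; if mounting is really required, keep the reason with the rules, e.g. `# mount/unmount needed because <reason> — fs_read_nfs_files alone is not enough`. The `allow podsleuth_t podsleuth_tmp_t:dir mounton;` that follows suggests the mount target is the tmp directory, but that is an inference from the hunk, not something it states.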
@@ -15579,7 +15585,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-12-09 13:32:10.000000000 -0500
@@ -10,6 +10,9 @@
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
@@ -15618,7 +15624,12 @@
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
-@@ -71,6 +73,8 @@
+@@ -67,10 +69,13 @@
+
+ # allow access to dnsmasq.conf
+ files_read_etc_files(dnsmasq_t)
++files_read_etc_runtime_files(dnsmasq_t)
+
fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)
@@ -15627,7 +15638,7 @@
libs_use_ld_so(dnsmasq_t)
libs_use_shared_libs(dnsmasq_t)
-@@ -78,14 +82,12 @@
+@@ -78,14 +83,12 @@
miscfiles_read_localization(dnsmasq_t)
@@ -15643,7 +15654,7 @@
')
optional_policy(`
-@@ -95,3 +97,7 @@
+@@ -95,3 +98,7 @@
optional_policy(`
udev_read_db(dnsmasq_t)
')
@@ -20756,7 +20767,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.5.13/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-12-09 13:51:00.000000000 -0500
@@ -0,0 +1,55 @@
+policy_module(portreserve,1.0.0)
+
@@ -20795,7 +20806,7 @@
+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file })
+
-+corenet_sendrecv_unlabeled_packets(portreserve_t)
++corenet_all_recvfrom_unlabeled(portreserve_t)
+corenet_all_recvfrom_netlabel(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
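Review bot: `corenet_tcp_bind_all_ports(portreserve_t)` is listed twice, on lines 96 and 97; one copy should go, since the duplicate is harmless to the compiler but leaves a reader wondering whether a udp variant was meant. The swap on lines 93-94 from corenet_sendrecv_unlabeled_packets to corenet_all_recvfrom_unlabeled widens the receive side from unlabeled packets to all unlabeled traffic, which is the usual pairing with the corenet_all_recvfrom_netlabel line below it. Whether lines 96-97 are context or new in this revision cannot be told here because the diff's leading whitespace was stripped.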
@@ -24852,7 +24863,7 @@
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.13/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.if 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.if 2008-12-09 13:35:43.000000000 -0500
@@ -37,7 +37,8 @@
gen_require(`
@@ -25383,7 +25394,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-12-03 09:33:51.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-12-09 14:59:03.000000000 -0500
@@ -21,16 +21,24 @@
gen_tunable(spamd_enable_home_dirs, true)
@@ -25442,12 +25453,13 @@
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -69,10 +89,13 @@
+@@ -69,10 +89,14 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
-allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+
++
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
+logging_log_filetrans(spamd_t, spamd_log_t, file)
@@ -25457,7 +25469,7 @@
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -81,10 +104,11 @@
+@@ -81,12 +105,21 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -25469,8 +25481,18 @@
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
++spamassassin_domtrans_spamc(spamd_t)
++manage_dirs_pattern(spamd_t, spamc_home_t, spamc_home_t)
++manage_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
++manage_lnk_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
++manage_fifo_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
++manage_sock_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
++userdom_user_home_dir_filetrans(user, spamd_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
++
kernel_read_all_sysctls(spamd_t)
-@@ -134,6 +158,8 @@
+ kernel_read_system_state(spamd_t)
+
+@@ -134,6 +167,8 @@
init_dontaudit_rw_utmp(spamd_t)
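Review bot: The new `spamassassin_domtrans_spamc(spamd_t)` on line 138, together with the manage_*_pattern rules on spamc_home_t and the `userdom_user_home_dir_filetrans` on line 144, lets the spamd daemon create and fully manage content in every user's home directory unconditionally, while this module declares `gen_tunable(spamd_enable_home_dirs, true)` (line 113) to gate home-directory access. The manage rules were only moved here from further down the same file (the removal at lines 161-166), so their scope is unchanged by this revision, but the group would be clearer either inside `tunable_policy(`spamd_enable_home_dirs',` … `')` or with a comment stating why it has to be unconditional, e.g. `# unconditional: spamd transitions to spamc_t and spamc state is created in user homes even with spamd_enable_home_dirs off`. Whether that is the intended behaviour is not recoverable from the hunk; the enclosing rule block continues outside it.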
@@ -25479,7 +25501,7 @@
libs_use_ld_so(spamd_t)
libs_use_shared_libs(spamd_t)
-@@ -141,20 +167,40 @@
+@@ -141,20 +176,33 @@
miscfiles_read_localization(spamd_t)
@@ -25492,13 +25514,6 @@
-
sysadm_dontaudit_search_home_dirs(spamd_t)
-+manage_dirs_pattern(spamd_t, spamc_home_t, spamc_home_t)
-+manage_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
-+manage_lnk_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
-+manage_fifo_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
-+manage_sock_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
-+userdom_user_home_dir_filetrans(user, spamd_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
-+
+optional_policy(`
+ # Write pid file and socket in ~/.evolution/cache/tmp
+ evolution_home_filetrans(user, spamd_t, spamd_tmp_t, { file sock_file })
@@ -25525,7 +25540,7 @@
fs_manage_cifs_files(spamd_t)
')
-@@ -172,6 +218,7 @@
+@@ -172,6 +220,7 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -25533,7 +25548,7 @@
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -181,10 +228,6 @@
+@@ -181,10 +230,6 @@
')
optional_policy(`
@@ -25544,7 +25559,7 @@
postfix_read_config(spamd_t)
')
-@@ -199,6 +242,10 @@
+@@ -199,6 +244,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -25555,7 +25570,7 @@
')
optional_policy(`
-@@ -213,3 +260,125 @@
+@@ -213,3 +262,127 @@
optional_policy(`
udev_read_db(spamd_t)
')
@@ -25637,16 +25652,18 @@
+# terminal specific to the role
+userdom_use_unpriv_users_ptys(spamc_t)
+
++allow spamc_t self:tcp_socket create_stream_socket_perms;
++allow spamc_t self:udp_socket create_socket_perms;
++
++corenet_all_recvfrom_unlabeled(spamc_t)
++corenet_all_recvfrom_netlabel(spamc_t)
++corenet_tcp_sendrecv_generic_if(spamc_t)
++corenet_tcp_sendrecv_all_nodes(spamc_t)
++corenet_tcp_connect_spamd_port(spamc_t)
++
+# set tunable if you have spamc do DNS lookups
+tunable_policy(`spamassassin_can_network',`
-+ allow spamc_t self:tcp_socket create_stream_socket_perms;
-+ allow spamc_t self:udp_socket create_socket_perms;
-+
-+ corenet_all_recvfrom_unlabeled(spamc_t)
-+ corenet_all_recvfrom_netlabel(spamc_t)
-+ corenet_tcp_sendrecv_generic_if(spamc_t)
+ corenet_udp_sendrecv_generic_if(spamc_t)
-+ corenet_tcp_sendrecv_all_nodes(spamc_t)
+ corenet_udp_sendrecv_all_nodes(spamc_t)
+ corenet_tcp_sendrecv_all_ports(spamc_t)
+ corenet_udp_sendrecv_all_ports(spamc_t)
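Review bot: The `allow spamc_t self:udp_socket create_socket_perms;` rule moved to the unconditional section on line 205 no longer matches its UDP send/receive rules, which stay inside the `spamassassin_can_network` tunable (lines 221-225), so spamc_t can always create UDP sockets but cannot use them on any interface unless the boolean is on; either move that one line back under the tunable with the udp rules or add a comment saying why creation alone is granted always. The tunable comment on line 213, `# set tunable if you have spamc do DNS lookups`, now describes only the UDP and all-ports TCP part, since TCP socket creation, generic-interface/all-nodes TCP and the connect to spamd_port (lines 204-211) are unconditional; the boolean's description in the module, outside this hunk, should say the same. The lines inside the tunable lost their indentation in this view, so the exact remaining split is inferred from the `+ ` prefix.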
@@ -29995,7 +30012,7 @@
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-04 08:07:48.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-09 10:22:43.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -30012,7 +30029,7 @@
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
-@@ -75,16 +78,18 @@
+@@ -75,18 +78,20 @@
/opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30035,8 +30052,11 @@
+/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+ /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
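Review bot: The new file context `/opt/cx.*/lib/wine/.+\.so` on line 250 uses `.*`, which in file-context regexes also matches `/`, so any path starting with `/opt/cx` that has a `lib/wine/` component anywhere below it (for example a nested `/opt/cxfoo/sub/lib/wine/x.so`) would be labelled textrel_shlib_t, the type that permits text relocations; if the intent is to cover other CrossOver products installed under `/opt/cx…` alongside cxoffice, `/opt/cx[^/]*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` limits the wildcard to one directory component. The replaced pattern on line 249 was anchored to the single directory cxoffice. Whether the two `/opt/ibm/java.*` lines on 252-253 are added or context cannot be told since leading whitespace was stripped.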
@@ -115,9 +120,17 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -31046,7 +31066,7 @@
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.13/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.if 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.if 2008-12-09 09:02:26.000000000 -0500
@@ -555,6 +555,59 @@
########################################
@@ -31217,7 +31237,7 @@
## Full management of the semanage
## module store.
## </summary>
-@@ -1165,3 +1270,260 @@
+@@ -1165,3 +1270,261 @@
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -31296,6 +31316,7 @@
+ ')
+ allow $1 self:capability { dac_override audit_write sys_resource };
+ dontaudit $1 self:capability sys_tty_config;
++ allow $1 self:process signal;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ logging_send_audit_msgs($1)
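Review bot: The added `allow $1 self:process signal;` on line 277 sits in a template whose name and summary are outside the hunk, so the only explanation of the rule is the changelog entry; a comment on the line, `# semanage signals its own process (3.5.13-34)`, would keep the reason with the rule. Self-signal is low risk, but `signal` covers every signal that does not have its own permission (sigkill, sigstop, sigchld, signull), so if the observed denial was for one specific signal the narrower permission may be enough. The interface body continues before and after this hunk.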
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.761
retrieving revision 1.762
diff -u -r1.761 -r1.762
--- selinux-policy.spec 8 Dec 2008 22:00:11 -0000 1.761
+++ selinux-policy.spec 9 Dec 2008 21:04:52 -0000 1.762
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 33%{?dist}
+Release: 34%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -459,6 +459,9 @@
%endif
%changelog
+* Tue Dec 9 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-34
+- Allow semanage to send signals to itself
+
* Fri Dec 5 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-33
- Allow nsplugin to manage sock files and fifo_files in nsplugin_home_t