rpms/selinux-policy/devel policy-20081111.patch, 1.17, 1.18 selinux-policy.spec, 1.759, 1.760
Daniel J Walsh
dwalsh at fedoraproject.org
Sat Dec 27 13:05:33 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv440
Modified Files:
policy-20081111.patch selinux-policy.spec
Log Message:
* Sat Dec 27 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-14
- Change userdom_read_all_users_state to include reading symbolic links in /proc
policy-20081111.patch:
Index: policy-20081111.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20081111.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- policy-20081111.patch 22 Dec 2008 22:51:28 -0000 1.17
+++ policy-20081111.patch 27 Dec 2008 13:05:32 -0000 1.18
@@ -3442,7 +3442,7 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.1/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/qemu.te 2008-12-04 16:29:05.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/apps/qemu.te 2008-12-23 11:34:57.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@@ -3452,12 +3452,19 @@
## <desc>
## <p>
## Allow qemu to connect fully to the network
-@@ -13,16 +15,98 @@
+@@ -13,16 +15,105 @@
## </desc>
gen_tunable(qemu_full_network, false)
+## <desc>
+## <p>
++## Allow qemu to use usb devices
++## </p>
++## </desc>
++gen_tunable(qemu_use_usb, true)
++
++## <desc>
++## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
@@ -3551,16 +3558,24 @@
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
-@@ -35,6 +119,30 @@
+@@ -35,6 +126,38 @@
corenet_tcp_connect_all_ports(qemu_t)
')
+tunable_policy(`qemu_use_nfs',`
++ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
++ fs_manage_cifs_files(qemu_t)
++')
++
++tunable_policy(`qemu_use_usb',`
++ dev_rw_usbfs(qemu_t)
++ fs_manage_dos_dirs(qemu_t)
++ fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
@@ -20626,7 +20641,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-18 10:03:59.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-27 07:07:28.000000000 -0500
@@ -75,7 +75,7 @@
ubac_constrained(ssh_tmpfs_t)
@@ -20678,7 +20693,16 @@
')
optional_policy(`
-@@ -318,6 +323,10 @@
+@@ -310,6 +315,8 @@
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
+
++fs_list_inotifyfs(sshd_t)
++
+ term_use_all_user_ptys(sshd_t)
+ term_setattr_all_user_ptys(sshd_t)
+ term_relabelto_all_user_ptys(sshd_t)
+@@ -318,6 +325,10 @@
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
@@ -20689,7 +20713,7 @@
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -331,6 +340,14 @@
+@@ -331,6 +342,14 @@
')
optional_policy(`
@@ -20704,7 +20728,7 @@
daemontools_service_domain(sshd_t, sshd_exec_t)
')
-@@ -349,7 +366,11 @@
+@@ -349,7 +368,11 @@
')
optional_policy(`
@@ -20717,7 +20741,7 @@
unconfined_shell_domtrans(sshd_t)
')
-@@ -408,6 +429,8 @@
+@@ -408,6 +431,8 @@
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
@@ -26411,7 +26435,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-18 10:02:36.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-27 06:28:18.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -27739,7 +27763,15 @@
## Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
-@@ -2965,6 +3150,24 @@
+@@ -2851,6 +3036,7 @@
+ ')
+
+ read_files_pattern($1,userdomain,userdomain)
++ read_lnk_files_pattern($1,userdomain,userdomain)
+ kernel_search_proc($1)
+ ')
+
+@@ -2965,6 +3151,24 @@
########################################
## <summary>
@@ -27764,7 +27796,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -2981,3 +3184,264 @@
+@@ -2981,3 +3185,264 @@
allow $1 userdomain:dbus send_msg;
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.759
retrieving revision 1.760
diff -u -r1.759 -r1.760
--- selinux-policy.spec 22 Dec 2008 22:51:28 -0000 1.759
+++ selinux-policy.spec 27 Dec 2008 13:05:32 -0000 1.760
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.1
-Release: 13%{?dist}
+Release: 14%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@
%endif
%changelog
+* Sat Dec 27 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-14
+- Change userdom_read_all_users_state to include reading symbolic links in /proc
+
* Mon Dec 22 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-13
- Fix dbus reading /proc information
More information about the fedora-extras-commits
mailing list