rpms/selinux-policy/devel policy-20081111.patch, 1.17, 1.18 selinux-policy.spec, 1.759, 1.760

Daniel J Walsh dwalsh at fedoraproject.org
Sat Dec 27 13:05:33 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv440

Modified Files:
	policy-20081111.patch selinux-policy.spec 
Log Message:
* Sat Dec 27 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-14
- Change userdom_read_all_users_state to include reading symbolic links in /proc


policy-20081111.patch:

Index: policy-20081111.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20081111.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- policy-20081111.patch	22 Dec 2008 22:51:28 -0000	1.17
+++ policy-20081111.patch	27 Dec 2008 13:05:32 -0000	1.18
@@ -3442,7 +3442,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.1/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/qemu.te	2008-12-04 16:29:05.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/apps/qemu.te	2008-12-23 11:34:57.000000000 -0500
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -3452,12 +3452,19 @@
  ## <desc>
  ## <p>
  ## Allow qemu to connect fully to the network
-@@ -13,16 +15,98 @@
+@@ -13,16 +15,105 @@
  ## </desc>
  gen_tunable(qemu_full_network, false)
  
 +## <desc>
 +## <p>
++## Allow qemu to use usb devices
++## </p>
++## </desc>
++gen_tunable(qemu_use_usb, true)
++
++## <desc>
++## <p>
 +## Allow qemu to use nfs file systems
 +## </p>
 +## </desc>
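Review bot: The new boolean is declared as `gen_tunable(qemu_use_usb, true)`, so the rules it gates are active on every system that installs this policy, whereas `qemu_full_network` a few lines above is declared `false`. For a confined virtualization domain the safer default is opt-in, `gen_tunable(qemu_use_usb, false)`, with the administrator running `setsebool -P qemu_use_usb on` when a guest needs USB access. If default-on is intentional, the `<desc>` text should say so. The 3.6.1-14 changelog entry should also mention the new boolean, since it currently lists only the userdomain change.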
@@ -3551,16 +3558,24 @@
  tunable_policy(`qemu_full_network',`
  	allow qemu_t self:udp_socket create_socket_perms;
  
-@@ -35,6 +119,30 @@
+@@ -35,6 +126,38 @@
  	corenet_tcp_connect_all_ports(qemu_t)
  ')
  
 +tunable_policy(`qemu_use_nfs',`
++	fs_manage_nfs_dirs(qemu_t)
 +	fs_manage_nfs_files(qemu_t)
 +')
 +
 +tunable_policy(`qemu_use_cifs',`
 +	fs_manage_cifs_dirs(qemu_t)
++	fs_manage_cifs_files(qemu_t)
++')
++
++tunable_policy(`qemu_use_usb',`
++	dev_rw_usbfs(qemu_t)
++	fs_manage_dos_dirs(qemu_t)
++	fs_manage_dos_files(qemu_t)
 +')
 +
 +optional_policy(`
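Review bot: The `qemu_use_usb` block grants more than its description ("Allow qemu to use usb devices") says. Besides `dev_rw_usbfs(qemu_t)` it adds `fs_manage_dos_dirs(qemu_t)` and `fs_manage_dos_files(qemu_t)`, which presumably apply to any file system carrying the DOS/vfat label, not only to USB storage. Either state that in the tunable's description, e.g. `## Allow qemu to use usb devices and manage files on DOS (vfat) file systems`, or move the two `fs_manage_dos_*` lines under a boolean of their own so raw USB access and file management can be enabled independently. The surrounding qemu.te policy starts and ends outside this hunk.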
@@ -20626,7 +20641,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/ssh.te	2008-12-18 10:03:59.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/ssh.te	2008-12-27 07:07:28.000000000 -0500
 @@ -75,7 +75,7 @@
  ubac_constrained(ssh_tmpfs_t)
  
@@ -20678,7 +20693,16 @@
  ')
  
  optional_policy(`
-@@ -318,6 +323,10 @@
+@@ -310,6 +315,8 @@
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
+ 
++fs_list_inotifyfs(sshd_t)
++
+ term_use_all_user_ptys(sshd_t)
+ term_setattr_all_user_ptys(sshd_t)
+ term_relabelto_all_user_ptys(sshd_t)
+@@ -318,6 +325,10 @@
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
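Review bot: `fs_list_inotifyfs(sshd_t)` is added to sshd_t without a comment, and the changelog entry for this revision does not mention it. sshd_t is a network-facing login domain, so each extra permission should carry a recorded reason. A one-line comment above the rule would do, such as `# <component> lists inotifyfs during login, see <bug reference placeholder>`. If the access is not needed for login to succeed, a dontaudit rule would be the narrower choice, but that cannot be judged from the hunk alone.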
@@ -20689,7 +20713,7 @@
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
  	# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -331,6 +340,14 @@
+@@ -331,6 +342,14 @@
  ')
  
  optional_policy(`
@@ -20704,7 +20728,7 @@
  	daemontools_service_domain(sshd_t, sshd_exec_t)
  ')
  
-@@ -349,7 +366,11 @@
+@@ -349,7 +368,11 @@
  ')
  
  optional_policy(`
@@ -20717,7 +20741,7 @@
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -408,6 +429,8 @@
+@@ -408,6 +431,8 @@
  init_use_fds(ssh_keygen_t)
  init_use_script_ptys(ssh_keygen_t)
  
@@ -26411,7 +26435,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-18 10:02:36.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-27 06:28:18.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -27739,7 +27763,15 @@
  ##	Do not audit attempts to use user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -2965,6 +3150,24 @@
+@@ -2851,6 +3036,7 @@
+ 	')
+ 
+ 	read_files_pattern($1,userdomain,userdomain)
++	read_lnk_files_pattern($1,userdomain,userdomain)
+ 	kernel_search_proc($1)
+ ')
+ 
+@@ -2965,6 +3151,24 @@
  
  ########################################
  ## <summary>
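Review bot: `read_lnk_files_pattern($1,userdomain,userdomain)` is added inside a shared interface (userdom_read_all_users_state, going by the commit log), so every domain that calls it gains read access to the symbolic links of all user domains, not only the caller that hit the denial. In /proc such links typically reveal a process's working directory, executable and open file descriptors, so the existing callers are worth reviewing, or the rule could be granted only to the domain that needs it. The interface's `## <summary>` lies outside this hunk and should be updated to match, e.g. `##	Read the process state and symbolic links (/proc/pid) of all user domains.`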
@@ -27764,7 +27796,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3184,264 @@
+@@ -2981,3 +3185,264 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.759
retrieving revision 1.760
diff -u -r1.759 -r1.760
--- selinux-policy.spec	22 Dec 2008 22:51:28 -0000	1.759
+++ selinux-policy.spec	27 Dec 2008 13:05:32 -0000	1.760
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.1
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@
 %endif
 
 %changelog
+* Sat Dec 27 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-14
+- Change userdom_read_all_users_state to include reading symbolic links in /proc
+
 * Mon Dec 22 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-13
 - Fix dbus reading /proc information
 



