rpms/selinux-policy/F-9 policy-20071130.patch, 1.187, 1.188 selinux-policy.spec, 1.693, 1.694
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Jul 3 20:16:18 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30251
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Thu Jul 3 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-76
- Allow ypbind apps to net_bind_service
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.187
retrieving revision 1.188
diff -u -r1.187 -r1.188
--- policy-20071130.patch 2 Jul 2008 21:06:26 -0000 1.187
+++ policy-20071130.patch 3 Jul 2008 20:15:27 -0000 1.188
@@ -17138,8 +17138,24 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.3.1/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-07-02 08:47:10.000000000 -0400
-@@ -54,6 +54,12 @@
++++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-07-03 14:50:17.000000000 -0400
+@@ -16,6 +16,7 @@
+ type kadmind_t;
+ type kadmind_exec_t;
+ init_daemon_domain(kadmind_t,kadmind_exec_t)
++domain_obj_id_change_exemption(kadmind_t)
+
+ type kadmind_log_t;
+ logging_log_file(kadmind_log_t)
+@@ -44,6 +45,7 @@
+ type krb5kdc_t;
+ type krb5kdc_exec_t;
+ init_daemon_domain(krb5kdc_t,krb5kdc_exec_t)
++domain_obj_id_change_exemption(krb5kdc_t)
+
+ type krb5kdc_log_t;
+ logging_log_file(krb5kdc_log_t)
+@@ -54,6 +56,12 @@
type krb5kdc_var_run_t;
files_pid_file(krb5kdc_var_run_t)
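Review bot: The two added `domain_obj_id_change_exemption(...)` calls for kadmind_t and krb5kdc_t have no comment saying which operation needs the exemption, and the log message mentions only ypbind. Judging by the interface name, this lifts the constraint on changing the SELinux user identity of objects, which is a broad exemption for two network-facing daemons. The reason should be recorded next to each call, for example `# kadmind_t changes the SELinux user on <files: fill in>; see <bug reference>`, so a later audit can tell whether the exemption is still required.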
@@ -17152,7 +17168,7 @@
########################################
#
# kadmind local policy
-@@ -62,7 +68,7 @@
+@@ -62,7 +70,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
@@ -17161,7 +17177,7 @@
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
-@@ -91,6 +97,7 @@
+@@ -91,6 +99,7 @@
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
@@ -17169,7 +17185,7 @@
corenet_all_recvfrom_unlabeled(kadmind_t)
corenet_all_recvfrom_netlabel(kadmind_t)
-@@ -118,6 +125,12 @@
+@@ -118,6 +127,12 @@
domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
@@ -17182,7 +17198,7 @@
libs_use_ld_so(kadmind_t)
libs_use_shared_libs(kadmind_t)
-@@ -127,6 +140,7 @@
+@@ -127,6 +142,7 @@
miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
@@ -17190,7 +17206,7 @@
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -137,6 +151,7 @@
+@@ -137,6 +153,7 @@
optional_policy(`
seutil_sigchld_newrole(kadmind_t)
@@ -17198,7 +17214,7 @@
')
optional_policy(`
-@@ -151,7 +166,7 @@
+@@ -151,7 +168,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
@@ -17207,7 +17223,7 @@
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
-@@ -215,6 +230,9 @@
+@@ -215,6 +232,9 @@
files_read_usr_symlinks(krb5kdc_t)
files_read_var_files(krb5kdc_t)
@@ -17217,7 +17233,7 @@
libs_use_ld_so(krb5kdc_t)
libs_use_shared_libs(krb5kdc_t)
-@@ -223,6 +241,7 @@
+@@ -223,6 +243,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
@@ -17225,7 +17241,7 @@
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -233,8 +252,10 @@
+@@ -233,8 +254,10 @@
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
@@ -17925,7 +17941,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-07-02 09:53:40.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-07-03 14:44:32.000000000 -0400
@@ -6,6 +6,8 @@
# Declarations
#
@@ -18026,7 +18042,7 @@
logrotate_read_tmp_files(system_mail_t)
')
-@@ -136,11 +175,38 @@
+@@ -136,11 +175,40 @@
')
optional_policy(`
@@ -18047,6 +18063,8 @@
')
-# should break this up among sections:
++read_files_pattern(mailserver_delivery, system_mail_tmp_t, , system_mail_tmp_t)
+
+init_stream_connect_script(mailserver_delivery)
+init_rw_script_stream_sockets(mailserver_delivery)
+
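Review bot: The added `read_files_pattern(mailserver_delivery, system_mail_tmp_t, , system_mail_tmp_t)` passes an empty third argument and a stray fourth one, whereas read_files_pattern in the reference policy takes a domain, a directory type and a file type. With the file-type slot empty, the expanded file rule would most likely fail to compile or not grant what was intended. The intended line is probably `read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)`. The enclosing block of mta.te starts and ends outside this hunk.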
@@ -18055,7 +18073,7 @@
+ fs_manage_cifs_files(mailserver_delivery)
+ fs_manage_cifs_symlinks(mailserver_delivery)
+')
-
++
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mailserver_delivery)
+ fs_manage_nfs_files(mailserver_delivery)
@@ -18066,7 +18084,7 @@
optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +220,4 @@
+@@ -154,3 +222,4 @@
cron_read_system_job_tmp_files(mta_user_agent)
')
')
@@ -18907,7 +18925,16 @@
+/etc/rc.d/init.d/ypxfrd -- gen_context(system_u:object_r:nis_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.3.1/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/nis.if 2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/nis.if 2008-07-03 12:18:46.000000000 -0400
+@@ -28,7 +28,7 @@
+ type var_yp_t;
+ ')
+
+- dontaudit $1 self:capability net_bind_service;
++ allow $1 self:capability net_bind_service;
+
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
@@ -49,8 +49,8 @@
corenet_udp_bind_all_nodes($1)
corenet_tcp_bind_generic_port($1)
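Review bot: Changing `dontaudit $1 self:capability net_bind_service;` to `allow` gives the capability to every domain that calls this interface, not only to programs that actually bind a reserved port for NIS. The hunk does not show whether the rule sits inside a tunable, so confirm it is only active under the `allow_ypbind` boolean. If it is unconditional, wrapping it in that tunable keeps hosts that do not use NIS at their previous privilege. A comment such as `# NIS clients bind a reserved port when contacting the server` would record why the capability is granted. The interface body starts before and continues after this hunk.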
@@ -23066,12 +23093,14 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.3.1/policy/modules/services/rsync.fc
--- nsaserefpolicy/policy/modules/services/rsync.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rsync.fc 2008-07-02 08:47:10.000000000 -0400
-@@ -1,2 +1,4 @@
++++ serefpolicy-3.3.1/policy/modules/services/rsync.fc 2008-07-03 14:07:54.000000000 -0400
+@@ -1,2 +1,6 @@
/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
-+/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0)
++/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
++
++/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.3.1/policy/modules/services/rsync.if
--- nsaserefpolicy/policy/modules/services/rsync.if 2008-06-12 23:38:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/rsync.if 2008-07-02 08:47:10.000000000 -0400
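Review bot: The new entry labels `/var/run/rsyncd\.lock` with `rsync_log_t`, a log type, although the file is a lock under /var/run. The 3.3.1-75 changelog entry shown in this commit says all system and application domains may append to any log file, so if rsync_log_t is declared as a log file type the lock file presumably becomes appendable by those domains too. A dedicated type declared with `files_pid_file(...)` in rsync.te would keep the lock out of that rule, e.g. `/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)`.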
@@ -31787,7 +31816,7 @@
samba_run_smbmount($1, $2, $3)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/mount.te 2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/mount.te 2008-07-03 15:35:42.000000000 -0400
@@ -18,17 +18,18 @@
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
@@ -31840,26 +31869,29 @@
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,6 +66,7 @@
+@@ -62,16 +66,19 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
+storage_rw_fuse(mount_t)
- fs_getattr_xattr_fs(mount_t)
- fs_getattr_cifs(mount_t)
-@@ -71,7 +76,10 @@
+-fs_getattr_xattr_fs(mount_t)
+-fs_getattr_cifs(mount_t)
++fs_list_all(mount_t)
++fs_getattr_all_fs(mount_t)
+ fs_mount_all_fs(mount_t)
+ fs_unmount_all_fs(mount_t)
+ fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
fs_read_tmpfs_symlinks(mount_t)
-+fs_search_fusefs_dirs(mount_t)
+fs_manage_nfs_dirs(mount_t)
term_use_all_terms(mount_t)
-@@ -100,6 +108,8 @@
+@@ -100,6 +107,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -31868,7 +31900,7 @@
auth_use_nsswitch(mount_t)
-@@ -119,6 +129,8 @@
+@@ -119,6 +128,8 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -31877,7 +31909,7 @@
ifdef(`distro_redhat',`
optional_policy(`
-@@ -167,6 +179,8 @@
+@@ -167,6 +178,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -31886,7 +31918,7 @@
')
optional_policy(`
-@@ -181,6 +195,11 @@
+@@ -181,6 +194,11 @@
')
')
@@ -31898,7 +31930,7 @@
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -188,6 +207,7 @@
+@@ -188,6 +206,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -31906,7 +31938,7 @@
')
########################################
-@@ -198,4 +218,26 @@
+@@ -198,4 +217,26 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.693
retrieving revision 1.694
diff -u -r1.693 -r1.694
--- selinux-policy.spec 2 Jul 2008 20:45:03 -0000 1.693
+++ selinux-policy.spec 3 Jul 2008 20:15:27 -0000 1.694
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 75%{?dist}
+Release: 76%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,12 +385,14 @@
%endif
%changelog
+* Thu Jul 3 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-76
+- Allow ypbind apps to net_bind_service
+
* Tue Jul 2 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-75
- Fix transition from unconfined_t to dhcpc_t
- Allow all system domains and application domains to append to any log file
- allow sendmail to use courier_spool fifo files
-
* Tue Jul 1 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-74
- Make virtd an unconfined domain