rpms/selinux-policy/F-9 policy-20071130.patch, 1.174, 1.175 selinux-policy.spec, 1.683, 1.684
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Sun Jun 22 12:09:47 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16203
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Sun Jun 22 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-68
- Allow virt to getsched and setsched on qemu
- Allow networkmanager to getattr on fixed disk
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.174
retrieving revision 1.175
diff -u -r1.174 -r1.175
--- policy-20071130.patch 14 Jun 2008 11:09:15 -0000 1.174
+++ policy-20071130.patch 22 Jun 2008 12:09:00 -0000 1.175
@@ -1443,6 +1443,17 @@
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-3.3.1/policy/modules/admin/amanda.fc
+--- nsaserefpolicy/policy/modules/admin/amanda.fc 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/amanda.fc 2008-06-22 06:32:54.000000000 -0400
+@@ -3,6 +3,7 @@
+ /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+ /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
+ /etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
++/etc/amanda/.*/index(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+
+ /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.3.1/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/admin/amanda.te 2008-06-12 23:38:02.000000000 -0400
@@ -7160,7 +7171,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in 2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in 2008-06-22 07:34:11.000000000 -0400
@@ -1441,10 +1441,11 @@
#
interface(`corenet_tcp_bind_all_unreserved_ports',`
@@ -8734,8 +8745,12 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.3.1/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2008-06-12 23:38:04.000000000 -0400
-@@ -25,6 +25,8 @@
++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2008-06-22 07:46:16.000000000 -0400
+@@ -21,10 +21,11 @@
+
+ # Use xattrs for the following filesystem types.
+ # Requires that a security xattr handler exist for the filesystem.
+-fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
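Review bot: Dropping `fs_use_xattr ecryptfs` here and re-adding ecryptfs in the next hunk as `fs_noxattr_type(ecryptfs_t)` with a single `genfscon ecryptfs /` switches ecryptfs mounts from per-file labeling to one type for every file on the mount, and neither hunk carries a comment saying why. Any rule that depends on file types inside an ecryptfs-backed home directory (user_home_t and the like) will no longer apply there; every domain that needs such files needs access to ecryptfs_t instead. If the cause is that ecryptfs does not expose security xattrs to the kernel's handler, a one-line comment above `type ecryptfs_t;` stating that would let a later maintainer revisit this once it does. The surrounding filesystem.te context for both hunks lies outside what the patch shows.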
@@ -8744,7 +8759,19 @@
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
-@@ -135,6 +137,11 @@
+@@ -74,6 +75,11 @@
+ allow cpusetfs_t self:filesystem associate;
+ genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
+
++type ecryptfs_t;
++fs_noxattr_type(ecryptfs_t)
++files_mountpoint(ecryptfs_t)
++genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
++
+ type eventpollfs_t;
+ fs_type(eventpollfs_t)
+ # change to task SID 20060628
+@@ -135,6 +141,11 @@
genfscon squash / gen_context(system_u:object_r:squash_t,s0)
files_mountpoint(squash_t)
@@ -8756,7 +8783,7 @@
type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
-@@ -199,6 +206,7 @@
+@@ -199,6 +210,7 @@
allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
@@ -8764,7 +8791,7 @@
#
# iso9660_t is the type for CD filesystems
-@@ -231,6 +239,9 @@
+@@ -231,6 +243,9 @@
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -9947,7 +9974,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-06-12 23:38:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-06-22 07:01:55.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@@ -10440,15 +10467,18 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -703,6 +851,7 @@
+@@ -703,6 +851,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
++ mysql_stream_connect(httpd_suexec_t)
++ mysql_rw_db_sockets(httpd_suexec_t)
++ mysql_read_config(httpd_suexec_t)
')
########################################
-@@ -724,3 +873,60 @@
+@@ -724,3 +876,60 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
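Review bot: The three added lines give `httpd_suexec_t` itself the same MySQL socket and config access that `httpd_sys_script_t` already has, but nothing in the hunk or the log message says why the suexec wrapper, rather than the script domains it transitions to, needs to talk to the database. If this is for scripts that suexec runs without a domain transition, a comment above the new lines such as `# scripts run by suexec without their own domain need the DB socket` would record that; otherwise the rules belong in the script domain. The mysql `optional_policy` block opens at the top of the hunk and the rest of the apache.te section is outside it.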
@@ -11301,7 +11331,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.3.1/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/bind.te 2008-06-12 23:38:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/bind.te 2008-06-22 07:34:34.000000000 -0400
@@ -53,6 +53,9 @@
init_system_domain(ndc_t,ndc_exec_t)
role system_r types ndc_t;
@@ -11321,6 +11351,15 @@
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
+@@ -113,7 +116,7 @@
+ corenet_tcp_bind_all_nodes(named_t)
+ corenet_udp_bind_all_nodes(named_t)
+ corenet_tcp_bind_dns_port(named_t)
+-corenet_udp_bind_dns_port(named_t)
++corenet_udp_bind_all_ports(named_t)
+ corenet_tcp_bind_rndc_port(named_t)
+ corenet_tcp_connect_all_ports(named_t)
+ corenet_sendrecv_dns_server_packets(named_t)
@@ -222,6 +225,7 @@
corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
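Review bot: Replacing `corenet_udp_bind_dns_port(named_t)` with `corenet_udp_bind_all_ports(named_t)` lets named bind any UDP port, including reserved ports and ports assigned to other services, which is wider than what a randomised query source port (presumably the motivation) needs. Unless binding reserved ports is required, keeping `corenet_udp_bind_dns_port(named_t)` and adding `corenet_udp_bind_all_unreserved_ports(named_t)` covers the dns port plus random high ports without the rest. Either way the line deserves a comment giving the reason, and the log message for this commit does not mention the bind change at all.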
@@ -18535,7 +18574,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-06-16 07:11:37.000000000 -0400
@@ -13,6 +13,13 @@
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
@@ -18555,7 +18594,7 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched signal_perms };
@@ -18589,9 +18628,12 @@
mls_file_read_all_levels(NetworkManager_t)
-@@ -84,8 +97,11 @@
+@@ -83,9 +96,14 @@
+ files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
++storage_getattr_fixed_disk_dev(NetworkManager_t)
++
init_read_utmp(NetworkManager_t)
+init_dontaudit_write_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
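Review bot: `storage_getattr_fixed_disk_dev(NetworkManager_t)` is added without a comment explaining what NetworkManager does with fixed-disk device nodes, although this file documents unusual access elsewhere (the ptrace remark at the top of the earlier networkmanager.te hunk). A one-line comment in that style, `# <reason NetworkManager stats fixed disks>` with the real cause filled in, would let a later reviewer decide whether this should be an allow or a dontaudit. The NetworkManager_t section continues outside the hunk.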
@@ -18601,34 +18643,32 @@
libs_use_ld_so(NetworkManager_t)
libs_use_shared_libs(NetworkManager_t)
-@@ -113,6 +129,7 @@
+@@ -113,6 +131,9 @@
userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
# Read gnome-keyring
userdom_read_unpriv_users_home_content_files(NetworkManager_t)
+userdom_unpriv_users_stream_connect(NetworkManager_t)
++
++cron_read_system_job_lib_files(NetworkManager_t)
optional_policy(`
bind_domtrans(NetworkManager_t)
-@@ -129,21 +146,25 @@
+@@ -129,21 +150,21 @@
')
optional_policy(`
- dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
- dbus_connect_system_bus(NetworkManager_t)
-+ cron_read_system_job_lib_files(NetworkManager_t)
++ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t)
')
optional_policy(`
- howl_signal(NetworkManager_t)
-+ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t)
++ hal_write_log(NetworkManager_t)
')
optional_policy(`
- nis_use_ypbind(NetworkManager_t)
-+ hal_write_log(NetworkManager_t)
-+')
-+
-+optional_policy(`
+ howl_signal(NetworkManager_t)
')
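Review bot: `cron_read_system_job_lib_files(NetworkManager_t)` moves from inside an `optional_policy` block (the removed line further down) to an unconditional call at the top of the hunk, which will make the networkmanager module fail to link whenever the cron module is not loaded, unless cron is built into base in this configuration. Keeping the call inside its own `optional_policy` block, as it was before, preserves the previous behaviour. The remainder of the hunk appears to be a reordering of the dbus, hal and howl blocks without a change in the grants themselves.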
@@ -21040,14 +21080,14 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.3.1/policy/modules/services/prelude.fc
--- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-06-12 23:38:04.000000000 -0400
-@@ -0,0 +1,13 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-06-22 07:10:13.000000000 -0400
+@@ -0,0 +1,19 @@
+
+/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0)
+
+/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
+
-+/etc/rc.d/init.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0)
++/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0)
+
+/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
+
@@ -21055,6 +21095,12 @@
+/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
+/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
++/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t
++,s0)
++/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lm
++l_var_run_t,s0)
++/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lm
++l_script_exec_t,s0)
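Review bot: The new `/var/run/prelude-lml.pid` entry leaves its dot unescaped, so as a regex it also matches any single character in that position, while the same hunk escapes the dots in `/etc/rc\.d/init\.d/prelude-lml`; write `/var/run/prelude-lml\.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)`. The three new entries are also shown line-wrapped here (`prelude_lml_exec_t` followed by `,s0)` on its own line); if that is not only an artifact of the mail rendering the file will not parse, so it is worth confirming against the committed file. Placing them next to the existing `/usr/bin`, `/var/run` and `/etc/rc\.d` entries rather than after the prewikka line would match how the rest of the file is ordered.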
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.3.1/policy/modules/services/prelude.if
--- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-06-12 23:38:04.000000000 -0400
@@ -21189,8 +21235,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-12 23:38:04.000000000 -0400
-@@ -0,0 +1,162 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-22 07:53:37.000000000 -0400
+@@ -0,0 +1,246 @@
+policy_module(prelude,1.0.0)
+
+########################################
@@ -21223,6 +21269,19 @@
+type audisp_prelude_var_run_t;
+files_pid_file(audisp_prelude_var_run_t)
+
++type prelude_lml_t;
++type prelude_lml_exec_t;
++init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
++
++type prelude_lml_script_exec_t;
++init_script_type(prelude_lml_script_exec_t)
++
++type prelude_lml_var_run_t;
++files_pid_file(prelude_lml_var_run_t)
++
++type prelude_lml_tmp_t;
++files_tmp_file(prelude_lml_tmp_t)
++
+########################################
+#
+# prelude local policy
@@ -21336,6 +21395,74 @@
+
+########################################
+#
++# prelude_lml local declarations
++#
++
++# Init script handling
++# Test me
++domain_use_interactive_fds(prelude_lml_t)
++
++allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
++allow prelude_lml_t self:unix_dgram_socket { write create connect };
++allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
++allow prelude_lml_t self:unix_stream_socket connectto;
++
++files_list_tmp(prelude_lml_t)
++manage_dirs_pattern(prelude_lml_t,prelude_lml_tmp_t,prelude_lml_tmp_t)
++manage_files_pattern(prelude_lml_t,prelude_lml_tmp_t,prelude_lml_tmp_t)
++files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
++
++files_search_spool(prelude_lml_t)
++manage_dirs_pattern(prelude_lml_t,prelude_spool_t,prelude_spool_t)
++manage_files_pattern(prelude_lml_t,prelude_spool_t,prelude_spool_t)
++
++files_search_var_lib(prelude_lml_t)
++manage_dirs_pattern(prelude_lml_t,prelude_var_lib_t,prelude_var_lib_t)
++manage_files_pattern(prelude_lml_t,prelude_var_lib_t,prelude_var_lib_t)
++
++manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
++files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
++
++corecmd_search_bin(prelude_lml_t)
++
++corenet_tcp_sendrecv_generic_if(prelude_lml_t)
++corenet_tcp_sendrecv_all_nodes(prelude_lml_t)
++corenet_tcp_recvfrom_netlabel(prelude_lml_t)
++corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
++corenet_sendrecv_unlabeled_packets(prelude_lml_t)
++corenet_tcp_connect_prelude_port(prelude_lml_t)
++
++dev_read_rand(prelude_lml_t)
++dev_read_urand(prelude_lml_t)
++
++files_list_etc(prelude_lml_t)
++files_read_etc_files(prelude_lml_t)
++files_read_etc_runtime_files(prelude_lml_t)
++
++files_search_spool(prelude_lml_t)
++files_search_usr(prelude_lml_t)
++files_search_var_lib(prelude_lml_t)
++
++fs_list_inotifyfs(prelude_lml_t)
++
++auth_use_nsswitch(prelude_lml_t)
++
++libs_use_ld_so(prelude_lml_t)
++libs_use_shared_libs(prelude_lml_t)
++libs_exec_lib_files(prelude_lml_t)
++libs_read_lib_files(prelude_lml_t)
++
++logging_send_syslog_msg(prelude_lml_t)
++logging_read_generic_logs(prelude_lml_t)
++
++miscfiles_read_localization(prelude_lml_t)
++
++optional_policy(`
++ apache_read_log(prelude_lml_t)
++')
++
++########################################
++#
+# prewikka_cgi Declarations
+#
+
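Review bot: The section header added here reads `# prelude_lml local declarations` but the block holds the prelude_lml_t access rules, not declarations (those were added in the earlier prelude.te hunk); `# prelude_lml local policy` would match the `# prelude local policy` header used above it. The `# Init script handling` and `# Test me` lines read as development leftovers and should either explain the `domain_use_interactive_fds` call beneath them or go. `files_search_spool(prelude_lml_t)` and `files_search_var_lib(prelude_lml_t)` each appear twice in the block, once before the manage_*_pattern calls and again in the files_* group, so one copy of each can be dropped.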
@@ -21343,6 +21470,10 @@
+ apache_content_template(prewikka)
+ files_read_etc_files(httpd_prewikka_script_t)
+
++ auth_use_nsswitch(httpd_prewikka_script_t)
++
++ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
++
+ optional_policy(`
+ mysql_search_db(httpd_prewikka_script_t)
+ mysql_stream_connect(httpd_prewikka_script_t)
@@ -21352,7 +21483,6 @@
+ postgresql_stream_connect(httpd_prewikka_script_t)
+ ')
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.3.1/policy/modules/services/privoxy.fc
--- nsaserefpolicy/policy/modules/services/privoxy.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc 2008-06-12 23:38:03.000000000 -0400
@@ -27837,7 +27967,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-06-14 07:17:28.000000000 -0400
@@ -8,6 +8,14 @@
## <desc>
@@ -28141,7 +28271,7 @@
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -256,22 +385,29 @@
+@@ -256,22 +385,30 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -28156,6 +28286,7 @@
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
++userdom_dontaudit_read_sysadm_home_sym_links(xdm_t)
userdom_create_all_users_keys(xdm_t)
# for .dmrc
userdom_read_unpriv_users_home_content_files(xdm_t)
@@ -28174,7 +28305,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -297,14 +433,20 @@
+@@ -297,14 +434,20 @@
# xserver_rw_session_template(xdm,unpriv_userdomain)
# dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
@@ -28196,7 +28327,7 @@
')
optional_policy(`
-@@ -312,6 +454,23 @@
+@@ -312,6 +455,23 @@
')
optional_policy(`
@@ -28220,7 +28351,7 @@
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
-@@ -322,6 +481,10 @@
+@@ -322,6 +482,10 @@
')
optional_policy(`
@@ -28231,7 +28362,7 @@
loadkeys_exec(xdm_t)
')
-@@ -335,6 +498,11 @@
+@@ -335,6 +499,11 @@
')
optional_policy(`
@@ -28243,7 +28374,7 @@
seutil_sigchld_newrole(xdm_t)
')
-@@ -343,8 +511,8 @@
+@@ -343,8 +512,8 @@
')
optional_policy(`
@@ -28253,7 +28384,7 @@
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -380,7 +548,7 @@
+@@ -380,7 +549,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -28262,7 +28393,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +560,15 @@
+@@ -392,6 +561,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -28278,7 +28409,7 @@
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -404,9 +581,18 @@
+@@ -404,9 +582,18 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -28297,7 +28428,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +606,22 @@
+@@ -420,6 +607,22 @@
')
optional_policy(`
@@ -28320,7 +28451,7 @@
resmgr_stream_connect(xdm_t)
')
-@@ -429,47 +631,138 @@
+@@ -429,47 +632,138 @@
')
optional_policy(`
@@ -28670,7 +28801,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.3.1/policy/modules/services/zebra.te
--- nsaserefpolicy/policy/modules/services/zebra.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/zebra.te 2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/zebra.te 2008-06-16 07:15:14.000000000 -0400
@@ -30,6 +30,9 @@
type zebra_var_run_t;
files_pid_file(zebra_var_run_t)
@@ -28690,6 +28821,14 @@
allow zebra_t self:file { ioctl read write getattr lock append };
allow zebra_t self:unix_dgram_socket create_socket_perms;
allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+@@ -64,6 +67,7 @@
+ files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file })
+
+ kernel_read_system_state(zebra_t)
++kernel_read_network_state(zebra_t)
+ kernel_read_kernel_sysctls(zebra_t)
+ kernel_rw_net_sysctls(zebra_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.3.1/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.fc 2008-06-12 23:38:02.000000000 -0400
@@ -31286,8 +31425,8 @@
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
--- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-06-12 23:38:02.000000000 -0400
-@@ -0,0 +1,313 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-06-22 08:07:19.000000000 -0400
+@@ -0,0 +1,335 @@
+
+## <summary>policy for qemu</summary>
+
@@ -31348,6 +31487,24 @@
+
+########################################
+## <summary>
++## Set the schedule on qemu.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`qemu_setsched',`
++ gen_require(`
++ type qemu_t;
++ ')
++
++ allow $1 qemu_t:process setsched;
++')
++
++########################################
++## <summary>
+## Send a sigill to qemu
+## </summary>
+## <param name="domain">
@@ -31594,6 +31751,10 @@
+ ')
+
+ optional_policy(`
++ xen_rw_image_files($1_t)
++ ')
++
++ optional_policy(`
+ xserver_stream_connect_xdm_xserver($1_t)
+ xserver_read_xdm_tmp_files($1_t)
+ xserver_read_xdm_pid($1_t)
@@ -33638,7 +33799,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-12 23:38:02.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-14 07:17:14.000000000 -0400
@@ -29,9 +29,14 @@
')
@@ -35816,7 +35977,7 @@
')
########################################
-@@ -4644,12 +4858,11 @@
+@@ -4644,12 +4858,29 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -35829,10 +35990,28 @@
- dontaudit $1 sysadm_home_t:file read_file_perms;
+ dontaudit $1 admin_home_t:dir search_dir_perms;
+ dontaudit $1 admin_home_t:file read_file_perms;
++')
++########################################
++## <summary>
++## Do not audit attempts to read sysadm
++## users home directory sym links.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`userdom_dontaudit_read_sysadm_home_sym_links',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
')
########################################
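Review bot: The new `userdom_dontaudit_read_sysadm_home_sym_links` interface is glued to the one before it: the added `')` is immediately followed by the `########################################` rule with no blank line, while every other interface in this file is separated by one. Insert an empty line between `')` and the header. The body itself (gen_require of admin_home_t, dontaudit on `lnk_file read_lnk_file_perms`) mirrors the sibling `userdom_dontaudit_read_sysadm_home_content_files` directly above and looks consistent with it.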
-@@ -4676,10 +4889,10 @@
+@@ -4676,10 +4907,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -35845,7 +36024,7 @@
')
########################################
-@@ -4694,10 +4907,10 @@
+@@ -4694,10 +4925,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -35858,7 +36037,7 @@
')
########################################
-@@ -4712,13 +4925,13 @@
+@@ -4712,13 +4943,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -35876,7 +36055,7 @@
')
########################################
-@@ -4754,11 +4967,49 @@
+@@ -4754,11 +4985,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -35927,7 +36106,7 @@
')
########################################
-@@ -4778,6 +5029,14 @@
+@@ -4778,6 +5047,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -35942,7 +36121,7 @@
')
########################################
-@@ -4839,6 +5098,26 @@
+@@ -4839,6 +5116,26 @@
########################################
## <summary>
@@ -35969,7 +36148,7 @@
## Create, read, write, and delete all directories
## in all users home directories.
## </summary>
-@@ -4859,6 +5138,25 @@
+@@ -4859,6 +5156,25 @@
########################################
## <summary>
@@ -35995,7 +36174,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4879,6 +5177,26 @@
+@@ -4879,6 +5195,26 @@
########################################
## <summary>
@@ -36022,7 +36201,7 @@
## Create, read, write, and delete all symlinks
## in all users home directories.
## </summary>
-@@ -5115,7 +5433,7 @@
+@@ -5115,7 +5451,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -36031,25 +36210,29 @@
')
files_search_home($1)
-@@ -5304,6 +5622,63 @@
+@@ -5304,8 +5640,8 @@
########################################
## <summary>
+-## Create, read, write, and delete directories in
+-## unprivileged users home directories.
+## append all unprivileged users home directory
+## files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5313,19 +5649,26 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_manage_unpriv_users_home_content_dirs',`
+interface(`userdom_append_unpriv_users_home_content_files',`
-+ gen_require(`
-+ attribute user_home_dir_type, user_home_type;
-+ ')
-+
-+ files_search_home($1)
+ gen_require(`
+ attribute user_home_dir_type, user_home_type;
+ ')
+
+ files_search_home($1)
+- manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ allow $1 user_home_type:dir list_dir_perms;
+ append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ tunable_policy(`use_nfs_home_dirs',`
@@ -36058,25 +36241,29 @@
+ tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files($1)
+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete files in
+-## unprivileged users home directories.
+## dontaudit Read all unprivileged users home directory
+## files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5333,18 +5676,29 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_manage_unpriv_users_home_content_files',`
+interface(`userdom_dontaudit_read_unpriv_users_home_content_files',`
-+ gen_require(`
-+ attribute user_home_dir_type, user_home_type;
-+ ')
-+
-+ files_search_home($1)
+ gen_require(`
+ attribute user_home_dir_type, user_home_type;
+ ')
+
+ files_search_home($1)
+- manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ dontaudit $1 user_home_type:dir list_dir_perms;
+ dontaudit $1 user_home_type:file read_file_perms;
+ dontaudit $1 user_home_type:file read_lnk_file_perms;
@@ -36088,62 +36275,79 @@
+ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_read_cifs_files($1)
+ ')
-+')
-+
-+########################################
-+## <summary>
- ## Create, read, write, and delete directories in
- ## unprivileged users home directories.
- ## </summary>
-@@ -5509,7 +5884,7 @@
+ ')
########################################
## <summary>
--## Read and write unprivileged user ttys.
-+## Write all unprivileged users files in /tmp
+-## Set the attributes of user ptys.
++## Create, read, write, and delete directories in
++## unprivileged users home directories.
## </summary>
## <param name="domain">
## <summary>
-@@ -5517,18 +5892,17 @@
+@@ -5352,17 +5706,19 @@
## </summary>
## </param>
#
--interface(`userdom_use_unpriv_users_ttys',`
-+interface(`userdom_manage_unpriv_users_tmp_files',`
+-interface(`userdom_setattr_unpriv_users_ptys',`
++interface(`userdom_manage_unpriv_users_home_content_dirs',`
gen_require(`
-- attribute user_ttynode;
-+ type user_tmp_t;
+- attribute user_ptynode;
++ attribute user_home_dir_type, user_home_type;
')
-- allow $1 user_ttynode:chr_file rw_term_perms;
-+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
+- allow $1 user_ptynode:chr_file setattr;
++ files_search_home($1)
++ manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
')
########################################
## <summary>
--## Do not audit attempts to use unprivileged
--## user ttys.
-+## Write all unprivileged users lnk_files in /tmp
+-## Read and write unprivileged user ptys.
++## Create, read, write, and delete files in
++## unprivileged users home directories.
## </summary>
## <param name="domain">
## <summary>
-@@ -5536,9 +5910,46 @@
+@@ -5370,14 +5726,51 @@
## </summary>
## </param>
#
--interface(`userdom_dontaudit_use_unpriv_users_ttys',`
-+interface(`userdom_manage_unpriv_users_tmp_symlinks',`
+-interface(`userdom_use_unpriv_users_ptys',`
++interface(`userdom_manage_unpriv_users_home_content_files',`
gen_require(`
-- attribute user_ttynode;
-+ type user_tmp_t;
+- attribute user_ptynode;
++ attribute user_home_dir_type, user_home_type;
+ ')
+
+- term_search_ptys($1)
+- allow $1 user_ptynode:chr_file rw_file_perms;
+-')
++ files_search_home($1)
++ manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
++')
++
++########################################
++## <summary>
++## Set the attributes of user ptys.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_setattr_unpriv_users_ptys',`
++ gen_require(`
++ attribute user_ptynode;
+ ')
+
-+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ allow $1 user_ptynode:chr_file setattr;
+')
+
+########################################
+## <summary>
-+## Read and write unprivileged user ttys.
++## Read and write unprivileged user ptys.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -36151,18 +36355,40 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_use_unpriv_users_ttys',`
++interface(`userdom_use_unpriv_users_ptys',`
+ gen_require(`
-+ attribute user_ttynode;
++ attribute user_ptynode;
+ ')
+
-+ allow $1 user_ttynode:chr_file rw_term_perms;
++ term_search_ptys($1)
++ allow $1 user_ptynode:chr_file rw_file_perms;
++')
+
+ ########################################
+ ## <summary>
+@@ -5509,6 +5902,42 @@
+
+ ########################################
+ ## <summary>
++## Write all unprivileged users files in /tmp
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_manage_unpriv_users_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to use unprivileged
-+## user ttys.
++## Write all unprivileged users lnk_files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
@@ -36170,13 +36396,20 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
++interface(`userdom_manage_unpriv_users_tmp_symlinks',`
+ gen_require(`
-+ attribute user_ttynode;
- ')
-
- dontaudit $1 user_ttynode:chr_file rw_file_perms;
-@@ -5559,7 +5970,7 @@
++ type user_tmp_t;
++ ')
++
++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++########################################
++## <summary>
+ ## Read and write unprivileged user ttys.
+ ## </summary>
+ ## <param name="domain">
+@@ -5559,7 +5988,7 @@
attribute userdomain;
')
@@ -36185,7 +36418,7 @@
kernel_search_proc($1)
')
-@@ -5674,6 +6085,42 @@
+@@ -5674,6 +6103,42 @@
########################################
## <summary>
@@ -36228,7 +36461,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5704,3 +6151,408 @@
+@@ -5704,3 +6169,408 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -37306,8 +37539,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-06-14 07:00:58.000000000 -0400
-@@ -0,0 +1,198 @@
++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-06-22 06:50:55.000000000 -0400
+@@ -0,0 +1,199 @@
+
+policy_module(virt,1.0.0)
+
@@ -37484,6 +37717,7 @@
+ qemu_read_state(virtd_t)
+ qemu_signal(virtd_t)
+ qemu_sigkill(virtd_t)
++ qemu_setsched(virtd_t)
+')
+
+optional_policy(`
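Review bot: The log message says virt gets getsched and setsched on qemu, but this hunk adds only `qemu_setsched(virtd_t)`; no `qemu_getsched` call or interface appears anywhere in the patch shown, so either the changelog overstates the change or the getsched grant lives in a part not visible here. Worth confirming, since `qemu_read_state` on the line above presumably does not cover process getsched. The enclosing `optional_policy` block begins before the hunk.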
@@ -37508,7 +37742,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.3.1/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/xen.if 2008-06-12 23:38:02.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/xen.if 2008-06-22 08:04:22.000000000 -0400
@@ -167,11 +167,14 @@
#
interface(`xen_stream_connect',`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.683
retrieving revision 1.684
diff -u -r1.683 -r1.684
--- selinux-policy.spec 10 Jun 2008 20:44:51 -0000 1.683
+++ selinux-policy.spec 22 Jun 2008 12:09:00 -0000 1.684
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 67%{?dist}
+Release: 68%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,10 @@
%endif
%changelog
+* Sun Jun 22 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-68
+- Allow virt to getsched and setsched on qemu
+- Allow networkmanager to getattr on fixed disk
+
* Wed Jun 4 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-66
- Add slattach policy for eparis testing