rpms/selinux-policy/devel policy-20071130.patch, 1.88, 1.89 selinux-policy.spec, 1.625, 1.626

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Mar 5 23:11:59 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1425

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Mon Mar 3 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-11
- Fixes for libvirt


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -r1.88 -r1.89
--- policy-20071130.patch	4 Mar 2008 21:38:18 -0000	1.88
+++ policy-20071130.patch	5 Mar 2008 23:11:52 -0000	1.89
@@ -6227,7 +6227,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in	2008-03-04 15:06:28.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in	2008-03-04 16:33:16.000000000 -0500
 @@ -82,6 +82,7 @@
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@@ -6274,7 +6274,7 @@
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pxe, udp,4011,s0)
-@@ -148,7 +155,7 @@
+@@ -148,11 +155,11 @@
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -6283,6 +6283,11 @@
  network_port(rsh, tcp,514,s0)
  network_port(rsync, tcp,873,s0, udp,873,s0)
  network_port(rwho, udp,513,s0)
+-network_port(smbd, tcp,139,s0, tcp,445,s0)
++network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+ network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
+ network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+ network_port(spamd, tcp,783,s0)
 @@ -170,7 +177,12 @@
  network_port(transproxy, tcp,8081,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
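Review bot: The replacement line `network_port(smbd, tcp,137-139,s0, tcp,445,s0)` labels TCP 137 and 138 as smbd_port_t, yet those numbers are conventionally the NetBIOS name and datagram services, which Samba serves over UDP via nmbd, so the range form silently widens every generated `corenet_tcp_*_smbd_port` interface. If the range is deliberate, a trailing comment such as `# 137-139: NetBIOS-over-TCP, bound by smbd` would keep a later reviewer from narrowing it back; if it only exists to quiet an AVC, a dontaudit on the bind would be the narrower fix. It is also worth confirming that no other `network_port` line in corenetwork.te.in claims tcp 137 or 138, since a duplicate portcon is likely to fail the policy build.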
@@ -6878,7 +6883,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-03-04 16:23:38.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-03-04 17:23:42.000000000 -0500
 @@ -1266,6 +1266,24 @@
  
  ########################################
@@ -7550,7 +7555,7 @@
  /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.3.1/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/storage.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/storage.if	2008-03-04 17:41:15.000000000 -0500
 @@ -81,6 +81,26 @@
  
  ########################################
@@ -7783,7 +7788,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-02-29 14:20:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-03-05 15:44:05.000000000 -0500
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -12788,8 +12793,8 @@
 +/etc/rc.d/init.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.3.1/policy/modules/services/dnsmasq.if
 --- nsaserefpolicy/policy/modules/services/dnsmasq.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.if	2008-02-26 08:29:22.000000000 -0500
-@@ -1 +1,106 @@
++++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.if	2008-03-05 14:40:55.000000000 -0500
+@@ -1 +1,125 @@
  ## <summary>dnsmasq DNS forwarder and DHCP server</summary>
 +
 +########################################
@@ -12853,6 +12858,25 @@
 +
 +########################################
 +## <summary>
++##	Send dnsmasq a sigkill
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`dnsmasq_sigkill',`
++	gen_require(`
++		type dnsmasq_t;
++	')
++
++	allow $1 dnsmasq_t:process sigkill;
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate 
 +##	an dnsmasq environment
 +## </summary>
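Review bot: The header of the new `dnsmasq_sigkill` interface has two consecutive bare `#` lines before `interface(`, whereas the neighbouring interfaces in this file end their doc block with a single `#`; drop the duplicate. The summary `Send dnsmasq a sigkill` would read more consistently with the rest of the file as `Send a kill signal to dnsmasq.`. The hunk ends inside the doc block of the following admin interface, whose body is not visible here.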
@@ -23011,7 +23035,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-04 14:49:58.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-05 14:36:29.000000000 -0500
 @@ -12,9 +12,15 @@
  ##	</summary>
  ## </param>
@@ -23745,7 +23769,7 @@
 +	# X Protocol Extensions
 +	allow $3 std_xext_t:x_extension { use };
 +	allow $3 shmem_xext_t:x_extension { use };
-+	dontaudit $3 xextension_type:x_extension query;
++	allow $3 xextension_type:x_extension query;
 +
 +	# X Properties
 +	# can read and write client properties
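Review bot: Turning `dontaudit $3 xextension_type:x_extension query;` into `allow` grants $3 query on every extension type, while the two lines above grant `use` only on std_xext_t and shmem_xext_t, and nothing records why the two permissions are treated so differently. A comment such as `# query presumably only reveals whether an extension is present; use stays limited to the listed extensions` would make the intent explicit, and it is worth checking that no xextension_type was meant to stay invisible to clients. The template this block belongs to begins and ends outside the hunk.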
@@ -24303,7 +24327,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-02-28 16:46:06.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-03-05 18:07:11.000000000 -0500
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -24543,7 +24567,15 @@
  
  fs_getattr_all_fs(xdm_t)
  fs_search_auto_mountpoints(xdm_t)
-@@ -245,6 +357,7 @@
+@@ -237,6 +349,7 @@
+ storage_dontaudit_raw_write_removable_device(xdm_t)
+ storage_dontaudit_setattr_removable_dev(xdm_t)
+ storage_dontaudit_rw_scsi_generic(xdm_t)
++storage_rw_fuse(xdm_t)
+ 
+ term_setattr_console(xdm_t)
+ term_use_unallocated_ttys(xdm_t)
+@@ -245,6 +358,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
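Review bot: `storage_rw_fuse(xdm_t)` is an allow placed among dontaudit rules for removable and SCSI devices, and the hunk does not say why the display manager needs read/write access to the FUSE device. A comment naming the trigger, e.g. `# xdm needs the fuse device for <reason from the bug report> — TODO confirm`, would help the next reader, and since the body of storage.if is not shown in this diff it is worth confirming the interface exists at this patch level. The xdm_t rule block continues on both sides of the hunk.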
@@ -24551,7 +24583,7 @@
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -256,12 +369,11 @@
+@@ -256,12 +370,11 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -24565,7 +24597,7 @@
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -270,8 +382,13 @@
+@@ -270,8 +383,13 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -24579,7 +24611,7 @@
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -304,7 +421,11 @@
+@@ -304,7 +422,11 @@
  ')
  
  optional_policy(`
@@ -24592,7 +24624,7 @@
  ')
  
  optional_policy(`
-@@ -312,6 +433,23 @@
+@@ -312,6 +434,23 @@
  ')
  
  optional_policy(`
@@ -24616,7 +24648,7 @@
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
  	gpm_setattr_gpmctl(xdm_t)
-@@ -322,6 +460,10 @@
+@@ -322,6 +461,10 @@
  ')
  
  optional_policy(`
@@ -24627,7 +24659,7 @@
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -335,6 +477,11 @@
+@@ -335,6 +478,11 @@
  ')
  
  optional_policy(`
@@ -24639,7 +24671,7 @@
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -343,8 +490,8 @@
+@@ -343,8 +491,8 @@
  ')
  
  optional_policy(`
@@ -24649,7 +24681,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +527,7 @@
+@@ -380,7 +528,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -24658,7 +24690,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +539,15 @@
+@@ -392,6 +540,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -24674,7 +24706,7 @@
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,9 +560,17 @@
+@@ -404,9 +561,17 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -24692,7 +24724,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +584,22 @@
+@@ -420,6 +585,22 @@
  ')
  
  optional_policy(`
@@ -24715,7 +24747,7 @@
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +609,138 @@
+@@ -429,47 +610,138 @@
  ')
  
  optional_policy(`
@@ -25285,7 +25317,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-19 17:24:26.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-03-05 15:46:36.000000000 -0500
 @@ -59,6 +59,9 @@
  type utempter_exec_t;
  application_domain(utempter_t,utempter_exec_t)
@@ -25319,7 +25351,19 @@
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(pam_t)
-@@ -297,8 +309,10 @@
+@@ -282,6 +294,11 @@
+ 	')
+ ')
+ 
++optional_policy(`
++	# apache leaks file descriptors
++	apache_dontaudit_rw_tcp_sockets(system_chkpwd_t)
++')
++
+ ########################################
+ #
+ # updpwd local policy
+@@ -297,8 +314,10 @@
  files_manage_etc_files(updpwd_t)
  
  term_dontaudit_use_console(updpwd_t)
@@ -25331,7 +25375,7 @@
  
  auth_manage_shadow(updpwd_t)
  auth_use_nsswitch(updpwd_t)
-@@ -359,11 +373,6 @@
+@@ -359,11 +378,6 @@
  ')
  
  optional_policy(`
@@ -28372,7 +28416,7 @@
 +/usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.if	2008-03-04 17:26:54.000000000 -0500
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -28407,7 +28451,15 @@
  
  	kernel_unconfined($1)
  	corenet_unconfined($1)
-@@ -70,6 +70,7 @@
+@@ -40,6 +40,7 @@
+ 	domain_unconfined($1)
+ 	domain_dontaudit_read_all_domains_state($1)
+ 	domain_dontaudit_ptrace_all_domains($1)
++	domain_mmap_low($1)
+ 	files_unconfined($1)
+ 	fs_unconfined($1)
+ 	selinux_unconfined($1)
+@@ -70,6 +71,7 @@
  	optional_policy(`
  		# Communicate via dbusd.
  		dbus_system_bus_unconfined($1)
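Review bot: Adding `domain_mmap_low($1)` to `unconfined_domain_noaudit` gives every unconfined domain the permission behind the low-address mapping restriction (`memprotect mmap_zero` in refpolicy), which is the policy's check against mapping page zero; an unconditional allow here lifts it for all of them, not just the program that prompted the change. A comment recording the requirement, e.g. `# needed by <program from the bug report> to map low memory; consider gating behind a tunable`, and preferably a tunable around the call so administrators can keep the restriction, would be the safer shape. The interface opens before this hunk and continues after it.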
@@ -28415,7 +28467,7 @@
  	')
  
  	optional_policy(`
-@@ -95,6 +96,10 @@
+@@ -95,6 +97,10 @@
  	optional_policy(`
  		storage_unconfined($1)
  	')
@@ -28426,7 +28478,7 @@
  ')
  
  ########################################
-@@ -581,7 +586,6 @@
+@@ -581,7 +587,6 @@
  interface(`unconfined_dbus_connect',`
  	gen_require(`
  		type unconfined_t;
@@ -28434,7 +28486,7 @@
  	')
  
  	allow $1 unconfined_t:dbus acquire_svc;
-@@ -589,7 +593,139 @@
+@@ -589,7 +594,139 @@
  
  ########################################
  ## <summary>
@@ -28575,7 +28627,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -597,41 +733,43 @@
+@@ -597,41 +734,43 @@
  ##	</summary>
  ## </param>
  #
@@ -28633,7 +28685,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -639,10 +777,10 @@
+@@ -639,10 +778,10 @@
  ##	</summary>
  ## </param>
  #
@@ -28974,7 +29026,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-03 16:30:45.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-05 18:06:38.000000000 -0500
 @@ -29,9 +29,14 @@
  	')
  
@@ -32328,8 +32380,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-02-26 08:29:22.000000000 -0500
-@@ -0,0 +1,159 @@
++++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-03-05 18:05:21.000000000 -0500
+@@ -0,0 +1,162 @@
 +
 +policy_module(virt,1.0.0)
 +
@@ -32385,8 +32437,8 @@
 +#
 +# virtd local policy
 +#
-+allow virtd_t self:capability { dac_override kill net_admin setgid };
-+allow virtd_t self:process sigkill;
++allow virtd_t self:capability { sys_module dac_override kill net_admin setgid };
++allow virtd_t self:process { sigkill signal };
 +allow virtd_t self:fifo_file rw_file_perms;
 +allow virtd_t self:unix_stream_socket create_stream_socket_perms;
 +allow virtd_t self:tcp_socket create_stream_socket_perms;
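Review bot: The capability line now grants virtd_t `sys_module`, which permits loading and unloading arbitrary kernel modules, a much broader right than the other capabilities in the set, and the hunk gives no reason for it. If the need is module autoloading when libvirtd creates tun or bridge devices, a comment such as `# sys_module: needed for module autoload on tun/bridge setup — TODO confirm` would let a later reviewer revisit it once a narrower permission is available; if that is not the reason, the grant deserves a second look before release. The `{ sigkill signal }` widening on self:process is self-contained and looks fine.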
@@ -32412,6 +32464,8 @@
 +manage_lnk_files_pattern(virtd_t, virt_etc_rw_t,  virt_etc_rw_t)
 +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 +
++corecmd_exec_bin(virtd_t)
++
 +corenet_all_recvfrom_unlabeled(virtd_t)
 +corenet_all_recvfrom_netlabel(virtd_t)
 +corenet_tcp_sendrecv_all_if(virtd_t)
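Review bot: `corecmd_exec_bin(virtd_t)` lets virtd_t execute any bin_t binary without a domain transition, and the hunk does not record which helper programs this is for. A comment naming them, e.g. `# runs <helper binaries from the bug report> in the virtd_t domain`, would make it possible later to replace the blanket rule with specific exec or domtrans rules, as this commit already does for dnsmasq.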
@@ -32467,6 +32521,7 @@
 +optional_policy(`
 +	dnsmasq_domtrans(virtd_t)
 +	dnsmasq_signal(virtd_t)
++	dnsmasq_sigkill(virtd_t)
 +')
 +
 +optional_policy(`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.625
retrieving revision 1.626
diff -u -r1.625 -r1.626
--- selinux-policy.spec	4 Mar 2008 21:38:18 -0000	1.625
+++ selinux-policy.spec	5 Mar 2008 23:11:52 -0000	1.626
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,9 @@
 %endif
 
 %changelog
+* Mon Mar 3 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-11
+- Fixes for libvirt
+
 * Mon Mar 3 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-10
 - Allow bitlebee to read locale_t
 



