rpms/selinux-policy/devel policy-20071130.patch, 1.92, 1.93 selinux-policy.spec, 1.627, 1.628
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Mar 10 20:16:55 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29592
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Mon Mar 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-13
- Additional changes for MLS policy
policy-20071130.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.92 -r 1.93 policy-20071130.patch
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.92
retrieving revision 1.93
diff -u -r1.92 -r1.93
--- policy-20071130.patch 6 Mar 2008 22:25:06 -0000 1.92
+++ policy-20071130.patch 10 Mar 2008 20:16:22 -0000 1.93
@@ -2050,7 +2050,7 @@
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.3.1/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/rpm.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/rpm.if 2008-03-09 08:33:16.000000000 -0400
@@ -152,6 +152,24 @@
########################################
@@ -2076,10 +2076,31 @@
## Send and receive messages from
## rpm over dbus.
## </summary>
-@@ -173,6 +191,27 @@
+@@ -173,6 +191,48 @@
########################################
## <summary>
++## dontaudit attempts to Send and receive messages from
++## rpm over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rpm_dontaudit_dbus_chat',`
++ gen_require(`
++ type rpm_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 rpm_t:dbus send_msg;
++ dontaudit rpm_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
+## Send and receive messages from
+## rpm_script over dbus.
+## </summary>
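Review bot: The summary of the new rpm_dontaudit_dbus_chat interface is oddly capitalized and does not say what is being hidden; the usual refpolicy wording is `## Do not audit attempts to send and receive messages from rpm over dbus.`, and a `## <rolecap/>`-style note is not needed but the name of the matching allow interface is: `## Counterpart of rpm_dbus_chat.` Because the interface silences both directions (caller to rpm_t and rpm_t back to the caller), a domain that later genuinely needs this access will produce no AVC at all and the denial will only surface after `semodule -DB`, so a one-line comment above the interface stating that it exists to suppress noise from unprivileged user domains (its only caller in this commit is user_t, in the users/user.te hunk further down) would keep a future reader from mistaking it for a deliberate block.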
@@ -2104,7 +2125,7 @@
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
-@@ -210,6 +249,24 @@
+@@ -210,6 +270,24 @@
########################################
## <summary>
@@ -2129,7 +2150,7 @@
## Create, read, write, and delete RPM
## script temporary files.
## </summary>
-@@ -225,7 +282,29 @@
+@@ -225,7 +303,29 @@
')
files_search_tmp($1)
@@ -2159,7 +2180,7 @@
')
########################################
-@@ -289,3 +368,157 @@
+@@ -289,3 +389,157 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -5055,7 +5076,7 @@
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-04 14:46:08.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-10 14:36:14.000000000 -0400
@@ -0,0 +1,344 @@
+
+## <summary>policy for nsplugin</summary>
@@ -5272,7 +5293,7 @@
+ nsplugin_use($1, $2)
+
+ optional_policy(`
-+ xserver_common_app_template($2, nsplugin_t)
++ xserver_common_app_to_user($2, nsplugin_t)
+ ')
+
+ role $3 types nsplugin_t;
@@ -5403,8 +5424,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-04 10:03:36.000000000 -0500
-@@ -0,0 +1,154 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-10 14:35:49.000000000 -0400
+@@ -0,0 +1,166 @@
+
+policy_module(nsplugin,1.0.0)
+
@@ -5471,6 +5492,7 @@
+
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
++dev_write_sound(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
@@ -5495,6 +5517,7 @@
+miscfiles_manage_home_fonts(nsplugin_t)
+
+userdom_read_user_home_content_files(user, nsplugin_t)
++userdom_read_user_tmp_files(user, nsplugin_t)
+userdom_write_user_tmp_sockets(user, nsplugin_t)
+userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)
+
@@ -5503,6 +5526,10 @@
+')
+
+optional_policy(`
++ gnome_exec_gconf(nsplugin_t)
++')
++
++optional_policy(`
+ mozilla_read_user_home_files(user, nsplugin_t)
+ mozilla_write_user_home_files(user, nsplugin_t)
+')
@@ -5511,6 +5538,7 @@
+ xserver_stream_connect_xdm_xserver(nsplugin_t)
+ xserver_xdm_rw_shm(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
++ xserver_read_user_xauth(user, nsplugin_t)
+')
+
+########################################
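Review bot: The added `xserver_read_user_xauth(user, nsplugin_t)` has no comment, and it is the line that makes the existing `xserver_stream_connect_xdm_xserver(nsplugin_t)` above it usable, so the reason belongs next to it: `# plugin needs the user's X cookie to reach the X server for rendering`. Once a domain holds the cookie and the server socket, the X protocol itself does not isolate clients from one another, so the confinement of nsplugin_t should not be read as extending to what it can do through the X server; that caveat presumably applies here and is worth stating in the module header rather than leaving readers to infer it. The enclosing optional_policy block opens outside this hunk.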
@@ -5519,16 +5547,18 @@
+#
+
+allow nsplugin_config_t self:capability { sys_nice setuid setgid };
-+allow nsplugin_config_t self:process { setsched getsched execmem };
++allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
++allow nsplugin_t self:msgq create_msgq_perms;
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
+manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir })
++manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
@@ -5559,6 +5589,9 @@
+userdom_search_all_users_home_content(nsplugin_config_t)
+
+nsplugin_domtrans(nsplugin_config_t)
++
++allow nsplugin_t user_home_t:dir { write read };
++allow nsplugin_t user_home_t:file write;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.3.1/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/apps/screen.fc 2008-02-26 08:29:22.000000000 -0500
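Review bot: The two raw rules `allow nsplugin_t user_home_t:dir { write read };` and `allow nsplugin_t user_home_t:file write;` name a userdom-owned type directly from nsplugin.te instead of going through a userdom interface, unlike every other home-directory access in this module (e.g. `userdom_read_user_home_content_files(user, nsplugin_t)` earlier in the same patch), and unless user_home_t is pulled in by a gen_require not visible here they will only resolve in a monolithic build. More importantly they give an untrusted plugin domain write access to every existing user_home_t file, which under default labeling presumably includes the user's dotfiles, so the confinement nsplugin was introduced for is largely undone for the owning user; the `write` without `add_name` on the directory suggests the rules were copied from a single AVC rather than designed. If a plugin needs somewhere to write its own state, the module already has nsplugin_rw_t and user_nsplugin_home_t, and a dedicated type plus a file transition is the usual refpolicy answer. At minimum the rules deserve a comment naming the application and denial they work around, and the file-level write should be reconsidered before release.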
@@ -10430,7 +10463,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-02-26 10:37:39.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-03-10 13:34:57.000000000 -0400
@@ -13,6 +13,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -10470,7 +10503,7 @@
# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
-@@ -47,16 +57,33 @@
+@@ -47,16 +57,37 @@
auth_use_nsswitch(consolekit_t)
@@ -10492,22 +10525,26 @@
+hal_ptrace(consolekit_t)
+mcs_ptrace_all(consolekit_t)
+
++optional_policy(`
++ cron_read_system_job_lib_files(consolekit_t)
++')
++
optional_policy(`
- dbus_system_bus_client_template(consolekit, consolekit_t)
[...2097 lines suppressed...]
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -31198,7 +31449,7 @@
')
########################################
-@@ -4551,10 +4700,10 @@
+@@ -4551,10 +4701,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -31211,7 +31462,7 @@
')
########################################
-@@ -4569,10 +4718,10 @@
+@@ -4569,10 +4719,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -31224,7 +31475,7 @@
')
########################################
-@@ -4588,10 +4737,10 @@
+@@ -4588,10 +4738,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -31237,7 +31488,7 @@
')
########################################
-@@ -4606,10 +4755,10 @@
+@@ -4606,10 +4756,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -31250,7 +31501,7 @@
')
########################################
-@@ -4625,10 +4774,10 @@
+@@ -4625,10 +4775,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -31263,7 +31514,7 @@
')
########################################
-@@ -4644,12 +4793,11 @@
+@@ -4644,12 +4794,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -31279,7 +31530,7 @@
')
########################################
-@@ -4676,10 +4824,10 @@
+@@ -4676,10 +4825,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -31292,7 +31543,7 @@
')
########################################
-@@ -4694,10 +4842,10 @@
+@@ -4694,10 +4843,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -31305,7 +31556,7 @@
')
########################################
-@@ -4712,13 +4860,13 @@
+@@ -4712,13 +4861,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -31323,7 +31574,7 @@
')
########################################
-@@ -4754,11 +4902,49 @@
+@@ -4754,11 +4903,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -31374,7 +31625,7 @@
')
########################################
-@@ -4778,6 +4964,14 @@
+@@ -4778,6 +4965,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -31389,7 +31640,7 @@
')
########################################
-@@ -4839,6 +5033,26 @@
+@@ -4839,6 +5034,26 @@
########################################
## <summary>
@@ -31416,7 +31667,7 @@
## Create, read, write, and delete all directories
## in all users home directories.
## </summary>
-@@ -4859,6 +5073,25 @@
+@@ -4859,6 +5074,25 @@
########################################
## <summary>
@@ -31442,7 +31693,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4879,6 +5112,26 @@
+@@ -4879,6 +5113,26 @@
########################################
## <summary>
@@ -31469,7 +31720,7 @@
## Create, read, write, and delete all symlinks
## in all users home directories.
## </summary>
-@@ -5115,7 +5368,7 @@
+@@ -5115,7 +5369,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -31478,7 +31729,7 @@
')
files_search_home($1)
-@@ -5304,6 +5557,50 @@
+@@ -5304,6 +5558,50 @@
########################################
## <summary>
@@ -31529,7 +31780,7 @@
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
-@@ -5509,6 +5806,42 @@
+@@ -5509,6 +5807,42 @@
########################################
## <summary>
@@ -31572,7 +31823,7 @@
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
-@@ -5674,6 +6007,42 @@
+@@ -5674,6 +6008,42 @@
########################################
## <summary>
@@ -31615,7 +31866,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5704,3 +6073,368 @@
+@@ -5704,3 +6074,368 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -33213,11 +33464,24 @@
+## <summary>Policy for user user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.3.1/policy/modules/users/user.te
--- nsaserefpolicy/policy/modules/users/user.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/user.te 2008-02-26 08:29:22.000000000 -0500
-@@ -0,0 +1,4 @@
++++ serefpolicy-3.3.1/policy/modules/users/user.te 2008-03-10 11:57:48.000000000 -0400
+@@ -0,0 +1,17 @@
+policy_module(user,1.0.1)
+userdom_unpriv_user_template(user)
+
++optional_policy(`
++ kerneloops_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++ rpm_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++ setroubleshoot_dontaudit_stream_connect(user_t)
++')
++
++
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.3.1/policy/modules/users/webadm.fc
--- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500
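Review bot: user.te gains three optional_policy blocks but `policy_module(user,1.0.1)` on the context line above is not bumped, and refpolicy convention is to increment the module version whenever its rules change so a rebuilt module is distinguishable from the installed one; `policy_module(user,1.0.2)` is the expected edit. The file also now ends with three empty lines (the two added blank lines plus the existing trailing one); drop the two added blanks. The three dontaudit calls silence user_t's attempts to reach kerneloops over dbus, rpm over dbus and the setroubleshoot socket, and a one-line comment above the first block such as `# suppress noise from desktop helpers; use semodule -DB if a user app genuinely needs these` would tell the next maintainer they are deliberate rather than an unfinished allow.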
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.627
retrieving revision 1.628
diff -u -r1.627 -r1.628
--- selinux-policy.spec 6 Mar 2008 21:50:52 -0000 1.627
+++ selinux-policy.spec 10 Mar 2008 20:16:22 -0000 1.628
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 12%{?dist}
+Release: 13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,9 @@
%endif
%changelog
+* Mon Mar 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-13
+- Additional changes for MLS policy
+
* Thu Mar 6 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-12
- Fix initrc_context generation for MLS