rpms/selinux-policy/F-9 policy-20071130.patch, 1.158, 1.159 selinux-policy.spec, 1.674, 1.675
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu May 29 15:03:50 UTC 2008
- Previous message (by thread): rpms/numpy/devel .cvsignore, 1.11, 1.12 numpy.spec, 1.22, 1.23 sources, 1.11, 1.12
- Next message (by thread): rpms/bibletime/F-8 .cvsignore, 1.7, 1.8 bibletime.spec, 1.7, 1.8 sources, 1.7, 1.8
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27679
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Thu May 29 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-58
- Allow policykit_resolve to getattr hal
- Allow pyzor_t manage files user_pyzor_home_t
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.158
retrieving revision 1.159
diff -u -r1.158 -r1.159
--- policy-20071130.patch 29 May 2008 13:09:29 -0000 1.158
+++ policy-20071130.patch 29 May 2008 15:03:00 -0000 1.159
@@ -4597,6 +4597,98 @@
+ xserver_xdm_rw_shm(java_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.3.1/policy/modules/apps/livecd.fc
+--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/livecd.fc 2008-05-29 10:26:55.239724000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.3.1/policy/modules/apps/livecd.if
+--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/livecd.if 2008-05-29 10:43:58.253707000 -0400
+@@ -0,0 +1,56 @@
++
++## <summary>policy for livecd</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run livecd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`livecd_domtrans',`
++ gen_require(`
++ type livecd_t;
++ type livecd_exec_t;
++ ')
++
++ domtrans_pattern($1,livecd_exec_t,livecd_t)
++')
++
++
++########################################
++## <summary>
++## Execute livecd in the livecd domain, and
++## allow the specified role the livecd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the livecd domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the role's terminal.
++## </summary>
++## </param>
++#
++interface(`livecd_run',`
++ gen_require(`
++ type livecd_t;
++ ')
++
++ livecd_domtrans($1)
++ role $2 types livecd_t;
++ allow livecd_t $3:chr_file rw_term_perms;
++
++ seutil_run_setfiles_mac(livecd_t, $2, $3)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.3.1/policy/modules/apps/livecd.te
+--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/livecd.te 2008-05-29 10:44:05.853373000 -0400
+@@ -0,0 +1,22 @@
++policy_module(livecd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type livecd_t;
++type livecd_exec_t;
++application_domain(livecd_t, livecd_exec_t)
++role system_r types livecd_t;
++
++########################################
++#
++# livecd local policy
++#
++unconfined_domain_noaudit(livecd_t)
++domain_ptrace_all_domains(livecd_t)
++
++optional_policy(`
++ hal_dbus_chat(livecd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.3.1/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2008-02-26 08:23:12.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/apps/loadkeys.te 2008-05-28 09:06:13.000000000 -0400
@@ -19641,8 +19733,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-05-29 09:05:13.738516000 -0400
-@@ -0,0 +1,201 @@
++++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-05-29 09:55:32.281989000 -0400
+@@ -0,0 +1,206 @@
+policy_module(polkit_auth,1.0.0)
+
+########################################
@@ -19844,6 +19936,11 @@
+ dbus_system_bus_client_template(polkit_resolve, polkit_resolve_t)
+')
+
++optional_policy(`
++ hal_getattr(polkit_resolve_t)
++ hal_read_state(polkit_resolve_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.3.1/policy/modules/services/portslave.te
--- nsaserefpolicy/policy/modules/services/portslave.te 2008-02-26 08:23:10.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/portslave.te 2008-05-28 09:06:14.000000000 -0400
@@ -21231,8 +21328,8 @@
+/etc/rc.d/init.d/pyzord -- gen_context(system_u:object_r:pyzord_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.3.1/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/pyzor.if 2008-05-28 09:06:14.000000000 -0400
-@@ -25,16 +25,18 @@
++++ serefpolicy-3.3.1/policy/modules/services/pyzor.if 2008-05-29 10:07:23.557143000 -0400
+@@ -25,16 +25,15 @@
#
template(`pyzor_per_role_template',`
gen_require(`
@@ -21251,14 +21348,11 @@
- manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file })
-+ manage_dirs_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
-+ manage_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
-+ manage_lnk_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
+ userdom_user_home_dir_filetrans($1,pyzor_t,user_pyzor_home_t,{ dir file lnk_file })
')
########################################
-@@ -94,3 +96,78 @@
+@@ -94,3 +93,78 @@
corecmd_search_bin($1)
can_exec($1,pyzor_exec_t)
')
@@ -21339,7 +21433,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.3.1/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/pyzor.te 2008-05-28 09:06:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/pyzor.te 2008-05-29 10:07:55.351410000 -0400
@@ -17,7 +17,7 @@
init_daemon_domain(pyzord_t,pyzord_exec_t)
@@ -21362,7 +21456,18 @@
########################################
#
# Pyzor local policy
-@@ -68,6 +74,8 @@
+@@ -43,6 +49,10 @@
+ manage_dirs_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
+ files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
+
++manage_dirs_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
++manage_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
++manage_lnk_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
++
+ kernel_read_kernel_sysctls(pyzor_t)
+ kernel_read_system_state(pyzor_t)
+
+@@ -68,6 +78,8 @@
miscfiles_read_localization(pyzor_t)
@@ -21371,7 +21476,7 @@
userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
optional_policy(`
-@@ -76,8 +84,13 @@
+@@ -76,8 +88,13 @@
')
optional_policy(`
@@ -31242,7 +31347,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.3.1/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-05-28 09:06:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-05-29 10:57:28.514590000 -0400
@@ -215,8 +215,6 @@
seutil_domtrans_newrole($1)
role $2 types newrole_t;
@@ -31252,7 +31357,67 @@
')
########################################
-@@ -587,7 +585,7 @@
+@@ -553,6 +551,59 @@
+
+ ########################################
+ ## <summary>
++## Execute setfiles in the setfiles domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`seutil_domtrans_setfiles_mac',`
++ gen_require(`
++ type setfiles_mac_t, setfiles_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ domtrans_pattern($1,setfiles_exec_t,setfiles_mac_t)
++')
++
++########################################
++## <summary>
++## Execute setfiles in the setfiles_mac domain, and
++## allow the specified role the setfiles_mac domain,
++## and use the caller's terminal.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the setfiles_mac domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the terminal allow the setfiles_mac domain to use.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`seutil_run_setfiles_mac',`
++ gen_require(`
++ type setfiles_mac_t;
++ ')
++
++ seutil_domtrans_setfiles_mac($1)
++ role $2 types setfiles_mac_t;
++ allow setfiles_mac_t $3:chr_file rw_term_perms;
++')
++
++########################################
++## <summary>
+ ## Execute setfiles in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -587,7 +638,7 @@
type selinux_config_t;
')
@@ -31261,7 +31426,7 @@
')
########################################
-@@ -606,7 +604,7 @@
+@@ -606,7 +657,7 @@
type selinux_config_t;
')
@@ -31270,7 +31435,7 @@
dontaudit $1 selinux_config_t:file { getattr read };
')
-@@ -698,6 +696,7 @@
+@@ -698,6 +749,7 @@
')
files_search_etc($1)
@@ -31278,7 +31443,7 @@
manage_files_pattern($1,selinux_config_t,selinux_config_t)
read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
')
-@@ -807,6 +806,28 @@
+@@ -807,6 +859,28 @@
########################################
## <summary>
@@ -31307,7 +31472,7 @@
## Read and write the file_contexts files.
## </summary>
## <param name="domain">
-@@ -997,6 +1018,26 @@
+@@ -997,6 +1071,26 @@
########################################
## <summary>
@@ -31334,7 +31499,7 @@
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1008,7 +1049,7 @@
+@@ -1008,7 +1102,7 @@
## </param>
## <param name="role">
## <summary>
@@ -31343,7 +31508,7 @@
## </summary>
## </param>
## <param name="terminal">
-@@ -1030,6 +1071,39 @@
+@@ -1030,6 +1124,39 @@
########################################
## <summary>
@@ -31383,7 +31548,7 @@
## Full management of the semanage
## module store.
## </summary>
-@@ -1141,3 +1215,141 @@
+@@ -1141,3 +1268,259 @@
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -31525,9 +31690,127 @@
+ rpm_dontaudit_rw_pipes($1)
+ ')
+')
++
++
++#######################################
++## <summary>
++## All rules necessary to run setfiles command
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`seutil_setfiles',`
++
++allow $1 self:capability { dac_override dac_read_search fowner };
++dontaudit $1 self:capability sys_tty_config;
++allow $1 self:fifo_file rw_file_perms;
++dontaudit $1 self:dir relabelfrom;
++dontaudit $1 self:file relabelfrom;
++dontaudit $1 self:lnk_file relabelfrom;
++
++
++allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
++allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
++allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
++
++logging_send_audit_msgs($1)
++
++kernel_read_system_state($1)
++kernel_relabelfrom_unlabeled_dirs($1)
++kernel_relabelfrom_unlabeled_files($1)
++kernel_relabelfrom_unlabeled_symlinks($1)
++kernel_relabelfrom_unlabeled_pipes($1)
++kernel_relabelfrom_unlabeled_sockets($1)
++kernel_use_fds($1)
++kernel_rw_pipes($1)
++kernel_rw_unix_dgram_sockets($1)
++kernel_dontaudit_list_all_proc($1)
++kernel_read_all_sysctls($1)
++kernel_read_network_state_symlinks($1)
++
++dev_relabel_all_dev_nodes($1)
++
++domain_use_interactive_fds($1)
++domain_read_all_domains_state($1)
++
++files_read_etc_runtime_files($1)
++files_read_etc_files($1)
++files_list_all($1)
++files_relabel_all_files($1)
++files_list_isid_type_dirs($1)
++files_read_isid_type_files($1)
++files_dontaudit_read_all_symlinks($1)
++
++fs_getattr_xattr_fs($1)
++fs_list_all($1)
++fs_getattr_all_files($1)
++fs_search_auto_mountpoints($1)
++fs_relabelfrom_noxattr_fs($1)
++
++mls_file_read_all_levels($1)
++mls_file_write_all_levels($1)
++mls_file_upgrade($1)
++mls_file_downgrade($1)
++
++selinux_validate_context($1)
++selinux_compute_access_vector($1)
++selinux_compute_create_context($1)
++selinux_compute_relabel_context($1)
++selinux_compute_user_contexts($1)
++
++term_use_all_terms($1)
++
++# this is to satisfy the assertion:
++auth_relabelto_shadow($1)
++
++init_use_fds($1)
++init_use_script_fds($1)
++init_use_script_ptys($1)
++init_exec_script_files($1)
++
++libs_use_ld_so($1)
++libs_use_shared_libs($1)
++
++logging_send_syslog_msg($1)
++
++miscfiles_read_localization($1)
++
++seutil_libselinux_linked($1)
++
++userdom_use_all_users_fds($1)
++# for config files in a home directory
++userdom_read_all_users_home_content_files($1)
++
++ifdef(`distro_debian',`
++ # udev tmpfs is populated with static device nodes
++ # and then relabeled afterwards; thus
++ # /dev/console has the tmpfs type
++ fs_rw_tmpfs_chr_files($1)
++')
++
++ifdef(`distro_redhat', `
++ fs_rw_tmpfs_chr_files($1)
++ fs_rw_tmpfs_blk_files($1)
++ fs_relabel_tmpfs_blk_file($1)
++ fs_relabel_tmpfs_chr_file($1)
++')
++
++ifdef(`distro_ubuntu',`
++ optional_policy(`
++ unconfined_domain($1)
++ ')
++')
++
++optional_policy(`
++ hotplug_use_fds($1)
++')
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-05-28 09:06:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-05-29 10:57:43.806793000 -0400
@@ -75,7 +75,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -31547,7 +31830,19 @@
type semanage_store_t;
files_type(semanage_store_t)
-@@ -168,6 +171,7 @@
+@@ -109,6 +112,11 @@
+ init_system_domain(setfiles_t,setfiles_exec_t)
+ domain_obj_id_change_exemption(setfiles_t)
+
++type setfiles_mac_t;
++domain_type(setfiles_mac_t)
++domain_entry_file(setfiles_mac_t,setfiles_exec_t)
++domain_obj_id_change_exemption(setfiles_mac_t)
++
+ ########################################
+ #
+ # Checkpolicy local policy
+@@ -168,6 +176,7 @@
files_read_etc_runtime_files(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
@@ -31555,7 +31850,7 @@
mls_file_read_all_levels(load_policy_t)
-@@ -195,15 +199,6 @@
+@@ -195,15 +204,6 @@
')
')
@@ -31571,7 +31866,7 @@
########################################
#
# Newrole local policy
-@@ -221,7 +216,7 @@
+@@ -221,7 +221,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -31580,7 +31875,7 @@
read_files_pattern(newrole_t,default_context_t,default_context_t)
read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
-@@ -277,6 +272,7 @@
+@@ -277,6 +277,7 @@
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@@ -31588,7 +31883,7 @@
logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
-@@ -347,6 +343,8 @@
+@@ -347,6 +348,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -31597,7 +31892,7 @@
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -365,7 +363,7 @@
+@@ -365,7 +368,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -31606,7 +31901,7 @@
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -396,7 +394,6 @@
+@@ -396,7 +399,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -31614,7 +31909,7 @@
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -435,67 +432,22 @@
+@@ -435,67 +437,22 @@
# semodule local policy
#
@@ -31658,14 +31953,14 @@
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
-
+-
-libs_use_ld_so(semanage_t)
-libs_use_shared_libs(semanage_t)
-
-locallogin_use_fds(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t)
+
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
@@ -31689,7 +31984,7 @@
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
-@@ -507,6 +459,11 @@
+@@ -507,6 +464,11 @@
')
')
@@ -31701,7 +31996,7 @@
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -514,26 +471,44 @@
+@@ -514,121 +476,35 @@
# Handle pp files created in homedir and /tmp
userdom_read_sysadm_home_content_files(semanage_t)
userdom_read_sysadm_tmp_files(semanage_t)
@@ -31716,100 +32011,133 @@
########################################
#
+-# Setfiles local policy
+# setsebool local policy
-+#
+ #
+seutil_semanage_policy(setsebool_t)
+selinux_set_boolean(setsebool_t)
-+
-+init_dontaudit_use_fds(setsebool_t)
-+
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
-+
-+########################################
-+#
- # Setfiles local policy
- #
- allow setfiles_t self:capability { dac_override dac_read_search fowner };
- dontaudit setfiles_t self:capability sys_tty_config;
- allow setfiles_t self:fifo_file rw_file_perms;
-+dontaudit setfiles_t self:dir relabelfrom;
-+dontaudit setfiles_t self:file relabelfrom;
-+dontaudit setfiles_t self:lnk_file relabelfrom;
-+
-
- allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
- allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
- allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
-
-+logging_send_audit_msgs(setfiles_t)
-+
- kernel_read_system_state(setfiles_t)
- kernel_relabelfrom_unlabeled_dirs(setfiles_t)
- kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -544,20 +519,25 @@
- kernel_rw_pipes(setfiles_t)
- kernel_rw_unix_dgram_sockets(setfiles_t)
- kernel_dontaudit_list_all_proc(setfiles_t)
+-allow setfiles_t self:capability { dac_override dac_read_search fowner };
+-dontaudit setfiles_t self:capability sys_tty_config;
+-allow setfiles_t self:fifo_file rw_file_perms;
+-
+-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
+-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
+-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+-
+-kernel_read_system_state(setfiles_t)
+-kernel_relabelfrom_unlabeled_dirs(setfiles_t)
+-kernel_relabelfrom_unlabeled_files(setfiles_t)
+-kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
+-kernel_relabelfrom_unlabeled_pipes(setfiles_t)
+-kernel_relabelfrom_unlabeled_sockets(setfiles_t)
+-kernel_use_fds(setfiles_t)
+-kernel_rw_pipes(setfiles_t)
+-kernel_rw_unix_dgram_sockets(setfiles_t)
+-kernel_dontaudit_list_all_proc(setfiles_t)
-kernel_dontaudit_list_all_sysctls(setfiles_t)
-+kernel_read_all_sysctls(setfiles_t)
-+kernel_read_network_state_symlinks(setfiles_t)
-
- dev_relabel_all_dev_nodes(setfiles_t)
-
- domain_use_interactive_fds(setfiles_t)
+-
+-dev_relabel_all_dev_nodes(setfiles_t)
+-
+-domain_use_interactive_fds(setfiles_t)
-domain_dontaudit_search_all_domains_state(setfiles_t)
-
-+domain_read_all_domains_state(setfiles_t)
-+
- files_read_etc_runtime_files(setfiles_t)
- files_read_etc_files(setfiles_t)
- files_list_all(setfiles_t)
- files_relabel_all_files(setfiles_t)
-+files_list_isid_type_dirs(setfiles_t)
-+files_read_isid_type_files(setfiles_t)
-+files_dontaudit_read_all_symlinks(setfiles_t)
-
- fs_getattr_xattr_fs(setfiles_t)
- fs_list_all(setfiles_t)
-+fs_getattr_all_files(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
-
-@@ -572,9 +552,7 @@
- selinux_compute_relabel_context(setfiles_t)
- selinux_compute_user_contexts(setfiles_t)
-
+-files_read_etc_runtime_files(setfiles_t)
+-files_read_etc_files(setfiles_t)
+-files_list_all(setfiles_t)
+-files_relabel_all_files(setfiles_t)
+-
+-fs_getattr_xattr_fs(setfiles_t)
+-fs_list_all(setfiles_t)
+-fs_search_auto_mountpoints(setfiles_t)
+-fs_relabelfrom_noxattr_fs(setfiles_t)
+-
+-mls_file_read_all_levels(setfiles_t)
+-mls_file_write_all_levels(setfiles_t)
+-mls_file_upgrade(setfiles_t)
+-mls_file_downgrade(setfiles_t)
+-
+-selinux_validate_context(setfiles_t)
+-selinux_compute_access_vector(setfiles_t)
+-selinux_compute_create_context(setfiles_t)
+-selinux_compute_relabel_context(setfiles_t)
+-selinux_compute_user_contexts(setfiles_t)
+-
-term_use_all_user_ttys(setfiles_t)
-term_use_all_user_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
-+term_use_all_terms(setfiles_t)
+-
+-# this is to satisfy the assertion:
+-auth_relabelto_shadow(setfiles_t)
+-
+-init_use_fds(setfiles_t)
+-init_use_script_fds(setfiles_t)
+-init_use_script_ptys(setfiles_t)
+-init_exec_script_files(setfiles_t)
+-
+-libs_use_ld_so(setfiles_t)
+-libs_use_shared_libs(setfiles_t)
+-
+-logging_send_syslog_msg(setfiles_t)
+-
+-miscfiles_read_localization(setfiles_t)
+-
+-seutil_libselinux_linked(setfiles_t)
+-
+-userdom_use_all_users_fds(setfiles_t)
+-# for config files in a home directory
+-userdom_read_all_users_home_content_files(setfiles_t)
++init_dontaudit_use_fds(setsebool_t)
- # this is to satisfy the assertion:
- auth_relabelto_shadow(setfiles_t)
-@@ -617,16 +595,8 @@
- ')
- ')
+-ifdef(`distro_debian',`
+- # udev tmpfs is populated with static device nodes
+- # and then relabeled afterwards; thus
+- # /dev/console has the tmpfs type
+- fs_rw_tmpfs_chr_files(setfiles_t)
+-')
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
+-ifdef(`distro_redhat', `
+- fs_rw_tmpfs_chr_files(setfiles_t)
+- fs_rw_tmpfs_blk_files(setfiles_t)
+- fs_relabel_tmpfs_blk_file(setfiles_t)
+- fs_relabel_tmpfs_chr_file(setfiles_t)
+-')
+-
+-ifdef(`distro_ubuntu',`
+- optional_policy(`
+- unconfined_domain(setfiles_t)
+- ')
+-')
+-
-ifdef(`hide_broken_symptoms',`
- optional_policy(`
- udev_dontaudit_rw_dgram_sockets(setfiles_t)
- ')
--
++########################################
++#
++# Setfiles local policy
++#
+
- # cjp: cover up stray file descriptors.
- optional_policy(`
- unconfined_dontaudit_read_pipes(setfiles_t)
- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
- ')
-+optional_policy(`
-+ cron_system_entry(setfiles_t, setfiles_exec_t)
- ')
+-')
++seutil_setfiles(setfiles_t)
optional_policy(`
+- hotplug_use_fds(setfiles_t)
++ cron_system_entry(setfiles_t, setfiles_exec_t)
+ ')
++
++seutil_setfiles(setfiles_mac_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.3.1/policy/modules/system/setrans.te
--- nsaserefpolicy/policy/modules/system/setrans.te 2008-02-26 08:23:09.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/setrans.te 2008-05-28 09:06:14.000000000 -0400
@@ -32238,8 +32566,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-05-28 09:06:14.000000000 -0400
-@@ -1,16 +1,17 @@
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-05-29 10:58:17.849128000 -0400
+@@ -1,16 +1,18 @@
# Add programs here which should not be confined by SELinux
# e.g.:
-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -32259,6 +32587,7 @@
')
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
@@ -32610,7 +32939,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-05-28 09:06:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-05-29 10:25:46.295817000 -0400
@@ -6,35 +6,71 @@
# Declarations
#
@@ -32783,33 +33112,26 @@
')
optional_policy(`
-@@ -134,14 +185,6 @@
+@@ -134,82 +185,95 @@
')
optional_policy(`
- mono_domtrans(unconfined_t)
--')
--
--optional_policy(`
++ oddjob_domtrans_mkhomedir(unconfined_t)
+ ')
+
+ optional_policy(`
- mta_per_role_template(unconfined, unconfined_t, unconfined_r)
--')
--
--optional_policy(`
- oddjob_domtrans_mkhomedir(unconfined_t)
++ prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
-@@ -154,38 +197,45 @@
+ optional_policy(`
+- oddjob_domtrans_mkhomedir(unconfined_t)
++ portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-- # cjp: this should probably be removed:
-- postfix_domtrans_master(unconfined_t)
--')
--
--
--optional_policy(`
-- pyzor_per_role_template(unconfined)
+- prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ tunable_policy(`allow_unconfined_qemu_transition', `
+ qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ', `
@@ -32820,15 +33142,16 @@
')
optional_policy(`
-- # cjp: this should probably be removed:
-- rpc_domtrans_nfsd(unconfined_t)
+- portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_role_transition(unconfined_r)
')
optional_policy(`
-- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- # cjp: this should probably be removed:
+- postfix_domtrans_master(unconfined_t)
+ cron_per_role_template(unconfined, unconfined_t, unconfined_r)
+ # this is disallowed usage:
+ unconfined_domain(unconfined_crond_t)
@@ -32837,66 +33160,80 @@
+ rpm_transition_script(unconfined_crond_t)
')
+-
optional_policy(`
- samba_per_role_template(unconfined)
-- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- pyzor_per_role_template(unconfined)
++ samba_per_role_template(unconfined)
+ samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
+- # cjp: this should probably be removed:
+- rpc_domtrans_nfsd(unconfined_t)
+ sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- sysnet_dbus_chat_dhcpc(unconfined_t)
+- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ sysnet_dbus_chat_dhcpc(unconfined_t)
+ sysnet_role_transition_dhcpc(unconfined_r)
')
optional_policy(`
-@@ -193,23 +243,33 @@
+- samba_per_role_template(unconfined)
+- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
+ vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- sysnet_dbus_chat_dhcpc(unconfined_t)
+ webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- wine_domtrans(unconfined_t)
+- usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- xserver_domtrans_xdm_xserver(unconfined_t)
+- vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ mono_per_role_template(unconfined, unconfined_t, unconfined_r)
+ unconfined_domain(unconfined_mono_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- wine_domtrans(unconfined_t)
++ livecd_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+ ')
+
+ optional_policy(`
+- xserver_domtrans_xdm_xserver(unconfined_t)
+ xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ xserver_xdm_rw_shm(unconfined_t)
')
########################################
-@@ -219,14 +279,35 @@
+@@ -219,14 +283,36 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -32937,6 +33274,7 @@
+# Allow SELinux aware applications to request rpm_script execution
+rpm_transition_script(unconfined_notrans_t)
+domain_ptrace_all_domains(unconfined_notrans_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.3.1/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-02-26 08:23:09.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.fc 2008-05-28 09:06:14.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.674
retrieving revision 1.675
diff -u -r1.674 -r1.675
--- selinux-policy.spec 29 May 2008 13:09:29 -0000 1.674
+++ selinux-policy.spec 29 May 2008 15:03:00 -0000 1.675
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 57%{?dist}
+Release: 58%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,7 +385,11 @@
%endif
%changelog
-* Wed May 21 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-57
+* Thu May 29 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-58
+- Allow policykit_resolve to getattr hal
+- Allow pyzor_t manage files user_pyzor_home_t
+
+* Wed May 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-57
- Allow dhcpc sys_nice
- Allow handling of /var/run/video.rom
- Allow policykit_resolve to use dbus
- Previous message (by thread): rpms/numpy/devel .cvsignore, 1.11, 1.12 numpy.spec, 1.22, 1.23 sources, 1.11, 1.12
- Next message (by thread): rpms/bibletime/F-8 .cvsignore, 1.7, 1.8 bibletime.spec, 1.7, 1.8 sources, 1.7, 1.8
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list