rpms/selinux-policy/F-10 policy-20080710.patch,1.95,1.96
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Nov 13 23:48:07 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12272
Modified Files:
policy-20080710.patch
Log Message:
* Mon Nov 10 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-20
- Change default boolean settings for xguest
- Allow mount to r/w image files
- Fix labels for several libraries that need textrel_shlib_t
- portreserve needs to be able to sendrecv unlabeled_t
- Fix Kerberos labeling
- Fix cups printing on hp printers
- Allow relabeling on blk devices on the homedir
- Allow nsplugin to r/w inodefs
policy-20080710.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.95 -r 1.96 policy-20080710.patch
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.95
retrieving revision 1.96
diff -u -r1.95 -r1.96
--- policy-20080710.patch 13 Nov 2008 19:15:40 -0000 1.95
+++ policy-20080710.patch 13 Nov 2008 23:48:05 -0000 1.96
@@ -124,6 +124,16 @@
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts
+--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500
+@@ -0,0 +1,6 @@
++system_r:local_login_t:s0 guest_r:guest_t:s0
++system_r:remote_login_t:s0 guest_r:guest_t:s0
++system_r:sshd_t:s0 guest_r:guest_t:s0
++system_r:crond_t:s0 guest_r:guest_t:s0
++system_r:initrc_su_t:s0 guest_r:guest_t:s0
++guest_r:guest_t:s0 guest_r:guest_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-10-17 08:49:10.000000000 -0400
+++ serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts 2008-11-11 16:22:02.000000000 -0500
@@ -198,6 +208,17 @@
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts
+--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500
+@@ -0,0 +1,7 @@
++system_r:local_login_t xguest_r:xguest_t:s0
++system_r:remote_login_t xguest_r:xguest_t:s0
++system_r:sshd_t xguest_r:xguest_t:s0
++system_r:crond_t xguest_r:xguest_t:s0
++system_r:xdm_t xguest_r:xguest_t:s0
++system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
++xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.5.13/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-10-17 08:49:10.000000000 -0400
+++ serefpolicy-3.5.13/config/appconfig-mls/default_contexts 2008-11-11 16:22:02.000000000 -0500
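Review bot: The first five entries of the new appconfig-mcs/xguest_u_default_contexts (from `system_r:local_login_t xguest_r:xguest_t:s0` to `system_r:xdm_t xguest_r:xguest_t:s0`) give the source context without a level. The last two lines of the same file, and every line of the mcs guest_u_default_contexts added in the previous hunk, carry `:s0`. In an MCS tree I would expect `system_r:local_login_t:s0` and so on; the level-less form looks like a copy from the appconfig-standard file. Whether the lookup still matches without the level is not visible here, so it should be confirmed with an actual xguest_u login that the confined mapping is the one applied. The same five lines recur in appconfig-mls/xguest_u_default_contexts in the `@@ -267,6 +296,25 @@` hunk.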
@@ -222,6 +243,14 @@
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts
+--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500
+@@ -0,0 +1,4 @@
++system_r:local_login_t:s0 guest_r:guest_t:s0
++system_r:remote_login_t:s0 guest_r:guest_t:s0
++system_r:sshd_t:s0 guest_r:guest_t:s0
++system_r:crond_t:s0 guest_r:guest_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-10-17 08:49:10.000000000 -0400
+++ serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts 2008-11-11 16:22:02.000000000 -0500
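Review bot: appconfig-mls/guest_u_default_contexts is added with four entries, while the mcs file of the same name added earlier in this revision has six. The lines `system_r:initrc_su_t:s0 guest_r:guest_t:s0` and `guest_r:guest_t:s0 guest_r:guest_t:s0` are missing here. If the omission is deliberate for MLS, the log message should say so; otherwise the two lines should be added so that every variant resolves guest_u the same way. The appconfig-standard guest_u and xguest_u files in the later hunks are short in the same way.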
@@ -267,6 +296,25 @@
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts
+--- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500
+@@ -0,0 +1,7 @@
++system_r:local_login_t xguest_r:xguest_t:s0
++system_r:remote_login_t xguest_r:xguest_t:s0
++system_r:sshd_t xguest_r:xguest_t:s0
++system_r:crond_t xguest_r:xguest_t:s0
++system_r:xdm_t xguest_r:xguest_t:s0
++system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
++xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts
+--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500
+@@ -0,0 +1,4 @@
++system_r:local_login_t guest_r:guest_t
++system_r:remote_login_t guest_r:guest_t
++system_r:sshd_t guest_r:guest_t
++system_r:crond_t guest_r:guest_crond_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts
--- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2008-10-17 08:49:10.000000000 -0400
+++ serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts 2008-11-11 16:22:02.000000000 -0500
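Review bot: In the new appconfig-standard/guest_u_default_contexts the cron entry reads `system_r:crond_t guest_r:guest_crond_t`, but the mcs and mls variants added in this same revision map crond to `guest_r:guest_t:s0`. No declaration of guest_crond_t is visible in the part of the patch shown (most of it is suppressed), so it is worth checking that the type exists in 3.5.13. If it does not, the line should be `system_r:crond_t guest_r:guest_t`. The standard xguest_u file in the next hunk has the same pattern with `xguest_r:xguest_crond_t`.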
@@ -307,6 +355,15 @@
system_r:xdm_t user_r:user_t
user_r:user_su_t user_r:user_t
user_r:user_sudo_t user_r:user_t
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts
+--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500
+@@ -0,0 +1,5 @@
++system_r:local_login_t xguest_r:xguest_t
++system_r:remote_login_t xguest_r:xguest_t
++system_r:sshd_t xguest_r:xguest_t
++system_r:crond_t xguest_r:xguest_crond_t
++system_r:xdm_t xguest_r:xguest_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.5.13/man/man8/samba_selinux.8
--- nsaserefpolicy/man/man8/samba_selinux.8 2008-10-17 08:49:10.000000000 -0400
+++ serefpolicy-3.5.13/man/man8/samba_selinux.8 2008-11-13 08:44:53.000000000 -0500
@@ -419,12 +476,13 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.5.13/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/admin/certwatch.te 2008-11-11 16:22:02.000000000 -0500
-@@ -27,6 +27,8 @@
++++ serefpolicy-3.5.13/policy/modules/admin/certwatch.te 2008-11-13 18:30:48.000000000 -0500
+@@ -27,6 +27,9 @@
fs_list_inotifyfs(certwatch_t)
-+auth_rw_cache(certwatch_t)
++auth_manage_cache(certwatch_t)
++auth_filetrans_cache(certwatch_t)
+
libs_use_ld_so(certwatch_t)
libs_use_shared_libs(certwatch_t)
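Review bot: Replacing `auth_rw_cache(certwatch_t)` with `auth_manage_cache(certwatch_t)` plus `auth_filetrans_cache(certwatch_t)` widens certwatch_t beyond the previous read/write grant on the auth cache, and the log message does not mention certwatch. The auth_filetrans_cache interface shown later in this patch is `files_var_filetrans($1,auth_cache_t,file)`, so any plain file certwatch_t creates directly in a var_t directory would presumably be labelled auth_cache_t, not only the intended cache file. I would add a comment above the two calls naming the file that has to be created, e.g. `# certwatch creates <cache file path> under /var; needs create + type transition` with the real path filled in, so the grant can be narrowed later. The certwatch.te hunk continues outside the lines shown.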
@@ -3116,6 +3174,102 @@
+ xserver_rw_xdm_xserver_shm(java_t)
+')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.13/policy/modules/apps/livecd.fc
+--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/livecd.fc 2008-11-11 16:22:03.000000000 -0500
+@@ -0,0 +1,2 @@
++
++/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.13/policy/modules/apps/livecd.if
+--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/livecd.if 2008-11-11 16:22:03.000000000 -0500
+@@ -0,0 +1,56 @@
++
++## <summary>policy for livecd</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run livecd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`livecd_domtrans',`
++ gen_require(`
++ type livecd_t;
++ type livecd_exec_t;
++ ')
++
++ domtrans_pattern($1, livecd_exec_t, livecd_t)
++')
++
++
++########################################
++## <summary>
++## Execute livecd in the livecd domain, and
++## allow the specified role the livecd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the livecd domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the role's terminal.
++## </summary>
++## </param>
++#
++interface(`livecd_run',`
++ gen_require(`
++ type livecd_t;
++ ')
++
++ livecd_domtrans($1)
++ role $2 types livecd_t;
++ allow livecd_t $3:chr_file rw_term_perms;
++
++ seutil_run_setfiles_mac(livecd_t, $2, $3)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.13/policy/modules/apps/livecd.te
+--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/livecd.te 2008-11-11 16:22:03.000000000 -0500
+@@ -0,0 +1,26 @@
++policy_module(livecd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type livecd_t;
++type livecd_exec_t;
[...4522 lines suppressed...]
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`auth_filetrans_cache',`
++ gen_require(`
++ type auth_cache_t;
++ ')
++
++ files_var_filetrans($1,auth_cache_t,file)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.5.13/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-10-17 08:49:13.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/authlogin.te 2008-11-11 16:22:03.000000000 -0500
@@ -25835,7 +29269,7 @@
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-13 08:39:45.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-13 18:36:50.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -25940,7 +29374,7 @@
') dnl end distro_redhat
#
-@@ -310,3 +330,20 @@
+@@ -310,3 +330,19 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -25959,7 +29393,6 @@
+
+/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/sse2/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-17 08:49:13.000000000 -0400
@@ -26619,7 +30052,7 @@
samba_run_smbmount($1, $2, $3)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-13 18:00:51.000000000 -0500
@@ -18,17 +18,18 @@
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
@@ -26728,15 +30161,16 @@
ifdef(`distro_redhat',`
optional_policy(`
-@@ -138,6 +153,7 @@
+@@ -136,7 +151,7 @@
+
+ tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t)
- auth_read_all_files_except_shadow(mount_t)
+- auth_read_all_files_except_shadow(mount_t)
++ auth_rw_all_files_except_shadow(mount_t)
files_mounton_non_security(mount_t)
-+ files_rw_all_files(mount_t)
')
- optional_policy(`
-@@ -167,6 +183,8 @@
+@@ -167,6 +182,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
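Review bot: Inside the allow_mount_anyfile tunable block, the new `auth_rw_all_files_except_shadow(mount_t)` still appears to give mount_t write access to every non-shadow file type when the boolean is on, while the log message only asks for r/w on image files. It is tighter than the `files_rw_all_files(mount_t)` line it replaces, which is a real improvement. A comment on the line would record the intent, e.g. `# rw needed for loop-mounted image files; narrow to an image file type if one is introduced`. The default value of allow_mount_anyfile is not visible here and should be checked so that this write access is not enabled on every install. The tunable block begins outside the lines shown.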
@@ -26745,7 +30179,7 @@
')
optional_policy(`
-@@ -181,6 +199,11 @@
+@@ -181,6 +198,11 @@
')
')
@@ -26757,7 +30191,7 @@
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -188,6 +211,7 @@
+@@ -188,6 +210,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -26765,7 +30199,7 @@
')
########################################
-@@ -198,4 +222,26 @@
+@@ -198,4 +221,26 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -27672,7 +31106,7 @@
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.13/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-11-13 17:40:46.000000000 -0500
@@ -553,6 +553,7 @@
type net_conf_t;
')
@@ -27681,7 +31115,7 @@
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
-@@ -569,6 +570,10 @@
+@@ -569,6 +570,14 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
@@ -27689,10 +31123,14 @@
+ optional_policy(`
+ avahi_stream_connect($1)
+ ')
++
++ optional_policy(`
++ nscd_socket_use($1)
++ ')
')
########################################
-@@ -598,6 +603,8 @@
+@@ -598,6 +607,8 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
@@ -27701,7 +31139,7 @@
')
########################################
-@@ -632,3 +639,49 @@
+@@ -632,3 +643,49 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
')
@@ -27753,7 +31191,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-11-13 17:41:30.000000000 -0500
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -27917,7 +31355,16 @@
domain_use_interactive_fds(ifconfig_t)
-@@ -335,6 +355,14 @@
+@@ -300,6 +320,8 @@
+
+ seutil_use_runinit_fds(ifconfig_t)
+
++sysnet_dns_name_resolve(ifconfig_t)
++
+ userdom_use_all_users_fds(ifconfig_t)
+
+ ifdef(`distro_ubuntu',`
+@@ -335,6 +357,14 @@
')
optional_policy(`
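Review bot: `sysnet_dns_name_resolve(ifconfig_t)` is added with no comment and no entry in the log message. The xen.te hunk at `@@ -31925,12 +35372,15 @@` likewise swaps `sysnet_read_config(xm_t)` for `sysnet_dns_name_resolve(xm_t)`. In this same revision a sysnetwork.if hunk adds an `nscd_socket_use($1)` block to an interface whose name is not shown; if that is the resolver interface, both domains also pick up nscd socket access. A short why-comment on each call, for example `# ifconfig resolves host names given as arguments` if that is the reason, would let a later reviewer judge whether `sysnet_read_config` alone would do.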
@@ -31725,7 +35172,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-11-13 14:38:02.000000000 -0500
@@ -6,6 +6,13 @@
# Declarations
#
@@ -31925,12 +35372,15 @@
init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t)
-@@ -360,6 +397,23 @@
+@@ -358,8 +395,25 @@
- sysnet_read_config(xm_t)
+ miscfiles_read_localization(xm_t)
-+sysadm_dontaudit_search_home_dirs(xm_t)
+-sysnet_read_config(xm_t)
++sysnet_dns_name_resolve(xm_t)
+
++sysadm_dontaudit_search_home_dirs(xm_t)
+
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)