rpms/selinux-policy/devel policy-20080710.patch, 1.44, 1.45 selinux-policy.spec, 1.711, 1.712

Daniel J Walsh dwalsh at fedoraproject.org
Tue Sep 23 20:15:18 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13294

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
* Tue Sep 23 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-7
- Allow confined users to login with dbus


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- policy-20080710.patch	23 Sep 2008 14:23:23 -0000	1.44
+++ policy-20080710.patch	23 Sep 2008 20:14:47 -0000	1.45
@@ -14730,7 +14730,7 @@
  /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.8/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/dbus.if	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/dbus.if	2008-09-23 15:34:03.000000000 -0400
 @@ -53,6 +53,7 @@
  	gen_require(`
  		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -14748,7 +14748,7 @@
  	type $1_dbusd_tmp_t;
  	files_tmp_file($1_dbusd_tmp_t)
  
-@@ -84,14 +83,18 @@
+@@ -84,14 +83,19 @@
  	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
  	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
  
@@ -14760,6 +14760,7 @@
 -	type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
 +	allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };
 +	allow $2 $1_dbusd_t:unix_dgram_socket getattr;
++	allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;
  
  	# SE-DBus specific permissions
 -	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
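Review bot: The new rule `allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;` carries no comment, unlike the SE-DBus block directly below it, and it is the only rule in this hunk that grants the bus daemon access to the client domain's sockets rather than the reverse direction already covered by `allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };`. Given the log message, this presumably lets the session bus read and write a socket created by the confined user domain during login; a one-line comment such as `# bus daemon reads/writes the client domain's connected socket` would record why the daemon needs it. The enclosing template begins and ends outside this hunk.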
@@ -14771,7 +14772,7 @@
  
  	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
  	read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-@@ -102,10 +105,9 @@
+@@ -102,10 +106,9 @@
  	files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
  
  	domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
@@ -14784,7 +14785,7 @@
  	allow $1_dbusd_t $2:process sigkill;
  	allow $2 $1_dbusd_t:fd use;
  	allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -115,8 +117,8 @@
+@@ -115,8 +118,8 @@
  	kernel_read_kernel_sysctls($1_dbusd_t)
  
  	corecmd_list_bin($1_dbusd_t)
@@ -14794,7 +14795,7 @@
  	corecmd_read_bin_pipes($1_dbusd_t)
  	corecmd_read_bin_sockets($1_dbusd_t)
  
-@@ -139,6 +141,7 @@
+@@ -139,6 +142,7 @@
  
  	fs_getattr_romfs($1_dbusd_t)
  	fs_getattr_xattr_fs($1_dbusd_t)
@@ -14802,7 +14803,7 @@
  
  	selinux_get_fs_mount($1_dbusd_t)
  	selinux_validate_context($1_dbusd_t)
-@@ -161,12 +164,24 @@
+@@ -161,12 +165,24 @@
  	seutil_read_config($1_dbusd_t)
  	seutil_read_default_contexts($1_dbusd_t)
  
@@ -14828,7 +14829,7 @@
  	tunable_policy(`read_default_t',`
  		files_list_default($1_dbusd_t)
  		files_read_default_files($1_dbusd_t)
-@@ -180,8 +195,15 @@
+@@ -180,9 +196,17 @@
  	')
  
  	optional_policy(`
@@ -14842,9 +14843,11 @@
 +		xserver_dontaudit_xdm_lib_search($1_dbusd_t)
 +		xserver_rw_xdm_home_files($1_dbusd_t)
  	')
++
  ')
  
-@@ -207,14 +229,12 @@
+ #######################################
+@@ -207,14 +231,12 @@
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -14862,7 +14865,7 @@
  
  	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($2)
-@@ -223,6 +243,10 @@
+@@ -223,6 +245,10 @@
  	files_search_pids($2)
  	stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
  	dbus_read_config($2)
@@ -14873,7 +14876,7 @@
  ')
  
  #######################################
-@@ -251,18 +275,16 @@
+@@ -251,18 +277,16 @@
  template(`dbus_user_bus_client_template',`
  	gen_require(`
  		type $1_dbusd_t;
@@ -14894,7 +14897,7 @@
  ')
  
  ########################################
-@@ -292,6 +314,55 @@
+@@ -292,6 +316,55 @@
  
  ########################################
  ## <summary>
@@ -14950,7 +14953,7 @@
  ##	Read dbus configuration.
  ## </summary>
  ## <param name="domain">
-@@ -366,3 +437,75 @@
+@@ -366,3 +439,75 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -15028,7 +15031,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.8/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/dbus.te	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/dbus.te	2008-09-23 15:32:31.000000000 -0400
 @@ -9,9 +9,10 @@
  #
  # Delcarations
@@ -15115,6 +15118,10 @@
  ')
  
  optional_policy(`
++	consolekit_dbus_chat(system_dbusd_t)
++')
++
++optional_policy(`
 +	gnome_exec_gconf(system_dbusd_t)
 +')
 +
@@ -15136,10 +15143,6 @@
  ')
 +
 +optional_policy(`
-+	consolekit_dbus_chat(system_dbusd_t)
-+')
-+
-+optional_policy(`
 +	gen_require(`
 +		type unconfined_dbusd_t;
 +	')
@@ -19515,7 +19518,7 @@
 +/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.8/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.if	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/networkmanager.if	2008-09-23 11:18:34.000000000 -0400
 @@ -118,6 +118,24 @@
  
  ########################################
@@ -19543,13 +19546,13 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.8/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te	2008-09-22 09:09:30.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te	2008-09-23 16:02:33.000000000 -0400
 @@ -29,9 +29,9 @@
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161) 
 -allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
  dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 -allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
 +allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
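Review bot: `sys_admin` is added to the NetworkManager_t capability set on the new `allow NetworkManager_t self:capability { ... }` line without a comment, while the surrounding rules justify their grants (the ptrace comment above cites rh bug #204161). sys_admin is the broadest Linux capability, so a note recording which operation produced the denial, e.g. `# sys_admin: <operation or bug reference>`, is needed so it can be revisited rather than accumulate silently. If the trigger is a single operation, a narrower interface or a dontaudit may suffice, but that cannot be judged from this hunk.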
@@ -21909,7 +21912,7 @@
  /etc/ppp(/.*)?			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.8/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/ppp.if	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/ppp.if	2008-09-23 15:53:43.000000000 -0400
 @@ -310,6 +310,24 @@
  
  ########################################
@@ -26773,7 +26776,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.8/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/squid.te	2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/squid.te	2008-09-23 15:23:35.000000000 -0400
 @@ -31,12 +31,15 @@
  type squid_var_run_t;
  files_pid_file(squid_var_run_t)
@@ -26829,7 +26832,11 @@
  
  libs_use_ld_so(squid_t)
  libs_use_shared_libs(squid_t)
-@@ -149,11 +158,7 @@
+@@ -146,14 +155,11 @@
+ 
+ tunable_policy(`squid_connect_any',`
+ 	corenet_tcp_connect_all_ports(squid_t)
++	corenet_tcp_bind_all_ports(squid_t)
  ')
  
  optional_policy(`
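Review bot: `corenet_tcp_bind_all_ports(squid_t)` is added inside the `squid_connect_any` tunable block, whose name (and presumably its gen_tunable description, which lies outside this hunk) speaks only of connecting. Binding any local TCP port is a distinct privilege from connecting to any port, so an administrator reading the tunable name would not expect it; either extend the tunable's description to cover binding, or add a comment above the new line explaining why bind-any is tied to this tunable, e.g. `# connect_any also needs arbitrary local ports for outgoing sockets` if that is the case.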
@@ -26842,7 +26849,7 @@
  ')
  
  optional_policy(`
-@@ -168,7 +173,12 @@
+@@ -168,7 +174,12 @@
  	udev_read_db(squid_t)
  ')
  
@@ -30107,7 +30114,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.8/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2008-09-12 10:48:05.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/init.if	2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/system/init.if	2008-09-23 11:15:16.000000000 -0400
 @@ -278,6 +278,27 @@
  			kernel_dontaudit_use_fds($1)
  		')
@@ -30320,7 +30327,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-09-12 10:48:05.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/init.te	2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/system/init.te	2008-09-23 15:44:50.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -30393,7 +30400,7 @@
  	nscd_socket_use(init_t)
  ')
  
-@@ -204,7 +230,7 @@
+@@ -204,9 +230,10 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30401,8 +30408,11 @@
 +allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
++allow initrc_t self:key { search };
  
-@@ -219,7 +245,8 @@
+ # Allow IPC with self
+ allow initrc_t self:unix_dgram_socket create_socket_perms;
+@@ -219,7 +246,8 @@
  term_create_pty(initrc_t,initrc_devpts_t)
  
  # Going to single user mode
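Review bot: The new rule `allow initrc_t self:key { search };` wraps a single permission in braces, while the adjacent rules in this block write single permissions bare (`dontaudit initrc_t self:capability sys_module;`, `allow initrc_t self:passwd rootok;`); for consistency write `allow initrc_t self:key search;`. The neighbouring `sys_module` dontaudit also carries a trailing comment naming its trigger, so a short comment stating what in the init scripts needs keyring search would match the file's style.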
@@ -30412,7 +30422,7 @@
  
  can_exec(initrc_t, init_script_file_type)
  
-@@ -232,6 +259,7 @@
+@@ -232,6 +260,7 @@
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t,initrc_var_run_t,file)
@@ -30420,7 +30430,7 @@
  
  can_exec(initrc_t,initrc_tmp_t)
  allow initrc_t initrc_tmp_t:file manage_file_perms;
-@@ -276,7 +304,7 @@
+@@ -276,7 +305,7 @@
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
@@ -30429,7 +30439,15 @@
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -521,6 +549,31 @@
+@@ -371,6 +400,7 @@
+ libs_use_shared_libs(initrc_t)
+ libs_exec_lib_files(initrc_t)
+ 
++logging_send_audit_msgs(initrc_t)
+ logging_send_syslog_msg(initrc_t)
+ logging_manage_generic_logs(initrc_t)
+ logging_read_all_logs(initrc_t)
+@@ -521,6 +551,31 @@
  	')
  ')
  
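Review bot: `logging_send_audit_msgs(initrc_t)` is added here while the capability rule for initrc_t earlier in the same file, visible in the hunk at @@ -30401 as `allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };`, deliberately excludes audit_write. In refpolicy of this vintage that interface assigns the can_send_audit_msgs attribute, which itself carries `self:capability audit_write` plus the netlink_audit_socket permissions, so the exclusion would no longer have any effect; please confirm that is intended. If it is, drop `audit_write` from the exclusion list so the two rules do not contradict each other, or add a comment above the new call noting that audit_write is granted through this interface on purpose.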
@@ -30461,7 +30479,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +632,10 @@
+@@ -579,6 +634,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -30472,7 +30490,7 @@
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -664,12 +721,6 @@
+@@ -664,12 +723,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -30485,7 +30503,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -730,6 +781,9 @@
+@@ -730,6 +783,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -30495,7 +30513,7 @@
  ')
  
  optional_policy(`
-@@ -742,10 +796,12 @@
+@@ -742,10 +798,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -30508,7 +30526,7 @@
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -763,6 +819,11 @@
+@@ -763,6 +821,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -30520,7 +30538,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -777,6 +838,10 @@
+@@ -777,6 +840,10 @@
  ')
  
  optional_policy(`
@@ -30531,7 +30549,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -799,3 +864,11 @@
+@@ -799,3 +866,11 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -32469,8 +32487,16 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc	2008-09-17 08:49:09.000000000 -0400
-@@ -57,3 +57,5 @@
++++ serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc	2008-09-23 14:00:14.000000000 -0400
+@@ -11,6 +11,7 @@
+ /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/hosts		--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+ 
+@@ -57,3 +58,5 @@
  ifdef(`distro_gentoo',`
  /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
  ')
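Review bot: The new file context `/etc/hosts		--	gen_context(system_u:object_r:net_conf_t,s0)` moves /etc/hosts out of the generic etc type into net_conf_t, the type that dhcp client domains are allowed to write in sysnetwork so they can update resolv.conf; every domain with write access to net_conf_t therefore gains write access to /etc/hosts as well. The entry has no comment; add one recording which domain needs to write /etc/hosts, e.g. `# written by network tools alongside resolv.conf`, so the widened write set is documented. The pattern is a plain path, so it matches only /etc/hosts and not /etc/hosts.allow or /etc/hosts.deny, which is presumably intended. Existing installs need a relabel of /etc/hosts before this entry takes effect.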


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.711
retrieving revision 1.712
diff -u -r1.711 -r1.712
--- selinux-policy.spec	23 Sep 2008 15:14:53 -0000	1.711
+++ selinux-policy.spec	23 Sep 2008 20:14:47 -0000	1.712
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.8
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
 %endif
 
 %changelog
+* Tue Sep 23 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-7
+- Allow confined users to login with dbus
+
 * Mon Sep 22 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-6
 - Fix transition to nsplugin
 



