rpms/selinux-policy/F-11 policy-20090105.patch, 1.101, 1.102 selinux-policy.spec, 1.836, 1.837

Daniel J Walsh dwalsh at fedoraproject.org
Fri Apr 24 04:09:16 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14992

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Thu Apr 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-15
- Additional perms for readahead


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -r1.101 -r1.102
--- policy-20090105.patch	24 Apr 2009 03:14:57 -0000	1.101
+++ policy-20090105.patch	24 Apr 2009 04:09:16 -0000	1.102
@@ -850,8 +850,20 @@
  ifdef(`distro_suse', `
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-04-23 09:44:57.000000000 -0400
-@@ -146,6 +146,24 @@
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-04-23 23:59:46.000000000 -0400
+@@ -66,6 +66,11 @@
+ 	rpm_domtrans($1)
+ 	role $2 types rpm_t;
+ 	role $2 types rpm_script_t;
++
++	domain_system_change_exemption($1)
++	role_transition $2 rpm_exec_t system_r;
++	allow $2 system_r;
++
+ 	seutil_run_loadpolicy(rpm_script_t, $2)
+ 	seutil_run_semanage(rpm_script_t, $2)
+ 	seutil_run_setfiles(rpm_script_t, $2)
+@@ -146,6 +151,24 @@
  
  ########################################
  ## <summary>
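Review bot: The rules added after `role $2 types rpm_script_t;` give `allow $2 system_r;`, the `rpm_exec_t` role transition and `domain_system_change_exemption($1)` to every caller of this interface, while the `rpm_role_transition` interface removed further down was called only for `sysadm_r` and `unconfined_r` on this page. The interface header and its `gen_require` block are outside the hunk (the argument shapes match the `rpm_run(...)` calls in sysadm.te and unconfineduser.te), so confirm that `gen_require` declares `rpm_exec_t`, as the removed interface's did, and that every role passed as `$2` is meant to reach `system_r`. The sysadm.te hunk also drops the standalone `allow sysadm_r system_r;` but keeps `init_script_role_transition(sysadm_r)`; unless that interface carries its own role allow, the allow now appears to arrive only through this interface inside an `optional_policy` block. I would add a comment above the new rules, `# Executing rpm_exec_t moves $2 into system_r; only pass roles trusted to enter system_r`, and mention the transition in the interface's `<desc>`.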
@@ -876,7 +888,7 @@
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -167,6 +185,48 @@
+@@ -167,6 +190,48 @@
  
  ########################################
  ## <summary>
@@ -925,7 +937,7 @@
  ##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
-@@ -186,6 +246,24 @@
+@@ -186,6 +251,24 @@
  
  ########################################
  ## <summary>
@@ -950,7 +962,7 @@
  ##	Inherit and use file descriptors from RPM scripts.
  ## </summary>
  ## <param name="domain">
-@@ -204,6 +282,24 @@
+@@ -204,6 +287,24 @@
  
  ########################################
  ## <summary>
@@ -975,7 +987,7 @@
  ##	Create, read, write, and delete RPM
  ##	script temporary files.
  ## </summary>
-@@ -219,7 +315,29 @@
+@@ -219,7 +320,29 @@
  	')
  
  	files_search_tmp($1)
@@ -1005,7 +1017,7 @@
  ')
  
  ########################################
-@@ -245,6 +363,24 @@
+@@ -245,6 +368,24 @@
  
  ########################################
  ## <summary>
@@ -1030,7 +1042,7 @@
  ##	Create, read, write, and delete the RPM package database.
  ## </summary>
  ## <param name="domain">
-@@ -283,3 +419,175 @@
+@@ -283,3 +424,148 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -1144,33 +1156,6 @@
 +
 +########################################
 +## <summary>
-+##	Transition to system_r when execute an rpm script
-+## </summary>
-+## <desc>
-+##      <p>
-+##	Execute rpm script in a specified role
-+##      </p>
-+##      <p>
-+##      No interprocess communication (signals, pipes,
-+##      etc.) is provided by this interface since
-+##      the domains are not owned by this module.
-+##      </p>
-+## </desc>
-+## <param name="source_role">
-+##	<summary>
-+##	Role to transition from.
-+##	</summary>
-+## </param>
-+interface(`rpm_role_transition',`
-+	gen_require(`
-+		type rpm_exec_t;
-+	')
-+
-+	role_transition $1 rpm_exec_t system_r;
-+')
-+
-+########################################
-+## <summary>
 +##	Do not audit attempts to write, and delete the 
 +##	RPM var run files
 +## </summary>
@@ -6393,7 +6378,7 @@
  ##	requiring the caller to use setexeccon().
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-04-24 00:02:59.000000000 -0400
 @@ -15,7 +15,7 @@
  
  role sysadm_r;
@@ -6557,7 +6542,7 @@
  	quota_run(sysadm_t, sysadm_r)
  ')
  
-@@ -320,19 +258,12 @@
+@@ -320,10 +258,6 @@
  ')
  
  optional_policy(`
@@ -6568,17 +6553,18 @@
  	rpc_domtrans_nfsd(sysadm_t)
  ')
  
+@@ -332,10 +266,6 @@
+ ')
+ 
  optional_policy(`
- 	rpm_run(sysadm_t, sysadm_r)
+-	rssh_role(sysadm_r, sysadm_t)
 -')
 -
 -optional_policy(`
--	rssh_role(sysadm_r, sysadm_t)
-+	rpm_role_transition(sysadm_r)
+ 	rsync_exec(sysadm_t)
  ')
  
- optional_policy(`
-@@ -345,10 +276,6 @@
+@@ -345,10 +275,6 @@
  ')
  
  optional_policy(`
@@ -6589,7 +6575,7 @@
  	secadm_role_change(sysadm_r)
  ')
  
-@@ -358,35 +285,15 @@
+@@ -358,35 +284,15 @@
  ')
  
  optional_policy(`
@@ -6625,7 +6611,7 @@
  	tripwire_run_siggen(sysadm_t, sysadm_r)
  	tripwire_run_tripwire(sysadm_t, sysadm_r)
  	tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +301,10 @@
+@@ -394,18 +300,10 @@
  ')
  
  optional_policy(`
@@ -6644,7 +6630,7 @@
  	unconfined_domtrans(sysadm_t)
  ')
  
-@@ -418,20 +317,12 @@
+@@ -418,20 +316,12 @@
  ')
  
  optional_policy(`
@@ -6665,7 +6651,7 @@
  	vpn_run(sysadm_t, sysadm_r)
  ')
  
-@@ -440,13 +331,10 @@
+@@ -440,13 +330,7 @@
  ')
  
  optional_policy(`
@@ -6680,10 +6666,7 @@
  	yam_run(sysadm_t, sysadm_r)
  ')
 +
-+domain_user_exemption_target(sysadm_t)
-+allow sysadm_r system_r;
 +init_script_role_transition(sysadm_r)
-+role system_r types sysadm_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc	2009-04-23 09:44:57.000000000 -0400
@@ -7364,8 +7347,8 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-04-23 09:44:57.000000000 -0400
-@@ -0,0 +1,403 @@
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-04-24 00:00:31.000000000 -0400
+@@ -0,0 +1,400 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -7638,7 +7621,6 @@
 +	rpm_run(unconfined_t, unconfined_r)
 +	# Allow SELinux aware applications to request rpm_script execution
 +	rpm_transition_script(unconfined_t)
-+	rpm_role_transition(unconfined_r)
 +')
 +
 +optional_policy(`
@@ -7767,8 +7749,6 @@
 +')
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2008-11-11 16:13:47.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te	2009-04-23 09:44:57.000000000 -0400
@@ -27924,7 +27904,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.12/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te	2009-04-23 23:08:07.000000000 -0400
 @@ -23,6 +23,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -29523,7 +29503,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-23 23:55:27.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.836
retrieving revision 1.837
diff -u -r1.836 -r1.837
--- selinux-policy.spec	24 Apr 2009 03:14:57 -0000	1.836
+++ selinux-policy.spec	24 Apr 2009 04:09:16 -0000	1.837
@@ -213,8 +213,8 @@
 %if %{BUILD_TARGETED}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-%setupCmds targeted mcs y y allow
-%installCmds targeted mcs y y allow
+%setupCmds targeted mcs n y allow
+%installCmds targeted mcs n y allow
 %endif
 
 %if %{BUILD_MINIMUM}
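Review bot: The positional `y` to `n` flip on `%setupCmds targeted` and `%installCmds targeted` is opaque at the call site, and the comment above it still reads `Commented out because only targeted ref policy currently builds` although both lines are active. The macro definition is outside this hunk, but the next hunk changes `DIRECT_INITRC=y` to `DIRECT_INITRC=n` on the `make ... install-headers` line, so the third argument is presumably DIRECT_INITRC, the reference-policy build option that decides whether init scripts may be run directly instead of through run_init. That is a behaviour change for the targeted policy, yet the changelog entry on this page mentions only readahead permissions. I would replace the stale comment with `# args: name type direct_initrc poly unk_perms` (order to be confirmed against the macro definition) and record the DIRECT_INITRC change in `%changelog`.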
@@ -237,7 +237,7 @@
 %installCmds olpc mcs n y allow
 %endif
 
-make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
+make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/



