rpms/selinux-policy/F-11 policy-20090105.patch, 1.101, 1.102 selinux-policy.spec, 1.836, 1.837
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Apr 24 04:09:16 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14992
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Thu Apr 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-15
- Additional perms for readahead
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -r1.101 -r1.102
--- policy-20090105.patch 24 Apr 2009 03:14:57 -0000 1.101
+++ policy-20090105.patch 24 Apr 2009 04:09:16 -0000 1.102
@@ -850,8 +850,20 @@
ifdef(`distro_suse', `
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-04-23 09:44:57.000000000 -0400
-@@ -146,6 +146,24 @@
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-04-23 23:59:46.000000000 -0400
+@@ -66,6 +66,11 @@
+ rpm_domtrans($1)
+ role $2 types rpm_t;
+ role $2 types rpm_script_t;
++
++ domain_system_change_exemption($1)
++ role_transition $2 rpm_exec_t system_r;
++ allow $2 system_r;
++
+ seutil_run_loadpolicy(rpm_script_t, $2)
+ seutil_run_semanage(rpm_script_t, $2)
+ seutil_run_setfiles(rpm_script_t, $2)
+@@ -146,6 +151,24 @@
########################################
## <summary>
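Review bot: The lines added after `role $2 types rpm_script_t;` hand every caller of this interface `domain_system_change_exemption($1)`, a `role_transition $2 rpm_exec_t system_r;` and `allow $2 system_r;`, whereas revision 1.101 made the role change an explicit opt-in through the separate `rpm_role_transition` interface that this diff deletes further down. The interface header lies outside the hunk (presumably this is `rpm_run`), so its `gen_require` block is not visible; please confirm it declares `type rpm_exec_t;` and `role system_r;`. Consider keeping the move into system_r behind its own interface, so that a confined role which is only meant to run rpm does not silently gain a path into system_r. At minimum the interface's `<desc>` should state the new grant, for example `## Also allows the role to change to system_r when executing rpm.`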
@@ -876,7 +888,7 @@
## Send and receive messages from
## rpm over dbus.
## </summary>
-@@ -167,6 +185,48 @@
+@@ -167,6 +190,48 @@
########################################
## <summary>
@@ -925,7 +937,7 @@
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
-@@ -186,6 +246,24 @@
+@@ -186,6 +251,24 @@
########################################
## <summary>
@@ -950,7 +962,7 @@
## Inherit and use file descriptors from RPM scripts.
## </summary>
## <param name="domain">
-@@ -204,6 +282,24 @@
+@@ -204,6 +287,24 @@
########################################
## <summary>
@@ -975,7 +987,7 @@
## Create, read, write, and delete RPM
## script temporary files.
## </summary>
-@@ -219,7 +315,29 @@
+@@ -219,7 +320,29 @@
')
files_search_tmp($1)
@@ -1005,7 +1017,7 @@
')
########################################
-@@ -245,6 +363,24 @@
+@@ -245,6 +368,24 @@
########################################
## <summary>
@@ -1030,7 +1042,7 @@
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
-@@ -283,3 +419,175 @@
+@@ -283,3 +424,148 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -1144,33 +1156,6 @@
+
+########################################
+## <summary>
-+## Transition to system_r when execute an rpm script
-+## </summary>
-+## <desc>
-+## <p>
-+## Execute rpm script in a specified role
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## </desc>
-+## <param name="source_role">
-+## <summary>
-+## Role to transition from.
-+## </summary>
-+## </param>
-+interface(`rpm_role_transition',`
-+ gen_require(`
-+ type rpm_exec_t;
-+ ')
-+
-+ role_transition $1 rpm_exec_t system_r;
-+')
-+
-+########################################
-+## <summary>
+## Do not audit attempts to write, and delete the
+## RPM var run files
+## </summary>
@@ -6393,7 +6378,7 @@
## requiring the caller to use setexeccon().
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-24 00:02:59.000000000 -0400
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -6557,7 +6542,7 @@
quota_run(sysadm_t, sysadm_r)
')
-@@ -320,19 +258,12 @@
+@@ -320,10 +258,6 @@
')
optional_policy(`
@@ -6568,17 +6553,18 @@
rpc_domtrans_nfsd(sysadm_t)
')
+@@ -332,10 +266,6 @@
+ ')
+
optional_policy(`
- rpm_run(sysadm_t, sysadm_r)
+- rssh_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
-- rssh_role(sysadm_r, sysadm_t)
-+ rpm_role_transition(sysadm_r)
+ rsync_exec(sysadm_t)
')
- optional_policy(`
-@@ -345,10 +276,6 @@
+@@ -345,10 +275,6 @@
')
optional_policy(`
@@ -6589,7 +6575,7 @@
secadm_role_change(sysadm_r)
')
-@@ -358,35 +285,15 @@
+@@ -358,35 +284,15 @@
')
optional_policy(`
@@ -6625,7 +6611,7 @@
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +301,10 @@
+@@ -394,18 +300,10 @@
')
optional_policy(`
@@ -6644,7 +6630,7 @@
unconfined_domtrans(sysadm_t)
')
-@@ -418,20 +317,12 @@
+@@ -418,20 +316,12 @@
')
optional_policy(`
@@ -6665,7 +6651,7 @@
vpn_run(sysadm_t, sysadm_r)
')
-@@ -440,13 +331,10 @@
+@@ -440,13 +330,7 @@
')
optional_policy(`
@@ -6680,10 +6666,7 @@
yam_run(sysadm_t, sysadm_r)
')
+
-+domain_user_exemption_target(sysadm_t)
-+allow sysadm_r system_r;
+init_script_role_transition(sysadm_r)
-+role system_r types sysadm_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-23 09:44:57.000000000 -0400
@@ -7364,8 +7347,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-23 09:44:57.000000000 -0400
-@@ -0,0 +1,403 @@
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-24 00:00:31.000000000 -0400
+@@ -0,0 +1,400 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -7638,7 +7621,6 @@
+ rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
-+ rpm_role_transition(unconfined_r)
+')
+
+optional_policy(`
@@ -7767,8 +7749,6 @@
+')
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+
-+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te 2009-04-23 09:44:57.000000000 -0400
@@ -27924,7 +27904,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.12/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te 2009-04-23 23:08:07.000000000 -0400
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -29523,7 +29503,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-23 23:55:27.000000000 -0400
@@ -30,8 +30,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.836
retrieving revision 1.837
diff -u -r1.836 -r1.837
--- selinux-policy.spec 24 Apr 2009 03:14:57 -0000 1.836
+++ selinux-policy.spec 24 Apr 2009 04:09:16 -0000 1.837
@@ -213,8 +213,8 @@
%if %{BUILD_TARGETED}
# Build targeted policy
# Commented out because only targeted ref policy currently builds
-%setupCmds targeted mcs y y allow
-%installCmds targeted mcs y y allow
+%setupCmds targeted mcs n y allow
+%installCmds targeted mcs n y allow
%endif
%if %{BUILD_MINIMUM}
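Review bot: The switch of the third `%setupCmds`/`%installCmds` argument from `y` to `n` for the targeted build is not covered by the changelog entry, which only says "Additional perms for readahead". Judging by the `make` line in the next hunk, where `DIRECT_INITRC=y` becomes `DIRECT_INITRC=n`, this argument is the direct-initrc switch, so the commit changes how the shipped targeted policy is built rather than just adding permissions. That deserves its own changelog line, for example `- Build targeted policy with DIRECT_INITRC=n`. The comment `# Commented out because only targeted ref policy currently builds` sits above two lines that are not commented out and should be corrected or dropped.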
@@ -237,7 +237,7 @@
%installCmds olpc mcs n y allow
%endif
-make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
+make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/