rpms/selinux-policy/F-11 policy-20090105.patch, 1.110, 1.111 selinux-policy.spec, 1.847, 1.848
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Apr 30 11:51:06 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7145
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Wed Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-25
- Additional rules for fprintd and sssd
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.110
retrieving revision 1.111
diff -u -p -r1.110 -r1.111
--- policy-20090105.patch 28 Apr 2009 20:09:25 -0000 1.110
+++ policy-20090105.patch 30 Apr 2009 11:51:03 -0000 1.111
@@ -1833,9 +1833,10 @@ diff -b -B --ignore-all-space --exclude-
+permissive cpufreqselector_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.12/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/gnome.fc 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/gnome.fc 2009-04-30 07:42:25.000000000 -0400
@@ -1,8 +1,16 @@
- HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
++HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
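Review bot: The new pattern `HOME_DIR/\.config(/.*)?` labels the entire ~/.config tree gnome_home_t, where the line it replaces covered only the gtk-* subdirectories, so every domain that is granted gnome_home_t access now reaches the private configuration of every application that keeps state under ~/.config, not just GNOME's. If the goal is only to stop mislabelled gtk/gnome files, a narrower pattern or a dedicated type for the rest of ~/.config would keep that exposure from growing. Either way the widening is invisible from the changelog entry and deserves a line there.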
@@ -5234,7 +5235,7 @@ diff -b -B --ignore-all-space --exclude-
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-27 11:30:40.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-29 10:47:24.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -5305,7 +5306,7 @@ diff -b -B --ignore-all-space --exclude-
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
-@@ -153,3 +172,46 @@
+@@ -153,3 +172,50 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5338,6 +5339,10 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+optional_policy(`
++ ssh_rw_pipes(domain)
++')
++
++optional_policy(`
+ unconfined_dontaudit_rw_pipes(domain)
+ unconfined_sigchld(domain)
+')
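Review bot: `ssh_rw_pipes(domain)` grants every domain in the policy read/write on sshd_t fifo_files, an allow rule on the universal attribute, whereas the neighbouring `unconfined_dontaudit_rw_pipes(domain)` only silences the equivalent denials. If the purpose is to stop log noise from processes that inherit sshd's pipe, a dontaudit-style interface on `domain` would match that pattern without extending access; if real writes are needed, the rule belongs on the specific domains that inherit the descriptor. The interface itself is introduced in this commit's ssh.if hunk and nothing there documents it as intended for the whole `domain` attribute.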
@@ -8336,7 +8341,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.12/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/apache.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/apache.if 2009-04-29 14:18:52.000000000 -0400
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -8558,7 +8563,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -227,10 +170,6 @@
+@@ -227,15 +170,13 @@
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
@@ -8569,7 +8574,14 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -504,6 +443,47 @@
+ nscd_socket_use(httpd_$1_script_t)
+ ')
++
++ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
+ ')
+
+ ########################################
+@@ -504,6 +445,47 @@
########################################
## <summary>
## Allow the specified domain to read
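Review bot: The added `dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };` carries no comment, and because it sits at template scope it silences these denials for every content script domain the template instantiates; a dontaudit on the web server's connection socket is exactly what a later reader will want justified rather than guessed at. A one-line comment such as `# scripts presumably inherit httpd_t's client tcp_socket; silence rather than allow` (adjusted to the real cause) would do. The enclosing apache_content_template begins outside this hunk.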
@@ -8617,7 +8629,7 @@ diff -b -B --ignore-all-space --exclude-
## apache configuration files.
## </summary>
## <param name="domain">
-@@ -579,7 +559,7 @@
+@@ -579,7 +561,7 @@
## </param>
## <param name="role">
## <summary>
@@ -8626,7 +8638,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## </param>
## <rolecap/>
-@@ -715,6 +695,7 @@
+@@ -715,6 +697,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -8634,7 +8646,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -782,6 +763,32 @@
+@@ -782,6 +765,32 @@
########################################
## <summary>
@@ -8667,7 +8679,7 @@ diff -b -B --ignore-all-space --exclude-
## Execute all web scripts in the system
## script domain.
## </summary>
-@@ -791,16 +798,18 @@
+@@ -791,16 +800,18 @@
## </summary>
## </param>
#
@@ -8690,7 +8702,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -859,6 +868,8 @@
+@@ -859,6 +870,8 @@
## </summary>
## </param>
#
@@ -8699,7 +8711,7 @@ diff -b -B --ignore-all-space --exclude-
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
-@@ -884,7 +895,7 @@
+@@ -884,7 +897,7 @@
type httpd_squirrelmail_t;
')
@@ -8708,7 +8720,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1040,3 +1051,160 @@
+@@ -1040,3 +1053,160 @@
allow httpd_t $1:process signal;
')
@@ -10360,7 +10372,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-29 13:51:27.000000000 -0400
@@ -13,6 +13,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -10400,7 +10412,7 @@ diff -b -B --ignore-all-space --exclude-
# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
-@@ -47,13 +57,35 @@
+@@ -47,13 +57,36 @@
auth_use_nsswitch(consolekit_t)
@@ -10409,6 +10421,7 @@ diff -b -B --ignore-all-space --exclude-
+init_chat(consolekit_t)
+
+logging_send_syslog_msg(consolekit_t)
++logging_send_audit_msgs(consolekit_t)
+
miscfiles_read_localization(consolekit_t)
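Review bot: `logging_send_audit_msgs(consolekit_t)` is added without a comment; in refpolicy that interface grants the audit_write capability and netlink_audit_socket use, so this lets the daemon append records to the audit trail, which is worth stating for anyone later reviewing who may write audit events. Suggested: `# consolekit writes session records to the audit log`, worded to match whatever denial prompted the rule.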
@@ -10438,7 +10451,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
unconfined_dbus_chat(consolekit_t)
-@@ -61,6 +93,32 @@
+@@ -61,6 +94,32 @@
')
optional_policy(`
@@ -11834,7 +11847,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.12/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/cvs.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cvs.te 2009-04-29 12:56:25.000000000 -0400
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -13431,8 +13444,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-28 16:07:25.000000000 -0400
-@@ -0,0 +1,36 @@
++++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-29 10:10:42.000000000 -0400
+@@ -0,0 +1,41 @@
+policy_module(fprintd,1.0.0)
+
+########################################
@@ -13463,8 +13476,13 @@ diff -b -B --ignore-all-space --exclude-
+userdom_read_all_users_state(fprintd_t)
+
+optional_policy(`
++ consolekit_dbus_chat(fprintd_t)
++')
++
++optional_policy(`
+ polkit_read_reload(fprintd_t)
+ polkit_read_lib(fprintd_t)
++ polkit_domtrans_auth(fprintd_t)
+')
+
+permissive fprintd_t;
@@ -14533,6 +14551,19 @@ diff -b -B --ignore-all-space --exclude-
+permissive ifplugd_t;
+
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.6.12/policy/modules/services/inetd.if
+--- nsaserefpolicy/policy/modules/services/inetd.if 2008-09-03 07:59:15.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/inetd.if 2009-04-29 14:44:12.000000000 -0400
+@@ -36,8 +36,7 @@
+ role system_r types $1;
+
+ domtrans_pattern(inetd_t, $2, $1)
+-
+- allow inetd_t $1:process sigkill;
++ allow inetd_t $1:process { siginh sigkill };
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if
--- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.if 2009-04-23 09:44:57.000000000 -0400
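Review bot: The new `allow inetd_t $1:process { siginh sigkill };` (and the two matching `allow initrc_t $1:process siginh;` additions in the init.if hunk further down) relax the signal-state reset that SELinux applies on a domain transition when siginh is not permitted, and none of the three sites says which service needed its parent's pending or blocked signal state to survive the transition. A short comment at each site, for example `# let spawned services inherit the parent's signal state across the transition`, would record that, and it is worth confirming the inherited state is actually wanted rather than a denial being cleared by allowing it. The enclosing inetd.if interface starts outside this hunk; only its tail is visible here.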
@@ -14959,8 +14990,8 @@ diff -b -B --ignore-all-space --exclude-
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 11:46:55.000000000 -0400
-@@ -1,6 +1,9 @@
++++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-29 10:14:21.000000000 -0400
+@@ -1,6 +1,10 @@
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
@@ -14969,6 +15000,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/run/milter.* -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
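Review bot: `/var/run/milter.* -- gen_context(system_u:object_r:spamass_milter_data_t,s0)` is a prefix wildcard that will also catch runtime files of any other milter whose name begins with "milter", labelling them as spamass-milter data and sharing that type across unrelated daemons. If a specific socket or pid file is the target, anchor it (constructed example: `/var/run/milter\.sock -- gen_context(system_u:object_r:spamass_milter_data_t,s0)`) or give it the owning milter's type. The unchanged neighbouring line `/var/lib/miltermilter.*` also looks like a typo for a `/var/lib/milter` path and is worth confirming while in this file.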
@@ -20441,6 +20473,36 @@ diff -b -B --ignore-all-space --exclude-
auth_login_pgm_domain(rshd_t)
auth_write_login_records(rshd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
+--- nsaserefpolicy/policy/modules/services/rsync.te 2009-03-23 13:47:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-04-29 13:19:21.000000000 -0400
+@@ -8,6 +8,13 @@
+
+ ## <desc>
+ ## <p>
++## Allow rsync to run as a client
++## </p>
++## </desc>
++gen_tunable(rsync_client, false)
++
++## <desc>
++## <p>
+ ## Allow rsync to export any files/directories read only.
+ ## </p>
+ ## </desc>
+@@ -124,4 +131,12 @@
+ auth_read_all_symlinks_except_shadow(rsync_t)
+ auth_tunable_read_shadow(rsync_t)
+ ')
++
++tunable_policy(`rsync_client',`
++ corenet_tcp_connect_rsync_port(rsync_t)
++ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
++ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
++ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
++')
++
+ auth_can_read_shadow_passwords(rsync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.12/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/samba.fc 2009-04-23 09:44:57.000000000 -0400
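Review bot: The `<desc>` for the new `rsync_client` tunable says only "Allow rsync to run as a client", but the tunable_policy block below also grants rsync_t manage (create, write, unlink) on rsync_data_t directories, files and symlinks, a materially different exposure from the default read-only export that should be visible to whoever toggles the boolean. Suggested description line: `## Allow rsync to run as a client: connect to the rsync port and manage (write) rsync_data_t content`. The gen_tunable declaration and the tunable_policy block are both in this hunk, so they can be adjusted together.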
@@ -21363,7 +21425,16 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-29 13:03:31.000000000 -0400
+@@ -89,7 +89,7 @@
+ type sendmail_t;
+ ')
+
+- allow $1 sendmail_t:unix_stream_socket { read write };
++ allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+ ')
+
+ ########################################
@@ -149,3 +149,92 @@
logging_log_filetrans($1, sendmail_log_t, file)
@@ -22406,7 +22477,7 @@ diff -b -B --ignore-all-space --exclude-
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-29 10:46:37.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -22607,7 +22678,31 @@ diff -b -B --ignore-all-space --exclude-
## Read a ssh server unnamed pipe.
## </summary>
## <param name="domain">
-@@ -611,3 +630,42 @@
+@@ -469,6 +488,23 @@
+
+ allow $1 sshd_t:fifo_file { getattr read };
+ ')
++########################################
++## <summary>
++## Read/write a ssh server unnamed pipe.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_rw_pipes',`
++ gen_require(`
++ type sshd_t;
++ ')
++
++ allow $1 sshd_t:fifo_file { write read getattr ioctl };
++')
+
+ ########################################
+ ## <summary>
+@@ -611,3 +647,42 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
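Review bot: The new `ssh_rw_pipes` interface is glued to the `')` closing the previous interface with no blank line before its `########` banner, unlike every other interface boundary in this file, and its permission set `{ write read getattr ioctl }` is in an unconventional order compared with the `{ getattr read write ioctl }` used in this commit's sendmail.if hunk. Adding the blank line and writing `allow $1 sshd_t:fifo_file { getattr read write ioctl };` would match the surrounding style. The summary could also make clear that this is an allow rather than a dontaudit, since the same commit applies it to the whole `domain` attribute.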
@@ -23085,8 +23180,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-28 15:43:36.000000000 -0400
-@@ -0,0 +1,72 @@
++++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-29 10:01:55.000000000 -0400
+@@ -0,0 +1,74 @@
+policy_module(sssd,1.0.0)
+
+########################################
@@ -23150,6 +23245,8 @@ diff -b -B --ignore-all-space --exclude-
+auth_domtrans_chk_passwd(sssd_t)
+auth_domtrans_upd_passwd(sssd_t)
+
++init_read_utmp(sssd_t)
++
+logging_send_syslog_msg(sssd_t)
+logging_send_audit_msgs(sssd_t)
+
@@ -25930,8 +26027,24 @@ diff -b -B --ignore-all-space --exclude-
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-23 09:44:57.000000000 -0400
-@@ -280,6 +280,36 @@
++++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-29 14:42:44.000000000 -0400
+@@ -174,6 +174,7 @@
+ role system_r types $1;
+
+ domtrans_pattern(initrc_t,$2,$1)
++ allow initrc_t $1:process siginh;
+
+ # daemons started from init will
+ # inherit fds from init for the console
+@@ -272,6 +273,7 @@
+ role system_r types $1;
+
+ domtrans_pattern(initrc_t,$2,$1)
++ allow initrc_t $1:process siginh;
+
+ ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+@@ -280,6 +282,36 @@
kernel_dontaudit_use_fds($1)
')
')
@@ -25968,7 +26081,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -546,7 +576,7 @@
+@@ -546,7 +578,7 @@
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
@@ -25977,7 +26090,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -619,18 +649,19 @@
+@@ -619,18 +651,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -26001,7 +26114,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -646,23 +677,43 @@
+@@ -646,19 +679,39 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -26022,11 +26135,11 @@ diff -b -B --ignore-all-space --exclude-
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
++ ')
++')
++
++########################################
++## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
@@ -26039,17 +26152,13 @@ diff -b -B --ignore-all-space --exclude-
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
-+ ')
+ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ## Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
-@@ -1291,6 +1342,25 @@
+ ')
+
+ ########################################
+@@ -1291,6 +1344,25 @@
########################################
## <summary>
@@ -26075,7 +26184,7 @@ diff -b -B --ignore-all-space --exclude-
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1521,3 +1591,51 @@
+@@ -1521,3 +1593,51 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.847
retrieving revision 1.848
diff -u -p -r1.847 -r1.848
--- selinux-policy.spec 28 Apr 2009 20:09:26 -0000 1.847
+++ selinux-policy.spec 30 Apr 2009 11:51:04 -0000 1.848
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 24%{?dist}
+Release: 25%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -480,6 +480,9 @@ exit 0
%endif
%changelog
+* Wed Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-25
+- Additional rules for fprintd and sssd
+
* Tue Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-24
- Allow nsplugin to unix_read unix_write sem for unconfined_java