rpms/selinux-policy/F-10 policy-20080710.patch, 1.171, 1.172 selinux-policy.spec, 1.799, 1.800
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jun 24 08:43:57 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6728
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
- Dontaudit dhcpc to access sys_ptrace
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.171
retrieving revision 1.172
diff -u -p -r1.171 -r1.172
--- policy-20080710.patch 11 Jun 2009 11:11:46 -0000 1.171
+++ policy-20080710.patch 24 Jun 2009 08:43:53 -0000 1.172
@@ -20047,7 +20047,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.13/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/mysql.te 2009-03-23 10:41:48.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/mysql.te 2009-06-24 09:54:02.000000000 +0200
@@ -10,6 +10,10 @@
type mysqld_exec_t;
init_daemon_domain(mysqld_t, mysqld_exec_t)
@@ -20093,7 +20093,7 @@ diff --exclude-from=exclude -N -u -r nsa
domain_use_interactive_fds(mysqld_t)
-@@ -120,3 +129,42 @@
+@@ -120,3 +129,45 @@
optional_policy(`
udev_read_db(mysqld_t)
')
@@ -20107,11 +20107,14 @@ diff --exclude-from=exclude -N -u -r nsa
+
+allow mysqld_safe_t self:capability { dac_override fowner chown };
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
++
++allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
+
+allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+
+mysql_append_db_files(mysqld_safe_t)
++mysql_manage_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
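Review bot: `mysql_manage_db_files(mysqld_safe_t)` is added directly under `mysql_append_db_files(mysqld_safe_t)`, which is kept, so the narrower append grant is now redundant and should be dropped so the wrapper domain's access to database files is stated once. The widening from append to full manage, and the new `allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;` above it, are not mentioned in the commit log or the spec changelog, which only record the dhcpc sys_ptrace dontaudit; list them there or split them into their own commit. A one-line comment naming the operation that needs manage rights would help the next maintainer judge the grant, e.g. `# mysqld_safe needs to <operation seen in the denial> db files`; the triggering denial is not visible here, so fill that in from the report that prompted it.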
@@ -36006,7 +36009,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2009-03-12 15:06:51.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2009-06-24 09:52:07.000000000 +0200
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -36022,8 +36025,9 @@ diff --exclude-from=exclude -N -u -r nsa
# DHCP client local policy
#
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+-dontaudit dhcpc_t self:capability sys_tty_config;
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
- dontaudit dhcpc_t self:capability sys_tty_config;
++dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process signal_perms;
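Review bot: The new `dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };` arrives without a comment, whereas the neighbouring dontaudit two lines below records its trigger (`# for access("/etc/bashrc", X_OK) on Red Hat`); add one in the same style, `# sys_ptrace: <describe the denied access that prompted this>`, so a later reader can tell a benign probe from a real need. Silencing sys_ptrace denials also removes the audit trail for that capability in the dhcp client domain, so the comment should make clear the access is only unlogged, not granted. sys_tty_config already appears in the allow line just above, so its dontaudit looks redundant, though that predates this commit.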
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.799
retrieving revision 1.800
diff -u -p -r1.799 -r1.800
--- selinux-policy.spec 11 Jun 2009 11:20:23 -0000 1.799
+++ selinux-policy.spec 24 Jun 2009 08:43:56 -0000 1.800
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 64%{?dist}
+Release: 65%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -462,6 +462,9 @@ exit 0
%endif
%changelog
+* Wed Jun 24 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-65
+- Dontaudit dhcpc to access sys_ptrace
+
* Thu Jun 11 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-64
- Allow rpcd to send signals to automount