rpms/selinux-policy/F-10 policy-20080710.patch, 1.171, 1.172 selinux-policy.spec, 1.799, 1.800

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jun 24 08:43:57 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6728

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
- Dontaudit dhcpc to access sys_ptrace



policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.171
retrieving revision 1.172
diff -u -p -r1.171 -r1.172
--- policy-20080710.patch	11 Jun 2009 11:11:46 -0000	1.171
+++ policy-20080710.patch	24 Jun 2009 08:43:53 -0000	1.172
@@ -20047,7 +20047,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.13/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/mysql.te	2009-03-23 10:41:48.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/mysql.te	2009-06-24 09:54:02.000000000 +0200
 @@ -10,6 +10,10 @@
  type mysqld_exec_t;
  init_daemon_domain(mysqld_t, mysqld_exec_t)
@@ -20093,7 +20093,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  domain_use_interactive_fds(mysqld_t)
  
-@@ -120,3 +129,42 @@
+@@ -120,3 +129,45 @@
  optional_policy(`
  	udev_read_db(mysqld_t)
  ')
@@ -20107,11 +20107,14 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 +allow mysqld_safe_t self:capability { dac_override fowner chown };
 +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
++
++allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
 + 
 +allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
 +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 +
 +mysql_append_db_files(mysqld_safe_t)        
++mysql_manage_db_files(mysqld_safe_t) 
 +mysql_read_config(mysqld_safe_t)
 +mysql_search_pid_files(mysqld_safe_t)
 +mysql_write_log(mysqld_safe_t)
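Review bot: The two added rules for mysqld_safe_t, `allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;` and `mysql_manage_db_files(mysqld_safe_t)`, widen what the wrapper domain may do, but the log message and the %changelog entry mention only the dhcpc dontaudit. `mysql_manage_db_files` presumably covers what `mysql_append_db_files` on the line above already grants (the interface definitions are not visible here), so keeping both leaves the intended access level unclear. If append-only was too narrow, drop the append line and add a comment such as `# mysqld_safe needs <operation> on db files (<bug reference>)`. A changelog line for the mysqld_safe change would also keep the grant traceable when the policy history is audited.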
@@ -36006,7 +36009,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te	2009-03-12 15:06:51.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te	2009-06-24 09:52:07.000000000 +0200
 @@ -20,6 +20,9 @@
  init_daemon_domain(dhcpc_t,dhcpc_exec_t)
  role system_r types dhcpc_t;
@@ -36022,8 +36025,9 @@ diff --exclude-from=exclude -N -u -r nsa
  # DHCP client local policy
  #
 -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+-dontaudit dhcpc_t self:capability sys_tty_config;
 +allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
- dontaudit dhcpc_t self:capability sys_tty_config;
++dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
  # for access("/etc/bashrc", X_OK) on Red Hat
  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 -allow dhcpc_t self:process signal_perms;
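Review bot: The new `dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };` silences the sys_ptrace denial without a comment saying what triggers it, while the next dontaudit rule carries one (`# for access("/etc/bashrc", X_OK) on Red Hat`). The capability stays denied, but these AVC records will no longer appear when someone investigates dhcpc_t, unless the policy is rebuilt with dontaudit rules disabled (e.g. `semodule -DB`, where available). A line such as `# <trigger / bug reference>: dhcpc requests sys_ptrace; denied on purpose, not audited` above the rule would record the reason. sys_tty_config is also in the `allow` rule just above, so listing it in the dontaudit looks redundant, presumably carried over from the upstream rule.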


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.799
retrieving revision 1.800
diff -u -p -r1.799 -r1.800
--- selinux-policy.spec	11 Jun 2009 11:20:23 -0000	1.799
+++ selinux-policy.spec	24 Jun 2009 08:43:56 -0000	1.800
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 64%{?dist}
+Release: 65%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -462,6 +462,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Jun 24 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-65
+- Dontaudit dhcpc to access sys_ptrace
+
 * Thu Jun 11 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-64
 - Allow rpcd to send signals to automount
 



