rpms/selinux-policy/F-11 policy-20090105.patch, 1.113, 1.114 selinux-policy.spec, 1.851, 1.852
Daniel J Walsh
dwalsh at fedoraproject.org
Tue May 5 20:48:33 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2458
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Tue May 5 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-29
- Allow svirt to manage pci and other sysfs device data
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.113
retrieving revision 1.114
diff -u -p -r1.113 -r1.114
--- policy-20090105.patch 4 May 2009 18:20:20 -0000 1.113
+++ policy-20090105.patch 5 May 2009 20:48:32 -0000 1.114
@@ -4897,7 +4897,7 @@ diff -b -B --ignore-all-space --exclude-
+corecmd_executable_file(wm_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-30 08:31:43.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-05-05 14:05:47.000000000 -0400
@@ -32,6 +32,8 @@
#
# /etc
@@ -4907,16 +4907,18 @@ diff -b -B --ignore-all-space --exclude-
/etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0)
/etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0)
/etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0)
-@@ -134,6 +136,8 @@
+@@ -134,6 +136,10 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
#
# /usr
#
-@@ -210,6 +214,7 @@
+@@ -210,6 +216,7 @@
/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
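Review bot: The second added line in the corecommands.fc section, `/opt/gutenprint/cups/lib/filter(/.*)?`, appears to repeat the entry already present as the context line directly above the new `/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?` entry, so the resulting .fc would carry the same specification twice. Unless the two lines differ in whitespace that this view does not show, drop the duplicate and adjust the inner `@@ -134,6 +136,10 @@` count and the following offsets to match. A repeated specification with an identical context is unlikely to change labeling, but it adds noise to file-context checks and makes it easy for a later label change to update only one copy.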
@@ -4924,7 +4926,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
-@@ -299,3 +304,20 @@
+@@ -299,3 +306,20 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -5157,7 +5159,7 @@ diff -b -B --ignore-all-space --exclude-
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-03-05 12:28:56.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-04-28 15:25:49.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-05-05 16:42:47.000000000 -0400
@@ -2268,6 +2268,25 @@
########################################
@@ -11482,7 +11484,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-05-05 14:06:36.000000000 -0400
@@ -20,9 +20,18 @@
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
@@ -11660,7 +11662,7 @@ diff -b -B --ignore-all-space --exclude-
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -195,15 +240,16 @@
+@@ -195,19 +240,21 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -11681,7 +11683,12 @@ diff -b -B --ignore-all-space --exclude-
auth_use_nsswitch(cupsd_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-@@ -217,17 +263,21 @@
+ libs_read_lib_files(cupsd_t)
++libs_exec_lib_files(cupsd_t)
+
+ logging_send_audit_msgs(cupsd_t)
+ logging_send_syslog_msg(cupsd_t)
+@@ -217,17 +264,21 @@
miscfiles_read_fonts(cupsd_t)
seutil_read_config(cupsd_t)
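Review bot: The added `libs_exec_lib_files(cupsd_t)` in the cups.te section has no comment naming which program under the library directories cupsd needs to execute, and the 3.6.12-29 changelog entry mentions only svirt. An execute grant on library-labelled files for a daemon domain deserves a stated reason, e.g. `# cupsd runs <helper path>, which is labeled lib_t` (placeholder for the real path), or a narrower label on that helper instead. The same gap applies to `application_executable_file(fetchmail_exec_t)` in the fetchmail.te hunk, `allow userdomain userdomain:process signull;` in the userdomain.te hunk and `dev_search_sysfs(xm_t)` in the xen.te hunk: each widens access without a comment or a changelog line.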
@@ -11706,7 +11713,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -244,8 +294,16 @@
+@@ -244,8 +295,16 @@
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@@ -11723,7 +11730,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -261,6 +319,10 @@
+@@ -261,6 +320,10 @@
')
optional_policy(`
@@ -11734,7 +11741,7 @@ diff -b -B --ignore-all-space --exclude-
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
-@@ -279,7 +341,7 @@
+@@ -279,7 +342,7 @@
# Cups configuration daemon local policy
#
@@ -11743,7 +11750,7 @@ diff -b -B --ignore-all-space --exclude-
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -302,8 +364,10 @@
+@@ -302,8 +365,10 @@
allow cupsd_config_t cupsd_log_t:file rw_file_perms;
@@ -11756,7 +11763,7 @@ diff -b -B --ignore-all-space --exclude-
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
-@@ -311,7 +375,7 @@
+@@ -311,7 +376,7 @@
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
kernel_read_system_state(cupsd_config_t)
@@ -11765,7 +11772,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
-@@ -324,6 +388,7 @@
+@@ -324,6 +389,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -11773,7 +11780,7 @@ diff -b -B --ignore-all-space --exclude-
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -341,13 +406,14 @@
+@@ -341,13 +407,14 @@
files_read_var_symlinks(cupsd_config_t)
# Alternatives asks for this
@@ -11789,7 +11796,7 @@ diff -b -B --ignore-all-space --exclude-
seutil_dontaudit_search_config(cupsd_config_t)
-@@ -359,14 +425,16 @@
+@@ -359,14 +426,16 @@
lpd_read_config(cupsd_config_t)
ifdef(`distro_redhat',`
@@ -11808,7 +11815,7 @@ diff -b -B --ignore-all-space --exclude-
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -382,6 +450,7 @@
+@@ -382,6 +451,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -11816,7 +11823,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -491,7 +560,10 @@
+@@ -491,7 +561,10 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
@@ -11828,7 +11835,7 @@ diff -b -B --ignore-all-space --exclude-
cups_stream_connect(hplip_t)
-@@ -500,6 +572,13 @@
+@@ -500,6 +573,13 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -11842,7 +11849,7 @@ diff -b -B --ignore-all-space --exclude-
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -529,7 +608,8 @@
+@@ -529,7 +609,8 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -11852,7 +11859,7 @@ diff -b -B --ignore-all-space --exclude-
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -553,7 +633,9 @@
+@@ -553,7 +634,9 @@
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -11863,7 +11870,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
dbus_system_bus_client(hplip_t)
-@@ -635,3 +717,49 @@
+@@ -635,3 +718,49 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -13478,6 +13485,17 @@ diff -b -B --ignore-all-space --exclude-
# pid file
manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.12/policy/modules/services/fetchmail.te
+--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/fetchmail.te 2009-05-04 15:58:59.000000000 -0400
+@@ -9,6 +9,7 @@
+ type fetchmail_t;
+ type fetchmail_exec_t;
+ init_daemon_domain(fetchmail_t, fetchmail_exec_t)
++application_executable_file(fetchmail_exec_t)
+
+ type fetchmail_var_run_t;
+ files_pid_file(fetchmail_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.12/policy/modules/services/fprintd.fc
--- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-04-28 15:26:41.000000000 -0400
@@ -24168,8 +24186,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-30 18:07:51.000000000 -0400
-@@ -8,19 +8,24 @@
++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-05 16:45:39.000000000 -0400
+@@ -8,19 +8,31 @@
## <desc>
## <p>
@@ -24190,14 +24208,21 @@ diff -b -B --ignore-all-space --exclude-
-attribute virt_image_type;
+## <desc>
+## <p>
-+## Allow svirt to user serial/parallell communication ports
++## Allow svirt to manage device configuration, (pci)
++## </p>
++## </desc>
++gen_tunable(virt_manage_sysfs, false)
++
++## <desc>
++## <p>
++## Allow svirt to use serial/parallell communication ports
+## </p>
+## </desc>
+gen_tunable(virt_use_comm, false)
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -29,8 +34,13 @@
+@@ -29,8 +41,13 @@
files_type(virt_etc_rw_t)
# virt Image files
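Review bot: The new description for `virt_manage_sysfs`, `Allow svirt to manage device configuration, (pci)`, does not tell an administrator what the boolean actually grants; the rule it gates later in this patch is `dev_rw_sysfs(svirt_t)`. A wording such as `## Allow svirt to read and write sysfs device data (e.g. for PCI devices)` would match the rule. While the neighbouring `virt_use_comm` description is being corrected from `to user` to `to use`, `parallell` could be fixed to `parallel` in the same line.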
@@ -24213,7 +24238,7 @@ diff -b -B --ignore-all-space --exclude-
type virt_log_t;
logging_log_file(virt_log_t)
-@@ -48,17 +58,39 @@
+@@ -48,17 +65,39 @@
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -24255,7 +24280,7 @@ diff -b -B --ignore-all-space --exclude-
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -67,7 +99,11 @@
+@@ -67,7 +106,11 @@
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -24268,7 +24293,7 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,6 +122,7 @@
+@@ -86,6 +129,7 @@
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
kernel_load_module(virtd_t)
@@ -24276,7 +24301,7 @@ diff -b -B --ignore-all-space --exclude-
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -96,7 +133,7 @@
+@@ -96,7 +140,7 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -24285,7 +24310,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
-@@ -104,21 +141,39 @@
+@@ -104,21 +148,39 @@
dev_read_sysfs(virtd_t)
dev_read_rand(virtd_t)
@@ -24326,7 +24351,7 @@ diff -b -B --ignore-all-space --exclude-
term_getattr_pty_fs(virtd_t)
term_use_ptmx(virtd_t)
-@@ -129,6 +184,13 @@
+@@ -129,6 +191,13 @@
logging_send_syslog_msg(virtd_t)
@@ -24340,7 +24365,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_read_all_users_state(virtd_t)
tunable_policy(`virt_use_nfs',`
-@@ -167,22 +229,34 @@
+@@ -167,22 +236,34 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -24363,15 +24388,15 @@ diff -b -B --ignore-all-space --exclude-
+optional_policy(`
+ lvm_domtrans(virtd_t)
+')
-
- optional_policy(`
-- qemu_domtrans(virtd_t)
++
++optional_policy(`
+ polkit_domtrans_auth(virtd_t)
+ polkit_domtrans_resolve(virtd_t)
+ polkit_read_lib(virtd_t)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- qemu_domtrans(virtd_t)
+ qemu_spec_domtrans(virtd_t, svirt_t)
qemu_read_state(virtd_t)
qemu_signal(virtd_t)
@@ -24380,7 +24405,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -195,8 +269,84 @@
+@@ -195,8 +276,88 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -24444,6 +24469,10 @@ diff -b -B --ignore-all-space --exclude-
+ dev_rw_printer(svirt_t)
+')
+
++tunable_policy(`virt_manage_sysfs',`
++ dev_rw_sysfs(svirt_t)
++')
++
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_t)
+ fs_manage_nfs_files(svirt_t)
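Review bot: `virt_manage_sysfs` gates `dev_rw_sysfs(svirt_t)`, which is read/write access to sysfs-labelled files in general rather than to PCI device data only, and a boolean is system-wide, so turning it on for one guest that needs device access turns it on for every process running as svirt_t. Since svirt_t is the domain virtd transitions guests into (`qemu_spec_domtrans(virtd_t, svirt_t)` earlier in this patch), the trade-off is worth stating next to the rule, for example `# Broad: rw on sysfs for every svirt guest; leave off unless device assignment is required`. If a narrower interface or a dedicated label for the needed device files exists, prefer it; the default of `false` declared with the tunable is the right choice either way. The `virt_use_nfs` block that follows continues outside this hunk.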
@@ -32373,7 +32402,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.12/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.te 2009-05-05 08:21:50.000000000 -0400
@@ -8,13 +8,6 @@
## <desc>
@@ -32433,7 +32462,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-@@ -95,3 +91,23 @@
+@@ -95,3 +91,25 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
@@ -32457,6 +32486,8 @@ diff -b -B --ignore-all-space --exclude-
+ fs_read_cifs_named_sockets(userhomereader)
+ fs_read_cifs_named_pipes(userhomereader)
+')
++
++allow userdomain userdomain:process signull;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.12/policy/modules/system/virtual.fc
--- nsaserefpolicy/policy/modules/system/virtual.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/system/virtual.fc 2009-04-23 09:44:57.000000000 -0400
@@ -32783,7 +32814,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-05-05 14:42:25.000000000 -0400
@@ -6,6 +6,13 @@
# Declarations
#
@@ -32970,7 +33001,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_write_xen_state(xenstored_t)
kernel_read_xen_state(xenstored_t)
-@@ -312,18 +358,21 @@
+@@ -312,24 +358,28 @@
manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
@@ -32993,7 +33024,14 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_sendrecv_generic_if(xm_t)
corenet_tcp_sendrecv_generic_node(xm_t)
-@@ -339,15 +388,58 @@
+ corenet_tcp_connect_soundd_port(xm_t)
+
+ dev_read_urand(xm_t)
++dev_search_sysfs(xm_t)
+
+ files_read_etc_runtime_files(xm_t)
+ files_read_usr_files(xm_t)
+@@ -339,15 +389,58 @@
storage_raw_read_fixed_disk(xm_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.851
retrieving revision 1.852
diff -u -p -r1.851 -r1.852
--- selinux-policy.spec 4 May 2009 19:36:29 -0000 1.851
+++ selinux-policy.spec 5 May 2009 20:48:33 -0000 1.852
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 28%{?dist}
+Release: 29%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -477,6 +477,9 @@ exit 0
%endif
%changelog
+* Tue May 5 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-29
+- Allow svirt to manage pci and other sysfs device data
+
* Mon May 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-28
- Fix package selection handling