rpms/selinux-policy/F-11 policy-20090105.patch, 1.121, 1.122 selinux-policy.spec, 1.858, 1.859

Daniel J Walsh dwalsh at fedoraproject.org
Thu May 14 18:54:13 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10630

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Thu May 14 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-37
- Fixes for kpropd


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -p -r1.121 -r1.122
--- policy-20090105.patch	14 May 2009 14:37:28 -0000	1.121
+++ policy-20090105.patch	14 May 2009 18:54:12 -0000	1.122
@@ -1887,7 +1887,7 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.12/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/gnome.if	2009-05-14 10:31:02.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/gnome.if	2009-05-14 11:05:16.000000000 -0400
 @@ -89,5 +89,175 @@
  
  	allow $1 gnome_home_t:dir manage_dir_perms;
@@ -10664,7 +10664,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/consolekit.te	2009-05-14 13:42:00.000000000 -0400
 @@ -13,6 +13,9 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
@@ -13790,8 +13790,8 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-05-12 15:30:13.000000000 -0400
-@@ -0,0 +1,48 @@
++++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-05-14 13:42:21.000000000 -0400
+@@ -0,0 +1,49 @@
 +policy_module(fprintd,1.0.0)
 +
 +########################################
@@ -13806,6 +13806,7 @@ diff -b -B --ignore-all-space --exclude-
 +type fprintd_var_lib_t;
 +files_type(fprintd_var_lib_t)
 +
++allow fprintd_t self:capability sys_ptrace;
 +allow fprintd_t self:fifo_file rw_fifo_file_perms;
 +allow fprintd_t self:process { getsched signal };
 +
@@ -14919,7 +14920,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.12/policy/modules/services/kerberos.fc
 --- nsaserefpolicy/policy/modules/services/kerberos.fc	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc	2009-05-14 08:39:20.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc	2009-05-14 13:29:16.000000000 -0400
 @@ -6,13 +6,14 @@
  /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
  
@@ -14936,6 +14937,34 @@ diff -b -B --ignore-all-space --exclude-
  
  /usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
  /usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+@@ -21,7 +22,7 @@
+ /var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+ /var/kerberos/krb5kdc/kadm5\.keytab --	gen_context(system_u:object_r:krb5_keytab_t,s0)
+ /var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+-/var/kerberos/krb5kdc/principal\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++/var/kerberos/krb5kdc/principal.*\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+ 
+ /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
+ /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te
+--- nsaserefpolicy/policy/modules/services/kerberos.te	2009-03-23 13:47:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/kerberos.te	2009-05-14 13:28:31.000000000 -0400
+@@ -33,6 +33,7 @@
+ type kpropd_t;
+ type kpropd_exec_t;
+ init_daemon_domain(kpropd_t, kpropd_exec_t)
++domain_obj_id_change_exemption(kpropd_t)
+ 
+ type krb5_conf_t;
+ files_type(krb5_conf_t)
+@@ -281,6 +282,7 @@
+ 
+ allow kpropd_t krb5_keytab_t:file read_file_perms;
+ 
++manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
+ manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+ 
+ corecmd_exec_bin(kpropd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if
 --- nsaserefpolicy/policy/modules/services/kerneloops.if	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/kerneloops.if	2009-05-12 15:30:13.000000000 -0400
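Review bot: `domain_obj_id_change_exemption(kpropd_t)` in the kerberos.te part of this hunk lifts the constraint that stops kpropd_t from creating objects with a different SELinux user identity, and nothing records why a database-propagation daemon needs that. A comment above the call stating which file carries the foreign identity (presumably the received principal database or its `.ok` file, given the matching `manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)` and the new `principal.*\.ok` context — confirm) would make the exemption auditable. The kerberos.fc change also relies on last-match-wins ordering so that `principal.*\.ok` overrides the broader `principal.*` entry two lines above it; that ordering dependency deserves a short comment next to the entry.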
@@ -23298,7 +23327,7 @@ diff -b -B --ignore-all-space --exclude-
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-05-14 14:05:37.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -23474,7 +23503,15 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	optional_policy(`
-@@ -454,6 +455,24 @@
+@@ -345,6 +346,7 @@
+ 	allow ssh_t $3:unix_stream_socket connectto;
+ 
+ 	# user can manage the keys and config
++	userdom_search_user_home_dirs($1_t)
+ 	manage_files_pattern($3, home_ssh_t, home_ssh_t)
+ 	manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t)
+ 	manage_sock_files_pattern($3, home_ssh_t, home_ssh_t)
+@@ -454,6 +456,24 @@
  
  ########################################
  ## <summary>
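Review bot: The added `userdom_search_user_home_dirs($1_t)` in the ssh.if hunk builds the domain name from the role prefix, while the neighbouring rules (`manage_files_pattern($3, home_ssh_t, home_ssh_t)` and its siblings) use the `$3` domain argument. If a caller ever passes a domain that is not literally `$1_t`, the search permission lands on a different type or the module fails to build. Suggest `userdom_search_user_home_dirs($3)` for consistency with the rest of the template; the enclosing interface definition starts and ends outside this hunk.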
@@ -23499,7 +23536,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read a ssh server unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -469,6 +488,23 @@
+@@ -469,6 +489,23 @@
  
  	allow $1 sshd_t:fifo_file { getattr read };
  ')
@@ -23523,7 +23560,7 @@ diff -b -B --ignore-all-space --exclude-
  
  ########################################
  ## <summary>
-@@ -611,3 +647,42 @@
+@@ -611,3 +648,42 @@
  
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')
@@ -24533,7 +24570,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-05-14 13:40:26.000000000 -0400
 @@ -8,19 +8,31 @@
  
  ## <desc>
@@ -24700,7 +24737,7 @@ diff -b -B --ignore-all-space --exclude-
  term_getattr_pty_fs(virtd_t)
  term_use_ptmx(virtd_t)
  
-@@ -129,6 +192,13 @@
+@@ -129,7 +192,15 @@
  
  logging_send_syslog_msg(virtd_t)
  
@@ -24710,11 +24747,13 @@ diff -b -B --ignore-all-space --exclude-
 +
 +userdom_dontaudit_list_admin_dir(virtd_t)
 +userdom_getattr_all_users(virtd_t)
-+userdom_search_user_home_content(virtd_t)
++userdom_list_user_home_content(virtd_t)
  userdom_read_all_users_state(virtd_t)
++userdom_read_user_home_content_files(virtd_t)
  
  tunable_policy(`virt_use_nfs',`
-@@ -167,22 +237,34 @@
+ 	fs_manage_nfs_dirs(virtd_t)
+@@ -167,22 +238,34 @@
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
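Review bot: `userdom_read_user_home_content_files(virtd_t)` in this virt.te hunk is an unconditional grant to read every file under every user's home directory, and it sits right next to NFS access that is gated behind `tunable_policy(\`virt_use_nfs',`. Whether libvirt should see home content is a deployment choice of the same kind, so a comment recording the use case (VM images kept under a user's home is my guess — confirm) would help, and a tunable shaped like the NFS one may be the better fit. The virtd_t rule block continues outside the hunk.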
@@ -24737,15 +24776,15 @@ diff -b -B --ignore-all-space --exclude-
 +optional_policy(`
 +	lvm_domtrans(virtd_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	qemu_domtrans(virtd_t)
 +	polkit_domtrans_auth(virtd_t)
 +	polkit_domtrans_resolve(virtd_t)
 +	polkit_read_lib(virtd_t)
 +')
- 
- optional_policy(`
--	qemu_domtrans(virtd_t)
++
++optional_policy(`
 +	qemu_spec_domtrans(virtd_t, svirt_t)
  	qemu_read_state(virtd_t)
  	qemu_signal(virtd_t)
@@ -24754,7 +24793,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -195,8 +277,88 @@
+@@ -195,8 +278,89 @@
  
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
@@ -24763,11 +24802,11 @@ diff -b -B --ignore-all-space --exclude-
 +
 +optional_policy(`
 +	udev_domtrans(virtd_t)
-+')
-+
-+#optional_policy(`
-+#	unconfined_domain(virtd_t)
-+#')
+ ')
+ 
+ optional_policy(`
+ 	unconfined_domain(virtd_t)
+ ')
 +
 +manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 +manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
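Review bot: The new side of this hunk keeps upstream's `optional_policy(\` unconfined_domain(virtd_t) ')` block as untouched context, whereas revision 1.121 had it commented out, so this commit silently restores virtd_t as an unconfined domain; the same reversal appears in the hunk at `@@ -24838,12 +24877,12 @@`, where the `-	unconfined_domain(virtd_t)` removal is dropped. Neither the log message ("Fixes for kpropd") nor the spec changelog mentions it, and while the unconfined module is loaded the userdom and polkit rules added elsewhere in virt.te have no confining effect. If the reversal is intended, a changelog line and a comment above the block (e.g. `# virtd_t stays unconfined until <blocker - fill in> is resolved`) should record it.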
@@ -24838,12 +24877,12 @@ diff -b -B --ignore-all-space --exclude-
 +
 +optional_policy(`
 +	xen_rw_image_files(svirt_t)
- ')
- 
- optional_policy(`
--	unconfined_domain(virtd_t)
++')
++
++optional_policy(`
 +	xen_rw_image_files(svirt_t)
- ')
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.12/policy/modules/services/w3c.te
 --- nsaserefpolicy/policy/modules/services/w3c.te	2008-08-25 09:12:31.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/w3c.te	2009-05-12 15:30:13.000000000 -0400
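Review bot: On the new side of this hunk `xen_rw_image_files(svirt_t)` is emitted twice, in two consecutive `optional_policy(` blocks (the retained `+	xen_rw_image_files(svirt_t)` line and the newly added one below it); the second block is a verbatim duplicate and can be dropped. Both blocks depend on the same xen module and take the same `svirt_t` argument, so nothing distinguishes them.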
@@ -30862,7 +30901,7 @@ diff -b -B --ignore-all-space --exclude-
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-05-14 13:40:08.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -32245,40 +32284,47 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2814,12 +3012,12 @@
- 		type user_tmp_t;
+@@ -2682,16 +2880,17 @@
+ #
+ interface(`userdom_search_user_home_content',`
+ 	gen_require(`
+-		type user_home_dir_t, user_home_t;
++		type user_home_dir_t;
++		attribute user_home_type;
  	')
  
--	allow $1 user_tmp_t:file write_file_perms;
-+	write_files_pattern($1, user_tmp_t, user_tmp_t)
+ 	files_list_home($1)
+-	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
++	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to use user ttys.
-+##	Delete all users files in /tmp
+-##	Send general signals to unprivileged user domains.
++##	List users home directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2827,17 +3025,35 @@
+@@ -2699,12 +2898,32 @@
  ##	</summary>
  ## </param>
  #
--interface(`userdom_dontaudit_use_user_ttys',`
-+interface(`userdom_delete_user_tmp_files',`
+-interface(`userdom_signal_unpriv_users',`
++interface(`userdom_list_user_home_content',`
  	gen_require(`
--		type user_tty_device_t;
-+		type user_tmp_t;
+-		attribute unpriv_userdomain;
++		type user_home_dir_t;
++		attribute user_home_type;
  	')
  
--	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+	allow $1 user_tmp_t:file delete_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read the process state of all user domains.
-+##	Do not audit attempts to use user ttys.
+-	allow $1 unpriv_userdomain:process signal;
++	files_list_home($1)
++	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
++')
++
++########################################
++## <summary>
++##	Send general signals to unprivileged user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
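Review bot: The new `userdom_list_user_home_content` interface in this userdomain.if hunk is summarised as "List users home directories." but its body grants `list_dir_perms` on `{ user_home_dir_t user_home_type }`, i.e. on every directory type carrying the user_home_type attribute, not only the home directory itself; suggest `##	List users home directories and the directories of their home content.` so callers are not misled about the scope. The same hunk widens `userdom_search_user_home_content` from `type user_home_t` to `attribute user_home_type`, which expands what every existing caller may search and is worth a note in the changelog. The moved `userdom_signal_unpriv_users` definition continues in the next hunk.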
@@ -32286,21 +32332,43 @@ diff -b -B --ignore-all-space --exclude-
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_signal_unpriv_users',`
 +	gen_require(`
-+		type user_tty_device_t;
++		attribute unpriv_userdomain;
 +	')
 +
-+	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++	allow $1 unpriv_userdomain:process signal;
+ ')
+ 
+ ########################################
+@@ -2814,7 +3033,25 @@
+ 		type user_tmp_t;
+ 	')
+ 
+-	allow $1 user_tmp_t:file write_file_perms;
++	write_files_pattern($1, user_tmp_t, user_tmp_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read the process state of all user domains.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2851,6 +3067,7 @@
++##	Delete all users files in /tmp
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_user_tmp_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:file delete_file_perms;
+ ')
+ 
+ ########################################
+@@ -2851,6 +3088,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -32308,7 +32376,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_search_proc($1)
  ')
  
-@@ -2981,3 +3198,481 @@
+@@ -2981,3 +3219,481 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -33208,7 +33276,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/xen.te	2009-05-14 08:26:03.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/xen.te	2009-05-14 14:07:29.000000000 -0400
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -33433,7 +33501,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_runtime_files(xm_t)
  files_read_usr_files(xm_t)
-@@ -339,15 +390,64 @@
+@@ -339,15 +390,67 @@
  
  storage_raw_read_fixed_disk(xm_t)
  
@@ -33464,6 +33532,9 @@ diff -b -B --ignore-all-space --exclude-
 +# SSH component local policy
 +#
 +ssh_basic_client_template(xm,xm_t,system_r)
++kernel_read_xen_state(xm_ssh_t)
++kernel_write_xen_state(xm_ssh_t)
++
 +
 +#Should have a boolean wrapping these
 +fs_list_auto_mountpoints(xend_t)
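Review bot: `kernel_write_xen_state(xm_ssh_t)` in this xen.te hunk gives the ssh client domain derived from xm write access to Xen hypervisor state, which is presumably broader than a client relaying a connection needs; a comment naming the xm operation that produced the denial (e.g. `# xm_ssh_t: needed for <operation - fill in>`) would let reviewers judge whether `kernel_read_xen_state(xm_ssh_t)` alone suffices. The hunk also leaves two consecutive blank lines after the new rules (the `++` line followed by the existing ` +` blank), which the surrounding file does not do. The xm policy block continues outside this hunk.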


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.858
retrieving revision 1.859
diff -u -p -r1.858 -r1.859
--- selinux-policy.spec	14 May 2009 14:37:29 -0000	1.858
+++ selinux-policy.spec	14 May 2009 18:54:12 -0000	1.859
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 36%{?dist}
+Release: 37%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,9 @@ exit 0
 %endif
 
 %changelog
+* Thu May 14 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-37
+- Fixes for kpropd
+
 * Tue May 12 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-36
 - Allow brctl to r/w tun_tap_device_t
 



