rpms/selinux-policy/devel modules-targeted.conf, 1.128, 1.129 policy-20090105.patch, 1.120, 1.121 selinux-policy.spec, 1.855, 1.856
Daniel J Walsh
dwalsh at fedoraproject.org
Wed May 20 17:28:55 UTC 2009
- Previous message (by thread): rpms/selinux-policy/F-11 booleans-targeted.conf, 1.48, 1.49 modules-targeted.conf, 1.127, 1.128 policy-20090105.patch, 1.126, 1.127 selinux-policy.spec, 1.860, 1.861
- Next message (by thread): rpms/gnome-panel/devel .cvsignore, 1.94, 1.95 gnome-panel.spec, 1.352, 1.353 sources, 1.97, 1.98
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19449
Modified Files:
modules-targeted.conf policy-20090105.patch
selinux-policy.spec
Log Message:
* Wed May 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-39
- Allow fprintd to access sys_ptrace
- Add sandbox policy
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.128
retrieving revision 1.129
diff -u -p -r1.128 -r1.129
--- modules-targeted.conf 18 May 2009 18:41:01 -0000 1.128
+++ modules-targeted.conf 20 May 2009 17:28:24 -0000 1.129
@@ -1188,6 +1188,13 @@ rwho = module
samba = module
# Layer: apps
+# Module: sandbox
+#
+# Experimental policy for running apps within a sandbox
+#
+sandbox = module
+
+# Layer: apps
# Module: sambagui
#
# policy for system-config-samba
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.120
retrieving revision 1.121
diff -u -p -r1.120 -r1.121
--- policy-20090105.patch 19 May 2009 00:48:32 -0000 1.120
+++ policy-20090105.patch 20 May 2009 17:28:24 -0000 1.121
@@ -4578,6 +4578,134 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+permissive sambagui_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.12/policy/modules/apps/sandbox.fc
+--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/sandbox.fc 2009-05-20 13:18:54.000000000 -0400
+@@ -0,0 +1 @@
++# No types are sandbox_exec_t
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.12/policy/modules/apps/sandbox.if
+--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/sandbox.if 2009-05-20 13:19:04.000000000 -0400
+@@ -0,0 +1,75 @@
++
++## <summary>policy for sandbox</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run sandbox.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`sandbox_domtrans',`
++ gen_require(`
++ type sandbox_t;
++ type sandbox_exec_t;
++ ')
++
++ domtrans_pattern($1,sandbox_exec_t,sandbox_t)
++')
++
++
++########################################
++## <summary>
++## Execute sandbox in the sandbox domain, and
++## allow the specified role the sandbox domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the sandbox domain.
++## </summary>
++## </param>
++#
++interface(`sandbox_run',`
++ gen_require(`
++ type sandbox_t;
++ ')
++
++ sandbox_domtrans($1)
++ role $2 types sandbox_t;
++')
++
++########################################
++## <summary>
++## Role access for sandbox
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## User domain for the role
++## </summary>
++## </param>
++#
++interface(`sandbox_role',`
++ gen_require(`
++ type sandbox_t;
++ ')
++
++ role $2 types sandbox_t;
++
++ sandbox_domtrans($1)
++
++ ps_process_pattern($2, sandbox_t)
++ allow $2 sandbox_t:process signal;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
+--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-05-20 13:27:01.000000000 -0400
+@@ -0,0 +1,40 @@
++policy_module(sandbox,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type sandbox_t;
++type sandbox_exec_t;
++application_domain(sandbox_t, sandbox_exec_t)
++init_daemon_domain(sandbox_t, sandbox_exec_t)
++role system_r types sandbox_t;
++
++type sandbox_file_t;
++files_type(sandbox_file_t)
++
++########################################
++#
++# sandbox local policy
++#
++
++## internal communication is often done using fifo and unix sockets.
++allow sandbox_t self:fifo_file rw_file_perms;
++allow sandbox_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
++manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
++manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
++manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
++manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
++
++files_rw_all_inherited_files(sandbox_t)
++files_entrypoint_all_files(sandbox_t)
++
++libs_use_ld_so(sandbox_t)
++libs_use_shared_libs(sandbox_t)
++
++miscfiles_read_localization(sandbox_t)
++
++userdom_use_user_ptys(sandbox_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-11-11 16:13:42.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-12 15:30:13.000000000 -0400
@@ -5575,7 +5703,7 @@ diff -b -B --ignore-all-space --exclude-
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-14 08:50:17.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-20 13:26:43.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@@ -5857,7 +5985,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -4921,3 +5078,132 @@
+@@ -4921,3 +5078,172 @@
typeattribute $1 files_unconfined_type;
')
@@ -5990,6 +6118,46 @@ diff -b -B --ignore-all-space --exclude-
+
+ dontaudit $1 security_file_type:file read_file_perms;
+')
++
++########################################
++## <summary>
++## rw any files inherited from another process
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_rw_all_inherited_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:file { getattr read write append lock };
++ allow $1 file_type:fifo_file { getattr read write append ioctl lock };
++ allow $1 file_type:sock_file { getattr read write append ioctl lock };
++ allow $1 file_type:chr_file { getattr read write append ioctl lock };
++')
++
++########################################
++## <summary>
++## Allow any file point to be the entrypoint of this domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_entrypoint_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++ allow $1 file_type:file entrypoint;
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.12/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/kernel/files.te 2009-05-12 15:30:13.000000000 -0400
@@ -7727,8 +7895,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-05-12 15:30:13.000000000 -0400
-@@ -0,0 +1,397 @@
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-05-20 13:21:29.000000000 -0400
+@@ -0,0 +1,401 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -8008,6 +8176,10 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+optional_policy(`
++ sandbox_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ sendmail_run_unconfined(unconfined_t, unconfined_r)
+')
+
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.855
retrieving revision 1.856
diff -u -p -r1.855 -r1.856
--- selinux-policy.spec 18 May 2009 18:41:02 -0000 1.855
+++ selinux-policy.spec 20 May 2009 17:28:24 -0000 1.856
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 38%{?dist}
+Release: 39%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,10 @@ exit 0
%endif
%changelog
+* Wed May 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-39
+- Allow fprintd to access sys_ptrace
+- Add sandbox policy
+
* Mon May 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-38
- Add varnishd policy
@@ -484,7 +488,6 @@ exit 0
* Mon May 11 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-35
- Add /usr/share/selinux/packages
-- Turn on nsplugin boolean
* Mon May 11 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-34
- Allow rpcd_t to send signals to kernel threads
- Previous message (by thread): rpms/selinux-policy/F-11 booleans-targeted.conf, 1.48, 1.49 modules-targeted.conf, 1.127, 1.128 policy-20090105.patch, 1.126, 1.127 selinux-policy.spec, 1.860, 1.861
- Next message (by thread): rpms/gnome-panel/devel .cvsignore, 1.94, 1.95 gnome-panel.spec, 1.352, 1.353 sources, 1.97, 1.98
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list