rpms/selinux-policy/F-11 policy-20090521.patch, 1.1, 1.2 selinux-policy.spec, 1.862, 1.863

Daniel J Walsh dwalsh at fedoraproject.org
Fri May 22 14:37:51 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9017

Modified Files:
	policy-20090521.patch selinux-policy.spec 
Log Message:
* Thu May 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-41
- Allow sysadm_t to connect to virt stream


policy-20090521.patch:

Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- policy-20090521.patch	21 May 2009 17:08:51 -0000	1.1
+++ policy-20090521.patch	22 May 2009 14:37:50 -0000	1.2
@@ -1,3 +1,62 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
+--- nsaserefpolicy/policy/modules/apps/sandbox.te	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te	2009-05-22 10:14:07.000000000 -0400
+@@ -38,3 +38,6 @@
+ miscfiles_read_localization(sandbox_t)
+ 
+ userdom_use_user_ptys(sandbox_t)
++
++kernel_dontaudit_read_system_state(sandbox_t)
++corecmd_exec_all_executables(sandbox_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-05-22 08:57:14.000000000 -0400
+@@ -5224,6 +5224,7 @@
+ 		attribute file_type;
+ 	')
+ 
++	allow $1 file_type:dir search_dir_perms;
+ 	allow $1 file_type:file { getattr read write append lock };
+ 	allow $1 file_type:fifo_file { getattr read write append ioctl lock };
+ 	allow $1 file_type:sock_file { getattr read write append ioctl lock };
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-05-22 08:57:53.000000000 -0400
+@@ -817,7 +817,7 @@
+ 		type proc_t;
+ 	')
+ 
+-	dontaudit $1 proc_t:file { getattr read };
++	dontaudit $1 proc_t:file { open getattr read };
+ ')
+ 
+ ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
+--- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-05-21 15:11:07.000000000 -0400
+@@ -334,6 +334,10 @@
+ ')
+ 
+ optional_policy(`
++	virt_stream_connect(sysadm_t)
++')
++
++optional_policy(`
+ 	yam_run(sysadm_t, sysadm_r)
+ ')
+ 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
+--- nsaserefpolicy/policy/modules/roles/unconfineduser.te	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-05-22 05:49:21.000000000 -0400
+@@ -52,6 +52,8 @@
+ init_system_domain(unconfined_execmem_t, execmem_exec_t)
+ role unconfined_r types unconfined_execmem_t;
+ typealias execmem_exec_t alias unconfined_execmem_exec_t;
++userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
++userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
+ 
+ type unconfined_notrans_t;
+ type unconfined_notrans_exec_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/devicekit.te	2009-05-21 12:57:07.000000000 -0400
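Review bot: The `+` line `allow $1 file_type:dir search_dir_perms;` in the files.if section widens a shared interface, so every domain that already calls it gains search on all `file_type` directories; the interface's name and callers are outside the hunk, so that reach should be confirmed before it ships. In the sandbox.te section, `corecmd_exec_all_executables(sandbox_t)` lets the sandbox domain execute every executable type, and `kernel_dontaudit_read_system_state(sandbox_t)` (presumably the kernel.if interface that gains `open` in this same hunk) suppresses the audit records that would show sandboxed code reading `proc_t` files. If the sandbox only needs ordinary binaries, a narrower call such as `corecmd_exec_bin(sandbox_t)` would be worth checking first. The log message names only `virt_stream_connect(sysadm_t)`; I would add changelog lines such as `- Allow sandbox_t to execute all executables` and `- Add directory search on file_type to the files.if interface` so the broader grants are visible to anyone auditing the release.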


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.862
retrieving revision 1.863
diff -u -p -r1.862 -r1.863
--- selinux-policy.spec	21 May 2009 17:08:51 -0000	1.862
+++ selinux-policy.spec	22 May 2009 14:37:50 -0000	1.863
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 40%{?dist}
+Release: 41%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
 %endif
 
 %changelog
+* Thu May 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-41
+- Allow sysadm_t to connect to virt stream
+
 * Thu May 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-40
 - Add context for /root/.spamassassin
 



