rpms/selinux-policy/devel policy-F12.patch, 1.88, 1.89 selinux-policy.spec, 1.925, 1.926

Daniel J Walsh dwalsh at fedoraproject.org
Sun Sep 20 14:32:31 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6420

Modified Files:
	policy-F12.patch selinux-policy.spec 
Log Message:
* Sun Sep 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-7
- Remove allow_exec* booleans for confined users.  Only available for unconfined_t


policy-F12.patch:
 Makefile                                  |    2 
 policy/flask/access_vectors               |    1 
 policy/global_tunables                    |   24 
 policy/mcs                                |   10 
 policy/modules/admin/anaconda.te          |    3 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/dmesg.fc             |    2 
 policy/modules/admin/dmesg.te             |    7 
 policy/modules/admin/firstboot.te         |    6 
 policy/modules/admin/logrotate.te         |   13 
 policy/modules/admin/logwatch.te          |    1 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/netutils.te          |    1 
 policy/modules/admin/portage.te           |    2 
 policy/modules/admin/prelink.if           |    4 
 policy/modules/admin/prelink.te           |    1 
 policy/modules/admin/readahead.te         |    1 
 policy/modules/admin/rpm.fc               |   17 
 policy/modules/admin/rpm.if               |  199 ++++
 policy/modules/admin/rpm.te               |   65 +
 policy/modules/admin/shorewall.if         |   40 
 policy/modules/admin/shorewall.te         |    2 
 policy/modules/admin/smoltclient.fc       |    4 
 policy/modules/admin/smoltclient.if       |    1 
 policy/modules/admin/smoltclient.te       |   67 +
 policy/modules/admin/sudo.if              |   13 
 policy/modules/admin/tmpreaper.te         |    4 
 policy/modules/admin/tzdata.te            |    2 
 policy/modules/admin/usermanage.if        |    5 
 policy/modules/admin/usermanage.te        |   31 
 policy/modules/admin/vbetool.te           |   16 
 policy/modules/apps/calamaris.te          |    7 
 policy/modules/apps/cpufreqselector.te    |    2 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |    3 
 policy/modules/apps/firewallgui.te        |   63 +
 policy/modules/apps/gitosis.if            |   45 
 policy/modules/apps/gnome.fc              |   12 
 policy/modules/apps/gnome.if              |  170 +++
 policy/modules/apps/gnome.te              |   99 ++
 policy/modules/apps/gpg.te                |   16 
 policy/modules/apps/java.fc               |   17 
 policy/modules/apps/java.if               |  111 ++
 policy/modules/apps/java.te               |   14 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   65 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |   50 +
 policy/modules/apps/livecd.te             |   26 
 policy/modules/apps/mono.if               |  101 ++
 policy/modules/apps/mono.te               |    9 
 policy/modules/apps/mozilla.fc            |    1 
 policy/modules/apps/mozilla.if            |   31 
 policy/modules/apps/mozilla.te            |   21 
 policy/modules/apps/nsplugin.fc           |   12 
 policy/modules/apps/nsplugin.if           |  319 ++++++
 policy/modules/apps/nsplugin.te           |  292 ++++++
 policy/modules/apps/openoffice.fc         |    3 
 policy/modules/apps/openoffice.if         |   93 +
 policy/modules/apps/openoffice.te         |   11 
 policy/modules/apps/pulseaudio.te         |    6 
 policy/modules/apps/qemu.fc               |    4 
 policy/modules/apps/qemu.if               |  190 ++++
 policy/modules/apps/qemu.te               |   82 +
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   56 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  179 +++
 policy/modules/apps/sandbox.te            |  324 ++++++
 policy/modules/apps/screen.if             |    5 
 policy/modules/apps/seunshare.fc          |    2 
 policy/modules/apps/seunshare.if          |   80 +
 policy/modules/apps/seunshare.te          |   45 
 policy/modules/apps/vmware.te             |    1 
 policy/modules/apps/wine.fc               |   24 
 policy/modules/apps/wine.if               |   59 +
 policy/modules/apps/wine.te               |   34 
 policy/modules/kernel/corecommands.fc     |   28 
 policy/modules/kernel/corecommands.if     |   21 
 policy/modules/kernel/corenetwork.te.in   |   31 
 policy/modules/kernel/devices.fc          |    7 
 policy/modules/kernel/devices.if          |  164 +++
 policy/modules/kernel/devices.te          |   19 
 policy/modules/kernel/domain.if           |  151 ++-
 policy/modules/kernel/domain.te           |   84 +
 policy/modules/kernel/files.fc            |    3 
 policy/modules/kernel/files.if            |  298 ++++++
 policy/modules/kernel/files.te            |    6 
 policy/modules/kernel/filesystem.fc       |    2 
 policy/modules/kernel/filesystem.if       |  211 ++++
 policy/modules/kernel/filesystem.te       |    8 
 policy/modules/kernel/kernel.if           |   58 +
 policy/modules/kernel/kernel.te           |   29 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    1 
 policy/modules/kernel/storage.if          |    2 
 policy/modules/kernel/terminal.fc         |    1 
 policy/modules/kernel/terminal.if         |   40 
 policy/modules/kernel/terminal.te         |    1 
 policy/modules/roles/guest.te             |    8 
 policy/modules/roles/staff.te             |  123 --
 policy/modules/roles/sysadm.te            |  124 --
 policy/modules/roles/unconfineduser.fc    |   36 
 policy/modules/roles/unconfineduser.if    |  638 +++++++++++++
 policy/modules/roles/unconfineduser.te    |  402 ++++++++
 policy/modules/roles/unprivuser.te        |  131 --
 policy/modules/roles/xguest.te            |   18 
 policy/modules/services/abrt.fc           |    2 
 policy/modules/services/abrt.if           |   21 
 policy/modules/services/abrt.te           |    5 
 policy/modules/services/afs.fc            |    1 
 policy/modules/services/afs.te            |    1 
 policy/modules/services/amavis.te         |    2 
 policy/modules/services/apache.fc         |   37 
 policy/modules/services/apache.if         |  391 +++++---
 policy/modules/services/apache.te         |  438 +++++++--
 policy/modules/services/apm.te            |    2 
 policy/modules/services/automount.te      |    1 
 policy/modules/services/bind.if           |   40 
 policy/modules/services/bluetooth.te      |    9 
 policy/modules/services/certmaster.te     |    2 
 policy/modules/services/chronyd.fc        |   11 
 policy/modules/services/chronyd.if        |  105 ++
 policy/modules/services/chronyd.te        |   67 +
 policy/modules/services/clamav.te         |   16 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   18 
 policy/modules/services/corosync.fc       |   13 
 policy/modules/services/corosync.if       |  108 ++
 policy/modules/services/corosync.te       |  109 ++
 policy/modules/services/courier.if        |   18 
 policy/modules/services/courier.te        |    1 
 policy/modules/services/cron.fc           |    4 
 policy/modules/services/cron.if           |   72 +
 policy/modules/services/cron.te           |   82 +
 policy/modules/services/cups.fc           |   13 
 policy/modules/services/cups.te           |   29 
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/cyrus.te          |    1 
 policy/modules/services/dbus.if           |   49 -
 policy/modules/services/dbus.te           |   25 
 policy/modules/services/dcc.te            |    8 
 policy/modules/services/ddclient.if       |   25 
 policy/modules/services/devicekit.fc      |    2 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |   54 +
 policy/modules/services/dnsmasq.te        |    8 
 policy/modules/services/dovecot.te        |    7 
 policy/modules/services/exim.te           |    5 
 policy/modules/services/fail2ban.te       |    1 
 policy/modules/services/fetchmail.te      |    2 
 policy/modules/services/fprintd.te        |    4 
 policy/modules/services/ftp.te            |   58 +
 policy/modules/services/gpm.te            |    3 
 policy/modules/services/gpsd.fc           |    5 
 policy/modules/services/gpsd.if           |   27 
 policy/modules/services/gpsd.te           |   14 
 policy/modules/services/hal.fc            |    1 
 policy/modules/services/hal.if            |   18 
 policy/modules/services/hal.te            |   47 -
 policy/modules/services/inetd.te          |    2 
 policy/modules/services/irqbalance.te     |    4 
 policy/modules/services/kerberos.te       |   13 
 policy/modules/services/kerneloops.te     |    2 
 policy/modules/services/ktalk.te          |    1 
 policy/modules/services/lircd.te          |   11 
 policy/modules/services/mailman.te        |    4 
 policy/modules/services/memcached.te      |    2 
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |    5 
 policy/modules/services/mta.te            |   34 
 policy/modules/services/munin.fc          |    3 
 policy/modules/services/munin.te          |    3 
 policy/modules/services/mysql.te          |    7 
 policy/modules/services/nagios.fc         |   11 
 policy/modules/services/nagios.if         |   70 +
 policy/modules/services/nagios.te         |   55 -
 policy/modules/services/networkmanager.fc |   13 
 policy/modules/services/networkmanager.if |   45 
 policy/modules/services/networkmanager.te |  115 ++
 policy/modules/services/nis.fc            |    5 
 policy/modules/services/nis.if            |   87 +
 policy/modules/services/nis.te            |   13 
 policy/modules/services/nscd.te           |   10 
 policy/modules/services/nslcd.if          |    8 
 policy/modules/services/ntp.if            |   46 
 policy/modules/services/ntp.te            |    8 
 policy/modules/services/nx.fc             |    1 
 policy/modules/services/nx.if             |   19 
 policy/modules/services/nx.te             |    6 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/openvpn.te        |    2 
 policy/modules/services/pcscd.te          |    3 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   48 +
 policy/modules/services/policykit.te      |   63 +
 policy/modules/services/postfix.fc        |    2 
 policy/modules/services/postfix.if        |  150 ++-
 policy/modules/services/postfix.te        |  136 ++
 policy/modules/services/postgresql.fc     |    1 
 policy/modules/services/postgresql.if     |   43 
 policy/modules/services/postgresql.te     |    9 
 policy/modules/services/ppp.if            |    6 
 policy/modules/services/ppp.te            |   14 
 policy/modules/services/prelude.te        |    1 
 policy/modules/services/privoxy.te        |    3 
 policy/modules/services/procmail.te       |   12 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 +
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rgmanager.fc      |    6 
 policy/modules/services/rgmanager.if      |   40 
 policy/modules/services/rgmanager.te      |   54 +
 policy/modules/services/rhcs.fc           |   22 
 policy/modules/services/rhcs.if           |  214 ++++
 policy/modules/services/rhcs.te           |  336 +++++++
 policy/modules/services/ricci.te          |    5 
 policy/modules/services/rpc.if            |    6 
 policy/modules/services/rpc.te            |   14 
 policy/modules/services/rpcbind.if        |   20 
 policy/modules/services/rpcbind.te        |    1 
 policy/modules/services/rsync.te          |   23 
 policy/modules/services/rtkit.if          |   20 
 policy/modules/services/rtkit.te          |    2 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  104 ++
 policy/modules/services/samba.te          |   89 +
 policy/modules/services/sasl.te           |   15 
 policy/modules/services/sendmail.if       |  137 ++
 policy/modules/services/sendmail.te       |   88 +
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |   84 +
 policy/modules/services/setroubleshoot.te |   80 +
 policy/modules/services/smartmon.te       |   15 
 policy/modules/services/snmp.if           |   38 
 policy/modules/services/snmp.te           |    2 
 policy/modules/services/spamassassin.fc   |   14 
 policy/modules/services/spamassassin.if   |   89 +
 policy/modules/services/spamassassin.te   |  130 ++
 policy/modules/services/squid.te          |    9 
 policy/modules/services/ssh.fc            |    2 
 policy/modules/services/ssh.if            |  183 +++
 policy/modules/services/ssh.te            |   78 +
 policy/modules/services/sssd.fc           |    2 
 policy/modules/services/sssd.if           |   43 
 policy/modules/services/sssd.te           |    6 
 policy/modules/services/sysstat.te        |    2 
 policy/modules/services/uucp.te           |    7 
 policy/modules/services/virt.fc           |   12 
 policy/modules/services/virt.if           |  127 ++
 policy/modules/services/virt.te           |  279 +++++
 policy/modules/services/w3c.te            |    7 
 policy/modules/services/xserver.fc        |   30 
 policy/modules/services/xserver.if        |  534 ++++++++++-
 policy/modules/services/xserver.te        |  311 +++++-
 policy/modules/system/application.if      |   20 
 policy/modules/system/application.te      |   11 
 policy/modules/system/authlogin.fc        |    9 
 policy/modules/system/authlogin.if        |  204 +++-
 policy/modules/system/authlogin.te        |    9 
 policy/modules/system/fstools.fc          |    2 
 policy/modules/system/fstools.te          |    7 
 policy/modules/system/init.fc             |    7 
 policy/modules/system/init.if             |  158 +++
 policy/modules/system/init.te             |  277 ++++-
 policy/modules/system/ipsec.fc            |    3 
 policy/modules/system/ipsec.if            |   25 
 policy/modules/system/ipsec.te            |   55 +
 policy/modules/system/iptables.fc         |   17 
 policy/modules/system/iptables.if         |   97 ++
 policy/modules/system/iptables.te         |   15 
 policy/modules/system/iscsi.if            |   40 
 policy/modules/system/iscsi.te            |    6 
 policy/modules/system/libraries.fc        |  158 ++-
 policy/modules/system/libraries.if        |    4 
 policy/modules/system/libraries.te        |   17 
 policy/modules/system/locallogin.te       |   28 
 policy/modules/system/logging.fc          |   11 
 policy/modules/system/logging.if          |    4 
 policy/modules/system/logging.te          |   34 
 policy/modules/system/lvm.te              |   17 
 policy/modules/system/miscfiles.if        |   19 
 policy/modules/system/modutils.fc         |    1 
 policy/modules/system/modutils.if         |   46 
 policy/modules/system/modutils.te         |   46 
 policy/modules/system/mount.fc            |    7 
 policy/modules/system/mount.if            |    2 
 policy/modules/system/mount.te            |   75 +
 policy/modules/system/raid.fc             |    2 
 policy/modules/system/raid.te             |    8 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  288 ++++++
 policy/modules/system/selinuxutil.te      |  228 +---
 policy/modules/system/setrans.if          |   20 
 policy/modules/system/sysnetwork.fc       |    9 
 policy/modules/system/sysnetwork.if       |  117 ++
 policy/modules/system/sysnetwork.te       |   75 +
 policy/modules/system/udev.fc             |    3 
 policy/modules/system/udev.if             |   21 
 policy/modules/system/udev.te             |   38 
 policy/modules/system/unconfined.fc       |   15 
 policy/modules/system/unconfined.if       |  443 ---------
 policy/modules/system/unconfined.te       |  224 ----
 policy/modules/system/userdomain.fc       |    6 
 policy/modules/system/userdomain.if       | 1402 ++++++++++++++++++++++--------
 policy/modules/system/userdomain.te       |   50 -
 policy/modules/system/xen.fc              |    6 
 policy/modules/system/xen.if              |   28 
 policy/modules/system/xen.te              |  137 ++
 policy/support/obj_perm_sets.spt          |   14 
 policy/users                              |   13 
 317 files changed, 14553 insertions(+), 2581 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -p -r1.88 -r1.89
--- policy-F12.patch	19 Sep 2009 02:03:03 -0000	1.88
+++ policy-F12.patch	20 Sep 2009 14:32:30 -0000	1.89
@@ -7579,8 +7579,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2009-09-18 09:45:33.000000000 -0400
-@@ -0,0 +1,392 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2009-09-20 08:49:01.000000000 -0400
+@@ -0,0 +1,402 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -7686,6 +7686,14 @@ diff -b -B --ignore-all-space --exclude-
 +usermanage_run_passwd(unconfined_t, unconfined_r)
 +usermanage_run_chfn(unconfined_t, unconfined_r)
 +
++tunable_policy(`allow_execmem',`
++	allow unconfined_t self:process execmem;
++')
++
++tunable_policy(`allow_execmem && allow_execstack',`
++	allow unconfined_t self:process execstack;
++')
++
 +tunable_policy(`unconfined_login',`
 +	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
 +	allow unconfined_t unconfined_login_domain:fd use;
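Review bot: The two `tunable_policy` blocks added to unconfineduser.te grant `execmem` and `execstack` to `unconfined_t` without any comment, while the copies this revision removes from the userdomain.if base template each carried one. These permissions let a process execute from writable memory and from its stack, so I would restore a comment on each, for example `# Allow unconfined_t to map memory that is both writable and executable.` and `# Allow unconfined_t to make its stack executable via mprotect.`. The descriptions of `allow_execmem` and `allow_execstack` in policy/global_tunables are not changed in the hunks shown here, so they presumably still read as applying to every user domain. It is worth checking that they now name unconfined_t only, so an administrator who toggles them knows confined users are unaffected.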
@@ -7973,6 +7981,8 @@ diff -b -B --ignore-all-space --exclude-
 +#
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.32/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/roles/unprivuser.te	2009-09-16 10:03:09.000000000 -0400
@@ -17882,7 +17892,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ssh.te	2009-09-18 21:47:14.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/ssh.te	2009-09-19 07:07:53.000000000 -0400
 @@ -41,6 +41,9 @@
  files_tmp_file(sshd_tmp_t)
  files_poly_parent(sshd_tmp_t)
@@ -17920,7 +17930,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -126,11 +129,12 @@
+@@ -126,11 +129,13 @@
  read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
  
  # ssh servers can read the user keys and config
@@ -17930,13 +17940,14 @@ diff -b -B --ignore-all-space --exclude-
 +manage_dirs_pattern(ssh_server, home_ssh_t, home_ssh_t)
 +manage_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
 +userdom_user_home_dir_filetrans(ssh_server, home_ssh_t, dir)
++userdom_admin_home_dir_filetrans(ssh_server, home_ssh_t, dir)
  
  kernel_read_kernel_sysctls(ssh_t)
 +kernel_read_system_state(ssh_t)
  
  corenet_all_recvfrom_unlabeled(ssh_t)
  corenet_all_recvfrom_netlabel(ssh_t)
-@@ -139,6 +143,8 @@
+@@ -139,6 +144,8 @@
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
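Review bot: The added `userdom_admin_home_dir_filetrans(ssh_server, home_ssh_t, dir)` keys the transition on object class alone, so any directory an `ssh_server` domain creates directly in the admin home directory would be labeled `home_ssh_t`, not only `.ssh`. The same holds for the `userdom_user_home_dir_filetrans` line above it. If that is intended, a comment should say so. The `# ssh servers can read the user keys and config` comment immediately before this hunk also no longer matches the `manage_dirs_pattern`/`manage_files_pattern` rules beneath it, and could become `# ssh servers can create and manage ~/.ssh, including in the admin home directory`. The surrounding ssh.te section starts and ends outside this hunk, so whether `ssh_server` covers more than `sshd_t` should be confirmed against the attribute's declaration.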
@@ -17945,7 +17956,7 @@ diff -b -B --ignore-all-space --exclude-
  
  dev_read_urand(ssh_t)
  
-@@ -160,19 +166,19 @@
+@@ -160,19 +167,19 @@
  logging_send_syslog_msg(ssh_t)
  logging_read_generic_logs(ssh_t)
  
@@ -17968,7 +17979,7 @@ diff -b -B --ignore-all-space --exclude-
  
  tunable_policy(`allow_ssh_keysign',`
  	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -194,23 +200,13 @@
+@@ -194,23 +201,13 @@
  # for port forwarding
  tunable_policy(`user_tcp_server',`
  	corenet_tcp_bind_ssh_port(ssh_t)
@@ -17994,7 +18005,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -301,6 +297,7 @@
+@@ -301,6 +298,7 @@
  
  kernel_search_key(sshd_t)
  kernel_link_key(sshd_t)
@@ -18002,7 +18013,7 @@ diff -b -B --ignore-all-space --exclude-
  
  term_use_all_user_ptys(sshd_t)
  term_setattr_all_user_ptys(sshd_t)
-@@ -310,16 +307,34 @@
+@@ -310,16 +308,34 @@
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
@@ -18039,7 +18050,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -331,6 +346,10 @@
+@@ -331,6 +347,10 @@
  ')
  
  optional_policy(`
@@ -18050,7 +18061,7 @@ diff -b -B --ignore-all-space --exclude-
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -341,7 +360,11 @@
+@@ -341,7 +361,11 @@
  ')
  
  optional_policy(`
@@ -18063,7 +18074,7 @@ diff -b -B --ignore-all-space --exclude-
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -400,15 +423,13 @@
+@@ -400,15 +424,13 @@
  init_use_fds(ssh_keygen_t)
  init_use_script_ptys(ssh_keygen_t)
  
@@ -25429,7 +25440,7 @@ diff -b -B --ignore-all-space --exclude-
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-09-18 21:52:11.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-09-20 08:32:58.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -25441,7 +25452,7 @@ diff -b -B --ignore-all-space --exclude-
  	domain_type($1_t)
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
-@@ -41,71 +42,88 @@
+@@ -41,80 +42,93 @@
  	allow system_r $1_r;
  
  	term_user_pty($1_t, user_devpts_t)
@@ -25554,47 +25565,43 @@ diff -b -B --ignore-all-space --exclude-
 -	files_dontaudit_getattr_non_security_symlinks($1_t)
 -	files_dontaudit_getattr_non_security_pipes($1_t)
 -	files_dontaudit_getattr_non_security_sockets($1_t)
--
--	libs_exec_ld_so($1_t)
--
--	miscfiles_read_localization($1_t)
--	miscfiles_read_certs($1_t)
--
--	sysnet_read_config($1_t)
 +	files_dontaudit_getattr_all_dirs($1_usertype)
 +	files_dontaudit_list_non_security($1_usertype)
 +	files_dontaudit_getattr_all_files($1_usertype)
 +	files_dontaudit_getattr_non_security_symlinks($1_usertype)
 +	files_dontaudit_getattr_non_security_pipes($1_usertype)
 +	files_dontaudit_getattr_non_security_sockets($1_usertype)
-+
+ 
+-	libs_exec_ld_so($1_t)
 +	storage_rw_fuse($1_usertype)
-+
+ 
+-	miscfiles_read_localization($1_t)
+-	miscfiles_read_certs($1_t)
 +	auth_use_nsswitch($1_usertype)
-+
+ 
+-	sysnet_read_config($1_t)
 +	libs_exec_ld_so($1_usertype)
-+
+ 
+-	tunable_policy(`allow_execmem',`
+-		# Allow loading DSOs that require executable stack.
+-		allow $1_t self:process execmem;
+-	')
 +	miscfiles_read_certs($1_usertype)
 +	miscfiles_read_localization($1_usertype)
 +	miscfiles_read_man_pages($1_usertype)
 +	miscfiles_read_public_files($1_usertype)
  
- 	tunable_policy(`allow_execmem',`
- 		# Allow loading DSOs that require executable stack.
-@@ -116,6 +134,12 @@
- 		# Allow making the stack executable via mprotect.
- 		allow $1_t self:process execstack;
- 	')
-+
+-	tunable_policy(`allow_execmem && allow_execstack',`
+-		# Allow making the stack executable via mprotect.
+-		allow $1_t self:process execstack;
 +	optional_policy(`
 +		ssh_rw_stream_sockets($1_usertype)
 +		ssh_delete_tmp($1_t)
 +		ssh_signal($1_t)
-+	')
+ 	')
  ')
  
- #######################################
-@@ -147,6 +171,7 @@
+@@ -147,6 +161,7 @@
  interface(`userdom_ro_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -25602,7 +25609,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	role $1 types { user_home_t user_home_dir_t };
-@@ -157,6 +182,7 @@
+@@ -157,6 +172,7 @@
  	#
  
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
@@ -25610,7 +25617,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# read-only home directory
  	allow $2 user_home_dir_t:dir list_dir_perms;
-@@ -168,27 +194,6 @@
+@@ -168,27 +184,6 @@
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -25638,7 +25645,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -220,9 +225,10 @@
+@@ -220,9 +215,10 @@
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -25650,7 +25657,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	##############################
  	#
-@@ -232,17 +238,20 @@
+@@ -232,17 +228,20 @@
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -25681,7 +25688,7 @@ diff -b -B --ignore-all-space --exclude-
  	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
  	files_list_home($2)
  
-@@ -250,25 +259,23 @@
+@@ -250,25 +249,23 @@
  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
  
  	tunable_policy(`use_nfs_home_dirs',`
@@ -25711,7 +25718,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -303,6 +310,7 @@
+@@ -303,6 +300,7 @@
  	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
  	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
  	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -25719,7 +25726,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -322,6 +330,7 @@
+@@ -322,6 +320,7 @@
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -25727,7 +25734,7 @@ diff -b -B --ignore-all-space --exclude-
  	files_search_tmp($1)
  ')
  
-@@ -368,46 +377,41 @@
+@@ -368,46 +367,41 @@
  
  #######################################
  ## <summary>
@@ -25794,7 +25801,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -412,7 +416,7 @@
+@@ -412,7 +406,7 @@
  
  #######################################
  ## <summary>
@@ -25803,7 +25810,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="userdomain_prefix">
  ##	<summary>
-@@ -420,35 +424,48 @@
+@@ -420,35 +414,48 @@
  ##	is the prefix for user_t).
  ##	</summary>
  ## </param>
@@ -25841,17 +25848,17 @@ diff -b -B --ignore-all-space --exclude-
 +	dev_read_video_dev($1)
 +	dev_write_video_dev($1)
 +	dev_rw_wireless($1)
-+
-+	miscfiles_dontaudit_write_fonts($1)
-+
-+	optional_policy(`
-+		udev_read_db($1)
-+	')
  
 -	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
 -	xserver_xsession_entry_type($1_t)
 -	xserver_dontaudit_write_log($1_t)
 -	xserver_stream_connect_xdm($1_t)
++	miscfiles_dontaudit_write_fonts($1)
++
++	optional_policy(`
++		udev_read_db($1)
++	')
++
 +	optional_policy(`
 +		xserver_user_client($1, user_tmpfs_t)
 +		xserver_xsession_entry_type($1)
@@ -25871,7 +25878,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -498,7 +515,7 @@
+@@ -498,7 +505,7 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -25880,7 +25887,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	##############################
  	#
-@@ -508,182 +525,208 @@
+@@ -508,182 +515,208 @@
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -26011,19 +26018,19 @@ diff -b -B --ignore-all-space --exclude-
 -		# Allow graphical boot to check battery lifespan
 -		apm_stream_connect($1_t)
 +		canna_stream_connect($1_usertype)
- 	')
- 
- 	optional_policy(`
--		canna_stream_connect($1_t)
++	')
++
++	optional_policy(`
 +		dbus_system_bus_client($1_usertype)
 +
 +		allow $1_usertype $1_usertype:dbus  send_msg;
 +
 +		optional_policy(`
 +			avahi_dbus_chat($1_usertype)
-+		')
-+
-+		optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		canna_stream_connect($1_t)
 +			bluetooth_dbus_chat($1_usertype)
  	')
  
@@ -26162,7 +26169,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -711,13 +754,26 @@
+@@ -711,13 +744,26 @@
  
  	userdom_base_user_template($1)
  
@@ -26173,9 +26180,7 @@ diff -b -B --ignore-all-space --exclude-
 -	userdom_manage_tmpfs_role($1_r, $1_t)
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
- 
--	userdom_exec_user_tmp_files($1_t)
--	userdom_exec_user_home_content_files($1_t)
++
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
 +
@@ -26186,7 +26191,9 @@ diff -b -B --ignore-all-space --exclude-
 +		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
-+
+ 
+-	userdom_exec_user_tmp_files($1_t)
+-	userdom_exec_user_home_content_files($1_t)
 +		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
@@ -26194,7 +26201,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	userdom_change_password_template($1)
  
-@@ -735,70 +791,71 @@
+@@ -735,70 +781,71 @@
  
  	allow $1_t self:context contains;
  
@@ -26299,7 +26306,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -835,6 +892,32 @@
+@@ -835,6 +882,32 @@
  	# Local policy
  	#
  
@@ -26332,7 +26339,7 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
  		loadkeys_run($1_t,$1_r)
  	')
-@@ -865,51 +948,81 @@
+@@ -865,51 +938,81 @@
  
  	userdom_restricted_user_template($1)
  
@@ -26427,7 +26434,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -943,8 +1056,8 @@
+@@ -943,8 +1046,8 @@
  	# Declarations
  	#
  
@@ -26437,7 +26444,7 @@ diff -b -B --ignore-all-space --exclude-
  	userdom_common_user_template($1)
  
  	##############################
-@@ -953,11 +1066,12 @@
+@@ -953,11 +1056,12 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -26452,7 +26459,7 @@ diff -b -B --ignore-all-space --exclude-
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -975,36 +1089,53 @@
+@@ -975,36 +1079,53 @@
  		')
  	')
  
@@ -26520,7 +26527,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -1040,7 +1171,7 @@
+@@ -1040,7 +1161,7 @@
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -26529,7 +26536,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	##############################
-@@ -1049,8 +1180,7 @@
+@@ -1049,8 +1170,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -26539,7 +26546,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1075,6 +1205,9 @@
+@@ -1075,6 +1195,9 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -26549,7 +26556,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1089,6 +1222,7 @@
+@@ -1089,6 +1212,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -26557,7 +26564,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1096,8 +1230,6 @@
+@@ -1096,8 +1220,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -26566,7 +26573,7 @@ diff -b -B --ignore-all-space --exclude-
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1124,6 +1256,8 @@
+@@ -1124,6 +1246,8 @@
  	files_exec_usr_src_files($1_t)
  
  	fs_getattr_all_fs($1_t)
@@ -26575,7 +26582,7 @@ diff -b -B --ignore-all-space --exclude-
  	fs_set_all_quotas($1_t)
  	fs_exec_noxattr($1_t)
  
-@@ -1152,20 +1286,6 @@
+@@ -1152,20 +1276,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -26596,7 +26603,7 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1211,6 +1331,7 @@
+@@ -1211,6 +1321,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -26604,7 +26611,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1276,11 +1397,15 @@
+@@ -1276,11 +1387,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -26620,7 +26627,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1391,12 +1516,13 @@
+@@ -1391,12 +1506,13 @@
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -26635,7 +26642,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1429,6 +1555,14 @@
+@@ -1429,6 +1545,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -26650,7 +26657,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1444,9 +1578,11 @@
+@@ -1444,9 +1568,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -26662,7 +26669,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1503,6 +1639,25 @@
+@@ -1503,6 +1629,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -26688,7 +26695,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1577,6 +1732,8 @@
+@@ -1577,6 +1722,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -26697,7 +26704,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1670,6 +1827,7 @@
+@@ -1670,6 +1817,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -26705,7 +26712,7 @@ diff -b -B --ignore-all-space --exclude-
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1797,19 +1955,32 @@
+@@ -1797,19 +1945,32 @@
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -26745,7 +26752,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1844,6 +2015,7 @@
+@@ -1844,6 +2005,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -26753,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2563,7 @@
+@@ -2391,27 +2553,7 @@
  
  ########################################
  ## <summary>
@@ -26782,7 +26789,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2765,11 +2917,32 @@
+@@ -2765,11 +2907,32 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -26817,7 +26824,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2897,7 +3070,25 @@
+@@ -2897,7 +3060,25 @@
  		type user_tmp_t;
  	')
  
@@ -26844,7 +26851,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2934,6 +3125,7 @@
+@@ -2934,6 +3115,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -26852,7 +26859,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_search_proc($1)
  ')
  
-@@ -3064,3 +3256,559 @@
+@@ -3064,3 +3246,559 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.925
retrieving revision 1.926
diff -u -p -r1.925 -r1.926
--- selinux-policy.spec	19 Sep 2009 01:38:30 -0000	1.925
+++ selinux-policy.spec	20 Sep 2009 14:32:30 -0000	1.926
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -447,6 +447,9 @@ exit 0
 %endif
 
 %changelog
+* Sun Sep 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-7
+- Remove allow_exec* booleans for confined users.  Only available for unconfined_t
+
 * Fri Sep 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-6
 - More fixes for sandbox_web_t
 



