rpms/selinux-policy/F-12 policy-20100106.patch, NONE, 1.1 selinux-policy.spec, 1.990, 1.991

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jan 6 16:14:55 UTC 2010


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15181

Modified Files:
	selinux-policy.spec 
Added Files:
	policy-20100106.patch 
Log Message:

- Allow snmpd to send itself signal
- Allow virt_domain to read /dev/random
- Allow apcupsd to send itself signull
- Allow swat to transition to nmbd
- Add textrel_shlib_t label for /usr/local/lib/codecs/



policy-20100106.patch:
 services/apache.if       |    3 +++
 services/apcupsd.te      |    2 +-
 services/postfix.te      |    3 +++
 services/samba.te        |    5 +++++
 services/snmp.te         |    2 +-
 services/spamassassin.if |   18 ++++++++++++++++++
 services/virt.te         |    2 ++
 system/libraries.fc      |    1 +
 8 files changed, 34 insertions(+), 2 deletions(-)

--- NEW FILE policy-20100106.patch ---
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.if	2010-01-06 15:16:37.000000000 +0100
@@ -16,6 +16,7 @@
 		attribute httpd_exec_scripts;
 		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
+        type httpd_sys_content_t;
 	')
 	#This type is for webpages
 	type httpd_$1_content_t;
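Review bot: The added `type httpd_sys_content_t;` is indented with eight spaces while the surrounding gen_require lines use a tab; the same space-for-tab indentation is on the added lines of the second apache.if hunk, the first postfix.te hunk (`spamassassin_kill_client(postfix_pipe_t)`) and the body of the new spamassassin_kill_client interface. Because the patch was generated with `-b --ignore-all-space` the mismatch is invisible in the diff but is written into the tree, so re-indent each of those lines with a single tab, e.g. `	type httpd_sys_content_t;`. The enclosing template starts before and ends after this hunk.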
@@ -123,6 +124,8 @@
 		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
 		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
 		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+
+        allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
 	')
 
 	tunable_policy(`httpd_enable_cgi',`
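Review bot: `allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;` lets every per-type script domain traverse all httpd_sys_content_t directory trees, yet neither the commit message nor the spec changelog mentions it; the same omission applies to both postfix.te changes (the spamassassin_kill_client call and the sys_chroot capability). The block enclosing the new rule is opened before this hunk starts, so whether the grant is gated by a tunable or unconditional cannot be seen here and the commit should say which. Add a why-comment above the rule, e.g. `# TODO(review): record why $1 scripts must search httpd_sys_content_t directories`, and list the change in the changelog.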
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te	2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te	2010-01-06 13:06:31.000000000 +0100
@@ -31,7 +31,7 @@
 #
 
 allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
-allow apcupsd_t self:process signal;
+allow apcupsd_t self:process { signal signull };
 allow apcupsd_t self:fifo_file rw_file_perms;
 allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
 allow apcupsd_t self:tcp_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te	2010-01-06 15:41:16.000000000 +0100
@@ -443,6 +443,7 @@
 
 optional_policy(`
 	spamassassin_domtrans_client(postfix_pipe_t)
+    spamassassin_kill_client(postfix_pipe_t)
 ')
 
 optional_policy(`
@@ -573,6 +574,8 @@
 # Postfix smtp delivery local policy
 #
 
+allow postfix_smtp_t self:capability { sys_chroot };
+
 # connect to master process
 stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
 
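Review bot: `allow postfix_smtp_t self:capability { sys_chroot };` grants the smtp delivery domain CAP_SYS_CHROOT without a comment explaining which configuration needs it, and the grant is absent from the commit message. A chroot capability deserves a sentence in the policy because it lets the domain change its own filesystem root; record the trigger, e.g. `# needed when the smtp service is run chrooted (master.cf chroot column) -- confirm`, and add a changelog line for it.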
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/samba.te	2010-01-06 13:55:09.000000000 +0100
@@ -286,6 +286,8 @@
 
 allow smbd_t winbind_t:process { signal signull };
 
+allow smbd_t swat_t:process signal;  
+
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
 kernel_read_network_state(smbd_t)
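Review bot: The added `allow smbd_t swat_t:process signal;  ` ends with two trailing spaces; trim them. The rule sends signals from smbd to swat, the reverse direction of the swat-to-nmbd transition the commit message describes, and the nmbd_t counterpart in the next hunk does the same, so a one-line comment naming the use would help, e.g. `# presumably daemons launched from swat signal their swat parent -- confirm`. Neither reverse-signal rule is mentioned in the changelog.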
@@ -485,6 +487,8 @@
 
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 
+allow nmbd_t swat_t:process signal;
+
 allow nmbd_t smbcontrol_t:process signal;
 
 allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -661,6 +665,7 @@
 allow swat_t self:udp_socket create_socket_perms;
 allow swat_t self:unix_stream_socket connectto;
 
+samba_domtrans_nmbd(swat_t)
 allow swat_t nmbd_t:process { signal signull };
 
 allow swat_t nmbd_exec_t:file mmap_file_perms;
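Review bot: `samba_domtrans_nmbd(swat_t)` calls the samba module's own interface from samba.te; reference policy convention is for a module to use the pattern directly in its own .te rather than going through its .if, i.e. `domtrans_pattern(swat_t, nmbd_exec_t, nmbd_t)`. With the transition in place, the existing `allow swat_t nmbd_exec_t:file mmap_file_perms;` on the following line likely overlaps what the pattern already grants and could be reviewed for redundancy. The swat_t local policy continues outside the hunk.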
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/snmp.te	2010-01-06 15:41:37.000000000 +0100
@@ -27,7 +27,7 @@
 #
 allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
-allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:process { signal signal_perms getsched setsched };
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
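Review bot: Adding `signal` next to `signal_perms` in `allow snmpd_t self:process { signal signal_perms getsched setsched };` is redundant: in reference policy `signal_perms` is defined in obj_perm_sets.spt as `{ sigchld sigkill sigstop signull signal }`, so the previous rule already granted signal. If a denial was observed it was not caused by this rule, so the hunk should be dropped and the "Allow snmbd to send itself signal" changelog entry reconsidered (it also misspells snmpd). Restore the line to `allow snmpd_t self:process { signal_perms getsched setsched };`.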
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if	2010-01-06 15:40:10.000000000 +0100
@@ -267,6 +267,24 @@
 	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
 ')
 
+######################################
+## <summary>
+##  Send kill signal to spamassassin client
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`spamassassin_kill_client',`
+    gen_require(`
+        type spamc_t;
+    ')
+
+    allow $1 spamc_t:process sigkill;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
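Review bot: The banner above the new interface is 38 `#` characters while the file's existing banners, such as the one immediately following, are 40; match the file. The XML summary should state what the interface actually grants, which is only `sigkill` rather than a generic "kill signal", e.g. `##  Send SIGKILL to the spamassassin client (spamc_t) domain.`. The sigkill-only grant is the right least-privilege shape for a pipe-helper caller; keep it rather than widening to signal_perms.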
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.te	2010-01-06 16:09:14.000000000 +0100
@@ -430,6 +430,8 @@
 corenet_tcp_connect_virt_migration_port(virt_domain)
 
 dev_read_sound(virt_domain)
+dev_read_rand(virt_domain)
+dev_read_urand(virt_domain)
 dev_write_sound(virt_domain)
 dev_rw_ksm(virt_domain)
 dev_rw_kvm(virt_domain)
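Review bot: `dev_read_urand(virt_domain)` is added alongside `dev_read_rand(virt_domain)`, but the commit message and changelog only mention /dev/random; document both. The two lines are also inserted between `dev_read_sound` and `dev_write_sound`, splitting that pair, so place them after `dev_write_sound(virt_domain)` or in order with the other dev_ calls. Since the rule applies to the whole virt_domain attribute, every guest domain can now consume the host's blocking entropy pool through /dev/random; a comment recording why guests need /dev/random rather than only /dev/urandom would help later reviewers.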
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2010-01-06 15:08:52.000000000 +0100
@@ -245,6 +245,7 @@
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* --  gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 HOME_DIR/.*/plugins/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
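Review bot: The new pattern `/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)*` uses `.*`, so it labels every shared object in any subdirectory below codecs as textrel_shlib_t, which is broader than the adjacent `/usr/lib(64)?/codecs/drv[1-9c]\.so` rule and than the changelog's "/usr/local/lib/codecs/". textrel_shlib_t exists to permit text relocations (execmod), so each matched library loses the W^X protection; if only the codecs directory itself is intended, narrow it to `/usr/local/lib(64)?/codecs/[^/]*\.so(\.[^/]*)*`. The field separator on the added line is two spaces where the neighbouring entries use a tab; align it.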


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.990
retrieving revision 1.991
diff -u -p -r1.990 -r1.991
--- selinux-policy.spec	4 Jan 2010 21:31:36 -0000	1.990
+++ selinux-policy.spec	6 Jan 2010 16:14:55 -0000	1.991
@@ -20,11 +20,12 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 66%{?dist}
+Release: 67%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
-patch: policy-F12.patch
+patch1: policy-F12.patch
+patch2: policy-20100106.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -193,7 +194,8 @@ Based off of reference policy: Checked o
 
 %prep 
 %setup -n serefpolicy-%{version} -q
-%patch -p1
+%patch1 -p1
+%patch2 -p1
 
 %install
 tar zxvf $RPM_SOURCE_DIR/config.tgz
@@ -449,6 +451,13 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan 6 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-67
+- Allow snmbd to send itself signal
+- Allow virt_domain to read /dev/random
+- Allow apcupsd to send itself signull
+- Allow swat to transition to nmbd
+- Add textrel_shlib_t label for /usr/local/lib/codecs/ 
+
 * Mon Jan 4 2010 Dan Walsh <dwalsh at redhat.com> 3.6.32-66
 - Allow lircd to use tcp_socket and connect/bind to port 8675
 



