Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv9732
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Thu Nov 8 2006 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.3-7
- Fix spec of jre files
policy-20061106.patch:
Rules.modular | 10
policy/flask/access_vectors | 3
policy/global_tunables | 36 ++
policy/mls | 3
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.te | 1
policy/modules/admin/consoletype.te | 8
policy/modules/admin/dmesg.te | 1
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 5
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 33 --
policy/modules/apps/java.fc | 2
policy/modules/kernel/corecommands.if | 17 +
policy/modules/kernel/corenetwork.if.in | 12
policy/modules/kernel/corenetwork.te.in | 17 -
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 3
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 67 ++++
policy/modules/kernel/files.te | 2
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 3
policy/modules/services/aide.if | 56 +++
policy/modules/services/aide.te | 52 +++
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 10
policy/modules/services/automount.te | 1
policy/modules/services/bind.te | 1
policy/modules/services/ccs.fc | 10
policy/modules/services/ccs.if | 83 +++++
policy/modules/services/ccs.te | 89 +++++
policy/modules/services/cron.if | 26 -
policy/modules/services/cron.te | 5
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 4
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/hal.fc | 4
policy/modules/services/hal.te | 8
policy/modules/services/kerberos.te | 1
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.te | 1
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 3
policy/modules/services/oddjob.te | 1
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/procmail.te | 16 +
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 479 ++++++++++++++++++++++++++++++++
policy/modules/services/rsync.te | 1
policy/modules/services/samba.te | 6
policy/modules/services/sasl.te | 2
policy/modules/services/snmp.te | 1
policy/modules/services/spamassassin.te | 4
policy/modules/services/squid.te | 7
policy/modules/services/ssh.te | 2
policy/modules/services/telnet.te | 1
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 2
policy/modules/system/authlogin.te | 1
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 6
policy/modules/system/init.fc | 3
policy/modules/system/init.te | 14
policy/modules/system/iscsi.if | 2
policy/modules/system/libraries.fc | 12
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 1
policy/modules/system/modutils.te | 4
policy/modules/system/mount.te | 19 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.if | 4
policy/modules/system/selinuxutil.te | 13
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 11
policy/modules/system/userdomain.if | 201 +++++++++++++
policy/modules/system/userdomain.te | 10
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 26 +
91 files changed, 1782 insertions(+), 143 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20061106.patch 8 Nov 2006 20:21:53 -0000 1.6
+++ policy-20061106.patch 9 Nov 2006 18:57:53 -0000 1.7
@@ -239,7 +239,7 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/admin/rpm.te
serefpolicy-2.4.3/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-11-06 11:13:22.000000000
-0500
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.te 2006-11-06
16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.te 2006-11-09
08:20:10.000000000 -0500
@@ -9,6 +9,8 @@
type rpm_t;
type rpm_exec_t;
@@ -259,6 +259,38 @@
dev_list_sysfs(rpm_script_t)
# ideally we would not need this
+@@ -368,31 +373,3 @@
+ usermanage_domtrans_useradd(rpm_script_t)
+ ')
+
+-ifdef(`TODO',`
+-optional_policy(`
+-can_exec(rpm_script_t,printconf_t)
+-')
+-
+-optional_policy(`
+-allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
+-allow cupsd_t rpm_var_lib_t:file r_file_perms;
+-allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
+-allow cupsd_t initrc_exec_t:file r_file_perms;
+-domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
+-')
+-
+-optional_policy(`
+-domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
+-')
+-
+-optional_policy(`
+-domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
+-')
+-
+-ifdef(`hide_broken_symptoms', `
+- optional_policy(`
+- domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
+- ')
+-')
+-
+-') dnl end TODO
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/apps/java.fc
serefpolicy-2.4.3/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2006-11-06 11:13:17.000000000
-0500
+++ serefpolicy-2.4.3/policy/modules/apps/java.fc 2006-11-06
16:45:08.000000000 -0500
@@ -1479,7 +1511,7 @@
hostname_exec(pegasus_t)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/procmail.te
serefpolicy-2.4.3/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2006-11-06
11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/procmail.te 2006-11-06
16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/procmail.te 2006-11-09
08:05:56.000000000 -0500
@@ -10,6 +10,7 @@
type procmail_exec_t;
domain_type(procmail_t)
@@ -1724,8 +1756,8 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/ricci.te
serefpolicy-2.4.3/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 1969-12-31
19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.te 2006-11-06
16:45:08.000000000 -0500
-@@ -0,0 +1,477 @@
++++ serefpolicy-2.4.3/policy/modules/services/ricci.te 2006-11-09
10:30:02.000000000 -0500
+@@ -0,0 +1,479 @@
+policy_module(ricci,1.0.0)
+
+########################################
@@ -2108,12 +2140,14 @@
+allow ricci_modstorage_t self:process setsched;
+allow ricci_modstorage_t self:capability { mknod sys_nice };
+allow ricci_modstorage_t self:fifo_file rw_file_perms;
++allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
+
+corecmd_exec_bin(ricci_modstorage_t)
+corecmd_exec_sbin(ricci_modstorage_t)
+
+files_read_etc_files(ricci_modstorage_t)
+files_read_etc_runtime_files(ricci_modstorage_t)
++files_read_usr_files(ricci_modstorage_t)
+
+fstools_domtrans(ricci_modstorage_t)
+
@@ -2135,9 +2169,10 @@
+
+modutils_read_module_deps(ricci_modstorage_t)
+
-+files_read_usr_files(ricci_modstorage_t)
+storage_raw_read_fixed_disk(ricci_modstorage_t)
+
++term_dontaudit_use_console(ricci_modstorage_t)
++
+optional_policy(`
+ ccs_read_config(ricci_modstorage_t)
+')
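Review bot: The added `term_dontaudit_use_console(ricci_modstorage_t)` suppresses the denial record rather than explaining or fixing the access, and the hunk carries no comment saying why console use is expected here. This domain also holds `mknod` and `storage_raw_read_fixed_disk`, so its AVC denials are exactly the records one would want to keep for triage. Other sections of this same patch delete `hide_broken_symptoms` dontaudit blocks (libraries.te, modutils.te, mount.te, selinuxutil.te), so an unconditional dontaudit here runs against that cleanup. If the cause is an inherited descriptor, say so above the line, for example `# console fd is inherited from the parent; deny quietly`. The ricci_modstorage_t rules begin and end outside this hunk.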
@@ -2163,6 +2198,7 @@
+
+corecmd_exec_shell(ricci_modcluster_t)
+init_exec(ricci_modcluster_t)
++init_domtrans_script(ricci_modcluster_t)
+files_search_locks(ricci_modcluster_t)
+
+logging_send_syslog_msg(ricci_modcluster_t)
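Review bot: The added `init_domtrans_script(ricci_modcluster_t)` lets this domain transition into the init script domain, which is a far wider grant than the `init_exec(ricci_modcluster_t)` line just above it, and the hunk gives no reason for it. After this change the confinement of ricci_modcluster_t is presumably only as tight as whatever the init script domain is allowed to do, which under a targeted policy may be very little restriction. If the intent is only to start and stop cluster services, record that next to the rule, for example `# start/stop cluster services through their init scripts`, and check whether a narrower per-service transition would be enough. The rest of the ricci_modcluster_t rules lie outside this hunk, so constraints that are not visible here may apply.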
@@ -2198,8 +2234,6 @@
+ ccs_manage_config(ricci_modcluster_t)
+')
+
-+
-+
+optional_policy(`
+ consoletype_exec(ricci_modcluster_t)
+')
@@ -2528,7 +2562,7 @@
allow iscsid_t $1:process sigchld;
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/libraries.fc
serefpolicy-2.4.3/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-11-06
11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/libraries.fc 2006-11-07
09:28:47.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/libraries.fc 2006-11-09
10:17:47.000000000 -0500
@@ -1,3 +1,4 @@
+
#
@@ -2552,14 +2586,36 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --
gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 --
gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -262,6 +265,7 @@
- /usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(local/)?(.*/)?jre.*/libj9thr23.so --
gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -258,10 +261,9 @@
+ /usr/lib(64)?/vmware/(.*/)?VmPerl\.so --
gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ # Java, Sun Microsystems (JPackage SRPM)
+-/usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/(.*/)?jre.*/.*\.so(\.[^/]*)* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so --
gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* --
gen_context(system_u:object_r:textrel_shlib_t,s0)
+diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/libraries.te
serefpolicy-2.4.3/policy/modules/system/libraries.te
+--- nsaserefpolicy/policy/modules/system/libraries.te 2006-11-06
11:13:21.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/libraries.te 2006-11-09
08:14:35.000000000 -0500
+@@ -81,12 +81,6 @@
+
+ userdom_use_all_users_fds(ldconfig_t)
+
+-ifdef(`hide_broken_symptoms',`
+- optional_policy(`
+- unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+- ')
+-')
+-
+ ifdef(`targeted_policy',`
+ allow ldconfig_t lib_t:file r_file_perms;
+ unconfined_domain(ldconfig_t)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/locallogin.if
serefpolicy-2.4.3/policy/modules/system/locallogin.if
--- nsaserefpolicy/policy/modules/system/locallogin.if 2006-10-16
12:20:18.000000000 -0400
+++ serefpolicy-2.4.3/policy/modules/system/locallogin.if 2006-11-06
16:45:08.000000000 -0500
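Review bot: The new libraries.fc pattern `/usr/(.*/)?jre.*/.*\.so(\.[^/]*)*` labels every shared object beneath any directory whose name starts with `jre` as `textrel_shlib_t`, where the removed lines named four specific libraries. Since `jre.*/` can span further path components, any `.so` dropped anywhere below such a directory gets the text-relocation label, which weakens the execmod protection for every domain that loads it. The `/usr/local/` and `/usr/lib(64)?/` variants look as if the first pattern already matches them. If they exist only to win file-context match ordering against other `/usr/lib` entries, that should be stated. A comment above the three lines would cover both points, for example `# JRE ships many textrel libraries; prefixes repeated for match ordering`. It is also worth confirming with `matchpathcon` on an installed tree that no non-JRE library picks up the label.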
@@ -2615,9 +2671,23 @@
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
+diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/modutils.te
serefpolicy-2.4.3/policy/modules/system/modutils.te
+--- nsaserefpolicy/policy/modules/system/modutils.te 2006-10-19
11:47:40.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/system/modutils.te 2006-11-09
08:15:16.000000000 -0500
+@@ -117,10 +117,6 @@
+ kernel_domtrans_to(insmod_t,insmod_exec_t)
+ }
+
+-ifdef(`hide_broken_symptoms',`
+- dev_dontaudit_rw_cardmgr(insmod_t)
+-')
+-
+ ifdef(`targeted_policy',`
+ unconfined_domain(insmod_t)
+ ')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/mount.te
serefpolicy-2.4.3/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-11-06
11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/mount.te 2006-11-06
16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/mount.te 2006-11-09
08:15:49.000000000 -0500
@@ -9,6 +9,7 @@
type mount_t;
type mount_exec_t;
@@ -2653,6 +2723,21 @@
')
')
+@@ -163,14 +170,6 @@
+ apm_use_fds(mount_t)
+ ')
+
+-optional_policy(`
+- ifdef(`hide_broken_symptoms',`
+- # for a bug in the X server
+- rhgb_dontaudit_rw_stream_sockets(mount_t)
+- term_dontaudit_use_ptmx(mount_t)
+- ')
+-')
+-
+ # for kernel package installation
+ optional_policy(`
+ rpm_rw_pipes(mount_t)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/raid.te
serefpolicy-2.4.3/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2006-11-06
11:13:21.000000000 -0500
+++ serefpolicy-2.4.3/policy/modules/system/raid.te 2006-11-06
16:45:08.000000000 -0500
@@ -2703,7 +2788,7 @@
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/selinuxutil.te
serefpolicy-2.4.3/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-11-06
11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.te 2006-11-06
16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.te 2006-11-09
08:17:07.000000000 -0500
@@ -107,6 +107,11 @@
type semanage_exec_t;
domain_entry_file(semanage_t, semanage_exec_t)
@@ -2724,17 +2809,20 @@
corecmd_list_bin(newrole_t)
corecmd_read_bin_symlinks(newrole_t)
-@@ -413,6 +419,9 @@
- optional_policy(`
- udev_dontaudit_rw_dgram_sockets(restorecon_t)
- ')
-+ optional_policy(`
-+ xserver_use_xdm_fds(restorecon_t)
-+ ')
+@@ -409,12 +415,6 @@
+ fs_relabel_tmpfs_chr_file(restorecon_t)
')
+-ifdef(`hide_broken_symptoms',`
+- optional_policy(`
+- udev_dontaudit_rw_dgram_sockets(restorecon_t)
+- ')
+-')
+-
optional_policy(`
-@@ -449,6 +458,7 @@
+ hotplug_use_fds(restorecon_t)
+ ')
+@@ -449,6 +449,7 @@
auth_relabel_all_files_except_shadow(restorecond_t )
auth_read_all_files_except_shadow(restorecond_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.336
retrieving revision 1.337
diff -u -r1.336 -r1.337
--- selinux-policy.spec 8 Nov 2006 20:21:53 -0000 1.336
+++ selinux-policy.spec 9 Nov 2006 18:57:53 -0000 1.337
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.3
-Release: 6
+Release: 7
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,6 +351,9 @@
%endif
%changelog
+* Thu Nov 8 2006 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.3-7
+- Fix spec of jre files
+
* Wed Nov 8 2006 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.3-6
- Fix unconfined access to shadow file