- Update to upstream

This commit is contained in:
Dan Walsh 2010-10-12 16:47:46 -04:00
parent f0a56ee31d
commit 5a152bc135
4 changed files with 44 additions and 50 deletions

1
.gitignore vendored
View File

@ -226,3 +226,4 @@ serefpolicy*
/serefpolicy-3.9.3.tgz /serefpolicy-3.9.3.tgz
/serefpolicy-3.9.4.tgz /serefpolicy-3.9.4.tgz
/serefpolicy-3.9.5.tgz /serefpolicy-3.9.5.tgz
/serefpolicy-3.9.7.tgz

View File

@ -344,10 +344,10 @@ index a2e9cb5..cec5c56 100644
optional_policy(` optional_policy(`
apache_exec_modules(certwatch_t) apache_exec_modules(certwatch_t)
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index a768511..c07eff8 100644 index 66fee7d..6ddebdb 100644
--- a/policy/modules/admin/consoletype.te --- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te
@@ -82,10 +82,7 @@ optional_policy(` @@ -85,10 +85,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -1447,10 +1447,10 @@ index 3863241..5280124 100644
xserver_dontaudit_write_log(shutdown_t) xserver_dontaudit_write_log(shutdown_t)
') ')
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a0aa8c5..1b60ad8 100644 index 8c5fa3c..1a46f56 100644
--- a/policy/modules/admin/su.if --- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if
@@ -212,7 +212,7 @@ template(`su_role_template',` @@ -210,7 +210,7 @@ template(`su_role_template',`
auth_domtrans_chk_passwd($1_su_t) auth_domtrans_chk_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t) auth_dontaudit_read_shadow($1_su_t)
@ -1459,7 +1459,7 @@ index a0aa8c5..1b60ad8 100644
auth_rw_faillog($1_su_t) auth_rw_faillog($1_su_t)
corecmd_search_bin($1_su_t) corecmd_search_bin($1_su_t)
@@ -236,6 +236,7 @@ template(`su_role_template',` @@ -234,6 +234,7 @@ template(`su_role_template',`
userdom_use_user_terminals($1_su_t) userdom_use_user_terminals($1_su_t)
userdom_search_user_home_dirs($1_su_t) userdom_search_user_home_dirs($1_su_t)
@ -1477,7 +1477,7 @@ index 7bddc02..2b59ed0 100644
+ +
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 5f44f1b..bb95e79 100644 index 975af1a..30a7f38 100644
--- a/policy/modules/admin/sudo.if --- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -32,6 +32,7 @@ template(`sudo_role_template',`
@ -1505,10 +1505,10 @@ index 5f44f1b..bb95e79 100644
+ userdom_domtrans_user_home($1_sudo_t, $3) + userdom_domtrans_user_home($1_sudo_t, $3)
+ userdom_domtrans_user_tmp($1_sudo_t, $3) + userdom_domtrans_user_tmp($1_sudo_t, $3)
allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_file_perms; allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
allow $3 $1_sudo_t:process signal_perms; allow $3 $1_sudo_t:process signal_perms;
@@ -111,12 +117,15 @@ template(`sudo_role_template',` @@ -113,12 +119,15 @@ template(`sudo_role_template',`
term_getattr_pty_fs($1_sudo_t)
term_relabel_all_ttys($1_sudo_t) term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t) term_relabel_all_ptys($1_sudo_t)
+ term_getattr_pty_fs($1_sudo_t) + term_getattr_pty_fs($1_sudo_t)
@ -1523,7 +1523,7 @@ index 5f44f1b..bb95e79 100644
init_rw_utmp($1_sudo_t) init_rw_utmp($1_sudo_t)
logging_send_audit_msgs($1_sudo_t) logging_send_audit_msgs($1_sudo_t)
@@ -133,13 +142,18 @@ template(`sudo_role_template',` @@ -135,13 +144,18 @@ template(`sudo_role_template',`
userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t) userdom_use_user_terminals($1_sudo_t)
@ -1544,7 +1544,7 @@ index 5f44f1b..bb95e79 100644
fs_manage_nfs_files($1_sudo_t) fs_manage_nfs_files($1_sudo_t)
') ')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index c368bdc..c927b85 100644 index 91944a8..d1c11b9 100644
--- a/policy/modules/admin/sudo.te --- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,7 @@ attribute sudodomain; @@ -7,3 +7,7 @@ attribute sudodomain;
@ -1555,14 +1555,6 @@ index c368bdc..c927b85 100644
+type sudo_db_t; +type sudo_db_t;
+files_type(sudo_db_t) +files_type(sudo_db_t)
+ +
diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc
index 81077db..8208e86 100644
--- a/policy/modules/admin/tmpreaper.fc
+++ b/policy/modules/admin/tmpreaper.fc
@@ -1,2 +1,3 @@
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index 6a5004b..c59c3cd 100644 index 6a5004b..c59c3cd 100644
--- a/policy/modules/admin/tmpreaper.te --- a/policy/modules/admin/tmpreaper.te
@ -7636,10 +7628,10 @@ index 3b2da10..7c29e17 100644
+# +#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 8b09281..3fb8756 100644 index 99482ca..8d34173 100644
--- a/policy/modules/kernel/devices.if --- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if
@@ -318,6 +318,24 @@ interface(`dev_dontaudit_getattr_generic_files',` @@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
######################################## ########################################
## <summary> ## <summary>
@ -7664,7 +7656,7 @@ index 8b09281..3fb8756 100644
## Read and write generic files in /dev. ## Read and write generic files in /dev.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -498,6 +516,24 @@ interface(`dev_getattr_generic_chr_files',` @@ -516,6 +534,24 @@ interface(`dev_getattr_generic_chr_files',`
######################################## ########################################
## <summary> ## <summary>
@ -7689,7 +7681,7 @@ index 8b09281..3fb8756 100644
## Dontaudit getattr for generic character device files. ## Dontaudit getattr for generic character device files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -534,6 +570,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',` @@ -552,6 +588,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
######################################## ########################################
## <summary> ## <summary>
@ -7714,7 +7706,7 @@ index 8b09281..3fb8756 100644
## Read and write generic character device files. ## Read and write generic character device files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -552,6 +606,24 @@ interface(`dev_rw_generic_chr_files',` @@ -570,6 +624,24 @@ interface(`dev_rw_generic_chr_files',`
######################################## ########################################
## <summary> ## <summary>
@ -7739,7 +7731,7 @@ index 8b09281..3fb8756 100644
## Dontaudit attempts to read/write generic character device files. ## Dontaudit attempts to read/write generic character device files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -661,6 +733,24 @@ interface(`dev_delete_generic_symlinks',` @@ -679,6 +751,24 @@ interface(`dev_delete_generic_symlinks',`
######################################## ########################################
## <summary> ## <summary>
@ -7764,7 +7756,7 @@ index 8b09281..3fb8756 100644
## Create, delete, read, and write symbolic links in device directories. ## Create, delete, read, and write symbolic links in device directories.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1070,6 +1160,42 @@ interface(`dev_create_all_chr_files',` @@ -1088,6 +1178,42 @@ interface(`dev_create_all_chr_files',`
######################################## ########################################
## <summary> ## <summary>
@ -7807,7 +7799,7 @@ index 8b09281..3fb8756 100644
## Delete all block device files. ## Delete all block device files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1332,6 +1458,24 @@ interface(`dev_getattr_autofs_dev',` @@ -1350,6 +1476,24 @@ interface(`dev_getattr_autofs_dev',`
######################################## ########################################
## <summary> ## <summary>
@ -7832,7 +7824,7 @@ index 8b09281..3fb8756 100644
## Do not audit attempts to get the attributes of ## Do not audit attempts to get the attributes of
## the autofs device node. ## the autofs device node.
## </summary> ## </summary>
@@ -3595,6 +3739,24 @@ interface(`dev_manage_smartcard',` @@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',`
######################################## ########################################
## <summary> ## <summary>
@ -7857,7 +7849,7 @@ index 8b09281..3fb8756 100644
## Get the attributes of sysfs directories. ## Get the attributes of sysfs directories.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3737,6 +3899,24 @@ interface(`dev_rw_sysfs',` @@ -3755,6 +3917,24 @@ interface(`dev_rw_sysfs',`
######################################## ########################################
## <summary> ## <summary>
@ -7882,7 +7874,7 @@ index 8b09281..3fb8756 100644
## Read from pseudo random number generator devices (e.g., /dev/urandom). ## Read from pseudo random number generator devices (e.g., /dev/urandom).
## </summary> ## </summary>
## <desc> ## <desc>
@@ -3906,6 +4086,24 @@ interface(`dev_read_usbmon_dev',` @@ -3924,6 +4104,24 @@ interface(`dev_read_usbmon_dev',`
######################################## ########################################
## <summary> ## <summary>
@ -7907,7 +7899,7 @@ index 8b09281..3fb8756 100644
## Mount a usbfs filesystem. ## Mount a usbfs filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4216,11 +4414,10 @@ interface(`dev_write_video_dev',` @@ -4234,11 +4432,10 @@ interface(`dev_write_video_dev',`
# #
interface(`dev_rw_vhost',` interface(`dev_rw_vhost',`
gen_require(` gen_require(`
@ -7922,7 +7914,7 @@ index 8b09281..3fb8756 100644
######################################## ########################################
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index eb9c360..20c2d34 100644 index 7047f2f..ef76289 100644
--- a/policy/modules/kernel/devices.te --- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te
@@ -102,6 +102,7 @@ dev_node(ksm_device_t) @@ -102,6 +102,7 @@ dev_node(ksm_device_t)
@ -18206,7 +18198,7 @@ index e182bf4..f80e725 100644
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t) snmp_stream_connect(cyrus_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 39e901a..74fa3d6 100644 index 0d5711c..ea74262 100644
--- a/policy/modules/services/dbus.if --- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@ -18328,7 +18320,7 @@ index 39e901a..74fa3d6 100644
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
') ')
') ')
@@ -479,3 +503,22 @@ interface(`dbus_unconfined',` @@ -497,3 +521,22 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined; typeattribute $1 dbusd_unconfined;
') ')
@ -18352,7 +18344,7 @@ index 39e901a..74fa3d6 100644
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) + delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+') +')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index b354128..d9416fc 100644 index 9ce6713..ea78dc1 100644
--- a/policy/modules/services/dbus.te --- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) @@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
@ -38418,7 +38410,7 @@ index 9775375..b338481 100644
# #
# /var # /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 8419a01..5865dba 100644 index df3fa64..73dc579 100644
--- a/policy/modules/system/init.if --- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if +++ b/policy/modules/system/init.if
@@ -105,7 +105,11 @@ interface(`init_domain',` @@ -105,7 +105,11 @@ interface(`init_domain',`
@ -38669,7 +38661,7 @@ index 8419a01..5865dba 100644
') ')
######################################## ########################################
@@ -1356,6 +1447,27 @@ interface(`init_dbus_send_script',` @@ -1374,6 +1465,27 @@ interface(`init_dbus_send_script',`
######################################## ########################################
## <summary> ## <summary>
## Send and receive messages from ## Send and receive messages from
@ -38697,7 +38689,7 @@ index 8419a01..5865dba 100644
## init scripts over dbus. ## init scripts over dbus.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1442,6 +1554,25 @@ interface(`init_getattr_script_status_files',` @@ -1460,6 +1572,25 @@ interface(`init_getattr_script_status_files',`
######################################## ########################################
## <summary> ## <summary>
@ -38723,7 +38715,7 @@ index 8419a01..5865dba 100644
## Do not audit attempts to read init script ## Do not audit attempts to read init script
## status files. ## status files.
## </summary> ## </summary>
@@ -1655,7 +1786,7 @@ interface(`init_dontaudit_rw_utmp',` @@ -1673,7 +1804,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t; type initrc_var_run_t;
') ')
@ -38732,7 +38724,7 @@ index 8419a01..5865dba 100644
') ')
######################################## ########################################
@@ -1730,3 +1861,74 @@ interface(`init_udp_recvfrom_all_daemons',` @@ -1748,3 +1879,74 @@ interface(`init_udp_recvfrom_all_daemons',`
') ')
corenet_udp_recvfrom_labeled($1, daemon) corenet_udp_recvfrom_labeled($1, daemon)
') ')
@ -38808,7 +38800,7 @@ index 8419a01..5865dba 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms; + allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+') +')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 698c11e..63030ba 100644 index 8a105fd..e858520 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(` @@ -16,6 +16,27 @@ gen_require(`
@ -46909,7 +46901,7 @@ index 22ca011..df6b5de 100644
# #
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index b785e35..d9b0868 100644 index effb6c5..a903444 100644
--- a/policy/support/obj_perm_sets.spt --- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt
@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@ -46996,13 +46988,11 @@ index b785e35..d9b0868 100644
define(`create_chr_file_perms',`{ getattr create }') define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }') define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }') define(`delete_chr_file_perms',`{ getattr unlink }')
@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') @@ -306,6 +312,7 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
#
# Use (read and write) terminals # Use (read and write) terminals
# #
-define(`rw_term_perms', `{ getattr open read write ioctl }') define(`rw_term_perms', `{ getattr open read write append ioctl }')
+define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }') +define(`rw_inherited_term_perms', `{ rw_term_perms -open }')
+define(`rw_term_perms', `{ open rw_inherited_term_perms }')
# #
# Sockets # Sockets

View File

@ -20,8 +20,8 @@
%define CHECKPOLICYVER 2.0.21-1 %define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.9.6 Version: 3.9.7
Release: 3%{?dist} Release: 1%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -470,6 +470,9 @@ exit 0
%endif %endif
%changelog %changelog
* Tue Oct 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-1
- Update to upstream
* Tue Oct 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-3 * Tue Oct 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-3
-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access -Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
- dovecot-auth_t needs ipc_lock - dovecot-auth_t needs ipc_lock

View File

@ -1 +1 @@
21e517616738920ab9db791eec691b00 serefpolicy-3.9.6.tgz 04730b4c56ff60274b246bcf4576355c serefpolicy-3.9.7.tgz