rpms/selinux-policy/devel modules-minimum.conf, 1.60, 1.61 modules-mls.conf, 1.72, 1.73 modules-targeted.conf, 1.169, 1.170 policy-F14.patch, 1.25, 1.26 selinux-policy.spec, 1.991, 1.992

Daniel J Walsh dwalsh at fedoraproject.org
Mon Jul 26 20:32:19 UTC 2010


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv25780

Modified Files:
	modules-minimum.conf modules-mls.conf modules-targeted.conf 
	policy-F14.patch selinux-policy.spec 
Log Message:
* Mon Jul 26 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-5
- New permissions for syslog
- New labels for /lib/upstart



Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -p -r1.60 -r1.61
--- modules-minimum.conf	15 Jul 2010 13:08:11 -0000	1.60
+++ modules-minimum.conf	26 Jul 2010 20:32:18 -0000	1.61
@@ -968,6 +968,13 @@ mls = base
 # 
 mock = module
 
+# Layer: services
+# Module: mojomojo
+#
+# Wiki server
+# 
+mojomojo = module
+
 # Layer: system
 # Module: modutils
 #
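Review bot: The log message lists only the syslog permissions and the /lib/upstart labels, but this hunk enables a new `mojomojo` module, and the same stanza is added in modules-mls.conf and modules-targeted.conf. Turning on policy for a wiki server in all three module lists deserves its own changelog line, for example `- Add mojomojo policy`, so the change can be traced later. The description `# Wiki server` could also name the application, e.g. `# MojoMojo wiki server`.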


Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -p -r1.72 -r1.73
--- modules-mls.conf	15 Jul 2010 13:08:11 -0000	1.72
+++ modules-mls.conf	26 Jul 2010 20:32:18 -0000	1.73
@@ -920,6 +920,13 @@ modemmanager = module
 # 
 modutils = base
 
+# Layer: services
+# Module: mojomojo
+#
+# Wiki server
+# 
+mojomojo = module
+
 # Layer: apps
 # Module: mono
 #


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.169
retrieving revision 1.170
diff -u -p -r1.169 -r1.170
--- modules-targeted.conf	15 Jul 2010 13:08:12 -0000	1.169
+++ modules-targeted.conf	26 Jul 2010 20:32:18 -0000	1.170
@@ -968,6 +968,13 @@ mls = base
 # 
 mock = module
 
+# Layer: services
+# Module: mojomojo
+#
+# Wiki server
+# 
+mojomojo = module
+
 # Layer: system
 # Module: modutils
 #

policy-F14.patch:
 Makefile                                  |    2 
 man/man8/git_selinux.8                    |  109 +
 policy/global_tunables                    |   24 
 policy/modules/admin/accountsd.fc         |    4 
 policy/modules/admin/accountsd.if         |  164 ++
 policy/modules/admin/accountsd.te         |   64 +
 policy/modules/admin/anaconda.te          |    4 
 policy/modules/admin/certwatch.te         |    3 
 policy/modules/admin/consoletype.te       |    1 
 policy/modules/admin/dmesg.te             |    6 
 policy/modules/admin/firstboot.te         |    1 
 policy/modules/admin/logrotate.te         |    3 
 policy/modules/admin/logwatch.fc          |    4 
 policy/modules/admin/logwatch.te          |   14 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/ncftool.fc           |    2 
 policy/modules/admin/ncftool.if           |   74 +
 policy/modules/admin/ncftool.te           |   79 +
 policy/modules/admin/netutils.te          |   35 
 policy/modules/admin/prelink.te           |    5 
 policy/modules/admin/readahead.te         |    2 
 policy/modules/admin/rpm.fc               |    4 
 policy/modules/admin/rpm.if               |  111 +
 policy/modules/admin/rpm.te               |   28 
 policy/modules/admin/sectoolm.te          |    1 
 policy/modules/admin/shorewall.if         |   11 
 policy/modules/admin/shorewall.te         |    3 
 policy/modules/admin/shutdown.if          |   70 +
 policy/modules/admin/shutdown.te          |    2 
 policy/modules/admin/su.if                |    3 
 policy/modules/admin/sudo.if              |    6 
 policy/modules/admin/tmpreaper.te         |   13 
 policy/modules/admin/usermanage.if        |    3 
 policy/modules/admin/usermanage.te        |   13 
 policy/modules/admin/vbetool.te           |    3 
 policy/modules/admin/vpn.te               |    1 
 policy/modules/apps/awstats.te            |    1 
 policy/modules/apps/chrome.fc             |    3 
 policy/modules/apps/chrome.if             |   90 +
 policy/modules/apps/chrome.te             |   86 +
 policy/modules/apps/cpufreqselector.te    |    2 
 policy/modules/apps/execmem.fc            |   49 
 policy/modules/apps/execmem.if            |  110 +
 policy/modules/apps/execmem.te            |   10 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |   23 
 policy/modules/apps/firewallgui.te        |   66 +
 policy/modules/apps/gnome.fc              |   24 
 policy/modules/apps/gnome.if              |  438 +++++++
 policy/modules/apps/gnome.te              |  118 +-
 policy/modules/apps/gpg.fc                |    1 
 policy/modules/apps/gpg.if                |   37 
 policy/modules/apps/gpg.te                |   68 +
 policy/modules/apps/irc.fc                |    4 
 policy/modules/apps/irc.if                |   15 
 policy/modules/apps/irc.te                |  104 +
 policy/modules/apps/java.fc               |    4 
 policy/modules/apps/java.if               |    6 
 policy/modules/apps/java.te               |    4 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   68 +
 policy/modules/apps/livecd.if             |   20 
 policy/modules/apps/livecd.te             |    6 
 policy/modules/apps/mono.if               |    9 
 policy/modules/apps/mozilla.fc            |    1 
 policy/modules/apps/mozilla.if            |    8 
 policy/modules/apps/mozilla.te            |    8 
 policy/modules/apps/mplayer.if            |   36 
 policy/modules/apps/mplayer.te            |    8 
 policy/modules/apps/nsplugin.fc           |   10 
 policy/modules/apps/nsplugin.if           |  391 ++++++
 policy/modules/apps/nsplugin.te           |  299 +++++
 policy/modules/apps/openoffice.fc         |    4 
 policy/modules/apps/openoffice.if         |  129 ++
 policy/modules/apps/openoffice.te         |   16 
 policy/modules/apps/podsleuth.te          |    1 
 policy/modules/apps/pulseaudio.if         |    4 
 policy/modules/apps/pulseaudio.te         |   16 
 policy/modules/apps/qemu.if               |   82 +
 policy/modules/apps/qemu.te               |    6 
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   66 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  314 +++++
 policy/modules/apps/sandbox.te            |  390 ++++++
 policy/modules/apps/seunshare.if          |   33 
 policy/modules/apps/seunshare.te          |   35 
 policy/modules/apps/telepathy.fc          |   14 
 policy/modules/apps/telepathy.if          |  188 +++
 policy/modules/apps/telepathy.te          |  309 +++++
 policy/modules/apps/userhelper.fc         |    1 
 policy/modules/apps/userhelper.if         |   56 
 policy/modules/apps/userhelper.te         |   42 
 policy/modules/apps/vmware.te             |    1 
 policy/modules/apps/wine.fc               |    1 
 policy/modules/apps/wine.if               |   13 
 policy/modules/apps/wine.te               |   22 
 policy/modules/apps/wireshark.te          |    3 
 policy/modules/apps/wm.if                 |    4 
 policy/modules/kernel/corecommands.fc     |   35 
 policy/modules/kernel/corecommands.if     |    2 
 policy/modules/kernel/corenetwork.fc      |    3 
 policy/modules/kernel/corenetwork.te.in   |   32 
 policy/modules/kernel/devices.fc          |   10 
 policy/modules/kernel/devices.if          |   95 +
 policy/modules/kernel/devices.te          |    3 
 policy/modules/kernel/domain.if           |   45 
 policy/modules/kernel/domain.te           |  110 +
 policy/modules/kernel/files.fc            |   32 
 policy/modules/kernel/files.if            |  420 +++++++
 policy/modules/kernel/files.te            |   12 
 policy/modules/kernel/filesystem.fc       |    2 
 policy/modules/kernel/filesystem.if       |  158 ++
 policy/modules/kernel/filesystem.te       |   13 
 policy/modules/kernel/kernel.if           |   40 
 policy/modules/kernel/kernel.te           |   18 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    5 
 policy/modules/kernel/storage.if          |    2 
 policy/modules/kernel/terminal.if         |   10 
 policy/modules/roles/auditadm.te          |    3 
 policy/modules/roles/guest.te             |    6 
 policy/modules/roles/secadm.te            |    2 
 policy/modules/roles/staff.te             |  118 ++
 policy/modules/roles/sysadm.te            |  102 +
 policy/modules/roles/unconfineduser.fc    |    8 
 policy/modules/roles/unconfineduser.if    |  667 +++++++++++
 policy/modules/roles/unconfineduser.te    |  448 +++++++
 policy/modules/roles/unprivuser.te        |   27 
 policy/modules/roles/xguest.te            |   83 +
 policy/modules/services/abrt.fc           |    1 
 policy/modules/services/abrt.if           |   45 
 policy/modules/services/abrt.te           |   51 
 policy/modules/services/afs.te            |    4 
 policy/modules/services/aiccu.fc          |    6 
 policy/modules/services/aiccu.if          |  118 ++
 policy/modules/services/aiccu.te          |   72 +
 policy/modules/services/aisexec.te        |    5 
 policy/modules/services/amavis.te         |    3 
 policy/modules/services/apache.fc         |   17 
 policy/modules/services/apache.if         |  222 +++
 policy/modules/services/apache.te         |  253 ++++
 policy/modules/services/apcupsd.te        |    4 
 policy/modules/services/apm.te            |    6 
 policy/modules/services/arpwatch.te       |    2 
 policy/modules/services/asterisk.te       |    6 
 policy/modules/services/automount.te      |    1 
 policy/modules/services/avahi.if          |    1 
 policy/modules/services/avahi.te          |    3 
 policy/modules/services/bind.if           |    7 
 policy/modules/services/bind.te           |    3 
 policy/modules/services/bitlbee.te        |    5 
 policy/modules/services/bluetooth.if      |   26 
 policy/modules/services/boinc.fc          |    6 
 policy/modules/services/boinc.if          |  151 ++
 policy/modules/services/boinc.te          |   96 +
 policy/modules/services/bugzilla.fc       |    4 
 policy/modules/services/bugzilla.if       |   81 +
 policy/modules/services/bugzilla.te       |   56 
 policy/modules/services/cachefilesd.fc    |   29 
 policy/modules/services/cachefilesd.if    |   41 
 policy/modules/services/cachefilesd.te    |  147 ++
 policy/modules/services/canna.te          |    3 
 policy/modules/services/ccs.te            |    5 
 policy/modules/services/certmaster.if     |   19 
 policy/modules/services/certmonger.if     |    4 
 policy/modules/services/certmonger.te     |    2 
 policy/modules/services/cgroup.te         |    7 
 policy/modules/services/chronyd.if        |   80 +
 policy/modules/services/chronyd.te        |    8 
 policy/modules/services/clamav.te         |    6 
 policy/modules/services/cmirrord.fc       |    6 
 policy/modules/services/cmirrord.if       |  118 ++
 policy/modules/services/cmirrord.te       |   56 
 policy/modules/services/cobbler.fc        |   35 
 policy/modules/services/cobbler.if        |  133 +-
 policy/modules/services/cobbler.te        |  156 ++
 policy/modules/services/consolekit.te     |   22 
 policy/modules/services/corosync.fc       |    1 
 policy/modules/services/corosync.te       |   33 
 policy/modules/services/courier.if        |    2 
 policy/modules/services/courier.te        |    1 
 policy/modules/services/cron.fc           |    6 
 policy/modules/services/cron.if           |  125 +-
 policy/modules/services/cron.te           |   98 +
 policy/modules/services/cups.fc           |    6 
 policy/modules/services/cups.if           |    5 
 policy/modules/services/cups.te           |   21 
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/cyphesis.te       |    3 
 policy/modules/services/cyrus.te          |    1 
 policy/modules/services/dbus.if           |   28 
 policy/modules/services/dbus.te           |   24 
 policy/modules/services/dcc.te            |    3 
 policy/modules/services/denyhosts.te      |   10 
 policy/modules/services/devicekit.te      |   14 
 policy/modules/services/dhcp.te           |    5 
 policy/modules/services/djbdns.te         |    2 
 policy/modules/services/dnsmasq.te        |    6 
 policy/modules/services/dovecot.fc        |    2 
 policy/modules/services/dovecot.if        |   16 
 policy/modules/services/dovecot.te        |   15 
 policy/modules/services/exim.fc           |    3 
 policy/modules/services/exim.if           |   61 +
 policy/modules/services/exim.te           |    8 
 policy/modules/services/fail2ban.if       |   20 
 policy/modules/services/fail2ban.te       |    4 
 policy/modules/services/fetchmail.te      |    3 
 policy/modules/services/fprintd.te        |    1 
 policy/modules/services/ftp.fc            |    1 
 policy/modules/services/ftp.te            |   70 +
 policy/modules/services/git.fc            |    9 
 policy/modules/services/git.if            |  526 +++++++++
 policy/modules/services/git.te            |  190 +++
 policy/modules/services/gnomeclock.if     |   21 
 policy/modules/services/gpsd.te           |    4 
 policy/modules/services/hal.if            |   20 
 policy/modules/services/hal.te            |   28 
 policy/modules/services/hddtemp.fc        |    2 
 policy/modules/services/icecast.te        |    6 
 policy/modules/services/inn.te            |    3 
 policy/modules/services/kerberos.fc       |    2 
 policy/modules/services/kerberos.te       |    6 
 policy/modules/services/ksmtuned.fc       |    2 
 policy/modules/services/ksmtuned.if       |    2 
 policy/modules/services/ksmtuned.te       |   13 
 policy/modules/services/ldap.fc           |    5 
 policy/modules/services/ldap.if           |   81 +
 policy/modules/services/ldap.te           |   16 
 policy/modules/services/lircd.te          |    5 
 policy/modules/services/lpd.te            |    5 
 policy/modules/services/memcached.if      |    1 
 policy/modules/services/milter.if         |   20 
 policy/modules/services/mock.fc           |    6 
 policy/modules/services/mock.if           |  238 ++++
 policy/modules/services/mock.te           |   98 +
 policy/modules/services/modemmanager.te   |    8 
 policy/modules/services/mojomojo.fc       |    5 
 policy/modules/services/mojomojo.if       |   43 
 policy/modules/services/mojomojo.te       |   45 
 policy/modules/services/mpd.fc            |   10 
 policy/modules/services/mpd.if            |  274 ++++
 policy/modules/services/mpd.te            |  111 +
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |   39 
 policy/modules/services/mta.te            |   28 
 policy/modules/services/munin.if          |   19 
 policy/modules/services/munin.te          |   24 
 policy/modules/services/mysql.te          |    6 
 policy/modules/services/nagios.if         |   20 
 policy/modules/services/nagios.te         |    8 
 policy/modules/services/networkmanager.fc |    4 
 policy/modules/services/networkmanager.if |   68 +
 policy/modules/services/networkmanager.te |   25 
 policy/modules/services/nis.fc            |    3 
 policy/modules/services/nscd.if           |   20 
 policy/modules/services/nscd.te           |   32 
 policy/modules/services/nslcd.te          |    2 
 policy/modules/services/ntp.te            |    3 
 policy/modules/services/nut.te            |    6 
 policy/modules/services/nx.if             |    1 
 policy/modules/services/nx.te             |    6 
 policy/modules/services/oddjob.fc         |    1 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/oddjob.te         |    5 
 policy/modules/services/oident.te         |    1 
 policy/modules/services/openct.te         |    3 
 policy/modules/services/openvpn.te        |    8 
 policy/modules/services/pegasus.te        |   31 
 policy/modules/services/piranha.fc        |   21 
 policy/modules/services/piranha.if        |  175 +++
 policy/modules/services/piranha.te        |  188 +++
 policy/modules/services/plymouthd.te      |    5 
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   71 +
 policy/modules/services/policykit.te      |   86 +
 policy/modules/services/portreserve.fc    |    3 
 policy/modules/services/portreserve.if    |   55 
 policy/modules/services/portreserve.te    |    7 
 policy/modules/services/postfix.fc        |    3 
 policy/modules/services/postfix.if        |  152 ++
 policy/modules/services/postfix.te        |   56 
 policy/modules/services/postgresql.te     |    3 
 policy/modules/services/postgrey.te       |    3 
 policy/modules/services/ppp.te            |   10 
 policy/modules/services/prelude.te        |    3 
 policy/modules/services/procmail.fc       |    2 
 policy/modules/services/procmail.if       |   20 
 policy/modules/services/procmail.te       |   17 
 policy/modules/services/psad.if           |   22 
 policy/modules/services/psad.te           |    4 
 policy/modules/services/puppet.te         |   13 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/qpidd.fc          |    9 
 policy/modules/services/qpidd.if          |  236 ++++
 policy/modules/services/qpidd.te          |   59 +
 policy/modules/services/radius.te         |    5 
 policy/modules/services/radvd.te          |    3 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   33 
 policy/modules/services/rgmanager.fc      |    2 
 policy/modules/services/rgmanager.if      |   61 +
 policy/modules/services/rgmanager.te      |   20 
 policy/modules/services/rhcs.if           |   85 +
 policy/modules/services/rhcs.te           |   26 
 policy/modules/services/ricci.fc          |    3 
 policy/modules/services/ricci.if          |   63 +
 policy/modules/services/ricci.te          |   13 
 policy/modules/services/rlogin.fc         |    3 
 policy/modules/services/rlogin.te         |    4 
 policy/modules/services/rpc.if            |   21 
 policy/modules/services/rpc.te            |   18 
 policy/modules/services/rpcbind.if        |    2 
 policy/modules/services/rpcbind.te        |    4 
 policy/modules/services/rshd.te           |    1 
 policy/modules/services/rsync.if          |   47 
 policy/modules/services/rsync.te          |   26 
 policy/modules/services/rtkit.if          |   21 
 policy/modules/services/rtkit.te          |    1 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  106 +
 policy/modules/services/samba.te          |   54 
 policy/modules/services/sasl.te           |    6 
 policy/modules/services/sendmail.fc       |    2 
 policy/modules/services/sendmail.if       |   65 +
 policy/modules/services/sendmail.te       |   15 
 policy/modules/services/setroubleshoot.if |   23 
 policy/modules/services/setroubleshoot.te |   19 
 policy/modules/services/smartmon.te       |    2 
 policy/modules/services/smokeping.te      |    2 
 policy/modules/services/snmp.fc           |    2 
 policy/modules/services/snmp.te           |    6 
 policy/modules/services/snort.te          |    2 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |  107 +
 policy/modules/services/spamassassin.te   |  136 ++
 policy/modules/services/ssh.fc            |    9 
 policy/modules/services/ssh.if            |   83 +
 policy/modules/services/ssh.te            |  129 +-
 policy/modules/services/sssd.te           |    4 
 policy/modules/services/stunnel.te        |    3 
 policy/modules/services/sysstat.te        |    5 
 policy/modules/services/telnet.te         |    3 
 policy/modules/services/tftp.if           |   50 
 policy/modules/services/tftp.te           |    4 
 policy/modules/services/tgtd.te           |    4 
 policy/modules/services/tor.te            |    5 
 policy/modules/services/tuned.te          |    5 
 policy/modules/services/ucspitcp.te       |    5 
 policy/modules/services/usbmuxd.fc        |    2 
 policy/modules/services/varnishd.if       |   19 
 policy/modules/services/varnishd.te       |    2 
 policy/modules/services/vhostmd.if        |    4 
 policy/modules/services/vhostmd.te        |    2 
 policy/modules/services/virt.fc           |    7 
 policy/modules/services/virt.if           |   98 +
 policy/modules/services/virt.te           |  211 +++
 policy/modules/services/w3c.te            |    9 
 policy/modules/services/xserver.fc        |   61 -
 policy/modules/services/xserver.if        |  453 +++++++
 policy/modules/services/xserver.te        |  434 ++++++-
 policy/modules/services/zabbix.te         |    3 
 policy/modules/services/zarafa.fc         |   27 
 policy/modules/services/zarafa.if         |  105 +
 policy/modules/services/zarafa.te         |  133 ++
 policy/modules/services/zebra.te          |    3 
 policy/modules/system/application.te      |   16 
 policy/modules/system/authlogin.fc        |    1 
 policy/modules/system/authlogin.if        |   56 
 policy/modules/system/authlogin.te        |   11 
 policy/modules/system/daemontools.if      |   62 +
 policy/modules/system/daemontools.te      |   26 
 policy/modules/system/fstools.fc          |    2 
 policy/modules/system/fstools.te          |   12 
 policy/modules/system/getty.te            |    2 
 policy/modules/system/hostname.te         |    7 
 policy/modules/system/hotplug.te          |    6 
 policy/modules/system/init.fc             |    8 
 policy/modules/system/init.if             |  229 +++
 policy/modules/system/init.te             |  270 ++++
 policy/modules/system/ipsec.fc            |    1 
 policy/modules/system/ipsec.if            |   76 +
 policy/modules/system/ipsec.te            |   53 
 policy/modules/system/iptables.fc         |   11 
 policy/modules/system/iptables.if         |    4 
 policy/modules/system/iptables.te         |   23 
 policy/modules/system/iscsi.if            |   18 
 policy/modules/system/iscsi.te            |    2 
 policy/modules/system/libraries.fc        |  159 ++
 policy/modules/system/libraries.te        |    8 
 policy/modules/system/locallogin.fc       |    1 
 policy/modules/system/locallogin.te       |   41 
 policy/modules/system/logging.fc          |   16 
 policy/modules/system/logging.if          |   43 
 policy/modules/system/logging.te          |   35 
 policy/modules/system/lvm.fc              |    2 
 policy/modules/system/lvm.te              |   22 
 policy/modules/system/miscfiles.fc        |    6 
 policy/modules/system/miscfiles.if        |    3 
 policy/modules/system/modutils.if         |   20 
 policy/modules/system/modutils.te         |   19 
 policy/modules/system/mount.fc            |    8 
 policy/modules/system/mount.if            |  163 ++
 policy/modules/system/mount.te            |  152 ++
 policy/modules/system/raid.te             |    4 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  330 +++++
 policy/modules/system/selinuxutil.te      |  236 +---
 policy/modules/system/setrans.te          |    4 
 policy/modules/system/sosreport.fc        |    2 
 policy/modules/system/sosreport.if        |  131 ++
 policy/modules/system/sosreport.te        |  154 ++
 policy/modules/system/sysnetwork.fc       |    2 
 policy/modules/system/sysnetwork.if       |  190 ++-
 policy/modules/system/sysnetwork.te       |   49 
 policy/modules/system/udev.fc             |    1 
 policy/modules/system/udev.te             |   18 
 policy/modules/system/unconfined.fc       |   14 
 policy/modules/system/unconfined.if       |  440 -------
 policy/modules/system/unconfined.te       |  224 ---
 policy/modules/system/userdomain.fc       |   12 
 policy/modules/system/userdomain.if       | 1734 ++++++++++++++++++++++++------
 policy/modules/system/userdomain.te       |   42 
 policy/modules/system/xen.fc              |    2 
 policy/modules/system/xen.if              |   23 
 policy/modules/system/xen.te              |  101 -
 policy/support/misc_patterns.spt          |    8 
 policy/support/obj_perm_sets.spt          |   38 
 policy/users                              |   15 
 support/Makefile.devel                    |    4 
 435 files changed, 19762 insertions(+), 2095 deletions(-)

Index: policy-F14.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F14.patch,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -p -r1.25 -r1.26
--- policy-F14.patch	22 Jul 2010 16:58:57 -0000	1.25
+++ policy-F14.patch	26 Jul 2010 20:32:18 -0000	1.26
@@ -339,8 +339,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.8.8/policy/modules/admin/accountsd.te
 --- nsaserefpolicy/policy/modules/admin/accountsd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te	2010-07-20 10:46:10.000000000 -0400
-@@ -0,0 +1,62 @@
++++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te	2010-07-26 13:19:45.000000000 -0400
+@@ -0,0 +1,64 @@
 +policy_module(accountsd,1.0.0)
 +
 +########################################
@@ -351,6 +351,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +type accountsd_t;
 +type accountsd_exec_t;
 +dbus_system_domain(accountsd_t, accountsd_exec_t)
++init_daemon_domain(accountsd_t, accountsd_exec_t)
++role system_r types accountsd_t;
 +
 +type accountsd_var_lib_t;
 +files_type(accountsd_var_lib_t)
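Review bot: The added `role system_r types accountsd_t;` looks redundant, because in reference policy both `dbus_system_domain` and `init_daemon_domain` normally carry that role statement; their bodies are not visible here, so please confirm before dropping it. The more significant addition is `init_daemon_domain(accountsd_t, accountsd_exec_t)`, which appears to give the domain a second entry path from init scripts, where it was previously entered only through D-Bus activation. A short comment stating why would help, e.g. `# accountsd is also started at boot, not only by D-Bus activation`. The rest of accountsd.te lies outside this hunk.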
@@ -6230,7 +6232,7 @@ diff --exclude-from=exclude -N -u -r nsa
  		dbus_session_bus_client($1_wm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-06-08 10:35:48.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc	2010-07-20 11:36:00.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc	2010-07-26 07:56:45.000000000 -0400
 @@ -9,8 +9,10 @@
  /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -6252,7 +6254,15 @@ diff --exclude-from=exclude -N -u -r nsa
  /etc/profile.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/xen/qemu-ifup		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -145,6 +150,10 @@
+@@ -126,6 +131,7 @@
+ /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
+ /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
+ ')
++/lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
+ #
+ # /sbin
+@@ -145,6 +151,10 @@
  
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
@@ -6263,7 +6273,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ifdef(`distro_gentoo',`
  /opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
  /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -169,6 +178,7 @@
+@@ -169,6 +179,7 @@
  /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -6271,7 +6281,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +238,8 @@
+@@ -228,6 +239,8 @@
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -6280,7 +6290,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +326,7 @@
+@@ -314,6 +327,7 @@
  /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@@ -6288,7 +6298,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +353,24 @@
+@@ -340,3 +354,24 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -6509,7 +6519,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2010-06-08 10:35:48.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-07-20 11:30:38.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-07-26 14:00:19.000000000 -0400
 @@ -606,6 +606,24 @@
  
  ########################################
@@ -6662,7 +6672,7 @@ diff --exclude-from=exclude -N -u -r nsa
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.8.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/domain.if	2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/domain.if	2010-07-23 08:55:47.000000000 -0400
 @@ -611,7 +611,7 @@
  
  ########################################
@@ -7014,7 +7024,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.if	2010-07-20 13:55:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.if	2010-07-26 13:59:34.000000000 -0400
 @@ -1053,10 +1053,8 @@
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -7265,7 +7275,34 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5522,6 +5687,7 @@
+@@ -5505,6 +5670,26 @@
+ 
+ ########################################
+ ## <summary>
++##	manage all pidfile directories
++##	in the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_pids_dirs',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	manage_dirs_pattern($1,pidfile,pidfile)
++')
++
++
++########################################
++## <summary>
+ ##	Read all process ID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -5522,6 +5707,7 @@
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
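Review bot: The new interface `files_manage_all_pids_dirs` gives the caller create, rename and delete rights on every directory whose type carries the `pidfile` attribute, which is broader than its summary "manage all pidfile directories in the /var/run directory" suggests. The summary should say this plainly, e.g. `##	Create, read, write, and delete all pid directories.`, and note that it is intended only for domains that must manage other daemons' runtime directories. Unlike the neighbouring read interface, which uses `list_dirs_pattern($1, var_t, pidfile)`, it grants no access to the parent directory, so callers presumably need that from elsewhere; confirm this is intended. For style, write `manage_dirs_pattern($1, pidfile, pidfile)` with spaces after the commas and leave a single blank line after the closing `')`.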
@@ -7273,7 +7310,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -5807,3 +5973,229 @@
+@@ -5807,3 +5993,229 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -7537,6 +7574,14 @@ diff --exclude-from=exclude -N -u -r nsa
  files_type(etc_runtime_t)
  #Temporarily in policy until FC5 dissappears
  typealias etc_runtime_t alias firstboot_rw_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc
+--- nsaserefpolicy/policy/modules/kernel/filesystem.fc	2010-06-08 10:35:48.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc	2010-07-26 14:44:11.000000000 -0400
+@@ -1,3 +1,3 @@
+ /dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
+ 
+-/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
++/cgroup(/.*)? 	 	gen_context(system_u:object_r:cgroup_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2010-07-14 11:21:53.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if	2010-07-21 11:43:41.000000000 -0400
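Review bot: The replacement entry `/cgroup(/.*)?` drops the `-d` file-type field, so it now matches every object class at and below /cgroup instead of only the mount-point directory. If the aim is only to cover sub-directories, keeping the field (`/cgroup(/.*)?	-d	gen_context(...)`) would be narrower. Otherwise a one-line comment should say why regular files need `cgroup_t` from file contexts, since objects on the mounted filesystem presumably get their label from the filesystem labelling rules rather than from this file. The new line also carries stray space-tab padding where the entry above it uses tabs only.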
@@ -7941,7 +7986,7 @@ diff --exclude-from=exclude -N -u -r nsa
  # Unlabeled process local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.8.8/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if	2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if	2010-07-26 13:20:35.000000000 -0400
 @@ -40,7 +40,7 @@
  
  	# because of this statement, any module which
@@ -8001,7 +8046,16 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.8.8/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2010-06-04 17:11:28.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc	2010-07-21 10:39:42.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc	2010-07-23 09:57:06.000000000 -0400
+@@ -5,7 +5,7 @@
+ /dev/n?osst[0-3].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
+ /dev/n?pt[0-9]+		-c	gen_context(system_u:object_r:tape_device_t,s0)
+ /dev/n?tpqic[12].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
+-/dev/[shmx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/[shmvx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
 @@ -77,3 +77,6 @@
  /dev/scramdisk/.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  
@@ -10478,13 +10532,8 @@ diff --exclude-from=exclude -N -u -r nsa
  # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.fc	2010-07-22 11:54:47.000000000 -0400
-@@ -20,11 +20,11 @@
- /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
- 
- /usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-+/usr/bin/mojomojo_fastcgi\.pl 	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
- /usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
++++ serefpolicy-3.8.8/policy/modules/services/apache.fc	2010-07-23 06:10:20.000000000 -0400
+@@ -24,7 +24,6 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -10492,7 +10541,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,10 +43,10 @@
+@@ -43,7 +42,6 @@
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
@@ -10500,11 +10549,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/mojomojo/root(/.*)? 		gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/mythweb/mythweb\.pl		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
- /usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-@@ -74,6 +74,7 @@
+@@ -74,6 +72,7 @@
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -10512,7 +10557,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
-@@ -86,7 +87,6 @@
+@@ -86,7 +85,6 @@
  /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
@@ -10520,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +109,17 @@
+@@ -109,3 +107,16 @@
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -10532,7 +10577,6 @@ diff --exclude-from=exclude -N -u -r nsa
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
 +/var/lib/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/mojomojo(/.*)?  		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 +/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -10540,7 +10584,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.if	2010-07-21 11:17:41.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.if	2010-07-23 08:55:49.000000000 -0400
 @@ -13,17 +13,13 @@
  #
  template(`apache_content_template',`
@@ -12025,8 +12069,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.8.8/policy/modules/services/bugzilla.if
 --- nsaserefpolicy/policy/modules/services/bugzilla.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if	2010-07-20 10:46:10.000000000 -0400
-@@ -0,0 +1,39 @@
++++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if	2010-07-23 06:11:39.000000000 -0400
+@@ -0,0 +1,81 @@
 +## <summary>Bugzilla server</summary>
 +
 +########################################
@@ -12066,6 +12110,48 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 +	dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
 +')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an bugzilla environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the bugzilla domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`bugzilla_admin',`
++	gen_require(`
++		type httpd_bugzilla_script_t;
++		type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
++		type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t;
++		type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t;
++	')
++
++	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
++	ps_process_pattern($1, httpd_bugzilla_script_t)
++
++	files_list_tmps($1)
++	admin_pattern($1, httpd_bugzilla_tmp_t)
++
++	files_search_var_lib(httpd_bugzilla_script_t)
++
++	apache_search_sys_content($1)
++	admin_pattern($1, httpd_bugzilla_script_exec_t)
++	admin_pattern($1, httpd_bugzilla_script_t)
++	admin_pattern($1, httpd_bugzilla_content_t)
++	admin_pattern($1, httpd_bugzilla_htaccess_t)
++	admin_pattern($1, httpd_bugzilla_rw_content_t)
++	admin_pattern($1, httpd_bugzilla_ra_content_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.te serefpolicy-3.8.8/policy/modules/services/bugzilla.te
 --- nsaserefpolicy/policy/modules/services/bugzilla.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/policy/modules/services/bugzilla.te	2010-07-20 10:46:10.000000000 -0400
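Review bot: In `bugzilla_admin`, `files_search_var_lib(httpd_bugzilla_script_t)` gives the permission to the script domain instead of the caller, so each use of this admin interface adds a rule for the web script while the administrator domain gets no /var/lib search; it should read `files_search_var_lib($1)`. The call `files_list_tmps($1)` differs from the `files_list_tmp($1)` in the otherwise identical `mojomojo_admin` later in this patch and from `files_list_tmp(cobblerd_t)` in cobbler.te, so one spelling is presumably a typo. The documented `role` parameter is never referenced in the body (there is no `$2`), so either the `<param name="role">` block should go or the role handling is missing. `mojomojo_admin` has the same `files_search_var_lib` target and the same unused `role` parameter.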
@@ -13130,7 +13216,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.8/policy/modules/services/cobbler.te
 --- nsaserefpolicy/policy/modules/services/cobbler.te	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cobbler.te	2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cobbler.te	2010-07-22 16:37:05.000000000 -0400
 @@ -1,3 +1,4 @@
 +
  policy_module(cobbler, 1.1.0)
@@ -13225,7 +13311,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
  create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,39 +92,92 @@
+@@ -52,39 +92,93 @@
  setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
  logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
  
@@ -13268,6 +13354,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +files_read_etc_runtime_files(cobblerd_t)
  files_read_usr_files(cobblerd_t)
  files_list_boot(cobblerd_t)
++files_read_boot_files(cobblerd_t)
  files_list_tmp(cobblerd_t)
 -# read /etc/nsswitch.conf
 -files_read_etc_files(cobblerd_t)
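Review bot: `files_read_boot_files(cobblerd_t)` is added without a comment, and it widens `cobblerd_t` from listing /boot to reading the files labelled as boot content. A why-comment above it, e.g. `# read kernel and initrd images from /boot` (to be confirmed against the denial that motivated the rule), would let a later reviewer judge whether the access is still needed. The surrounding rule block starts and ends outside this hunk.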
@@ -13322,7 +13409,7 @@ diff --exclude-from=exclude -N -u -r nsa
  optional_policy(`
  	bind_read_config(cobblerd_t)
  	bind_write_config(cobblerd_t)
-@@ -95,6 +188,10 @@
+@@ -95,6 +189,10 @@
  ')
  
  optional_policy(`
@@ -13333,7 +13420,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	dhcpd_domtrans(cobblerd_t)
  	dhcpd_initrc_domtrans(cobblerd_t)
  ')
-@@ -110,12 +207,20 @@
+@@ -110,12 +208,20 @@
  ')
  
  optional_policy(`
@@ -13357,7 +13444,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -123,6 +228,18 @@
+@@ -123,6 +229,18 @@
  # Cobbler web local policy.
  #
  
@@ -13594,7 +13681,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.8.8/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.if	2010-07-21 08:55:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.if	2010-07-23 08:29:53.000000000 -0400
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -13637,7 +13724,29 @@ diff --exclude-from=exclude -N -u -r nsa
  
  	tunable_policy(`fcron_crond',`
  		# fcron wants an instant update of a crontab change for the administrator
-@@ -154,27 +164,14 @@
+@@ -106,6 +116,8 @@
+ interface(`cron_role',`
+ 	gen_require(`
+ 		type cronjob_t, crontab_t, crontab_exec_t;
++		type user_cron_spool_t;
++		type crond_t;
+ 	')
+ 
+ 	role $1 types { cronjob_t crontab_t };
+@@ -116,6 +128,12 @@
+ 	# Transition from the user domain to the derived domain.
+ 	domtrans_pattern($2, crontab_exec_t, crontab_t)
+ 
++	allow crond_t $2:process transition;
++	allow $2 crond_t:process sigchld;
++
++	# needs to be authorized SELinux context for cron
++	allow $2 user_cron_spool_t:file entrypoint;
++
+ 	# crontab shows up in user ps
+ 	ps_process_pattern($2, crontab_t)
+ 	allow $2 crontab_t:process signal;
+@@ -154,27 +172,14 @@
  #
  interface(`cron_unconfined_role',`
  	gen_require(`
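Review bot: The three rules added to `cron_role` let `crond_t` transition directly into the caller's user domain and make `user_cron_spool_t` files an entrypoint for it, and they apply unconditionally to every role that calls the interface. Because the crontab spool file is user-supplied content, this is worth gating the way the file already gates other behaviour with `tunable_policy(...)`, or at least explaining. The existing comment `# needs to be authorized SELinux context for cron` is hard to parse; `# crond checks entrypoint on the user's crontab file before running jobs in the user's context` would say what the rule is for, if that is the intent. `cron_role` continues past the lines shown in this hunk.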
@@ -13667,7 +13776,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	optional_policy(`
  		gen_require(`
  			class dbus send_msg;
-@@ -408,7 +405,43 @@
+@@ -408,7 +413,43 @@
  		type crond_t;
  	')
  
@@ -13712,7 +13821,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -554,7 +587,7 @@
+@@ -554,7 +595,7 @@
  		type system_cronjob_t;
  	')
  
@@ -13721,7 +13830,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -587,11 +620,14 @@
+@@ -587,11 +628,14 @@
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -13737,7 +13846,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -627,7 +663,48 @@
+@@ -627,7 +671,48 @@
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -15958,6 +16067,18 @@ diff --exclude-from=exclude -N -u -r nsa
  
  mta_send_mail(innd_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.8.8/policy/modules/services/kerberos.fc
+--- nsaserefpolicy/policy/modules/services/kerberos.fc	2009-07-23 14:11:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/kerberos.fc	2010-07-23 06:51:35.000000000 -0400
+@@ -8,7 +8,7 @@
+ /etc/krb5kdc/kadm5\.keytab 	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
+ /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+ 
+-/etc/rc\.d/init\.d/kadmind	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/kadmin 	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.8/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2010-06-18 13:07:19.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/kerberos.te	2010-07-20 10:46:10.000000000 -0400
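Review bot: The init-script entry is renamed from `kadmind` to `kadmin` rather than widened, so a script still installed under the old name would no longer match `kerberos_initrc_exec_t`. If any supported release ships the old name, `/etc/rc\.d/init\.d/kadmind?` covers both spellings. The same applies to the nis.fc hunk further down, where `yppasswd` becomes `yppasswdd` (`yppasswdd?` would keep both). The new kerberos line also has a stray space before the tab separator.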
@@ -16702,6 +16823,111 @@ diff --exclude-from=exclude -N -u -r nsa
 +optional_policy(`
  	udev_read_db(modemmanager_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.fc serefpolicy-3.8.8/policy/modules/services/mojomojo.fc
+--- nsaserefpolicy/policy/modules/services/mojomojo.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.fc	2010-07-23 06:06:40.000000000 -0400
+@@ -0,0 +1,5 @@
++/usr/bin/mojomojo_fastcgi\.pl	--	gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
++
++/usr/share/mojomojo/root(/.*)? 		gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
++
++/var/lib/mojomojo(/.*)?  		gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.if serefpolicy-3.8.8/policy/modules/services/mojomojo.if
+--- nsaserefpolicy/policy/modules/services/mojomojo.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.if	2010-07-23 06:39:20.000000000 -0400
+@@ -0,0 +1,43 @@
++## <summary>Mojomojo server</summary>
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an mojomojo environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the mojomojo domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`mojomojo_admin',`
++	gen_require(`
++		type httpd_mojomojo_script_t;
++		type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
++		type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t;
++		type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
++	')
++
++	allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
++	ps_process_pattern($1, httpd_mojomojo_script_t)
++
++	files_list_tmp($1)
++	admin_pattern($1, httpd_mojomojo_tmp_t)
++
++	files_search_var_lib(httpd_mojomojo_script_t)
++
++	apache_search_sys_content($1)
++	admin_pattern($1, httpd_mojomojo_script_exec_t)
++	admin_pattern($1, httpd_mojomojo_script_t)
++	admin_pattern($1, httpd_mojomojo_content_t)
++	admin_pattern($1, httpd_mojomojo_htaccess_t)
++	admin_pattern($1, httpd_mojomojo_rw_content_t)
++	admin_pattern($1, httpd_mojomojo_ra_content_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.te serefpolicy-3.8.8/policy/modules/services/mojomojo.te
+--- nsaserefpolicy/policy/modules/services/mojomojo.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.te	2010-07-23 06:08:31.000000000 -0400
+@@ -0,0 +1,45 @@
++policy_module(mojomojo, 1.0)
++
++########################################
++#
++# Declarations
++#
++
++apache_content_template(mojomojo)
++
++type httpd_mojomojo_tmp_t;
++files_tmp_file(httpd_mojomojo_tmp_t)
++
++########################################
++#
++# mojomojo local policy
++#
++
++allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
++
++manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
++manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
++files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
++
++corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
++corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
++
++corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
++corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
++
++corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
++corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
++
++files_search_var_lib(httpd_mojomojo_script_t)
++
++mta_send_mail(httpd_mojomojo_script_t)
++
++sysnet_dns_name_resolve(httpd_mojomojo_script_t)
++
++optional_policy(`
++	mysql_stream_connect(httpd_mojomojo_script_t)
++')
++
++optional_policy(`
++	postgresql_stream_connect(httpd_mojomojo_script_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.8.8/policy/modules/services/mpd.fc
 --- nsaserefpolicy/policy/modules/services/mpd.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/policy/modules/services/mpd.fc	2010-07-20 10:46:10.000000000 -0400
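Review bot: In the new mojomojo.te, `httpd_mojomojo_script_t` gets unconditional TCP connect to the postgresql, mysqld and smtp ports plus `mta_send_mail`, so the wiki script domain can reach both database services and send mail on every install regardless of which backend is configured. Consider wrapping each group in a `tunable_policy` block, or documenting above the `corenet_*` lines which deployments need them. `files_search_var_lib(httpd_mojomojo_script_t)` belongs here in the .te file, which makes the identical line inside `mojomojo_admin` in mojomojo.if look like a copy of the wrong target. `policy_module(mojomojo, 1.0)` uses a two-part version where `policy_module(cobbler, 1.1.0)` elsewhere in this patch uses three parts.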
@@ -17749,7 +17975,14 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.8.8/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nis.fc	2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nis.fc	2010-07-23 09:52:27.000000000 -0400
+@@ -1,5 +1,5 @@
+ /etc/rc\.d/init\.d/ypbind	--	gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/yppasswd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/yppasswdd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/ypserv	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/ypxfrd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+ /etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
 @@ -11,6 +11,7 @@
  
  /usr/sbin/rpc\.yppasswdd --	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
@@ -22976,6 +23209,18 @@ diff --exclude-from=exclude -N -u -r nsa
  #######################################
  ## <summary>
  ##	Read varnish logs.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.8.8/policy/modules/services/varnishd.te
+--- nsaserefpolicy/policy/modules/services/varnishd.te	2010-06-18 13:07:19.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/varnishd.te	2010-07-26 07:45:50.000000000 -0400
+@@ -50,7 +50,7 @@
+ # varnishd local policy
+ #
+ 
+-allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+ allow varnishd_t self:process signal;
+ allow varnishd_t self:fifo_file rw_fifo_file_perms;
+ allow varnishd_t self:tcp_socket create_stream_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.8/policy/modules/services/vhostmd.if
 --- nsaserefpolicy/policy/modules/services/vhostmd.if	2010-03-29 15:04:22.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if	2010-07-21 11:07:39.000000000 -0400
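Review bot: `kill` is added to the `varnishd_t` capability set with no comment saying which operation needed it. With only `self:process signal` visible in this hunk, the capability would let the daemon signal `varnishd_t` processes running under a different uid, presumably the parent signalling its worker after the setuid/setgid drop. A comment such as `# parent signals the worker running under another uid` (confirm against the AVC denial) would record that. The local policy section continues outside the hunk.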
@@ -26448,7 +26693,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-07-22 12:34:15.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-07-26 14:00:27.000000000 -0400
 @@ -16,6 +16,27 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -26560,7 +26805,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,61 @@
+@@ -185,15 +216,64 @@
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -26580,10 +26825,10 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 +	dev_write_kmsg(init_t)
 +	dev_rw_autofs(init_t)
-+	dev_rw_generic_chr_files(init_t)
-+	dev_create_generic_dirs(init_t)
++	dev_manage_generic_dirs(init_t)
 +
 +	files_mounton_all_mountpoints(init_t)
++	files_manage_all_pids_dirs(init_t)
 +
 +	fs_manage_cgroup_dirs(init_t)
 +	fs_manage_tmpfs_dirs(init_t)
@@ -26593,8 +26838,11 @@ diff --exclude-from=exclude -N -u -r nsa
 +	fs_write_cgroup_files(init_t)
 +
 +	selinux_compute_create_context(init_t)
++	selinux_validate_context(init_t)
 +
 +	init_read_script_state(init_t)
++
++	seutil_read_file_contexts(init_t)
 +')
 +
  optional_policy(`
@@ -26622,7 +26870,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	nscd_socket_use(init_t)
  ')
  
-@@ -211,7 +288,7 @@
+@@ -211,7 +291,7 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -26631,7 +26879,7 @@ diff --exclude-from=exclude -N -u -r nsa
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -240,6 +317,7 @@
+@@ -240,6 +320,7 @@
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -26639,7 +26887,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +335,22 @@
+@@ -257,11 +338,22 @@
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -26662,7 +26910,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -297,11 +386,13 @@
+@@ -297,11 +389,13 @@
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -26676,7 +26924,7 @@ diff --exclude-from=exclude -N -u -r nsa
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -320,8 +411,10 @@
+@@ -320,8 +414,10 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -26688,7 +26936,7 @@ diff --exclude-from=exclude -N -u -r nsa
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -337,6 +430,8 @@
+@@ -337,6 +433,8 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -26697,7 +26945,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  fs_delete_cgroup_dirs(initrc_t)
  fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +445,8 @@
+@@ -350,6 +448,8 @@
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -26706,7 +26954,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -362,6 +459,7 @@
+@@ -362,6 +462,7 @@
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -26714,7 +26962,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -393,13 +491,14 @@
+@@ -393,13 +494,14 @@
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -26730,7 +26978,7 @@ diff --exclude-from=exclude -N -u -r nsa
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +571,7 @@
+@@ -472,7 +574,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -26739,7 +26987,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -518,6 +617,19 @@
+@@ -518,6 +620,19 @@
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -26759,7 +27007,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	')
  
  	optional_policy(`
-@@ -525,10 +637,17 @@
+@@ -525,10 +640,17 @@
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -26777,7 +27025,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	')
  
  	optional_policy(`
-@@ -543,6 +662,35 @@
+@@ -543,6 +665,35 @@
  	')
  ')
  
@@ -26813,7 +27061,7 @@ diff --exclude-from=exclude -N -u -r nsa
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +703,8 @@
+@@ -555,6 +706,8 @@
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -26822,7 +27070,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -571,6 +721,7 @@
+@@ -571,6 +724,7 @@
  
  optional_policy(`
  	cgroup_stream_connect(initrc_t)
@@ -26830,7 +27078,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -583,6 +734,11 @@
+@@ -583,6 +737,11 @@
  ')
  
  optional_policy(`
@@ -26842,7 +27090,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -599,6 +755,7 @@
+@@ -599,6 +758,7 @@
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -26850,7 +27098,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -700,7 +857,12 @@
+@@ -700,7 +860,12 @@
  ')
  
  optional_policy(`
@@ -26863,7 +27111,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -723,6 +885,10 @@
+@@ -723,6 +888,10 @@
  ')
  
  optional_policy(`
@@ -26874,7 +27122,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -765,8 +931,6 @@
+@@ -765,8 +934,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -26883,7 +27131,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -779,10 +943,12 @@
+@@ -779,10 +946,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -26896,7 +27144,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +970,19 @@
+@@ -804,11 +973,19 @@
  ')
  
  optional_policy(`
@@ -26917,7 +27165,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +992,25 @@
+@@ -818,6 +995,25 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -26943,7 +27191,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -843,3 +1036,55 @@
+@@ -843,3 +1039,55 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -27900,7 +28148,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	domain_system_change_exemption($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/logging.te	2010-07-20 10:46:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/logging.te	2010-07-26 07:54:12.000000000 -0400
 @@ -60,6 +60,7 @@
  type syslogd_t;
  type syslogd_exec_t;
@@ -27971,7 +28219,11 @@ diff --exclude-from=exclude -N -u -r nsa
  sysnet_dns_name_resolve(audisp_remote_t)
  
  ########################################
-@@ -372,6 +394,11 @@
+@@ -369,9 +391,15 @@
+ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
+ 
++manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
  manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
  files_search_var_lib(syslogd_t)
  
@@ -27983,7 +28235,7 @@ diff --exclude-from=exclude -N -u -r nsa
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,6 +439,7 @@
+@@ -412,6 +440,7 @@
  
  dev_filetrans(syslogd_t, devlog_t, sock_file)
  dev_read_sysfs(syslogd_t)
@@ -27991,7 +28243,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  domain_use_interactive_fds(syslogd_t)
  
-@@ -488,6 +516,10 @@
+@@ -488,6 +517,10 @@
  ')
  
  optional_policy(`
@@ -28480,7 +28732,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.8/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.te	2010-07-20 10:46:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/mount.te	2010-07-22 16:44:21.000000000 -0400
 @@ -17,8 +17,15 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
@@ -28521,7 +28773,7 @@ diff --exclude-from=exclude -N -u -r nsa
  # setuid/setgid needed to mount cifs 
 -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 +allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
-+allow mount_t self:process { getcap getsched ptrace setcap signal };
++allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
 +allow mount_t self:fifo_file rw_fifo_file_perms;
 +allow mount_t self:unix_stream_socket create_stream_socket_perms;
 +allow mount_t self:unix_dgram_socket create_socket_perms; 
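Review bot: The `setrlimit` permission added to `allow mount_t self:process { ... }` carries no justification. Combined with `sys_resource` already present on the capability line above it, it lets mount_t raise its own hard resource limits rather than only lower them. The block already documents other grants (`# setuid/setgid needed to mount cifs`), so a parallel line such as `# setrlimit needed by <mount helper> for <reason>` would make the grant reviewable. If only one mount helper needs it, scoping the permission to that helper's domain or to an optional block would be tighter than granting it to all of mount_t, though the rest of mount.te is outside this hunk and may already constrain this.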
@@ -28830,7 +29082,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.8.8/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if	2010-07-20 10:46:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if	2010-07-26 13:21:09.000000000 -0400
 @@ -361,6 +361,27 @@
  
  ########################################


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.991
retrieving revision 1.992
diff -u -p -r1.991 -r1.992
--- selinux-policy.spec	22 Jul 2010 16:58:58 -0000	1.991
+++ selinux-policy.spec	26 Jul 2010 20:32:18 -0000	1.992
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 3%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,13 @@ exit 0
 %endif
 
 %changelog
+* Mon Jul 26 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-5
+- New permissions for syslog
+- New labels for /lib/upstart
+
+* Fri Jul 23 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-4
+- Add mojomojo policy
+
 * Thu Jul 22 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-3
 - Allow systemd to setsockcon on sockets to immitate other services
 


