[selinux-policy: 1234/3172] patch from dan Sun, 19 Feb 2006 08:16:18 -0500
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:51:49 UTC 2010
commit 46c69cb27ac3b001be4b3a55512847aee3f8795c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Feb 20 16:31:54 2006 +0000
patch from dan Sun, 19 Feb 2006 08:16:18 -0500
refpolicy/policy/global_tunables | 14 ++++++++
refpolicy/policy/modules/admin/amanda.if | 37 +++++++++++++++++++++
refpolicy/policy/modules/admin/amanda.te | 4 +-
refpolicy/policy/modules/admin/vpn.te | 4 ++-
refpolicy/policy/modules/apps/java.fc | 1 +
refpolicy/policy/modules/apps/java.if | 28 ++++++++++++++++
refpolicy/policy/modules/apps/java.te | 16 ++++++++-
refpolicy/policy/modules/kernel/corenetwork.te.in | 3 +-
refpolicy/policy/modules/kernel/devices.if | 19 +++++++++++
refpolicy/policy/modules/kernel/devices.te | 2 +-
refpolicy/policy/modules/services/automount.te | 4 +-
refpolicy/policy/modules/services/avahi.te | 3 +-
refpolicy/policy/modules/services/fetchmail.te | 3 +-
refpolicy/policy/modules/services/hal.te | 4 +-
refpolicy/policy/modules/services/ktalk.fc | 1 +
refpolicy/policy/modules/services/ktalk.te | 2 +-
refpolicy/policy/modules/services/spamassassin.te | 10 ++++--
refpolicy/policy/modules/services/xserver.fc | 1 +
refpolicy/policy/modules/services/xserver.if | 10 +++++-
refpolicy/policy/modules/services/xserver.te | 2 +-
refpolicy/policy/modules/services/zebra.te | 3 +-
refpolicy/policy/modules/system/fstools.te | 9 ++++-
refpolicy/policy/modules/system/init.te | 5 ++-
refpolicy/policy/modules/system/libraries.fc | 2 +-
refpolicy/policy/modules/system/libraries.te | 2 +-
refpolicy/policy/modules/system/lvm.te | 3 +-
refpolicy/policy/modules/system/modutils.if | 2 +-
refpolicy/policy/modules/system/modutils.te | 2 +-
refpolicy/policy/modules/system/unconfined.te | 10 +++++-
29 files changed, 178 insertions(+), 28 deletions(-)
---
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index b96f390..1d556fb 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -469,3 +469,17 @@ gen_tunable(write_untrusted_content,false)
## </desc>
gen_tunable(xdm_sysadm_login,false)
')
+
+########################################
+#
+# Targeted policy specific
+#
+
+ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow spammd to read/write user home directories.
+## </p>
+## </desc>
+gen_tunable(spamd_enable_home_dirs,true)
+')
diff --git a/refpolicy/policy/modules/admin/amanda.if b/refpolicy/policy/modules/admin/amanda.if
index 0b9281f..f7b1645 100644
--- a/refpolicy/policy/modules/admin/amanda.if
+++ b/refpolicy/policy/modules/admin/amanda.if
@@ -90,3 +90,40 @@ interface(`amanda_dontaudit_read_dumpdates',`
dontaudit $1 amanda_dumpdates_t:file { getattr read };
')
+
+########################################
+## <summary>
+## Allow read/writing /etc/dumpdates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow
+## </summary>
+## </param>
+#
+interface(`amanda_rw_dumpdates_files',`
+ gen_require(`
+ type amanda_dumpdates_t;
+ ')
+
+ allow $1 amanda_dumpdates_t:file rw_file_perms;
+')
+########################################
+## <summary>
+## Allow read/writing amanda logs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow
+## </summary>
+## </param>
+#
+interface(`amanda_append_log_files',`
+ gen_require(`
+ type amanda_log_t;
+ ')
+
+ allow $1 amanda_log_t:file ra_file_perms;
+')
+
+
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index b4e07e0..df244b7 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.2.0)
+policy_module(amanda,1.2.1)
#######################################
#
@@ -86,7 +86,7 @@ optional_policy(`prelink',`
# Amanda local policy
#
-allow amanda_t self:capability { chown dac_override setuid };
+allow amanda_t self:capability { chown dac_override setuid kill };
allow amanda_t self:process { setpgid signal };
allow amanda_t self:fifo_file { getattr read write ioctl lock };
allow amanda_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index 3e59ad2..60e0330 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
-policy_module(vpnc,1.1.0)
+policy_module(vpnc,1.1.1)
########################################
#
@@ -11,6 +11,7 @@ domain_type(vpnc_t)
type vpnc_exec_t;
domain_entry_file(vpnc_t,vpnc_exec_t)
+role system_r types vpnc_t;
type vpnc_tmp_t;
files_tmp_file(vpnc_tmp_t)
@@ -69,6 +70,7 @@ dev_read_urand(vpnc_t)
dev_read_sysfs(vpnc_t)
fs_getattr_xattr_fs(vpnc_t)
+fs_getattr_tmpfs(vpnc_t)
term_use_all_user_ptys(vpnc_t)
term_use_all_user_ttys(vpnc_t)
diff --git a/refpolicy/policy/modules/apps/java.fc b/refpolicy/policy/modules/apps/java.fc
index 782c8ab..9375e71 100644
--- a/refpolicy/policy/modules/apps/java.fc
+++ b/refpolicy/policy/modules/apps/java.fc
@@ -2,4 +2,5 @@
# /usr
#
/usr(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index f82d416..930d7a6 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -178,3 +178,31 @@ template(`java_per_userdomain_template',`
xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
')
+
+########################################
+## <summary>
+## Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_domtrans',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ type java_t, java_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1, java_exec_t, java_t)
+
+ allow $1 java_t:fd use;
+ allow java_t $1:fd use;
+ allow java_t $1:fifo_file rw_file_perms;
+ allow java_t $1:process sigchld;
+ ',`
+ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+ ')
+')
diff --git a/refpolicy/policy/modules/apps/java.te b/refpolicy/policy/modules/apps/java.te
index d7ffdc2..caea9aa 100644
--- a/refpolicy/policy/modules/apps/java.te
+++ b/refpolicy/policy/modules/apps/java.te
@@ -1,10 +1,24 @@
-policy_module(java,1.0.0)
+policy_module(java,1.0.1)
########################################
#
# Declarations
#
+type java_t;
+domain_type(java_t)
+
type java_exec_t;
files_type(java_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+ allow java_t self:process { execstack execmem };
+ unconfined_domain_noaudit(java_t)
+ role system_r types java_t;
+')
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index e0ef744..e846d39 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.0.3)
+policy_module(corenetwork,1.0.4)
########################################
#
@@ -106,6 +106,7 @@ network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(razor, tcp,2703,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
+network_port(router, udp,520,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 917c544..d037910 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -206,6 +206,25 @@ interface(`dev_delete_generic_files',`
########################################
## <summary>
+## Create a file in the device directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to create the files.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir rw_dir_perms;
+ allow $1 device_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
## Dontaudit getattr on generic pipes.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 0827543..b1a555b 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.0.2)
+policy_module(devices,1.0.3)
########################################
#
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index 3037e1f..ecc8e84 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.1.2)
+policy_module(automount,1.1.3)
########################################
#
@@ -92,7 +92,7 @@ domain_use_wide_inherit_fd(automount_t)
files_dontaudit_write_var_dirs(automount_t)
files_search_var_lib(automount_t)
-files_search_mnt(automount_t)
+files_list_mnt(automount_t)
files_getattr_home_dir(automount_t)
files_read_etc_files(automount_t)
files_read_etc_runtime_files(automount_t)
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index 477d7ee..7065f36 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi,1.1.0)
+policy_module(avahi,1.1.1)
########################################
#
@@ -63,6 +63,7 @@ term_dontaudit_use_console(avahi_t)
domain_use_wide_inherit_fd(avahi_t)
files_read_etc_files(avahi_t)
+files_read_etc_runtime_files(avahi_t)
init_use_fd(avahi_t)
init_use_script_ptys(avahi_t)
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index 4ab327c..bd72615 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail,1.0.2)
+policy_module(fetchmail,1.0.3)
########################################
#
@@ -67,6 +67,7 @@ dev_read_urand(fetchmail_t)
files_read_etc_files(fetchmail_t)
files_read_etc_runtime_files(fetchmail_t)
+files_dontaudit_search_home(fetchmail_t)
fs_getattr_all_fs(fetchmail_t)
fs_search_auto_mountpoints(fetchmail_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 59f8012..a060299 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.2.5)
+policy_module(hal,1.2.6)
########################################
#
@@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
#
# execute openvt which needs setuid
-allow hald_t self:capability { setuid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
+allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:process signal_perms;
allow hald_t self:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/services/ktalk.fc b/refpolicy/policy/modules/services/ktalk.fc
index 48c7cad..720bca5 100644
--- a/refpolicy/policy/modules/services/ktalk.fc
+++ b/refpolicy/policy/modules/services/ktalk.fc
@@ -1,2 +1,3 @@
+/usr/bin/in.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index f8bfffb..284c1c3 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -1,5 +1,5 @@
-policy_module(ktalk,1.1.0)
+policy_module(ktalk,1.1.1)
########################################
#
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index a3643ff..b5f6f5e 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.2.2)
+policy_module(spamassassin,1.2.3)
########################################
#
@@ -77,6 +77,7 @@ corenet_tcp_bind_spamd_port(spamd_t)
# DnsResolver.pm module which binds to
# random ports >= 1024.
corenet_udp_bind_generic_port(spamd_t)
+corenet_udp_bind_imaze_port(spamd_t)
corenet_tcp_connect_razor_port(spamd_t)
dev_read_sysfs(spamd_t)
@@ -122,8 +123,11 @@ ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(spamd_t)
term_dontaudit_use_generic_ptys(spamd_t)
files_dontaudit_read_root_files(spamd_t)
- userdom_manage_generic_user_home_dirs(spamd_t)
- userdom_manage_generic_user_home_files(spamd_t)
+ tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_generic_user_home_dirs(spamd_t)
+ userdom_manage_generic_user_home_files(spamd_t)
+ userdom_manage_generic_user_home_symlinks(spamd_t)
+ ')
')
tunable_policy(`use_nfs_home_dirs',`
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index 5c1ffe8..d0ba416 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -52,6 +52,7 @@ ifdef(`strict_policy',`
/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 49de4bc..0c92946 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -39,11 +39,12 @@ template(`xserver_common_domain_template',`
# admin of APM bios?
# sys_nice is so that the X server can set a negative nice value
# execheap needed until the X module loader is fixed.
+ # NVIDIA Needs execstack
allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
dontaudit $1_xserver_t self:capability chown;
allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_xserver_t self:process { execmem execheap setsched };
+ allow $1_xserver_t self:process { execmem execheap execstack setsched };
allow $1_xserver_t self:fd use;
allow $1_xserver_t self:fifo_file rw_file_perms;
allow $1_xserver_t self:sock_file r_file_perms;
@@ -53,6 +54,7 @@ template(`xserver_common_domain_template',`
allow $1_xserver_t self:msg { send receive };
allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow $1_xserver_t self:netlink_route_socket r_netlink_socket_perms;
allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
allow $1_xserver_t self:udp_socket create_socket_perms;
@@ -86,6 +88,7 @@ template(`xserver_common_domain_template',`
kernel_read_modprobe_sysctls($1_xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls($1_xserver_t)
+ kernel_write_proc_files($1_xserver_t)
# Run helper programs in $1_xserver_t.
corecmd_search_sbin($1_xserver_t)
@@ -122,9 +125,12 @@ template(`xserver_common_domain_template',`
dev_rw_xserver_misc($1_xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
+ dev_rwx_zero($1_xserver_t)
files_read_etc_files($1_xserver_t)
files_read_etc_runtime_files($1_xserver_t)
+ files_read_usr_files($1_xserver_t)
+
# brought on by rhgb
files_search_mnt($1_xserver_t)
# for nscd
@@ -134,6 +140,8 @@ template(`xserver_common_domain_template',`
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
+ init_getpgid($1_xserver_t)
+
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 248032d..a7998e9 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.0.2)
+policy_module(xserver,1.0.3)
########################################
#
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 9d5d17e..117d11d 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
-policy_module(zebra,1.1.1)
+policy_module(zebra,1.1.2)
########################################
#
@@ -73,6 +73,7 @@ corenet_non_ipsec_sendrecv(zebra_t)
corenet_tcp_bind_all_nodes(zebra_t)
corenet_udp_bind_all_nodes(zebra_t)
corenet_tcp_bind_zebra_port(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
dev_associate_usbfs(zebra_var_run_t)
dev_list_all_dev_nodes(zebra_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 7c345eb..7edd190 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
-policy_module(fstools,1.2.1)
+policy_module(fstools,1.2.2)
########################################
#
@@ -15,7 +15,7 @@ role system_r types fsadm_t;
type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)
-type swapfile_t;
+type swapfile_t; # customizable
files_type(swapfile_t)
########################################
@@ -154,6 +154,11 @@ tunable_policy(`read_default_t',`
files_read_default_pipes(fsadm_t)
')
+optional_policy(`amanda',`
+ amanda_rw_dumpdates_files(fsadm_t)
+ amanda_append_log_files(fsadm_t)
+')
+
optional_policy(`cron',`
# for smartctl cron jobs
cron_system_entry(fsadm_t,fsadm_exec_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 233b778..ed05cac 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.2.4)
+policy_module(init,1.2.5)
gen_require(`
class passwd rootok;
@@ -231,6 +231,8 @@ allow initrc_t initrc_tmp_t:file create_file_perms;
allow initrc_t initrc_tmp_t:dir create_dir_perms;
files_filetrans_tmp(initrc_t,initrc_tmp_t, { file dir })
+init_write_initctl(initrc_t)
+
kernel_read_system_state(initrc_t)
kernel_read_software_raid_state(initrc_t)
kernel_read_network_state(initrc_t)
@@ -272,6 +274,7 @@ dev_setattr_all_chr_files(initrc_t)
dev_read_lvm_control(initrc_t)
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
+dev_manage_generic_files(initrc_t)
# Wants to remove udev.tbl:
dev_delete_generic_symlinks(initrc_t)
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index b24ad99..677bfdc 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -62,7 +62,7 @@ ifdef(`distro_redhat',`
/usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 1ad32c8..30052b2 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.2.2)
+policy_module(libraries,1.2.3)
########################################
#
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 0d7651c..c06d05f 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm,1.2.1)
+policy_module(lvm,1.2.2)
########################################
#
@@ -203,6 +203,7 @@ dev_dontaudit_getattr_generic_pipes(lvm_t)
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
+fs_donaudit_read_removable_files(lvm_t)
storage_relabel_fixed_disk(lvm_t)
# LVM creates block devices in /dev/mapper or /dev/<vg>
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index c82e973..ddd0e8c 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -204,7 +204,7 @@ interface(`modutils_run_depmod',`
')
modutils_domtrans_depmod($1)
- role $2 types insmod_t;
+ role $2 types depmod_t;
allow insmod_t $3:chr_file rw_term_perms;
')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 4313886..94a1b59 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils,1.0.1)
+policy_module(modutils,1.0.2)
gen_require(`
bool secure_mode_insmod;
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 596ba65..c45086d 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.2.5)
+policy_module(unconfined,1.2.6)
########################################
#
@@ -93,6 +93,10 @@ ifdef(`targeted_policy',`
fstools_domtrans(unconfined_t)
')
+ optional_policy(`java',`
+ java_domtrans(unconfined_t)
+ ')
+
optional_policy(`lpd',`
lpd_domtrans_checkpc(unconfined_t)
')
@@ -149,6 +153,10 @@ ifdef(`targeted_policy',`
usermanage_domtrans_admin_passwd(unconfined_t)
')
+ optional_policy(`vpn',`
+ vpn_domtrans(unconfined_t)
+ ')
+
optional_policy(`webalizer',`
webalizer_domtrans(unconfined_t)
')
More information about the scm-commits
mailing list