[selinux-policy: 2902/3172] Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://os
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:18:23 UTC 2010
commit cab9bc9c58cb60c3a98053ab9fc2b781c68f0fed
Merge: d7544f0 da12b54
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Sep 10 13:02:25 2010 -0400
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
policy/modules/admin/amanda.if
policy/modules/system/init.te
policy/modules/system/miscfiles.if
policy/modules/system/miscfiles.te
policy/modules/system/userdomain.if
policy/modules/admin/amanda.fc | 4 +-
policy/modules/admin/amanda.if | 40 +++++++--------
policy/modules/admin/amanda.te | 25 +--------
policy/modules/admin/amtu.if | 9 ++--
policy/modules/admin/anaconda.fc | 6 +--
policy/modules/admin/anaconda.if | 2 +-
policy/modules/admin/anaconda.te | 1 -
policy/modules/admin/certwatch.te | 4 +-
policy/modules/apps/evolution.te | 4 +-
policy/modules/services/abrt.te | 2 +-
policy/modules/services/amavis.te | 2 +-
policy/modules/services/apache.te | 2 +-
policy/modules/services/automount.te | 2 +-
policy/modules/services/avahi.te | 2 +-
policy/modules/services/bind.te | 2 +-
policy/modules/services/certmaster.if | 4 +-
policy/modules/services/certmaster.te | 6 +-
policy/modules/services/certmonger.te | 2 +-
policy/modules/services/cyrus.te | 2 +-
policy/modules/services/dbus.te | 2 +-
policy/modules/services/dovecot.te | 2 +-
policy/modules/services/exim.te | 2 +-
policy/modules/services/fetchmail.te | 2 +-
policy/modules/services/ldap.te | 2 +-
policy/modules/services/networkmanager.te | 2 +-
policy/modules/services/openvpn.te | 2 +-
policy/modules/services/postfix.if | 2 +-
policy/modules/services/radius.te | 2 +-
policy/modules/services/rpc.te | 4 +-
policy/modules/services/sasl.te | 2 +-
policy/modules/services/sendmail.te | 2 +-
policy/modules/services/squid.te | 2 +-
policy/modules/services/ssh.if | 2 +-
policy/modules/services/virt.te | 2 +-
policy/modules/services/w3c.te | 2 +-
policy/modules/system/authlogin.if | 4 +-
policy/modules/system/authlogin.te | 2 +-
policy/modules/system/init.te | 2 +-
policy/modules/system/miscfiles.if | 77 ++++++++++++++++++++++++++--
policy/modules/system/miscfiles.te | 2 +-
policy/modules/system/userdomain.if | 5 ++-
41 files changed, 143 insertions(+), 104 deletions(-)
---
diff --cc policy/modules/services/w3c.te
index c37d690,1174ad8..f4c4c1b
--- a/policy/modules/services/w3c.te
+++ b/policy/modules/services/w3c.te
@@@ -26,8 -19,6 +26,8 @@@ corenet_tcp_sendrecv_http_port(httpd_w3
corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
- miscfiles_read_certs(httpd_w3c_validator_script_t)
+ miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
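Review bot: The `apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)` line at the end of this hunk has no comment saying which denial it silences. A dontaudit rule keeps those AVC records out of the audit log, so a later reader cannot tell an expected, harmless access from the validator script touching Apache's temporary files for some other reason. I would add a one-line comment above it in the form `# dontaudit: <why the validator script reaches apache tmp files>`, filled in with the actual cause, which is not visible in this hunk.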
diff --cc policy/modules/system/userdomain.if
index e1da594,2aa8928..c67c8e8
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@@ -88,48 -79,33 +88,51 @@@ template(`userdom_base_user_template',
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
- domain_dontaudit_read_all_domains_state($1_t)
- domain_dontaudit_getattr_all_domains($1_t)
- domain_dontaudit_getsession_all_domains($1_t)
-
- files_read_etc_files($1_t)
- files_read_etc_runtime_files($1_t)
- files_read_usr_files($1_t)
+ domain_dontaudit_read_all_domains_state($1_usertype)
+ domain_dontaudit_getattr_all_domains($1_usertype)
+ domain_dontaudit_getsession_all_domains($1_usertype)
+
+ files_read_etc_files($1_usertype)
+ files_list_mnt($1_usertype)
+ files_read_mnt_files($1_usertype)
+ files_read_etc_runtime_files($1_usertype)
+ files_read_usr_files($1_usertype)
+ files_read_usr_src_files($1_usertype)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
- files_list_world_readable($1_t)
- files_read_world_readable_files($1_t)
- files_read_world_readable_symlinks($1_t)
- files_read_world_readable_pipes($1_t)
- files_read_world_readable_sockets($1_t)
+ files_list_world_readable($1_usertype)
+ files_read_world_readable_files($1_usertype)
+ files_read_world_readable_symlinks($1_usertype)
+ files_read_world_readable_pipes($1_usertype)
+ files_read_world_readable_sockets($1_usertype)
# old broswer_domain():
- files_dontaudit_list_non_security($1_t)
- files_dontaudit_getattr_non_security_files($1_t)
- files_dontaudit_getattr_non_security_symlinks($1_t)
- files_dontaudit_getattr_non_security_pipes($1_t)
- files_dontaudit_getattr_non_security_sockets($1_t)
+ files_dontaudit_getattr_all_dirs($1_usertype)
+ files_dontaudit_list_non_security($1_usertype)
+ files_dontaudit_getattr_all_files($1_usertype)
+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
+ files_dontaudit_getattr_non_security_pipes($1_usertype)
+ files_dontaudit_getattr_non_security_sockets($1_usertype)
+
+ files_exec_usr_files($1_t)
+
+ fs_list_cgroup_dirs($1_usertype)
+ fs_dontaudit_rw_cgroup_files($1_usertype)
+
+ storage_rw_fuse($1_usertype)
+
+ auth_use_nsswitch($1_usertype)
- libs_exec_ld_so($1_t)
+ init_stream_connect($1_usertype)
+
+ libs_exec_ld_so($1_usertype)
- miscfiles_read_certs($1_usertype)
+ miscfiles_read_localization($1_t)
+ miscfiles_read_generic_certs($1_t)
+
- sysnet_read_config($1_t)
++ miscfiles_read_all_certs($1_usertype)
+ miscfiles_read_localization($1_usertype)
+ miscfiles_read_man_pages($1_usertype)
+ miscfiles_read_public_files($1_usertype)
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
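Review bot: The conflict resolution line `miscfiles_read_all_certs($1_usertype)` (marked `++`, so new relative to both parents) gives every domain built from `userdom_base_user_template` the broadest certificate read interface, where the lines around it use `miscfiles_read_certs` and `miscfiles_read_generic_certs`. The definition in miscfiles.if is not shown here, but if it covers every certificate type then user domains can also read service-specific certificate stores, which may hold key material. Unless a user-facing program is known to need that, I would resolve to `miscfiles_read_generic_certs($1_usertype)`, or keep the broad call with a comment naming the program that requires it. The same template also widens two dontaudit rules to `files_dontaudit_getattr_all_dirs` and `files_dontaudit_getattr_all_files`, which hides getattr probes of security-labelled paths from the audit log and deserves a comment as well. The template body starts before and continues past this hunk.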