rpms/selinux-policy/F-8 modules-targeted.conf, 1.69, 1.70 policy-20070703.patch, 1.120, 1.121 selinux-policy.spec, 1.566, 1.567
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Nov 5 20:47:48 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10740
Modified Files:
modules-targeted.conf policy-20070703.patch
selinux-policy.spec
Log Message:
* Thu Nov 2 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-45
- Allow system_mail_t to domtrans to exim_t
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/modules-targeted.conf,v
retrieving revision 1.69
retrieving revision 1.70
diff -u -r1.69 -r1.70
--- modules-targeted.conf 24 Oct 2007 02:54:01 -0000 1.69
+++ modules-targeted.conf 5 Nov 2007 20:47:14 -0000 1.70
@@ -110,7 +110,14 @@
#
avahi = base
-# Layer: services
+# Layer: modules
+# Module: awstats
+#
+# awstats executable
+#
+awstats = module
+
+ # Layer: services
# Module: bind
#
# Berkeley internet name domain DNS server.
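Review bot: The added `# Layer: modules` header for awstats names a layer that no other entry in this file uses; every other header names the refpolicy layer directory, and the awstats files added in the accompanying policy patch live under policy/modules/apps, so the line should read `# Layer: apps`. The re-added `+ # Layer: services` line for bind also appears to carry a leading space that the removed `-# Layer: services` line did not, which would leave bind's comment block formatted unlike the rest of the file — worth checking that this is not a paste artefact before committing.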
@@ -1529,3 +1536,9 @@
#
munin = module
+# Layer: services
+# Module: bitlbee
+#
+# An IRC to other chat networks gateway
+#
+bitlbee = module
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.120
retrieving revision 1.121
diff -u -r1.120 -r1.121
--- policy-20070703.patch 1 Nov 2007 17:27:00 -0000 1.120
+++ policy-20070703.patch 5 Nov 2007 20:47:14 -0000 1.121
@@ -1050,7 +1050,7 @@
# Init script handling
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-11-02 13:11:15.000000000 -0400
@@ -8,9 +8,11 @@
type consoletype_t;
@@ -1066,7 +1066,13 @@
role system_r types consoletype_t;
########################################
-@@ -48,7 +50,7 @@
+@@ -43,12 +45,12 @@
+ mls_file_write_all_levels(consoletype_t)
+
+ term_use_console(consoletype_t)
+-term_use_unallocated_ttys(consoletype_t)
++term_use_all_terms(consoletype_t)
+
init_use_fds(consoletype_t)
init_use_script_ptys(consoletype_t)
init_use_script_fds(consoletype_t)
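Review bot: Replacing `term_use_unallocated_ttys(consoletype_t)` with `term_use_all_terms(consoletype_t)` widens consoletype_t from unallocated ttys to every terminal type, and neither the hunk nor the log message records which denial motivated it. A one-line comment above the call, e.g. `# init scripts run consoletype with an already-allocated tty/pty as stdin`, would keep the rationale with the rule (wording to be confirmed against the actual AVC). If the denial was only on a specific terminal type, a narrower term_use_* interface would be preferable to the all-terms grant, but that cannot be judged from what the hunk shows.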
@@ -2315,6 +2321,142 @@
+ role $2 types ada_t;
+ allow ada_t $3:chr_file rw_term_perms;
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.fc serefpolicy-3.0.8/policy/modules/apps/awstats.fc
+--- nsaserefpolicy/policy/modules/apps/awstats.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/awstats.fc 2007-11-05 15:32:38.000000000 -0500
+@@ -0,0 +1,5 @@
++/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
++/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
++/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
++
++/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.if serefpolicy-3.0.8/policy/modules/apps/awstats.if
+--- nsaserefpolicy/policy/modules/apps/awstats.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/awstats.if 2007-11-05 15:32:38.000000000 -0500
+@@ -0,0 +1,42 @@
++## <summary>
++## AWStats is a free powerful and featureful tool that generates advanced
++## web, streaming, ftp or mail server statistics, graphically.
++## </summary>
++
++########################################
++## <summary>
++## Read and write awstats unnamed pipes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`awstats_rw_pipes',`
++ gen_require(`
++ type awstats_t;
++ ')
++
++ allow $1 awstats_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++## <summary>
++## Execute awstats cgi scripts in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`awstats_cgi_exec',`
++ gen_require(`
++ type httpd_awstats_script_exec_t;
++ ')
++
++ allow $1 httpd_awstats_content_t:dir search_dir_perms;
++ allow $1 httpd_awstats_script_exec_t:dir search_dir_perms;
++ can_exec($1,httpd_awstats_script_exec_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.0.8/policy/modules/apps/awstats.te
+--- nsaserefpolicy/policy/modules/apps/awstats.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/awstats.te 2007-11-05 15:32:38.000000000 -0500
+@@ -0,0 +1,77 @@
++
++policy_module(awstats,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type awstats_t;
++type awstats_exec_t;
++domain_type(awstats_t)
++domain_entry_file(awstats_t, awstats_exec_t)
++role system_r types awstats_t;
++
++type awstats_tmp_t;
++files_tmp_file(awstats_tmp_t)
++
++type awstats_var_lib_t;
++files_type(awstats_var_lib_t)
++
++apache_content_template(awstats)
++
++########################################
++#
++# awstats policy
++#
++
++awstats_rw_pipes(awstats_t)
++awstats_cgi_exec(awstats_t)
++
++manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
++manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
++files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
++
++manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
++files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file)
++
++# dontaudit access to /proc/meminfo
++kernel_dontaudit_read_system_state(awstats_t)
++
++corecmd_exec_bin(awstats_t)
++corecmd_exec_shell(awstats_t)
++
++dev_read_urand(awstats_t)
++
++files_read_etc_files(awstats_t)
++# e.g. /usr/share/awstats/lang/awstats-en.txt
++files_read_usr_files(awstats_t)
++
++libs_read_lib_files(awstats_t)
++libs_use_ld_so(awstats_t)
++libs_use_shared_libs(awstats_t)
++
++miscfiles_read_localization(awstats_t)
++
++sysnet_dns_name_resolve(awstats_t)
++
++apache_read_log(awstats_t)
++
++optional_policy(`
++ cron_system_entry(awstats_t, awstats_exec_t)
++')
++
++optional_policy(`
++ # dontaudit searching nscd pid directory
++ nscd_dontaudit_search_pid(awstats_t)
++')
++
++########################################
++#
++# awstats cgi script policy
++#
++
++allow httpd_awstats_script_t awstats_var_lib_t:dir read;
++
++read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
++files_search_var_lib(httpd_awstats_script_t)
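Review bot: In the new `awstats_cgi_exec` interface the body references `httpd_awstats_content_t` (`allow $1 httpd_awstats_content_t:dir search_dir_perms;`) but the `gen_require` block only declares `type httpd_awstats_script_exec_t;`, so any caller outside awstats.te will fail to link on the undeclared type; add `type httpd_awstats_content_t;` to the `gen_require`. In awstats.te, `allow httpd_awstats_script_t awstats_var_lib_t:dir read;` is a raw permission where the surrounding code uses patterns; `list_dirs_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)` would be the idiomatic form and also grants the search the following `read_files_pattern` relies on. The cgi-script section would also benefit from a comment stating that the web CGI only reads statistics that the cron-driven awstats_t domain writes, which is what the var_lib rules above and below express.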
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.0.8/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2007-10-22 13:21:41.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/gnome.fc 2007-10-29 23:59:29.000000000 -0400
@@ -3576,7 +3718,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-11-05 11:44:18.000000000 -0500
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -3589,7 +3731,15 @@
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;
-@@ -93,10 +98,11 @@
+@@ -67,6 +72,7 @@
+ network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+ network_port(amavisd_recv, tcp,10024,s0)
+ network_port(amavisd_send, tcp,10025,s0)
++network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
+ network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+ network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
+ network_port(auth, tcp,113,s0)
+@@ -93,10 +99,11 @@
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
@@ -3603,7 +3753,7 @@
network_port(innd, tcp,119,s0)
network_port(ipp, tcp,631,s0, udp,631,s0)
network_port(ircd, tcp,6667,s0)
-@@ -108,12 +114,13 @@
+@@ -108,12 +115,15 @@
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
@@ -3612,14 +3762,16 @@
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
++network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
-network_port(mysqld, tcp,3306,s0)
++network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(mysqld, tcp,3306,s0, tcp,1186,s0)
+portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
-@@ -146,7 +153,7 @@
+@@ -146,7 +156,7 @@
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
network_port(ssh, tcp,22,s0)
@@ -3628,7 +3780,7 @@
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -160,13 +167,19 @@
+@@ -160,13 +170,19 @@
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
@@ -3678,7 +3830,16 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-10-31 09:46:00.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-01 14:02:44.000000000 -0400
+@@ -65,7 +65,7 @@
+
+ relabelfrom_dirs_pattern($1,device_t,device_node)
+ relabelfrom_files_pattern($1,device_t,device_node)
+- relabelfrom_lnk_files_pattern($1,device_t,device_node)
++ relabelfrom_lnk_files_pattern($1,device_t,{ device_t device_node })
+ relabelfrom_fifo_files_pattern($1,device_t,device_node)
+ relabelfrom_sock_files_pattern($1,device_t,device_node)
+ relabel_blk_files_pattern($1,device_t,{ device_t device_node })
@@ -1306,6 +1306,44 @@
########################################
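Review bot: The new `relabelfrom_lnk_files_pattern($1,device_t,{ device_t device_node })` widens the symlink case to links labelled device_t itself while the dir/file/fifo/sock patterns directly above it stay device_node-only; the blk/chr lines below already use the wider set, but for symlinks the hunk does not say which denial prompted the change. A short comment, e.g. `# symlinks under /dev are presumably labelled device_t rather than a device_node type`, would make the asymmetry deliberate (the assumption should be confirmed). The enclosing interface begins and ends outside the hunk.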
@@ -4383,7 +4544,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-11-02 11:06:28.000000000 -0400
@@ -271,45 +271,6 @@
########################################
@@ -4481,7 +4642,32 @@
interface(`fs_dontaudit_read_ramfs_files',`
gen_require(`
type ramfs_t;
-@@ -3533,3 +3513,42 @@
+@@ -3322,6 +3302,24 @@
+
+ ########################################
+ ## <summary>
++## Dontaudit Search all directories with a filesystem type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_search_all',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ## List all directories with a filesystem type.
+ ## </summary>
+ ## <param name="domain">
+@@ -3533,3 +3531,42 @@
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
@@ -7620,7 +7806,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-11-05 15:39:00.000000000 -0500
@@ -0,0 +1,157 @@
+## <summary>Exim service</summary>
+
@@ -7640,7 +7826,7 @@
+ type exim_exec_t;
+ ')
+
-+ corecmd_search_sbin($1)
++ corecmd_search_bin($1)
+ domtrans_pattern($1, exim_exec_t, exim_t)
+')
+
@@ -8806,7 +8992,7 @@
## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-31 07:35:09.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-11-02 09:53:17.000000000 -0400
@@ -6,6 +6,8 @@
# Declarations
#
@@ -8871,6 +9057,17 @@
cron_dontaudit_write_pipes(system_mail_t)
')
+@@ -81,6 +96,10 @@
+ ')
+
+ optional_policy(`
++ exim_domtrans(system_mail_t)
++')
++
++optional_policy(`
+ logrotate_read_tmp_files(system_mail_t)
+ ')
+
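Review bot: The new `exim_domtrans(system_mail_t)` block lets every domain that reaches system_mail_t transition into exim_t, but carries no comment, and the changelog entry only restates the rule. A line such as `# exim installs a sendmail-compatible /usr/sbin/sendmail, so mail submission must transition to exim_t` (to be confirmed against the exim package's file contexts) would record why this is needed in addition to the existing sendmail-style transitions. Whether exim_t can use the fds and ptys of the many system_mail_t callers is not visible in this hunk and is worth checking separately.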
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.0.8/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/munin.if 2007-10-29 23:59:29.000000000 -0400
@@ -11022,7 +11219,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-11-01 13:41:52.000000000 -0400
@@ -137,6 +137,11 @@
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
@@ -11823,7 +12020,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-10-31 09:26:27.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-11-01 13:43:05.000000000 -0400
@@ -81,7 +81,7 @@
# var/lib files for spamd
@@ -11833,6 +12030,19 @@
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -150,10 +150,12 @@
+ userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(spamd_t)
+ fs_manage_nfs_files(spamd_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(spamd_t)
+ fs_manage_cifs_files(spamd_t)
+ ')
+
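Review bot: `fs_manage_nfs_dirs(spamd_t)` and `fs_manage_cifs_dirs(spamd_t)` grant directory create/delete on every nfs_t and cifs_t directory, not only on home directories, because those filesystems carry a single type; that matches the `fs_manage_nfs_files` / `fs_manage_cifs_files` lines beside them, but the tunable names suggest a narrower scope. A comment inside each tunable block, e.g. `# nfs_t/cifs_t cover the whole mount; spamd needs to create per-user .spamassassin dirs in homes` (directory name to be confirmed), would document the accepted scope. The enclosing block continues past the hunk.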
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.8/policy/modules/services/squid.fc
--- nsaserefpolicy/policy/modules/services/squid.fc 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/squid.fc 2007-10-29 23:59:29.000000000 -0400
@@ -12095,6 +12305,42 @@
')
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tcpd.if serefpolicy-3.0.8/policy/modules/services/tcpd.if
+--- nsaserefpolicy/policy/modules/services/tcpd.if 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/tcpd.if 2007-11-05 15:37:04.000000000 -0500
+@@ -15,5 +15,31 @@
+ type tcpd_t, tcpd_exec_t;
+ ')
+
+- domtrans_pattern($1,tcpd_exec_t,tcpd_t)
++ domtrans_pattern($1, tcpd_exec_t, tcpd_t)
++')
++
++########################################
++## <summary>
++## Create a domain for services that
++## utilize tcp wrappers.
++## </summary>
++## <param name="domain">
++## <summary>
++## Type to be used as a domain.
++## </summary>
++## </param>
++## <param name="entry_point">
++## <summary>
++## Type of the program to be used as an entry point to this domain.
++## </summary>
++## </param>
++#
++interface(`tcpd_wrapped_domain',`
++ gen_require(`
++ type tcpd_t;
++ role system_r;
++ ')
++
++ domtrans_pattern(tcpd_t, $2, $1)
++ role system_r types $1;
+ ')
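Review bot: `tcpd_wrapped_domain` is documented as "Create a domain for services that utilize tcp wrappers", but its body only adds `domtrans_pattern(tcpd_t, $2, $1)` and `role system_r types $1;`; it never declares `$1` as a domain or `$2` as its entry point, so a caller that has not already done that elsewhere (for instance via `init_daemon_domain`) ends up with a type_transition into a type that is not a domain. Either the summary should say `Allow tcpd to transition to the domain of a wrapped service` and the `domain` param doc should state that the caller must have declared it as a domain with `entry_point` as its entry file, or the interface should itself call `domain_type($1)` and `domain_entry_file($1, $2)` before the transition. Whichever is chosen, the docs and the body should agree.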
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.8/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/telnet.te 2007-10-29 23:59:29.000000000 -0400
@@ -16201,7 +16447,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-11-01 11:58:24.000000000 -0400
@@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
@@ -16238,7 +16484,18 @@
# for the dhcp client to run ping to check IP addresses
optional_policy(`
netutils_domtrans_ping(dhcpc_t)
-@@ -203,9 +209,7 @@
+@@ -187,6 +193,10 @@
+ ')
+
+ optional_policy(`
++ networkmanager_domtrans(dhcpc_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(dhcpc_t)
+ nis_signal_ypbind(dhcpc_t)
+ nis_read_ypbind_pid(dhcpc_t)
+@@ -203,9 +213,7 @@
')
optional_policy(`
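Review bot: `networkmanager_domtrans(dhcpc_t)` lets the DHCP client, which parses untrusted lease data off the wire, transition into the NetworkManager domain, yet nothing records which program dhclient or its hook scripts execute to need it. Since NetworkManager normally runs dhclient rather than the reverse, the motivation is presumably a helper shipped under NetworkManager_exec_t that the dhclient scripts call; a comment above the call, e.g. `# dhclient-script invokes a NetworkManager helper (confirm which)`, would keep that reason with the rule. The enclosing sequence of optional_policy blocks continues outside the hunk.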
@@ -16249,7 +16506,7 @@
')
optional_policy(`
-@@ -216,6 +220,7 @@
+@@ -216,6 +224,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -16257,7 +16514,7 @@
')
optional_policy(`
-@@ -227,6 +232,10 @@
+@@ -227,6 +236,10 @@
')
optional_policy(`
@@ -16268,7 +16525,7 @@
kernel_read_xen_state(dhcpc_t)
kernel_write_xen_state(dhcpc_t)
xen_append_log(dhcpc_t)
-@@ -240,7 +249,6 @@
+@@ -240,7 +253,6 @@
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
@@ -16276,7 +16533,7 @@
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
-@@ -254,6 +262,7 @@
+@@ -254,6 +266,7 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
@@ -16284,7 +16541,7 @@
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -270,6 +279,8 @@
+@@ -270,6 +283,8 @@
kernel_read_network_state(ifconfig_t)
kernel_search_network_sysctl(ifconfig_t)
kernel_rw_net_sysctls(ifconfig_t)
@@ -16293,7 +16550,7 @@
corenet_rw_tun_tap_dev(ifconfig_t)
-@@ -280,8 +291,11 @@
+@@ -280,8 +295,11 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -16305,7 +16562,7 @@
domain_use_interactive_fds(ifconfig_t)
-@@ -327,6 +341,14 @@
+@@ -327,6 +345,14 @@
')
optional_policy(`
@@ -16322,7 +16579,7 @@
xen_append_log(ifconfig_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-30 19:53:35.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-11-01 14:06:19.000000000 -0400
@@ -132,6 +132,7 @@
init_read_utmp(udev_t)
@@ -16376,7 +16633,7 @@
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-01 13:52:56.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -16677,7 +16934,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-11-01 13:54:05.000000000 -0400
@@ -5,36 +5,52 @@
#
# Declarations
@@ -16895,7 +17152,14 @@
')
########################################
-@@ -225,8 +242,21 @@
+@@ -219,14 +236,28 @@
+
+ allow unconfined_execmem_t self:process { execstack execmem };
+ unconfined_domain_noaudit(unconfined_execmem_t)
++allow unconfined_execmem_t unconfined_t:process transition;
+
+ optional_policy(`
+ dbus_stub(unconfined_execmem_t)
init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
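Review bot: `allow unconfined_execmem_t unconfined_t:process transition;` is a bare allow rule with no matching type_transition and no comment, so it only takes effect through an explicit setexec or a type_transition declared elsewhere, and a reader cannot tell which program needs to leave the execmem domain. Refpolicy style would express this through an interface in unconfined.if rather than a raw rule in the .te, and a comment such as `# let execmem programs re-exec ordinary binaries back into unconfined_t` would say what it is for (the motivating program should be named once known). The enclosing block continues past the hunk.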
@@ -16928,7 +17192,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-02 11:09:48.000000000 -0400
@@ -29,8 +29,9 @@
')
@@ -17524,7 +17788,7 @@
samba_stream_connect_winbind($1_t)
')
-@@ -954,21 +887,167 @@
+@@ -954,21 +887,166 @@
## </summary>
## </param>
#
@@ -17613,8 +17877,7 @@
+
+ fs_get_all_fs_quotas($1_usertype)
+ fs_getattr_all_fs($1_usertype)
-+ fs_getattr_all_dirs($1_usertype)
-+ fs_search_auto_mountpoints($1_usertype)
++ fs_search_all($1_usertype)
+ fs_list_inotifyfs($1_usertype)
+
+ fs_rw_anon_inodefs_files($1_usertype)
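Review bot: Replacing `fs_getattr_all_dirs($1_usertype)` and `fs_search_auto_mountpoints($1_usertype)` with the single `fs_search_all($1_usertype)` drops the explicit getattr grant; whether that is a regression depends on whether fs_search_all's permission set includes getattr, which it would if it uses search_dir_perms like the `fs_dontaudit_search_all` added in the filesystem.if hunk, but the fs_search_all definition itself lies in the part of that hunk outside this page. Since `$1_usertype` covers every user domain, this is worth confirming before the build rather than discovering as a getattr denial later. The enclosing template starts and ends outside the hunk.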
@@ -17698,7 +17961,7 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1056,51 @@
+@@ -977,23 +1055,51 @@
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
@@ -17761,7 +18024,7 @@
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1136,11 @@
+@@ -1029,15 +1135,11 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -17779,7 +18042,7 @@
')
optional_policy(`
-@@ -1054,17 +1157,6 @@
+@@ -1054,17 +1156,6 @@
setroubleshoot_stream_connect($1_t)
')
@@ -17797,7 +18060,7 @@
')
#######################################
-@@ -1102,6 +1194,8 @@
+@@ -1102,6 +1193,8 @@
class passwd { passwd chfn chsh rootok crontab };
')
@@ -17806,7 +18069,7 @@
##############################
#
# Declarations
-@@ -1127,7 +1221,7 @@
+@@ -1127,7 +1220,7 @@
# $1_t local policy
#
@@ -17815,7 +18078,7 @@
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
-@@ -1139,7 +1233,11 @@
+@@ -1139,7 +1232,11 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -17828,7 +18091,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1277,6 +1375,7 @@
+@@ -1277,6 +1374,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -17836,7 +18099,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1642,9 +1741,13 @@
+@@ -1642,9 +1740,13 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -17850,7 +18113,7 @@
files_type($2)
')
-@@ -1894,10 +1997,46 @@
+@@ -1894,10 +1996,46 @@
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
type $1_home_dir_t, $1_home_t;
@@ -17898,7 +18161,7 @@
')
########################################
-@@ -3078,7 +3217,7 @@
+@@ -3078,7 +3216,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -17907,7 +18170,7 @@
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4609,11 +4748,29 @@
+@@ -4609,11 +4747,29 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -17938,7 +18201,7 @@
')
########################################
-@@ -4633,6 +4790,14 @@
+@@ -4633,6 +4789,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -17953,7 +18216,7 @@
')
########################################
-@@ -5323,7 +5488,7 @@
+@@ -5323,7 +5487,7 @@
attribute user_tmpfile;
')
@@ -17962,7 +18225,7 @@
')
########################################
-@@ -5529,6 +5694,24 @@
+@@ -5529,6 +5693,24 @@
########################################
## <summary>
@@ -17987,7 +18250,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5559,3 +5742,386 @@
+@@ -5559,3 +5741,386 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.566
retrieving revision 1.567
diff -u -r1.566 -r1.567
--- selinux-policy.spec 1 Nov 2007 17:27:01 -0000 1.566
+++ selinux-policy.spec 5 Nov 2007 20:47:14 -0000 1.567
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 44%{?dist}
+Release: 45%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -290,7 +290,7 @@
%loadpolicy targeted
if [ $1 = 1 ]; then
-semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u
+semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
semanage login -m -s "unconfined_u" __default__ 2> /dev/null
semanage login -m -s "system_u" root 2> /dev/null
semanage user -a -P guest -R guest_r guest_u
@@ -302,6 +302,10 @@
exit 0
+%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-44-1
+semanage user -m -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+exit 0
+
%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-14-1
setsebool -P use_nfs_home_dirs=1
semanage login -m -s "system_u" __default__ 2> /dev/null
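Review bot: The new `%triggerpostun` migration runs `semanage user -m -r s0-s0:c0.c1023 unconfined_u 2> /dev/null` and then `exit 0`, so a failed range update on upgrade is silently lost and unconfined_u is left without the MCS range that the fresh-install path earlier in this diff now sets. Consider at least surfacing the failure, e.g. `semanage user -m -r s0-s0:c0.c1023 unconfined_u 2> /dev/null || echo "selinux-policy: could not set MCS range on unconfined_u" >&2`, so an admin can spot the inconsistent state. The older trigger below uses the same silencing pattern, so this applies to the new block only.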
@@ -375,6 +379,9 @@
%endif
%changelog
+* Thu Nov 2 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-45
+- Allow system_mail_t to domtrans to exim_t
+
* Thu Nov 1 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-44
- Add policy.xml to devel
- Dontaudit tmpreaper getattr on lost_found dir