rpms/selinux-policy/devel booleans-targeted.conf, 1.30, 1.31 policy-20070703.patch, 1.81, 1.82 selinux-policy.spec, 1.540, 1.541

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Oct 5 19:47:42 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28686

Modified Files:
	booleans-targeted.conf policy-20070703.patch 
	selinux-policy.spec 
Log Message:
* Thu Oct 4 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-18
- Remove homedir_template



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- booleans-targeted.conf	5 Oct 2007 11:43:46 -0000	1.30
+++ booleans-targeted.conf	5 Oct 2007 19:47:10 -0000	1.31
@@ -1,6 +1,6 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
-allow_execmem = True
+allow_execmem = true
 
 # Allow making a modified private filemapping executable (text relocation).
 # 
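Review bot: Both `allow_execmem` in this hunk and `allow_execstack` in the hunk at `@@ -8,7 +8,7 @@` ship defaulting to `true`, which relaxes the executable-memory and executable-stack restriction for every domain that honours these booleans, yet neither comment states why a default targeted install needs them on. A why-line above each value, stating which workloads on a stock install require it, would keep a later cleanup from flipping the default without knowing the cost. Whether the boolean loader compares the value case-insensitively is not visible here, so it is worth confirming that the earlier `True` spelling was not silently ignored on systems built from revision 1.30.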
@@ -8,7 +8,7 @@
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = True
+allow_execstack = true
 
 # Allow ftpd to read cifs directories.
 # 

policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.81
retrieving revision 1.82
diff -u -r1.81 -r1.82
--- policy-20070703.patch	5 Oct 2007 11:43:46 -0000	1.81
+++ policy-20070703.patch	5 Oct 2007 19:47:10 -0000	1.82
@@ -1268,6 +1268,15 @@
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.8/policy/modules/admin/vbetool.te
+--- nsaserefpolicy/policy/modules/admin/vbetool.te	2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/vbetool.te	2007-10-05 09:50:03.000000000 -0400
+@@ -33,4 +33,5 @@
+ optional_policy(`
+ 	hal_rw_pid_files(vbetool_t)
+ 	hal_write_log(vbetool_t)
++	hal_dontaudit_append_lib_files(vbetool_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.0.8/policy/modules/admin/vpn.fc
 --- nsaserefpolicy/policy/modules/admin/vpn.fc	2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/vpn.fc	2007-10-03 11:10:24.000000000 -0400
@@ -1277,6 +1286,35 @@
  /sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
 +
 +/var/run/vpnc(/.*)?		gen_context(system_u:object_r:vpnc_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.0.8/policy/modules/admin/vpn.if
+--- nsaserefpolicy/policy/modules/admin/vpn.if	2007-05-29 14:10:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/vpn.if	2007-10-05 10:12:04.000000000 -0400
+@@ -67,3 +67,25 @@
+ 
+ 	allow $1 vpnc_t:process signal;
+ ')
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	Vpnc over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`vpnc_dbus_chat',`
++	gen_require(`
++		type vpnc_t;
++		class dbus send_msg;
++	')
++
++	allow $1 vpnc_t:dbus send_msg;
++	allow vpnc_t $1:dbus send_msg;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te	2007-07-25 10:37:43.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/vpn.te	2007-10-03 11:10:24.000000000 -0400
@@ -2716,7 +2754,7 @@
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-10-05 10:05:26.000000000 -0400
 @@ -343,8 +343,7 @@
  
  ########################################
@@ -2826,7 +2864,52 @@
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -3323,6 +3377,42 @@
+@@ -3198,6 +3252,44 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow attempts to get the attributes
++##	of all tmp files. 
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain not to audit.
++##	</summary>
++## </param>
++#
++interface(`files_getattr_all_tmp_files',`
++	gen_require(`
++		attribute tmpfile;
++	')
++
++	allow $1 tmpfile:file getattr;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes
++##	of all tmp sock_file. 
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain not to audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
++	gen_require(`
++		attribute tmpfile;
++	')
++
++	dontaudit $1 tmpfile:sock_file getattr;
++')
++
++########################################
++## <summary>
+ ##	Read all tmp files.
+ ## </summary>
+ ## <param name="domain">
+@@ -3323,6 +3415,42 @@
  
  ########################################
  ## <summary>
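Review bot: The `<param>` summary of the new `files_getattr_all_tmp_files` interface (the `##	Domain not to audit.` line in the first added block) is copied from the dontaudit interface below it; this interface emits an `allow`, so the line should read `##	Domain allowed access.`. Its summary `##	Allow attempts to get the attributes` would also match the neighbouring `##	Read all tmp files.` better as `##	Get the attributes of all tmp files.`, since the rule grants `getattr` across the whole `tmpfile` attribute rather than merely tolerating attempts. Both `##	of all tmp files. ` and `##	of all tmp sock_file. ` carry trailing whitespace, and the second reads better as `of all tmp sock_files.`.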
@@ -2869,7 +2952,7 @@
  ##	Get the attributes of files in /usr.
  ## </summary>
  ## <param name="domain">
-@@ -3381,7 +3471,7 @@
+@@ -3381,7 +3509,7 @@
  
  ########################################
  ## <summary>
@@ -2878,7 +2961,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3389,17 +3479,17 @@
+@@ -3389,17 +3517,17 @@
  ##	</summary>
  ## </param>
  #
@@ -2899,7 +2982,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3407,12 +3497,12 @@
+@@ -3407,12 +3535,12 @@
  ##	</summary>
  ## </param>
  #
@@ -2914,7 +2997,7 @@
  ')
  
  ########################################
-@@ -4043,7 +4133,7 @@
+@@ -4043,7 +4171,7 @@
  		type var_t, var_lock_t;
  	')
  
@@ -2923,7 +3006,7 @@
  ')
  
  ########################################
-@@ -4560,6 +4650,8 @@
+@@ -4560,6 +4688,8 @@
  	# Need to give access to /selinux/member
  	selinux_compute_member($1)
  
@@ -2932,7 +3015,7 @@
  	# Need sys_admin capability for mounting
  	allow $1 self:capability { chown fsetid sys_admin };
  
-@@ -4582,6 +4674,11 @@
+@@ -4582,6 +4712,11 @@
  	# Default type for mountpoints
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
@@ -2944,7 +3027,7 @@
  ')
  
  ########################################
-@@ -4619,3 +4716,28 @@
+@@ -4619,3 +4754,28 @@
  
  	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
  ')
@@ -3003,7 +3086,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2007-10-04 12:58:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2007-10-05 10:23:56.000000000 -0400
 @@ -271,45 +271,6 @@
  
  ########################################
@@ -3146,7 +3229,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te	2007-10-05 13:59:53.000000000 -0400
 @@ -80,6 +80,7 @@
  type fusefs_t;
  fs_noxattr_type(fusefs_t)
@@ -3155,6 +3238,18 @@
  genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
  genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
  
+@@ -133,6 +134,11 @@
+ genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+ files_mountpoint(spufs_t)
+ 
++type squash_t;
++fs_type(squash_t)
++genfscon squash / gen_context(system_u:object_r:squash_t,s0)
++files_mountpoint(squash_t)
++
+ type vxfs_t;
+ fs_noxattr_type(vxfs_t)
+ files_mountpoint(vxfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-08-22 07:14:06.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if	2007-10-03 11:10:24.000000000 -0400
@@ -5196,7 +5291,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-10-05 09:02:24.000000000 -0400
 @@ -48,9 +48,8 @@
  type hplip_t;
  type hplip_exec_t;
@@ -5293,15 +5388,21 @@
  files_list_world_readable(cupsd_t)
  files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
-@@ -202,6 +206,7 @@
- files_dontaudit_getattr_all_tmp_files(cupsd_t)
+@@ -196,12 +200,9 @@
+ files_read_var_symlinks(cupsd_t)
+ # for /etc/printcap
+ files_dontaudit_write_etc_files(cupsd_t)
+-# smbspool seems to be iterating through all existing tmp files.
+-# redhat bug #214953
+-# cjp: this might be a broken behavior
+-files_dontaudit_getattr_all_tmp_files(cupsd_t)
  
  selinux_compute_access_vector(cupsd_t)
 +selinux_validate_context(cupsd_t)
  
  init_exec_script_files(cupsd_t)
  
-@@ -221,17 +226,37 @@
+@@ -221,17 +222,37 @@
  
  sysnet_read_config(cupsd_t)
  
@@ -5339,7 +5440,7 @@
  	apm_domtrans_client(cupsd_t)
  ')
  
-@@ -263,16 +288,16 @@
+@@ -263,16 +284,16 @@
  ')
  
  optional_policy(`
@@ -5360,7 +5461,7 @@
  	seutil_sigchld_newrole(cupsd_t)
  ')
  
-@@ -377,6 +402,14 @@
+@@ -377,6 +398,14 @@
  ')
  
  optional_policy(`
@@ -5375,7 +5476,7 @@
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -393,6 +426,7 @@
+@@ -393,6 +422,7 @@
  optional_policy(`
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
@@ -5383,7 +5484,7 @@
  ')
  
  optional_policy(`
-@@ -525,11 +559,9 @@
+@@ -525,11 +555,9 @@
  allow hplip_t cupsd_etc_t:dir search;
  
  cups_stream_connect(hplip_t)
@@ -5398,7 +5499,7 @@
  
  manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
  files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -560,7 +592,7 @@
+@@ -560,7 +588,7 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -5407,7 +5508,7 @@
  
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
-@@ -587,8 +619,6 @@
+@@ -587,8 +615,6 @@
  userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
  userdom_dontaudit_search_all_users_home_content(hplip_t)
  
@@ -5416,6 +5517,22 @@
  optional_policy(`
  	seutil_sigchld_newrole(hplip_t)
  ')
+@@ -668,3 +694,15 @@
+ optional_policy(`
+ 	udev_read_db(ptal_t)
+ ')
++
++
++# This whole section needs to be moved to a smbspool policy
++# smbspool seems to be iterating through all existing tmp files.
++# Looking for kerberos files
++files_getattr_all_tmp_files(cupsd_t)
++userdom_read_unpriv_users_tmp_files(cupsd_t)
++files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
++
++optional_policy(`
++	unconfined_read_tmp_files(cupsd_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.0.8/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/cvs.te	2007-10-03 11:10:24.000000000 -0400
@@ -6062,8 +6179,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te	2007-10-03 11:10:24.000000000 -0400
-@@ -0,0 +1,227 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.te	2007-10-05 09:27:09.000000000 -0400
+@@ -0,0 +1,229 @@
 +# $Id$
 +# Draft SELinux refpolicy module for the Exim MTA
 +# 
@@ -6173,6 +6290,8 @@
 +files_search_var(exim_t)
 +files_read_etc_files(exim_t)
 +
++fs_getattr_xattr_fs(exim_t)
++
 +kernel_read_kernel_sysctls(exim_t)
 +kernel_dontaudit_read_system_state(exim_t)
 +
@@ -6387,7 +6506,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.fc	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/hal.fc	2007-10-05 15:23:01.000000000 -0400
 @@ -13,9 +13,12 @@
  
  /var/cache/hald(/.*)?				gen_context(system_u:object_r:hald_cache_t,s0)
@@ -6403,8 +6522,27 @@
  /var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-03 11:10:24.000000000 -0400
-@@ -93,6 +93,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-05 11:48:00.000000000 -0400
+@@ -49,6 +49,9 @@
+ type hald_var_lib_t;
+ files_type(hald_var_lib_t)
+ 
++typealias hald_log_t alias pmtools_log_t;
++typealias hald_var_run_t alias pmtools_var_run_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -70,7 +73,7 @@
+ manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
+ 
+ # log files for hald
+-allow hald_t hald_log_t:file manage_file_perms;
++manage_files_pattern(hald_t, hald_log_t, hald_log_t)
+ logging_log_filetrans(hald_t,hald_log_t,file)
+ 
+ manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
+@@ -93,6 +96,7 @@
  kernel_rw_irq_sysctls(hald_t)
  kernel_rw_vm_sysctls(hald_t)
  kernel_write_proc_files(hald_t)
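Review bot: Replacing `allow hald_t hald_log_t:file manage_file_perms;` with `manage_files_pattern(hald_t, hald_log_t, hald_log_t)` is wider than the line it replaces, since in refpolicy's misc_patterns the pattern also grants `rw_dir_perms` on `hald_log_t` directories; that is fine if hald creates files in a directory of that type, but the log message does not mention it. The new line is also the only call in this file written with spaces after the commas; `manage_files_pattern(hald_t,hald_log_t,hald_log_t)` matches the surrounding `manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)` and `manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)`. The two `typealias` lines fold the pmtools types into hal; if a pmtools module still declares `pmtools_log_t` or `pmtools_var_run_t`, the alias will collide with it at link time, so that module needs to go in the same change (not visible in this hunk).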
@@ -6412,7 +6550,7 @@
  
  auth_read_pam_console_data(hald_t)
  
-@@ -155,6 +156,8 @@
+@@ -155,6 +159,8 @@
  selinux_compute_relabel_context(hald_t)
  selinux_compute_user_contexts(hald_t)
  
@@ -6421,7 +6559,7 @@
  storage_raw_read_removable_device(hald_t)
  storage_raw_write_removable_device(hald_t)
  storage_raw_read_fixed_disk(hald_t)
-@@ -293,6 +296,7 @@
+@@ -293,6 +299,7 @@
  #
  
  allow hald_acl_t self:capability { dac_override fowner };
@@ -6429,7 +6567,7 @@
  allow hald_acl_t self:fifo_file read_fifo_file_perms;
  
  domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -344,6 +348,8 @@
+@@ -344,6 +351,8 @@
  
  files_read_usr_files(hald_mac_t)
  
@@ -7257,7 +7395,7 @@
 +/var/log/wpa_supplicant.log	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-06-15 14:54:33.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if	2007-10-05 10:11:35.000000000 -0400
 @@ -97,3 +97,24 @@
  	allow $1 NetworkManager_t:dbus send_msg;
  	allow NetworkManager_t $1:dbus send_msg;
@@ -8434,13 +8572,13 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
 --- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te	2007-10-05 13:58:37.000000000 -0400
 @@ -21,11 +21,13 @@
  # rpcbind local policy
  #
  
 -allow rpcbind_t self:capability setuid;
-+allow rpcbind_t self:capability { setuid sys_tty_config };
++allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
  allow rpcbind_t self:fifo_file rw_file_perms;
  allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
  allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
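Review bot: `dac_override` in the new `allow rpcbind_t self:capability { dac_override setuid sys_tty_config };` lets rpcbind bypass every DAC permission check, and the hunk carries no comment saying which access needed it. If the denial was for reading or traversing a directory, `dac_read_search` is the narrower capability; if it is for a file under rpcbind's own pid or state directory, fixing that file's context is narrower still. At minimum add a why-line above it, e.g. `# dac_override: <path rpcbind touches> (<bug id>)` with the real values filled in.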
@@ -13968,7 +14106,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-05 14:12:30.000000000 -0400
 @@ -5,28 +5,38 @@
  #
  # Declarations
@@ -14041,17 +14179,17 @@
  
  optional_policy(`
 -	ada_domtrans(unconfined_t)
-+	ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- ')
- 
- optional_policy(`
+-')
+-
+-optional_policy(`
 -	apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 -	apache_per_role_template(unconfined,unconfined_t,unconfined_r)
 -	# this is disallowed usage:
 -	unconfined_domain(httpd_unconfined_script_t)
--')
--
--optional_policy(`
++	ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ ')
+ 
+ optional_policy(`
 -	bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 +	bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  ')
@@ -14069,7 +14207,18 @@
  ')
  
  optional_policy(`
-@@ -118,11 +122,11 @@
+@@ -107,6 +111,10 @@
+ 	optional_policy(`
+ 		oddjob_dbus_chat(unconfined_t)
+ 	')
++
++	optional_policy(`
++		vpnc_dbus_chat(unconfined_t)
++	')
+ ')
+ 
+ optional_policy(`
+@@ -118,11 +126,11 @@
  ')
  
  optional_policy(`
@@ -14083,7 +14232,7 @@
  ')
  
  optional_policy(`
-@@ -134,11 +138,7 @@
+@@ -134,11 +142,7 @@
  ')
  
  optional_policy(`
@@ -14096,7 +14245,7 @@
  ')
  
  optional_policy(`
-@@ -155,32 +155,23 @@
+@@ -155,32 +159,23 @@
  
  optional_policy(`
  	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -14133,7 +14282,7 @@
  ')
  
  optional_policy(`
-@@ -205,11 +196,18 @@
+@@ -205,11 +200,18 @@
  ')
  
  optional_policy(`
@@ -14154,7 +14303,7 @@
  ')
  
  ########################################
-@@ -225,8 +223,20 @@
+@@ -225,8 +227,20 @@
  
  	init_dbus_chat_script(unconfined_execmem_t)
  	unconfined_dbus_chat(unconfined_execmem_t)
@@ -14186,7 +14335,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-04 17:33:14.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-05 14:11:08.000000000 -0400
 @@ -29,8 +29,9 @@
  	')
  
@@ -14699,7 +14848,7 @@
  		allow $1_t self:dbus send_msg;
  		dbus_system_bus_client_template($1,$1_t)
  
-@@ -834,21 +780,18 @@
+@@ -834,20 +780,20 @@
  		')
  
  		optional_policy(`
@@ -14719,13 +14868,13 @@
 +			evolution_alarm_dbus_chat($1,$1_t)
  		')
  
--		optional_policy(`
+ 		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
--		')
++			vpnc_dbus_chat($1_t)
+ 		')
  	')
  
- 	optional_policy(`
-@@ -876,17 +819,17 @@
+@@ -876,17 +822,17 @@
  	')
  
  	optional_policy(`
@@ -14751,7 +14900,7 @@
  	')
  
  	optional_policy(`
-@@ -900,16 +843,6 @@
+@@ -900,16 +846,6 @@
  	')
  
  	optional_policy(`
@@ -14768,7 +14917,7 @@
  		resmgr_stream_connect($1_t)
  	')
  
-@@ -919,11 +852,6 @@
+@@ -919,11 +855,6 @@
  	')
  
  	optional_policy(`
@@ -14780,7 +14929,7 @@
  		samba_stream_connect_winbind($1_t)
  	')
  
-@@ -954,21 +882,165 @@
+@@ -954,21 +885,165 @@
  ##	</summary>
  ## </param>
  #
@@ -14952,7 +15101,7 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1049,51 @@
+@@ -977,23 +1052,51 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
@@ -15015,24 +15164,31 @@
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1129,7 @@
+@@ -1029,20 +1132,12 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
++		corenet_tcp_bind_all_unreserved_ports($1_t)
+ 	')
+ 
+ 	optional_policy(`
+-		kerberos_use($1_t)
 -	')
 -
 -	optional_policy(`
--		kerberos_use($1_t)
+-		loadkeys_run($1_t,$1_r,$1_tty_device_t)
 -	')
 -
 -	optional_policy(`
--		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-+		corenet_tcp_bind_all_unreserved_ports($1_t)
+-		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+-		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
  	')
  
- 	optional_policy(`
-@@ -1054,17 +1146,6 @@
+ 	# Run pppd in pppd_t by default for user
+@@ -1054,17 +1149,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -15050,7 +15206,7 @@
  ')
  
  #######################################
-@@ -1102,6 +1183,8 @@
+@@ -1102,6 +1186,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -15059,7 +15215,7 @@
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1210,7 @@
+@@ -1127,7 +1213,7 @@
  	# $1_t local policy
  	#
  
@@ -15068,7 +15224,7 @@
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,7 +1222,11 @@
+@@ -1139,7 +1225,11 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -15081,7 +15237,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1642,9 +1729,11 @@
+@@ -1642,9 +1732,11 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -15093,7 +15249,7 @@
  	files_type($2)
  ')
  
-@@ -1894,10 +1983,46 @@
+@@ -1894,10 +1986,46 @@
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
  		type $1_home_dir_t, $1_home_t;
@@ -15141,7 +15297,7 @@
  ')
  
  ########################################
-@@ -3078,7 +3203,7 @@
+@@ -3078,7 +3206,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -15150,7 +15306,7 @@
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4615,6 +4740,24 @@
+@@ -4615,6 +4743,24 @@
  	files_list_home($1)
  	allow $1 home_dir_type:dir search_dir_perms;
  ')
@@ -15175,7 +15331,7 @@
  
  ########################################
  ## <summary>
-@@ -4633,6 +4776,14 @@
+@@ -4633,6 +4779,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -15190,7 +15346,7 @@
  ')
  
  ########################################
-@@ -5323,7 +5474,7 @@
+@@ -5323,7 +5477,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -15199,7 +15355,7 @@
  ')
  
  ########################################
-@@ -5559,3 +5710,380 @@
+@@ -5559,3 +5713,380 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -15422,24 +15578,24 @@
 +		cups_dbus_chat($1_usertype)
 +	')
 +
-+')
 +
-+optional_policy(`
-+	consolekit_dbus_chat($1_usertype)
-+')
++	optional_policy(`
++		consolekit_dbus_chat($1_usertype)
++	')
 +
-+optional_policy(`
-+	java_per_role_template($1, $1_t, $1_r)
-+')
++	optional_policy(`
++		java_per_role_template($1, $1_t, $1_r)
++	')
 +
-+optional_policy(`
-+	mono_per_role_template($1, $1_t, $1_r)
-+')
++	optional_policy(`
++		networkmanager_dontaudit_dbus_chat($1_t)
++	')
 +
-+optional_policy(`
-+	networkmanager_dontaudit_dbus_chat($1_usertype)
-+')
++	optional_policy(`
++		mono_per_role_template($1, $1_t, $1_r)
++	')
 +
++')
 +optional_policy(`
 +	setroubleshoot_dontaudit_stream_connect($1_usertype)
 +')
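Review bot: The re-indented `java_per_role_template($1, $1_t, $1_r)` and `mono_per_role_template($1, $1_t, $1_r)` calls now sit inside the enclosing `optional_policy(` that also holds the dbus-chat rules, so the Java and Mono per-role templates are expanded only when that block's module is present; the enclosing block opens outside this hunk, so if its requirement is dbus rather than java or mono this is an unintended dependency and the two calls should stay at the outer level, like `setroubleshoot_dontaudit_stream_connect($1_usertype)` below. In the same block `networkmanager_dontaudit_dbus_chat($1_t)` is now the only call passing `$1_t` while its siblings `consolekit_dbus_chat($1_usertype)` and `cups_dbus_chat($1_usertype)` pass the attribute; unless the narrowing is deliberate it should read `networkmanager_dontaudit_dbus_chat($1_usertype)`. The closing `')` is also immediately followed by `optional_policy(` with no separating blank line.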
@@ -15582,7 +15738,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te	2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.te	2007-10-05 08:59:51.000000000 -0400
 @@ -24,13 +24,6 @@
  
  ## <desc>


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.540
retrieving revision 1.541
diff -u -r1.540 -r1.541
--- selinux-policy.spec	5 Oct 2007 11:43:46 -0000	1.540
+++ selinux-policy.spec	5 Oct 2007 19:47:10 -0000	1.541
@@ -150,9 +150,9 @@
 
 %define loadpolicy() \
 ( cd /usr/share/selinux/%1; \
-semodule %2 -b base.pp %{expand:%%moduleList %1} -s %1; \
+semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
 );\
-rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew
+rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew;
 
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
@@ -285,15 +285,14 @@
 
 %post targeted
 semodule -s targeted -r moilscanner 2>/dev/null
+%loadpolicy targeted
+
 if [ $1 = 1 ]; then
 semanage login -m -s "system_u" __default__ 2> /dev/null
 semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 
 semanage user -a -P guest -R guest_r guest_u
 semanage user -a -P xguest -R xguest_r xguest_u 
-# Don't load on initial install
-%loadpolicy targeted
 else
-%loadpolicy targeted
 %relabel targeted
 fi
 exit 0
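Review bot: `%loadpolicy targeted` now runs unconditionally before the `if [ $1 = 1 ]` branch and the old `# Don't load on initial install` comment is gone, but nothing says why the order changed; a line above it such as `# Load the policy first so the targeted store exists before the semanage calls below` (if that is the reason) would keep the next editor from moving it back. The scriptlet still ends in `exit 0`, so a failed `semodule -b base.pp` inside `%loadpolicy` could leave the package installed with no loaded policy and no error reported; the same applies to the olpc and mls `%post` hunks below.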
@@ -330,6 +329,7 @@
 
 %post olpc 
 %loadpolicy olpc
+
 if [ $1 != 1 ]; then
 %relabel olpc
 fi
@@ -359,6 +359,7 @@
 
 %post mls 
 %loadpolicy mls
+
 if [ $1 != 1 ]; then
 %relabel mls
 fi



