rpms/selinux-policy/F-9 modules-targeted.conf, 1.88, 1.89 policy-20071130.patch, 1.172, 1.173 selinux-policy.spec, 1.682, 1.683
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Jun 10 20:45:38 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv8785
Modified Files:
modules-targeted.conf policy-20071130.patch
selinux-policy.spec
Log Message:
* Wed Jun 4 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-66
- Add slattach policy for eparis testing
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/modules-targeted.conf,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -r1.88 -r1.89
--- modules-targeted.conf 4 Jun 2008 13:34:08 -0000 1.88
+++ modules-targeted.conf 10 Jun 2008 20:44:51 -0000 1.89
@@ -1667,4 +1667,4 @@
#
# test package for eparis
#
-slattach = base
+#slattach = base
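Review bot: The log message says the slattach policy is being added, but this hunk comments out `slattach = base`, so the module is not built into the targeted policy at all, and the slattach.fc/.if/.te files carried further down in the patch only get timestamp updates. If leaving it out is intentional for now, say so instead of a bare comment-out, e.g. `# slattach = base   (not built yet; enable once eparis has tested it)`, and make the spec changelog entry match. With the module absent, the `/sbin/slattach` file context from slattach.fc is presumably not installed either, so the binary keeps the default label and no domain transition happens.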
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.172
retrieving revision 1.173
diff -u -r1.172 -r1.173
--- policy-20071130.patch 4 Jun 2008 13:34:08 -0000 1.172
+++ policy-20071130.patch 10 Jun 2008 20:44:51 -0000 1.173
@@ -1445,7 +1445,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.3.1/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/amanda.te 2008-06-02 13:05:27.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/amanda.te 2008-06-10 15:04:15.884188000 -0400
@@ -82,8 +82,7 @@
allow amanda_t amanda_config_t:file { getattr read };
@@ -1465,6 +1465,14 @@
manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
+@@ -220,6 +219,7 @@
+ auth_use_nsswitch(amanda_recover_t)
+
+ fstools_domtrans(amanda_t)
++fstools_signal(amanda_t)
+
+ libs_use_ld_so(amanda_recover_t)
+ libs_use_shared_libs(amanda_recover_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.3.1/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-02-26 08:23:10.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/admin/anaconda.te 2008-06-02 13:05:27.000000000 -0400
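Review bot: The added `fstools_signal(amanda_t)` line sits in a run of `amanda_recover_t` rules, and nothing says what amanda needs to signal fsadm for. Since it is placed right under `fstools_domtrans(amanda_t)`, the intent is presumably to let amanda_t signal the fsadm child it spawns; a one-line comment would make that pairing explicit, e.g. `# signal the fsadm_t child started via fstools_domtrans above -- confirm`. The interface itself is introduced later in this same patch (fstools.if) and grants `process signal`, which covers ordinary signals but not kill/stop.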
@@ -5946,7 +5954,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-06-02 13:05:27.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-06-10 09:36:52.955480000 -0400
@@ -0,0 +1,210 @@
+
+policy_module(nsplugin,1.0.0)
@@ -6737,6 +6745,43 @@
')
allow $2 $1_userhelper_t:process sigchld;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.if serefpolicy-3.3.1/policy/modules/apps/usernetctl.if
+--- nsaserefpolicy/policy/modules/apps/usernetctl.if 2008-02-26 08:23:12.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/usernetctl.if 2008-06-05 15:40:01.000000000 -0400
+@@ -63,4 +63,8 @@
+ optional_policy(`
+ modutils_run_insmod(usernetctl_t,$2,$3)
+ ')
++
++ optional_policy(`
++ ppp_run(usernetctl_t,$2,$3)
++ ')
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-3.3.1/policy/modules/apps/usernetctl.te
+--- nsaserefpolicy/policy/modules/apps/usernetctl.te 2008-02-26 08:23:12.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/usernetctl.te 2008-06-05 15:40:47.000000000 -0400
+@@ -49,15 +49,21 @@
+
+ fs_search_auto_mountpoints(usernetctl_t)
+
++auth_use_nsswitch(usernetctl_t)
++
+ libs_use_ld_so(usernetctl_t)
+ libs_use_shared_libs(usernetctl_t)
+
++logging_send_syslog_msg(usernetctl_t)
++
+ miscfiles_read_localization(usernetctl_t)
+
+ seutil_read_config(usernetctl_t)
+
+ sysnet_read_config(usernetctl_t)
+
++term_search_ptys(usernetctl_t)
++
+ optional_policy(`
+ hostname_exec(usernetctl_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.3.1/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-02-26 08:23:12.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/apps/vmware.fc 2008-06-02 13:05:27.000000000 -0400
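Review bot: `ppp_run(usernetctl_t,$2,$3)` is added inside an interface whose signature is outside the hunk (the `$2`/`$3` arguments suggest usernetctl's `*_run` interface); as refpolicy `*_run` interfaces generally do, `ppp_run` gives role `$2` the pppd domain, so every role that is granted usernetctl now also reaches pppd through a helper unprivileged users can invoke. That widening deserves a sentence in the log message or a comment at the call site, e.g. `# usernetctl brings ppp links up/down; the caller role gains pppd_t -- confirm this is wanted for unprivileged roles`. If it should not apply to every role, a tunable around the new `optional_policy` block would be the place to gate it. The three usernetctl.te additions (`auth_use_nsswitch`, `logging_send_syslog_msg`, `term_search_ptys`) look like supporting rules for that transition and raise nothing as far as the hunk shows.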
@@ -6891,6 +6936,17 @@
')
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.3.1/policy/modules/apps/wine.fc
+--- nsaserefpolicy/policy/modules/apps/wine.fc 2008-02-26 08:23:12.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/wine.fc 2008-06-10 16:19:37.571466000 -0400
+@@ -1,4 +1,5 @@
+ /usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
++HOME_DIR/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.3.1/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2008-02-26 08:23:12.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/apps/wine.if 2008-06-02 13:05:27.000000000 -0400
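Review bot: `HOME_DIR/cxoffice/bin/wine.*` labels files under a user-writable directory with `wine_exec_t`, so any binary a user places there with a name starting in `wine` becomes an entrypoint for whatever domain `wine_exec_t` transitions to; wine.te is not in this hunk, so what that domain may do beyond the user domain cannot be checked here, but the reason for the home-directory entry (presumably per-user CrossOver installs) belongs in the log message or a comment above the line. The `.*` suffix on all three entries also matches more than `wine` plus an extension — `wineserver`, `winedbg` and similar names in the same directory; if only the `wine` launcher variants are meant, a tighter pattern such as `wine(-preloader)?` would say so. Either way, one comment stating which files the pattern is meant to catch would stop the next reader from guessing.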
@@ -8256,7 +8312,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.3.1/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.te 2008-06-02 13:05:27.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/files.te 2008-06-10 14:33:02.588488000 -0400
@@ -50,11 +50,15 @@
#
# etc_t is the type of the system etc directories.
@@ -8274,7 +8330,15 @@
#
# etc_runtime_t is the type of various
-@@ -195,10 +199,7 @@
+@@ -172,6 +176,7 @@
+ #
+ type var_run_t;
+ files_pid_file(var_run_t)
++files_mountpoint(var_run_t)
+
+ #
+ # var_spool_t is the type of /var/spool
+@@ -195,10 +200,7 @@
#
# Rules for all tmp file types
#
@@ -9204,11 +9268,11 @@
# amavis local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-06-02 13:05:27.000000000 -0400
-@@ -1,10 +1,9 @@
++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-06-09 15:29:28.000000000 -0400
+@@ -1,10 +1,8 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
-+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-
+-
++HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -9218,7 +9282,7 @@
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
-@@ -16,7 +15,6 @@
+@@ -16,7 +14,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -9226,7 +9290,7 @@
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -33,6 +31,7 @@
+@@ -33,6 +30,7 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -9234,7 +9298,7 @@
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -48,11 +47,14 @@
+@@ -48,11 +46,14 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -9249,7 +9313,7 @@
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -66,10 +68,21 @@
+@@ -66,10 +67,21 @@
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -9884,7 +9948,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-06-02 13:05:28.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-06-05 14:17:18.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@@ -10188,16 +10252,17 @@
')
optional_policy(`
-@@ -472,13 +559,14 @@
- openca_kill(httpd_t)
+@@ -473,12 +560,15 @@
')
+ optional_policy(`
+tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_t)
+ postgresql_tcp_connect(httpd_sys_script_t)
+')
++')
+
- optional_policy(`
++optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
-
@@ -10207,7 +10272,7 @@
')
optional_policy(`
-@@ -486,6 +574,7 @@
+@@ -486,6 +576,7 @@
')
optional_policy(`
@@ -10215,7 +10280,7 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -521,6 +610,22 @@
+@@ -521,6 +612,22 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
@@ -10238,7 +10303,7 @@
########################################
#
# Apache PHP script local policy
-@@ -550,18 +655,24 @@
+@@ -550,18 +657,26 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -10257,6 +10322,8 @@
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
++ corenet_tcp_connect_mysqld_port(httpd_suexec_t)
++ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
')
optional_policy(`
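Review bot: The two added lines give `httpd_suexec_t` direct access to the mysqld port, next to the existing grants for `httpd_t` and `httpd_sys_script_t`. suexec is the wrapper that switches user and executes the CGI, after which the script normally runs in a script domain, so a database connection from the suexec domain itself is unexpected and widens what a compromised suexec can reach. If an AVC showed a script that stays in `httpd_suexec_t` (no domain transition) needing the port, say so above the lines, e.g. `# CGI that runs without a transition stays in httpd_suexec_t and needs the DB port -- confirm`; otherwise the access belongs on the script domain only. The enclosing tunable block opens outside the hunk, so whether this is gated by `httpd_can_network_connect_db` as the neighbouring lines suggest cannot be confirmed here.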
@@ -10266,7 +10333,7 @@
')
########################################
-@@ -585,6 +696,8 @@
+@@ -585,6 +700,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -10275,7 +10342,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +706,7 @@
+@@ -593,9 +710,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -10286,7 +10353,7 @@
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +739,7 @@
+@@ -628,6 +743,7 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -10294,7 +10361,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -638,6 +750,12 @@
+@@ -638,6 +754,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -10307,7 +10374,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +773,6 @@
+@@ -655,10 +777,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -10318,7 +10385,7 @@
########################################
#
# Apache system script local policy
-@@ -668,7 +782,8 @@
+@@ -668,7 +786,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -10328,7 +10395,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +797,44 @@
+@@ -682,15 +801,44 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -10340,15 +10407,15 @@
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
-+ fs_read_nfs_files(httpd_sys_script_t)
-+ fs_read_nfs_symlinks(httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
++ fs_read_nfs_files(httpd_sys_script_t)
++ fs_read_nfs_symlinks(httpd_sys_script_t)
++')
++
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -10374,15 +10441,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +844,15 @@
- clamav_domtrans_clamscan(httpd_sys_script_t)
- ')
-
-+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_mysqld_port(httpd_t)
-+ corenet_sendrecv_mysqld_client_packets(httpd_t)
-+')
-+
+@@ -703,6 +851,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -10390,7 +10449,7 @@
')
########################################
-@@ -724,3 +874,60 @@
+@@ -724,3 +873,60 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -12093,8 +12152,33 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.3.1/policy/modules/services/courier.fc
--- nsaserefpolicy/policy/modules/services/courier.fc 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/courier.fc 2008-06-02 13:48:21.000000000 -0400
-@@ -19,3 +19,5 @@
++++ serefpolicy-3.3.1/policy/modules/services/courier.fc 2008-06-10 16:00:43.285817000 -0400
+@@ -1,4 +1,5 @@
+ /etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
++/etc/authlib(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+
+ /usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
+@@ -6,11 +7,18 @@
+ /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+
++/usr/libexec/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
++/usr/lib(64)?/courier/bin(/.*)? gen_context(system_u:object_r:courier_exec_t,s0)
++/usr/lib(64)?/courier/sbin(/.*)? gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
++/usr/lib(64)?/courier/libexec/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
++/usr/lib(64)?/courier/courier/libexec/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib(64)?/courier/courier/libexec/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib(64)?/courier/courier/libexec/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+ /usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+@@ -19,3 +27,5 @@
/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0)
/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0)
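Review bot: `/usr/lib(64)?/courier/bin(/.*)?` and `/usr/lib(64)?/courier/sbin(/.*)?` are the only executable entries in this hunk without the `--` file-type qualifier, so the directories themselves (and any non-regular files under them) get `courier_exec_t`, whereas every other exec path here labels regular files only. Unless directories carrying an exec type are intended, `/usr/lib(64)?/courier/bin/.* -- gen_context(system_u:object_r:courier_exec_t,s0)` (and likewise for `sbin`) matches the rest of the file. The new `courier/libexec/courier/.*` entry and the `courier/courier/libexec/...` entries are two distinct paths; a short comment naming which package layout each covers would save the next reader from reading one as a typo of the other.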
@@ -24010,13 +24094,13 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/slattach.fc serefpolicy-3.3.1/policy/modules/services/slattach.fc
--- nsaserefpolicy/policy/modules/services/slattach.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/slattach.fc 2008-06-04 09:21:54.419020000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/slattach.fc 2008-06-04 09:21:54.000000000 -0400
@@ -0,0 +1,2 @@
+
+/sbin/slattach -- gen_context(system_u:object_r:slattach_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/slattach.if serefpolicy-3.3.1/policy/modules/services/slattach.if
--- nsaserefpolicy/policy/modules/services/slattach.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/slattach.if 2008-06-04 09:21:54.426013000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/slattach.if 2008-06-04 09:21:54.000000000 -0400
@@ -0,0 +1,22 @@
+
+## <summary>policy for slattach</summary>
@@ -24042,7 +24126,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/slattach.te serefpolicy-3.3.1/policy/modules/services/slattach.te
--- nsaserefpolicy/policy/modules/services/slattach.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/slattach.te 2008-06-04 09:21:54.429013000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/slattach.te 2008-06-04 09:21:54.000000000 -0400
@@ -0,0 +1,31 @@
+policy_module(slattach,1.0.0)
+
@@ -25069,7 +25153,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-06-02 13:05:29.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-06-10 14:58:24.317719000 -0400
@@ -21,8 +21,10 @@
gen_tunable(spamd_enable_home_dirs,true)
@@ -25199,7 +25283,7 @@
')
optional_policy(`
-@@ -212,3 +260,214 @@
+@@ -212,3 +260,215 @@
optional_policy(`
udev_read_db(spamd_t)
')
@@ -25294,6 +25378,7 @@
+ corenet_udp_sendrecv_all_ports(spamassassin_t)
+ corenet_tcp_connect_all_ports(spamassassin_t)
+ corenet_sendrecv_all_client_packets(spamassassin_t)
++ corenet_udp_bind_generic_port(spamassassin_t)
+
+ sysnet_read_config(spamassassin_t)
+')
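Review bot: `corenet_udp_bind_generic_port(spamassassin_t)` adds a bind permission on an untyped UDP port to a block that otherwise grants only client-side connect and send/receive rights, and the block's opening line is outside the hunk, so what gates it cannot be checked here. Binding a specific, non-ephemeral port is a server-style right; the line should name the port or use case that triggered it, e.g. `# <which lookup/port> needs a fixed UDP source port -- confirm`. Without that, a reader cannot distinguish a needed rule from one added to silence an AVC.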
@@ -28629,7 +28714,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-06-02 13:05:29.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-06-10 15:02:19.035613000 -0400
@@ -56,10 +56,6 @@
miscfiles_read_localization($1_chkpwd_t)
@@ -29004,20 +29089,29 @@
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.3.1/policy/modules/system/fstools.if
--- nsaserefpolicy/policy/modules/system/fstools.if 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/fstools.if 2008-06-02 13:05:29.000000000 -0400
-@@ -81,10 +81,10 @@
- #
- interface(`fstools_read_pipes',`
- gen_require(`
-- type fsadm_t;
-+ type fstools_t;
- ')
++++ serefpolicy-3.3.1/policy/modules/system/fstools.if 2008-06-10 15:03:47.642923000 -0400
+@@ -142,3 +142,21 @@
-- allow $1 fsadm_t:fifo_file read_fifo_file_perms;
-+ allow $1 fstools_t:fifo_file read_fifo_file_perms;
+ allow $1 swapfile_t:file getattr;
')
-
- ########################################
++
++########################################
++## <summary>
++## Send signal to fsadm process
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fstools_signal',`
++ gen_require(`
++ type fsadm_t;
++ ')
++
++ allow $1 fsadm_t:process signal;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.3.1/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2008-02-26 08:23:09.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/fstools.te 2008-06-02 13:05:29.000000000 -0400
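Review bot: The new `fstools_signal` interface's summary says "Send signal to fsadm process", but the rule grants `process signal`, which is the general-signal permission and does not include `sigkill`, `sigstop` or `sigchld`; stating that, e.g. `## Send general signals (not kill/stop) to the fsadm process`, tells callers what they are not getting. The hunk also drops the earlier `fsadm_t` to `fstools_t` rename inside `fstools_read_pipes`, so both interfaces now refer to `fsadm_t` consistently; fstools.te is not in this hunk, so the type's declaration cannot be checked here, but the two interfaces at least agree with each other.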
@@ -33537,7 +33631,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-02 13:05:29.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-05 15:28:32.000000000 -0400
@@ -29,9 +29,14 @@
')
@@ -34108,7 +34202,7 @@
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
-@@ -692,183 +672,201 @@
+@@ -692,187 +672,201 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -34342,21 +34436,18 @@
- optional_policy(`
- # to allow monitoring of pcmcia status
- pcmcia_read_pid($1_t)
+- ')
+ optional_policy(`
+ tunable_policy(`allow_user_postgresql_connect',`
+ postgresql_stream_connect($1_usertype)
+ ')
+ ')
-+
-+ tunable_policy(`user_ttyfile_stat',`
-+ term_getattr_all_user_ttys($1_usertype)
- ')
- optional_policy(`
+- optional_policy(`
- pcscd_read_pub_files($1_t)
- pcscd_stream_connect($1_t)
-+ # to allow monitoring of pcmcia status
-+ pcmcia_read_pid($1_usertype)
++ tunable_policy(`user_ttyfile_stat',`
++ term_getattr_all_user_ttys($1_usertype)
')
optional_policy(`
@@ -34364,34 +34455,40 @@
- postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t)
- ')
-+ pcscd_read_pub_files($1_usertype)
-+ pcscd_stream_connect($1_usertype)
++ # to allow monitoring of pcmcia status
++ pcmcia_read_pid($1_usertype)
')
optional_policy(`
- resmgr_stream_connect($1_t)
-+ resmgr_stream_connect($1_usertype)
++ pcscd_read_pub_files($1_usertype)
++ pcscd_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
++ resmgr_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+- samba_stream_connect_winbind($1_t)
+ rpc_dontaudit_getattr_exports($1_usertype)
+ rpc_manage_nfs_rw_content($1_usertype)
')
optional_policy(`
-- samba_stream_connect_winbind($1_t)
+- slrnpull_search_spool($1_t)
+ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
-- slrnpull_search_spool($1_t)
+- usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ slrnpull_search_spool($1_usertype)
')
+ ')
- optional_policy(`
-@@ -895,6 +893,8 @@
+@@ -895,6 +889,8 @@
## </param>
#
template(`userdom_login_user_template', `
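Review bot: The patch now removes upstream's `usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })` from this template (the outer-added, inner-removed line near the end of the hunk) without a `$1_usertype` replacement anywhere in the hunk, unlike every other `$1_t` to `$1_usertype` conversion here (`samba_stream_connect_winbind`, `slrnpull_search_spool`, `resmgr_stream_connect`, the rpc and pcscd calls). If usernetctl is meant to move to a narrower template or be dropped for user roles, the log message should say so; if it is an accident of realigning the inner hunk, the call presumably comes back as `usernetctl_run($1_usertype,$1_r,{ $1_devpts_t $1_tty_device_t })`. This matters because the usernetctl.if change earlier in the same patch adds `ppp_run` to usernetctl's run interface, so wherever `usernetctl_run` ends up decides which roles gain pppd. The template opens before the preceding hunk, so a replacement in the part of the template not shown cannot be ruled out.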
@@ -34400,7 +34497,7 @@
userdom_base_user_template($1)
userdom_manage_home_template($1)
-@@ -923,70 +923,73 @@
+@@ -923,70 +919,73 @@
allow $1_t self:context contains;
@@ -34507,7 +34604,7 @@
')
')
-@@ -1020,9 +1023,6 @@
+@@ -1020,9 +1019,6 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@@ -34517,7 +34614,7 @@
typeattribute $1_tty_device_t user_ttynode;
##############################
-@@ -1031,16 +1031,29 @@
+@@ -1031,16 +1027,29 @@
#
# privileged home directory writers
@@ -34554,7 +34651,7 @@
')
#######################################
-@@ -1068,6 +1081,13 @@
+@@ -1068,6 +1077,13 @@
userdom_restricted_user_template($1)
@@ -34568,7 +34665,7 @@
userdom_xwindows_client_template($1)
##############################
-@@ -1076,14 +1096,16 @@
+@@ -1076,14 +1092,16 @@
#
authlogin_per_role_template($1, $1_t, $1_r)
@@ -34590,7 +34687,7 @@
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1091,32 +1113,29 @@
+@@ -1091,32 +1109,29 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -34634,7 +34731,7 @@
')
')
-@@ -1127,10 +1146,10 @@
+@@ -1127,10 +1142,10 @@
## </summary>
## <desc>
## <p>
@@ -34649,7 +34746,7 @@
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1164,7 +1183,6 @@
+@@ -1164,7 +1179,6 @@
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
@@ -34657,7 +34754,7 @@
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -1182,32 +1200,45 @@
+@@ -1182,32 +1196,45 @@
')
')
@@ -34715,7 +34812,7 @@
')
')
-@@ -1284,8 +1315,6 @@
+@@ -1284,8 +1311,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -34724,7 +34821,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1307,8 +1336,6 @@
+@@ -1307,8 +1332,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -34733,7 +34830,7 @@
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1363,13 +1390,6 @@
+@@ -1363,13 +1386,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -34747,7 +34844,7 @@
optional_policy(`
userhelper_exec($1_t)
')
-@@ -1422,6 +1442,7 @@
+@@ -1422,6 +1438,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -34755,7 +34852,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1787,10 +1808,14 @@
+@@ -1787,10 +1804,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -34771,7 +34868,7 @@
')
########################################
-@@ -1886,11 +1911,11 @@
+@@ -1886,11 +1907,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -34785,7 +34882,7 @@
')
########################################
-@@ -1920,11 +1945,11 @@
+@@ -1920,11 +1941,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -34799,7 +34896,7 @@
')
########################################
-@@ -1968,12 +1993,12 @@
+@@ -1968,12 +1989,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -34815,7 +34912,7 @@
')
########################################
-@@ -2003,10 +2028,11 @@
+@@ -2003,10 +2024,11 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -34829,7 +34926,7 @@
')
########################################
-@@ -2038,11 +2064,48 @@
+@@ -2038,11 +2060,48 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -34880,7 +34977,7 @@
')
########################################
-@@ -2074,10 +2137,10 @@
+@@ -2074,10 +2133,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -34893,7 +34990,7 @@
')
########################################
-@@ -2107,11 +2170,11 @@
+@@ -2107,11 +2166,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -34907,7 +35004,7 @@
')
########################################
-@@ -2141,11 +2204,11 @@
+@@ -2141,11 +2200,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -34922,7 +35019,7 @@
')
########################################
-@@ -2175,10 +2238,14 @@
+@@ -2175,10 +2234,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -34939,7 +35036,7 @@
')
########################################
-@@ -2208,11 +2275,11 @@
+@@ -2208,11 +2271,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -34953,7 +35050,7 @@
')
########################################
-@@ -2242,11 +2309,11 @@
+@@ -2242,11 +2305,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -34967,7 +35064,7 @@
')
########################################
-@@ -2276,10 +2343,10 @@
+@@ -2276,10 +2339,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -34980,7 +35077,7 @@
')
########################################
-@@ -2311,12 +2378,12 @@
+@@ -2311,12 +2374,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -34996,7 +35093,7 @@
')
########################################
-@@ -2348,10 +2415,10 @@
+@@ -2348,10 +2411,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -35009,7 +35106,7 @@
')
########################################
-@@ -2383,12 +2450,12 @@
+@@ -2383,12 +2446,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -35025,7 +35122,7 @@
')
########################################
-@@ -2420,12 +2487,12 @@
+@@ -2420,12 +2483,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -35041,7 +35138,7 @@
')
########################################
-@@ -2457,12 +2524,12 @@
+@@ -2457,12 +2520,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -35057,7 +35154,7 @@
')
########################################
-@@ -2507,11 +2574,11 @@
+@@ -2507,11 +2570,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -35071,7 +35168,7 @@
')
########################################
-@@ -2556,11 +2623,11 @@
+@@ -2556,11 +2619,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -35085,7 +35182,7 @@
')
########################################
-@@ -2600,11 +2667,11 @@
+@@ -2600,11 +2663,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -35099,7 +35196,7 @@
')
########################################
-@@ -2634,11 +2701,11 @@
+@@ -2634,11 +2697,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -35113,7 +35210,7 @@
')
########################################
-@@ -2668,11 +2735,11 @@
+@@ -2668,11 +2731,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -35127,7 +35224,7 @@
')
########################################
-@@ -2704,10 +2771,10 @@
+@@ -2704,10 +2767,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -35140,7 +35237,7 @@
')
########################################
-@@ -2739,10 +2806,10 @@
+@@ -2739,10 +2802,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -35153,7 +35250,7 @@
')
########################################
-@@ -2772,12 +2839,12 @@
+@@ -2772,12 +2835,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -35169,7 +35266,7 @@
')
########################################
-@@ -2809,10 +2876,10 @@
+@@ -2809,10 +2872,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -35182,7 +35279,7 @@
')
########################################
-@@ -2844,10 +2911,48 @@
+@@ -2844,10 +2907,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -35233,7 +35330,7 @@
')
########################################
-@@ -2877,12 +2982,12 @@
+@@ -2877,12 +2978,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -35249,7 +35346,7 @@
')
########################################
-@@ -2914,10 +3019,10 @@
+@@ -2914,10 +3015,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -35262,7 +35359,7 @@
')
########################################
-@@ -2949,12 +3054,12 @@
+@@ -2949,12 +3050,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -35278,7 +35375,7 @@
')
########################################
-@@ -2986,11 +3091,11 @@
+@@ -2986,11 +3087,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -35292,7 +35389,7 @@
')
########################################
-@@ -3022,11 +3127,11 @@
+@@ -3022,11 +3123,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -35306,7 +35403,7 @@
')
########################################
-@@ -3058,11 +3163,11 @@
+@@ -3058,11 +3159,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -35320,7 +35417,7 @@
')
########################################
-@@ -3094,11 +3199,11 @@
+@@ -3094,11 +3195,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -35334,7 +35431,7 @@
')
########################################
-@@ -3130,11 +3235,11 @@
+@@ -3130,11 +3231,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -35348,7 +35445,7 @@
')
########################################
-@@ -3179,10 +3284,10 @@
+@@ -3179,10 +3280,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -35361,7 +35458,7 @@
files_search_tmp($2)
')
-@@ -3223,10 +3328,10 @@
+@@ -3223,10 +3324,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -35374,7 +35471,7 @@
')
########################################
-@@ -3254,24 +3359,24 @@
+@@ -3254,24 +3355,24 @@
## </summary>
## </param>
#
@@ -35403,7 +35500,7 @@
## </p>
## <p>
## This is a templated interface, and should only
-@@ -3290,17 +3395,89 @@
+@@ -3290,12 +3391,84 @@
## </summary>
## </param>
#
@@ -35419,11 +35516,10 @@
+ allow $2 $1_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to list user
++')
++
++########################################
++## <summary>
+## Unlink user tmpfs files.
+## </summary>
+## <desc>
@@ -35489,15 +35585,10 @@
+ ')
+
+ allow $2 $1_untrusted_content_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to list user
- ## untrusted directories.
- ## </summary>
- ## <desc>
-@@ -3962,6 +4139,24 @@
+ ')
+
+ ########################################
+@@ -3962,6 +4135,24 @@
########################################
## <summary>
@@ -35522,7 +35613,7 @@
## Manage unpriviledged user SysV shared
## memory segments.
## </summary>
-@@ -4231,11 +4426,11 @@
+@@ -4231,11 +4422,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -35536,7 +35627,7 @@
')
########################################
-@@ -4251,10 +4446,10 @@
+@@ -4251,10 +4442,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -35549,7 +35640,7 @@
')
########################################
-@@ -4270,11 +4465,11 @@
+@@ -4270,11 +4461,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -35563,7 +35654,7 @@
')
########################################
-@@ -4289,16 +4484,16 @@
+@@ -4289,16 +4480,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -35583,7 +35674,7 @@
## users home directory.
## </summary>
## <param name="domain">
-@@ -4307,12 +4502,35 @@
+@@ -4307,12 +4498,35 @@
## </summary>
## </param>
#
@@ -35622,7 +35713,7 @@
')
########################################
-@@ -4327,13 +4545,13 @@
+@@ -4327,13 +4541,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -35640,7 +35731,7 @@
')
########################################
-@@ -4531,10 +4749,10 @@
+@@ -4531,10 +4745,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -35653,7 +35744,7 @@
')
########################################
-@@ -4551,10 +4769,10 @@
+@@ -4551,10 +4765,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -35666,7 +35757,7 @@
')
########################################
-@@ -4569,10 +4787,10 @@
+@@ -4569,10 +4783,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -35679,7 +35770,7 @@
')
########################################
-@@ -4588,10 +4806,10 @@
+@@ -4588,10 +4802,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -35692,7 +35783,7 @@
')
########################################
-@@ -4606,10 +4824,10 @@
+@@ -4606,10 +4820,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -35705,7 +35796,7 @@
')
########################################
-@@ -4625,10 +4843,10 @@
+@@ -4625,10 +4839,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -35718,7 +35809,7 @@
')
########################################
-@@ -4644,12 +4862,11 @@
+@@ -4644,12 +4858,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -35734,7 +35825,7 @@
')
########################################
-@@ -4676,10 +4893,10 @@
+@@ -4676,10 +4889,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -35747,7 +35838,7 @@
')
########################################
-@@ -4694,10 +4911,10 @@
+@@ -4694,10 +4907,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -35760,7 +35851,7 @@
')
########################################
-@@ -4712,13 +4929,13 @@
+@@ -4712,13 +4925,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -35778,7 +35869,7 @@
')
########################################
-@@ -4754,11 +4971,49 @@
+@@ -4754,11 +4967,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -35829,7 +35920,7 @@
')
########################################
-@@ -4778,6 +5033,14 @@
+@@ -4778,6 +5029,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -35844,7 +35935,7 @@
')
########################################
-@@ -4839,6 +5102,26 @@
+@@ -4839,6 +5098,26 @@
########################################
## <summary>
@@ -35871,7 +35962,7 @@
## Create, read, write, and delete all directories
## in all users home directories.
## </summary>
-@@ -4859,6 +5142,25 @@
+@@ -4859,6 +5138,25 @@
########################################
## <summary>
@@ -35897,7 +35988,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4879,6 +5181,26 @@
+@@ -4879,6 +5177,26 @@
########################################
## <summary>
@@ -35924,7 +36015,7 @@
## Create, read, write, and delete all symlinks
## in all users home directories.
## </summary>
-@@ -5115,7 +5437,7 @@
+@@ -5115,7 +5433,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -35933,7 +36024,7 @@
')
files_search_home($1)
-@@ -5304,6 +5626,63 @@
+@@ -5304,6 +5622,63 @@
########################################
## <summary>
@@ -35997,7 +36088,7 @@
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
-@@ -5509,7 +5888,7 @@
+@@ -5509,7 +5884,7 @@
########################################
## <summary>
@@ -36006,7 +36097,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5517,18 +5896,17 @@
+@@ -5517,18 +5892,17 @@
## </summary>
## </param>
#
@@ -36029,13 +36120,14 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5536,7 +5914,44 @@
+@@ -5536,9 +5910,46 @@
## </summary>
## </param>
#
-interface(`userdom_dontaudit_use_unpriv_users_ttys',`
+interface(`userdom_manage_unpriv_users_tmp_symlinks',`
-+ gen_require(`
+ gen_require(`
+- attribute user_ttynode;
+ type user_tmp_t;
+ ')
+
@@ -36072,10 +36164,12 @@
+## </param>
+#
+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
- gen_require(`
- attribute user_ttynode;
++ gen_require(`
++ attribute user_ttynode;
')
-@@ -5559,7 +5974,7 @@
+
+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
+@@ -5559,7 +5970,7 @@
attribute userdomain;
')
@@ -36084,7 +36178,7 @@
kernel_search_proc($1)
')
-@@ -5674,6 +6089,42 @@
+@@ -5674,6 +6085,42 @@
########################################
## <summary>
@@ -36127,7 +36221,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5704,3 +6155,408 @@
+@@ -5704,3 +6151,408 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -37451,7 +37545,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.3.1/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-06-02 13:05:29.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-06-10 14:35:09.018062000 -0400
@@ -6,6 +6,13 @@
# Declarations
#
@@ -37562,7 +37656,16 @@
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
-@@ -257,7 +264,7 @@
+@@ -245,6 +252,8 @@
+
+ files_read_usr_files(xenconsoled_t)
+
++fs_list_tmpfs(xenconsoled_t)
++
+ term_create_pty(xenconsoled_t,xen_devpts_t);
+ term_use_generic_ptys(xenconsoled_t)
+ term_use_console(xenconsoled_t)
+@@ -257,7 +266,7 @@
miscfiles_read_localization(xenconsoled_t)
@@ -37571,7 +37674,7 @@
xen_stream_connect_xenstore(xenconsoled_t)
########################################
-@@ -265,7 +272,7 @@
+@@ -265,7 +274,7 @@
# Xen store local policy
#
@@ -37580,7 +37683,18 @@
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
allow xenstored_t self:unix_dgram_socket create_socket_perms;
-@@ -318,12 +325,13 @@
+@@ -310,6 +319,10 @@
+
+ xen_append_log(xenstored_t)
+
++optional_policy(`
++ unconfined_domain(xenstored_t)
++')
++
+ ########################################
+ #
+ # xm local policy
+@@ -318,12 +331,13 @@
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
# internal communication is often done using fifo and unix sockets.
@@ -37595,7 +37709,7 @@
files_search_var_lib(xm_t)
allow xm_t xen_image_t:dir rw_dir_perms;
-@@ -336,6 +344,7 @@
+@@ -336,6 +350,7 @@
kernel_write_xen_state(xm_t)
corecmd_exec_bin(xm_t)
@@ -37603,7 +37717,7 @@
corenet_tcp_sendrecv_generic_if(xm_t)
corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -351,8 +360,11 @@
+@@ -351,8 +366,11 @@
storage_raw_read_fixed_disk(xm_t)
@@ -37615,7 +37729,7 @@
init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t)
-@@ -363,6 +375,23 @@
+@@ -363,6 +381,23 @@
sysnet_read_config(xm_t)
@@ -37808,8 +37922,8 @@
+## <summary>Policy for staff user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-06-02 13:05:29.000000000 -0400
-@@ -0,0 +1,25 @@
++++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-06-05 15:29:01.000000000 -0400
+@@ -0,0 +1,29 @@
+policy_module(staff,1.0.1)
+userdom_admin_login_user_template(staff)
+
@@ -37829,6 +37943,10 @@
+ cron_per_role_template(staff, staff_t, staff_r)
+')
+
++optional_policy(`
++ usernetctl_run(staff_t,staff_r,{ staff_devpts_t staff_tty_device_t })
++')
++
+ifndef(`enable_mls',`
+optional_policy(`
+userdom_role_change_template(staff, unconfined)
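Review bot: The added `usernetctl_run(staff_t,staff_r,{ staff_devpts_t staff_tty_device_t })` widens what the staff role can do (by refpolicy convention a `*_run` interface grants a domain transition plus role and terminal access) with no comment on why staff users need to run usernetctl. A one-line comment above the block, e.g. `# let staff users bring user-controllable network interfaces up and down via usernetctl`, would document the intent next to the similarly bare cron block; confirm the rationale with whoever requested it. staff.te is a file added by the enclosing patch, so the rest of the module lies outside this hunk.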
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.682
retrieving revision 1.683
diff -u -r1.682 -r1.683
--- selinux-policy.spec 4 Jun 2008 13:34:08 -0000 1.682
+++ selinux-policy.spec 10 Jun 2008 20:44:51 -0000 1.683
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 66%{?dist}
+Release: 67%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz