rpms/selinux-policy/F-9 policy-20071130.patch, 1.178, 1.179 selinux-policy.spec, 1.685, 1.686
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Jun 23 12:21:07 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25529
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-69
- Apply unconfined_execmem_exec_t to haskell programs
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.178
retrieving revision 1.179
diff -u -r1.178 -r1.179
--- policy-20071130.patch 23 Jun 2008 00:49:32 -0000 1.178
+++ policy-20071130.patch 23 Jun 2008 12:20:17 -0000 1.179
@@ -21090,8 +21090,8 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.3.1/policy/modules/services/prelude.fc
--- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-06-22 20:42:15.000000000 -0400
-@@ -0,0 +1,16 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-06-23 08:14:28.000000000 -0400
+@@ -0,0 +1,17 @@
+
+/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0)
+
@@ -21107,13 +21107,13 @@
+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
++
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.3.1/policy/modules/services/prelude.if
--- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-06-12 23:38:04.000000000 -0400
-@@ -0,0 +1,128 @@
-+
-+## <summary>policy for prelude</summary>
++++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-06-23 08:18:35.000000000 -0400
+@@ -0,0 +1,190 @@
++## <summary>Prelude hybrid intrusion detection system</summary>
+
+########################################
+## <summary>
@@ -21127,13 +21127,85 @@
+#
+interface(`prelude_domtrans',`
+ gen_require(`
-+ type prelude_t;
-+ type prelude_exec_t;
++ type prelude_t, prelude_exec_t;
++ ')
++
++ domtrans_pattern($1, prelude_exec_t, prelude_t)
++')
++
++########################################
++## <summary>
++## Execute a domain transition to run prelude_audisp.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`prelude_domtrans_audisp',`
++ gen_require(`
++ type prelude_audisp_t, prelude_audisp_exec_t;
++ ')
++
++ domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
++')
++
++########################################
++## <summary>
++## Signal the prelude_audisp domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`prelude_signal_audisp',`
++ gen_require(`
++ type prelude_audisp_t;
++ ')
++
++ allow $1 prelude_audisp_t:process signal;
++')
++
++########################################
++## <summary>
++## Read the prelude spool files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`prelude_read_spool',`
++ gen_require(`
++ type prelude_spool_t;
+ ')
+
-+ domtrans_pattern($1,prelude_exec_t,prelude_t)
++ files_search_spool($1)
++ read_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
++########################################
++## <summary>
++## Read/Write to prelude-manager spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`prelude_rw_spool',`
++ gen_require(`
++ type prelude_spool_t;
++ ')
++
++ files_search_spool($1)
++ rw_files_pattern($1, prelude_spool_t, prelude_spool_t)
++')
+
+########################################
+## <summary>
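Review bot: The `<param>` summaries for `prelude_signal_audisp` and `prelude_rw_spool` read `Domain allowed to transition.` although neither interface performs a domain transition; `prelude_read_spool` in the same hunk uses `Domain allowed access.`, which is the accurate wording for all three, so the other two should say `## Domain allowed access.` as well. Separately, `prelude_read_spool` only grants `read_files_pattern($1, prelude_spool_t, prelude_spool_t)`, which lets a caller open spool files it already knows the names of but not enumerate the spool directory; if the intended consumers need to list it, `list_dirs_pattern($1, prelude_spool_t, prelude_spool_t)` would have to be added — worth confirming against the callers before release.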
@@ -21155,6 +21227,24 @@
+
+########################################
+## <summary>
++## Execute prelude lml server in the prelude lml domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`prelude_lml_script_domtrans',`
++ gen_require(`
++ type prelude_lml_script_exec_t;
++ ')
++
++ init_script_domtrans_spec($1,prelude_lml_script_exec_t)
++')
++
++########################################
++## <summary>
+## All of the rules required to administrate
+## an prelude environment
+## </summary>
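Review bot: The summary `Execute prelude lml server in the prelude lml domain.` does not describe what `prelude_lml_script_domtrans` does: its body is `init_script_domtrans_spec($1,prelude_lml_script_exec_t)`, which transitions through the init script type, not `prelude_lml_exec_t`, so a caller trusting the summary would expect to land in prelude_lml_t. Suggest `## Execute the prelude-lml init script in the init script domain.`; the `snort_script_domtrans` interface added in the hunk at L452 has the same mismatch (`Execute snort IDS in the snort domain.`). The call also omits the space after the comma that every other macro call in this patch uses, `init_script_domtrans_spec($1, prelude_lml_script_exec_t)`.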
@@ -21177,74 +21267,48 @@
+#
+interface(`prelude_admin',`
+ gen_require(`
-+ type prelude_t;
-+ type prelude_spool_t;
-+ type prelude_var_run_t;
-+ type prelude_var_lib_t;
++ type prelude_t, prelude_spool_t;
++ type prelude_var_run_t, prelude_var_lib_t;
++ type prelude_audisp_t, prelude_audisp_var_run_t;
+ type prelude_script_exec_t;
-+ type audisp_prelude_t;
-+ type audisp_prelude_var_run_t;
++
++ type prelude_lml_t, prelude_lml_tmp_t;
++ type prelude_lml_var_run_t;
++ type prelude_lml_script_exec_t;
+ ')
+
-+ allow $1 prelude_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, prelude_t, prelude_t)
-+
-+ allow $1 audisp_prelude_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, audisp_prelude_t, audisp_prelude_t)
-+
++ allow $1 prelude_t:process { ptrace signal_perms };
++ ps_process_pattern($1, prelude_t)
++
++ allow $1 prelude_audisp_t:process { ptrace signal_perms };
++ ps_process_pattern($1, prelude_audisp_t)
++
++ allow $1 prelude_lml_t:process { ptrace signal_perms };
++ ps_process_pattern($1, prelude_lml_t)
++
+ # Allow prelude_t to restart the apache service
+ prelude_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 prelude_script_exec_t system_r;
+ allow $2 system_r;
+
++ # Allow prelude_t to restart the apache service
++ prelude_lml_script_domtrans($1)
++ role_transition $2 prelude_lml_script_exec_t system_r;
++
+ manage_all_pattern($1, prelude_spool_t)
+ manage_all_pattern($1, prelude_var_lib_t)
+ manage_all_pattern($1, prelude_var_run_t)
-+ manage_all_pattern($1, audisp_prelude_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Execute a domain transition to run audisp_prelude.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`audisp_prelude_domtrans',`
-+ gen_require(`
-+ type audisp_prelude_t;
-+ type audisp_prelude_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,audisp_prelude_exec_t,audisp_prelude_t)
-+')
-+
-+########################################
-+## <summary>
-+## Signal the audisp_prelude domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`audisp_prelude_signal',`
-+ gen_require(`
-+ type audisp_prelude_t;
-+ ')
-+
-+ allow $1 audisp_prelude_t:process signal;
++ manage_all_pattern($1, prelude_audisp_var_run_t)
++ manage_all_pattern($1, prelude_lml_tmp_t)
++ manage_all_pattern($1, prelude_lml_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-22 07:53:37.000000000 -0400
-@@ -0,0 +1,246 @@
-+policy_module(prelude,1.0.0)
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-23 08:14:23.000000000 -0400
+@@ -0,0 +1,244 @@
++
++policy_module(prelude, 1.0.0)
+
+########################################
+#
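Review bot: The comment added above `prelude_lml_script_domtrans($1)`, `# Allow prelude_t to restart the apache service`, is copied from the block above it and names neither the actual subject ($1, the administrative domain) nor the actual target (the prelude-lml init script); suggest `# Allow $1 to run the prelude-lml init script`, and the pre-existing comment over `prelude_script_domtrans($1)` misnames apache in the same way. This hunk also deletes the `audisp_prelude_domtrans` and `audisp_prelude_signal` interfaces while the hunk at L274 keeps the old type names reachable through `typealias`; any module still calling the removed interface names will fail to build, so if the aliases are there for compatibility the old names should stay as thin wrappers that forward to `prelude_domtrans_audisp($1)` and `prelude_signal_audisp($1)`, and if nothing calls them the aliases are dead weight. The `getattr` dropped from the `process` permissions is presumably supplied by `ps_process_pattern` — verify rather than assume.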
@@ -21253,7 +21317,6 @@
+
+type prelude_t;
+type prelude_exec_t;
-+domain_type(prelude_t)
+init_daemon_domain(prelude_t, prelude_exec_t)
+
+type prelude_spool_t;
@@ -21268,13 +21331,15 @@
+type prelude_script_exec_t;
+init_script_type(prelude_script_exec_t)
+
-+type audisp_prelude_t;
-+type audisp_prelude_exec_t;
-+domain_type(audisp_prelude_t)
-+init_daemon_domain(audisp_prelude_t, audisp_prelude_exec_t)
-+
-+type audisp_prelude_var_run_t;
-+files_pid_file(audisp_prelude_var_run_t)
++type prelude_audisp_t;
++type prelude_audisp_exec_t;
++init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
++typealias prelude_audisp_t alias audisp_prelude_t;
++typealias prelude_audisp_exec_t alias audisp_prelude_exec_t;
++
++type prelude_audisp_var_run_t;
++files_pid_file(prelude_audisp_var_run_t)
++typealias prelude_audisp_var_run_t alias audisp_prelude_var_run_t;
+
+type prelude_lml_t;
+type prelude_lml_exec_t;
@@ -21294,37 +21359,44 @@
+# prelude local policy
+#
+
-+# Init script handling
-+domain_use_interactive_fds(prelude_t)
-+
+allow prelude_t self:capability sys_tty_config;
-+
-+# internal communication is often done using fifo and unix sockets.
+allow prelude_t self:fifo_file rw_file_perms;
+allow prelude_t self:unix_stream_socket create_stream_socket_perms;
-+
+allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_t self:tcp_socket create_stream_socket_perms;
+
-+dev_read_rand(prelude_t)
-+dev_read_urand(prelude_t)
++manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
++manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
++files_search_spool(prelude_t)
+
-+fs_rw_anon_inodefs_files(prelude_t)
++manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
++manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
++files_search_var_lib(prelude_t)
+
+manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+files_pid_filetrans(prelude_t, prelude_var_run_t, file)
+
++corecmd_search_bin(prelude_t)
++
++corenet_all_recvfrom_unlabeled(prelude_t)
++corenet_all_recvfrom_netlabel(prelude_t)
++corenet_tcp_sendrecv_all_if(prelude_t)
++corenet_tcp_sendrecv_all_nodes(prelude_t)
++corenet_tcp_bind_all_nodes(prelude_t)
++corenet_tcp_bind_prelude_port(prelude_t)
++corenet_tcp_connect_prelude_port(prelude_t)
++
++dev_read_rand(prelude_t)
++dev_read_urand(prelude_t)
++
++# Init script handling
++domain_use_interactive_fds(prelude_t)
++
+files_read_etc_files(prelude_t)
+files_read_usr_files(prelude_t)
+
-+files_search_var_lib(prelude_t)
-+manage_dirs_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t)
-+manage_files_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t)
-+
-+files_search_spool(prelude_t)
-+manage_dirs_pattern(prelude_t,prelude_spool_t,prelude_spool_t)
-+manage_files_pattern(prelude_t,prelude_spool_t,prelude_spool_t)
++fs_rw_anon_inodefs_files(prelude_t)
+
+auth_use_nsswitch(prelude_t)
+
@@ -21336,16 +21408,6 @@
+
+miscfiles_read_localization(prelude_t)
+
-+corenet_all_recvfrom_unlabeled(prelude_t)
-+corenet_all_recvfrom_netlabel(prelude_t)
-+corenet_tcp_sendrecv_all_if(prelude_t)
-+corenet_tcp_sendrecv_all_nodes(prelude_t)
-+corenet_tcp_bind_all_nodes(prelude_t)
-+corenet_tcp_bind_prelude_port(prelude_t)
-+corenet_tcp_connect_prelude_port(prelude_t)
-+
-+corecmd_search_bin(prelude_t)
-+
+optional_policy(`
+ mysql_search_db(prelude_t)
+ mysql_stream_connect(prelude_t)
@@ -21357,48 +21419,47 @@
+
+########################################
+#
-+# audisp_prelude local policy
++# prelude_audisp local policy
+#
+
-+# Init script handling
-+domain_use_interactive_fds(audisp_prelude_t)
++allow prelude_audisp_t self:fifo_file rw_file_perms;
++allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
++allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
++allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms;
++allow prelude_audisp_t self:tcp_socket create_socket_perms;
+
-+# internal communication is often done using fifo and unix sockets.
-+allow audisp_prelude_t self:fifo_file rw_file_perms;
-+allow audisp_prelude_t self:unix_stream_socket create_stream_socket_perms;
-+allow audisp_prelude_t self:netlink_route_socket r_netlink_socket_perms;
-+allow audisp_prelude_t self:tcp_socket create_socket_perms;
++manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
++manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
++files_search_spool(prelude_audisp_t)
+
-+manage_sock_files_pattern(audisp_prelude_t, audisp_prelude_var_run_t, audisp_prelude_var_run_t)
-+files_pid_filetrans(audisp_prelude_t, audisp_prelude_var_run_t, sock_file)
++manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
++files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file)
+
-+dev_read_rand(audisp_prelude_t)
-+dev_read_urand(audisp_prelude_t)
++corecmd_search_bin(prelude_audisp_t)
+
-+files_read_etc_files(audisp_prelude_t)
++corenet_all_recvfrom_unlabeled(prelude_audisp_t)
++corenet_all_recvfrom_netlabel(prelude_audisp_t)
++corenet_tcp_sendrecv_all_if(prelude_audisp_t)
++corenet_tcp_sendrecv_all_nodes(prelude_audisp_t)
++corenet_tcp_bind_all_nodes(prelude_audisp_t)
++corenet_tcp_connect_prelude_port(prelude_audisp_t)
+
-+libs_use_ld_so(audisp_prelude_t)
-+libs_use_shared_libs(audisp_prelude_t)
++dev_read_rand(prelude_audisp_t)
++dev_read_urand(prelude_audisp_t)
+
-+logging_send_syslog_msg(audisp_prelude_t)
++# Init script handling
++domain_use_interactive_fds(prelude_audisp_t)
+
-+miscfiles_read_localization(audisp_prelude_t)
++files_read_etc_files(prelude_audisp_t)
+
-+corecmd_search_bin(audisp_prelude_t)
-+allow audisp_prelude_t self:unix_dgram_socket create_socket_perms;
++libs_use_ld_so(prelude_audisp_t)
++libs_use_shared_libs(prelude_audisp_t)
+
-+logging_audisp_system_domain(audisp_prelude_t, audisp_prelude_exec_t)
++logging_send_syslog_msg(prelude_audisp_t)
+
-+files_search_spool(audisp_prelude_t)
-+manage_dirs_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t)
-+manage_files_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t)
++miscfiles_read_localization(prelude_audisp_t)
+
-+corenet_all_recvfrom_unlabeled(audisp_prelude_t)
-+corenet_all_recvfrom_netlabel(audisp_prelude_t)
-+corenet_tcp_sendrecv_all_if(audisp_prelude_t)
-+corenet_tcp_sendrecv_all_nodes(audisp_prelude_t)
-+corenet_tcp_bind_all_nodes(audisp_prelude_t)
-+corenet_tcp_connect_prelude_port(audisp_prelude_t)
++logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t)
+
+########################################
+#
@@ -24518,11 +24579,135 @@
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.3.1/policy/modules/services/snort.fc
+--- nsaserefpolicy/policy/modules/services/snort.fc 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/snort.fc 2008-06-23 08:04:51.000000000 -0400
+@@ -1,6 +1,10 @@
++/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
++/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
+
+-/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
++/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
+
+-/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
++/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
+
+-/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
++/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
++
++/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.3.1/policy/modules/services/snort.if
+--- nsaserefpolicy/policy/modules/services/snort.if 2008-06-12 23:38:02.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/snort.if 2008-06-23 08:04:54.000000000 -0400
+@@ -1 +1,95 @@
+-## <summary>Snort network intrusion detection system</summary>
++## <summary>SELinux policy for Snort IDS</summary>
++## <desc>
++## <p>
++## Applies SELinux security to Snort IDS
++## </p>
++## </desc>
++
++########################################
++## <summary>
++## Execute a domain transition to run snort.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`snort_domtrans',`
++ gen_require(`
++ type snort_t, snort_exec_t;
++ ')
++
++ domtrans_pattern($1, snort_exec_t, snort_t)
++')
++
++########################################
++## <summary>
++## Execute snort IDS in the snort domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`snort_script_domtrans',`
++ gen_require(`
++ type snort_script_exec_t;
++ ')
++
++ init_script_domtrans_spec($1, snort_script_exec_t)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an snort environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`snort_admin',`
++ gen_require(`
++ type snort_t, snort_var_run_t, snort_script_exec_t, snort_etc_t, snort_log_t;
++ ')
++
++ allow $1 snort_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, snort_t, snort_t)
++
++ manage_all_pattern($1, snort_etc_t)
++ manage_all_pattern($1, snort_var_run_t)
++ manage_all_pattern($1, snort_log_t)
++')
++
++########################################
++## <summary>
++## Signal the snort domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`snort_signal',`
++ gen_require(`
++ type snort_t;
++ ')
++
++ allow $1 snort_t:process signal;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.3.1/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-06-12 23:38:03.000000000 -0400
-@@ -11,7 +11,7 @@
- init_daemon_domain(snort_t,snort_exec_t)
++++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-06-23 08:17:50.000000000 -0400
+@@ -8,10 +8,13 @@
+
+ type snort_t;
+ type snort_exec_t;
+-init_daemon_domain(snort_t,snort_exec_t)
++init_daemon_domain(snort_t, snort_exec_t)
++
++type snort_script_exec_t;
++init_script_type(snort_script_exec_t)
type snort_etc_t;
-files_type(snort_etc_t)
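Review bot: `snort_admin` declares `role` and `terminal` parameters and requires `snort_script_exec_t`, but its body never uses `$2`, `$3` or the script type: unlike `prelude_admin` elsewhere in this patch there is no `snort_script_domtrans($1)` and no `role_transition`, so an administrator granted this interface still cannot restart snort through `/etc/rc.d/init.d/snortd`, which snort.fc in this same hunk labels `snort_script_exec_t`. The script transition and role rules belong after the process rules, as below. The role parameter's summary `The role to be allowed to manage the syslog domain.` is copied from another module and should read `The role to be allowed to manage the snort domain.`, and the `snort_script_domtrans` summary `Execute snort IDS in the snort domain.` describes an init-script transition, not execution of snort itself.
```m4
interface(`snort_admin',`
    # … unchanged: gen_require, process and read_files_pattern rules …

    # Allow $1 to run the snort init script and let $2 take system_r for it
    snort_script_domtrans($1)
    domain_system_change_exemption($1)
    role_transition $2 snort_script_exec_t system_r;
    allow $2 system_r;

    # … unchanged: manage_all_pattern rules …
```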
@@ -24530,6 +24715,38 @@
type snort_log_t;
logging_log_file(snort_log_t)
+@@ -65,8 +68,11 @@
+ corenet_raw_sendrecv_all_nodes(snort_t)
+ corenet_tcp_sendrecv_all_ports(snort_t)
+ corenet_udp_sendrecv_all_ports(snort_t)
++corenet_tcp_connect_prelude_port(snort_t)
+
+ dev_read_sysfs(snort_t)
++dev_read_rand(snort_t)
++dev_read_urand(snort_t)
+
+ domain_use_interactive_fds(snort_t)
+
+@@ -79,6 +85,8 @@
+ libs_use_ld_so(snort_t)
+ libs_use_shared_libs(snort_t)
+
++init_read_utmp(snort_t)
++
+ logging_send_syslog_msg(snort_t)
+
+ miscfiles_read_localization(snort_t)
+@@ -89,6 +97,10 @@
+ userdom_dontaudit_search_sysadm_home_dirs(snort_t)
+
+ optional_policy(`
++ prelude_rw_spool(snort_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(snort_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.3.1/policy/modules/services/soundserver.fc
--- nsaserefpolicy/policy/modules/services/soundserver.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/soundserver.fc 2008-06-12 23:38:03.000000000 -0400
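Review bot: `prelude_rw_spool(snort_t)` gives snort_t read/write on existing prelude_spool_t files only — the interface added earlier in this patch is built on `rw_files_pattern`, which carries no create, unlink or rename permission. If snort's prelude output path creates its own failover or spool files under the prelude spool directory, those operations will be denied and surface as AVC denials on prelude_spool_t; in that case the right fix is a manage-style interface in prelude.if rather than widening snort.te ad hoc. Worth confirming with a test run that exercises the prelude output before this ships.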
@@ -33114,8 +33331,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-06-12 23:38:02.000000000 -0400
-@@ -1,16 +1,18 @@
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-06-23 06:28:07.000000000 -0400
+@@ -1,16 +1,24 @@
# Add programs here which should not be confined by SELinux
# e.g.:
-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -33140,6 +33357,12 @@
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/haddock.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/hasktags -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/runghc -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-06-12 23:38:02.000000000 -0400
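Review bot: The pattern `/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)` is broader than the other new entries: `.*bin` is unanchored, so it matches any regular file anywhere under the ghc-<version> tree whose name ends in `bin`, including files in subdirectories added by future packages, and every such match receives the execmem-enabled unconfined type. If the intent is the helper executables that sit directly in that directory, `/usr/libexec/ghc-[^/]+/[^/]*bin` limits the match to one path component. The `/usr/bin/haddock.*` entry likewise matches every `/usr/bin/haddock*` file, which may be deliberate for versioned names but is worth stating in a comment.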
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.685
retrieving revision 1.686
diff -u -r1.685 -r1.686
--- selinux-policy.spec 23 Jun 2008 00:49:33 -0000 1.685
+++ selinux-policy.spec 23 Jun 2008 12:20:17 -0000 1.686
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 69%{?dist}
+Release: 70%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,9 @@
%endif
%changelog
+* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-69
+- Apply unconfined_execmem_exec_t to haskell programs
+
* Sun Jun 22 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-69
- Fix prelude file context
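Review bot: The new changelog entry is tagged `3.3.1-69` while `Release:` is bumped to `70%{?dist}` in the hunk above, and the previous entry already carries `3.3.1-69`; rpmlint reports this as incoherent-version-in-changelog and the two entries become indistinguishable in the package history. The header should read `* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-70`.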