rpms/selinux-policy/devel policy-20080710.patch, 1.67, 1.68 selinux-policy.spec, 1.727, 1.728

Daniel J Walsh dwalsh at fedoraproject.org
Mon Oct 20 19:54:01 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10763

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
* Mon Oct 20 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-2
- Fix dovecot access


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.67
retrieving revision 1.68
diff -u -r1.67 -r1.68
--- policy-20080710.patch	17 Oct 2008 22:01:06 -0000	1.67
+++ policy-20080710.patch	20 Oct 2008 19:53:29 -0000	1.68
@@ -3883,8 +3883,8 @@
 +typealias mozilla_tmp_t alias user_mozilla_tmp_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.13/policy/modules/apps/mplayer.fc
 --- nsaserefpolicy/policy/modules/apps/mplayer.fc	2008-08-07 11:15:03.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc	2008-10-17 10:31:26.000000000 -0400
-@@ -1,13 +1,8 @@
++++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc	2008-10-20 14:00:46.000000000 -0400
+@@ -1,13 +1,9 @@
  #
 -# /etc
 -#
@@ -3893,6 +3893,7 @@
 -#
  # /usr
  #
++/usr/bin/vlc		--	gen_context(system_u:object_r:mplayer_exec_t,s0)
  /usr/bin/mplayer	--	gen_context(system_u:object_r:mplayer_exec_t,s0)
  /usr/bin/mencoder	--	gen_context(system_u:object_r:mencoder_exec_t,s0)
  /usr/bin/xine		--	gen_context(system_u:object_r:mplayer_exec_t,s0)
@@ -4070,8 +4071,8 @@
 +HOME_DIR/\.config/totem(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if	2008-10-17 16:15:42.000000000 -0400
-@@ -0,0 +1,295 @@
++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if	2008-10-20 09:36:38.000000000 -0400
+@@ -0,0 +1,297 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -4172,10 +4173,12 @@
 +	dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
 +	dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
 +	dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
++	dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms;
 +	dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
 +	dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
 +	dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
 +	dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
++	dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
 +	allow nsplugin_t $2:unix_stream_socket connectto;
 +	dontaudit nsplugin_t $2:process ptrace;
 +
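Review bot: The two new `dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms;` / `dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;` lines silence denials without recording why, and a dontaudit on read/write of the caller's pipes will also hide any later genuine problem with plugin I/O. Give the pair a why-comment such as `# plugins inherit $2's pipes across the transition; silence the resulting rw denials` (presumably the motivation — confirm against the AVC message that prompted it). The enclosing interface starts and ends outside this hunk.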
@@ -7417,7 +7420,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2008-08-14 13:08:27.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if	2008-10-20 11:19:32.000000000 -0400
 @@ -535,6 +535,24 @@
  
  ########################################
@@ -7726,7 +7729,7 @@
  ')
  
  ########################################
-@@ -3644,3 +3823,123 @@
+@@ -3644,3 +3823,142 @@
  	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
  	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
  ')
@@ -7813,6 +7816,25 @@
 +
 +########################################
 +## <summary>
++##	Read, a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_read_fusefs_files',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	read_files_pattern($1,fusefs_t,fusefs_t)
++')
++
++########################################
++## <summary>
 +##	Read symbolic links on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
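Review bot: The summary of the new fs_read_fusefs_files interface, `##	Read, a FUSEFS filesystem.`, has a stray comma and does not say what is read; `##	Read files on a FUSEFS filesystem.` would match the sibling `Read symbolic links on a FUSEFS filesystem.` directly below it. The body `read_files_pattern($1,fusefs_t,fusefs_t)` also drops the spaces after commas that the rest of the patch uses (compare `read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)`); write `read_files_pattern($1, fusefs_t, fusefs_t)`. Confirm `<rolecap/>` is intended here, since it marks the interface as grantable to user roles rather than only to system domains.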
@@ -7891,7 +7913,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if	2008-10-17 10:56:51.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if	2008-10-20 14:00:25.000000000 -0400
 @@ -1198,6 +1198,7 @@
  	')
  
@@ -10477,7 +10499,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/apache.te	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/apache.te	2008-10-20 15:37:58.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -10571,17 +10593,18 @@
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -180,6 +220,9 @@
+@@ -180,6 +220,10 @@
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
 +typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
 +typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
 +typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
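Review bot: The new `typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;` carries no comment, and nothing in this hunk shows a file context or template that uses the alias, so a reader cannot tell whether it is a compatibility alias for labels already on disk or the start of a fastcgi domain that was never split out. Add a why-comment, e.g. `# compat alias: fastcgi scripts are labelled and confined as sys scripts`, or drop the alias if nothing references it. The apache.te declarations block continues outside this hunk.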
-@@ -202,12 +245,16 @@
+@@ -202,12 +246,16 @@
  	prelink_object_file(httpd_modules_t)
  ')
  
@@ -10599,7 +10622,7 @@
  dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
-@@ -249,6 +296,7 @@
+@@ -249,6 +297,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -10607,7 +10630,7 @@
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -260,9 +308,9 @@
+@@ -260,9 +309,9 @@
  
  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
  
@@ -10620,7 +10643,7 @@
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -289,6 +337,7 @@
+@@ -289,6 +338,7 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -10628,7 +10651,7 @@
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -299,6 +348,7 @@
+@@ -299,6 +349,7 @@
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_all_nodes(httpd_t)
@@ -10636,7 +10659,7 @@
  corenet_tcp_bind_http_port(httpd_t)
  corenet_tcp_bind_http_cache_port(httpd_t)
  corenet_sendrecv_http_server_packets(httpd_t)
-@@ -312,12 +362,11 @@
+@@ -312,12 +363,11 @@
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -10651,7 +10674,7 @@
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -335,6 +384,10 @@
+@@ -335,6 +385,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -10662,7 +10685,7 @@
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -351,18 +404,33 @@
+@@ -351,18 +405,33 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -10700,7 +10723,7 @@
  ')
  ')
  
-@@ -370,20 +438,45 @@
+@@ -370,20 +439,45 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -10747,7 +10770,7 @@
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -394,11 +487,12 @@
+@@ -394,11 +488,12 @@
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -10763,7 +10786,7 @@
  	fs_read_nfs_files(httpd_t)
  	fs_read_nfs_symlinks(httpd_t)
  ')
-@@ -408,6 +502,11 @@
+@@ -408,6 +503,11 @@
  	fs_read_cifs_symlinks(httpd_t)
  ')
  
@@ -10775,7 +10798,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -441,8 +540,13 @@
+@@ -441,8 +541,13 @@
  ')
  
  optional_policy(`
@@ -10791,7 +10814,7 @@
  ')
  
  optional_policy(`
-@@ -454,18 +558,13 @@
+@@ -454,18 +559,13 @@
  ')
  
  optional_policy(`
@@ -10811,7 +10834,7 @@
  ')
  
  optional_policy(`
-@@ -475,6 +574,12 @@
+@@ -475,6 +575,12 @@
  	openca_kill(httpd_t)
  ')
  
@@ -10824,7 +10847,7 @@
  optional_policy(`
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
-@@ -482,6 +587,7 @@
+@@ -482,6 +588,7 @@
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		postgresql_tcp_connect(httpd_t)
@@ -10832,7 +10855,7 @@
  	')
  ')
  
-@@ -490,6 +596,7 @@
+@@ -490,6 +597,7 @@
  ')
  
  optional_policy(`
@@ -10840,7 +10863,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -519,9 +626,28 @@
+@@ -519,9 +627,28 @@
  logging_send_syslog_msg(httpd_helper_t)
  
  tunable_policy(`httpd_tty_comm',`
@@ -10869,7 +10892,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -551,22 +677,27 @@
+@@ -551,22 +678,27 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -10903,7 +10926,7 @@
  ')
  
  ########################################
-@@ -584,12 +715,14 @@
+@@ -584,12 +716,14 @@
  append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  
@@ -10919,7 +10942,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -598,9 +731,7 @@
+@@ -598,9 +732,7 @@
  
  fs_search_auto_mountpoints(httpd_suexec_t)
  
@@ -10930,7 +10953,7 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -633,12 +764,25 @@
+@@ -633,12 +765,25 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -10959,7 +10982,7 @@
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -647,6 +791,12 @@
+@@ -647,6 +792,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -10972,7 +10995,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -664,10 +814,6 @@
+@@ -664,10 +815,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -10983,7 +11006,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -677,7 +823,8 @@
+@@ -677,7 +824,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -10993,7 +11016,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -691,12 +838,15 @@
+@@ -691,12 +839,15 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -11011,7 +11034,7 @@
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -704,6 +854,30 @@
+@@ -704,6 +855,30 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -11042,7 +11065,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -716,10 +890,10 @@
+@@ -716,10 +891,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -11057,7 +11080,7 @@
  ')
  
  ########################################
-@@ -727,6 +901,8 @@
+@@ -727,6 +902,8 @@
  # httpd_rotatelogs local policy
  #
  
@@ -11066,7 +11089,7 @@
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -741,3 +917,56 @@
+@@ -741,3 +918,56 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -14677,7 +14700,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.13/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/dovecot.te	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/dovecot.te	2008-10-20 13:04:49.000000000 -0400
 @@ -15,12 +15,21 @@
  domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -14754,7 +14777,7 @@
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
  
 -allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
-+allow dovecot_auth_t dovecot_t:unix_stream_socket rw_socket_perms;
++allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
  
  allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
  
@@ -20387,9 +20410,20 @@
  type roundup_var_run_t;
  files_pid_file(roundup_var_run_t)
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.5.13/policy/modules/services/rpc.fc
+--- nsaserefpolicy/policy/modules/services/rpc.fc	2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/rpc.fc	2008-10-20 14:39:31.000000000 -0400
+@@ -13,6 +13,7 @@
+ # /usr
+ #
+ /usr/sbin/rpc\.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
++/usr/sbin/rpc\.rquotad	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
+ /usr/sbin/rpc\.mountd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+ /usr/sbin/rpc\.nfsd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.13/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/rpc.if	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/rpc.if	2008-10-20 14:35:39.000000000 -0400
 @@ -88,8 +88,11 @@
  	# bind to arbitary unused ports
  	corenet_tcp_bind_generic_port($1_t)
@@ -20428,6 +20462,29 @@
  ##      Read NFS exported content.
  ## </summary>
  ## <param name="domain">
+@@ -338,3 +359,22 @@
+ 	files_search_var_lib($1)
+ 	read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ ')
++
++########################################
++## <summary>
++##	Manage NFS state data in /var/lib/nfs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpc_manage_nfs_state_data',`
++	gen_require(`
++		type var_lib_nfs_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2008-10-16 17:21:16.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/services/rpc.te	2008-10-17 10:31:27.000000000 -0400
@@ -26256,7 +26313,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/init.te	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/init.te	2008-10-20 14:36:54.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -26368,6 +26425,15 @@
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
+@@ -330,7 +359,7 @@
+ domain_sigchld_all_domains(initrc_t)
+ domain_read_all_domains_state(initrc_t)
+ domain_getattr_all_domains(initrc_t)
+-domain_dontaudit_ptrace_all_domains(initrc_t)
++domain_ptrace_all_domains(initrc_t)
+ domain_getsession_all_domains(initrc_t)
+ domain_use_interactive_fds(initrc_t)
+ # for lsof which is used by alsa shutdown:
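Review bot: Replacing `domain_dontaudit_ptrace_all_domains(initrc_t)` with `domain_ptrace_all_domains(initrc_t)` turns a silenced denial into a real grant of process:ptrace over every domain, which lets anything running as initrc_t read and control the memory of all confined services; the hunk gives no comment or denial justifying it (the `# for lsof which is used by alsa shutdown:` comment belongs to the rule that follows). If one init script needs ptrace, say which in a comment on this line and prefer a targeted `allow initrc_t <DOMAIN_PLACEHOLDER>:process ptrace;` or a tunable over the all-domains interface. A widening this broad also deserves its own changelog line; the 3.5.13-2 entry names only the dovecot fix.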
 @@ -371,6 +400,7 @@
  libs_use_shared_libs(initrc_t)
  libs_exec_lib_files(initrc_t)
@@ -26376,7 +26442,15 @@
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -521,6 +551,31 @@
+@@ -503,6 +533,7 @@
+ 	optional_policy(`
+ 		#for /etc/rc.d/init.d/nfs to create /etc/exports
+ 		rpc_write_exports(initrc_t)
++		rpc_manage_nfs_state_data(initrc_t)
+ 	')
+ 
+ 	optional_policy(`
+@@ -521,6 +552,31 @@
  	')
  ')
  
@@ -26408,7 +26482,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -536,6 +591,10 @@
+@@ -536,6 +592,10 @@
  ')
  
  optional_policy(`
@@ -26419,7 +26493,7 @@
  	bind_read_config(initrc_t)
  
  	# for chmod in start script
-@@ -575,6 +634,10 @@
+@@ -575,6 +635,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -26430,7 +26504,7 @@
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -660,12 +723,6 @@
+@@ -660,12 +724,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -26443,7 +26517,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -726,6 +783,9 @@
+@@ -726,6 +784,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -26453,7 +26527,7 @@
  ')
  
  optional_policy(`
-@@ -738,10 +798,12 @@
+@@ -738,10 +799,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -26466,7 +26540,7 @@
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -759,6 +821,11 @@
+@@ -759,6 +822,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -26478,7 +26552,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -773,6 +840,10 @@
+@@ -773,6 +841,10 @@
  ')
  
  optional_policy(`
@@ -26489,7 +26563,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -795,3 +866,11 @@
+@@ -795,3 +867,11 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -26647,7 +26721,7 @@
  allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-08-13 15:24:56.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc	2008-10-17 17:21:31.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc	2008-10-20 14:06:44.000000000 -0400
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -26674,16 +26748,24 @@
  /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/cxoffice/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -118,6 +122,8 @@
+@@ -115,9 +119,16 @@
+ 
+ /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
++/usr/lib/vlc/codec/librealvideo_plugin\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/codec/libdmo_plugin\.so	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/codec/librealaudio_plugin\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
++/usr/lib64/vlc/codec/librealvideo_plugin\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib64/vlc/codec/libdmo_plugin\.so	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib64/vlc/codec/librealaudio_plugin\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
 +/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
  /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
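Review bot: The three new `/usr/lib64/vlc/codec/…` entries duplicate the existing `/usr/lib/vlc/codec/…` lines instead of using the `/usr/lib(64)?/` regex that the neighbouring entries (`/usr/lib(64)?/libavfilter\.so(\..*)?`, the nvidia lines) already use. Collapsing each pair into one pattern such as `/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)` halves the entries and keeps the two architectures from drifting apart; the same applies to libdmo_plugin and librealaudio_plugin.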
-@@ -133,6 +139,7 @@
+@@ -133,6 +144,7 @@
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26691,7 +26773,7 @@
  /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -168,7 +175,8 @@
+@@ -168,7 +180,8 @@
  # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26701,7 +26783,7 @@
  
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -187,6 +195,7 @@
+@@ -187,6 +200,7 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26709,7 +26791,7 @@
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -246,7 +255,7 @@
+@@ -246,7 +260,7 @@
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26718,7 +26800,7 @@
  /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +276,8 @@
+@@ -267,6 +281,8 @@
  /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -26727,7 +26809,7 @@
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +302,8 @@
+@@ -291,6 +307,8 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26736,7 +26818,7 @@
  ') dnl end distro_redhat
  
  #
-@@ -310,3 +323,15 @@
+@@ -310,3 +328,15 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -27331,7 +27413,7 @@
  		samba_run_smbmount($1, $2, $3)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/mount.te	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/mount.te	2008-10-20 11:20:42.000000000 -0400
 @@ -18,17 +18,18 @@
  init_system_domain(mount_t,mount_exec_t)
  role system_r types mount_t;
@@ -27382,7 +27464,7 @@
  dev_rw_lvm_control(mount_t)
  dev_dontaudit_getattr_all_chr_files(mount_t)
  dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +69,18 @@
+@@ -62,16 +69,19 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -27400,11 +27482,12 @@
  fs_rw_tmpfs_chr_files(mount_t)
 +fs_manage_tmpfs_dirs(mount_t)
  fs_read_tmpfs_symlinks(mount_t)
++fs_read_fusefs_files(mount_t)
 +fs_manage_nfs_dirs(mount_t)
  
  term_use_all_terms(mount_t)
  
-@@ -79,6 +88,7 @@
+@@ -79,6 +89,7 @@
  corecmd_exec_bin(mount_t)
  
  domain_use_interactive_fds(mount_t)
@@ -27412,7 +27495,7 @@
  
  files_search_all(mount_t)
  files_read_etc_files(mount_t)
-@@ -100,6 +110,8 @@
+@@ -100,6 +111,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -27421,7 +27504,7 @@
  
  auth_use_nsswitch(mount_t)
  
-@@ -119,6 +131,8 @@
+@@ -119,6 +132,8 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -27430,7 +27513,7 @@
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -167,6 +181,8 @@
+@@ -167,6 +182,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -27439,7 +27522,7 @@
  ')
  
  optional_policy(`
-@@ -181,6 +197,11 @@
+@@ -181,6 +198,11 @@
  	')
  ')
  
@@ -27451,7 +27534,7 @@
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -188,6 +209,7 @@
+@@ -188,6 +210,7 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -27459,7 +27542,7 @@
  ')
  
  ########################################
-@@ -198,4 +220,26 @@
+@@ -198,4 +221,26 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -28624,6 +28707,17 @@
  	kernel_read_xen_state(ifconfig_t)
  	kernel_write_xen_state(ifconfig_t)
  	xen_append_log(ifconfig_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.5.13/policy/modules/system/udev.fc
+--- nsaserefpolicy/policy/modules/system/udev.fc	2008-08-07 11:15:12.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/udev.fc	2008-10-20 11:58:43.000000000 -0400
+@@ -13,6 +13,7 @@
+ /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
++/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udevstart  --	gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.13/policy/modules/system/udev.if
 --- nsaserefpolicy/policy/modules/system/udev.if	2008-08-07 11:15:12.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/system/udev.if	2008-10-17 10:31:27.000000000 -0400
@@ -28730,8 +28824,8 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.13/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2008-09-11 16:42:49.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc	2008-10-17 10:31:27.000000000 -0400
-@@ -2,15 +2,27 @@
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc	2008-10-20 09:52:45.000000000 -0400
+@@ -2,15 +2,28 @@
  # e.g.:
  # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
  # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
@@ -28766,6 +28860,7 @@
 +/usr/bin/runhaskell  --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/libexec/ghc-[^/]+/.*bin  --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/libexec/ghc-[^/]+/ghc-.*  --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/lib(64)?/ghc-[^/]+/ghc-.*  --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.13/policy/modules/system/unconfined.if
@@ -32313,7 +32408,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/xen.te	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/xen.te	2008-10-20 09:29:14.000000000 -0400
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -32478,7 +32573,7 @@
  # var/lib files for xenstored
  manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
  manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
-@@ -321,6 +352,7 @@
+@@ -321,18 +352,21 @@
  
  manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
  manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
@@ -32486,7 +32581,14 @@
  files_search_var_lib(xm_t)
  
  allow xm_t xen_image_t:dir rw_dir_perms;
-@@ -333,6 +365,7 @@
+ allow xm_t xen_image_t:file read_file_perms;
+ allow xm_t xen_image_t:blk_file read_blk_file_perms;
+ 
+-kernel_read_system_state(xm_t)
+ kernel_read_kernel_sysctls(xm_t)
++kernel_read_sysctl(xm_t)
++kernel_read_system_state(xm_t)
+ kernel_read_xen_state(xm_t)
  kernel_write_xen_state(xm_t)
  
  corecmd_exec_bin(xm_t)
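Review bot: `kernel_read_system_state(xm_t)` is deleted and re-added two lines later, so the hunk reads as three changes when only `kernel_read_sysctl(xm_t)` is new; keeping the original line in place and inserting the new call beside it would make the intent obvious. If the reorder was meant to sort the kernel_ calls, a separate cleanup commit would avoid mixing it with the access change. The xm_t rule block continues outside this hunk.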
@@ -32494,7 +32596,7 @@
  
  corenet_tcp_sendrecv_generic_if(xm_t)
  corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -348,8 +381,11 @@
+@@ -348,8 +382,11 @@
  
  storage_raw_read_fixed_disk(xm_t)
  
@@ -32506,7 +32608,7 @@
  init_rw_script_stream_sockets(xm_t)
  init_use_fds(xm_t)
  
-@@ -360,6 +396,23 @@
+@@ -360,6 +397,23 @@
  
  sysnet_read_config(xm_t)
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.727
retrieving revision 1.728
diff -u -r1.727 -r1.728
--- selinux-policy.spec	17 Oct 2008 22:01:06 -0000	1.727
+++ selinux-policy.spec	20 Oct 2008 19:53:30 -0000	1.728
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -461,6 +461,9 @@
 %endif
 
 %changelog
+* Mon Oct 20 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-2
+- Fix dovecot access
+
 * Fri Oct 17 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-1
 - Policy cleanup 
 



