rpms/selinux-policy/F-9 policy-20071130.patch, 1.228, 1.229 selinux-policy.spec, 1.719, 1.720

Daniel J Walsh dwalsh at fedoraproject.org
Mon Oct 20 19:54:20 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10976

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Mon Oct 20 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-103
- More fixes for new networkmanager
- Fixes for MLS initrc scripts


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.228
retrieving revision 1.229
diff -u -r1.228 -r1.229
--- policy-20071130.patch	15 Oct 2008 21:50:25 -0000	1.228
+++ policy-20071130.patch	20 Oct 2008 19:53:49 -0000	1.229
@@ -3475,7 +3475,7 @@
  /var/run/vpnc(/.*)?		gen_context(system_u:object_r:vpnc_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.3.1/policy/modules/admin/vpn.if
 --- nsaserefpolicy/policy/modules/admin/vpn.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/vpn.if	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/vpn.if	2008-10-16 14:46:20.000000000 -0400
 @@ -15,7 +15,7 @@
  		type vpnc_t, vpnc_exec_t;
  	')
@@ -3493,6 +3493,51 @@
  ')
  
  ########################################
+@@ -70,6 +71,44 @@
+ 
+ ########################################
+ ## <summary>
++##	Send signull to VPN clients.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`vpn_signull',`
++	gen_require(`
++		type vpnc_t;
++	')
++
++	allow $1 vpnc_t:process signull;
++')
++
++########################################
++## <summary>
++##	Send sigkill to VPN clients.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`vpn_sigkill',`
++	gen_require(`
++		type vpnc_t;
++	')
++
++	allow $1 vpnc_t:process sigkill;
++')
++
++
++
++########################################
++## <summary>
+ ##	Send and receive messages from
+ ##	Vpnc over dbus.
+ ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.3.1/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te	2008-06-12 23:38:01.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/admin/vpn.te	2008-10-14 11:43:20.000000000 -0400
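Review bot: Three consecutive blank lines are added after the new `vpn_sigkill` interface (the three bare `++` lines just before the `########` separator), where the rest of vpn.if separates interfaces with a single blank line; the openvpn.if hunk later in this diff has the same problem with a double blank line after `openvpn_signull`. Dropping the extra `+` lines keeps both files consistent with their surrounding interfaces. The two new interfaces grant only `signull` and `sigkill` on `vpnc_t`, which matches their summaries.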
@@ -8896,7 +8941,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if	2008-10-20 11:21:09.000000000 -0400
 @@ -310,6 +310,25 @@
  
  ########################################
@@ -9153,7 +9198,7 @@
  ')
  
  ########################################
-@@ -3551,3 +3728,123 @@
+@@ -3551,3 +3728,142 @@
  	relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
  	relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
  ')
@@ -9220,6 +9265,25 @@
 +
 +########################################
 +## <summary>
++##	Read, a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_read_fusefs_files',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	read_files_pattern($1,fusefs_t,fusefs_t)
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete files
 +##	on a FUSEFS filesystem.
 +## </summary>
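Review bot: The summary of the new `fs_read_fusefs_files` interface reads `Read, a FUSEFS filesystem.`, which has a stray comma and does not say what is readable; since the body calls `read_files_pattern($1,fusefs_t,fusefs_t)`, the summary line should be `##	Read files on a FUSEFS filesystem.` The `<rolecap/>` tag is copied from the sibling interfaces and is fine, but the interface covers files only, so a caller needing symlink or directory listing access would need a separate interface. The interface is complete within the hunk.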
@@ -10305,7 +10369,7 @@
  neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.3.1/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc	2008-10-16 14:22:04.000000000 -0400
 @@ -13,6 +13,7 @@
  /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -10314,6 +10378,15 @@
  /dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+@@ -34,7 +35,7 @@
+ /dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/ps3d.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/ram.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+-/dev/rawctl		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/(raw/)?rawctl	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ ifdef(`distro_redhat', `
+ /dev/root		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 @@ -48,6 +49,7 @@
  /dev/tw[a-z][^/]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
@@ -12472,8 +12545,8 @@
  /var/run/avahi-daemon(/.*)? 		gen_context(system_u:object_r:avahi_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.3.1/policy/modules/services/avahi.if
 --- nsaserefpolicy/policy/modules/services/avahi.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/avahi.if	2008-10-14 11:43:20.000000000 -0400
-@@ -2,6 +2,84 @@
++++ serefpolicy-3.3.1/policy/modules/services/avahi.if	2008-10-16 14:48:24.000000000 -0400
+@@ -2,6 +2,122 @@
  
  ########################################
  ## <summary>
@@ -12517,6 +12590,44 @@
 +
 +########################################
 +## <summary>
++##	Send avahi a signull
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_signull',`
++	gen_require(`
++		type avahi_t;
++	')
++
++	allow $1 avahi_t:process signull;
++')
++
++########################################
++## <summary>
++##	Send avahi a sigkill
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_sigkill',`
++	gen_require(`
++		type avahi_t;
++	')
++
++	allow $1 avahi_t:process sigkill;
++')
++
++########################################
++## <summary>
 +##	Send avahi a signal
 +## </summary>
 +## <param name="domain">
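Review bot: The doc blocks of the new `avahi_signull` and `avahi_sigkill` interfaces close with two `#` lines (`++#` twice) where the vpn, bind and openvpn interfaces added in this same commit, and refpolicy generally, use a single `#` before `interface(`; the `dnsmasq_signull` hunk later in this diff has the same doubled `#`. Also, `avahi_signull` describes its parameter as `The type of the process performing this action.` while `avahi_sigkill` directly below uses `Domain allowed access.`; using `Domain allowed access.` in both keeps the generated interface documentation uniform. The rules themselves, `allow $1 avahi_t:process signull;` and `allow $1 avahi_t:process sigkill;`, match their summaries.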
@@ -12558,7 +12669,7 @@
  ##	Send and receive messages from
  ##	avahi over dbus.
  ## </summary>
-@@ -57,3 +135,45 @@
+@@ -57,3 +173,45 @@
  
  	dontaudit $1 avahi_var_run_t:dir search_dir_perms;
  ')
@@ -12667,8 +12778,51 @@
 +/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.3.1/policy/modules/services/bind.if
 --- nsaserefpolicy/policy/modules/services/bind.if	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/bind.if	2008-10-14 11:43:20.000000000 -0400
-@@ -254,3 +254,94 @@
++++ serefpolicy-3.3.1/policy/modules/services/bind.if	2008-10-16 14:45:03.000000000 -0400
+@@ -38,6 +38,42 @@
+ 
+ ########################################
+ ## <summary>
++##	Send signulls to BIND.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bind_signull',`
++	gen_require(`
++		type named_t;
++	')
++
++	allow $1 named_t:process signull;
++')
++
++########################################
++## <summary>
++##	Send sigkills to BIND.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bind_sigkill',`
++	gen_require(`
++		type named_t;
++	')
++
++	allow $1 named_t:process sigkill;
++')
++
++########################################
++## <summary>
+ ##	Execute ndc in the ndc domain, and
+ ##	allow the specified role the ndc domain.
+ ## </summary>
+@@ -254,3 +290,94 @@
  interface(`bind_udp_chat_named',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -15449,7 +15603,7 @@
  /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.if	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dbus.if	2008-10-17 17:30:31.000000000 -0400
 @@ -53,6 +53,7 @@
  	gen_require(`
  		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -16442,8 +16596,8 @@
 +/etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.3.1/policy/modules/services/dnsmasq.if
 --- nsaserefpolicy/policy/modules/services/dnsmasq.if	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.if	2008-10-14 11:43:20.000000000 -0400
-@@ -1 +1,125 @@
++++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.if	2008-10-16 14:44:34.000000000 -0400
+@@ -1 +1,144 @@
  ## <summary>dnsmasq DNS forwarder and DHCP server</summary>
 +
 +########################################
@@ -16507,6 +16661,25 @@
 +
 +########################################
 +## <summary>
++##	Send dnsmasq a signull
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`dnsmasq_signull',`
++	gen_require(`
++		type dnsmasq_t;
++	')
++
++	allow $1 dnsmasq_t:process signull;
++')
++
++########################################
++## <summary>
 +##	Send dnsmasq a sigkill
 +## </summary>
 +## <param name="domain">
@@ -20614,7 +20787,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-10-16 14:35:00.000000000 -0400
 @@ -1,5 +1,5 @@
  
 -policy_module(networkmanager,1.9.0)
@@ -20660,7 +20833,7 @@
  allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
  allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
  allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-@@ -31,17 +44,26 @@
+@@ -31,17 +44,27 @@
  allow NetworkManager_t self:udp_socket create_socket_perms;
  allow NetworkManager_t self:packet_socket create_socket_perms;
  
@@ -20687,10 +20860,11 @@
  kernel_read_kernel_sysctls(NetworkManager_t)
  kernel_load_module(NetworkManager_t)
 +kernel_read_debugfs(NetworkManager_t)
++kernel_search_network_sysctl(NetworkManager_t)
  
  corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -64,9 +86,11 @@
+@@ -64,9 +87,11 @@
  dev_read_sysfs(NetworkManager_t)
  dev_read_rand(NetworkManager_t)
  dev_read_urand(NetworkManager_t)
@@ -20702,7 +20876,7 @@
  
  mls_file_read_all_levels(NetworkManager_t)
  
-@@ -83,9 +107,14 @@
+@@ -83,9 +108,14 @@
  files_read_etc_runtime_files(NetworkManager_t)
  files_read_usr_files(NetworkManager_t)
  
@@ -20717,7 +20891,7 @@
  libs_use_ld_so(NetworkManager_t)
  libs_use_shared_libs(NetworkManager_t)
  
-@@ -98,21 +127,32 @@
+@@ -98,26 +128,40 @@
  
  seutil_read_config(NetworkManager_t)
  
@@ -20751,13 +20925,21 @@
 +
 +optional_policy(`
 +	avahi_domtrans(NetworkManager_t)
-+	avahi_signal(NetworkManager_t)
 +	avahi_sigkill(NetworkManager_t)
++	avahi_signal(NetworkManager_t)
++	avahi_signull(NetworkManager_t)
 +')
  
  optional_policy(`
  	bind_domtrans(NetworkManager_t)
-@@ -129,8 +169,17 @@
+ 	bind_manage_cache(NetworkManager_t)
+ 	bind_signal(NetworkManager_t)
++	bind_signull(NetworkManager_t)
++	bind_sigkill(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
+@@ -129,8 +173,18 @@
  ')
  
  optional_policy(`
@@ -20770,6 +20952,7 @@
 +	dnsmasq_script_domtrans(NetworkManager_t)
 +	dnsmasq_signal(NetworkManager_t)
 +	dnsmasq_sigkill(NetworkManager_t)
++	dnsmasq_signull(NetworkManager_t)
 +')
 +
 +optional_policy(`
@@ -20777,7 +20960,7 @@
  ')
  
  optional_policy(`
-@@ -138,12 +187,18 @@
+@@ -138,39 +192,86 @@
  ')
  
  optional_policy(`
@@ -20789,6 +20972,8 @@
 -	nscd_socket_use(NetworkManager_t)
 +	nscd_domtrans(NetworkManager_t)
  	nscd_signal(NetworkManager_t)
++	nscd_signull(NetworkManager_t)
++	nscd_sigkill(NetworkManager_t)
 +	nscd_script_domtrans(NetworkManager_t)
 +')
 +
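Review bot: `nscd_signull(NetworkManager_t)` and `nscd_sigkill(NetworkManager_t)` are added here, but unlike the avahi, bind, dnsmasq, openvpn and vpn calls added in this commit, no hunk in this diff adds `nscd_signull`/`nscd_sigkill` interfaces to nscd.if. If nscd.if does not already define them, the networkmanager module will fail to build; if it does, nothing further is needed, but that cannot be confirmed from this diff. The enclosing optional_policy block starts before the hunk.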
@@ -20798,15 +20983,18 @@
  ')
  
  optional_policy(`
-@@ -152,25 +207,60 @@
- ')
- 
- optional_policy(`
-+	polkit_domtrans_auth(NetworkManager_t)
-+	polkit_read_lib(NetworkManager_t)
+ 	openvpn_domtrans(NetworkManager_t)
+ 	openvpn_signal(NetworkManager_t)
++	openvpn_signull(NetworkManager_t)
++	openvpn_sigkill(NetworkManager_t)
 +')
 +
 +optional_policy(`
++	polkit_domtrans_auth(NetworkManager_t)
++	polkit_read_lib(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
 +	ppp_script_domtrans(NetworkManager_t)
  	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
@@ -20836,7 +21024,9 @@
  
  optional_policy(`
  	vpn_domtrans(NetworkManager_t)
++	vpn_sigkill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
++	vpn_signull(NetworkManager_t)
  ')
 +
 +########################################
@@ -21640,8 +21830,52 @@
 +/etc/rc\.d/init\.d/openvpn	--	gen_context(system_u:object_r:openvpn_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.3.1/policy/modules/services/openvpn.if
 --- nsaserefpolicy/policy/modules/services/openvpn.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/openvpn.if	2008-10-14 11:43:20.000000000 -0400
-@@ -90,3 +90,74 @@
++++ serefpolicy-3.3.1/policy/modules/services/openvpn.if	2008-10-16 14:45:48.000000000 -0400
+@@ -70,6 +70,43 @@
+ 
+ ########################################
+ ## <summary>
++##	Send sigkills to OPENVPN clients.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openvpn_sigkill',`
++	gen_require(`
++		type openvpn_t;
++	')
++
++	allow $1 openvpn_t:process sigkill;
++')
++
++########################################
++## <summary>
++##	Send signulls to OPENVPN clients.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openvpn_signull',`
++	gen_require(`
++		type openvpn_t;
++	')
++
++	allow $1 openvpn_t:process signull;
++')
++
++
++########################################
++## <summary>
+ ##	Allow the specified domain to read
+ ##	OpenVPN configuration files.
+ ## </summary>
+@@ -90,3 +127,74 @@
  	read_files_pattern($1,openvpn_etc_t,openvpn_etc_t)
  	read_lnk_files_pattern($1,openvpn_etc_t,openvpn_etc_t)
  ')
@@ -25661,9 +25895,20 @@
  ########################################
  #
  # Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.3.1/policy/modules/services/rpc.fc
+--- nsaserefpolicy/policy/modules/services/rpc.fc	2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpc.fc	2008-10-20 14:39:51.000000000 -0400
+@@ -12,6 +12,7 @@
+ # /usr
+ #
+ /usr/sbin/rpc\.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
++/usr/sbin/rpc\.rquotad	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
+ /usr/sbin/rpc\.mountd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+ /usr/sbin/rpc\.nfsd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rpc.if	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpc.if	2008-10-20 14:34:27.000000000 -0400
 @@ -88,8 +88,11 @@
  	# bind to arbitary unused ports
  	corenet_tcp_bind_generic_port($1_t)
@@ -25702,6 +25947,29 @@
  ##      Read NFS exported content.
  ## </summary>
  ## <param name="domain">
+@@ -338,3 +359,22 @@
+ 	files_search_var_lib($1)
+ 	read_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t)
+ ')
++
++########################################
++## <summary>
++##	Manage NFS state data in /var/lib/nfs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpc_manage_nfs_state_data',`
++	gen_require(`
++		type var_lib_nfs_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2008-06-12 23:38:01.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-10-14 11:43:20.000000000 -0400
@@ -33480,7 +33748,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-10-20 14:36:17.000000000 -0400
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -33659,6 +33927,15 @@
  
  selinux_get_enforce_mode(initrc_t)
  
+@@ -311,7 +350,7 @@
+ domain_sigchld_all_domains(initrc_t)
+ domain_read_all_domains_state(initrc_t)
+ domain_getattr_all_domains(initrc_t)
+-domain_dontaudit_ptrace_all_domains(initrc_t)
++domain_ptrace_all_domains(initrc_t)
+ domain_getsession_all_domains(initrc_t)
+ domain_use_interactive_fds(initrc_t)
+ # for lsof which is used by alsa shutdown:
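Review bot: Replacing `domain_dontaudit_ptrace_all_domains(initrc_t)` with `domain_ptrace_all_domains(initrc_t)` turns a suppressed denial into a grant of `ptrace` over every domain, which lets init scripts inspect and alter the memory of any confined process and is a large widening of initrc_t's reach; the commit message ("Fixes for MLS initrc scripts") does not say which script needs it. If a specific script or tool triggers the denial, consider a narrower allow for that domain, and at minimum record the reason next to the line, e.g. `# ptrace of all domains: needed by <script or tool> on MLS, see <bug id>` with the placeholders filled in. `domain_read_all_domains_state(initrc_t)` two lines above already covers reading process state, so the comment should say what ptrace adds beyond that.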
 @@ -352,6 +391,7 @@
  libs_use_shared_libs(initrc_t)
  libs_exec_lib_files(initrc_t)
@@ -33667,7 +33944,15 @@
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -496,6 +536,31 @@
+@@ -478,6 +518,7 @@
+ 	optional_policy(`
+ 		#for /etc/rc.d/init.d/nfs to create /etc/exports
+ 		rpc_write_exports(initrc_t)
++		rpc_manage_nfs_state_data(initrc_t)
+ 	')
+ 
+ 	optional_policy(`
+@@ -496,6 +537,31 @@
  	')
  ')
  
@@ -33699,7 +33984,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -554,16 +619,12 @@
+@@ -554,16 +620,12 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -33720,7 +34005,7 @@
  ')
  
  optional_policy(`
-@@ -639,12 +700,6 @@
+@@ -639,12 +701,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -33733,7 +34018,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -705,6 +760,9 @@
+@@ -705,6 +761,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -33743,7 +34028,7 @@
  ')
  
  optional_policy(`
-@@ -717,9 +775,11 @@
+@@ -717,9 +776,11 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -33758,7 +34043,7 @@
  ')
  
  optional_policy(`
-@@ -738,6 +798,11 @@
+@@ -738,6 +799,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -33770,7 +34055,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -752,6 +817,10 @@
+@@ -752,6 +818,10 @@
  ')
  
  optional_policy(`
@@ -33781,7 +34066,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -774,3 +843,4 @@
+@@ -774,3 +844,4 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -33902,18 +34187,27 @@
  /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/iscsi.te	2008-10-17 08:47:36.000000000 -0400
 @@ -28,8 +28,8 @@
  # iscsid local policy
  #
  
 -allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
 -allow iscsid_t self:process { setrlimit setsched };
-+allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_nice sys_resource };
++allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
 +allow iscsid_t self:process { setrlimit setsched signal };
  allow iscsid_t self:fifo_file { read write };
  allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow iscsid_t self:unix_dgram_socket create_socket_perms;
+@@ -39,7 +39,7 @@
+ allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow iscsid_t self:tcp_socket create_stream_socket_perms;
+ 
+-allow iscsid_t iscsi_lock_t:file manage_file_perms;
++manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+ files_lock_filetrans(iscsid_t,iscsi_lock_t,file)
+ 
+ allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 @@ -63,6 +63,7 @@
  corenet_tcp_sendrecv_all_ports(iscsid_t)
  corenet_tcp_connect_http_port(iscsid_t)
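Review bot: The revised capability line for `iscsid_t` adds `sys_admin` on top of the previously added `net_raw`, with no comment saying which operation needs it; `sys_admin` is the catch-all capability, so granting it to a network-facing daemon deserves a recorded reason. Suggest a comment above the line such as `# sys_admin: <operation from the AVC denial> -- confirm no narrower permission covers it` with the placeholder filled in. The later change from `allow iscsid_t iscsi_lock_t:file manage_file_perms;` to `manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)` also covers directory access on the lock type, which appears consistent with the `files_lock_filetrans` call below it.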
@@ -33924,7 +34218,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc	2008-10-17 17:22:27.000000000 -0400
 @@ -69,8 +69,10 @@
  ifdef(`distro_gentoo',`
  # despite the extensions, they are actually libs
@@ -33949,7 +34243,15 @@
  
  /usr/(.*/)?java/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
-@@ -133,6 +137,7 @@
+@@ -118,6 +122,7 @@
+ /usr/lib/vlc/codec/libdmo_plugin\.so	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/vlc/codec/librealaudio_plugin\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
++/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -133,6 +138,7 @@
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -33957,7 +34259,7 @@
  /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -164,7 +169,8 @@
+@@ -164,7 +170,8 @@
  # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -33967,7 +34269,7 @@
  
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -183,6 +189,7 @@
+@@ -183,6 +190,7 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -33975,7 +34277,7 @@
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -242,7 +249,7 @@
+@@ -242,7 +250,7 @@
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -33984,7 +34286,7 @@
  /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -263,6 +270,8 @@
+@@ -263,6 +271,8 @@
  /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -33993,7 +34295,7 @@
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -287,11 +296,15 @@
+@@ -287,11 +297,15 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -34009,7 +34311,7 @@
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
-@@ -304,3 +317,13 @@
+@@ -304,3 +318,13 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -35218,7 +35520,7 @@
  		samba_run_smbmount($1, $2, $3)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/mount.te	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/mount.te	2008-10-20 11:20:36.000000000 -0400
 @@ -18,17 +18,18 @@
  init_system_domain(mount_t,mount_exec_t)
  role system_r types mount_t;
@@ -35271,7 +35573,7 @@
  dev_rw_lvm_control(mount_t)
  dev_dontaudit_getattr_all_chr_files(mount_t)
  dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +66,19 @@
+@@ -62,16 +66,20 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -35289,11 +35591,12 @@
  fs_rw_tmpfs_chr_files(mount_t)
 +fs_manage_tmpfs_dirs(mount_t)
  fs_read_tmpfs_symlinks(mount_t)
++fs_read_fusefs_files(mount_t)
 +fs_manage_nfs_dirs(mount_t)
  
  term_use_all_terms(mount_t)
  
-@@ -100,6 +107,8 @@
+@@ -100,6 +108,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -35302,7 +35605,7 @@
  
  auth_use_nsswitch(mount_t)
  
-@@ -119,6 +128,8 @@
+@@ -119,6 +129,8 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -35311,7 +35614,7 @@
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -167,6 +178,8 @@
+@@ -167,6 +179,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -35320,7 +35623,7 @@
  ')
  
  optional_policy(`
-@@ -181,6 +194,11 @@
+@@ -181,6 +195,11 @@
  	')
  ')
  
@@ -35332,7 +35635,7 @@
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -188,6 +206,7 @@
+@@ -188,6 +207,7 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -35340,7 +35643,7 @@
  ')
  
  ########################################
-@@ -198,4 +217,26 @@
+@@ -198,4 +218,26 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.719
retrieving revision 1.720
diff -u -r1.719 -r1.720
--- selinux-policy.spec	15 Oct 2008 21:39:17 -0000	1.719
+++ selinux-policy.spec	20 Oct 2008 19:53:49 -0000	1.720
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 102%{?dist}
+Release: 103%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,10 @@
 %endif
 
 %changelog
+* Mon Oct 20 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-103
+- More fixes for new netoworkmanager
+- Fixes for MLS initrc scripts
+
 * Wed Oct 15 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-102
 - Fix gutenburg press, google apps using wine
 



