rpms/selinux-policy/F-8 policy-20070703.patch, 1.227, 1.228 selinux-policy.spec, 1.648, 1.649
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Oct 20 19:54:53 UTC 2008
- Previous message: rpms/selinux-policy/F-9 policy-20071130.patch, 1.228, 1.229 selinux-policy.spec, 1.719, 1.720
- Next message: rpms/ekiga/devel .cvsignore, 1.14, 1.15 ekiga.spec, 1.58, 1.59 sources, 1.16, 1.17
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11219
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Wed Oct 15 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-121
- Allow wine to mmap_zero
- Fix mapping for google/picasa/wine
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.227
retrieving revision 1.228
diff -u -r1.227 -r1.228
--- policy-20070703.patch 14 Oct 2008 16:07:57 -0000 1.227
+++ policy-20070703.patch 20 Oct 2008 19:54:21 -0000 1.228
@@ -1185,6 +1185,201 @@
kudzu_domtrans(anaconda_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/avahi.if serefpolicy-3.0.8/policy/modules/admin/avahi.if
+--- nsaserefpolicy/policy/modules/admin/avahi.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/admin/avahi.if 2008-10-16 14:54:07.000000000 -0400
+@@ -0,0 +1,191 @@
++## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
++
++########################################
++## <summary>
++## Execute avahi server in the avahi domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`avahi_domtrans',`
++ gen_require(`
++ type avahi_exec_t;
++ type avahi_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, avahi_exec_t, avahi_t)
++')
++
++########################################
++## <summary>
++## Execute avahi server in the avahi domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`avahi_initrc_domtrans',`
++ gen_require(`
++ type avahi_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
++')
++
++########################################
++## <summary>
++## Send avahi a sigkill
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++#
++interface(`avahi_sigkill',`
++ gen_require(`
++ type avahi_t;
++ ')
++
++ allow $1 avahi_t:process sigkill;
++')
++
++########################################
++## <summary>
++## Send avahi a signal
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`avahi_signal',`
++ gen_require(`
++ type avahi_t;
++ ')
++
++ allow $1 avahi_t:process signal;
++')
++
++########################################
++## <summary>
++## Send avahi a signull
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`avahi_signull',`
++ gen_require(`
++ type avahi_t;
++ ')
++
++ allow $1 avahi_t:process signull;
++')
++
++########################################
++## <summary>
++## Send and receive messages from
++## avahi over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`avahi_dbus_chat',`
++ gen_require(`
++ type avahi_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 avahi_t:dbus send_msg;
++ allow avahi_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++## Connect to avahi using a unix domain stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`avahi_stream_connect',`
++ gen_require(`
++ type avahi_t, avahi_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to search the avahi pid directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`avahi_dontaudit_search_pid',`
++ gen_require(`
++ type avahi_var_run_t;
++ ')
++
++ dontaudit $1 avahi_var_run_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an avahi environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the avahi domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`avahi_admin',`
++ gen_require(`
++ type avahi_t, avahi_var_run_t;
++ type avahi_initrc_exec_t;
++ ')
++
++ allow $1 avahi_t:process { ptrace signal_perms };
++ ps_process_pattern($1, avahi_t)
++
++ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 avahi_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_pids($1)
++ admin_pattern($1, avahi_var_run_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.8/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te 2008-10-14 12:05:29.000000000 -0400
@@ -4390,14 +4585,16 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.0.8/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2008-06-12 23:37:56.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/wine.fc 2008-10-14 12:05:29.000000000 -0400
-@@ -1,4 +1,5 @@
++++ serefpolicy-3.0.8/policy/modules/apps/wine.fc 2008-10-15 13:39:12.000000000 -0400
+@@ -1,4 +1,7 @@
/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
++
+HOME_DIR/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2008-06-12 23:37:56.000000000 -0400
@@ -4489,7 +4686,14 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.8/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2008-06-12 23:37:56.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2008-10-14 12:05:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2008-10-15 14:49:17.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(wine,1.3.1)
++policy_module(wine,1.5.0)
+
+ ########################################
+ #
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
@@ -8119,14 +8323,240 @@
seutil_sigchld_newrole(automount_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.0.8/policy/modules/services/avahi.fc
+--- nsaserefpolicy/policy/modules/services/avahi.fc 2008-06-12 23:37:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/avahi.fc 2008-10-15 13:45:05.000000000 -0400
+@@ -1,5 +1,9 @@
++/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+
+ /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
++/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+
+ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
++
++/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.0.8/policy/modules/services/avahi.if
+--- nsaserefpolicy/policy/modules/services/avahi.if 2008-06-12 23:37:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/avahi.if 2008-10-16 14:52:08.000000000 -0400
+@@ -2,6 +2,103 @@
+
+ ########################################
+ ## <summary>
++## Execute avahi server in the avahi domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`avahi_domtrans',`
++ gen_require(`
++ type avahi_exec_t;
++ type avahi_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, avahi_exec_t, avahi_t)
++')
++
++########################################
++## <summary>
++## Execute avahi server in the avahi domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`avahi_initrc_domtrans',`
++ gen_require(`
++ type avahi_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
++')
++
++########################################
++## <summary>
++## Send avahi a sigkill
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++#
++interface(`avahi_sigkill',`
++ gen_require(`
++ type avahi_t;
++ ')
++
++ allow $1 avahi_t:process sigkill;
++')
++
++########################################
++## <summary>
++## Send avahi a signal
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`avahi_signal',`
++ gen_require(`
++ type avahi_t;
++ ')
++
++ allow $1 avahi_t:process signal;
++')
++
++########################################
++## <summary>
++## Send avahi a signull
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`avahi_signull',`
++ gen_require(`
++ type avahi_t;
++ ')
++
++ allow $1 avahi_t:process signull;
++')
++
++########################################
++## <summary>
+ ## Send and receive messages from
+ ## avahi over dbus.
+ ## </summary>
+@@ -37,7 +134,7 @@
+ ')
+
+ files_search_pids($1)
+- stream_connect_pattern($1,avahi_var_run_t,avahi_var_run_t,avahi_t)
++ stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
+ ')
+
+ ########################################
+@@ -57,3 +154,38 @@
+
+ dontaudit $1 avahi_var_run_t:dir search_dir_perms;
+ ')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an avahi environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the avahi domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`avahi_admin',`
++ gen_require(`
++ type avahi_t, avahi_var_run_t;
++ type avahi_initrc_exec_t;
++ ')
++
++ allow $1 avahi_t:process { ptrace signal_perms };
++ ps_process_pattern($1, avahi_t)
++
++ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 avahi_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_pids($1)
++ admin_pattern($1, avahi_var_run_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.8/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/avahi.te 2008-10-14 12:05:29.000000000 -0400
-@@ -85,6 +85,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/avahi.te 2008-10-15 14:18:33.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(avahi,1.6.1)
++policy_module(avahi, 1.9.0)
+
+ ########################################
+ #
+@@ -8,7 +8,13 @@
+
+ type avahi_t;
+ type avahi_exec_t;
+-init_daemon_domain(avahi_t,avahi_exec_t)
++init_daemon_domain(avahi_t, avahi_exec_t)
++
++type avahi_initrc_exec_t;
++init_script_file(avahi_initrc_exec_t)
++
++type avahi_var_lib_t;
++files_pid_file(avahi_var_lib_t)
+
+ type avahi_var_run_t;
+ files_pid_file(avahi_var_run_t)
+@@ -20,15 +26,20 @@
+
+ allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
+ dontaudit avahi_t self:capability sys_tty_config;
+-allow avahi_t self:process { setrlimit signal_perms setcap };
++allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+ allow avahi_t self:fifo_file { read write };
+ allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow avahi_t self:unix_dgram_socket create_socket_perms;
+ allow avahi_t self:tcp_socket create_stream_socket_perms;
+ allow avahi_t self:udp_socket create_socket_perms;
+
+-manage_files_pattern(avahi_t,avahi_var_run_t,avahi_var_run_t)
+-manage_sock_files_pattern(avahi_t,avahi_var_run_t,avahi_var_run_t)
++files_search_var_lib(avahi_t)
++manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
++manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
++files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
++
++manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
++manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+ allow avahi_t avahi_var_run_t:dir setattr;
+ files_pid_filetrans(avahi_t,avahi_var_run_t,file)
+
+@@ -76,15 +87,18 @@
+ logging_send_syslog_msg(avahi_t)
+
+ miscfiles_read_localization(avahi_t)
++miscfiles_read_certs(avahi_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(avahi_t)
++
+ userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
+
+ optional_policy(`
+ dbus_system_bus_client_template(avahi,avahi_t)
dbus_connect_system_bus(avahi_t)
- dbus_send_system_bus(avahi_t)
+- dbus_send_system_bus(avahi_t)
++
init_dbus_chat_script(avahi_t)
-+ dbus_system_domain(avahi_t,avahi_exec_t)
++ dbus_system_domain(avahi_t, avahi_exec_t)
')
optional_policy(`
@@ -8141,6 +8571,208 @@
+/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
')
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.0.8/policy/modules/services/bind.if
+--- nsaserefpolicy/policy/modules/services/bind.if 2008-06-12 23:37:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/bind.if 2008-10-16 16:02:58.000000000 -0400
+@@ -15,7 +15,7 @@
+ type ndc_t, ndc_exec_t;
+ ')
+
+- domtrans_pattern($1,ndc_exec_t,ndc_t)
++ domtrans_pattern($1, ndc_exec_t, ndc_t)
+ ')
+
+ ########################################
+@@ -38,6 +38,42 @@
+
+ ########################################
+ ## <summary>
++## Send signulls to BIND.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bind_signull',`
++ gen_require(`
++ type named_t;
++ ')
++
++ allow $1 named_t:process signull;
++')
++
++########################################
++## <summary>
++## Send sigkills to BIND.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bind_sigkill',`
++ gen_require(`
++ type named_t;
++ ')
++
++ allow $1 named_t:process sigkill;
++')
++
++########################################
++## <summary>
+ ## Execute ndc in the ndc domain, and
+ ## allow the specified role the ndc domain.
+ ## </summary>
+@@ -83,7 +119,7 @@
+ type named_t, named_exec_t;
+ ')
+
+- domtrans_pattern($1,named_exec_t,named_t)
++ domtrans_pattern($1, named_exec_t, named_t)
+ ')
+
+ ########################################
+@@ -101,7 +137,7 @@
+ type named_conf_t, named_zone_t, dnssec_t;
+ ')
+
+- read_files_pattern($1,{ named_conf_t named_zone_t },dnssec_t)
++ read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t)
+ ')
+
+ ########################################
+@@ -119,7 +155,7 @@
+ type named_conf_t;
+ ')
+
+- read_files_pattern($1,named_conf_t,named_conf_t)
++ read_files_pattern($1, named_conf_t, named_conf_t)
+ ')
+
+ ########################################
+@@ -137,7 +173,7 @@
+ type named_conf_t;
+ ')
+
+- write_files_pattern($1,named_conf_t,named_conf_t)
++ write_files_pattern($1, named_conf_t, named_conf_t)
+ allow $1 named_conf_t:file setattr;
+ ')
+
+@@ -157,7 +193,7 @@
+ type named_conf_t;
+ ')
+
+- manage_dirs_pattern($1,named_conf_t,named_conf_t)
++ manage_dirs_pattern($1, named_conf_t, named_conf_t)
+ ')
+
+ ########################################
+@@ -199,8 +235,8 @@
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+- manage_files_pattern($1,named_cache_t,named_cache_t)
+- manage_lnk_files_pattern($1,named_cache_t,named_cache_t)
++ manage_files_pattern($1, named_cache_t, named_cache_t)
++ manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
+ ')
+
+ ########################################
+@@ -238,7 +274,7 @@
+ ')
+
+ files_search_var($1)
+- read_files_pattern($1,named_zone_t,named_zone_t)
++ read_files_pattern($1, named_zone_t, named_zone_t)
+ ')
+
+ ########################################
+@@ -254,3 +290,81 @@
+ interface(`bind_udp_chat_named',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
++
++########################################
++## <summary>
++## Execute bind server in the bind domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`bind_script_domtrans',`
++ gen_require(`
++ type bind_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, bind_initrc_exec_t)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an bind environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the bind domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`bind_admin',`
++ gen_require(`
++ type named_t, named_tmp_t, named_log_t;
++ type named_conf_t, named_var_lib_t, named_var_run_t;
++ type named_cache_t, named_zone_t;
++ type dnssec_t, ndc_t;
++ type named_initrc_exec_t;
++ ')
++
++ allow $1 named_t:process { ptrace signal_perms };
++ ps_process_pattern($1, named_t)
++
++ allow $1 ndc_t:process { ptrace signal_perms };
++ ps_process_pattern($1, ndc_t)
++
++ bind_run_ndc($1, $2, $3)
++
++ bind_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 named_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_tmp($1)
++ admin_pattern($1, named_tmp_t)
++
++ logging_list_logs($1)
++ admin_pattern($1, named_log_t)
++
++ files_list_etc($1)
++ admin_pattern($1, named_conf_t)
++
++ admin_pattern($1, named_cache_t)
++ admin_pattern($1, named_zone_t)
++ admin_pattern($1, dnssec_t)
++
++ files_list_var_lib($1)
++ admin_pattern($1, named_var_lib_t)
++
++ files_list_pids($1)
++ admin_pattern($1, named_var_run_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.8/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/bind.te 2008-10-14 12:05:29.000000000 -0400
@@ -10205,9 +10837,139 @@
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.0.8/policy/modules/services/dnsmasq.if
+--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-06-12 23:37:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.if 2008-10-15 14:20:09.000000000 -0400
+@@ -1 +1,117 @@
+ ## <summary>dnsmasq DNS forwarder and DHCP server</summary>
++
++########################################
++## <summary>
++## Execute dnsmasq server in the dnsmasq domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`dnsmasq_domtrans',`
++ gen_require(`
++ type dnsmasq_exec_t;
++ type dnsmasq_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
++')
++
++########################################
++## <summary>
++## Execute dnsmasq server in the dnsmasq domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`dnsmasq_initrc_domtrans',`
++ gen_require(`
++ type dnsmasq_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
++')
++
++########################################
++## <summary>
++## Send dnsmasq a signal
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`dnsmasq_signal',`
++ gen_require(`
++ type dnsmasq_t;
++ ')
++
++ allow $1 dnsmasq_t:process signal;
++')
++
++########################################
++## <summary>
++## Send dnsmasq a sigkill
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++#
++interface(`dnsmasq_sigkill',`
++ gen_require(`
++ type dnsmasq_t;
++ ')
++
++ allow $1 dnsmasq_t:process sigkill;
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an dnsmasq environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the dnsmasq domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`dnsmasq_admin',`
++ gen_require(`
++ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
++ type dnsmasq_initrc_exec_t;
++ ')
++
++ allow $1 dnsmasq_t:process { ptrace signal_perms };
++ ps_process_pattern($1, dnsmasq_t)
++
++ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 dnsmasq_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_var_lib($1)
++ admin_pattern($1, dnsmasq_lease_t)
++
++ files_list_pids($1)
++ admin_pattern($1, dnsmasq_var_run_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2008-10-14 12:05:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2008-10-15 14:22:15.000000000 -0400
+@@ -8,7 +8,7 @@
+
+ type dnsmasq_t;
+ type dnsmasq_exec_t;
+-init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)
++init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
+
+ type dnsmasq_lease_t;
+ files_type(dnsmasq_lease_t)
@@ -16,6 +16,9 @@
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)
@@ -10218,6 +10980,15 @@
########################################
#
# Local policy
+@@ -23,7 +26,7 @@
+
+ allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
+ dontaudit dnsmasq_t self:capability sys_tty_config;
+-allow dnsmasq_t self:process { setcap signal_perms };
++allow dnsmasq_t self:process { getcap setcap signal_perms };
+ allow dnsmasq_t self:fifo_file { read write };
+ allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
+ allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
@@ -32,7 +35,7 @@
allow dnsmasq_t self:rawip_socket create_socket_perms;
@@ -10227,16 +10998,17 @@
files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
-@@ -55,7 +58,7 @@
+@@ -55,8 +58,7 @@
corenet_tcp_bind_all_nodes(dnsmasq_t)
corenet_udp_bind_all_nodes(dnsmasq_t)
corenet_tcp_bind_dns_port(dnsmasq_t)
-corenet_udp_bind_dns_port(dnsmasq_t)
+-corenet_udp_bind_dhcpd_port(dnsmasq_t)
+corenet_udp_bind_all_ports(dnsmasq_t)
- corenet_udp_bind_dhcpd_port(dnsmasq_t)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
-@@ -94,3 +97,7 @@
+
+@@ -94,3 +96,7 @@
optional_policy(`
udev_read_db(dnsmasq_t)
')
@@ -13165,7 +13937,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-10-14 12:05:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-10-16 14:53:36.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.7.1)
@@ -13173,7 +13945,7 @@
########################################
#
-@@ -8,7 +8,16 @@
+@@ -8,11 +8,24 @@
type NetworkManager_t;
type NetworkManager_exec_t;
@@ -13191,7 +13963,15 @@
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
-@@ -20,9 +29,9 @@
+
++type wpa_cli_t;
++type wpa_cli_exec_t;
++init_system_domain(wpa_cli_t, wpa_cli_exec_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -20,9 +33,9 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -13203,8 +13983,12 @@
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-@@ -33,15 +42,22 @@
+@@ -31,17 +44,27 @@
+ allow NetworkManager_t self:udp_socket create_socket_perms;
+ allow NetworkManager_t self:packet_socket create_socket_perms;
++allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
++
can_exec(NetworkManager_t, NetworkManager_exec_t)
-manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
@@ -13226,10 +14010,11 @@
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t)
++kernel_search_network_sysctl(NetworkManager_t)
corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -64,9 +80,11 @@
+@@ -64,9 +87,11 @@
dev_read_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
@@ -13241,7 +14026,7 @@
mls_file_read_all_levels(NetworkManager_t)
-@@ -83,9 +101,14 @@
+@@ -83,9 +108,14 @@
files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
@@ -13256,11 +14041,26 @@
libs_use_ld_so(NetworkManager_t)
libs_use_shared_libs(NetworkManager_t)
-@@ -107,12 +130,17 @@
- # in /etc created by NetworkManager will be labelled net_conf_t.
- sysnet_manage_config(NetworkManager_t)
- sysnet_etc_filetrans_config(NetworkManager_t)
+@@ -98,26 +128,40 @@
+
+ seutil_read_config(NetworkManager_t)
+
+-sysnet_domtrans_ifconfig(NetworkManager_t)
++sysnet_etc_filetrans_config(NetworkManager_t)
++sysnet_delete_dhcpc_pid(NetworkManager_t)
+ sysnet_domtrans_dhcpc(NetworkManager_t)
+-sysnet_signal_dhcpc(NetworkManager_t)
++sysnet_domtrans_ifconfig(NetworkManager_t)
++sysnet_kill_dhcpc(NetworkManager_t)
++sysnet_manage_config(NetworkManager_t)
+sysnet_read_dhcp_config(NetworkManager_t)
+ sysnet_read_dhcpc_pid(NetworkManager_t)
+-sysnet_delete_dhcpc_pid(NetworkManager_t)
+ sysnet_search_dhcp_state(NetworkManager_t)
+-# in /etc created by NetworkManager will be labelled net_conf_t.
+-sysnet_manage_config(NetworkManager_t)
+-sysnet_etc_filetrans_config(NetworkManager_t)
++sysnet_signal_dhcpc(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
-userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
@@ -13272,10 +14072,24 @@
+userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
+
+cron_read_system_job_lib_files(NetworkManager_t)
++
++optional_policy(`
++ avahi_domtrans(NetworkManager_t)
++ avahi_sigkill(NetworkManager_t)
++ avahi_signal(NetworkManager_t)
++ avahi_signull(NetworkManager_t)
++')
optional_policy(`
bind_domtrans(NetworkManager_t)
-@@ -129,28 +157,26 @@
+ bind_manage_cache(NetworkManager_t)
+ bind_signal(NetworkManager_t)
++ bind_signull(NetworkManager_t)
++ bind_sigkill(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -129,15 +173,18 @@
')
optional_policy(`
@@ -13289,22 +14103,34 @@
- dbus_connect_system_bus(NetworkManager_t)
- dbus_send_system_bus(NetworkManager_t)
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
++')
++
++optional_policy(`
++ dnsmasq_script_domtrans(NetworkManager_t)
++ dnsmasq_signal(NetworkManager_t)
++ dnsmasq_sigkill(NetworkManager_t)
++ dnsmasq_signull(NetworkManager_t)
++')
++
++optional_policy(`
++ hal_write_log(NetworkManager_t)
')
optional_policy(`
-- howl_signal(NetworkManager_t)
-+ hal_write_log(NetworkManager_t)
+@@ -145,39 +192,86 @@
')
optional_policy(`
- nis_use_ypbind(NetworkManager_t)
-+ howl_signal(NetworkManager_t)
++ iptables_domtrans(NetworkManager_t)
')
optional_policy(`
- nscd_socket_use(NetworkManager_t)
+ nscd_domtrans(NetworkManager_t)
nscd_signal(NetworkManager_t)
++ nscd_signull(NetworkManager_t)
++ nscd_sigkill(NetworkManager_t)
+ nscd_script_domtrans(NetworkManager_t)
+')
+
@@ -13314,18 +14140,22 @@
')
optional_policy(`
-@@ -159,22 +185,30 @@
- ')
-
- optional_policy(`
-- ppp_domtrans(NetworkManager_t)
-+ polkit_domtrans_auth(NetworkManager_t)
-+ polkit_read_lib(NetworkManager_t)
+ openvpn_domtrans(NetworkManager_t)
+ openvpn_signal(NetworkManager_t)
++ openvpn_signull(NetworkManager_t)
++ openvpn_sigkill(NetworkManager_t)
+')
+
+optional_policy(`
++ polkit_domtrans_auth(NetworkManager_t)
++ polkit_read_lib(NetworkManager_t)
+ ')
+
+ optional_policy(`
+ ppp_script_domtrans(NetworkManager_t)
+ ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
++ ppp_sigkill(NetworkManager_t)
ppp_signal(NetworkManager_t)
+ ppp_signull(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
@@ -13350,6 +14180,36 @@
')
optional_policy(`
+ vpn_domtrans(NetworkManager_t)
++ vpn_sigkill(NetworkManager_t)
+ vpn_signal(NetworkManager_t)
++ vpn_signull(NetworkManager_t)
+ ')
++
++########################################
++#
++# wpa_cli local policy
++#
++allow wpa_cli_t self:capability dac_override;
++allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
++
++allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
++
++manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
++files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
++
++list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
++rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
++
++init_dontaudit_use_fds(wpa_cli_t)
++init_use_script_ptys(wpa_cli_t)
++
++libs_use_ld_so(wpa_cli_t)
++libs_use_shared_libs(wpa_cli_t)
++
++miscfiles_read_localization(wpa_cli_t)
++
++term_dontaudit_use_console(wpa_cli_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.0.8/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nis.fc 2008-10-14 12:05:29.000000000 -0400
@@ -15372,8 +16232,17 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.0.8/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ppp.fc 2008-10-14 12:05:29.000000000 -0400
-@@ -25,7 +25,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/ppp.fc 2008-10-15 13:00:08.000000000 -0400
+@@ -1,6 +1,8 @@
+ #
+ # /etc
+ #
++/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0)
++
+ /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+ /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+ /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+@@ -25,7 +27,7 @@
#
# /var
#
@@ -15384,8 +16253,34 @@
# Fix pptp sockets
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.0.8/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ppp.if 2008-10-14 12:05:29.000000000 -0400
-@@ -76,6 +76,24 @@
++++ serefpolicy-3.0.8/policy/modules/services/ppp.if 2008-10-15 13:00:12.000000000 -0400
+@@ -39,6 +39,25 @@
+
+ ########################################
+ ## <summary>
++## Send ppp a sigkill
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++#
++interface(`ppp_sigkill',`
++ gen_require(`
++ type pppd_t;
++ ')
++
++ allow $1 pppd_t:process sigkill;
++')
++
++########################################
++## <summary>
+ ## Send a SIGCHLD signal to PPP.
+ ## </summary>
+ ## <param name="domain">
+@@ -76,6 +95,24 @@
########################################
## <summary>
@@ -15410,7 +16305,7 @@
## Execute domain in the ppp domain.
## </summary>
## <param name="domain">
-@@ -102,6 +120,16 @@
+@@ -102,6 +139,16 @@
## Domain allowed access.
## </summary>
## </param>
@@ -15427,24 +16322,7 @@
## <rolecap/>
#
interface(`ppp_run_cond',`
-@@ -126,6 +154,16 @@
- ## Domain allowed access.
- ## </summary>
- ## </param>
-+## <param name="role">
-+## <summary>
-+## The role to allow the ppp domain.
-+## </summary>
-+## </param>
-+## <param name="terminal">
-+## <summary>
-+## The type of the terminal allow the ppp domain to use.
-+## </summary>
-+## </param>
- ## <rolecap/>
- #
- interface(`ppp_run',`
-@@ -159,6 +197,25 @@
+@@ -159,6 +206,25 @@
########################################
## <summary>
@@ -15470,13 +16348,10 @@
## Read PPP-writable configuration files.
## </summary>
## <param name="domain">
-@@ -248,5 +305,23 @@
- type pppd_var_run_t;
- ')
+@@ -250,3 +316,95 @@
-- files_pid_filetrans($1,pppd_var_run_t,file)
-+ files_pid_filetrans($1, pppd_var_run_t, file)
-+')
+ files_pid_filetrans($1,pppd_var_run_t,file)
+ ')
+
+########################################
+## <summary>
@@ -15494,10 +16369,84 @@
+ ')
+
+ init_script_domtrans_spec($1, pppd_script_exec_t)
- ')
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an ppp environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the ppp domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`ppp_admin',`
++ gen_require(`
++ type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
++ type pppd_etc_t, pppd_secret_t;
++ type pppd_etc_rw_t, pppd_var_run_t;
++
++ type pptp_t, pptp_log_t, pptp_var_run_t;
++ type pppd_script_exec_t;
++ ')
++
++ allow $1 pppd_t:process { ptrace signal_perms getattr };
++ ps_process_pattern($1, pppd_t)
++
++ allow $1 pptp_t:process { ptrace signal_perms getattr };
++ ps_process_pattern($1, pptp_t)
++
++ # Allow admin domain to restart the pppd_t service
++ ppp_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pppd_script_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_tmp($1)
++ manage_all_pattern($1,pppd_tmp_t)
++
++ logging_list_logs($1)
++ manage_all_pattern($1,pppd_log_t)
++
++ manage_all_pattern($1,pptp_log_t)
++
++ manage_all_pattern($1,pppd_lock_t)
++
++ files_list_etc($1)
++ manage_all_pattern($1,pppd_etc_t)
++
++ manage_all_pattern($1,pppd_etc_rw_t)
++
++ manage_all_pattern($1,pppd_secret_t)
++
++ manage_all_pattern($1,pppd_script_exec_t)
++
++ files_list_var_lib($1)
++ manage_all_pattern($1,pppd_var_lib_t)
++
++ files_list_pids($1)
++ manage_all_pattern($1,pppd_var_run_t)
++
++ manage_all_pattern($1,pptp_var_run_t)
++')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.0.8/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ppp.te 2008-10-14 12:05:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ppp.te 2008-10-15 13:00:04.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(ppp,1.5.0)
@@ -15562,18 +16511,57 @@
')
optional_policy(`
-@@ -221,8 +220,9 @@
+@@ -221,13 +220,16 @@
# PPTP Local policy
#
--dontaudit pptp_t self:capability sys_tty_config;
- allow pptp_t self:capability net_raw;
-+dontaudit pptp_t self:capability sys_tty_config;
++allow pptp_t self:capability { net_raw net_admin };
+ dontaudit pptp_t self:capability sys_tty_config;
+-allow pptp_t self:capability net_raw;
+-allow pptp_t self:fifo_file { read write };
+allow pptp_t self:process signal;
- allow pptp_t self:fifo_file { read write };
++allow pptp_t self:fifo_file rw_fifo_file_perms;
allow pptp_t self:unix_dgram_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -292,6 +292,14 @@
+ allow pptp_t self:rawip_socket create_socket_perms;
+ allow pptp_t self:tcp_socket create_socket_perms;
++allow pptp_t self:udp_socket create_socket_perms;
++allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ allow pptp_t pppd_etc_t:dir { getattr read search };
+ allow pptp_t pppd_etc_t:file { read getattr };
+@@ -251,9 +253,13 @@
+ kernel_list_proc(pptp_t)
+ kernel_read_kernel_sysctls(pptp_t)
+ kernel_read_proc_symlinks(pptp_t)
++kernel_read_system_state(pptp_t)
+
+ dev_read_sysfs(pptp_t)
+
++corecmd_exec_shell(pptp_t)
++corecmd_read_bin_symlinks(pptp_t)
++
+ corenet_all_recvfrom_unlabeled(pptp_t)
+ corenet_all_recvfrom_netlabel(pptp_t)
+ corenet_tcp_sendrecv_all_if(pptp_t)
+@@ -269,6 +275,8 @@
+ fs_getattr_all_fs(pptp_t)
+ fs_search_auto_mountpoints(pptp_t)
+
++files_read_etc_files(pptp_t)
++
+ term_ioctl_generic_ptys(pptp_t)
+ term_search_ptys(pptp_t)
+ term_use_ptmx(pptp_t)
+@@ -283,6 +291,7 @@
+ miscfiles_read_localization(pptp_t)
+
+ sysnet_read_config(pptp_t)
++sysnet_exec_ifconfig(pppd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+ userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
+@@ -292,6 +301,14 @@
')
optional_policy(`
@@ -17827,7 +18815,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-10-14 12:05:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-10-14 21:45:19.000000000 -0400
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -17854,17 +18842,15 @@
allow sendmail_t sendmail_log_t:dir setattr;
manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t)
-@@ -48,6 +51,9 @@
+@@ -48,6 +51,7 @@
kernel_read_kernel_sysctls(sendmail_t)
# for piping mail to a command
kernel_read_system_state(sendmail_t)
+kernel_read_network_state(sendmail_t)
-+
-+auth_use_nsswitch(sendmail_t)
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -66,14 +72,18 @@
+@@ -66,14 +70,18 @@
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
@@ -17883,15 +18869,17 @@
files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
-@@ -83,6 +93,7 @@
+@@ -83,6 +91,9 @@
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
init_read_utmp(sendmail_t)
init_dontaudit_write_utmp(sendmail_t)
+init_rw_script_tmp_files(sendmail_t)
++
++auth_use_nsswitch(sendmail_t)
libs_use_ld_so(sendmail_t)
libs_use_shared_libs(sendmail_t)
-@@ -90,34 +101,39 @@
+@@ -90,44 +101,55 @@
libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t)
@@ -17937,7 +18925,12 @@
')
optional_policy(`
-@@ -128,6 +144,11 @@
+- postfix_exec_master(sendmail_t)
++ postfix_domtrans_postdrop(sendmail_t)
++ postfix_domtrans_master(sendmail_t)
+ postfix_read_config(sendmail_t)
+ postfix_search_spool(sendmail_t)
+ ')
optional_policy(`
procmail_domtrans(sendmail_t)
@@ -17949,7 +18942,7 @@
')
optional_policy(`
-@@ -135,24 +156,25 @@
+@@ -135,24 +157,25 @@
')
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.648
retrieving revision 1.649
diff -u -r1.648 -r1.649
--- selinux-policy.spec 15 Oct 2008 17:22:10 -0000 1.648
+++ selinux-policy.spec 20 Oct 2008 19:54:22 -0000 1.649
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 120%{?dist}
+Release: 121%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,10 @@
%endif
%changelog
+* Wed Oct 15 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-121
+- Allow wine to mmap_zero
+- Fix mapping for google/picasa/wine
+
* Tue Oct 14 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-120
- Backport networkmanager and ppp policy from f9
- Previous message: rpms/selinux-policy/F-9 policy-20071130.patch, 1.228, 1.229 selinux-policy.spec, 1.719, 1.720
- Next message: rpms/ekiga/devel .cvsignore, 1.14, 1.15 ekiga.spec, 1.58, 1.59 sources, 1.16, 1.17
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list