rpms/selinux-policy/devel policy-20090105.patch,1.96,1.97

Daniel J Walsh dwalsh at fedoraproject.org
Fri Apr 24 13:16:14 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7207

Modified Files:
	policy-20090105.patch 
Log Message:
* Fri Apr 24 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-16
- Update to latest milter code from Paul Howarth


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.96
retrieving revision 1.97
diff -u -r1.96 -r1.97
--- policy-20090105.patch	24 Apr 2009 11:42:41 -0000	1.96
+++ policy-20090105.patch	24 Apr 2009 13:16:13 -0000	1.97
@@ -779,7 +779,7 @@
 +/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-04-23 17:21:40.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-04-24 09:02:26.000000000 -0400
 @@ -24,7 +24,7 @@
  
  allow readahead_t self:capability { fowner dac_override dac_read_search };
@@ -801,7 +801,7 @@
  init_getattr_initctl(readahead_t)
  
  logging_send_syslog_msg(readahead_t)
-+logging_send_audit_msgs(readahead_t)
++logging_set_audit_parameters(readahead_t)
  logging_dontaudit_search_audit_config(readahead_t)
  
  miscfiles_read_localization(readahead_t)
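Review bot: The new line `++logging_set_audit_parameters(readahead_t)` replaces a right to emit audit records with a right to change the audit subsystem's configuration, which appears to be a broader grant than a boot-time readahead daemon should need, and the hunk gives no reason for it. If the motivating denial was only on writing audit messages, the previous `logging_send_audit_msgs(readahead_t)` was the narrower interface and should be kept; if readahead really does tune audit settings, a one-line comment above the call naming that operation would make the grant reviewable. The readahead_t rule block this sits in starts before the hunk.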
@@ -5035,6 +5035,35 @@
  /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
  /dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if	2009-03-05 12:28:56.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-04-24 09:05:52.000000000 -0400
+@@ -2268,6 +2268,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Delete the null device (/dev/null).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_delete_null',`
++	gen_require(`
++		type device_t, null_device_t;
++	')
++
++	allow $1 device_t:dir del_entry_dir_perms;
++	allow $1 null_device_t:chr_file unlink;
++')
++
++########################################
++## <summary>
+ ##	Read and write to the null device (/dev/null).
+ ## </summary>
+ ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2009-03-05 12:28:57.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.te	2009-04-23 09:44:57.000000000 -0400
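Review bot: The new `dev_delete_null` interface grants `unlink` on null_device_t and `del_entry_dir_perms` on device_t:dir but no matching create or filetrans right, so a caller that removes /dev/null depends on permissions granted elsewhere to restore it, and the interface documentation does not say so. Extending the summary to `##	Delete the null device (/dev/null).  Grants no right to recreate it.` would make that contract explicit for callers. The interface is otherwise in the usual refpolicy shape and is scoped to the single null_device_t type rather than to all character devices.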
@@ -14835,7 +14864,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.6.12/policy/modules/services/milter.te
 --- nsaserefpolicy/policy/modules/services/milter.te	2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.te	2009-04-24 07:22:01.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/milter.te	2009-04-24 08:31:02.000000000 -0400
 @@ -14,6 +14,12 @@
  milter_template(regex)
  milter_template(spamass)
@@ -14849,18 +14878,7 @@
  ########################################
  #
  # milter-regex local policy
-@@ -21,6 +27,10 @@
- #   http://www.benzedrine.cx/milter-regex.html
- #
- 
-+# The milter runs from /var/lib/spamass-milter
-+files_search_var_lib(spamass_milter_t);
-+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
-+
- # It removes any existing socket (not owned by root) whilst running as root
- # and then calls setgid() and setuid() to drop privileges
- allow regex_milter_t self:capability { setuid setgid dac_override };
-@@ -41,6 +51,10 @@
+@@ -41,6 +47,10 @@
  #   http://savannah.nongnu.org/projects/spamass-milt/
  #
  
@@ -19956,7 +19974,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.12/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2009-01-19 11:07:32.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/razor.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/razor.te	2009-04-24 08:32:37.000000000 -0400
 @@ -6,6 +6,32 @@
  # Declarations
  #
@@ -19990,12 +20008,24 @@
  type razor_exec_t;
  corecmd_executable_file(razor_exec_t)
  
-@@ -122,3 +148,5 @@
- optional_policy(`
- 	nscd_socket_use(razor_t)
- ')
+@@ -102,6 +128,8 @@
+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+ 
++auth_use_nsswitch(razor_t)
 +
+ logging_send_syslog_msg(razor_t)
+ 
+ userdom_search_user_home_dirs(razor_t)
+@@ -120,5 +148,7 @@
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(razor_t)
++	milter_manage_spamass_state(razor_t)
 +')
++
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.12/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/ricci.te	2009-04-23 09:44:57.000000000 -0400
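Review bot: The rewritten inner hunk `@@ -120,5 +148,7 @@` ends with `+')` and a blank line after the optional_policy block has already been closed by the preceding `+')`, so the patched razor.te gains a closing `')` with no opening visible in this hunk. That trailing `+')` is pre-existing patch content, but the commit reworked this hunk and kept it; unless the razor.te hunk at `@@ -6,6 +6,32 @@` (not shown here) opens a matching block, the module ends up with an unbalanced m4 quote and should be build-checked. Replacing `nscd_socket_use(razor_t)` with `milter_manage_spamass_state(razor_t)` inside the same optional_policy block looks consistent with the added `auth_use_nsswitch(razor_t)`, assuming that interface covers nscd as it does elsewhere in the reference policy.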
@@ -21822,7 +21852,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2009-04-24 07:23:40.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2009-04-24 08:31:39.000000000 -0400
 @@ -20,6 +20,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -21935,7 +21965,7 @@
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -265,31 +324,35 @@
+@@ -265,13 +324,16 @@
  
  sysnet_read_config(spamc_t)
  
@@ -21950,11 +21980,8 @@
 +	fs_manage_nfs_dirs(spamc_t)
 +	fs_manage_nfs_files(spamc_t)
 +	fs_manage_nfs_symlinks(spamc_t)
- ')
- 
--optional_policy(`
--	# Allow connection to spamd socket above
--	evolution_stream_connect(spamc_t)
++')
++
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_manage_cifs_dirs(spamc_t)
 +	fs_manage_cifs_files(spamc_t)
@@ -21962,9 +21989,12 @@
  ')
  
  optional_policy(`
+@@ -280,16 +342,21 @@
+ ')
+ 
+ optional_policy(`
 -	nis_use_ypbind(spamc_t)
-+	# Allow connection to spamd socket above
-+	evolution_stream_connect(spamc_t)
++	milter_manage_spamass_state(spamc_t)
  ')
  
  optional_policy(`
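Review bot: `+	milter_manage_spamass_state(spamc_t)` grants the whole spamc_t domain manage rights on the milter's state type, not only the spamc instance spawned by spamass-milter; whether spamc_t is also the domain for user-run spamc is not visible in this hunk, so the scope of the grant should be confirmed. A comment above the call, along the lines of the one this commit removes from the milter.te hunk (`# The milter runs from /var/lib/spamass-milter`), would record why spamc needs to write there. The dropped `nis_use_ypbind(spamc_t)` is presumably covered by an nsswitch interface elsewhere in the patch; worth a check that spamc still resolves via NIS where that is in use.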
@@ -21983,7 +22013,7 @@
  ')
  
  ########################################
-@@ -301,7 +364,7 @@
+@@ -301,7 +368,7 @@
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -21992,7 +22022,7 @@
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -317,10 +380,13 @@
+@@ -317,10 +384,13 @@
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -22007,7 +22037,7 @@
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -329,10 +395,11 @@
+@@ -329,10 +399,11 @@
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -22020,7 +22050,7 @@
  files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
  
  kernel_read_all_sysctls(spamd_t)
-@@ -382,22 +449,27 @@
+@@ -382,22 +453,27 @@
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -22052,7 +22082,7 @@
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -415,6 +487,7 @@
+@@ -415,6 +491,7 @@
  
  optional_policy(`
  	dcc_domtrans_client(spamd_t)
@@ -22060,7 +22090,7 @@
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -424,10 +497,6 @@
+@@ -424,10 +501,6 @@
  ')
  
  optional_policy(`
@@ -22071,7 +22101,7 @@
  	postfix_read_config(spamd_t)
  ')
  
-@@ -442,6 +511,10 @@
+@@ -442,6 +515,10 @@
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -22082,7 +22112,7 @@
  ')
  
  optional_policy(`
-@@ -454,5 +527,9 @@
+@@ -454,5 +531,9 @@
  ')
  
  optional_policy(`
@@ -25882,7 +25912,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-24 08:59:22.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -26020,7 +26050,7 @@
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -270,16 +308,19 @@
+@@ -270,16 +308,20 @@
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
@@ -26032,6 +26062,7 @@
 -dev_read_lvm_control(initrc_t)
 +dev_rw_lvm_control(initrc_t)
  dev_delete_lvm_control_dev(initrc_t)
++dev_delete_null(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
  # Wants to remove udev.tbl:
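Review bot: `++dev_delete_null(initrc_t)` lets every init script running as initrc_t remove /dev/null, and the hunk does not say which script needs it; the adjacent rule carries a reason (`# Wants to remove udev.tbl:`), so a similar comment such as `# <init script, to be named> removes and recreates /dev/null` above the new call would keep the file consistent and make the grant auditable later. If that script recreates the node, confirm initrc_t also holds the create/filetrans right for null_device_t; otherwise a process opening /dev/null after the unlink could end up creating an ordinary file in /dev. The initrc_t rule block continues on both sides of this hunk.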
@@ -26041,7 +26072,7 @@
  
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -328,7 +369,7 @@
+@@ -328,7 +370,7 @@
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -26050,7 +26081,7 @@
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -343,14 +384,14 @@
+@@ -343,14 +385,14 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -26067,7 +26098,7 @@
  files_exec_etc_files(initrc_t)
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
-@@ -366,7 +407,9 @@
+@@ -366,7 +408,9 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
@@ -26077,7 +26108,7 @@
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -451,7 +494,7 @@
+@@ -451,7 +495,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -26086,7 +26117,7 @@
  	files_dontaudit_read_root_files(initrc_t)
  
  	selinux_set_enforce_mode(initrc_t)
-@@ -465,6 +508,7 @@
+@@ -465,6 +509,7 @@
  	storage_raw_read_fixed_disk(initrc_t)
  	storage_raw_write_fixed_disk(initrc_t)
  
@@ -26094,7 +26125,7 @@
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
  	# wants to read /.fonts directory
-@@ -498,6 +542,7 @@
+@@ -498,6 +543,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
@@ -26102,7 +26133,7 @@
  	')
  
  	optional_policy(`
-@@ -516,6 +561,33 @@
+@@ -516,6 +562,33 @@
  	')
  ')
  
@@ -26136,7 +26167,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +642,10 @@
+@@ -570,6 +643,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -26147,7 +26178,7 @@
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -591,6 +667,10 @@
+@@ -591,6 +668,10 @@
  ')
  
  optional_policy(`
@@ -26158,7 +26189,7 @@
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -647,6 +727,11 @@
+@@ -647,6 +728,11 @@
  ')
  
  optional_policy(`
@@ -26170,7 +26201,7 @@
  	mailman_list_data(initrc_t)
  	mailman_read_data_symlinks(initrc_t)
  ')
-@@ -655,12 +740,6 @@
+@@ -655,12 +741,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -26183,7 +26214,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -719,8 +798,6 @@
+@@ -719,8 +799,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -26192,7 +26223,7 @@
  ')
  
  optional_policy(`
-@@ -733,10 +810,12 @@
+@@ -733,10 +811,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -26205,7 +26236,7 @@
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +833,11 @@
+@@ -754,6 +834,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -26217,7 +26248,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -765,6 +849,13 @@
+@@ -765,6 +850,13 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -26231,7 +26262,7 @@
  ')
  
  optional_policy(`
-@@ -790,3 +881,35 @@
+@@ -790,3 +882,35 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -26811,7 +26842,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.12/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/logging.if	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/logging.if	2009-04-24 09:01:14.000000000 -0400
 @@ -623,7 +623,7 @@
  	')
  



