rpms/selinux-policy/F-12 policy-F12.patch, 1.142, 1.143 selinux-policy.spec, 1.972, 1.973

Daniel J Walsh dwalsh at fedoraproject.org
Tue Dec 1 16:14:39 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30807

Modified Files:
	policy-F12.patch selinux-policy.spec 
Log Message:
* Tue Dec 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-52
- Major fixup of ntop policy
- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
- Allow xdm to signal session bus
- Allow modemmanager to use generic ptys, and sys_tty_config capability
- Allow abrt_helper chown access, dontaudit leaks
- Allow logwatch to list cifs and nfs file systems
- Allow kismet to read network state
- Allow cupsd_config_t to connect to unconfined unix_stream
- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
- Allow sshd to read usr_t files
- Allow login programs to manage pcscd_var_run_t files
- Allow tor to read usr_t files


policy-F12.patch:
 Makefile                                                     |    2 
 policy/flask/access_vectors                                  |    1 
 policy/global_tunables                                       |   24 
 policy/mcs                                                   |   10 
 policy/modules/admin/alsa.te                                 |    2 
 policy/modules/admin/anaconda.te                             |    3 
 policy/modules/admin/brctl.te                                |    2 
 policy/modules/admin/certwatch.te                            |    2 
 policy/modules/admin/consoletype.te                          |    1 
 policy/modules/admin/dmesg.fc                                |    2 
 policy/modules/admin/dmesg.te                                |   10 
 policy/modules/admin/firstboot.te                            |    6 
 policy/modules/admin/kismet.fc                               |    2 
 policy/modules/admin/kismet.te                               |   13 
 policy/modules/admin/logrotate.te                            |   21 
 policy/modules/admin/logwatch.te                             |    8 
 policy/modules/admin/mrtg.te                                 |    1 
 policy/modules/admin/netutils.te                             |    2 
 policy/modules/admin/ntop.fc                                 |    5 
 policy/modules/admin/ntop.if                                 |  158 +
 policy/modules/admin/ntop.te                                 |   40 
 policy/modules/admin/portage.te                              |    2 
 policy/modules/admin/prelink.fc                              |    1 
 policy/modules/admin/prelink.if                              |    4 
 policy/modules/admin/prelink.te                              |   75 
 policy/modules/admin/readahead.te                            |    1 
 policy/modules/admin/rpm.fc                                  |   20 
 policy/modules/admin/rpm.if                                  |  344 ++
 policy/modules/admin/rpm.te                                  |   98 
 policy/modules/admin/shorewall.fc                            |    6 
 policy/modules/admin/shorewall.if                            |   40 
 policy/modules/admin/shorewall.te                            |    9 
 policy/modules/admin/smoltclient.fc                          |    4 
 policy/modules/admin/smoltclient.if                          |    1 
 policy/modules/admin/smoltclient.te                          |   66 
 policy/modules/admin/sudo.if                                 |   13 
 policy/modules/admin/tmpreaper.te                            |    9 
 policy/modules/admin/tzdata.te                               |    2 
 policy/modules/admin/usermanage.if                           |   11 
 policy/modules/admin/usermanage.te                           |   35 
 policy/modules/admin/vbetool.te                              |   14 
 policy/modules/admin/vpn.te                                  |    4 
 policy/modules/apps/calamaris.te                             |    7 
 policy/modules/apps/chrome.fc                                |    2 
 policy/modules/apps/chrome.if                                |   86 
 policy/modules/apps/chrome.te                                |   78 
 policy/modules/apps/cpufreqselector.te                       |    2 
 policy/modules/apps/execmem.fc                               |   42 
 policy/modules/apps/execmem.if                               |   80 
 policy/modules/apps/execmem.te                               |   11 
 policy/modules/apps/firewallgui.fc                           |    3 
 policy/modules/apps/firewallgui.if                           |    3 
 policy/modules/apps/firewallgui.te                           |   64 
 policy/modules/apps/gitosis.if                               |   45 
 policy/modules/apps/gnome.fc                                 |   12 
 policy/modules/apps/gnome.if                                 |  170 +
 policy/modules/apps/gnome.te                                 |   99 
 policy/modules/apps/gpg.te                                   |   20 
 policy/modules/apps/java.fc                                  |   24 
 policy/modules/apps/java.if                                  |  114 
 policy/modules/apps/java.te                                  |   19 
 policy/modules/apps/kdumpgui.fc                              |    2 
 policy/modules/apps/kdumpgui.if                              |    2 
 policy/modules/apps/kdumpgui.te                              |   67 
 policy/modules/apps/livecd.fc                                |    2 
 policy/modules/apps/livecd.if                                |   52 
 policy/modules/apps/livecd.te                                |   27 
 policy/modules/apps/loadkeys.te                              |    6 
 policy/modules/apps/mono.fc                                  |    2 
 policy/modules/apps/mono.if                                  |  101 
 policy/modules/apps/mono.te                                  |    9 
 policy/modules/apps/mozilla.fc                               |    1 
 policy/modules/apps/mozilla.if                               |   68 
 policy/modules/apps/mozilla.te                               |   23 
 policy/modules/apps/nsplugin.fc                              |   11 
 policy/modules/apps/nsplugin.if                              |  323 ++
 policy/modules/apps/nsplugin.te                              |  295 +
 policy/modules/apps/openoffice.fc                            |    3 
 policy/modules/apps/openoffice.if                            |   93 
 policy/modules/apps/openoffice.te                            |   11 
 policy/modules/apps/podsleuth.te                             |    3 
 policy/modules/apps/ptchown.if                               |   25 
 policy/modules/apps/pulseaudio.if                            |    2 
 policy/modules/apps/pulseaudio.te                            |   13 
 policy/modules/apps/qemu.fc                                  |    4 
 policy/modules/apps/qemu.if                                  |  189 +
 policy/modules/apps/qemu.te                                  |   84 
 policy/modules/apps/sambagui.fc                              |    1 
 policy/modules/apps/sambagui.if                              |    2 
 policy/modules/apps/sambagui.te                              |   60 
 policy/modules/apps/sandbox.fc                               |    1 
 policy/modules/apps/sandbox.if                               |  188 +
 policy/modules/apps/sandbox.te                               |  331 ++
 policy/modules/apps/screen.if                                |    7 
 policy/modules/apps/sectoolm.fc                              |    6 
 policy/modules/apps/sectoolm.if                              |    3 
 policy/modules/apps/sectoolm.te                              |  120 
 policy/modules/apps/selinux-policy-3.6.32-41.fc12.noarch.rpm |binary
 policy/modules/apps/seunshare.fc                             |    2 
 policy/modules/apps/seunshare.if                             |   81 
 policy/modules/apps/seunshare.te                             |   43 
 policy/modules/apps/vmware.te                                |    1 
 policy/modules/apps/wine.fc                                  |   24 
 policy/modules/apps/wine.if                                  |  115 
 policy/modules/apps/wine.te                                  |   34 
 policy/modules/kernel/corecommands.fc                        |   42 
 policy/modules/kernel/corecommands.if                        |   21 
 policy/modules/kernel/corecommands.pp                        |binary
 policy/modules/kernel/corenetwork.te.in                      |   46 
 policy/modules/kernel/devices.fc                             |   13 
 policy/modules/kernel/devices.if                             |  273 +
 policy/modules/kernel/devices.te                             |   25 
 policy/modules/kernel/domain.if                              |  170 -
 policy/modules/kernel/domain.te                              |   89 
 policy/modules/kernel/files.fc                               |    3 
 policy/modules/kernel/files.if                               |  379 ++
 policy/modules/kernel/files.te                               |    6 
 policy/modules/kernel/filesystem.fc                          |    2 
 policy/modules/kernel/filesystem.if                          |  256 +
 policy/modules/kernel/filesystem.te                          |   16 
 policy/modules/kernel/kernel.if                              |   98 
 policy/modules/kernel/kernel.te                              |   32 
 policy/modules/kernel/selinux.if                             |   25 
 policy/modules/kernel/storage.fc                             |    2 
 policy/modules/kernel/storage.if                             |    3 
 policy/modules/kernel/terminal.fc                            |    1 
 policy/modules/kernel/terminal.if                            |   44 
 policy/modules/kernel/terminal.te                            |    1 
 policy/modules/roles/guest.te                                |    8 
 policy/modules/roles/staff.te                                |  126 
 policy/modules/roles/sysadm.te                               |  126 
 policy/modules/roles/unconfineduser.fc                       |    8 
 policy/modules/roles/unconfineduser.if                       |  667 ++++
 policy/modules/roles/unconfineduser.te                       |  448 ++
 policy/modules/roles/unprivuser.te                           |  127 
 policy/modules/roles/xguest.te                               |   74 
 policy/modules/services/abrt.fc                              |    6 
 policy/modules/services/abrt.if                              |  102 
 policy/modules/services/abrt.te                              |   99 
 policy/modules/services/afs.fc                               |    1 
 policy/modules/services/afs.te                               |    3 
 policy/modules/services/aisexec.fc                           |   12 
 policy/modules/services/aisexec.if                           |  106 
 policy/modules/services/aisexec.te                           |  112 
 policy/modules/services/amavis.te                            |    2 
 policy/modules/services/apache.fc                            |   50 
 policy/modules/services/apache.if                            |  410 +-
 policy/modules/services/apache.te                            |  452 ++
 policy/modules/services/apm.te                               |    6 
 policy/modules/services/arpwatch.te                          |    2 
 policy/modules/services/asterisk.if                          |   21 
 policy/modules/services/asterisk.te                          |   20 
 policy/modules/services/automount.te                         |    2 
 policy/modules/services/avahi.te                             |   10 
 policy/modules/services/bind.if                              |   40 
 policy/modules/services/bitlbee.te                           |    2 
 policy/modules/services/bluetooth.if                         |   21 
 policy/modules/services/bluetooth.te                         |   11 
 policy/modules/services/ccs.fc                               |    8 
 policy/modules/services/ccs.te                               |   33 
 policy/modules/services/certmaster.te                        |    2 
 policy/modules/services/chronyd.fc                           |   11 
 policy/modules/services/chronyd.if                           |  105 
 policy/modules/services/chronyd.te                           |   67 
 policy/modules/services/clamav.te                            |   18 
 policy/modules/services/clogd.fc                             |    4 
 policy/modules/services/clogd.if                             |   98 
 policy/modules/services/clogd.te                             |   62 
 policy/modules/services/cobbler.fc                           |    2 
 policy/modules/services/cobbler.if                           |   44 
 policy/modules/services/cobbler.te                           |    5 
 policy/modules/services/consolekit.fc                        |    3 
 policy/modules/services/consolekit.if                        |   39 
 policy/modules/services/consolekit.te                        |   23 
 policy/modules/services/corosync.fc                          |   13 
 policy/modules/services/corosync.if                          |  108 
 policy/modules/services/corosync.te                          |  109 
 policy/modules/services/courier.if                           |   18 
 policy/modules/services/courier.te                           |    1 
 policy/modules/services/cron.fc                              |    6 
 policy/modules/services/cron.if                              |   74 
 policy/modules/services/cron.te                              |   82 
 policy/modules/services/cups.fc                              |   13 
 policy/modules/services/cups.te                              |   49 
 policy/modules/services/cvs.te                               |    1 
 policy/modules/services/cyrus.te                             |    1 
 policy/modules/services/dbus.if                              |   49 
 policy/modules/services/dbus.te                              |   25 
 policy/modules/services/dcc.te                               |    8 
 policy/modules/services/ddclient.if                          |   25 
 policy/modules/services/devicekit.fc                         |    2 
 policy/modules/services/devicekit.if                         |   22 
 policy/modules/services/devicekit.te                         |   60 
 policy/modules/services/dnsmasq.te                           |   12 
 policy/modules/services/dovecot.te                           |   24 
 policy/modules/services/exim.te                              |    5 
 policy/modules/services/fail2ban.te                          |    2 
 policy/modules/services/fetchmail.te                         |    3 
 policy/modules/services/fprintd.te                           |    4 
 policy/modules/services/ftp.te                               |   60 
 policy/modules/services/git.fc                               |    8 
 policy/modules/services/git.if                               |  286 +
 policy/modules/services/git.te                               |  166 +
 policy/modules/services/gpm.te                               |    3 
 policy/modules/services/gpsd.fc                              |    5 
 policy/modules/services/gpsd.if                              |   27 
 policy/modules/services/gpsd.te                              |   14 
 policy/modules/services/hal.fc                               |    1 
 policy/modules/services/hal.if                               |   18 
 policy/modules/services/hal.te                               |   49 
 policy/modules/services/howl.te                              |    2 
 policy/modules/services/inetd.fc                             |    2 
 policy/modules/services/inetd.te                             |    4 
 policy/modules/services/irqbalance.te                        |    4 
 policy/modules/services/kerberos.if                          |    6 
 policy/modules/services/kerberos.te                          |   16 
 policy/modules/services/kerneloops.te                        |    2 
 policy/modules/services/ktalk.te                             |    1 
 policy/modules/services/lircd.fc                             |    2 
 policy/modules/services/lircd.if                             |    9 
 policy/modules/services/lircd.te                             |   23 
 policy/modules/services/mailman.te                           |    4 
 policy/modules/services/memcached.te                         |    2 
 policy/modules/services/milter.if                            |    2 
 policy/modules/services/modemmanager.te                      |    5 
 policy/modules/services/mta.fc                               |    2 
 policy/modules/services/mta.if                               |   13 
 policy/modules/services/mta.te                               |   36 
 policy/modules/services/munin.fc                             |    3 
 policy/modules/services/munin.te                             |    3 
 policy/modules/services/mysql.te                             |    9 
 policy/modules/services/nagios.fc                            |   20 
 policy/modules/services/nagios.if                            |   89 
 policy/modules/services/nagios.te                            |  106 
 policy/modules/services/networkmanager.fc                    |   15 
 policy/modules/services/networkmanager.if                    |   65 
 policy/modules/services/networkmanager.te                    |  117 
 policy/modules/services/nis.fc                               |    5 
 policy/modules/services/nis.if                               |   87 
 policy/modules/services/nis.te                               |   13 
 policy/modules/services/nscd.if                              |   18 
 policy/modules/services/nscd.te                              |   21 
 policy/modules/services/nslcd.if                             |    8 
 policy/modules/services/ntop.te                              |   14 
 policy/modules/services/ntp.if                               |   46 
 policy/modules/services/ntp.te                               |    8 
 policy/modules/services/nut.fc                               |   15 
 policy/modules/services/nut.if                               |   82 
 policy/modules/services/nut.te                               |  138 
 policy/modules/services/nx.fc                                |    7 
 policy/modules/services/nx.if                                |   67 
 policy/modules/services/nx.te                                |   13 
 policy/modules/services/oddjob.if                            |    1 
 policy/modules/services/openvpn.te                           |    2 
 policy/modules/services/pcscd.if                             |   22 
 policy/modules/services/pcscd.te                             |    4 
 policy/modules/services/pegasus.te                           |   28 
 policy/modules/services/plymouth.fc                          |    5 
 policy/modules/services/plymouth.if                          |  286 +
 policy/modules/services/plymouth.te                          |  101 
 policy/modules/services/policykit.fc                         |    5 
 policy/modules/services/policykit.if                         |   48 
 policy/modules/services/policykit.te                         |   64 
 policy/modules/services/portreserve.te                       |    1 
 policy/modules/services/postfix.fc                           |    2 
 policy/modules/services/postfix.if                           |  150 
 policy/modules/services/postfix.te                           |  142 
 policy/modules/services/postgresql.fc                        |   16 
 policy/modules/services/postgresql.if                        |   43 
 policy/modules/services/postgresql.te                        |    9 
 policy/modules/services/ppp.if                               |    6 
 policy/modules/services/ppp.te                               |   16 
 policy/modules/services/prelude.te                           |    3 
 policy/modules/services/privoxy.fc                           |    3 
 policy/modules/services/privoxy.te                           |    3 
 policy/modules/services/procmail.te                          |   12 
 policy/modules/services/pyzor.fc                             |    4 
 policy/modules/services/pyzor.if                             |   47 
 policy/modules/services/pyzor.te                             |   37 
 policy/modules/services/radvd.te                             |    1 
 policy/modules/services/razor.fc                             |    1 
 policy/modules/services/razor.if                             |   42 
 policy/modules/services/razor.te                             |   32 
 policy/modules/services/rgmanager.fc                         |    8 
 policy/modules/services/rgmanager.if                         |   59 
 policy/modules/services/rgmanager.te                         |   83 
 policy/modules/services/rhcs.fc                              |   22 
 policy/modules/services/rhcs.if                              |  348 ++
 policy/modules/services/rhcs.te                              |  394 ++
 policy/modules/services/ricci.te                             |   30 
 policy/modules/services/rpc.if                               |    7 
 policy/modules/services/rpc.te                               |   17 
 policy/modules/services/rpcbind.if                           |   20 
 policy/modules/services/rpcbind.te                           |    1 
 policy/modules/services/rsync.te                             |   23 
 policy/modules/services/rtkit.if                             |   20 
 policy/modules/services/rtkit.te                             |    4 
 policy/modules/services/samba.fc                             |    4 
 policy/modules/services/samba.if                             |  104 
 policy/modules/services/samba.te                             |   89 
 policy/modules/services/sasl.te                              |   15 
 policy/modules/services/sendmail.if                          |  137 
 policy/modules/services/sendmail.te                          |   87 
 policy/modules/services/setroubleshoot.fc                    |    2 
 policy/modules/services/setroubleshoot.if                    |  123 
 policy/modules/services/setroubleshoot.te                    |   82 
 policy/modules/services/smartmon.te                          |   15 
 policy/modules/services/snmp.if                              |   38 
 policy/modules/services/snmp.te                              |    4 
 policy/modules/services/snort.te                             |    1 
 policy/modules/services/spamassassin.fc                      |   15 
 policy/modules/services/spamassassin.if                      |   89 
 policy/modules/services/spamassassin.te                      |  139 
 policy/modules/services/squid.te                             |    9 
 policy/modules/services/ssh.fc                               |    2 
 policy/modules/services/ssh.if                               |  207 +
 policy/modules/services/ssh.te                               |  155 -
 policy/modules/services/sssd.fc                              |    5 
 policy/modules/services/sssd.if                              |   62 
 policy/modules/services/sssd.te                              |   14 
 policy/modules/services/sysstat.te                           |    5 
 policy/modules/services/tftp.fc                              |    2 
 policy/modules/services/tor.te                               |    1 
 policy/modules/services/tuned.fc                             |    6 
 policy/modules/services/tuned.if                             |  140 
 policy/modules/services/tuned.te                             |   58 
 policy/modules/services/uucp.te                              |   10 
 policy/modules/services/virt.fc                              |   14 
 policy/modules/services/virt.if                              |  210 +
 policy/modules/services/virt.te                              |  276 +
 policy/modules/services/w3c.te                               |    7 
 policy/modules/services/xserver.fc                           |   45 
 policy/modules/services/xserver.if                           |  633 +++-
 policy/modules/services/xserver.te                           |  363 +-
 policy/modules/system/application.if                         |   20 
 policy/modules/system/application.te                         |   12 
 policy/modules/system/authlogin.fc                           |    9 
 policy/modules/system/authlogin.if                           |  209 +
 policy/modules/system/authlogin.te                           |   10 
 policy/modules/system/fstools.fc                             |    3 
 policy/modules/system/fstools.te                             |    7 
 policy/modules/system/init.fc                                |    7 
 policy/modules/system/init.if                                |  163 +
 policy/modules/system/init.te                                |  290 +
 policy/modules/system/ipsec.fc                               |    7 
 policy/modules/system/ipsec.if                               |   25 
 policy/modules/system/ipsec.te                               |   66 
 policy/modules/system/iptables.fc                            |   17 
 policy/modules/system/iptables.if                            |   97 
 policy/modules/system/iptables.te                            |   20 
 policy/modules/system/iscsi.if                               |   40 
 policy/modules/system/iscsi.te                               |    6 
 policy/modules/system/kdump.te                               |    5 
 policy/modules/system/libraries.fc                           |  182 -
 policy/modules/system/libraries.if                           |    5 
 policy/modules/system/libraries.te                           |   18 
 policy/modules/system/locallogin.te                          |   30 
 policy/modules/system/logging.fc                             |   12 
 policy/modules/system/logging.if                             |   18 
 policy/modules/system/logging.te                             |   38 
 policy/modules/system/lvm.if                                 |   39 
 policy/modules/system/lvm.te                                 |   31 
 policy/modules/system/miscfiles.fc                           |    1 
 policy/modules/system/miscfiles.if                           |   60 
 policy/modules/system/miscfiles.te                           |    2 
 policy/modules/system/modutils.fc                            |    1 
 policy/modules/system/modutils.if                            |   46 
 policy/modules/system/modutils.te                            |   56 
 policy/modules/system/mount.fc                               |    7 
 policy/modules/system/mount.if                               |    2 
 policy/modules/system/mount.te                               |   83 
 policy/modules/system/raid.fc                                |    2 
 policy/modules/system/raid.te                                |    8 
 policy/modules/system/selinuxutil.fc                         |   17 
 policy/modules/system/selinuxutil.if                         |  309 ++
 policy/modules/system/selinuxutil.te                         |  229 -
 policy/modules/system/setrans.if                             |   20 
 policy/modules/system/sysnetwork.fc                          |    9 
 policy/modules/system/sysnetwork.if                          |  117 
 policy/modules/system/sysnetwork.te                          |   77 
 policy/modules/system/udev.fc                                |    3 
 policy/modules/system/udev.if                                |   39 
 policy/modules/system/udev.te                                |   39 
 policy/modules/system/unconfined.fc                          |   15 
 policy/modules/system/unconfined.if                          |  443 --
 policy/modules/system/unconfined.te                          |  224 -
 policy/modules/system/userdomain.fc                          |    7 
 policy/modules/system/userdomain.if                          | 1665 ++++++++---
 policy/modules/system/userdomain.te                          |   51 
 policy/modules/system/xen.fc                                 |    6 
 policy/modules/system/xen.if                                 |   28 
 policy/modules/system/xen.te                                 |  137 
 policy/support/obj_perm_sets.spt                             |   28 
 policy/users                                                 |   13 
 394 files changed, 19652 insertions(+), 2812 deletions(-)
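Review bot: the diffstat shows two binary files carried inside policy-F12.patch, policy/modules/apps/selinux-policy-3.6.32-41.fc12.noarch.rpm and policy/modules/kernel/corecommands.pp. A built rpm and a compiled policy module are build outputs, not policy source; they cannot be reviewed as a diff and they bloat every revision of the patch. Drop both from the patch (and from the serefpolicy tree the patch is generated from) so the patch only carries .te/.if/.fc and support files.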

View full diff with command:
/usr/bin/cvs -n -f diff -kk -u -p -N -r 1.142 -r 1.143 policy-F12.patch

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.142
retrieving revision 1.143
diff -u -p -r1.142 -r1.143
--- policy-F12.patch	25 Nov 2009 20:29:59 -0000	1.142
+++ policy-F12.patch	1 Dec 2009 16:14:38 -0000	1.143
@@ -250,7 +250,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/log/kismet(/.*)?			gen_context(system_u:object_r:kismet_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.32/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/kismet.te	2009-11-09 13:10:35.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/admin/kismet.te	2009-12-01 08:03:22.000000000 -0500
 @@ -26,6 +26,9 @@
  type kismet_var_run_t;
  files_pid_file(kismet_var_run_t)
@@ -261,7 +261,17 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # kismet local policy
-@@ -59,6 +62,12 @@
+@@ -45,7 +48,8 @@
+ 
+ manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+ manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+-files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
++manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
++files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file })
+ 
+ manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+ manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+@@ -59,8 +63,15 @@
  allow kismet_t kismet_var_run_t:dir manage_dir_perms;
  files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
  
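Review bot: the new manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) and the sock_file class added to files_tmp_filetrans are not mentioned in the spec changelog, which for kismet only lists "Allow kismet to read network state"; add a changelog line for the /tmp socket rule. The rule itself is in line with the dir and file rules already present for kismet_tmp_t, and adding sock_file to the transition keeps kismet's sockets labelled kismet_tmp_t instead of falling to tmp_t, so nothing else to raise here.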
@@ -273,6 +283,9 @@ diff -b -B --ignore-all-space --exclude-
 +
  kernel_search_debugfs(kismet_t)
  kernel_read_system_state(kismet_t)
++kernel_read_network_state(kismet_t)
+ 
+ corecmd_exec_bin(kismet_t)
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-09-16 10:01:19.000000000 -0400
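Review bot: kernel_read_network_state(kismet_t) is the rule behind the changelog entry "Allow kismet to read network state" and is placed next to kernel_read_system_state, keeping the kernel_ calls grouped as the file already does; no concern with this hunk.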
@@ -336,8 +349,22 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.32/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te	2009-09-30 16:12:48.000000000 -0400
-@@ -136,4 +136,5 @@
++++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te	2009-12-01 10:47:58.000000000 -0500
+@@ -93,6 +93,13 @@
+ sysnet_exec_ifconfig(logwatch_t)
+ 
+ userdom_dontaudit_search_user_home_dirs(logwatch_t)
++tunable_policy(`use_nfs_home_dirs',`
++	fs_list_nfs(logwatch_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_list_cifs(logwatch_t)
++')
+ 
+ mta_send_mail(logwatch_t)
+ 
+@@ -136,4 +143,5 @@
  
  optional_policy(`
  	samba_read_log(logwatch_t)
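Review bot: the changelog line "Allow logwatch to list cifs and nfs file systems" reads as unconditional, but the fs_list_nfs(logwatch_t) and fs_list_cifs(logwatch_t) calls are gated on use_nfs_home_dirs and use_samba_home_dirs; state the tunables in the changelog, and confirm the home-directory tunables are the right gate (they fit the userdom_dontaudit_search_user_home_dirs rule just above, but would not help if the real need is an NFS- or CIFS-mounted log tree). Style: refpolicy modules place tunable_policy blocks after the plain rules and before the optional_policy blocks, so these two blocks belong below mta_send_mail(logwatch_t) rather than between two plain rules.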
@@ -627,7 +654,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te	2009-11-18 10:29:18.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/admin/prelink.te	2009-11-30 11:31:33.000000000 -0500
 @@ -21,8 +21,23 @@
  type prelink_tmp_t;
  files_tmp_file(prelink_tmp_t)
@@ -693,7 +720,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	amanda_manage_lib(prelink_t)
-@@ -99,5 +119,53 @@
+@@ -99,5 +119,54 @@
  ')
  
  optional_policy(`
@@ -721,7 +748,8 @@ diff -b -B --ignore-all-space --exclude-
 +# This sucks: can it not just append?
 +rw_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
 +
-+write_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
++manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
++files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
 +
 +corecmd_exec_bin(prelink_cron_system_t)
 +corecmd_exec_shell(prelink_cron_system_t)
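Review bot: `write_files_pattern` becomes `manage_files_pattern` on prelink_var_lib_t for prelink_cron_system_t, which adds create, unlink, rename and setattr on top of write, and `files_var_lib_filetrans` makes the cron job the creator of those files. If the cron script only creates and writes its own state file, `create_files_pattern` plus the existing write pattern is the tighter set; if full manage is really needed, say why. Either way this prelink change has no changelog entry, and the "# This sucks: can it not just append?" comment three lines up is still unresolved for prelink_log_t.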
@@ -812,7 +840,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if	2009-11-24 07:36:02.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if	2009-11-30 16:00:40.000000000 -0500
 @@ -13,11 +13,34 @@
  interface(`rpm_domtrans',`
  	gen_require(`
@@ -860,7 +888,7 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_run_loadpolicy(rpm_script_t, $2)
  	seutil_run_semanage(rpm_script_t, $2)
  	seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +174,42 @@
+@@ -146,6 +174,41 @@
  
  ########################################
  ## <summary>
@@ -874,11 +902,9 @@ diff -b -B --ignore-all-space --exclude-
 +#
 +interface(`rpm_dontaudit_leaks',`
 +	gen_require(`
-+		type rpm_t;
-+		type rpm_script_t;
-+		type rpm_var_run_t;
-+		type rpm_tmp_t;
-+		type rpm_tmpfs_t;
++		type rpm_t, rpm_var_cache_t;
++		type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
++		type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
 +	')
 +
 +	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
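Review bot: good fix on the gen_require: rpm_script_tmp_t and rpm_var_lib_t are used by dontaudit lines further down in this interface but were not declared in the version being replaced, and rpm_var_cache_t is now declared for the new line. Small style point: the replaced block declared one type per line, the new one packs three per line; both compile, but keeping one style inside a file makes later diffs easier to read.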
@@ -896,6 +922,7 @@ diff -b -B --ignore-all-space --exclude-
 + 	dontaudit $1 rpm_tmpfs_t:file write_file_perms;
 +	dontaudit $1 rpm_script_tmp_t:file write_file_perms;
 +	dontaudit $1 rpm_var_lib_t:file { read write };
++	dontaudit $1 rpm_var_cache_t:file  { read write };
 +')
 +
 +########################################
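Review bot: `dontaudit $1 rpm_var_cache_t:file  { read write }` has a doubled space before the brace, and the `rpm_tmpfs_t` line two above it carries a stray space before its tab. More substantively, this interface exists for leaked descriptors, and this same patch introduces `rw_inherited_file_perms` in obj_perm_sets.spt for exactly that case; using it here (and on the rpm_var_lib_t line) would also silence the getattr/ioctl/lock denials a leaked fd typically produces, instead of only read and write.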
@@ -903,7 +930,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -167,6 +231,68 @@
+@@ -167,6 +230,68 @@
  
  ########################################
  ## <summary>
@@ -972,7 +999,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
-@@ -186,6 +312,24 @@
+@@ -186,6 +311,24 @@
  
  ########################################
  ## <summary>
@@ -997,7 +1024,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Inherit and use file descriptors from RPM scripts.
  ## </summary>
  ## <param name="domain">
-@@ -219,7 +363,51 @@
+@@ -219,7 +362,51 @@
  	')
  
  	files_search_tmp($1)
@@ -1049,7 +1076,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -241,6 +429,25 @@
+@@ -241,6 +428,25 @@
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -1075,7 +1102,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -265,6 +472,48 @@
+@@ -265,6 +471,48 @@
  
  ########################################
  ## <summary>
@@ -1124,7 +1151,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to create, read, 
  ##	write, and delete the RPM package database.
  ## </summary>
-@@ -283,3 +532,99 @@
+@@ -283,3 +531,99 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -1503,8 +1530,8 @@ diff -b -B --ignore-all-space --exclude-
  		java_domtrans_unconfined(rpm_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.6.32/policy/modules/admin/shorewall.fc
 --- nsaserefpolicy/policy/modules/admin/shorewall.fc	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/shorewall.fc	2009-10-27 09:33:16.000000000 -0400
-@@ -4,8 +4,9 @@
[...1901 lines suppressed...]
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
 -/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 -HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-
 +HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
 +/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -28635,7 +29050,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/lib/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -185,15 +199,10 @@
+@@ -185,15 +201,10 @@
  /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -28652,7 +29067,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/lib(64)?/libHermes\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/valgrind/hp2ps		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/valgrind/stage2		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -228,31 +237,17 @@
+@@ -228,31 +239,17 @@
  /usr/lib(64)?/ladspa/sc3_1427\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/ladspa/sc4_1882\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/ladspa/se4_1883\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -28688,7 +29103,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Jai, Sun Microsystems (Jpackage SPRM)
  /usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,9 +262,10 @@
+@@ -267,9 +264,10 @@
  /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -28701,7 +29116,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -295,6 +291,8 @@
+@@ -295,6 +293,8 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -28710,7 +29125,7 @@ diff -b -B --ignore-all-space --exclude-
  ') dnl end distro_redhat
  
  #
-@@ -307,10 +305,108 @@
+@@ -307,10 +307,106 @@
  
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
@@ -28812,8 +29227,6 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/dri/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/httpd/modules/libphp5\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +')
 +/opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
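Review bot: this removes both libglx textrel_shlib_t entries from the Fedora-specific block, but the changelog says the label on /usr/lib/xorg/modules/extensions/libglx.so.195.22 is being fixed, and the replacement entry is not in the part of the diff shown here (1901 lines are suppressed). Point at where the new context is assigned so the removal and the replacement can be checked together. Note also that the removed `/usr/x11R6/lib/modules/extensions/...` entry has a lowercase x11R6, unlike `/usr/X11R6/lib/modules/dri/` a few lines above, so it can never have matched a real path; dropping it is correct regardless.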
@@ -30843,7 +31256,7 @@ diff -b -B --ignore-all-space --exclude-
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if	2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if	2009-12-01 09:38:51.000000000 -0500
 @@ -43,6 +43,39 @@
  
  	sysnet_domtrans_dhcpc($1)
@@ -32186,7 +32599,7 @@ diff -b -B --ignore-all-space --exclude-
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-11-25 12:24:26.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-12-01 07:56:40.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -33884,7 +34297,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_search_proc($1)
  ')
  
-@@ -3064,3 +3396,619 @@
+@@ -3064,3 +3396,638 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -34182,10 +34595,10 @@ diff -b -B --ignore-all-space --exclude-
 +#
 +interface(`userdom_execmod_user_home_files',`
 +	gen_require(`
-+		type user_home_t;
++		attribute user_home_type;
 +	')
 +
-+	allow $1 user_home_t:file execmod;
++	allow $1 user_home_type:file execmod;
 +')
 +
 +########################################
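Review bot: switching the gen_require from `type user_home_t` to `attribute user_home_type` means every caller of userdom_execmod_user_home_files() now gets execmod on every type carrying that attribute, including any type another module attaches via userdom_user_home_content(), not only user_home_t. execmod is the permission that lets text relocations and other write-then-execute mappings load, so this is a real widening; confirm it is intended, update the interface summary so it no longer reads as covering user_home_t alone, and add a changelog line.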
@@ -34312,6 +34725,25 @@ diff -b -B --ignore-all-space --exclude-
 +
 +########################################
 +## <summary>
++##	Append files inherited
++##	in the /root directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_inherit_append_admin_home_files',`
++	gen_require(`
++		type admin_home_t;
++	')
++
++	allow $1 admin_home_t:file { getattr append };
++')
++
++########################################
++## <summary>
 +##	Send signull to unprivileged user domains.
 +## </summary>
 +## <param name="domain">
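Review bot: `{ getattr append }` on admin_home_t:file without `open` is the right shape for an inherited descriptor, but it hand-rolls a set that this same patch is standardising in obj_perm_sets.spt (`read_inherited_file_perms`, `rw_inherited_file_perms`). Define `append_inherited_file_perms` next to those, with the ioctl and lock the other inherited sets carry, and use it here so the leaked-fd permission sets stay in one place. The summary text "Append files inherited in the /root directory" would read more clearly as "Append to inherited files in the /root directory".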
@@ -34980,17 +35412,35 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt	2009-09-30 16:12:48.000000000 -0400
-@@ -201,7 +201,7 @@
++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt	2009-11-30 15:49:46.000000000 -0500
+@@ -181,7 +181,7 @@
+ #
+ define(`getattr_dir_perms',`{ getattr }')
+ define(`setattr_dir_perms',`{ setattr }')
+-define(`search_dir_perms',`{ getattr search }')
++define(`search_dir_perms',`{ getattr search open }')
+ define(`list_dir_perms',`{ getattr search open read lock ioctl }')
+ define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
+ define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
+@@ -199,12 +199,14 @@
+ #
+ define(`getattr_file_perms',`{ getattr }')
  define(`setattr_file_perms',`{ setattr }')
- define(`read_file_perms',`{ getattr open read lock ioctl }')
+-define(`read_file_perms',`{ getattr open read lock ioctl }')
++define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
++define(`read_file_perms',`{ open read_inherited_file_perms }')
  define(`mmap_file_perms',`{ getattr open read execute ioctl }')
 -define(`exec_file_perms',`{ getattr open read execute execute_no_trans }')
 +define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
  define(`append_file_perms',`{ getattr open append lock ioctl }')
  define(`write_file_perms',`{ getattr open write append lock ioctl }')
- define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
-@@ -225,7 +225,7 @@
+-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_file_perms',`{ open rw_inherited_file_perms }')
+ define(`create_file_perms',`{ getattr create open }')
+ define(`rename_file_perms',`{ getattr rename }')
+ define(`delete_file_perms',`{ getattr unlink }')
+@@ -225,7 +227,7 @@
  define(`create_lnk_file_perms',`{ create getattr }')
  define(`rename_lnk_file_perms',`{ getattr rename }')
  define(`delete_lnk_file_perms',`{ getattr unlink }')
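Review bot: `search_dir_perms` gaining `open` changes a base macro used throughout the policy: every domain that was granted search-only on a directory is now also allowed to open it. That may well be harmless, but it is a global change with no changelog entry, as are the new `read_inherited_file_perms` and `rw_inherited_file_perms` sets and the ioctl added to `exec_file_perms`; list them and give the reason for the `open`. The split of `read_file_perms` and `rw_file_perms` into `{ open <inherited set> }` is behaviour-preserving: the expanded permissions are identical to the old lists.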
@@ -34999,11 +35449,19 @@ diff -b -B --ignore-all-space --exclude-
  define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
  define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
  define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -312,3 +312,13 @@
+@@ -312,3 +314,19 @@
  #
  define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
  define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
 +
++#
++# Keys
++#
++define(`manage_key_perms', `{ create link read search setattr view write } ')
++
++#
++# All 
++#
 +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
 +')
 +
@@ -35011,8 +35469,6 @@ diff -b -B --ignore-all-space --exclude-
 +define(`all_dbus_perms', `{ acquire_svc send_msg } ')
 +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
-+
-+define(`manage_key_perms', `{ create link read search setattr view write } ')
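Review bot: pure move of `manage_key_perms` into a new "Keys" section with a comment header, fine. One whitespace nit: the `+# All ` comment line carries a trailing space; since the line is new, this is the moment to drop it.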
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
 --- nsaserefpolicy/policy/users	2009-09-16 10:01:19.000000000 -0400
 +++ serefpolicy-3.6.32/policy/users	2009-09-30 16:12:48.000000000 -0400


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.972
retrieving revision 1.973
diff -u -p -r1.972 -r1.973
--- selinux-policy.spec	25 Nov 2009 20:30:00 -0000	1.972
+++ selinux-policy.spec	1 Dec 2009 16:14:39 -0000	1.973
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 51%{?dist}
+Release: 52%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -445,6 +445,20 @@ exit 0
 %endif
 
 %changelog
+* Tue Dec 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-52
+- Major fixup of ntop policy
+- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
+- Allow xdm to signal session bus
+- Allow modemmanager to use generic ptys, and sys_tty_config capability
+- Allow abrt_helper chown access, dontaudit leaks
+- Allow logwatch to list cifs and nfs file systems
+- Allow kismet to read network state
+- Allow cupsd_config_t to connecto unconfined unix_stream
+- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
+- Allow sshd to read usr_t files
+- Allow login programs to manage pcscd_var_run_t files
+- Allow tor to read usr_t files
+
 * Wed Nov 25 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-51
 - Mark google shared libraries as requiring textrel_shlib
 - Allow svirt to bind/connect to network ports
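Review bot: "connecto" in "Allow cupsd_config_t to connecto unconfined unix_stream" should be "connect to". The changelog also omits several changes present in this revision of the patch: the kismet sock_file grants, prelink_cron_system_t moving from write to manage on prelink_var_lib_t, the rpm_var_cache_t dontaudit in rpm_dontaudit_leaks(), userdom_execmod_user_home_files() widening to the user_home_type attribute, the new userdom_inherit_append_admin_home_files() interface, and the obj_perm_sets.spt macro changes (`search_dir_perms` with open, the `*_inherited_file_perms` sets). Each of these changes what some domain may do and deserves a line.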



