rpms/selinux-policy/devel policy-F13.patch, 1.13, 1.14 selinux-policy.spec, 1.942, 1.943
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Dec 16 23:01:01 UTC 2009
Author: dwalsh
Update of /cvs/pkgs/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2892
Modified Files:
policy-F13.patch selinux-policy.spec
Log Message:
* Wed Dec 16 2009 Dan Walsh <dwalsh at redhat.com> 3.7.4-3
- Fixes for abrt calls
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 2
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/kismet.te | 23
policy/modules/admin/logrotate.te | 27
policy/modules/admin/logwatch.te | 8
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/ntop.fc | 5
policy/modules/admin/ntop.if | 158 ++
policy/modules/admin/ntop.te | 40
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.fc | 1
policy/modules/admin/prelink.if | 23
policy/modules/admin/prelink.te | 78 +
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 344 ++++++
policy/modules/admin/rpm.te | 98 +
policy/modules/admin/shorewall.fc | 5
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 9
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 66 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 11
policy/modules/admin/usermanage.if | 11
policy/modules/admin/usermanage.te | 35
policy/modules/admin/vbetool.te | 14
policy/modules/admin/vpn.te | 4
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 86 +
policy/modules/apps/chrome.te | 79 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 42
policy/modules/apps/execmem.if | 104 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 64 +
policy/modules/apps/gitosis.if | 45
policy/modules/apps/gnome.fc | 13
policy/modules/apps/gnome.if | 179 +++
policy/modules/apps/gnome.te | 113 +-
policy/modules/apps/gpg.te | 3
policy/modules/apps/java.fc | 23
policy/modules/apps/java.if | 114 +-
policy/modules/apps/java.te | 19
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 67 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 52
policy/modules/apps/livecd.te | 27
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.fc | 2
policy/modules/apps/mono.if | 101 +
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 27
policy/modules/apps/mozilla.te | 22
policy/modules/apps/nsplugin.fc | 11
policy/modules/apps/nsplugin.if | 323 +++++
policy/modules/apps/nsplugin.te | 296 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 93 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/podsleuth.te | 2
policy/modules/apps/ptchown.if | 24
policy/modules/apps/pulseaudio.fc | 3
policy/modules/apps/pulseaudio.if | 42
policy/modules/apps/pulseaudio.te | 18
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 189 +++
policy/modules/apps/qemu.te | 83 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 60 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 190 +++
policy/modules/apps/sandbox.te | 336 +++++
policy/modules/apps/screen.if | 1
policy/modules/apps/sectoolm.fc | 6
policy/modules/apps/sectoolm.if | 3
policy/modules/apps/sectoolm.te | 120 ++
policy/modules/apps/seunshare.if | 2
policy/modules/apps/seunshare.te | 3
policy/modules/apps/slocate.te | 1
policy/modules/apps/vmware.te | 1
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 115 ++
policy/modules/apps/wine.te | 34
policy/modules/kernel/corecommands.fc | 32
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.te.in | 46
policy/modules/kernel/devices.fc | 3
policy/modules/kernel/devices.if | 54
policy/modules/kernel/domain.if | 174 ++-
policy/modules/kernel/domain.te | 91 +
policy/modules/kernel/files.fc | 5
policy/modules/kernel/files.if | 333 +++++
policy/modules/kernel/files.te | 3
policy/modules/kernel/filesystem.if | 42
policy/modules/kernel/filesystem.te | 8
policy/modules/kernel/kernel.if | 58 +
policy/modules/kernel/kernel.te | 27
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 1
policy/modules/kernel/terminal.if | 27
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 124 --
policy/modules/roles/sysadm.te | 125 --
policy/modules/roles/unconfineduser.fc | 8
policy/modules/roles/unconfineduser.if | 667 +++++++++++
policy/modules/roles/unconfineduser.te | 447 +++++++
policy/modules/roles/unprivuser.te | 127 --
policy/modules/roles/xguest.te | 69 +
policy/modules/services/abrt.fc | 6
policy/modules/services/abrt.if | 139 ++
policy/modules/services/abrt.te | 117 +-
policy/modules/services/afs.fc | 1
policy/modules/services/afs.te | 3
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 112 +
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 55
policy/modules/services/apache.if | 429 +++++--
policy/modules/services/apache.te | 453 ++++++--
policy/modules/services/apm.te | 6
policy/modules/services/arpwatch.te | 2
policy/modules/services/asterisk.if | 39
policy/modules/services/asterisk.te | 36
policy/modules/services/automount.te | 2
policy/modules/services/avahi.te | 13
policy/modules/services/bind.if | 40
policy/modules/services/bitlbee.te | 2
policy/modules/services/bluetooth.if | 21
policy/modules/services/bluetooth.te | 12
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.te | 33
policy/modules/services/certmaster.fc | 1
policy/modules/services/certmaster.te | 2
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 +++
policy/modules/services/certmonger.te | 74 +
policy/modules/services/chronyd.fc | 11
policy/modules/services/chronyd.if | 105 +
policy/modules/services/chronyd.te | 67 +
policy/modules/services/clamav.te | 19
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 98 +
policy/modules/services/clogd.te | 62 +
policy/modules/services/cobbler.fc | 2
policy/modules/services/cobbler.if | 44
policy/modules/services/cobbler.te | 5
policy/modules/services/consolekit.fc | 3
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 24
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 +
policy/modules/services/corosync.te | 110 +
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 74 +
policy/modules/services/cron.te | 84 +
policy/modules/services/cups.fc | 13
policy/modules/services/cups.te | 51
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 1
policy/modules/services/dbus.if | 54
policy/modules/services/dbus.te | 25
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/devicekit.fc | 2
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 60 -
policy/modules/services/dnsmasq.te | 12
policy/modules/services/dovecot.fc | 1
policy/modules/services/dovecot.te | 31
policy/modules/services/exim.te | 5
policy/modules/services/fail2ban.if | 20
policy/modules/services/fail2ban.te | 2
policy/modules/services/fetchmail.te | 3
policy/modules/services/fprintd.te | 5
policy/modules/services/ftp.te | 60 -
policy/modules/services/git.fc | 8
policy/modules/services/git.if | 286 +++++
policy/modules/services/git.te | 166 ++
policy/modules/services/gpm.te | 3
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 14
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 49
policy/modules/services/howl.te | 2
policy/modules/services/inetd.fc | 2
policy/modules/services/inetd.te | 4
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 16
policy/modules/services/kerneloops.te | 2
policy/modules/services/ksmtuned.fc | 5
policy/modules/services/ksmtuned.if | 76 +
policy/modules/services/ksmtuned.te | 46
policy/modules/services/ktalk.te | 1
policy/modules/services/ldap.fc | 2
policy/modules/services/lircd.fc | 2
policy/modules/services/lircd.if | 9
policy/modules/services/lircd.te | 24
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 4
policy/modules/services/milter.if | 2
policy/modules/services/modemmanager.te | 5
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 31
policy/modules/services/mta.te | 36
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 23
policy/modules/services/nagios.fc | 46
policy/modules/services/nagios.if | 126 ++
policy/modules/services/nagios.te | 192 ++-
policy/modules/services/networkmanager.fc | 16
policy/modules/services/networkmanager.if | 65 +
policy/modules/services/networkmanager.te | 118 +-
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 18
policy/modules/services/nscd.te | 23
policy/modules/services/nslcd.if | 8
policy/modules/services/ntop.fc | 1
policy/modules/services/ntop.te | 20
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 8
policy/modules/services/nut.fc | 16
policy/modules/services/nut.if | 58 +
policy/modules/services/nut.te | 188 +++
policy/modules/services/nx.fc | 10
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/openvpn.te | 6
policy/modules/services/pcscd.if | 41
policy/modules/services/pcscd.te | 4
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 304 +++++
policy/modules/services/plymouth.te | 102 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 66 -
policy/modules/services/portreserve.te | 1
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++
policy/modules/services/postfix.te | 142 ++
policy/modules/services/postgresql.fc | 16
policy/modules/services/postgresql.if | 43
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 16
policy/modules/services/prelude.te | 3
policy/modules/services/privoxy.fc | 3
policy/modules/services/privoxy.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/radvd.te | 1
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 83 +
policy/modules/services/rhcs.fc | 22
policy/modules/services/rhcs.if | 348 ++++++
policy/modules/services/rhcs.te | 398 +++++++
policy/modules/services/ricci.te | 31
policy/modules/services/rpc.if | 7
policy/modules/services/rpc.te | 19
policy/modules/services/rpcbind.if | 20
policy/modules/services/rpcbind.te | 1
policy/modules/services/rsync.te | 23
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 4
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 104 +
policy/modules/services/samba.te | 91 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 87 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 83 +
policy/modules/services/smartmon.te | 15
policy/modules/services/snmp.if | 38
policy/modules/services/snmp.te | 4
policy/modules/services/snort.te | 1
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 89 +
policy/modules/services/spamassassin.te | 139 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 207 +++
policy/modules/services/ssh.te | 155 ++
policy/modules/services/sssd.fc | 5
policy/modules/services/sssd.if | 62 +
policy/modules/services/sssd.te | 17
policy/modules/services/sysstat.te | 5
policy/modules/services/tftp.fc | 2
policy/modules/services/tgtd.if | 17
policy/modules/services/tor.te | 13
policy/modules/services/tuned.te | 4
policy/modules/services/u | 6
policy/modules/services/udisks.fc | 5
policy/modules/services/udisks.if | 192 +++
policy/modules/services/udisks.te | 66 +
policy/modules/services/uucp.te | 10
policy/modules/services/vhostmd.fc | 6
policy/modules/services/vhostmd.if | 228 ++++
policy/modules/services/vhostmd.te | 86 +
policy/modules/services/virt.fc | 13
policy/modules/services/virt.if | 211 +++
policy/modules/services/virt.te | 281 ++++-
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 44
policy/modules/services/xserver.if | 735 +++++++++++--
policy/modules/services/xserver.te | 643 +++++++----
policy/modules/services/zebra.if | 20
policy/modules/system/application.te | 7
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 210 +++
policy/modules/system/authlogin.te | 11
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 5
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 163 ++
policy/modules/system/init.te | 292 ++++-
policy/modules/system/ipsec.fc | 4
policy/modules/system/ipsec.if | 65 -
policy/modules/system/ipsec.te | 27
policy/modules/system/iptables.fc | 8
policy/modules/system/iptables.te | 7
policy/modules/system/iscsi.te | 7
policy/modules/system/kdump.te | 2
policy/modules/system/libraries.fc | 187 ++-
policy/modules/system/libraries.if | 5
policy/modules/system/libraries.te | 18
policy/modules/system/locallogin.te | 30
policy/modules/system/logging.fc | 12
policy/modules/system/logging.if | 20
policy/modules/system/logging.te | 38
policy/modules/system/lvm.te | 10
policy/modules/system/miscfiles.fc | 1
policy/modules/system/modutils.te | 20
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 56
policy/modules/system/mount.te | 86 +
policy/modules/system/raid.te | 2
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 309 +++++
policy/modules/system/selinuxutil.te | 229 +---
policy/modules/system/sysnetwork.fc | 10
policy/modules/system/sysnetwork.if | 114 +-
policy/modules/system/sysnetwork.te | 79 +
policy/modules/system/udev.if | 1
policy/modules/system/udev.te | 12
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 443 -------
policy/modules/system/unconfined.te | 224 ---
policy/modules/system/userdomain.fc | 7
policy/modules/system/userdomain.if | 1683 +++++++++++++++++++++++-------
policy/modules/system/userdomain.te | 51
policy/modules/system/xen.if | 19
policy/modules/system/xen.te | 10
policy/support/obj_perm_sets.spt | 20
policy/users | 13
391 files changed, 19999 insertions(+), 2980 deletions(-)
Index: policy-F13.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/policy-F13.patch,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -p -r1.13 -r1.14
--- policy-F13.patch 16 Dec 2009 13:30:38 -0000 1.13
+++ policy-F13.patch 16 Dec 2009 23:01:00 -0000 1.14
@@ -2767,7 +2767,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.4/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.4/policy/modules/apps/gnome.te 2009-12-15 14:56:49.000000000 -0500
++++ serefpolicy-3.7.4/policy/modules/apps/gnome.te 2009-12-16 16:57:25.000000000 -0500
@@ -7,18 +7,30 @@
#
@@ -2801,8 +2801,12 @@ diff -b -B --ignore-all-space --exclude-
files_tmp_file(gconf_tmp_t)
ubac_constrained(gconf_tmp_t)
-@@ -32,8 +44,17 @@
- type gnome_home_t;
+@@ -29,11 +41,20 @@
+ application_domain(gconfd_t, gconfd_exec_t)
+ ubac_constrained(gconfd_t)
+
+-type gnome_home_t;
++type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+typealias gnome_home_t alias unconfined_gnome_home_t;
@@ -4969,8 +4973,8 @@ diff -b -B --ignore-all-space --exclude-
+# No types are sandbox_exec_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.4/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.4/policy/modules/apps/sandbox.if 2009-12-15 14:56:49.000000000 -0500
-@@ -0,0 +1,188 @@
++++ serefpolicy-3.7.4/policy/modules/apps/sandbox.if 2009-12-16 16:50:01.000000000 -0500
+@@ -0,0 +1,190 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -5018,9 +5022,10 @@ diff -b -B --ignore-all-space --exclude-
+ allow sandbox_x_domain $1:process { sigchld signal };
+ allow sandbox_x_domain sandbox_x_domain:process signal;
+ # Dontaudit leaked file descriptors
-+ dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;
++ dontaudit sandbox_x_domain $1:fifo_file { read write };
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
++ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
+
+ manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
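Review bot: The `tcp_socket` and `udp_socket` dontaudit lines kept in this hunk still use `rw_socket_perms`, while the fifo_file line is narrowed to `{ read write }` and the new unix_stream_socket line uses the same narrow set. For a rule whose stated purpose is to hide leaked descriptors, the broad set suppresses audit records for more than read and write attempts, which removes denials a defender might want to see from a sandboxed domain. Consider making the three socket lines consistent: `dontaudit sandbox_x_domain $1:tcp_socket { read write };` and `dontaudit sandbox_x_domain $1:udp_socket { read write };`. The enclosing interface starts and ends outside the hunk.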
@@ -5104,6 +5109,7 @@ diff -b -B --ignore-all-space --exclude-
+ type $1_client_tmpfs_t;
+ files_tmpfs_file($1_client_tmpfs_t)
+
++ term_search_ptys($1_t)
+ allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
+ term_create_pty($1_client_t,sandbox_devpts_t)
+
@@ -5161,8 +5167,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.4/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.4/policy/modules/apps/sandbox.te 2009-12-15 14:56:49.000000000 -0500
-@@ -0,0 +1,331 @@
++++ serefpolicy-3.7.4/policy/modules/apps/sandbox.te 2009-12-16 17:45:36.000000000 -0500
+@@ -0,0 +1,336 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -5195,6 +5201,7 @@ diff -b -B --ignore-all-space --exclude-
+#
+# sandbox xserver policy
+#
++allow sandbox_xserver_t self:process execmem;
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
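Review bot: The added `allow sandbox_xserver_t self:process execmem;` lets the sandbox X server map memory that is both writable and executable, and nothing in the hunk records why it is needed. Together with `dev_rwx_zero(sandbox_xserver_t)` in the next sandbox.te hunk, it relaxes a memory-protection check on a domain whose purpose is containment. The grant deserves a comment naming the denial it answers, for example `# X server maps writable+executable memory; AVC in <bug id>`. If only some server builds need it, consider placing both rules behind a tunable instead of granting them unconditionally. The sandbox xserver policy section continues outside the hunk.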
@@ -5222,6 +5229,8 @@ diff -b -B --ignore-all-space --exclude-
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
++dev_rwx_zero(sandbox_xserver_t)
++
+files_read_etc_files(sandbox_xserver_t)
+files_read_usr_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
@@ -5242,6 +5251,7 @@ diff -b -B --ignore-all-space --exclude-
+logging_send_syslog_msg(sandbox_xserver_t)
+logging_send_audit_msgs(sandbox_xserver_t)
+
++userdom_read_user_home_content_symlinks(sandbox_xserver_t)
+userdom_use_user_terminals(sandbox_xserver_t)
+
+xserver_entry_type(sandbox_xserver_t)
@@ -5322,7 +5332,7 @@ diff -b -B --ignore-all-space --exclude-
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
-+auth_use_nsswitch(sandbox_x_domain)
++#auth_use_nsswitch(sandbox_x_domain)
+auth_search_pam_console_data(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
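Review bot: `#auth_use_nsswitch(sandbox_x_domain)` leaves a disabled rule in the policy with no explanation, and the same commented-out call recurs for sandbox_x_client_t, sandbox_web_client_t and sandbox_net_client_t in the three hunks that follow. Removing name-service access from the sandbox domains is a tightening, but a reader cannot tell whether it is deliberate or a debugging leftover. Either delete the four lines or replace each with a comment stating the intent, e.g. `# nsswitch access deliberately not granted to sandbox domains`. The hunks show no narrower replacement, so it is worth confirming that user and host lookups inside the sandbox are not expected to work.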
@@ -5349,6 +5359,7 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
++userdom_read_user_home_content_symlinks(sandbox_x_domain)
+
+#============= sandbox_x_t ==============
+files_search_home(sandbox_x_t)
@@ -5367,7 +5378,7 @@ diff -b -B --ignore-all-space --exclude-
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+
-+auth_use_nsswitch(sandbox_x_client_t)
++#auth_use_nsswitch(sandbox_x_client_t)
+
+dbus_system_bus_client(sandbox_x_client_t)
+dbus_read_config(sandbox_x_client_t)
@@ -5425,7 +5436,7 @@ diff -b -B --ignore-all-space --exclude-
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
+corenet_tcp_connect_speech_port(sandbox_web_client_t)
+
-+auth_use_nsswitch(sandbox_web_client_t)
++#auth_use_nsswitch(sandbox_web_client_t)
+
+dbus_system_bus_client(sandbox_web_client_t)
+dbus_read_config(sandbox_web_client_t)
@@ -5468,7 +5479,7 @@ diff -b -B --ignore-all-space --exclude-
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
+
-+auth_use_nsswitch(sandbox_net_client_t)
++#auth_use_nsswitch(sandbox_net_client_t)
+
+dbus_system_bus_client(sandbox_net_client_t)
+dbus_read_config(sandbox_net_client_t)
@@ -6496,7 +6507,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.4/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.4/policy/modules/kernel/domain.te 2009-12-15 14:56:49.000000000 -0500
++++ serefpolicy-3.7.4/policy/modules/kernel/domain.te 2009-12-16 16:43:03.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
@@ -6567,7 +6578,7 @@ diff -b -B --ignore-all-space --exclude-
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +174,71 @@
+@@ -153,3 +174,73 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -6592,8 +6603,10 @@ diff -b -B --ignore-all-space --exclude-
+# these seem questionable:
+
+optional_policy(`
-+ abrt_signull(domain)
+ abrt_domtrans_helper(domain)
++ abrt_read_pid_files(domain)
++ abrt_read_state(domain)
++ abrt_signull(domain)
+')
+
+optional_policy(`
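Review bot: `abrt_read_pid_files(domain)` and `abrt_read_state(domain)` are granted to the `domain` attribute, so every domain gains read access to abrt's PID files and to abrt_t's entries in /proc, under a comment that already calls these rules questionable. If the reads are in fact made by the helper after `abrt_domtrans_helper` has transitioned (its definition is not visible here), the two rules belong on the helper's own type, not on all domains. If the calling domain really needs them, add a comment saying which operation requires the access, e.g. `# needed by <caller> to <operation>; AVC in <bug id>`. The optional_policy block is complete in the hunk, but the surrounding section of domain.te is not.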
@@ -7518,7 +7531,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.4/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.4/policy/modules/kernel/terminal.if 2009-12-15 14:56:49.000000000 -0500
++++ serefpolicy-3.7.4/policy/modules/kernel/terminal.if 2009-12-16 11:17:07.000000000 -0500
@@ -273,9 +273,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -9530,7 +9543,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.4/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.4/policy/modules/services/abrt.if 2009-12-15 14:56:49.000000000 -0500
++++ serefpolicy-3.7.4/policy/modules/services/abrt.if 2009-12-16 16:47:43.000000000 -0500
@@ -19,6 +19,24 @@
domtrans_pattern($1, abrt_exec_t, abrt_t)
')
@@ -9589,10 +9602,47 @@ diff -b -B --ignore-all-space --exclude-
######################################
## <summary>
## Read abrt logs.
-@@ -75,6 +119,64 @@
+@@ -75,6 +119,101 @@
read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
')
++######################################
++## <summary>
++## Read abrt PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`abrt_read_pid_files',`
++ gen_require(`
++ type abrt_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
++')
++
++########################################
++## <summary>
++## Allow the domain to read abrt state files in /proc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to allow access.
++## </summary>
++## </param>
++#
++interface(`abrt_read_state',`
++ gen_require(`
++ type abrt_t;
++ ')
++
++ ps_process_pattern($1, abrt_t)
++')
++
+########################################
+## <summary>
+## Send and receive messages from
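Review bot: The two new interfaces word their parameter description differently: `abrt_read_pid_files` says `Domain allowed access.` while `abrt_read_state` says `Domain to allow access.`, and their banner lines differ in length. Using `## Domain allowed access.` in both keeps the generated interface documentation uniform. Both interfaces are complete within the hunk; the one that begins after them is cut off.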
@@ -11910,7 +11960,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.4/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.4/policy/modules/services/avahi.te 2009-12-15 14:56:49.000000000 -0500
++++ serefpolicy-3.7.4/policy/modules/services/avahi.te 2009-12-16 13:33:02.000000000 -0500
@@ -24,7 +24,7 @@
# Local policy
#
@@ -11928,8 +11978,14 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
-@@ -47,6 +48,9 @@
- kernel_read_proc_symlinks(avahi_t)
+@@ -42,11 +43,13 @@
+ allow avahi_t avahi_var_run_t:dir setattr;
+ files_pid_filetrans(avahi_t, avahi_var_run_t, file)
+
++kernel_read_system_state(avahi_t)
+ kernel_read_kernel_sysctls(avahi_t)
+-kernel_list_proc(avahi_t)
+-kernel_read_proc_symlinks(avahi_t)
kernel_read_network_state(avahi_t)
+corecmd_exec_bin(avahi_t)
@@ -11938,7 +11994,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_all_recvfrom_unlabeled(avahi_t)
corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_generic_if(avahi_t)
-@@ -85,6 +89,10 @@
+@@ -85,6 +88,10 @@
miscfiles_read_localization(avahi_t)
miscfiles_read_certs(avahi_t)
@@ -12058,7 +12114,7 @@ diff -b -B --ignore-all-space --exclude-
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.4/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.4/policy/modules/services/bluetooth.te 2009-12-15 14:56:49.000000000 -0500
++++ serefpolicy-3.7.4/policy/modules/services/bluetooth.te 2009-12-16 17:05:48.000000000 -0500
@@ -54,9 +54,9 @@
# Bluetooth services local policy
#
@@ -12079,15 +12135,16 @@ diff -b -B --ignore-all-space --exclude-
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
-@@ -94,6 +95,7 @@
+@@ -94,6 +95,8 @@
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
+kernel_request_load_module(bluetooth_t)
++kernel_search_debugfs(bluetooth_t)
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
-@@ -111,6 +113,7 @@
+@@ -111,6 +114,7 @@
dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
dev_rw_input_dev(bluetooth_t)
@@ -12095,7 +12152,7 @@ diff -b -B --ignore-all-space --exclude-
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
-@@ -154,6 +157,10 @@
+@@ -154,6 +158,10 @@
')
optional_policy(`
@@ -13291,8 +13348,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.4/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.4/policy/modules/services/corosync.te 2009-12-15 14:56:49.000000000 -0500
-@@ -0,0 +1,109 @@
++++ serefpolicy-3.7.4/policy/modules/services/corosync.te 2009-12-16 13:52:21.000000000 -0500
+@@ -0,0 +1,110 @@
+
+policy_module(corosync,1.0.0)
+
@@ -13380,6 +13437,7 @@ diff -b -B --ignore-all-space --exclude-
+
+miscfiles_read_localization(corosync_t)
+
++init_read_script_state(corosync_t)
+init_rw_script_tmp_files(corosync_t)
+
+logging_send_syslog_msg(corosync_t)
@@ -16444,7 +16502,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.4/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.4/policy/modules/services/mysql.te 2009-12-15 16:12:11.000000000 -0500
++++ serefpolicy-3.7.4/policy/modules/services/mysql.te 2009-12-16 14:02:23.000000000 -0500
@@ -1,6 +1,13 @@
policy_module(mysql, 1.11.0)
@@ -16471,7 +16529,13 @@ diff -b -B --ignore-all-space --exclude-
ifdef(`distro_redhat',`
# because Fedora has the sock_file in the database directory
type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
-@@ -136,10 +148,17 @@
+@@ -131,15 +143,22 @@
+ # Local mysqld_safe policy
+ #
+
+-allow mysqld_safe_t self:capability { dac_override fowner chown };
++allow mysqld_safe_t self:capability { kill dac_override fowner chown };
+ allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
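Review bot: Adding `kill` to `allow mysqld_safe_t self:capability` only lifts the kernel's user-ID check on signal delivery; it does not by itself give mysqld_safe_t the SELinux permission to signal another domain. The hunk shows no matching `process` rule, so unless one exists elsewhere in mysql.te the fix is incomplete, and a rule such as `allow mysqld_safe_t mysqld_t:process signal;`, limited to the signals the wrapper actually sends, would be needed. The sssd.te hunk later in this patch adds the same capability but pairs it with `sigkill` on `self:process`. A one-line comment naming which process is signalled would help the next reviewer judge whether the capability can be dropped again. The local mysqld_safe policy section continues outside the hunk.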
@@ -18309,7 +18373,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.4/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.4/policy/modules/services/openvpn.te 2009-12-15 14:56:49.000000000 -0500
++++ serefpolicy-3.7.4/policy/modules/services/openvpn.te 2009-12-16 14:04:12.000000000 -0500
@@ -41,7 +41,7 @@
# openvpn local policy
#
@@ -18328,6 +18392,15 @@ diff -b -B --ignore-all-space --exclude-
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
+@@ -107,7 +109,7 @@
+
+ sysnet_dns_name_resolve(openvpn_t)
+ sysnet_exec_ifconfig(openvpn_t)
+-sysnet_write_config(openvpn_t)
++sysnet_manage_config(openvpn_t)
+ sysnet_etc_filetrans_config(openvpn_t)
+
+ userdom_use_user_terminals(openvpn_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.4/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.4/policy/modules/services/pcscd.if 2009-12-15 14:56:49.000000000 -0500
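Review bot: Replacing `sysnet_write_config(openvpn_t)` with `sysnet_manage_config(openvpn_t)` widens the grant on network configuration files beyond writing existing ones, presumably to include creating and deleting them, and the hunk gives no reason. A VPN daemon typically applies settings supplied by its peer, so record what the broader access is for, e.g. `# openvpn recreates resolver config on connect/disconnect; AVC in <bug id>` if that is the case. If only creation is needed, check whether the existing `sysnet_etc_filetrans_config(openvpn_t)` plus a narrower interface would cover it. The openvpn local policy continues outside the hunk.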
@@ -24225,7 +24298,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.4/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.4/policy/modules/services/sssd.te 2009-12-15 14:56:49.000000000 -0500
++++ serefpolicy-3.7.4/policy/modules/services/sssd.te 2009-12-16 11:14:38.000000000 -0500
@@ -16,6 +16,9 @@
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
@@ -24236,15 +24309,17 @@ diff -b -B --ignore-all-space --exclude-
type sssd_var_run_t;
files_pid_file(sssd_var_run_t)
-@@ -23,7 +26,7 @@
+@@ -23,8 +26,8 @@
#
# sssd local policy
#
-allow sssd_t self:capability { sys_nice setuid };
-+allow sssd_t self:capability { sys_nice setgid setuid };
- allow sssd_t self:process { setsched signal getsched };
+-allow sssd_t self:process { setsched signal getsched };
++allow sssd_t self:capability { kill sys_nice setgid setuid };
++allow sssd_t self:process { setsched sigkill signal getsched };
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
@@ -33,16 +36,24 @@
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.942
retrieving revision 1.943
diff -u -p -r1.942 -r1.943
--- selinux-policy.spec 16 Dec 2009 13:05:31 -0000 1.942
+++ selinux-policy.spec 16 Dec 2009 23:01:00 -0000 1.943
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.4
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,9 @@ exit 0
%endif
%changelog
+* Wed Dec 16 2009 Dan Walsh <dwalsh at redhat.com> 3.7.4-3
+- Fixes for abrt calls
+
* Fri Dec 11 2009 Dan Walsh <dwalsh at redhat.com> 3.7.4-2
- Add tgtd policy