rpms/selinux-policy/devel policy-20090105.patch, 1.21, 1.22 selinux-policy.spec, 1.776, 1.777

Daniel J Walsh dwalsh at fedoraproject.org
Wed Jan 28 17:23:47 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3524

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Tue Jan 27 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-10
- Fixes for wicd daemon


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- policy-20090105.patch	26 Jan 2009 16:21:58 -0000	1.21
+++ policy-20090105.patch	28 Jan 2009 17:23:16 -0000	1.22
@@ -372,7 +372,7 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.3/policy/modules/admin/certwatch.te
 --- nsaserefpolicy/policy/modules/admin/certwatch.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/admin/certwatch.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/admin/certwatch.te	2009-01-26 12:59:40.000000000 -0500
 @@ -27,6 +27,9 @@
  
  fs_list_inotifyfs(certwatch_t)
@@ -383,6 +383,14 @@
  logging_send_syslog_msg(certwatch_t)
  
  miscfiles_read_certs(certwatch_t)
+@@ -36,6 +39,7 @@
+ 
+ optional_policy(`
+ 	apache_exec_modules(certwatch_t)
++	apache_read_config(certwatch_t)
+ ')
+ 
+ optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.6.3/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2009-01-05 15:39:44.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/admin/consoletype.te	2009-01-19 13:10:02.000000000 -0500
@@ -1036,7 +1044,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.3/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/admin/rpm.te	2009-01-26 09:14:27.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/admin/rpm.te	2009-01-28 09:38:38.000000000 -0500
 @@ -31,6 +31,9 @@
  files_type(rpm_var_lib_t)
  typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -1081,16 +1089,24 @@
  
  corecmd_exec_all_executables(rpm_t)
  
-@@ -115,6 +125,8 @@
+@@ -108,13 +118,16 @@
+ dev_list_sysfs(rpm_t)
+ dev_list_usbfs(rpm_t)
+ dev_read_urand(rpm_t)
++dev_read_raw_memory(rpm_t)
+ #devices_manage_all_device_types(rpm_t)
+ 
+ fs_manage_nfs_dirs(rpm_t)
+ fs_manage_nfs_files(rpm_t)
  fs_manage_nfs_symlinks(rpm_t)
  fs_getattr_all_fs(rpm_t)
++fs_getattr_all_dirs(rpm_t)
  fs_search_auto_mountpoints(rpm_t)
 +fs_list_inotifyfs(rpm_t)
-+fs_getattr_all_fs(rpm_t)
  
  mls_file_read_all_levels(rpm_t)
  mls_file_write_all_levels(rpm_t)
-@@ -132,6 +144,8 @@
+@@ -132,6 +145,8 @@
  # for installing kernel packages
  storage_raw_read_fixed_disk(rpm_t)
  
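Review bot: `dev_read_raw_memory(rpm_t)` is added to rpm.te with no comment saying which package operation needs it, and the later hunk that adds `sys_rawio` to the `rpm_script_t` capability set has the same gap. Read access to the raw memory devices lets the rpm domain see the memory of every other process on the host, so the grant deserves a stated reason, in the way the `# for installing kernel packages` line in this hunk documents the raw disk read. I would put a comment such as `# <tool name> run during package install reads the raw memory device` above both lines, with the actual tool filled in. If the need comes from one optional module, wrapping the grant in that module's `optional_policy` block would keep it off systems that do not ship it.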
@@ -1099,7 +1115,7 @@
  auth_relabel_all_files_except_shadow(rpm_t)
  auth_manage_all_files_except_shadow(rpm_t)
  auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +169,7 @@
+@@ -155,6 +170,7 @@
  files_exec_etc_files(rpm_t)
  
  init_domtrans_script(rpm_t)
@@ -1107,7 +1123,7 @@
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -174,10 +189,20 @@
+@@ -174,10 +190,20 @@
  ')
  
  optional_policy(`
@@ -1128,7 +1144,7 @@
  	prelink_domtrans(rpm_t)
  ')
  
-@@ -185,6 +210,7 @@
+@@ -185,6 +211,7 @@
  	unconfined_domain(rpm_t)
  	# yum-updatesd requires this
  	unconfined_dbus_chat(rpm_t)
@@ -1136,18 +1152,18 @@
  ')
  
  ifdef(`TODO',`
-@@ -210,8 +236,8 @@
+@@ -210,8 +237,8 @@
  # rpm-script Local policy
  #
  
 -allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
 -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_nice mknod kill net_admin };
++allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
 +allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
  allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +248,15 @@
+@@ -222,12 +249,15 @@
  allow rpm_script_t self:sem create_sem_perms;
  allow rpm_script_t self:msgq create_msgq_perms;
  allow rpm_script_t self:msg { send receive };
@@ -1163,16 +1179,17 @@
  files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
  
  manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +268,8 @@
+@@ -239,6 +269,9 @@
  
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
 +kernel_read_network_state(rpm_script_t)
 +kernel_list_all_proc(rpm_script_t)
++kernel_read_software_raid_state(rpm_script_t)
  
  dev_list_sysfs(rpm_script_t)
  
-@@ -255,6 +286,7 @@
+@@ -255,6 +288,7 @@
  fs_mount_xattr_fs(rpm_script_t)
  fs_unmount_xattr_fs(rpm_script_t)
  fs_search_auto_mountpoints(rpm_script_t)
@@ -1180,7 +1197,7 @@
  
  mcs_killall(rpm_script_t)
  mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +304,19 @@
+@@ -272,14 +306,19 @@
  storage_raw_read_fixed_disk(rpm_script_t)
  storage_raw_write_fixed_disk(rpm_script_t)
  
@@ -1200,7 +1217,7 @@
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -291,6 +328,7 @@
+@@ -291,6 +330,7 @@
  files_exec_etc_files(rpm_script_t)
  files_read_etc_runtime_files(rpm_script_t)
  files_exec_usr_files(rpm_script_t)
@@ -1208,7 +1225,7 @@
  
  init_domtrans_script(rpm_script_t)
  
-@@ -308,8 +346,10 @@
+@@ -308,8 +348,10 @@
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -1219,7 +1236,7 @@
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -326,6 +366,10 @@
+@@ -326,6 +368,10 @@
  ')
  
  optional_policy(`
@@ -1230,7 +1247,7 @@
  	tzdata_domtrans(rpm_t)
  	tzdata_domtrans(rpm_script_t)
  ')
-@@ -333,6 +377,7 @@
+@@ -333,6 +379,7 @@
  optional_policy(`
  	unconfined_domain(rpm_script_t)
  	unconfined_domtrans(rpm_script_t)
@@ -1655,7 +1672,7 @@
 +#/usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.3/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/gnome.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/apps/gnome.if	2009-01-28 10:35:22.000000000 -0500
 @@ -89,5 +89,154 @@
  
  	allow $1 gnome_home_t:dir manage_dir_perms;
@@ -2022,8 +2039,16 @@
 +/usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.3/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/java.if	2009-01-19 13:10:02.000000000 -0500
-@@ -68,3 +68,121 @@
++++ serefpolicy-3.6.3/policy/modules/apps/java.if	2009-01-28 09:40:26.000000000 -0500
+@@ -30,6 +30,7 @@
+ 
+ 	allow java_t $2:unix_stream_socket connectto;
+ 	allow java_t $2:unix_stream_socket { read write };
++	allow java_t $2:tcp_socket { read write };
+ ')
+ 
+ ########################################
+@@ -68,3 +69,121 @@
  	domtrans_pattern($1, java_exec_t, unconfined_java_t)
  	corecmd_search_bin($1)
  ')
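Review bot: The new rule `allow java_t $2:tcp_socket { read write };` lets java_t read and write TCP sockets belonging to the calling domain, and nothing visible in the hunk says why; the two rules above it cover only unix stream sockets. If the intent is to let a plugin use descriptors inherited from the program that launched it, say so in a comment, e.g. `# java_t uses TCP sockets inherited from the calling domain`, and mention it in the interface summary. The enclosing interface begins outside the hunk, so its existing documentation is not visible here.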
@@ -2442,7 +2467,7 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.3/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/mozilla.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/apps/mozilla.te	2009-01-28 10:40:08.000000000 -0500
 @@ -105,6 +105,7 @@
  # Should not need other ports
  corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
@@ -2459,11 +2484,21 @@
  
  logging_send_syslog_msg(mozilla_t)
  
-@@ -263,5 +265,9 @@
+@@ -243,6 +245,8 @@
+ 
+ optional_policy(`
+ 	gnome_stream_connect_gconf(mozilla_t)
++	gnome_manage_config(mozilla_t)
++	gnome_manage_gconf_home_files(mozilla_t)
+ ')
+ 
+ optional_policy(`
+@@ -263,5 +267,10 @@
  ')
  
  optional_policy(`
 +	nsplugin_manage_rw(mozilla_t)
++	nsplugin_manage_home_files(mozilla_t)
 +')
 +
 +optional_policy(`
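Review bot: `gnome_manage_config(mozilla_t)`, `gnome_manage_gconf_home_files(mozilla_t)` and `nsplugin_manage_home_files(mozilla_t)` all grant manage access, which for the nsplugin interface added in this same patch is `manage_files_pattern`, i.e. create, write and delete. mozilla_t handles untrusted web content, so the policy should state why read access is not enough; a one-line comment above each call naming the feature that writes these files would do. If the denials that prompted the change were reads only, a read interface would be the narrower grant.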
@@ -2530,8 +2565,8 @@
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.3/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.if	2009-01-19 13:10:02.000000000 -0500
-@@ -0,0 +1,250 @@
++++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.if	2009-01-28 12:10:35.000000000 -0500
+@@ -0,0 +1,272 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -2615,6 +2650,8 @@
 +		type nsplugin_config_exec_t;
 +		type nsplugin_t;
 +		type nsplugin_config_t;
++		class x_drawable all_x_drawable_perms;
++		class x_resource all_x_resource_perms;
 +	')
 +
 +	role $1 types nsplugin_t;
@@ -2653,6 +2690,7 @@
 +	userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
 +	userdom_manage_tmpfs_role($1, nsplugin_t)
 +
++	xserver_communicate(nsplugin_t, $2)
 +')
 +
 +#######################################
@@ -2782,6 +2820,25 @@
 +
 +	can_exec($1, nsplugin_rw_t)
 +')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	nsplugin home files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nsplugin_manage_home_files',`
++	gen_require(`
++		type nsplugin_home_t;
++	')
++
++	manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te	2009-01-19 13:10:02.000000000 -0500
@@ -3072,7 +3129,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.3/policy/modules/apps/openoffice.if
 --- nsaserefpolicy/policy/modules/apps/openoffice.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/openoffice.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/apps/openoffice.if	2009-01-28 09:49:45.000000000 -0500
 @@ -0,0 +1,92 @@
 +## <summary>Openoffice</summary>
 +
@@ -3905,12 +3962,19 @@
  files_read_etc_runtime_files(webalizer_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.3/policy/modules/apps/wine.fc
 --- nsaserefpolicy/policy/modules/apps/wine.fc	2008-08-07 11:15:02.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/apps/wine.fc	2009-01-19 13:10:02.000000000 -0500
-@@ -2,3 +2,4 @@
- 
- /opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
++++ serefpolicy-3.6.3/policy/modules/apps/wine.fc	2009-01-26 12:05:17.000000000 -0500
+@@ -1,4 +1,8 @@
+-/usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
++/usr/bin/wine.*			--	gen_context(system_u:object_r:wine_exec_t,s0)
++
++/opt/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/picasa/wine/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
 +/opt/google/picasa(/.*)?/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
++
++HOME_DIR/cxoffice/bin/wine.+		--	gen_context(system_u:object_r:wine_exec_t,s0)
+ 
+-/opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
+-/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.3/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2008-11-11 16:13:41.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/apps/wine.if	2009-01-19 13:10:02.000000000 -0500
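Review bot: The added `HOME_DIR/cxoffice/bin/wine.+` entry gives `wine_exec_t` to files in a directory the user can write to, so whatever policy is attached to that entrypoint type applies to any file the user creates under a matching name; please confirm that is intended and say so in a comment. The entry also uses `wine.+` where the system paths in this hunk use `wine.*`, so a binary named exactly `wine` in the home directory is not matched. If the difference is not deliberate the line should read `HOME_DIR/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)`.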
@@ -4140,7 +4204,7 @@
 +corecmd_executable_file(wm_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc	2009-01-23 15:08:37.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc	2009-01-27 10:39:15.000000000 -0500
 @@ -58,6 +58,8 @@
  
  /etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
@@ -4185,7 +4249,7 @@
  /usr/share/fedora-usermgmt/wrapper --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hplip/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
-@@ -293,3 +299,10 @@
+@@ -293,3 +299,12 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4196,6 +4260,8 @@
 +/usr/lib/oracle/xe/apps(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/lib(64)?/pm-utils/sleep.d(/.*)?  gen_context(system_u:object_r:bin_t,s0)
++
++/usr/lib/wicd/monitor.py 	-- 	gen_context(system_u:object_r:bin_t, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.3/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.if	2009-01-19 13:10:02.000000000 -0500
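Review bot: The new `/usr/lib/wicd/monitor.py` entry is formatted differently from the other entries visible in this file: it has spaces around `--`, a space inside `gen_context(system_u:object_r:bin_t, s0)`, and an unescaped `.` that matches any character, where the `/etc/init\.d/functions` entry escapes it. I would normalise it to `/usr/lib/wicd/monitor\.py	--	gen_context(system_u:object_r:bin_t,s0)`. The pattern also covers only `/usr/lib`, whereas the pm-utils line just above uses `/usr/lib(64)?`; if wicd can install under lib64 the path should allow for that too.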
@@ -4360,7 +4426,7 @@
  network_port(xfs, tcp,7100,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.3/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2008-10-08 21:42:58.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/kernel/devices.fc	2009-01-19 14:33:15.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/devices.fc	2009-01-27 10:37:38.000000000 -0500
 @@ -1,7 +1,7 @@
  
  /dev			-d	gen_context(system_u:object_r:device_t,s0)
@@ -4448,7 +4514,7 @@
  /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
  /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
  /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -91,20 +108,32 @@
+@@ -91,20 +108,34 @@
  
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
@@ -4462,6 +4528,8 @@
  /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  
 +/dev/inportbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/input/.*		-c	gen_context(system_u:object_r:event_device_t,s0)
++/dev/input/m.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 +/dev/input/keyboard.*	-c	gen_context(system_u:object_r:event_device_t,s0)
  /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
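Review bot: The two new patterns `/dev/input/.*` and `/dev/input/m.*` overlap each other and the `/dev/input/.*mouse.*`, `/dev/input/keyboard.*` and `/dev/input/event.*` entries around them, so the label a node receives now depends on how the file-context entries are ordered by specificity. A comment above the catch-all would make the intent explicit, e.g. `# catch-all: any other node under /dev/input is labeled as an event device`, since it puts every otherwise unmatched character device in that directory within reach of domains allowed to use event_device_t. `m.*` presumably targets the mouse nodes, but it also matches any other name starting with m; a pattern that spells out the intended names would be tighter.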
@@ -4484,7 +4552,7 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.3/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/devices.if	2009-01-20 16:50:48.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/devices.if	2009-01-28 11:04:40.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1, device_t, device_node)
@@ -4562,6 +4630,15 @@
  ##	Read the CPU identity.
  ## </summary>
  ## <param name="domain">
+@@ -1281,7 +1321,7 @@
+ 		type dri_device_t;
+ 	')
+ 
+-	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
++	dontaudit $1 dri_device_t:chr_file rw_file_perms;
+ ')
+ 
+ ########################################
 @@ -1957,6 +1997,42 @@
  
  ########################################
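Review bot: The replacement rule `dontaudit $1 dri_device_t:chr_file rw_file_perms;` applies a permission set named for regular files to the character-device class. If the policy's permission-set definitions provide it, `rw_chr_file_perms` is the matching set for `chr_file` and would read more clearly here. Widening a dontaudit also silences more denials than the four permissions listed before, so a short comment naming the extra permission that was being logged would help whoever later debugs DRI access. The interface begins outside the hunk.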
@@ -5554,7 +5631,7 @@
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.3/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if	2009-01-26 08:55:48.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if	2009-01-28 09:38:28.000000000 -0500
 @@ -534,6 +534,24 @@
  
  ########################################
@@ -5998,7 +6075,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.3/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if	2009-01-26 08:54:44.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if	2009-01-28 09:33:46.000000000 -0500
 @@ -1197,6 +1197,26 @@
  	')
  
@@ -7996,7 +8073,7 @@
 +permissive afs_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.3/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/apache.fc	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/apache.fc	2009-01-26 14:01:07.000000000 -0500
 @@ -1,12 +1,13 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -8056,7 +8133,7 @@
  /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -64,11 +71,22 @@
+@@ -64,11 +71,24 @@
  /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -8079,6 +8156,8 @@
 +#viewvc file context
 +/var/spool/viewvc(/.*)?  		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 +/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++
++/var/www/gallery/albums(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.3/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/apache.if	2009-01-19 13:10:02.000000000 -0500
@@ -8615,7 +8694,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-23 15:14:19.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-28 09:24:50.000000000 -0500
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -9317,9 +9396,21 @@
 +typealias httpd_sys_script_rw_t   alias httpd_fastcgi_script_rw_t;
 +typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.3/policy/modules/services/apm.te
+--- nsaserefpolicy/policy/modules/services/apm.te	2009-01-05 15:39:43.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/apm.te	2009-01-28 09:26:27.000000000 -0500
+@@ -181,7 +181,7 @@
+ ')
+ 
+ optional_policy(`
+-	dbus_stub(apmd_t)
++	dbus_system_bus_client(apmd_t)
+ 
+ 	optional_policy(`
+ 		consolekit_dbus_chat(apmd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.3/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/automount.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/automount.te	2009-01-27 15:10:22.000000000 -0500
 @@ -71,6 +71,7 @@
  files_mounton_all_mountpoints(automount_t)
  files_mount_all_file_type_fs(automount_t)
@@ -9344,7 +9435,15 @@
  
  storage_rw_fuse(automount_t)
  
-@@ -155,7 +158,7 @@
+@@ -142,6 +145,7 @@
+ 
+ # Run mount in the mount_t domain.
+ mount_domtrans(automount_t)
++mount_signal(automount_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(automount_t)
+ userdom_dontaudit_search_user_home_dirs(automount_t)
+@@ -155,7 +159,7 @@
  ')
  
  optional_policy(`
@@ -9606,8 +9705,16 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.3/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/bluetooth.te	2009-01-19 13:10:02.000000000 -0500
-@@ -147,10 +147,10 @@
++++ serefpolicy-3.6.3/policy/modules/services/bluetooth.te	2009-01-26 13:54:13.000000000 -0500
+@@ -93,6 +93,7 @@
+ 
+ kernel_read_kernel_sysctls(bluetooth_t)
+ kernel_read_system_state(bluetooth_t)
++kernel_read_network_state(bluetooth_t)
+ 
+ corenet_all_recvfrom_unlabeled(bluetooth_t)
+ corenet_all_recvfrom_netlabel(bluetooth_t)
+@@ -147,10 +148,10 @@
  	optional_policy(`
  		cups_dbus_chat(bluetooth_t)
  	')
@@ -10234,6 +10341,34 @@
 +	fs_dontaudit_rw_cifs_files(consolekit_t)
 +')
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.3/policy/modules/services/courier.if
+--- nsaserefpolicy/policy/modules/services/courier.if	2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/courier.if	2009-01-26 15:06:13.000000000 -0500
+@@ -179,6 +179,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Read courier spool files.
++## </summary>
++## <param name="prefix">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`courier_read_spool',`
++	gen_require(`
++		type courier_spool_t;
++	')
++
++	read_files_pattern($1, courier_spool_t, courier_spool_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write to courier spool pipes.
+ ## </summary>
+ ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.3/policy/modules/services/courier.te
 --- nsaserefpolicy/policy/modules/services/courier.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/courier.te	2009-01-19 13:10:02.000000000 -0500
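Review bot: The documentation block for the new `courier_read_spool` interface declares `<param name="prefix">`, while its summary says "Domain allowed access." and the body uses `$1` as a domain; the next interface in the hunk uses `name="domain"`. The line should read `## <param name="domain">`. The body grants only `read_files_pattern` on `courier_spool_t`, so if callers do not already have search access to the parent spool directory, that dependency is worth a sentence in the summary.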
@@ -10540,7 +10675,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.3/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.te	2009-01-26 09:29:38.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/cron.te	2009-01-28 09:27:46.000000000 -0500
 @@ -38,6 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -10626,7 +10761,15 @@
  dev_read_sysfs(crond_t)
  selinux_get_fs_mount(crond_t)
  selinux_validate_context(crond_t)
-@@ -183,6 +200,8 @@
+@@ -174,6 +191,7 @@
+ 
+ fs_getattr_all_fs(crond_t)
+ fs_search_auto_mountpoints(crond_t)
++fs_list_inotifyfs(crond_t)
+ 
+ # need auth_chkpwd to check for locked accounts.
+ auth_domtrans_chk_passwd(crond_t)
+@@ -183,6 +201,8 @@
  corecmd_read_bin_symlinks(crond_t)
  
  domain_use_interactive_fds(crond_t)
@@ -10635,7 +10778,7 @@
  
  files_read_etc_files(crond_t)
  files_read_generic_spool(crond_t)
-@@ -192,10 +211,13 @@
+@@ -192,10 +212,13 @@
  files_search_default(crond_t)
  
  init_rw_utmp(crond_t)
@@ -10649,7 +10792,7 @@
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
-@@ -208,6 +230,7 @@
+@@ -208,6 +231,7 @@
  userdom_list_user_home_dirs(crond_t)
  
  mta_send_mail(crond_t)
@@ -10657,7 +10800,7 @@
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -227,21 +250,45 @@
+@@ -227,21 +251,45 @@
  	')
  ')
  
@@ -10704,7 +10847,7 @@
  ')
  
  optional_policy(`
-@@ -283,7 +330,14 @@
+@@ -283,7 +331,14 @@
  allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
  files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
  
@@ -10719,7 +10862,7 @@
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -314,9 +368,13 @@
+@@ -314,9 +369,13 @@
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -10734,7 +10877,7 @@
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -370,7 +428,8 @@
+@@ -370,7 +429,8 @@
  init_read_utmp(system_cronjob_t)
  init_dontaudit_rw_utmp(system_cronjob_t)
  # prelink tells init to restart it self, we either need to allow or dontaudit
@@ -10744,7 +10887,7 @@
  
  auth_use_nsswitch(system_cronjob_t)
  
-@@ -378,6 +437,7 @@
+@@ -378,6 +438,7 @@
  libs_exec_ld_so(system_cronjob_t)
  
  logging_read_generic_logs(system_cronjob_t)
@@ -10752,7 +10895,18 @@
  logging_send_syslog_msg(system_cronjob_t)
  
  miscfiles_read_localization(system_cronjob_t)
-@@ -428,11 +488,20 @@
+@@ -418,6 +479,10 @@
+ ')
+ 
+ optional_policy(`
++	dbus_system_bus_client(system_cronjob_t)
++')
++
++optional_policy(`
+ 	ftp_read_log(system_cronjob_t)
+ ')
+ 
+@@ -428,11 +493,20 @@
  ')
  
  optional_policy(`
@@ -10773,7 +10927,7 @@
  ')
  
  optional_policy(`
-@@ -447,6 +516,7 @@
+@@ -447,6 +521,7 @@
  	prelink_read_cache(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_delete_cache(system_cronjob_t)
@@ -10781,7 +10935,7 @@
  ')
  
  optional_policy(`
-@@ -460,8 +530,7 @@
+@@ -460,8 +535,7 @@
  ')
  
  optional_policy(`
@@ -10791,7 +10945,7 @@
  ')
  
  optional_policy(`
-@@ -469,24 +538,17 @@
+@@ -469,24 +543,17 @@
  ')
  
  optional_policy(`
@@ -10819,7 +10973,7 @@
  allow cronjob_t self:process { signal_perms setsched };
  allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +632,9 @@
+@@ -570,6 +637,9 @@
  userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
@@ -11034,7 +11188,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.3/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cups.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/cups.te	2009-01-28 09:26:44.000000000 -0500
 @@ -20,9 +20,18 @@
  type cupsd_etc_t;
  files_config_file(cupsd_etc_t)
@@ -11651,7 +11805,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.3/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/dbus.te	2009-01-21 14:05:46.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/dbus.te	2009-01-28 09:29:46.000000000 -0500
 @@ -9,14 +9,15 @@
  #
  # Delcarations
@@ -11670,7 +11824,7 @@
  
  type session_dbusd_tmp_t;
  typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
-@@ -31,11 +32,24 @@
+@@ -31,11 +32,25 @@
  files_tmp_file(system_dbusd_tmp_t)
  
  type system_dbusd_var_lib_t;
@@ -11691,21 +11845,22 @@
 +	mls_file_read_all_levels(system_dbusd_t)
 +	mls_socket_write_all_levels(system_dbusd_t)
 +	mls_socket_read_to_clearance(system_dbusd_t)
++	mls_dbus_recv_all_levels(system_dbusd_t)
 +')
 +
  ##############################
  #
  # System bus local policy
-@@ -45,7 +59,7 @@
+@@ -45,7 +60,7 @@
  # cjp: dac_override should probably go in a distro_debian
  allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
  dontaudit system_dbusd_t self:capability sys_tty_config;
 -allow system_dbusd_t self:process { getattr signal_perms setcap };
-+allow system_dbusd_t self:process { getattr signal_perms setpgid getcap setcap };
++allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
  allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
  allow system_dbusd_t self:dbus { send_msg acquire_svc };
  allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -53,6 +67,8 @@
+@@ -53,6 +68,8 @@
  # Receive notifications of policy reloads and enforcing status changes.
  allow system_dbusd_t self:netlink_selinux_socket { create bind read };
  
@@ -11714,7 +11869,7 @@
  allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
  read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
  read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-@@ -75,6 +91,8 @@
+@@ -75,6 +92,8 @@
  
  fs_getattr_all_fs(system_dbusd_t)
  fs_search_auto_mountpoints(system_dbusd_t)
@@ -11723,7 +11878,7 @@
  
  selinux_get_fs_mount(system_dbusd_t)
  selinux_validate_context(system_dbusd_t)
-@@ -91,9 +109,9 @@
+@@ -91,9 +110,9 @@
  corecmd_list_bin(system_dbusd_t)
  corecmd_read_bin_pipes(system_dbusd_t)
  corecmd_read_bin_sockets(system_dbusd_t)
@@ -11734,7 +11889,7 @@
  
  files_read_etc_files(system_dbusd_t)
  files_list_home(system_dbusd_t)
-@@ -101,6 +119,8 @@
+@@ -101,6 +120,8 @@
  
  init_use_fds(system_dbusd_t)
  init_use_script_ptys(system_dbusd_t)
@@ -11743,7 +11898,7 @@
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -128,9 +148,34 @@
+@@ -128,9 +149,34 @@
  ')
  
  optional_policy(`
@@ -13073,7 +13228,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.3/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/hal.te	2009-01-20 11:41:48.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/hal.te	2009-01-28 09:55:29.000000000 -0500
 @@ -49,6 +49,15 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -13663,7 +13818,7 @@
 +/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.3/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/mailman.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/mailman.if	2009-01-26 13:51:36.000000000 -0500
 @@ -31,6 +31,12 @@
  	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
  	allow mailman_$1_t self:udp_socket create_socket_perms;
@@ -13677,7 +13832,15 @@
  	manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
  	manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
  	manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
-@@ -209,6 +215,7 @@
+@@ -64,6 +70,7 @@
+ 	corenet_sendrecv_smtp_client_packets(mailman_$1_t)
+ 
+ 	fs_getattr_xattr_fs(mailman_$1_t)
++	fs_list_inotifyfs(mailman_$1_t)
+ 
+ 	corecmd_exec_all_executables(mailman_$1_t)
+ 
+@@ -209,6 +216,7 @@
  		type mailman_data_t;
  	')
  
@@ -13685,7 +13848,7 @@
  	manage_files_pattern($1, mailman_data_t, mailman_data_t)
  ')
  
-@@ -250,6 +257,25 @@
+@@ -250,6 +258,25 @@
  
  #######################################
  ## <summary>
@@ -13713,7 +13876,7 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.3/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/mailman.te	2009-01-19 15:30:18.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/mailman.te	2009-01-26 15:06:29.000000000 -0500
 @@ -53,10 +53,8 @@
  	apache_use_fds(mailman_cgi_t)
  	apache_dontaudit_append_log(mailman_cgi_t)
@@ -13727,7 +13890,7 @@
  ')
  
  ########################################
-@@ -65,15 +63,27 @@
+@@ -65,15 +63,31 @@
  #
  
  allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
@@ -13751,15 +13914,19 @@
 -	allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
 -	# do we really need this?
 -	allow mailman_mail_t qmail_lspawn_t:fifo_file write;
-+	postfix_search_spool(mailman_mail_t)
++	courier_read_spool(mailman_mail_t)
  ')
 +
 +optional_policy(`
++	postfix_search_spool(mailman_mail_t)
++')
++
++optional_policy(`
 +        cron_read_pipes(mailman_mail_t)
  ')
  
  ########################################
-@@ -99,11 +109,15 @@
+@@ -99,11 +113,15 @@
  # for su
  seutil_dontaudit_search_config(mailman_queue_t)
  
@@ -14585,8 +14752,9 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.3/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/services/networkmanager.fc	2009-01-21 12:55:52.000000000 -0500
-@@ -1,8 +1,13 @@
++++ serefpolicy-3.6.3/policy/modules/services/networkmanager.fc	2009-01-27 10:38:58.000000000 -0500
+@@ -1,12 +1,24 @@
++/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
 +/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +/usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +
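Review bot: The added `/etc/rc\.d/init\.d/wicd` entry writes its context as `NetworkManager_initrc_exec_t, s0`, with a space before the level, where every other entry in this file uses `,s0`. The `/usr/sbin/wicd` and `/var/lib/wicd(/.*)?` entries in the next hunk do the same and also carry stray spaces around `--`. m4 normally drops leading whitespace in macro arguments, so this is probably cosmetic, but I would normalise to `gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)` so the generated file_contexts cannot differ from its neighbours.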
@@ -14594,17 +14762,22 @@
  /sbin/wpa_supplicant		--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  
  /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/wicd 			-- 	gen_context(system_u:object_r:NetworkManager_exec_t, s0)
  /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++
++/var/lib/wicd(/.*)? 			gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
  
++/var/log/wicd(/.*)? 			gen_context(system_u:object_r:NetworkManager_log_t,s0)
  /var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
  
-@@ -10,3 +15,4 @@
+ /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++
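Review bot: Labelling `/usr/sbin/wicd` as `NetworkManager_exec_t` presumably puts wicd in `NetworkManager_t`, where it would inherit everything that domain is allowed, including `kernel_load_module(NetworkManager_t)` in networkmanager.te. Nothing in the file records that this sharing is deliberate. I would add a comment above the wicd entries, for example `# wicd deliberately shares the NetworkManager domain; split it into its own module if its needs diverge`, so that later additions to `NetworkManager_t` are reviewed with both daemons in mind.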
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.3/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2008-09-11 11:28:34.000000000 -0400
 +++ serefpolicy-3.6.3/policy/modules/services/networkmanager.if	2009-01-19 13:10:02.000000000 -0500
@@ -14635,8 +14808,18 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.3/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/networkmanager.te	2009-01-19 14:46:55.000000000 -0500
-@@ -33,9 +33,9 @@
++++ serefpolicy-3.6.3/policy/modules/services/networkmanager.te	2009-01-26 13:38:45.000000000 -0500
+@@ -19,6 +19,9 @@
+ type NetworkManager_tmp_t;
+ files_tmp_file(NetworkManager_tmp_t)
+ 
++type NetworkManager_var_lib_t;
++files_type(NetworkManager_var_lib_t)
++
+ type NetworkManager_var_run_t;
+ files_pid_file(NetworkManager_var_run_t)
+ 
+@@ -33,9 +36,9 @@
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161) 
@@ -14648,7 +14831,7 @@
  allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
  allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
  allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-@@ -51,8 +51,8 @@
+@@ -51,8 +54,10 @@
  manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
  logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
  
@@ -14656,10 +14839,12 @@
 -files_search_tmp(NetworkManager_t)
 +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
++
++manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
  
  manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
  manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-@@ -63,6 +63,8 @@
+@@ -63,6 +68,8 @@
  kernel_read_network_state(NetworkManager_t)
  kernel_read_kernel_sysctls(NetworkManager_t)
  kernel_load_module(NetworkManager_t)
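Review bot: `NetworkManager_var_lib_t` gets only `manage_files_pattern` in this hunk, although networkmanager.fc labels the directory `/var/lib/wicd` itself and everything below it with that type. Unless rules outside this hunk cover it, the daemon cannot create the directory or any subdirectory, and nothing it creates directly under /var/lib would pick up the type. Consider adding `manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)` and `files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file })` next to the new line.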
@@ -14668,7 +14853,7 @@
  
  corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +83,18 @@
+@@ -81,13 +88,18 @@
  corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
  corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
  corenet_sendrecv_all_client_packets(NetworkManager_t)
@@ -14687,7 +14872,7 @@
  
  mls_file_read_all_levels(NetworkManager_t)
  
-@@ -104,9 +111,14 @@
+@@ -104,9 +116,14 @@
  files_read_etc_runtime_files(NetworkManager_t)
  files_read_usr_files(NetworkManager_t)
  
@@ -14702,7 +14887,7 @@
  logging_send_syslog_msg(NetworkManager_t)
  
  miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +128,40 @@
+@@ -116,25 +133,40 @@
  
  seutil_read_config(NetworkManager_t)
  
@@ -14750,7 +14935,7 @@
  ')
  
  optional_policy(`
-@@ -146,8 +173,25 @@
+@@ -146,8 +178,25 @@
  ')
  
  optional_policy(`
@@ -14778,7 +14963,7 @@
  ')
  
  optional_policy(`
-@@ -155,23 +199,49 @@
+@@ -155,23 +204,49 @@
  ')
  
  optional_policy(`
@@ -14805,15 +14990,15 @@
 +	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
 +	openvpn_signull(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+	polkit_domtrans_auth(NetworkManager_t)
-+	polkit_read_lib(NetworkManager_t)
-+	polkit_read_reload(NetworkManager_t)
  ')
  
  optional_policy(`
++	polkit_domtrans_auth(NetworkManager_t)
++	polkit_read_lib(NetworkManager_t)
++	polkit_read_reload(NetworkManager_t)
++')
++
++optional_policy(`
 +	ppp_initrc_domtrans(NetworkManager_t)
  	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
@@ -14830,7 +15015,7 @@
  ')
  
  optional_policy(`
-@@ -184,7 +254,9 @@
+@@ -184,7 +259,9 @@
  
  optional_policy(`
  	vpn_domtrans(NetworkManager_t)
@@ -15351,7 +15536,7 @@
  ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.3/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/ntp.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/ntp.te	2009-01-26 13:23:48.000000000 -0500
 @@ -38,10 +38,11 @@
  
  # sys_resource and setrlimit is for locking memory
@@ -15373,12 +15558,13 @@
  
  allow ntpd_t ntpd_log_t:dir setattr;
  manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
-@@ -90,6 +92,8 @@
+@@ -90,6 +92,9 @@
  
  fs_getattr_all_fs(ntpd_t)
  fs_search_auto_mountpoints(ntpd_t)
 +# Necessary to communicate with gpsd devices
 +fs_rw_tmpfs_files(ntpd_t)
++fs_list_inotifyfs(ntpd_t)
  
  term_use_ptmx(ntpd_t)
  
@@ -21114,7 +21300,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.3/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/spamassassin.fc	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/spamassassin.fc	2009-01-26 11:56:43.000000000 -0500
 @@ -1,15 +1,24 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -22338,18 +22524,17 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.3/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.if	2009-01-21 15:37:51.000000000 -0500
-@@ -90,7 +90,8 @@
++++ serefpolicy-3.6.3/policy/modules/services/xserver.if	2009-01-28 12:11:39.000000000 -0500
+@@ -90,7 +90,7 @@
  	allow $2 xauth_home_t:file manage_file_perms;
  	allow $2 xauth_home_t:file { relabelfrom relabelto };
  
 -	xserver_common_x_domain_template(user, $2)
 +	xserver_common_app($2)
-+	xserver_use_xdm($2)
  
  	##############################
  	#
-@@ -116,6 +117,7 @@
+@@ -116,6 +116,7 @@
  	# setattr: gnome-settings-daemon X11:GrabKey
  	# manage: metacity X11:ChangeWindowAttributes
  	allow $2 rootwindow_t:x_drawable { read write manage setattr };
@@ -22357,7 +22542,7 @@
  
  	# setattr: metacity X11:InstallColormap
  	allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr };
-@@ -156,7 +158,7 @@
+@@ -156,7 +157,7 @@
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -22366,7 +22551,7 @@
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -219,12 +221,12 @@
+@@ -219,12 +220,12 @@
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -22382,7 +22567,7 @@
  	allow $1 xdm_tmp_t:dir search;
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -278,7 +280,6 @@
+@@ -278,7 +279,6 @@
  		type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
  		type xevent_t, client_xevent_t;
  
@@ -22390,7 +22575,7 @@
  		attribute xproperty_type;
  		attribute xevent_type;
  		attribute input_xevent_type;
-@@ -287,6 +288,8 @@
+@@ -287,6 +287,8 @@
  		class x_property all_x_property_perms;
  		class x_event all_x_event_perms;
  		class x_synthetic_event all_x_synthetic_event_perms;
@@ -22399,7 +22584,7 @@
  	')
  
  	##############################
-@@ -294,20 +297,11 @@
+@@ -294,20 +296,11 @@
  	# Local Policy
  	#
  
@@ -22420,7 +22605,7 @@
  	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
  	allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
  	allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
-@@ -320,8 +315,10 @@
+@@ -320,8 +314,10 @@
  	type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
  	type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
  	type_transition $2 xevent_t:x_event $1_default_xevent_t;
@@ -22432,7 +22617,7 @@
  ')
  
  #######################################
-@@ -397,11 +394,12 @@
+@@ -397,11 +393,12 @@
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
  		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
@@ -22448,7 +22633,7 @@
  
  	# Read .Xauthority file
  	allow $2 xauth_home_t:file read_file_perms;
-@@ -409,7 +407,7 @@
+@@ -409,7 +406,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
@@ -22457,7 +22642,7 @@
  	allow $2 xdm_tmp_t:dir search_dir_perms;
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
-@@ -437,6 +435,10 @@
+@@ -437,6 +434,10 @@
  		allow $2 xserver_t:shm rw_shm_perms;
  		allow $2 xserver_tmpfs_t:file rw_file_perms;
  	')
@@ -22468,7 +22653,7 @@
  ')
  
  ########################################
-@@ -639,7 +641,7 @@
+@@ -639,7 +640,7 @@
  		type xdm_t;
  	')
  
@@ -22477,7 +22662,7 @@
  ')
  
  ########################################
-@@ -738,6 +740,7 @@
+@@ -738,6 +739,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@@ -22485,7 +22670,7 @@
  ')
  
  ########################################
-@@ -756,7 +759,26 @@
+@@ -756,7 +758,26 @@
  	')
  
  	files_search_pids($1)
@@ -22513,7 +22698,7 @@
  ')
  
  ########################################
-@@ -779,6 +801,31 @@
+@@ -779,6 +800,31 @@
  
  ########################################
  ## <summary>
@@ -22545,7 +22730,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1018,10 +1065,11 @@
+@@ -1018,10 +1064,11 @@
  #
  interface(`xserver_domtrans',`
  	gen_require(`
@@ -22558,7 +22743,7 @@
  	domtrans_pattern($1, xserver_exec_t, xserver_t)
  ')
  
-@@ -1159,6 +1207,275 @@
+@@ -1159,6 +1206,275 @@
  
  ########################################
  ## <summary>
@@ -22834,7 +23019,7 @@
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1172,7 +1489,99 @@
+@@ -1172,7 +1488,99 @@
  interface(`xserver_unconfined',`
  	gen_require(`
  		attribute xserver_unconfined_type;
@@ -22863,15 +23048,14 @@
 +#
 +interface(`xserver_communicate',`
 +	gen_require(`
-+		type xdm_t, xdm_tmp_t;
-+		class x_client all_x_client_perms;
 +		class x_drawable all_x_drawable_perms;
-+		class x_property all_x_property_perms;
 +		class x_resource all_x_resource_perms;
  ')
 +
 +	allow $1 $2:x_drawable all_x_drawable_perms;
++	allow $2 $1:x_drawable all_x_drawable_perms;
 +	allow $1 $2:x_resource all_x_resource_perms;
++	allow $2 $1:x_resource all_x_resource_perms;
 +')
 +
 +#######################################
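Review bot: The two added rules, `allow $2 $1:x_drawable all_x_drawable_perms;` and `allow $2 $1:x_resource all_x_resource_perms;`, make `xserver_communicate` symmetric, so every existing caller now also gives the second domain full drawable and resource access to the first. The interface's summary and parameter documentation sit outside this hunk and should say that access is granted in both directions, for example `##	Allow two domains full access to each other's X drawables and resources.`. A caller that wants one-way access would need a separate interface.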
@@ -22900,7 +23084,7 @@
 +	typeattribute $1 x_domain;
 +
 +	allow $1 xselection_t:x_selection setattr;
-+	allow $1 user_xproperty_t:x_property { write read };
++	allow $1 user_xproperty_t:x_property { write read destroy };
 +	allow $1 xproperty_t:x_property all_x_property_perms;
 +
 +	# X Windows
@@ -22911,6 +23095,7 @@
 +	# can receive own events
 +	allow $1 xevent_type:{ x_event x_synthetic_event } { receive send };
 +	xserver_communicate($1, $1)
++	xserver_use_xdm($1)
 +')
 +
 +########################################
@@ -22936,7 +23121,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-26 09:17:40.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-28 12:09:22.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -23366,7 +23551,7 @@
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:memprotect mmap_zero;
-@@ -602,6 +707,7 @@
+@@ -602,9 +707,11 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23374,7 +23559,11 @@
  
  # Device rules
  allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
-@@ -622,7 +728,7 @@
++allow x_domain xserver_t:x_screen getattr;
+ 
+ allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
+ 
+@@ -622,7 +729,7 @@
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
@@ -23383,7 +23572,7 @@
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,6 +741,15 @@
+@@ -635,6 +742,15 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23399,7 +23588,7 @@
  # Create files in /var/log with the xserver_log_t type.
  manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
  logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -680,9 +795,14 @@
+@@ -680,9 +796,14 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -23414,7 +23603,7 @@
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +817,13 @@
+@@ -697,8 +818,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23428,7 +23617,7 @@
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -720,6 +845,7 @@
+@@ -720,6 +846,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -23436,7 +23625,7 @@
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -742,7 +868,7 @@
+@@ -742,7 +869,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -23445,7 +23634,7 @@
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -774,6 +900,10 @@
+@@ -774,6 +901,10 @@
  ')
  
  optional_policy(`
@@ -23456,7 +23645,7 @@
  	rhgb_getpgid(xserver_t)
  	rhgb_signal(xserver_t)
  ')
-@@ -806,7 +936,7 @@
+@@ -806,7 +937,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -23465,7 +23654,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +957,14 @@
+@@ -827,9 +958,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23480,7 +23669,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +979,14 @@
+@@ -844,11 +980,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -23496,7 +23685,7 @@
  ')
  
  optional_policy(`
-@@ -856,6 +994,11 @@
+@@ -856,6 +995,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -23508,7 +23697,25 @@
  ########################################
  #
  # Rules common to all X window domains
-@@ -972,6 +1115,37 @@
+@@ -881,6 +1025,8 @@
+ # X Server
+ # can read server-owned resources
+ allow x_domain xserver_t:x_resource read;
++allow x_domain xserver_t:x_device { manage force_cursor };
++
+ # can mess with own clients
+ allow x_domain self:x_client { manage destroy };
+ 
+@@ -905,6 +1051,8 @@
+ # operations allowed on my windows
+ allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
+ 
++allow x_domain x_domain:x_drawable { get_property getattr list_child };
++
+ # X Colormaps
+ # can use the default colormap
+ allow x_domain rootwindow_t:x_colormap { read use add_color };
+@@ -972,6 +1120,37 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -23546,7 +23753,7 @@
  ifdef(`TODO',`
  tunable_policy(`allow_polyinstantiation',`
  # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1160,13 @@
+@@ -986,3 +1165,12 @@
  #
  allow xdm_t user_home_type:file unlink;
  ') dnl end TODO
@@ -23559,7 +23766,6 @@
 +tunable_policy(`allow_execstack',`
 +	allow xdm_t self:process { execstack execmem };
 +')
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.6.3/policy/modules/services/zosremote.fc
 --- nsaserefpolicy/policy/modules/services/zosremote.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/zosremote.fc	2009-01-19 13:10:02.000000000 -0500
@@ -23700,7 +23906,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.3/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/authlogin.if	2009-01-20 10:57:35.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/authlogin.if	2009-01-28 09:30:42.000000000 -0500
 @@ -43,6 +43,7 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
@@ -23865,6 +24071,15 @@
  ')
  
  ########################################
+@@ -650,7 +727,7 @@
+ 
+ ########################################
+ ## <summary>
+-##	Execute pam programs in the pam domain.
++##	Send signal to pam process
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -1031,6 +1108,32 @@
  
  ########################################
@@ -24377,7 +24592,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-01-21 17:45:29.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-01-28 09:55:56.000000000 -0500
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -24522,15 +24737,17 @@
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -367,6 +400,7 @@
+@@ -366,7 +399,9 @@
+ 
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
++libs_exec_ld_so(initrc_t)
  
 +logging_send_audit_msgs(initrc_t)
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -451,7 +485,7 @@
+@@ -451,7 +486,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -24539,7 +24756,7 @@
  	files_dontaudit_read_root_files(initrc_t)
  
  	selinux_set_enforce_mode(initrc_t)
-@@ -498,6 +532,7 @@
+@@ -498,6 +533,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
@@ -24547,7 +24764,7 @@
  	')
  
  	optional_policy(`
-@@ -516,6 +551,31 @@
+@@ -516,6 +552,31 @@
  	')
  ')
  
@@ -24579,7 +24796,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +630,10 @@
+@@ -570,6 +631,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -24590,7 +24807,7 @@
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -655,12 +719,6 @@
+@@ -655,12 +720,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -24603,7 +24820,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -721,6 +779,9 @@
+@@ -721,6 +780,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -24613,7 +24830,7 @@
  ')
  
  optional_policy(`
-@@ -733,10 +794,12 @@
+@@ -733,10 +795,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -24626,7 +24843,7 @@
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +817,11 @@
+@@ -754,6 +818,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -24638,7 +24855,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -768,6 +836,10 @@
+@@ -768,6 +837,10 @@
  ')
  
  optional_policy(`
@@ -24649,7 +24866,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -790,3 +862,11 @@
+@@ -790,3 +863,11 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -24857,7 +25074,7 @@
  allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.3/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/libraries.fc	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/libraries.fc	2009-01-26 13:53:03.000000000 -0500
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -24938,7 +25155,7 @@
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -246,7 +262,7 @@
+@@ -246,12 +262,13 @@
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -24946,8 +25163,15 @@
 +HOME_DIR/.*/plugins/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +283,9 @@
+-HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/.*/nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/(.*/)?nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/allegro/(.*/)?alleg-vga\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ # Jai, Sun Microsystems (Jpackage SPRM)
+ /usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -267,6 +284,9 @@
  /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
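Review bot: The replacement pattern `HOME_DIR/.mozilla/plugins/nprhapengine\.so.*` leaves the dot before `mozilla` unescaped, so it matches any character in that position. The libflashplayer entry a few lines above writes `HOME_DIR/\.mozilla(/.*)?/plugins/`. Because `textrel_shlib_t` is being applied to a file in a user-writable home directory, the pattern should be as tight as intended: `HOME_DIR/\.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)`. The new `/usr/lib/allegro/` entry also omits the `(64)?` that its neighbours use, which may or may not be intentional.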
@@ -24957,7 +25181,7 @@
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +310,8 @@
+@@ -291,6 +311,8 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -24966,7 +25190,16 @@
  ') dnl end distro_redhat
  
  #
-@@ -310,3 +331,19 @@
+@@ -303,6 +325,8 @@
+ 
+ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
+ 
++/var/lib/spamassassin/compiled/.*\.so.*    --     gen_context(system_u:object_r:lib_t,s0)
++
+ ifdef(`distro_suse',`
+ /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
+ ')
+@@ -310,3 +334,20 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -24986,6 +25219,7 @@
 +/usr/lib(64)?/sse2/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/i686/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.3/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/system/libraries.te	2009-01-19 13:10:02.000000000 -0500
@@ -25273,7 +25507,7 @@
 +/var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.3/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/lvm.te	2009-01-26 11:20:23.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/lvm.te	2009-01-28 09:30:55.000000000 -0500
 @@ -10,6 +10,9 @@
  type clvmd_exec_t;
  init_daemon_domain(clvmd_t,clvmd_exec_t)
@@ -25430,7 +25664,7 @@
  
  fs_getattr_xattr_fs(lvm_t)
  fs_search_auto_mountpoints(lvm_t)
-@@ -239,12 +276,17 @@
+@@ -239,12 +276,18 @@
  storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
@@ -25443,12 +25677,13 @@
  corecmd_exec_shell(lvm_t)
  
  domain_use_interactive_fds(lvm_t)
++domain_read_all_domains_state(lvm_t)
  
 +files_read_usr_files(lvm_t)
  files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
-@@ -253,6 +295,7 @@
+@@ -253,6 +296,7 @@
  init_use_fds(lvm_t)
  init_dontaudit_getattr_initctl(lvm_t)
  init_use_script_ptys(lvm_t)
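Review bot: `domain_read_all_domains_state(lvm_t)` lets lvm_t read the process state of every domain on the system, which is a wide grant for a storage tool, and the added line has no comment saying what required it. Neighbouring rules are annotated (`# for when /usr is not mounted:`), so I would add one here, for example `# <lvm tool> inspects other processes' /proc entries; confirm which access is actually needed`. It is also worth checking whether the denial that prompted this could be handled with a dontaudit or a narrower interface.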
@@ -25456,7 +25691,7 @@
  
  logging_send_syslog_msg(lvm_t)
  
-@@ -283,5 +326,22 @@
+@@ -283,5 +327,22 @@
  ')
  
  optional_policy(`
@@ -25667,7 +25902,7 @@
  /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.3/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/mount.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/mount.if	2009-01-27 15:12:00.000000000 -0500
 @@ -43,9 +43,11 @@
  
  	mount_domtrans($1)
@@ -25681,6 +25916,28 @@
  	')
  ')
  
+@@ -159,3 +161,21 @@
+ 	mount_domtrans_unconfined($1)
+ 	role $2 types unconfined_mount_t;
+ ')
++
++########################################
++## <summary>
++##	Send signal to mount process
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`mount_signal',`
++	gen_require(`
++		type mount_t;
++	')
++
++	allow $1 mount_t:process signal; 
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.3/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/system/mount.te	2009-01-21 17:47:52.000000000 -0500
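Review bot: The doc block of the new `mount_signal` interface is looser than the rule it documents. `allow $1 mount_t:process signal;` grants only the generic `signal` permission, and the `<param>` text describes the caller instead of saying that the domain is being allowed access. I would word the summary as `Send a generic signal to mount.` and the parameter as `Domain allowed access.`, and drop the trailing space after `signal;`. No caller of the interface is visible in this part of the patch, so the note cannot confirm which domain needs it.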
@@ -26737,16 +26994,21 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.3/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/system/sysnetwork.fc	2009-01-19 13:10:02.000000000 -0500
-@@ -11,6 +11,7 @@
++++ serefpolicy-3.6.3/policy/modules/system/sysnetwork.fc	2009-01-26 13:37:49.000000000 -0500
+@@ -11,8 +11,12 @@
  /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
 +/etc/hosts		--	gen_context(system_u:object_r:net_conf_t,s0)
  /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
  /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
- 
-@@ -20,6 +21,7 @@
++/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
++/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
++/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
+ 
+ /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
+@@ -20,6 +24,7 @@
  ifdef(`distro_redhat',`
  /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
  /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
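Review bot: The three new `/etc/wicd/*-settings.conf` entries label wicd's settings files `net_conf_t`, the same type used for `/etc/hosts` and `/etc/resolv\.conf.*`, so every domain allowed to read network configuration can read them too. If `wireless-settings.conf` holds wireless keys, as wicd's per-network settings appear to, a dedicated type readable only by the wicd domain would be safer than the shared one. The patterns also leave the dot unescaped, unlike the `resolv\.conf` entries nearby; `/etc/wicd/wireless-settings\.conf` would match only the intended file name, and the same applies to the other two. The rest of sysnetwork.fc lies outside the hunk.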
@@ -26754,7 +27016,7 @@
  ')
  
  #
-@@ -57,3 +59,5 @@
+@@ -57,3 +62,5 @@
  ifdef(`distro_gentoo',`
  /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
  ')
@@ -27813,7 +28075,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-26 09:38:49.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-28 10:48:13.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -29279,7 +29541,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3235,284 @@
+@@ -2981,3 +3235,285 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -29394,6 +29656,7 @@
 +
 +  optional_policy(`
 +	setroubleshoot_stream_connect($1_t)
++	setroubleshoot_dbus_chat($1_t)
 +  ')
 +')
 +


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.776
retrieving revision 1.777
diff -u -r1.776 -r1.777
--- selinux-policy.spec	26 Jan 2009 16:21:59 -0000	1.776
+++ selinux-policy.spec	28 Jan 2009 17:23:17 -0000	1.777
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
 %endif
 
 %changelog
+* Tue Jan 27 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-10
+- Fixes for wicd daemon
+
 * Mon Jan 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-9
 - More mls/rpm fixes 
 



