rpms/selinux-policy/F-11 policy-20090105.patch, 1.112, 1.113 selinux-policy.spec, 1.849, 1.850
Daniel J Walsh
dwalsh at fedoraproject.org
Mon May 4 18:20:52 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30878
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Fri May 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-27
- Fix /sbin/ip6tables-save context
- Allod udev to transition to mount
- Fix loading of mls policy file
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.112
retrieving revision 1.113
diff -u -p -r1.112 -r1.113
--- policy-20090105.patch 30 Apr 2009 22:21:52 -0000 1.112
+++ policy-20090105.patch 4 May 2009 18:20:20 -0000 1.113
@@ -655,7 +655,16 @@ diff -b -B --ignore-all-space --exclude-
corenet_udp_sendrecv_lo_if(mrtg_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.12/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2009-03-12 11:16:47.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/admin/netutils.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/netutils.te 2009-05-04 11:25:11.000000000 -0400
+@@ -50,7 +50,7 @@
+ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+
+ kernel_search_proc(netutils_t)
+-kernel_read_sysctl(netutils_t)
++kernel_read_all_sysctls(netutils_t)
+
+ corenet_all_recvfrom_unlabeled(netutils_t)
+ corenet_all_recvfrom_netlabel(netutils_t)
@@ -152,6 +152,10 @@
')
@@ -4479,6 +4488,42 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+permissive sambagui_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc
+--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-11-11 16:13:42.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-02 07:46:25.000000000 -0400
+@@ -13,3 +13,4 @@
+ #
+ /var/run/screens?/S-[^/]+ -d gen_context(system_u:object_r:screen_dir_t,s0)
+ /var/run/screens?/S-[^/]+/.* <<none>>
++/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
+--- nsaserefpolicy/policy/modules/apps/screen.if 2009-01-19 11:03:28.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/screen.if 2009-05-04 11:30:29.000000000 -0400
+@@ -165,3 +165,24 @@
+ nscd_socket_use($1_screen_t)
+ ')
+ ')
++
++########################################
++## <summary>
++## Manage screen var_run files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`screen_manage_var_run',`
++ gen_require(`
++ type screen_var_run_t;
++ ')
++
++ manage_dirs_pattern($1,screen_var_run_t,screen_var_run_t)
++ manage_files_pattern($1,screen_var_run_t,screen_var_run_t)
++ manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
++ manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te
--- nsaserefpolicy/policy/modules/apps/uml.te 2009-01-19 11:03:28.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/apps/uml.te 2009-04-28 11:42:33.000000000 -0400
@@ -5913,7 +5958,7 @@ diff -b -B --ignore-all-space --exclude-
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-04 11:25:35.000000000 -0400
@@ -1197,6 +1197,26 @@
')
@@ -6039,7 +6084,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.12/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-05-01 13:41:10.000000000 -0400
@@ -63,6 +63,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -6056,7 +6101,15 @@ diff -b -B --ignore-all-space --exclude-
# kvmFS
#
-@@ -120,6 +129,10 @@
+@@ -100,6 +109,7 @@
+ genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
+
+ type proc_xen_t, proc_type;
++files_mountpoint(proc_xen_t)
+ genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
+
+ #
+@@ -120,6 +130,10 @@
type sysctl_rpc_t, sysctl_type;
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
@@ -6067,7 +6120,7 @@ diff -b -B --ignore-all-space --exclude-
# /proc/sys/fs directory and files
type sysctl_fs_t, sysctl_type;
files_mountpoint(sysctl_fs_t)
-@@ -160,6 +173,7 @@
+@@ -160,6 +174,7 @@
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -6075,7 +6128,7 @@ diff -b -B --ignore-all-space --exclude-
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -198,6 +212,8 @@
+@@ -198,6 +213,8 @@
allow kernel_t self:sock_file read_sock_file_perms;
allow kernel_t self:fd use;
@@ -6084,7 +6137,7 @@ diff -b -B --ignore-all-space --exclude-
allow kernel_t proc_t:dir list_dir_perms;
allow kernel_t proc_t:file read_file_perms;
allow kernel_t proc_t:lnk_file read_lnk_file_perms;
-@@ -248,7 +264,8 @@
+@@ -248,7 +265,8 @@
selinux_load_policy(kernel_t)
@@ -6094,7 +6147,7 @@ diff -b -B --ignore-all-space --exclude-
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -262,6 +279,8 @@
+@@ -262,6 +280,8 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -6103,7 +6156,7 @@ diff -b -B --ignore-all-space --exclude-
mcs_process_set_categories(kernel_t)
-@@ -269,12 +288,18 @@
+@@ -269,12 +289,18 @@
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
@@ -6122,7 +6175,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`read_default_t',`
files_list_default(kernel_t)
files_read_default_files(kernel_t)
-@@ -356,7 +381,11 @@
+@@ -356,7 +382,11 @@
')
optional_policy(`
@@ -6135,7 +6188,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -388,3 +417,7 @@
+@@ -388,3 +418,7 @@
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
@@ -6257,48 +6310,46 @@ diff -b -B --ignore-all-space --exclude-
+gen_user(guest_u, user, guest_r, s0, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-04-23 09:44:57.000000000 -0400
-@@ -15,156 +15,90 @@
++++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-05-02 07:50:07.000000000 -0400
+@@ -15,156 +15,95 @@
# Local policy
#
-optional_policy(`
- apache_role(staff_r, staff_t)
-')
--
--optional_policy(`
-- auth_role(staff_r, staff_t)
--')
--
--optional_policy(`
-- auditadm_role_change(staff_r)
--')
+kernel_read_ring_buffer(staff_t)
+kernel_getattr_core_if(staff_t)
+kernel_getattr_message_if(staff_t)
+kernel_read_software_raid_state(staff_t)
-optional_policy(`
-- bluetooth_role(staff_r, staff_t)
+- auth_role(staff_r, staff_t)
-')
+auth_domtrans_pam_console(staff_t)
-optional_policy(`
-- cdrecord_role(staff_r, staff_t)
+- auditadm_role_change(staff_r)
-')
+libs_manage_shared_libs(staff_t)
-optional_policy(`
+- bluetooth_role(staff_r, staff_t)
+-')
+-
+-optional_policy(`
+- cdrecord_role(staff_r, staff_t)
+-')
+-
+-optional_policy(`
- cron_role(staff_r, staff_t)
-')
-
-optional_policy(`
- dbus_role_template(staff, staff_r, staff_t)
-')
-+seutil_run_newrole(staff_t, staff_r)
-+netutils_run_ping(staff_t, staff_r)
-
- optional_policy(`
+-
+-optional_policy(`
- ethereal_role(staff_r, staff_t)
-')
-
@@ -6317,8 +6368,10 @@ diff -b -B --ignore-all-space --exclude-
-optional_policy(`
- gnome_role(staff_r, staff_t)
-')
--
--optional_policy(`
++seutil_run_newrole(staff_t, staff_r)
++netutils_run_ping(staff_t, staff_r)
+
+ optional_policy(`
- gpg_role(staff_r, staff_t)
-')
-
@@ -6332,122 +6385,123 @@ diff -b -B --ignore-all-space --exclude-
-
-optional_policy(`
- lockdev_role(staff_r, staff_t)
--')
--
--optional_policy(`
-- lpd_role(staff_r, staff_t)
--')
--
--optional_policy(`
-- mozilla_role(staff_r, staff_t)
+ sudo_role_template(staff, staff_r, staff_t)
')
optional_policy(`
-- mplayer_role(staff_r, staff_t)
+- lpd_role(staff_r, staff_t)
+ auditadm_role_change(staff_r)
')
optional_policy(`
-- mta_role(staff_r, staff_t)
+- mozilla_role(staff_r, staff_t)
+ kerneloops_manage_tmp_files(staff_t)
')
optional_policy(`
-- oident_manage_user_content(staff_t)
-- oident_relabel_user_content(staff_t)
+- mplayer_role(staff_r, staff_t)
+ logadm_role_change(staff_r)
')
optional_policy(`
-- pyzor_role(staff_r, staff_t)
+- mta_role(staff_r, staff_t)
+ secadm_role_change(staff_r)
')
optional_policy(`
-- razor_role(staff_r, staff_t)
+- oident_manage_user_content(staff_t)
+- oident_relabel_user_content(staff_t)
+ ssh_role_template(staff, staff_r, staff_t)
')
optional_policy(`
-- rssh_role(staff_r, staff_t)
+- pyzor_role(staff_r, staff_t)
+ sysadm_role_change(staff_r)
')
optional_policy(`
-- screen_role_template(staff, staff_r, staff_t)
+- razor_role(staff_r, staff_t)
+ usernetctl_run(staff_t, staff_r)
')
optional_policy(`
-- secadm_role_change(staff_r)
+- rssh_role(staff_r, staff_t)
+ unconfined_role_change(staff_r)
')
optional_policy(`
-- spamassassin_role(staff_r, staff_t)
+- screen_role_template(staff, staff_r, staff_t)
+ webadm_role_change(staff_r)
')
-optional_policy(`
-- ssh_role_template(staff, staff_r, staff_t)
+- secadm_role_change(staff_r)
-')
+domain_read_all_domains_state(staff_t)
+domain_getattr_all_domains(staff_t)
+domain_obj_id_change_exemption(staff_t)
-optional_policy(`
-- su_role_template(staff, staff_r, staff_t)
+- spamassassin_role(staff_r, staff_t)
-')
+files_read_kernel_modules(staff_t)
-optional_policy(`
-- sudo_role_template(staff, staff_r, staff_t)
+- ssh_role_template(staff, staff_r, staff_t)
-')
+kernel_read_fs_sysctls(staff_t)
-optional_policy(`
-- sysadm_role_change(staff_r)
-- userdom_dontaudit_use_user_terminals(staff_t)
+- su_role_template(staff, staff_r, staff_t)
-')
+modutils_read_module_config(staff_t)
+modutils_read_module_deps(staff_t)
-optional_policy(`
-- thunderbird_role(staff_r, staff_t)
+- sudo_role_template(staff, staff_r, staff_t)
-')
+miscfiles_read_hwdata(staff_t)
-optional_policy(`
-- tvtime_role(staff_r, staff_t)
+- sysadm_role_change(staff_r)
+- userdom_dontaudit_use_user_terminals(staff_t)
-')
+term_use_unallocated_ttys(staff_t)
optional_policy(`
-- uml_role(staff_r, staff_t)
+- thunderbird_role(staff_r, staff_t)
+ gnomeclock_dbus_chat(staff_t)
')
optional_policy(`
-- userhelper_role_template(staff, staff_r, staff_t)
+- tvtime_role(staff_r, staff_t)
+ kerneloops_dbus_chat(staff_t)
')
optional_policy(`
-- vmware_role(staff_r, staff_t)
+- uml_role(staff_r, staff_t)
+ rpm_dbus_chat(staff_usertype)
')
optional_policy(`
-- wireshark_role(staff_r, staff_t)
+- userhelper_role_template(staff, staff_r, staff_t)
++ screen_manage_var_run(staff_t)
+ ')
+
+ optional_policy(`
+- vmware_role(staff_r, staff_t)
+ setroubleshoot_stream_connect(staff_t)
+ setroubleshoot_dbus_chat(staff_t)
')
optional_policy(`
-- xserver_role(staff_r, staff_t)
+- wireshark_role(staff_r, staff_t)
+ virt_stream_connect(staff_t)
')
+
+-optional_policy(`
+- xserver_role(staff_r, staff_t)
+-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if 2009-04-23 09:44:57.000000000 -0400
@@ -12280,7 +12334,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.12/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-05-02 07:48:49.000000000 -0400
@@ -0,0 +1,197 @@
+
+## <summary>policy for devicekit</summary>
@@ -13432,8 +13486,8 @@ diff -b -B --ignore-all-space --exclude-
+/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if
--- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-04-28 15:26:38.000000000 -0400
-@@ -0,0 +1,22 @@
++++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-05-01 09:45:48.000000000 -0400
+@@ -0,0 +1,42 @@
+
+## <summary>policy for fprintd</summary>
+
@@ -13456,6 +13510,26 @@ diff -b -B --ignore-all-space --exclude-
+ domtrans_pattern($1,fprintd_exec_t,fprintd_t)
+')
+
++########################################
++## <summary>
++## Send and receive messages from
++## fprintd over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fprintd_dbus_chat',`
++ gen_require(`
++ type fprintd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 fprintd_t:dbus send_msg;
++ allow fprintd_t $1:dbus send_msg;
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-29 10:10:42.000000000 -0400
@@ -14625,7 +14699,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.12/policy/modules/services/kerneloops.te
--- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te 2009-05-01 13:21:26.000000000 -0400
@@ -13,6 +13,9 @@
type kerneloops_initrc_exec_t;
init_script_file(kerneloops_initrc_exec_t)
@@ -14636,13 +14710,15 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# kerneloops local policy
-@@ -23,8 +26,13 @@
+@@ -21,10 +24,14 @@
+ allow kerneloops_t self:capability sys_nice;
+ allow kerneloops_t self:process { setsched getsched signal };
allow kerneloops_t self:fifo_file rw_file_perms;
- allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
-
+-allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
++
+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
+files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)
-+
+
kernel_read_ring_buffer(kerneloops_t)
+fs_list_inotifyfs(kerneloops_t)
@@ -14650,9 +14726,19 @@ diff -b -B --ignore-all-space --exclude-
# Init script handling
domain_use_interactive_fds(kerneloops_t)
-@@ -46,6 +54,5 @@
- sysnet_dns_name_resolve(kerneloops_t)
+@@ -38,14 +45,13 @@
+
+ files_read_etc_files(kerneloops_t)
+
++auth_use_nsswitch(kerneloops_t)
++
+ logging_send_syslog_msg(kerneloops_t)
+ logging_read_generic_logs(kerneloops_t)
+
+ miscfiles_read_localization(kerneloops_t)
+-sysnet_dns_name_resolve(kerneloops_t)
+-
optional_policy(`
- dbus_system_bus_client(kerneloops_t)
- dbus_connect_system_bus(kerneloops_t)
@@ -20431,7 +20517,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-05-04 12:28:35.000000000 -0400
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
@@ -20441,7 +20527,7 @@ diff -b -B --ignore-all-space --exclude-
rpc_domain_template(gssd)
-@@ -74,21 +74,31 @@
+@@ -74,21 +74,33 @@
files_manage_mounttab(rpcd_t)
@@ -20451,6 +20537,8 @@ diff -b -B --ignore-all-space --exclude-
fs_read_rpc_symlinks(rpcd_t)
fs_rw_rpc_sockets(rpcd_t)
++storage_getattr_fixed_disk_dev(rpcd_t)
++
+kernel_signal(rpcd_t)
+
selinux_dontaudit_read_fs(rpcd_t)
@@ -20473,7 +20561,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# NFSD local policy
-@@ -116,8 +126,9 @@
+@@ -116,8 +128,9 @@
# for exportfs and rpc.mountd
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
@@ -20484,7 +20572,7 @@ diff -b -B --ignore-all-space --exclude-
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
-@@ -125,6 +136,7 @@
+@@ -125,6 +138,7 @@
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -20492,7 +20580,7 @@ diff -b -B --ignore-all-space --exclude-
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
-@@ -141,6 +153,7 @@
+@@ -141,6 +155,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
@@ -20500,7 +20588,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
-@@ -175,6 +188,7 @@
+@@ -175,6 +190,7 @@
corecmd_exec_bin(gssd_t)
@@ -20508,7 +20596,7 @@ diff -b -B --ignore-all-space --exclude-
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
-@@ -183,9 +197,12 @@
+@@ -183,9 +199,12 @@
files_read_usr_symlinks(gssd_t)
auth_use_nsswitch(gssd_t)
@@ -25914,7 +26002,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-05-01 09:46:46.000000000 -0400
@@ -43,20 +43,38 @@
interface(`auth_login_pgm_domain',`
gen_require(`
@@ -25962,7 +26050,7 @@ diff -b -B --ignore-all-space --exclude-
init_rw_utmp($1)
-@@ -100,11 +119,40 @@
+@@ -100,9 +119,42 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -25975,16 +26063,16 @@ diff -b -B --ignore-all-space --exclude-
+
+ optional_policy(`
+ afs_rw_udp_sockets($1)
-+ ')
+ ')
+
+ optional_policy(`
+ dbus_system_bus_client($1)
+ optional_policy(`
+ oddjob_dbus_chat($1)
+ oddjob_domtrans_mkhomedir($1)
- ')
- ')
-
++ ')
++')
++
+ optional_policy(`
+ corecmd_exec_bin($1)
+ storage_getattr_fixed_disk_dev($1)
@@ -25992,6 +26080,10 @@ diff -b -B --ignore-all-space --exclude-
+ ')
+
+ optional_policy(`
++ fprintd_dbus_chat($1)
++ ')
++
++ optional_policy(`
+ nis_authenticate($1)
+ ')
+
@@ -26000,12 +26092,10 @@ diff -b -B --ignore-all-space --exclude-
+ userdom_read_user_home_content_files($1)
+ ')
+
-+')
-+
+ ')
+
########################################
- ## <summary>
- ## Use the login program as an entry point program.
-@@ -197,8 +245,11 @@
+@@ -197,8 +249,11 @@
interface(`auth_domtrans_chk_passwd',`
gen_require(`
type chkpwd_t, chkpwd_exec_t, shadow_t;
@@ -26017,7 +26107,7 @@ diff -b -B --ignore-all-space --exclude-
corecmd_search_bin($1)
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
-@@ -207,19 +258,16 @@
+@@ -207,19 +262,16 @@
dev_read_rand($1)
dev_read_urand($1)
@@ -26042,7 +26132,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -230,6 +278,29 @@
+@@ -230,6 +282,29 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -26072,7 +26162,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -254,6 +325,7 @@
+@@ -254,6 +329,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -26080,7 +26170,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -650,7 +722,7 @@
+@@ -650,7 +726,7 @@
########################################
## <summary>
@@ -26089,7 +26179,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1031,6 +1103,32 @@
+@@ -1031,6 +1107,32 @@
########################################
## <summary>
@@ -26122,7 +26212,7 @@ diff -b -B --ignore-all-space --exclude-
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
-@@ -1297,6 +1395,14 @@
+@@ -1297,6 +1399,14 @@
')
optional_policy(`
@@ -26137,7 +26227,7 @@ diff -b -B --ignore-all-space --exclude-
nis_use_ypbind($1)
')
-@@ -1305,8 +1411,13 @@
+@@ -1305,8 +1415,13 @@
')
optional_policy(`
@@ -26151,7 +26241,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -1341,3 +1452,99 @@
+@@ -1341,3 +1456,99 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -27102,9 +27192,9 @@ diff -b -B --ignore-all-space --exclude-
dev_read_urand(racoon_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.12/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-04-06 12:42:08.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-30 08:29:56.000000000 -0400
-@@ -1,9 +1,11 @@
- /sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-30 18:57:54.000000000 -0400
+@@ -1,9 +1,10 @@
+-/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -29523,7 +29613,7 @@ diff -b -B --ignore-all-space --exclude-
xen_append_log(ifconfig_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-05-04 14:18:49.000000000 -0400
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -29560,7 +29650,18 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -242,6 +250,10 @@
+@@ -228,6 +236,10 @@
+ ')
+
+ optional_policy(`
++ mount_domtrans(udev_t)
++')
++
++optional_policy(`
+ openct_read_pid_files(udev_t)
+ openct_domtrans(udev_t)
+ ')
+@@ -242,6 +254,10 @@
')
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.849
retrieving revision 1.850
diff -u -p -r1.849 -r1.850
--- selinux-policy.spec 30 Apr 2009 22:21:53 -0000 1.849
+++ selinux-policy.spec 4 May 2009 18:20:22 -0000 1.850
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 26%{?dist}
+Release: 27%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -165,11 +165,6 @@ if [ -s /etc/selinux/config ]; then \
fi \
fi
-%define loadminpolicy() \
-( cd /usr/share/selinux/%1; \
-semodule -b base.pp.bz2 -i unconfined.pp.bz2 unconfineduser.pp.bz2 -s %1; \
-); \
-
%define loadpolicy() \
( cd /usr/share/selinux/%1; \
semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} %2 -s %1; \
@@ -351,12 +346,12 @@ echo $packages
}
if [ $1 -eq 1 ]; then
- packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
+ packages="%{expand:%%moduleList targeted} unconfined.pp.bz2 unconfineduser.pp.bz2"
%loadpolicy targeted $packages
restorecon -R /root /var/log /var/run 2> /dev/null
else
semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
- packages=`get_unconfined $(semodule -l)`
+ packages="%{expand:%%moduleList targeted} `get_unconfined $(semodule -l)`"
%loadpolicy targeted $packages
%relabel targeted
fi
@@ -402,7 +397,8 @@ SELinux Reference policy minimum base mo
%post minimum
if [ $1 -eq 1 ]; then
-%loadminpolicy minimum
+packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
+%loadpolicy minimum $packages
semanage -S minimum -i - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
@@ -435,7 +431,8 @@ SELinux Reference policy olpc base modul
%saveFileContext olpc
%post olpc
-%loadpolicy olpc ""
+packages="%{expand:%%moduleList olpc} unconfined.pp.bz2 unconfineduser.pp.bz2"
+%loadpolicy olpc $packages
if [ $1 -ne 1 ]; then
%relabel olpc
@@ -466,7 +463,8 @@ SELinux Reference policy mls base module
%post mls
semodule -n -s mls -r mailscanner 2>/dev/null
-%loadpolicy mls ""
+packages="%{expand:%%moduleList mls}"
+%loadpolicy mls $packages
if [ $1 != 1 ]; then
%relabel mls
@@ -480,6 +478,11 @@ exit 0
%endif
%changelog
+* Fri May 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-27
+- Fix /sbin/ip6tables-save context
+- Allod udev to transition to mount
+- Fix loading of mls policy file
+
* Thu Apr 30 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-26
- Add shorewall policy
More information about the scm-commits
mailing list