rpms/selinux-policy/devel policy-20090105.patch, 1.110, 1.111 selinux-policy.spec, 1.848, 1.849

Daniel J Walsh dwalsh at fedoraproject.org
Thu May 7 19:09:40 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16227

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Thu May 7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-31
- Add policy for /var/lib/fprint


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.110
retrieving revision 1.111
diff -u -p -r1.110 -r1.111
--- policy-20090105.patch	6 May 2009 12:51:58 -0000	1.110
+++ policy-20090105.patch	7 May 2009 19:09:40 -0000	1.111
@@ -475,7 +475,7 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/sbin/mcelog	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te
 --- nsaserefpolicy/policy/modules/admin/dmesg.te	2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te	2009-05-07 14:53:23.000000000 -0400
 @@ -9,6 +9,7 @@
  type dmesg_t;
  type dmesg_exec_t;
@@ -484,7 +484,7 @@ diff -b -B --ignore-all-space --exclude-
  
  ########################################
  #
-@@ -20,12 +21,14 @@
+@@ -20,12 +21,16 @@
  
  allow dmesg_t self:process signal_perms;
  
@@ -496,10 +496,12 @@ diff -b -B --ignore-all-space --exclude-
  kernel_list_proc(dmesg_t)
  kernel_read_proc_symlinks(dmesg_t)
 +dev_read_kmsg(dmesg_t)
++
++mls_process_read_all_levels(dmesg_t)
  
  dev_read_sysfs(dmesg_t)
  
-@@ -35,7 +38,7 @@
+@@ -35,7 +40,7 @@
  
  domain_use_interactive_fds(dmesg_t)
  
@@ -1246,7 +1248,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.te	2009-05-07 14:59:51.000000000 -0400
 @@ -9,6 +9,8 @@
  type rpm_t;
  type rpm_exec_t;
@@ -1293,20 +1295,21 @@ diff -b -B --ignore-all-space --exclude-
  
  allow rpm_t rpm_log_t:file manage_file_perms;
  logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -87,8 +96,12 @@
+@@ -87,8 +96,13 @@
  manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
  files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
  
 +manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
 +files_pid_filetrans(rpm_t, rpm_var_run_t, file)
 +
++kernel_read_network_state(rpm_t)
  kernel_read_system_state(rpm_t)
  kernel_read_kernel_sysctls(rpm_t)
 +kernel_read_network_state_symlinks(rpm_t)
  
  corecmd_exec_all_executables(rpm_t)
  
-@@ -108,13 +121,16 @@
+@@ -108,13 +122,16 @@
  dev_list_sysfs(rpm_t)
  dev_list_usbfs(rpm_t)
  dev_read_urand(rpm_t)
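Review bot: `kernel_read_network_state(rpm_t)` is inserted two lines above the already-present `kernel_read_network_state_symlinks(rpm_t)`, with the two existing kernel_ rules between them; grouping the pair together reads better and makes it obvious they belong to one fix. A short why-comment on the new grant would also help, since nothing in the hunk shows which rpm operation reads /proc/net, e.g. `# rpm reads /proc/net/* during <operation — TODO fill in>`. The rpm_t rule block continues outside this hunk.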
@@ -1323,7 +1326,7 @@ diff -b -B --ignore-all-space --exclude-
  
  mls_file_read_all_levels(rpm_t)
  mls_file_write_all_levels(rpm_t)
-@@ -132,6 +148,8 @@
+@@ -132,6 +149,8 @@
  # for installing kernel packages
  storage_raw_read_fixed_disk(rpm_t)
  
@@ -1332,7 +1335,7 @@ diff -b -B --ignore-all-space --exclude-
  auth_relabel_all_files_except_shadow(rpm_t)
  auth_manage_all_files_except_shadow(rpm_t)
  auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +173,7 @@
+@@ -155,6 +174,7 @@
  files_exec_etc_files(rpm_t)
  
  init_domtrans_script(rpm_t)
@@ -1340,7 +1343,7 @@ diff -b -B --ignore-all-space --exclude-
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -174,17 +193,28 @@
+@@ -174,17 +194,28 @@
  ')
  
  optional_policy(`
@@ -1370,7 +1373,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ifdef(`TODO',`
-@@ -210,8 +240,8 @@
+@@ -210,8 +241,8 @@
  # rpm-script Local policy
  #
  
@@ -1381,7 +1384,7 @@ diff -b -B --ignore-all-space --exclude-
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
  allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +252,15 @@
+@@ -222,12 +253,15 @@
  allow rpm_script_t self:sem create_sem_perms;
  allow rpm_script_t self:msgq create_msgq_perms;
  allow rpm_script_t self:msg { send receive };
@@ -1397,7 +1400,7 @@ diff -b -B --ignore-all-space --exclude-
  files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
  
  manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +272,9 @@
+@@ -239,6 +273,9 @@
  
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
@@ -1407,7 +1410,7 @@ diff -b -B --ignore-all-space --exclude-
  
  dev_list_sysfs(rpm_script_t)
  
-@@ -255,6 +291,7 @@
+@@ -255,6 +292,7 @@
  fs_mount_xattr_fs(rpm_script_t)
  fs_unmount_xattr_fs(rpm_script_t)
  fs_search_auto_mountpoints(rpm_script_t)
@@ -1415,7 +1418,7 @@ diff -b -B --ignore-all-space --exclude-
  
  mcs_killall(rpm_script_t)
  mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +309,19 @@
+@@ -272,14 +310,19 @@
  storage_raw_read_fixed_disk(rpm_script_t)
  storage_raw_write_fixed_disk(rpm_script_t)
  
@@ -1435,7 +1438,7 @@ diff -b -B --ignore-all-space --exclude-
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -291,6 +333,7 @@
+@@ -291,6 +334,7 @@
  files_exec_etc_files(rpm_script_t)
  files_read_etc_runtime_files(rpm_script_t)
  files_exec_usr_files(rpm_script_t)
@@ -1443,7 +1446,7 @@ diff -b -B --ignore-all-space --exclude-
  
  init_domtrans_script(rpm_script_t)
  
-@@ -308,12 +351,15 @@
+@@ -308,12 +352,15 @@
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -1459,7 +1462,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -326,13 +372,18 @@
+@@ -326,13 +373,18 @@
  ')
  
  optional_policy(`
@@ -4490,10 +4493,12 @@ diff -b -B --ignore-all-space --exclude-
 +permissive sambagui_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/screen.fc	2009-05-02 07:46:25.000000000 -0400
-@@ -13,3 +13,4 @@
++++ serefpolicy-3.6.12/policy/modules/apps/screen.fc	2009-05-07 10:29:37.000000000 -0400
+@@ -11,5 +11,5 @@
+ #
+ # /var
  #
- /var/run/screens?/S-[^/]+	-d	gen_context(system_u:object_r:screen_dir_t,s0)
+-/var/run/screens?/S-[^/]+	-d	gen_context(system_u:object_r:screen_dir_t,s0)
  /var/run/screens?/S-[^/]+/.*		<<none>>
 +/var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
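Review bot: Dropping the `/var/run/screens?/S-[^/]+ -d` entry removes the only pattern that matched the `screens` spelling; the replacement `/var/run/screen(/.*)?` on the following line covers `/var/run/screen` only, while the `<<none>>` entry for `/var/run/screens?/S-[^/]+/.*` is still written for both spellings. If `/var/run/screens/S-<user>` still occurs on some installs, those directories now fall back to the parent label; `/var/run/screens?(/.*)?` would keep both, and otherwise the `<<none>>` line could lose its `s?` for consistency. The screen.te hunk below aliases screen_dir_t onto screen_var_run_t, so existing references to the old type keep compiling.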
@@ -4524,6 +4529,28 @@ diff -b -B --ignore-all-space --exclude-
 +         manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +         manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.6.12/policy/modules/apps/screen.te
+--- nsaserefpolicy/policy/modules/apps/screen.te	2009-01-19 11:03:28.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/screen.te	2009-05-07 10:30:00.000000000 -0400
+@@ -6,9 +6,6 @@
+ # Declarations
+ #
+ 
+-type screen_dir_t;
+-files_pid_file(screen_dir_t)
+-
+ type screen_exec_t;
+ application_executable_file(screen_exec_t)
+ 
+@@ -24,7 +21,7 @@
+ ubac_constrained(screen_tmp_t)
+ 
+ type screen_var_run_t;
+-typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
++typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t screen_dir_t };
+ typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t };
+ files_pid_file(screen_var_run_t)
+ ubac_constrained(screen_var_run_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te
 --- nsaserefpolicy/policy/modules/apps/uml.te	2009-01-19 11:03:28.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/uml.te	2009-04-28 11:42:33.000000000 -0400
@@ -4897,7 +4924,7 @@ diff -b -B --ignore-all-space --exclude-
 +corecmd_executable_file(wm_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-03-05 10:34:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-05-05 18:05:12.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-05-07 15:02:13.000000000 -0400
 @@ -32,6 +32,8 @@
  #
  # /etc
@@ -4917,15 +4944,18 @@ diff -b -B --ignore-all-space --exclude-
  #
  # /usr
  #
-@@ -210,6 +215,7 @@
+@@ -209,7 +214,10 @@
+ /usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/Modules/init(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/shorewall-shell(/.*)?        gen_context(system_u:object_r:bin_t,s0)
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
-@@ -299,3 +305,20 @@
+@@ -299,3 +307,20 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -5211,7 +5241,13 @@ diff -b -B --ignore-all-space --exclude-
  type urandom_device_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-05-07 10:28:45.000000000 -0400
+@@ -1,4 +1,4 @@
+-## <summary>Core policy for domains.</summary>
++# <summary>Core policy for domains.</summary>
+ ## <required val="true">
+ ##	Contains the concept of a domain.
+ ## </required>
 @@ -525,7 +525,7 @@
  	')
  
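Review bot: Changing `## <summary>Core policy for domains.</summary>` to a plain `#` comment on line 1 of domain.if drops the module summary from the interface documentation, while the `## <required val="true">` block immediately after is still doc-marked, so the generated docs get a `<required>` element with no preceding summary for this module. If the intent is to hide this module from the docs, the `<required>` block presumably needs the same treatment; if not, this looks like an accidental edit and the original `##` line should be restored.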
@@ -5447,7 +5483,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-04-30 14:18:05.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-05-07 10:31:31.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5599,7 +5635,15 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3390,6 +3495,24 @@
+@@ -2820,6 +2925,7 @@
+ 	')
+ 
+ 	allow $1 modules_object_t:dir search_dir_perms;
++	read_link_file_pattern($1, modules_object_t, modules_object_t)
+ ')
+ 
+ ########################################
+@@ -3390,6 +3496,24 @@
  
  ########################################
  ## <summary>
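Review bot: `read_link_file_pattern($1, modules_object_t, modules_object_t)` does not match the support macro used elsewhere in this patch, which is spelled `read_lnk_files_pattern` (see the mta.if context further down, `read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)`); an unknown m4 macro is left unexpanded and the policy build then fails on it. The line should read `read_lnk_files_pattern($1, modules_object_t, modules_object_t)`. The enclosing interface starts outside this hunk.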
@@ -5624,7 +5668,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read all tmp files.
  ## </summary>
  ## <param name="domain">
-@@ -3456,6 +3579,8 @@
+@@ -3456,6 +3580,8 @@
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -5633,7 +5677,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3546,7 +3671,7 @@
+@@ -3546,7 +3672,7 @@
  		type usr_t;
  	')
  
@@ -5642,7 +5686,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3564,7 +3689,12 @@
+@@ -3564,7 +3690,12 @@
  		type usr_t;
  	')
  
@@ -5656,7 +5700,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -4413,6 +4543,28 @@
+@@ -4413,6 +4544,28 @@
  
  ########################################
  ## <summary>
@@ -5685,7 +5729,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Create an object in the locks directory, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -4532,7 +4684,8 @@
+@@ -4532,7 +4685,8 @@
  		type var_t, var_run_t;
  	')
  
@@ -5695,7 +5739,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -4873,7 +5026,7 @@
+@@ -4873,7 +5027,7 @@
  	selinux_compute_member($1)
  
  	# Need sys_admin capability for mounting
@@ -5704,7 +5748,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Need to give access to the directories to be polyinstantiated
  	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -4895,12 +5048,15 @@
+@@ -4895,12 +5049,15 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -5721,7 +5765,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -4921,3 +5077,114 @@
+@@ -4921,3 +5078,114 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -6257,6 +6301,18 @@ diff -b -B --ignore-all-space --exclude-
 +	fs_type($1)
 +	mls_trusted_object($1)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.12/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc	2009-03-05 12:28:57.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/kernel/storage.fc	2009-05-07 14:55:19.000000000 -0400
+@@ -57,7 +57,7 @@
+ 
+ /dev/cciss/[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ 
+-/dev/fuse		-c	gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
++/dev/fuse		-c	gen_context(system_u:object_r:fuse_device_t,s0)
+ /dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
+ 
+ /dev/i2o/hd[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
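Review bot: The `/dev/fuse` entry is lowered from `mls_systemhigh` to `s0` while every neighbouring disk entry in the hunk keeps `mls_systemhigh`, and nothing records why this device is different. A one-line comment above the entry would stop the next person from "fixing" it back, e.g. `# /dev/fuse is opened by unprivileged users at their own level — TODO confirm rationale`. Whether the fuse_device_t rules elsewhere assume systemhigh is not visible here, so that is worth checking too.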
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.12/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc	2008-08-07 11:15:01.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/kernel/terminal.fc	2009-04-23 09:44:57.000000000 -0400
@@ -9661,6 +9717,17 @@ diff -b -B --ignore-all-space --exclude-
 +typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.12/policy/modules/services/apm.te
+--- nsaserefpolicy/policy/modules/services/apm.te	2009-02-16 08:44:12.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/apm.te	2009-05-07 14:35:37.000000000 -0400
+@@ -123,6 +123,7 @@
+ libs_exec_lib_files(apmd_t)
+ 
+ logging_send_syslog_msg(apmd_t)
++logging_send_audit_msgs(apmd_t)
+ 
+ miscfiles_read_localization(apmd_t)
+ miscfiles_read_hwdata(apmd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.6.12/policy/modules/services/audioentropy.te
 --- nsaserefpolicy/policy/modules/services/audioentropy.te	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/audioentropy.te	2009-04-23 09:44:57.000000000 -0400
@@ -10598,7 +10665,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.12/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cron.fc	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cron.fc	2009-05-07 15:06:38.000000000 -0400
 @@ -1,3 +1,4 @@
 +/etc/rc\.d/init\.d/atd		--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
  
@@ -10617,7 +10684,7 @@ diff -b -B --ignore-all-space --exclude-
  
  /var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
  #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-@@ -41,7 +42,11 @@
+@@ -41,7 +42,12 @@
  #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
  
  /var/spool/fcron		-d	gen_context(system_u:object_r:cron_spool_t,s0)
@@ -10630,6 +10697,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 +
 +/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
++/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-11-11 16:13:47.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/cron.if	2009-04-23 09:44:57.000000000 -0400
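Review bot: `/var/log/mcelog.*` is labelled `cron_log_t` here, while the first hunk of this commit labels the `/usr/sbin/mcelog` binary `dmesg_exec_t`; if mcelog itself opens the log it would run as dmesg_t, and whether dmesg_t may write cron_log_t is not visible in this patch. If the file is in fact produced by a cron job's shell redirection, a comment saying so would make the choice of type self-explanatory, e.g. `# written by the cron.daily mcelog job via redirection, not by mcelog itself`. Please confirm which process actually writes the file.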
@@ -10940,7 +11008,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cron.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cron.te	2009-05-07 15:05:29.000000000 -0400
 @@ -38,6 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -10974,7 +11042,15 @@ diff -b -B --ignore-all-space --exclude-
  
  type system_cron_spool_t, cron_spool_type;
  files_type(system_cron_spool_t)
-@@ -98,11 +108,18 @@
+@@ -82,6 +92,7 @@
+ init_daemon_domain(system_cronjob_t, anacron_exec_t)
+ corecmd_shell_entry_type(system_cronjob_t)
+ role system_r types system_cronjob_t;
++domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+ 
+ type system_cronjob_lock_t alias system_crond_lock_t;
+ files_lock_file(system_cronjob_lock_t)
+@@ -98,11 +109,18 @@
  
  # Type of user crontabs once moved to cron spool.
  type user_cron_spool_t, cron_spool_type;
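Review bot: `domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)` is placed in the Declarations section, between `role system_r types system_cronjob_t;` and the next `type` declaration, whereas the rest of this file keeps allow rules in the per-domain policy sections (the "Cron daemon local policy" block appears later in the same hunk series). Moving it into the crond_t section next to the other crond_t rules would match the file's layout and keep the declarations block rule-free.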
@@ -10994,7 +11070,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Admin crontab local policy
-@@ -130,7 +147,7 @@
+@@ -130,7 +148,7 @@
  # Cron daemon local policy
  #
  
@@ -11003,11 +11079,14 @@ diff -b -B --ignore-all-space --exclude-
  dontaudit crond_t self:capability { sys_resource sys_tty_config };
  allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow crond_t self:process { setexec setfscreate };
-@@ -146,20 +163,20 @@
+@@ -146,20 +164,23 @@
  allow crond_t self:msg { send receive };
  allow crond_t self:key { search write link };
  
 -allow crond_t crond_var_run_t:file manage_file_perms;
++manage_files_pattern(crond_t, cron_log_t, cron_log_t)
++logging_log_filetrans(crond_t, cron_log_t, file)
++
 +manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
  files_pid_filetrans(crond_t,crond_var_run_t,file)
  
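Review bot: `manage_files_pattern(crond_t, cron_log_t, cron_log_t)` gives the daemon create, write, rename and unlink on every cron_log_t file, which this same commit extends to `/var/log/mcelog.*`; if crond only needs to create and append to its own log, a narrower pattern such as `append_files_pattern` plus `create_files_pattern` (as used elsewhere in refpolicy) would keep log tampering out of the daemon's reach — please confirm what crond actually does with the file. The `logging_log_filetrans(crond_t, cron_log_t, file)` that follows is fine either way. The crond_t rule block continues outside this hunk.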
@@ -11029,7 +11108,7 @@ diff -b -B --ignore-all-space --exclude-
  kernel_search_key(crond_t)
  
  dev_read_sysfs(crond_t)
-@@ -174,6 +191,7 @@
+@@ -174,6 +195,7 @@
  
  fs_getattr_all_fs(crond_t)
  fs_search_auto_mountpoints(crond_t)
@@ -11037,7 +11116,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # need auth_chkpwd to check for locked accounts.
  auth_domtrans_chk_passwd(crond_t)
-@@ -183,7 +201,11 @@
+@@ -183,7 +205,11 @@
  corecmd_read_bin_symlinks(crond_t)
  
  domain_use_interactive_fds(crond_t)
@@ -11049,7 +11128,7 @@ diff -b -B --ignore-all-space --exclude-
  files_read_etc_files(crond_t)
  files_read_generic_spool(crond_t)
  files_list_usr(crond_t)
-@@ -192,10 +214,15 @@
+@@ -192,10 +218,15 @@
  files_search_default(crond_t)
  
  init_rw_utmp(crond_t)
@@ -11065,7 +11144,7 @@ diff -b -B --ignore-all-space --exclude-
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
-@@ -208,6 +235,7 @@
+@@ -208,6 +239,7 @@
  userdom_list_user_home_dirs(crond_t)
  
  mta_send_mail(crond_t)
@@ -11073,7 +11152,7 @@ diff -b -B --ignore-all-space --exclude-
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -227,21 +255,44 @@
+@@ -227,21 +259,45 @@
  	')
  ')
  
@@ -11092,6 +11171,7 @@ diff -b -B --ignore-all-space --exclude-
  
 +optional_policy(`
 +	# these should probably be unconfined_crond_t
++	dbus_system_bus_client(crond_t)
 +	init_dbus_send_script(crond_t)
 +')
 +
@@ -11119,7 +11199,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -268,8 +319,8 @@
+@@ -268,8 +324,8 @@
  # System cron process domain
  #
  
@@ -11130,7 +11210,7 @@ diff -b -B --ignore-all-space --exclude-
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
  
-@@ -283,7 +334,14 @@
+@@ -283,7 +339,14 @@
  allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
  files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
  
@@ -11145,7 +11225,7 @@ diff -b -B --ignore-all-space --exclude-
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -303,6 +361,7 @@
+@@ -303,6 +366,7 @@
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -11153,7 +11233,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -314,9 +373,13 @@
+@@ -314,9 +378,13 @@
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -11168,7 +11248,7 @@ diff -b -B --ignore-all-space --exclude-
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -345,6 +408,7 @@
+@@ -345,6 +413,7 @@
  fs_getattr_all_symlinks(system_cronjob_t)
  fs_getattr_all_pipes(system_cronjob_t)
  fs_getattr_all_sockets(system_cronjob_t)
@@ -11176,7 +11256,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # quiet other ps operations
  domain_dontaudit_read_all_domains_state(system_cronjob_t)
-@@ -370,7 +434,8 @@
+@@ -370,7 +439,8 @@
  init_read_utmp(system_cronjob_t)
  init_dontaudit_rw_utmp(system_cronjob_t)
  # prelink tells init to restart it self, we either need to allow or dontaudit
@@ -11186,7 +11266,7 @@ diff -b -B --ignore-all-space --exclude-
  
  auth_use_nsswitch(system_cronjob_t)
  
-@@ -378,6 +443,7 @@
+@@ -378,6 +448,7 @@
  libs_exec_ld_so(system_cronjob_t)
  
  logging_read_generic_logs(system_cronjob_t)
@@ -11194,7 +11274,7 @@ diff -b -B --ignore-all-space --exclude-
  logging_send_syslog_msg(system_cronjob_t)
  
  miscfiles_read_localization(system_cronjob_t)
-@@ -418,6 +484,10 @@
+@@ -418,6 +489,10 @@
  ')
  
  optional_policy(`
@@ -11205,7 +11285,7 @@ diff -b -B --ignore-all-space --exclude-
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -428,11 +498,20 @@
+@@ -428,11 +503,20 @@
  ')
  
  optional_policy(`
@@ -11226,7 +11306,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -447,6 +526,7 @@
+@@ -447,6 +531,7 @@
  	prelink_read_cache(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_delete_cache(system_cronjob_t)
@@ -11234,7 +11314,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -460,8 +540,7 @@
+@@ -460,8 +545,7 @@
  ')
  
  optional_policy(`
@@ -11244,7 +11324,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -469,24 +548,17 @@
+@@ -469,24 +553,17 @@
  ')
  
  optional_policy(`
@@ -11272,7 +11352,7 @@ diff -b -B --ignore-all-space --exclude-
  allow cronjob_t self:process { signal_perms setsched };
  allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +642,9 @@
+@@ -570,6 +647,9 @@
  userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
@@ -13501,14 +13581,16 @@ diff -b -B --ignore-all-space --exclude-
  files_pid_file(fetchmail_var_run_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.12/policy/modules/services/fprintd.fc
 --- nsaserefpolicy/policy/modules/services/fprintd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc	2009-04-28 15:26:41.000000000 -0400
-@@ -0,0 +1,2 @@
++++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc	2009-05-07 10:07:34.000000000 -0400
+@@ -0,0 +1,4 @@
 +
 +/usr/libexec/fprintd	--	gen_context(system_u:object_r:fprintd_exec_t,s0)
++
++/var/lib/fprint			gen_context(system_u:object_r:fprintd_var_lib_t,s0)
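Review bot: `/var/lib/fprint` without a `(/.*)?` suffix labels only the directory itself, so on a relabel (`restorecon`, `fixfiles`, or first boot after install) anything already inside it falls to the generic /var/lib label and the daemon's fprintd_var_lib_t rules in the fprintd.te hunk below no longer apply to it; the filetrans rule there only covers files fprintd creates at runtime. The other directory entries in this patch use the recursive form (`/var/run/screen(/.*)?`), so this should read `/var/lib/fprint(/.*)?	gen_context(system_u:object_r:fprintd_var_lib_t,s0)`.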
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if
 --- nsaserefpolicy/policy/modules/services/fprintd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if	2009-05-01 09:45:48.000000000 -0400
-@@ -0,0 +1,42 @@
++++ serefpolicy-3.6.12/policy/modules/services/fprintd.if	2009-05-07 10:09:49.000000000 -0400
+@@ -0,0 +1,43 @@
 +
 +## <summary>policy for fprintd</summary>
 +
@@ -13551,10 +13633,11 @@ diff -b -B --ignore-all-space --exclude-
 +	allow $1 fprintd_t:dbus send_msg;
 +	allow fprintd_t $1:dbus send_msg;
 +')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-04-29 10:10:42.000000000 -0400
-@@ -0,0 +1,41 @@
++++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-05-07 10:09:32.000000000 -0400
+@@ -0,0 +1,48 @@
 +policy_module(fprintd,1.0.0)
 +
 +########################################
@@ -13566,9 +13649,16 @@ diff -b -B --ignore-all-space --exclude-
 +type fprintd_exec_t;
 +dbus_system_domain(fprintd_t, fprintd_exec_t)
 +
++type fprintd_var_lib_t;
++files_type(fprintd_var_lib_t)
++
 +allow fprintd_t self:fifo_file rw_fifo_file_perms;
 +allow fprintd_t self:process { getsched signal };
 +
++manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
++manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
++files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })
++
 +corecmd_search_bin(fprintd_t)
 +
 +dev_rw_generic_usb_dev(fprintd_t)
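Review bot: A new type `fprintd_var_lib_t` is introduced but the module header stays at `policy_module(fprintd,1.0.0)`; refpolicy convention is to bump the version whenever types or interfaces change so that a rebuilt module can be told apart from the old one. A short comment on the type would also help, since the directory presumably holds the enrolled fingerprint data and later reviewers will want to know that before granting other domains access to it, e.g. `# /var/lib/fprint: enrolled print data, private to fprintd_t`.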
@@ -15270,7 +15360,7 @@ diff -b -B --ignore-all-space --exclude-
 +/root/\.forward		--	gen_context(system_u:object_r:mail_forward_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/mta.if	2009-04-30 08:19:03.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/mta.if	2009-05-07 14:39:20.000000000 -0400
 @@ -130,6 +130,15 @@
  		sendmail_create_log($1_mail_t)
  	')
@@ -15309,7 +15399,33 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -591,8 +603,8 @@
+@@ -446,6 +458,25 @@
+ 
+ ########################################
+ ## <summary>
++##	write mail server configuration.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`mta_write_config',`
++	gen_require(`
++		type etc_mail_t;
++	')
++
++	write_files_pattern($1, etc_mail_t, etc_mail_t)
++')
++
++########################################
++## <summary>
+ ##	Read mail address aliases.
+ ## </summary>
+ ## <param name="domain">
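Review bot: The new `mta_write_config` interface's summary starts in lowercase (`write mail server configuration.`) while the neighbouring summaries (`Read mail address aliases.`) are capitalised; `##	Write mail server configuration.` matches the file. It also carries `<rolecap/>`, which exposes write access to etc_mail_t as a role capability — given that whoever can rewrite the MTA configuration can influence everything the MTA then does, please confirm that is intended rather than copied from the read interface above.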
+@@ -591,8 +622,8 @@
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -15320,7 +15436,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -612,7 +624,7 @@
+@@ -612,7 +643,7 @@
  	')
  
  	files_dontaudit_search_spool($1)
@@ -15329,7 +15445,7 @@ diff -b -B --ignore-all-space --exclude-
  	dontaudit $1 mail_spool_t:lnk_file read;
  	dontaudit $1 mail_spool_t:file getattr;
  ')
-@@ -665,7 +677,7 @@
+@@ -665,7 +696,7 @@
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
  	allow $1 mail_spool_t:file setattr;
@@ -15338,7 +15454,7 @@ diff -b -B --ignore-all-space --exclude-
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -806,6 +818,7 @@
+@@ -806,6 +837,7 @@
  	')
  
  	files_search_spool($1)
@@ -24189,7 +24305,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-05-05 16:45:39.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-05-07 13:00:34.000000000 -0400
 @@ -8,19 +8,31 @@
  
  ## <desc>
@@ -24283,20 +24399,21 @@ diff -b -B --ignore-all-space --exclude-
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  
-@@ -67,7 +106,11 @@
+@@ -67,7 +106,12 @@
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
 -manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
 +virtual_manage_image(virtd_t)
 +virtual_image_relabel(virtd_t)
++virtual_read_all_domains_state(virtd_t)
 +
 +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
 +manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,6 +129,7 @@
+@@ -86,6 +130,7 @@
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
  kernel_load_module(virtd_t)
@@ -24304,7 +24421,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -96,7 +140,7 @@
+@@ -96,7 +141,7 @@
  corenet_tcp_sendrecv_generic_node(virtd_t)
  corenet_tcp_sendrecv_all_ports(virtd_t)
  corenet_tcp_bind_generic_node(virtd_t)
@@ -24313,7 +24430,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_tcp_bind_vnc_port(virtd_t)
  corenet_tcp_connect_vnc_port(virtd_t)
  corenet_tcp_connect_soundd_port(virtd_t)
-@@ -104,21 +148,39 @@
+@@ -104,21 +149,40 @@
  
  dev_read_sysfs(virtd_t)
  dev_read_rand(virtd_t)
@@ -24325,6 +24442,7 @@ diff -b -B --ignore-all-space --exclude-
 +domain_read_all_domains_state(virtd_t)
 +domain_obj_id_change_exemption(virtd_t)
 +domain_subj_id_change_exemption(virtd_t)
++domain_read_all_domains_state(virtd_t)
  
  files_read_usr_files(virtd_t)
  files_read_etc_files(virtd_t)
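Review bot: The newly added `domain_read_all_domains_state(virtd_t)` duplicates the first line of this hunk, which already carries `+domain_read_all_domains_state(virtd_t)` immediately before the obj/subj id change exemptions. The second copy should be dropped; the policy compiler tolerates repeated interface calls, but the duplicate obscures what the patch actually changes, and the previous release's changelog entry ("Remove duplicate line") suggests this keeps recurring. The enclosing virt.te block starts and ends outside this hunk.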
@@ -24354,7 +24472,7 @@ diff -b -B --ignore-all-space --exclude-
  term_getattr_pty_fs(virtd_t)
  term_use_ptmx(virtd_t)
  
-@@ -129,6 +191,13 @@
+@@ -129,6 +193,13 @@
  
  logging_send_syslog_msg(virtd_t)
  
@@ -24368,7 +24486,7 @@ diff -b -B --ignore-all-space --exclude-
  userdom_read_all_users_state(virtd_t)
  
  tunable_policy(`virt_use_nfs',`
-@@ -167,22 +236,34 @@
+@@ -167,22 +238,34 @@
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
@@ -24408,7 +24526,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -195,8 +276,88 @@
+@@ -195,8 +278,88 @@
  
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
@@ -24592,7 +24710,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.if	2009-04-30 17:44:47.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/xserver.if	2009-05-07 14:58:55.000000000 -0400
 @@ -90,7 +90,7 @@
  	allow $2 xauth_home_t:file manage_file_perms;
  	allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -24732,7 +24850,15 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -738,6 +738,7 @@
+@@ -680,6 +680,7 @@
+ 
+ 	files_search_tmp($1)
+ 	stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
++	xserver_common_app($1)
+ ')
+ 
+ ########################################
+@@ -738,6 +739,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
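Review bot: Calling `xserver_common_app($1)` from inside a stream-connect interface widens what every caller receives beyond what the interface name promises; a domain that only needed `stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)` now also gets whatever xserver_common_app grants, which is not visible in this diff. The same bundling is added to the second xserver.if interface in the hunk at @@ -1136 later in this diff. If this is intentional, the interface `<summary>` blocks (outside these hunks) should say that the common X application rules are applied as well, so reviewers of callers are not surprised by the extra permissions.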
@@ -24740,7 +24866,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -756,7 +757,26 @@
+@@ -756,7 +758,26 @@
  	')
  
  	files_search_pids($1)
@@ -24768,7 +24894,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -779,6 +799,50 @@
+@@ -779,6 +800,50 @@
  
  ########################################
  ## <summary>
@@ -24819,7 +24945,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -872,6 +936,27 @@
+@@ -872,6 +937,27 @@
  
  ########################################
  ## <summary>
@@ -24847,7 +24973,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to write the X server
  ##	log files.
  ## </summary>
-@@ -1018,10 +1103,11 @@
+@@ -1018,10 +1104,11 @@
  #
  interface(`xserver_domtrans',`
  	gen_require(`
@@ -24860,7 +24986,15 @@ diff -b -B --ignore-all-space --exclude-
  	domtrans_pattern($1, xserver_exec_t, xserver_t)
  ')
  
-@@ -1159,6 +1245,275 @@
+@@ -1136,6 +1223,7 @@
+ 
+ 	files_search_tmp($1)
+ 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
++	xserver_common_app($1)
+ ')
+ 
+ ########################################
+@@ -1159,6 +1247,275 @@
  
  ########################################
  ## <summary>
@@ -25136,7 +25270,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1172,7 +1527,102 @@
+@@ -1172,7 +1529,102 @@
  interface(`xserver_unconfined',`
  	gen_require(`
  		attribute xserver_unconfined_type;
@@ -26753,7 +26887,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-24 08:59:22.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-05-07 14:39:32.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -27030,7 +27164,7 @@ diff -b -B --ignore-all-space --exclude-
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -647,6 +728,11 @@
+@@ -647,20 +728,20 @@
  ')
  
  optional_policy(`
@@ -27042,8 +27176,10 @@ diff -b -B --ignore-all-space --exclude-
  	mailman_list_data(initrc_t)
  	mailman_read_data_symlinks(initrc_t)
  ')
-@@ -655,12 +741,6 @@
+ 
+ optional_policy(`
  	mta_read_config(initrc_t)
++	mta_write_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
 -# cjp: require doesnt work in the else of optionals :\
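Review bot: `mta_write_config(initrc_t)` gives every init script write access to the MTA configuration, a noticeably broader grant than the adjacent read-only `mta_read_config(initrc_t)`, and neither the commit message (which mentions only /var/lib/fprint) nor the changelog explains why. A why-comment on the added line, along the lines of `# <init script that rewrites the MTA config> needs write access here`, would record the motivation; if a single service's script is the reason, a domain narrower than initrc_t may be preferable. The optional_policy block is fully visible, but the rest of the init.te context is not.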
@@ -27055,7 +27191,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -719,8 +799,6 @@
+@@ -719,8 +800,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -27064,7 +27200,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -733,10 +811,12 @@
+@@ -733,10 +812,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -27077,7 +27213,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +834,11 @@
+@@ -754,6 +835,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -27089,7 +27225,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -765,6 +850,13 @@
+@@ -765,6 +851,13 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -27103,7 +27239,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -790,3 +882,35 @@
+@@ -790,3 +883,35 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -30479,7 +30615,7 @@ diff -b -B --ignore-all-space --exclude-
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-05-06 08:49:37.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-05-07 10:23:04.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -32506,8 +32642,8 @@ diff -b -B --ignore-all-space --exclude-
 +# No application file contexts.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.12/policy/modules/system/virtual.if
 --- nsaserefpolicy/policy/modules/system/virtual.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/virtual.if	2009-04-23 09:44:57.000000000 -0400
-@@ -0,0 +1,114 @@
++++ serefpolicy-3.6.12/policy/modules/system/virtual.if	2009-05-07 10:24:35.000000000 -0400
+@@ -0,0 +1,135 @@
 +## <summary>Virtual machine emulator and virtualizer</summary>
 +
 +########################################
@@ -32622,6 +32758,27 @@ diff -b -B --ignore-all-space --exclude-
 +	allow $1 virtualdomain:process { setsched transition signal signull sigkill };
 +')
 +
++
++########################################
++## <summary>
++##	Read the process state of all virtual domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virtual_read_all_domains_state',`
++	gen_require(`
++		attribute virtualdomain;
++	')
++
++	read_files_pattern($1,virtualdomain,virtualdomain)
++	read_lnk_files_pattern($1,virtualdomain,virtualdomain)
++	kernel_search_proc($1)
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
 --- nsaserefpolicy/policy/modules/system/virtual.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/system/virtual.te	2009-04-23 09:44:57.000000000 -0400
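Review bot: The new `virtual_read_all_domains_state` interface writes its pattern calls without spaces after commas (`read_files_pattern($1,virtualdomain,virtualdomain)`), unlike the rest of the patch (`read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)`); matching the `$1, virtualdomain, virtualdomain` form keeps the file consistent. The added leading blank line also leaves two consecutive blank lines after the previous interface's closing `')`. Since the body pairs file/symlink reads with `kernel_search_proc($1)`, it presumably exposes the /proc/<pid> state of guest domains; the `<summary>` could say so, so that callers understand it is more than a getattr-style check.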
@@ -33122,7 +33279,16 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.12/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2009-03-12 11:16:47.000000000 -0400
-+++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt	2009-04-30 18:02:45.000000000 -0400
++++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt	2009-05-07 10:32:41.000000000 -0400
+@@ -201,7 +201,7 @@
+ define(`setattr_file_perms',`{ setattr }')
+ define(`read_file_perms',`{ getattr open read lock ioctl }')
+ define(`mmap_file_perms',`{ getattr open read execute ioctl }')
+-define(`exec_file_perms',`{ getattr open read execute execute_no_trans }')
++define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
+ define(`append_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_file_perms',`{ getattr open write append lock ioctl }')
+ define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
 @@ -225,7 +225,7 @@
  define(`create_lnk_file_perms',`{ create getattr }')
  define(`rename_lnk_file_perms',`{ getattr rename }')
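Review bot: Adding `ioctl` to `exec_file_perms` edits a support macro that is expanded by every rule in the policy that uses it, so this is a policy-wide widening rather than a local one, and obj_perm_sets.spt carries no comment explaining it. The change is consistent with `mmap_file_perms` just above, which already includes `ioctl`, but a comment on the definition recording why ioctl is now part of the set (presumably to match mmap_file_perms) or a changelog entry would make the change discoverable to anyone auditing what executables a domain may ioctl.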


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.848
retrieving revision 1.849
diff -u -p -r1.848 -r1.849
--- selinux-policy.spec	6 May 2009 12:51:59 -0000	1.848
+++ selinux-policy.spec	7 May 2009 19:09:40 -0000	1.849
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 30%{?dist}
+Release: 31%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -477,6 +477,9 @@ exit 0
 %endif
 
 %changelog
+* Thu May 7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-31
+- Add policy for /var/lib/fprint
+
 * Tue May 5 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-30
 -Remove duplicate line
 



