rpms/selinux-policy/devel policy-20090105.patch, 1.113, 1.114 selinux-policy.spec, 1.851, 1.852

Daniel J Walsh dwalsh at fedoraproject.org
Tue May 12 18:10:30 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15723

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Mon May 11 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-35
- Add /usr/share/selinux/packages
- Turn on nsplugin boolean


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.113
retrieving revision 1.114
diff -u -p -r1.113 -r1.114
--- policy-20090105.patch	11 May 2009 13:11:03 -0000	1.113
+++ policy-20090105.patch	12 May 2009 18:10:29 -0000	1.114
@@ -2667,8 +2667,8 @@ diff -b -B --ignore-all-space --exclude-
 +seutil_domtrans_setfiles_mac(livecd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.12/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2008-08-07 11:15:02.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/apps/mono.if	2009-04-23 09:44:57.000000000 -0400
-@@ -21,6 +21,104 @@
++++ serefpolicy-3.6.12/policy/modules/apps/mono.if	2009-05-12 13:53:34.000000000 -0400
+@@ -21,6 +21,105 @@
  
  ########################################
  ## <summary>
@@ -2751,6 +2751,7 @@ diff -b -B --ignore-all-space --exclude-
 +	role $2 types $1_mono_t;
 +
 +	domain_interactive_fd($1_mono_t)
++	application_type($1_mono_t)
 +
 +	userdom_unpriv_usertype($1, $1_mono_t)
 +	userdom_manage_tmpfs_role($2, $1_mono_t)
@@ -2773,7 +2774,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Execute the mono program in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -31,7 +129,7 @@
+@@ -31,7 +130,7 @@
  #
  interface(`mono_exec',`
  	gen_require(`
@@ -2784,7 +2785,7 @@ diff -b -B --ignore-all-space --exclude-
  	corecmd_search_bin($1)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.12/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/mono.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/mono.te	2009-05-12 13:53:03.000000000 -0400
 @@ -15,7 +15,7 @@
  # Local policy
  #
@@ -2794,7 +2795,7 @@ diff -b -B --ignore-all-space --exclude-
  
  init_dbus_chat_script(mono_t)
  
-@@ -42,7 +42,11 @@
+@@ -42,7 +42,12 @@
  ')
  
  optional_policy(`
@@ -2802,11 +2803,12 @@ diff -b -B --ignore-all-space --exclude-
 +	unconfined_domain(mono_t)
  	unconfined_dbus_chat(mono_t)
  	unconfined_dbus_connect(mono_t)
- ')
++	application_type(mono_t)
++')
 +
 +optional_policy(`
 +	xserver_rw_shm(mono_t)
-+')
+ ')
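Review bot: `application_type(mono_t)` is added inside an `optional_policy` block whose other calls (`unconfined_domain`, `unconfined_dbus_chat`, `unconfined_dbus_connect`) come from the unconfined module, so mono_t only acquires the application_domain_type attribute when that module is loaded; the enclosing `optional_policy(` opens in the previous hunk. `application_type` comes from the base application module, so it can be called unconditionally, and since the nsplugin hunk now relies on this attribute for its signull grant, the gating makes that grant silently disappear when unconfined is absent. I would move the line above the `optional_policy` block, next to the other unconditional mono_t declarations.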
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.12/policy/modules/apps/mozilla.fc
 --- nsaserefpolicy/policy/modules/apps/mozilla.fc	2008-11-11 16:13:42.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/mozilla.fc	2009-04-23 09:44:57.000000000 -0400
@@ -3185,8 +3187,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te	2009-05-08 12:52:11.000000000 -0400
-@@ -0,0 +1,293 @@
++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te	2009-05-12 13:51:52.000000000 -0400
+@@ -0,0 +1,288 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@@ -3464,12 +3466,7 @@ diff -b -B --ignore-all-space --exclude-
 +	mozilla_read_user_home_files(nsplugin_config_t)
 +')
 +
-+optional_policy(`
-+	gen_require(`
-+		type unconfined_mono_t;
-+	')
-+	allow nsplugin_t unconfined_mono_t:process signull;
-+')
++application_signull(nsplugin_t)
 +
 +optional_policy(`
 +	pulseaudio_stream_connect(nsplugin_t)
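Review bot: Replacing the `unconfined_mono_t`-only signull with `application_signull(nsplugin_t)` widens the grant from one type to every domain carrying `application_domain_type`, which this commit also extends to `$1_mono_t`, `mono_t` and `qemu_unconfined_t`; the previous rule was deliberately narrow and wrapped in `gen_require`/`optional_policy`. If the wider scope is intended, a one-line comment would stop a later reader from narrowing it back, e.g. `# nsplugin probes (signull) mono and other application domains it spawns`. If only mono is needed, a `mono_signull`-style interface would preserve the original least-privilege scope.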
@@ -4326,7 +4323,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/qemu.te	2009-05-12 13:52:29.000000000 -0400
 @@ -13,28 +13,96 @@
  ## </desc>
  gen_tunable(qemu_full_network, false)
@@ -4432,6 +4429,16 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # qemu_unconfined local policy
+@@ -44,6 +112,9 @@
+ 	type qemu_unconfined_t;
+ 	domain_type(qemu_unconfined_t)
+ 	unconfined_domain_noaudit(qemu_unconfined_t)
++	userdom_manage_tmpfs_role(unconfined_r, qemu_unconfined_t)
+ 
++	application_type(qemu_unconfined_t)
++	role unconfined_r types qemu_unconfined_t;
+ 	allow qemu_unconfined_t self:process { execstack execmem };
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.12/policy/modules/apps/sambagui.fc
 --- nsaserefpolicy/policy/modules/apps/sambagui.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/sambagui.fc	2009-04-23 09:44:57.000000000 -0400
@@ -5926,7 +5933,7 @@ diff -b -B --ignore-all-space --exclude-
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.12/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-03-04 16:49:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if	2009-04-23 17:21:31.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if	2009-05-12 13:59:59.000000000 -0400
 @@ -723,6 +723,24 @@
  
  ########################################
@@ -6347,7 +6354,7 @@ diff -b -B --ignore-all-space --exclude-
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if	2009-05-12 08:30:38.000000000 -0400
 @@ -173,7 +173,7 @@
  
  	dev_list_all_dev_nodes($1)
@@ -6369,6 +6376,30 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
+@@ -451,6 +453,23 @@
+ 
+ ########################################
+ ## <summary>
++##	dontaudit getattr of generic pty devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process to not audit.
++##	</summary>
++## </param>
++#
++interface(`term_dontaudit_getattr_generic_ptys',`
++	gen_require(`
++		type devpts_t;
++	')
++
++	dontaudit $1 devpts_t:chr_file getattr;
++')
++########################################
++## <summary>
+ ##	ioctl of generic pty devices.
+ ## </summary>
+ ## <param name="domain">
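Review bot: The new `term_dontaudit_getattr_generic_ptys` interface closes with `')` immediately followed by the `########################################` separator of the next interface; every other interface in this file, including the one just above (see the `')` / blank / `####` sequence earlier in the hunk), has a blank line between them. Add the blank line after the closing `')`. The summary would also read better in the file's usual phrasing, `##	Do not audit attempts to get the attributes of generic pty devices.`.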
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.12/policy/modules/roles/guest.te
 --- nsaserefpolicy/policy/modules/roles/guest.te	2009-04-06 12:42:08.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/roles/guest.te	2009-04-23 09:44:57.000000000 -0400
@@ -19851,7 +19882,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.12/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/procmail.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/procmail.te	2009-05-12 08:59:00.000000000 -0400
 @@ -77,6 +77,7 @@
  files_read_usr_files(procmail_t)
  
@@ -19879,6 +19910,15 @@ diff -b -B --ignore-all-space --exclude-
  	pyzor_domtrans(procmail_t)
  	pyzor_signal(procmail_t)
  ')
+@@ -136,7 +142,7 @@
+ 	mta_read_config(procmail_t)
+ 	sendmail_domtrans(procmail_t)
+ 	sendmail_signal(procmail_t)
+-	sendmail_rw_tcp_sockets(procmail_t)
++	sendmail_dontaudit_rw_tcp_sockets(procmail_t)
+ 	sendmail_rw_unix_stream_sockets(procmail_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.12/policy/modules/services/psad.fc
 --- nsaserefpolicy/policy/modules/services/psad.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/psad.fc	2009-04-23 09:44:57.000000000 -0400
@@ -20688,7 +20728,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-05-11 09:09:05.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-05-12 14:00:28.000000000 -0400
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write, false)
  
@@ -20698,7 +20738,7 @@ diff -b -B --ignore-all-space --exclude-
  
  rpc_domain_template(gssd)
  
-@@ -69,26 +69,37 @@
+@@ -69,15 +69,22 @@
  kernel_read_sysctl(rpcd_t)
  kernel_rw_fs_sysctls(rpcd_t)
  kernel_dontaudit_getattr_core_if(rpcd_t)
@@ -20707,18 +20747,21 @@ diff -b -B --ignore-all-space --exclude-
  corecmd_exec_bin(rpcd_t)
  
  files_manage_mounttab(rpcd_t)
++files_getattr_all_dirs(rpcd_t)
  
 +fs_list_inotifyfs(rpcd_t)
  fs_list_rpc(rpcd_t)
  fs_read_rpc_files(rpcd_t)
  fs_read_rpc_symlinks(rpcd_t)
  fs_rw_rpc_sockets(rpcd_t) 
- 
-+storage_getattr_fixed_disk_dev(rpcd_t)
++fs_get_all_fs_quotas(rpcd_t) 
++fs_getattr_all_fs(rpcd_t) 
 +
++storage_getattr_fixed_disk_dev(rpcd_t)
+ 
  selinux_dontaudit_read_fs(rpcd_t)
  
- miscfiles_read_certs(rpcd_t)
+@@ -85,10 +92,17 @@
  
  seutil_dontaudit_search_config(rpcd_t)
  
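Review bot: `fs_get_all_fs_quotas(rpcd_t) ` and `fs_getattr_all_fs(rpcd_t) ` are added with trailing whitespace, copied from the existing `fs_rw_rpc_sockets(rpcd_t) ` line; strip it on the new lines rather than propagating it. `files_getattr_all_dirs` plus quota and getattr on every filesystem is a noticeably broad grant for rpcd_t, and nothing in the hunk says which rpc daemon needs it; a why-comment such as `# rpc.rquotad (runs in rpcd_t) reports quotas on all mounted filesystems — TODO confirm` would document the reason and scope the next review.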
@@ -20736,7 +20779,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # NFSD local policy
-@@ -116,8 +127,9 @@
+@@ -116,8 +130,9 @@
  # for exportfs and rpc.mountd
  files_getattr_tmp_dirs(nfsd_t) 
  # cjp: this should really have its own type
@@ -20747,7 +20790,7 @@ diff -b -B --ignore-all-space --exclude-
  fs_mount_nfsd_fs(nfsd_t) 
  fs_search_nfsd_fs(nfsd_t) 
  fs_getattr_all_fs(nfsd_t) 
-@@ -125,6 +137,7 @@
+@@ -125,6 +140,7 @@
  fs_rw_nfsd_fs(nfsd_t) 
  
  storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -20755,7 +20798,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
-@@ -141,6 +154,7 @@
+@@ -141,6 +157,7 @@
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
  ')
@@ -20763,7 +20806,7 @@ diff -b -B --ignore-all-space --exclude-
  
  tunable_policy(`nfs_export_all_ro',`
  	dev_getattr_all_blk_files(nfsd_t)
-@@ -175,6 +189,7 @@
+@@ -175,6 +192,7 @@
  
  corecmd_exec_bin(gssd_t)
  
@@ -20771,7 +20814,7 @@ diff -b -B --ignore-all-space --exclude-
  fs_list_rpc(gssd_t) 
  fs_rw_rpc_sockets(gssd_t) 
  fs_read_rpc_files(gssd_t) 
-@@ -183,9 +198,12 @@
+@@ -183,9 +201,12 @@
  files_read_usr_symlinks(gssd_t) 
  
  auth_use_nsswitch(gssd_t)
@@ -20798,7 +20841,7 @@ diff -b -B --ignore-all-space --exclude-
  auth_write_login_records(rshd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/rsync.te	2009-04-29 13:19:21.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rsync.te	2009-05-11 20:42:00.000000000 -0400
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -21748,7 +21791,32 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if	2009-04-30 08:12:22.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/sendmail.if	2009-05-12 08:58:39.000000000 -0400
+@@ -59,20 +59,20 @@
+ 
+ ########################################
+ ## <summary>
+-##	Read and write sendmail TCP sockets.
++##	Dontaudit Read and write sendmail TCP sockets.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain not allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`sendmail_rw_tcp_sockets',`
++interface(`sendmail_dontaudit_rw_tcp_sockets',`
+ 	gen_require(`
+ 		type sendmail_t;
+ 	')
+ 
+-	allow $1 sendmail_t:tcp_socket { read write };
++	dontaudit $1 sendmail_t:tcp_socket { read write };
+ ')
+ ########################################
+ ## <summary>
 @@ -89,7 +89,7 @@
  		type sendmail_t;
  	')
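Review bot: The interface `sendmail_rw_tcp_sockets` is renamed in place to `sendmail_dontaudit_rw_tcp_sockets` and its `allow` turned into `dontaudit`, so the original interface no longer exists; any policy module outside this tree still calling `sendmail_rw_tcp_sockets` will fail to build, and a domain that genuinely needs the sockets now has no interface to request them. The in-tree callers are switched in the procmail (line 200 onward) and spamassassin (lines 356 and 411 onward) hunks, but third-party modules are not. Keep the existing `sendmail_rw_tcp_sockets` block and add the dontaudit variant as a new interface below it; the new block's parameter summary should then read `##	Domain to not audit.` as the file's other dontaudit interfaces do.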
@@ -22737,7 +22805,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2009-05-08 07:53:09.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2009-05-12 09:01:37.000000000 -0400
 @@ -20,6 +20,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -22809,15 +22877,16 @@ diff -b -B --ignore-all-space --exclude-
  
  	sysnet_read_config(spamassassin_t)
  ')
-@@ -195,6 +234,7 @@
+@@ -195,6 +234,8 @@
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
 +	sendmail_rw_unix_stream_sockets(spamassassin_t)
++	sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
  ')
  
  ########################################
-@@ -216,16 +256,32 @@
+@@ -216,16 +257,32 @@
  allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
@@ -22850,7 +22919,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -239,6 +295,7 @@
+@@ -239,6 +296,7 @@
  corenet_sendrecv_all_client_packets(spamc_t)
  
  fs_search_auto_mountpoints(spamc_t)
@@ -22858,7 +22927,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # cjp: these should probably be removed:
  corecmd_list_bin(spamc_t)
-@@ -255,9 +312,15 @@
+@@ -255,9 +313,15 @@
  files_dontaudit_search_var(spamc_t)
  # cjp: this may be removable:
  files_list_home(spamc_t)
@@ -22874,7 +22943,7 @@ diff -b -B --ignore-all-space --exclude-
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -265,13 +328,16 @@
+@@ -265,13 +329,16 @@
  
  sysnet_read_config(spamc_t)
  
@@ -22898,7 +22967,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -280,16 +346,21 @@
+@@ -280,16 +347,22 @@
  ')
  
  optional_policy(`
@@ -22919,10 +22988,11 @@ diff -b -B --ignore-all-space --exclude-
 +	mta_read_queue(spamc_t)
  	sendmail_stub(spamc_t)
 +	sendmail_rw_pipes(spamc_t)
++	sendmail_dontaudit_rw_tcp_sockets(spamc_t)
  ')
  
  ########################################
-@@ -301,7 +372,7 @@
+@@ -301,7 +374,7 @@
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -22931,7 +23001,7 @@ diff -b -B --ignore-all-space --exclude-
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -317,10 +388,13 @@
+@@ -317,10 +390,13 @@
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -22946,7 +23016,7 @@ diff -b -B --ignore-all-space --exclude-
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -329,10 +403,11 @@
+@@ -329,10 +405,11 @@
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -22959,7 +23029,7 @@ diff -b -B --ignore-all-space --exclude-
  files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
  
  kernel_read_all_sysctls(spamd_t)
-@@ -382,22 +457,27 @@
+@@ -382,22 +459,27 @@
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -22991,7 +23061,7 @@ diff -b -B --ignore-all-space --exclude-
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -415,6 +495,7 @@
+@@ -415,6 +497,7 @@
  
  optional_policy(`
  	dcc_domtrans_client(spamd_t)
@@ -22999,7 +23069,7 @@ diff -b -B --ignore-all-space --exclude-
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -424,10 +505,6 @@
+@@ -424,10 +507,6 @@
  ')
  
  optional_policy(`
@@ -23010,7 +23080,7 @@ diff -b -B --ignore-all-space --exclude-
  	postfix_read_config(spamd_t)
  ')
  
-@@ -442,6 +519,10 @@
+@@ -442,6 +521,10 @@
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -23021,7 +23091,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -454,5 +535,9 @@
+@@ -454,5 +537,9 @@
  ')
  
  optional_policy(`
@@ -25398,7 +25468,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-05-06 08:50:01.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-05-12 13:45:25.000000000 -0400
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -26140,6 +26210,40 @@ diff -b -B --ignore-all-space --exclude-
          ')
  
          domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.12/policy/modules/system/application.if
+--- nsaserefpolicy/policy/modules/system/application.if	2008-08-07 11:15:12.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/application.if	2009-05-12 13:54:23.000000000 -0400
+@@ -2,7 +2,7 @@
+ 
+ ########################################
+ ## <summary>
+-##	Make the specified type usable as an application domain.
++##	Send signull to application domains
+ ## </summary>
+ ## <param name="type">
+ ##	<summary>
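Review bot: This hunk (`@@ -2,7 +2,7 @@`) replaces the summary of the first interface in application.if — the one whose parameter is `<param name="type">`, i.e. `application_type` — with "Send signull to application domains", which describes the new `application_signull` interface added further down, not `application_type`. Restore `##	Make the specified type usable as an application domain.` here; the new interface already carries its own summary block.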
+@@ -101,3 +101,21 @@
+ 	application_executable_file($2)
+ 	domain_entry_file($1,$2)
+ ')
++
++########################################
++## <summary>
++##	Send signull to unprivileged user domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`application_signull',`
++	gen_require(`
++		attribute application_domain_type;
++	')
++
++	allow $1 application_domain_type:process signull;
++')
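Review bot: The summary of the new `application_signull` interface says "Send signull to unprivileged user domains", but the rule it emits is `allow $1 application_domain_type:process signull;`, which targets application domains, not user domains. Change the summary to `##	Send signull to all application domains.` so the documentation matches what the interface grants. The trailing `')` line is also the last line of the file with no newline after it, which is worth checking against the file's existing ending.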
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.12/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2008-08-07 11:15:12.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/system/application.te	2009-04-23 09:44:57.000000000 -0400
@@ -30638,7 +30742,7 @@ diff -b -B --ignore-all-space --exclude-
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-05-08 13:06:19.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-05-12 13:51:30.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -30650,12 +30754,13 @@ diff -b -B --ignore-all-space --exclude-
  	domain_type($1_t)
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
-@@ -41,71 +42,85 @@
+@@ -41,71 +42,87 @@
  	allow system_r $1_r;
  
  	term_user_pty($1_t, user_devpts_t)
 -
  	term_user_tty($1_t, user_tty_device_t)
++	term_dontaudit_getattr_generic_ptys($1_t)
  
 -	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
 -	allow $1_t self:fd use;
@@ -30742,6 +30847,7 @@ diff -b -B --ignore-all-space --exclude-
 +	files_read_mnt_files($1_usertype)
 +	files_read_etc_runtime_files($1_usertype)
 +	files_read_usr_files($1_usertype)
++	files_read_usr_src_files($1_usertype)
  	# Read directories and files with the readable_t type.
  	# This type is a general type for "world"-readable files.
 -	files_list_world_readable($1_t)
@@ -30787,7 +30893,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -116,6 +131,12 @@
+@@ -116,6 +133,12 @@
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
@@ -30800,7 +30906,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -147,6 +168,7 @@
+@@ -147,6 +170,7 @@
  interface(`userdom_ro_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -30808,7 +30914,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	role $1 types { user_home_t user_home_dir_t };
-@@ -157,6 +179,7 @@
+@@ -157,6 +181,7 @@
  	#
  
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
@@ -30816,7 +30922,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# read-only home directory
  	allow $2 user_home_dir_t:dir list_dir_perms;
-@@ -168,27 +191,6 @@
+@@ -168,27 +193,6 @@
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -30844,7 +30950,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -220,9 +222,10 @@
+@@ -220,9 +224,10 @@
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -30856,7 +30962,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	##############################
  	#
-@@ -232,17 +235,20 @@
+@@ -232,17 +237,20 @@
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -30887,7 +30993,7 @@ diff -b -B --ignore-all-space --exclude-
  	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
  	files_list_home($2)
  
-@@ -250,25 +256,23 @@
+@@ -250,25 +258,23 @@
  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
  
  	tunable_policy(`use_nfs_home_dirs',`
@@ -30917,7 +31023,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -303,6 +307,7 @@
+@@ -303,6 +309,7 @@
  	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
  	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
  	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -30925,7 +31031,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -322,6 +327,7 @@
+@@ -322,6 +329,7 @@
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -30933,7 +31039,7 @@ diff -b -B --ignore-all-space --exclude-
  	files_search_tmp($1)
  ')
  
-@@ -368,46 +374,41 @@
+@@ -368,46 +376,41 @@
  
  #######################################
  ## <summary>
@@ -31000,7 +31106,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -420,34 +421,41 @@
+@@ -420,34 +423,41 @@
  ##	is the prefix for user_t).
  ##	</summary>
  ## </param>
@@ -31060,7 +31166,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -497,11 +505,7 @@
+@@ -497,11 +507,7 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -31073,7 +31179,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	##############################
  	#
-@@ -512,189 +516,200 @@
+@@ -512,189 +518,200 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -31355,7 +31461,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -722,13 +737,26 @@
+@@ -722,13 +739,26 @@
  
  	userdom_base_user_template($1)
  
@@ -31387,7 +31493,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	userdom_change_password_template($1)
  
-@@ -746,70 +774,71 @@
+@@ -746,70 +776,71 @@
  
  	allow $1_t self:context contains;
  
@@ -31492,7 +31598,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -846,6 +875,28 @@
+@@ -846,6 +877,28 @@
  	# Local policy
  	#
  
@@ -31521,7 +31627,7 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
  		loadkeys_run($1_t,$1_r)
  	')
-@@ -876,7 +927,10 @@
+@@ -876,7 +929,10 @@
  
  	userdom_restricted_user_template($1)
  
@@ -31533,7 +31639,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	##############################
  	#
-@@ -884,14 +938,19 @@
+@@ -884,14 +940,19 @@
  	#
  
  	auth_role($1_r, $1_t)
@@ -31558,7 +31664,7 @@ diff -b -B --ignore-all-space --exclude-
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +958,33 @@
+@@ -899,28 +960,33 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -31599,7 +31705,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -954,8 +1018,8 @@
+@@ -954,8 +1020,8 @@
  	# Declarations
  	#
  
@@ -31609,7 +31715,7 @@ diff -b -B --ignore-all-space --exclude-
  	userdom_common_user_template($1)
  
  	##############################
-@@ -964,11 +1028,12 @@
+@@ -964,11 +1030,12 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -31624,7 +31730,7 @@ diff -b -B --ignore-all-space --exclude-
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -986,37 +1051,55 @@
+@@ -986,37 +1053,55 @@
  		')
  	')
  
@@ -31694,7 +31800,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -1050,7 +1133,7 @@
+@@ -1050,7 +1135,7 @@
  #
  template(`userdom_admin_user_template',`
  	gen_require(`
@@ -31703,7 +31809,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	##############################
-@@ -1059,8 +1142,7 @@
+@@ -1059,8 +1144,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -31713,7 +31819,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1083,7 +1165,8 @@
+@@ -1083,7 +1167,8 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -31723,7 +31829,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1099,6 +1182,7 @@
+@@ -1099,6 +1184,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -31731,7 +31837,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,8 +1190,6 @@
+@@ -1106,8 +1192,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -31740,7 +31846,7 @@ diff -b -B --ignore-all-space --exclude-
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1244,6 @@
+@@ -1162,20 +1246,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -31761,7 +31867,7 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1221,6 +1289,7 @@
+@@ -1221,6 +1291,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -31769,7 +31875,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1286,11 +1355,15 @@
+@@ -1286,11 +1357,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -31785,7 +31891,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1387,7 +1460,7 @@
+@@ -1387,7 +1462,7 @@
  
  ########################################
  ## <summary>
@@ -31794,7 +31900,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1420,6 +1493,14 @@
+@@ -1420,6 +1495,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -31809,7 +31915,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1435,9 +1516,11 @@
+@@ -1435,9 +1518,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -31821,7 +31927,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1494,6 +1577,25 @@
+@@ -1494,6 +1579,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -31847,7 +31953,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1568,6 +1670,8 @@
+@@ -1568,6 +1672,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -31856,7 +31962,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1643,6 +1747,7 @@
+@@ -1643,6 +1749,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -31864,7 +31970,7 @@ diff -b -B --ignore-all-space --exclude-
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1741,30 +1846,80 @@
+@@ -1741,30 +1848,80 @@
  
  ########################################
  ## <summary>
@@ -31955,7 +32061,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1787,6 +1942,46 @@
+@@ -1787,6 +1944,46 @@
  
  ########################################
  ## <summary>
@@ -32002,7 +32108,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Create, read, write, and delete files
  ##	in a user home subdirectory.
  ## </summary>
-@@ -1799,6 +1994,7 @@
+@@ -1799,6 +1996,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -32010,7 +32116,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2328,7 +2524,7 @@
+@@ -2328,7 +2526,7 @@
  
  ########################################
  ## <summary>
@@ -32019,7 +32125,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2814,12 +3010,12 @@
+@@ -2814,12 +3012,12 @@
  		type user_tmp_t;
  	')
  
@@ -32034,7 +32140,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2827,17 +3023,35 @@
+@@ -2827,17 +3025,35 @@
  ##	</summary>
  ## </param>
  #
@@ -32074,7 +32180,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2851,6 +3065,7 @@
+@@ -2851,6 +3067,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -32082,7 +32188,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_search_proc($1)
  ')
  
-@@ -2981,3 +3196,481 @@
+@@ -2981,3 +3198,481 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.851
retrieving revision 1.852
diff -u -p -r1.851 -r1.852
--- selinux-policy.spec	11 May 2009 13:11:03 -0000	1.851
+++ selinux-policy.spec	12 May 2009 18:10:29 -0000	1.852
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 34%{?dist}
+Release: 35%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -63,6 +63,7 @@ SELinux Base package
 %dir %{_usr}/share/selinux
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
+%dir %{_usr}/share/selinux/packages
 %dir %{_sysconfdir}/selinux
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
 %ghost %{_sysconfdir}/sysconfig/selinux
@@ -234,6 +235,7 @@ make clean
 
 make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
+mkdir %{buildroot}%{_usr}/share/selinux/packages/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/
 install -m 644 $RPM_SOURCE_DIR/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
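Review bot: The changelog entry in this commit says "Turn on nsplugin boolean", but none of the visible hunks in either the spec or the policy patch sets or changes a boolean default; if it is done somewhere outside this view, fine, otherwise the changelog overstates what 3.6.12-35 changes. The new `mkdir %{buildroot}%{_usr}/share/selinux/packages/` matches the existing devel line in style, and the `%dir` entry in the files section pairs with it, so that part is consistent.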
@@ -471,6 +473,10 @@ exit 0
 %endif
 
 %changelog
+* Mon May 11 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-35
+- Add /usr/share/selinux/packages
+- Turn on nsplugin boolean
+
 * Mon May 11 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-34
 - Allow rpcd_t to send signals to kernel threads
 



