rpms/selinux-policy/devel policy-F12.patch, 1.1, 1.2 selinux-policy.spec, 1.857, 1.858
Daniel J Walsh
dwalsh at fedoraproject.org
Tue May 26 16:58:30 UTC 2009
- Previous message: rpms/ncl/devel ncarg.csh, 1.2, 1.3 ncarg.sh, 1.2, 1.3 ncl.spec, 1.16, 1.17
- Next message: rpms/selinux-policy/F-11 policy-20090521.patch, 1.2, 1.3 selinux-policy.spec, 1.863, 1.864
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8764
Modified Files:
policy-F12.patch selinux-policy.spec
Log Message:
* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.13-2
- New log file for vmware
- Allow xdm to setattr on user_tmp_t
policy-F12.patch:
Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- policy-F12.patch 22 May 2009 14:37:43 -0000 1.1
+++ policy-F12.patch 26 May 2009 16:57:59 -0000 1.2
@@ -4776,6 +4776,17 @@ diff -b -B --ignore-all-space --exclude-
type uml_tmp_t;
typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.13/policy/modules/apps/vmware.fc
+--- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-01-05 15:39:38.000000000 -0500
++++ serefpolicy-3.6.13/policy/modules/apps/vmware.fc 2009-05-26 08:07:36.000000000 -0400
+@@ -63,6 +63,7 @@
+ ')
+
+ /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
++/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+
+ /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+ /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.13/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-01-19 11:03:28.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/apps/vmware.te 2009-05-21 09:48:23.000000000 -0400
@@ -8683,7 +8694,7 @@ diff -b -B --ignore-all-space --exclude-
+permissive afs_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.13/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/services/apache.fc 2009-05-21 09:48:23.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/services/apache.fc 2009-05-26 09:24:36.000000000 -0400
@@ -1,12 +1,13 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -8746,7 +8757,7 @@ diff -b -B --ignore-all-space --exclude-
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -64,11 +74,28 @@
+@@ -64,11 +74,30 @@
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -8774,7 +8785,9 @@ diff -b -B --ignore-all-space --exclude-
+
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
-+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
++/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.13/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/apache.if 2009-05-21 09:48:23.000000000 -0400
@@ -10704,7 +10717,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/services/cron.if 2009-05-21 09:48:23.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/services/cron.if 2009-05-26 08:39:51.000000000 -0400
@@ -12,6 +12,10 @@
## </param>
#
@@ -10757,43 +10770,37 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization($1_t)
-@@ -147,26 +163,26 @@
+@@ -147,27 +163,14 @@
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
-+ type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
++ type unconfined_cronjob_t;
')
- role $1 types { unconfined_cronjob_t crontab_t };
-+ role $1 types { unconfined_cronjob_t admin_crontab_t };
++ role $1 types unconfined_cronjob_t;
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
- # Transition from the user domain to the derived domain.
+- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-
- # crontab shows up in user ps
+-
+- # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
-+ ps_process_pattern($2, admin_crontab_t)
-+ allow $2 admin_crontab_t:process signal;
-
- # Run helper programs as the user domain
+-
+- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
- #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
-+ #corecmd_bin_domtrans(admin_crontab_t, $2)
-+ #corecmd_shell_domtrans(admin_crontab_t, $2)
-+ corecmd_exec_bin(admin_crontab_t)
-+ corecmd_exec_shell(admin_crontab_t)
-
+-
optional_policy(`
gen_require(`
-@@ -261,10 +277,12 @@
+ class dbus send_msg;
+@@ -261,10 +264,12 @@
allow $1 system_cronjob_t:fifo_file rw_file_perms;
allow $1 system_cronjob_t:process sigchld;
@@ -10806,7 +10813,7 @@ diff -b -B --ignore-all-space --exclude-
role system_r types $1;
')
-@@ -343,6 +361,24 @@
+@@ -343,6 +348,24 @@
########################################
## <summary>
@@ -10831,7 +10838,7 @@ diff -b -B --ignore-all-space --exclude-
## Read and write a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
-@@ -361,7 +397,7 @@
+@@ -361,7 +384,7 @@
########################################
## <summary>
@@ -10840,7 +10847,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -369,7 +405,7 @@
+@@ -369,7 +392,7 @@
## </summary>
## </param>
#
@@ -10849,7 +10856,7 @@ diff -b -B --ignore-all-space --exclude-
gen_require(`
type crond_t;
')
-@@ -416,6 +452,42 @@
+@@ -416,6 +439,42 @@
########################################
## <summary>
@@ -10892,7 +10899,7 @@ diff -b -B --ignore-all-space --exclude-
## Inherit and use a file descriptor
## from system cron jobs.
## </summary>
-@@ -481,11 +553,14 @@
+@@ -481,11 +540,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -10908,7 +10915,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -506,3 +581,101 @@
+@@ -506,3 +568,101 @@
dontaudit $1 system_cronjob_tmp_t:file append;
')
@@ -17928,6 +17935,24 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.13/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2009-05-22 10:28:56.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/postgresql.if 2009-05-21 09:48:24.000000000 -0400
+@@ -64,7 +64,7 @@
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
+ type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
+
+- allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
++ allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+ type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
+
+ allow $2 sepgsql_trusted_proc_t:process transition;
+@@ -362,7 +362,7 @@
+ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
+ type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
+
+- allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
++ allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+ type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
+ ')
+
@@ -384,3 +384,46 @@
typeattribute $1 sepgsql_unconfined_type;
@@ -17978,6 +18003,13 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.13/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-05-22 10:28:56.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/postgresql.te 2009-05-21 09:48:24.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(postgresql, 1.8.7)
++policy_module(postgresql, 1.8.6)
+
+ gen_require(`
+ class db_database all_db_database_perms;
@@ -32,6 +32,9 @@
type postgresql_etc_t;
files_config_file(postgresql_etc_t)
@@ -24139,7 +24171,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.13/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/services/xserver.te 2009-05-21 09:48:24.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/services/xserver.te 2009-05-26 08:16:53.000000000 -0400
@@ -34,6 +34,13 @@
## <desc>
@@ -24493,16 +24525,17 @@ diff -b -B --ignore-all-space --exclude-
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +538,8 @@
+@@ -472,6 +538,9 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
++userdom_manage_user_tmp_dirs(xdm_t)
+userdom_manage_user_tmp_sockets(xdm_t)
+userdom_manage_tmpfs_role(system_r, xdm_t)
xserver_rw_session(xdm_t,xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -504,10 +572,12 @@
+@@ -504,10 +573,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -24515,7 +24548,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -515,12 +585,45 @@
+@@ -515,12 +586,45 @@
')
optional_policy(`
@@ -24561,7 +24594,7 @@ diff -b -B --ignore-all-space --exclude-
hostname_exec(xdm_t)
')
-@@ -542,6 +645,23 @@
+@@ -542,6 +646,23 @@
')
optional_policy(`
@@ -24585,7 +24618,7 @@ diff -b -B --ignore-all-space --exclude-
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +670,9 @@
+@@ -550,8 +671,9 @@
')
optional_policy(`
@@ -24597,7 +24630,7 @@ diff -b -B --ignore-all-space --exclude-
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -560,7 +681,6 @@
+@@ -560,7 +682,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -24605,7 +24638,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +691,10 @@
+@@ -571,6 +692,10 @@
')
optional_policy(`
@@ -24616,7 +24649,7 @@ diff -b -B --ignore-all-space --exclude-
xfs_stream_connect(xdm_t)
')
-@@ -587,7 +711,7 @@
+@@ -587,7 +712,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -24625,7 +24658,7 @@ diff -b -B --ignore-all-space --exclude-
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +726,11 @@
+@@ -602,9 +727,11 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -24637,7 +24670,7 @@ diff -b -B --ignore-all-space --exclude-
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +742,14 @@
+@@ -616,13 +743,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -24653,7 +24686,7 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +762,19 @@
+@@ -635,9 +763,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -24673,7 +24706,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +817,14 @@
+@@ -680,9 +818,14 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -24688,7 +24721,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +839,13 @@
+@@ -697,8 +840,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -24702,7 +24735,7 @@ diff -b -B --ignore-all-space --exclude-
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -720,6 +867,7 @@
+@@ -720,6 +868,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -24710,7 +24743,7 @@ diff -b -B --ignore-all-space --exclude-
modutils_domtrans_insmod(xserver_t)
-@@ -742,7 +890,7 @@
+@@ -742,7 +891,7 @@
')
ifdef(`enable_mls',`
@@ -24719,7 +24752,7 @@ diff -b -B --ignore-all-space --exclude-
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -774,12 +922,16 @@
+@@ -774,12 +923,16 @@
')
optional_policy(`
@@ -24737,7 +24770,7 @@ diff -b -B --ignore-all-space --exclude-
unconfined_domtrans(xserver_t)
')
-@@ -806,7 +958,7 @@
+@@ -806,7 +959,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -24746,7 +24779,7 @@ diff -b -B --ignore-all-space --exclude-
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +979,14 @@
+@@ -827,9 +980,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -24761,7 +24794,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -844,11 +1001,14 @@
+@@ -844,11 +1002,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -24777,7 +24810,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -856,6 +1016,11 @@
+@@ -856,6 +1017,11 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -24789,7 +24822,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Rules common to all X window domains
-@@ -881,6 +1046,8 @@
+@@ -881,6 +1047,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -24798,7 +24831,7 @@ diff -b -B --ignore-all-space --exclude-
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1072,8 @@
+@@ -905,6 +1073,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24807,7 +24840,7 @@ diff -b -B --ignore-all-space --exclude-
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1141,49 @@
+@@ -972,17 +1142,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -24968,8 +25001,8 @@ diff -b -B --ignore-all-space --exclude-
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.13/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/authlogin.if 2009-05-21 09:48:24.000000000 -0400
-@@ -43,20 +43,38 @@
++++ serefpolicy-3.6.13/policy/modules/system/authlogin.if 2009-05-26 08:44:04.000000000 -0400
+@@ -43,22 +43,42 @@
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t;
@@ -25007,8 +25040,12 @@ diff -b -B --ignore-all-space --exclude-
+
# for SSP/ProPolice
dev_read_urand($1)
++ # for encrypted homedir
++ dev_read_sysfs($1)
# for fingerprint readers
-@@ -90,6 +108,7 @@
+ dev_rw_input_dev($1)
+ dev_rw_generic_usb_dev($1)
+@@ -90,6 +110,7 @@
auth_rw_faillog($1)
auth_exec_pam($1)
auth_use_nsswitch($1)
@@ -25016,7 +25053,7 @@ diff -b -B --ignore-all-space --exclude-
init_rw_utmp($1)
-@@ -100,9 +119,42 @@
+@@ -100,9 +121,42 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -25061,7 +25098,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -197,8 +249,11 @@
+@@ -197,8 +251,11 @@
interface(`auth_domtrans_chk_passwd',`
gen_require(`
type chkpwd_t, chkpwd_exec_t, shadow_t;
@@ -25073,7 +25110,7 @@ diff -b -B --ignore-all-space --exclude-
corecmd_search_bin($1)
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
-@@ -207,19 +262,16 @@
+@@ -207,19 +264,16 @@
dev_read_rand($1)
dev_read_urand($1)
@@ -25098,7 +25135,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -230,6 +282,29 @@
+@@ -230,6 +284,29 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -25128,7 +25165,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -254,6 +329,7 @@
+@@ -254,6 +331,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -25136,7 +25173,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -650,7 +726,7 @@
+@@ -650,7 +728,7 @@
########################################
## <summary>
@@ -25145,7 +25182,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1031,6 +1107,32 @@
+@@ -1031,6 +1109,32 @@
########################################
## <summary>
@@ -25178,7 +25215,7 @@ diff -b -B --ignore-all-space --exclude-
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
-@@ -1297,6 +1399,14 @@
+@@ -1297,6 +1401,14 @@
')
optional_policy(`
@@ -25193,7 +25230,7 @@ diff -b -B --ignore-all-space --exclude-
nis_use_ypbind($1)
')
-@@ -1305,8 +1415,13 @@
+@@ -1305,8 +1417,13 @@
')
optional_policy(`
@@ -25207,7 +25244,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -1341,3 +1456,99 @@
+@@ -1341,3 +1458,99 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -25452,8 +25489,8 @@ diff -b -B --ignore-all-space --exclude-
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.13/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/init.fc 2009-05-21 09:48:24.000000000 -0400
-@@ -4,8 +4,7 @@
++++ serefpolicy-3.6.13/policy/modules/system/init.fc 2009-05-26 09:16:32.000000000 -0400
+@@ -4,10 +4,10 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -25462,8 +25499,11 @@ diff -b -B --ignore-all-space --exclude-
+/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ /etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -45,6 +44,8 @@
+@@ -45,6 +45,8 @@
/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -25474,7 +25514,7 @@ diff -b -B --ignore-all-space --exclude-
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.13/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/init.if 2009-05-21 09:48:24.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/system/init.if 2009-05-26 09:12:18.000000000 -0400
@@ -174,6 +174,7 @@
role system_r types $1;
@@ -26075,7 +26115,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.13/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400
-+++ serefpolicy-3.6.13/policy/modules/system/ipsec.te 2009-05-21 09:48:24.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/system/ipsec.te 2009-05-26 09:16:40.000000000 -0400
@@ -55,7 +55,7 @@
allow ipsec_t self:capability { net_admin dac_override dac_read_search };
@@ -26103,6 +26143,14 @@ diff -b -B --ignore-all-space --exclude-
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
+@@ -347,6 +349,7 @@
+ files_read_etc_files(setkey_t)
+
+ init_dontaudit_use_fds(setkey_t)
++init_read_script_tmp_files(setkey_t)
+
+ # allow setkey to set the context for ipsec SAs and policy.
+ ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.13/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-04-06 12:42:08.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/system/iptables.fc 2009-05-21 13:27:58.000000000 -0400
@@ -29267,7 +29315,7 @@ diff -b -B --ignore-all-space --exclude-
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/userdomain.if 2009-05-21 09:48:24.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/system/userdomain.if 2009-05-26 08:16:31.000000000 -0400
@@ -30,8 +30,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.857
retrieving revision 1.858
diff -u -p -r1.857 -r1.858
--- selinux-policy.spec 22 May 2009 14:37:43 -0000 1.857
+++ selinux-policy.spec 26 May 2009 16:57:59 -0000 1.858
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.13
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,10 @@ exit 0
%endif
%changelog
+* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.13-2
+- New log file for vmware
+- Allow xdm to setattr on user_tmp_t
+
* Thu May 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.13-1
- Upgrade to upstream
- Previous message: rpms/ncl/devel ncarg.csh, 1.2, 1.3 ncarg.sh, 1.2, 1.3 ncl.spec, 1.16, 1.17
- Next message: rpms/selinux-policy/F-11 policy-20090521.patch, 1.2, 1.3 selinux-policy.spec, 1.863, 1.864
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list