rpms/selinux-policy/F-13 policy-F13.patch, 1.91, 1.92 selinux-policy.spec, 1.996, 1.997
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Apr 5 18:40:22 UTC 2010
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv11537
Modified Files:
policy-F13.patch selinux-policy.spec
Log Message:
* Mon Apr 5 2010 Dan Walsh <dwalsh at redhat.com> 3.7.17-6
- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t)
- Allow accountsd to read shadow file
- Allow apache to send audit messages when using pam
- Allow asterisk to bind and connect to sip tcp ports
- Fixes for dovecot 2.0
- Allow initrc_t to setattr on milter directories
- Add procmail_home_t for .procmailrc file
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/mls | 1
policy/modules/admin/accountsd.fc | 4
policy/modules/admin/accountsd.if | 166 +++
policy/modules/admin/accountsd.te | 54 +
policy/modules/admin/acct.te | 1
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 4
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.if | 3
policy/modules/admin/consoletype.te | 1
policy/modules/admin/firstboot.te | 9
policy/modules/admin/kismet.te | 1
policy/modules/admin/logrotate.te | 42
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.fc | 1
policy/modules/admin/netutils.te | 20
policy/modules/admin/prelink.fc | 1
policy/modules/admin/prelink.if | 23
policy/modules/admin/prelink.te | 78 +
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 4
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 387 +++++++
policy/modules/admin/rpm.te | 104 +
policy/modules/admin/shorewall.te | 2
policy/modules/admin/shutdown.fc | 5
policy/modules/admin/shutdown.if | 118 ++
policy/modules/admin/shutdown.te | 57 +
policy/modules/admin/su.if | 8
policy/modules/admin/sudo.if | 9
policy/modules/admin/tmpreaper.te | 23
policy/modules/admin/usermanage.if | 20
policy/modules/admin/usermanage.te | 20
policy/modules/admin/vbetool.te | 6
policy/modules/admin/vpn.te | 8
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 90 +
policy/modules/apps/chrome.te | 85 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 46
policy/modules/apps/execmem.if | 110 ++
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 66 +
policy/modules/apps/gitosis.if | 2
policy/modules/apps/gnome.fc | 24
policy/modules/apps/gnome.if | 438 ++++++++
policy/modules/apps/gnome.te | 116 ++
policy/modules/apps/gpg.fc | 1
policy/modules/apps/gpg.if | 75 +
policy/modules/apps/gpg.te | 95 +
policy/modules/apps/irc.fc | 7
policy/modules/apps/irc.if | 37
policy/modules/apps/irc.te | 104 +
policy/modules/apps/java.fc | 7
policy/modules/apps/java.if | 4
policy/modules/apps/java.te | 9
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 68 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 104 +
policy/modules/apps/livecd.te | 34
policy/modules/apps/loadkeys.if | 3
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.if | 2
policy/modules/apps/mozilla.fc | 2
policy/modules/apps/mozilla.if | 62 +
policy/modules/apps/mozilla.te | 22
policy/modules/apps/mplayer.if | 36
policy/modules/apps/mplayer.te | 29
policy/modules/apps/nsplugin.fc | 10
policy/modules/apps/nsplugin.if | 390 +++++++
policy/modules/apps/nsplugin.te | 297 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 129 ++
policy/modules/apps/openoffice.te | 17
policy/modules/apps/podsleuth.te | 3
policy/modules/apps/pulseaudio.if | 39
policy/modules/apps/pulseaudio.te | 1
policy/modules/apps/qemu.if | 84 +
policy/modules/apps/qemu.te | 9
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 66 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 287 +++++
policy/modules/apps/sandbox.te | 365 ++++++
policy/modules/apps/seunshare.if | 78 -
policy/modules/apps/seunshare.te | 35
policy/modules/apps/slocate.te | 4
policy/modules/apps/userhelper.fc | 1
policy/modules/apps/userhelper.if | 48
policy/modules/apps/userhelper.te | 42
policy/modules/apps/vmware.if | 19
policy/modules/apps/vmware.te | 10
policy/modules/apps/wine.if | 11
policy/modules/apps/wine.te | 20
policy/modules/apps/wm.if | 16
policy/modules/kernel/corecommands.fc | 27
policy/modules/kernel/corecommands.if | 2
policy/modules/kernel/corenetwork.te.in | 24
policy/modules/kernel/devices.fc | 1
policy/modules/kernel/devices.if | 73 +
policy/modules/kernel/devices.te | 12
policy/modules/kernel/domain.if | 63 +
policy/modules/kernel/domain.te | 109 ++
policy/modules/kernel/files.fc | 18
policy/modules/kernel/files.if | 635 +++++++++++
policy/modules/kernel/files.te | 11
policy/modules/kernel/filesystem.if | 118 +-
policy/modules/kernel/filesystem.te | 12
policy/modules/kernel/kernel.if | 57 +
policy/modules/kernel/kernel.te | 34
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 29
policy/modules/roles/auditadm.te | 2
policy/modules/roles/guest.te | 6
policy/modules/roles/staff.te | 110 ++
policy/modules/roles/sysadm.te | 97 +
policy/modules/roles/unconfineduser.fc | 10
policy/modules/roles/unconfineduser.if | 667 ++++++++++++
policy/modules/roles/unconfineduser.te | 422 +++++++
policy/modules/roles/unprivuser.te | 23
policy/modules/roles/xguest.te | 72 +
policy/modules/services/abrt.fc | 8
policy/modules/services/abrt.if | 143 ++
policy/modules/services/abrt.te | 155 ++
policy/modules/services/afs.te | 5
policy/modules/services/aiccu.fc | 5
policy/modules/services/aiccu.if | 119 ++
policy/modules/services/aiccu.te | 41
policy/modules/services/aisexec.fc | 10
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 115 ++
policy/modules/services/apache.fc | 63 +
policy/modules/services/apache.if | 492 ++++++---
policy/modules/services/apache.te | 500 ++++++++-
policy/modules/services/apcupsd.te | 4
policy/modules/services/arpwatch.te | 4
policy/modules/services/asterisk.if | 19
policy/modules/services/asterisk.te | 45
policy/modules/services/avahi.if | 1
policy/modules/services/boinc.fc | 6
policy/modules/services/boinc.if | 151 ++
policy/modules/services/boinc.te | 81 +
policy/modules/services/cachefilesd.fc | 28
policy/modules/services/cachefilesd.if | 41
policy/modules/services/cachefilesd.te | 146 ++
policy/modules/services/ccs.te | 10
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 ++++
policy/modules/services/certmonger.te | 74 +
policy/modules/services/cgroup.fc | 9
policy/modules/services/cgroup.if | 35
policy/modules/services/cgroup.te | 87 +
policy/modules/services/clamav.te | 18
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 82 +
policy/modules/services/clogd.te | 65 +
policy/modules/services/cobbler.if | 4
policy/modules/services/cobbler.te | 12
policy/modules/services/consolekit.fc | 4
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 34
policy/modules/services/corosync.fc | 15
policy/modules/services/corosync.if | 108 ++
policy/modules/services/corosync.te | 122 ++
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 99 +
policy/modules/services/cron.te | 93 +
policy/modules/services/cups.fc | 14
policy/modules/services/cups.te | 65 +
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 2
policy/modules/services/dbus.if | 110 +-
policy/modules/services/dbus.te | 31
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 87 +
policy/modules/services/denyhosts.te | 73 +
policy/modules/services/devicekit.fc | 8
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 100 +
policy/modules/services/dhcp.te | 4
policy/modules/services/djbdns.if | 38
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 2
policy/modules/services/dnsmasq.if | 4
policy/modules/services/dnsmasq.te | 22
policy/modules/services/dovecot.fc | 6
policy/modules/services/dovecot.te | 46
policy/modules/services/fail2ban.if | 20
policy/modules/services/fprintd.te | 2
policy/modules/services/ftp.fc | 2
policy/modules/services/ftp.if | 38
policy/modules/services/ftp.te | 179 +++
policy/modules/services/git.fc | 19
policy/modules/services/git.if | 533 +++++++++
policy/modules/services/git.te | 190 +++
policy/modules/services/gpsd.te | 2
policy/modules/services/hal.te | 33
policy/modules/services/inn.te | 1
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 3
policy/modules/services/ldap.fc | 3
policy/modules/services/ldap.if | 38
policy/modules/services/ldap.te | 13
policy/modules/services/lircd.te | 21
policy/modules/services/memcached.te | 10
policy/modules/services/milter.if | 18
policy/modules/services/modemmanager.te | 5
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 68 +
policy/modules/services/mta.te | 21
policy/modules/services/munin.fc | 58 +
policy/modules/services/munin.if | 66 +
policy/modules/services/munin.te | 168 +++
policy/modules/services/mysql.te | 3
policy/modules/services/nagios.fc | 83 +
policy/modules/services/nagios.if | 142 ++
policy/modules/services/nagios.te | 283 ++++-
policy/modules/services/networkmanager.fc | 20
policy/modules/services/networkmanager.if | 86 +
policy/modules/services/networkmanager.te | 123 +-
policy/modules/services/nis.fc | 10
policy/modules/services/nis.if | 78 +
policy/modules/services/nis.te | 21
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 27
policy/modules/services/ntop.fc | 1
policy/modules/services/ntop.te | 34
policy/modules/services/ntp.te | 2
policy/modules/services/nut.te | 21
policy/modules/services/nx.fc | 12
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/oident.te | 1
policy/modules/services/openvpn.te | 6
policy/modules/services/pcscd.if | 38
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouthd.fc | 9
policy/modules/services/plymouthd.if | 322 ++++++
policy/modules/services/plymouthd.te | 105 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 82 +
policy/modules/services/portreserve.te | 3
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 187 +++
policy/modules/services/postfix.te | 149 ++
policy/modules/services/ppp.fc | 1
policy/modules/services/ppp.if | 4
policy/modules/services/ppp.te | 9
policy/modules/services/procmail.fc | 2
policy/modules/services/procmail.te | 26
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/qpidd.fc | 9
policy/modules/services/qpidd.if | 236 ++++
policy/modules/services/qpidd.te | 61 +
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 98 +
policy/modules/services/rgmanager.te | 226 ++++
policy/modules/services/rhcs.fc | 23
policy/modules/services/rhcs.if | 424 +++++++
policy/modules/services/rhcs.te | 239 ++++
policy/modules/services/ricci.te | 39
policy/modules/services/rpc.fc | 4
policy/modules/services/rpc.if | 46
policy/modules/services/rpc.te | 35
policy/modules/services/rsync.if | 4
policy/modules/services/rsync.te | 26
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 138 ++
policy/modules/services/samba.te | 122 +-
policy/modules/services/sasl.te | 3
policy/modules/services/sendmail.if | 19
policy/modules/services/sendmail.te | 17
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 91 +
policy/modules/services/snort.te | 10
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 107 +
policy/modules/services/spamassassin.te | 141 ++
policy/modules/services/squid.te | 21
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 88 +
policy/modules/services/ssh.te | 53
policy/modules/services/sssd.fc | 4
policy/modules/services/sssd.if | 47
policy/modules/services/sssd.te | 25
policy/modules/services/tgtd.te | 4
policy/modules/services/tor.fc | 3
policy/modules/services/tor.te | 13
policy/modules/services/tuned.te | 4
policy/modules/services/ucspitcp.te | 5
policy/modules/services/usbmuxd.fc | 4
policy/modules/services/usbmuxd.if | 39
policy/modules/services/usbmuxd.te | 50
policy/modules/services/varnishd.if | 19
policy/modules/services/virt.fc | 6
policy/modules/services/virt.if | 34
policy/modules/services/virt.te | 39
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 58 -
policy/modules/services/xserver.if | 385 +++++++
policy/modules/services/xserver.te | 385 ++++++-
policy/modules/system/application.te | 15
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 52
policy/modules/system/daemontools.if | 62 +
policy/modules/system/daemontools.te | 26
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 8
policy/modules/system/getty.te | 2
policy/modules/system/hostname.te | 3
policy/modules/system/init.fc | 3
policy/modules/system/init.if | 146 ++
policy/modules/system/init.te | 193 +++
policy/modules/system/ipsec.te | 10
policy/modules/system/iptables.fc | 2
policy/modules/system/iptables.if | 4
policy/modules/system/iptables.te | 15
policy/modules/system/libraries.fc | 144 ++
policy/modules/system/libraries.te | 8
policy/modules/system/locallogin.te | 40
policy/modules/system/logging.fc | 14
policy/modules/system/logging.if | 24
policy/modules/system/logging.te | 17
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.if | 2
policy/modules/system/lvm.te | 20
policy/modules/system/modutils.te | 14
policy/modules/system/mount.fc | 8
policy/modules/system/mount.if | 138 ++
policy/modules/system/mount.te | 147 ++
policy/modules/system/raid.te | 1
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 330 ++++++
policy/modules/system/selinuxutil.te | 241 +---
policy/modules/system/sosreport.fc | 2
policy/modules/system/sosreport.if | 74 +
policy/modules/system/sosreport.te | 128 ++
policy/modules/system/sysnetwork.fc | 2
policy/modules/system/sysnetwork.if | 96 +
policy/modules/system/sysnetwork.te | 17
policy/modules/system/udev.fc | 1
policy/modules/system/udev.if | 19
policy/modules/system/udev.te | 13
policy/modules/system/unconfined.fc | 14
policy/modules/system/unconfined.if | 440 --------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 9
policy/modules/system/userdomain.if | 1606 ++++++++++++++++++++++++------
policy/modules/system/userdomain.te | 47
policy/modules/system/xen.if | 3
policy/modules/system/xen.te | 11
policy/support/misc_patterns.spt | 4
policy/support/obj_perm_sets.spt | 35
policy/users | 17
371 files changed, 21322 insertions(+), 2195 deletions(-)
Index: policy-F13.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/policy-F13.patch,v
retrieving revision 1.91
retrieving revision 1.92
diff -u -p -r1.91 -r1.92
--- policy-F13.patch 1 Apr 2010 19:34:18 -0000 1.91
+++ policy-F13.patch 5 Apr 2010 18:40:19 -0000 1.92
@@ -239,8 +239,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.7.17/policy/modules/admin/accountsd.te
--- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/admin/accountsd.te 2010-03-31 08:46:30.000000000 -0400
-@@ -0,0 +1,53 @@
++++ serefpolicy-3.7.17/policy/modules/admin/accountsd.te 2010-04-05 08:40:00.000000000 -0400
+@@ -0,0 +1,54 @@
+policy_module(accountsd,1.0.0)
+
+########################################
@@ -276,6 +276,7 @@ diff --exclude-from=exclude -N -u -r nsa
+fs_list_inotifyfs(accountsd_t)
+
+auth_use_nsswitch(accountsd_t)
++auth_read_shadow(accountsd_t)
+
+miscfiles_read_localization(accountsd_t)
+
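Review bot: `auth_read_shadow(accountsd_t)` grants the accountsd daemon read access to the system's password hash database, and nothing around the rule records which accountsd operation needs it, so a later audit cannot tell whether the grant can be narrowed or dropped. A why-comment above it, e.g. `# accountsd reads shadow_t to <state the operation — TODO confirm>; keep this the module's only shadow grant`, would make the trust expansion reviewable. If the daemon only needs to know whether the file exists or when it changed, `auth_getattr_shadow` would be the narrower interface; that depends on accountsd's code path, which is not visible here. The accountsd.te block continues outside this hunk.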
@@ -12502,7 +12503,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.17/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-03-18 06:48:02.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/apache.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/apache.te 2010-04-05 09:11:33.000000000 -0400
@@ -19,6 +19,8 @@
# Declarations
#
@@ -12512,15 +12513,13 @@ diff --exclude-from=exclude -N -u -r nsa
## <desc>
## <p>
## Allow Apache to modify public files
-@@ -30,10 +32,17 @@
+@@ -37,6 +39,20 @@
## <desc>
## <p>
--## Allow Apache to use mod_auth_pam
+## Allow httpd scripts and modules execmem/execstack
- ## </p>
- ## </desc>
--gen_tunable(allow_httpd_mod_auth_pam, false)
++## </p>
++## </desc>
+gen_tunable(httpd_execmem, false)
+
+## <desc>
@@ -12529,10 +12528,13 @@ diff --exclude-from=exclude -N -u -r nsa
+## </p>
+## </desc>
+gen_tunable(httpd_dbus_avahi, false)
-
- ## <desc>
- ## <p>
-@@ -44,6 +53,13 @@
++
++## <desc>
++## <p>
+ ## Allow httpd to use built in scripting (usually php)
+ ## </p>
+ ## </desc>
+@@ -44,6 +60,13 @@
## <desc>
## <p>
@@ -12546,7 +12548,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Allow HTTPD scripts and modules to connect to the network using TCP.
## </p>
## </desc>
-@@ -51,6 +67,13 @@
+@@ -51,6 +74,13 @@
## <desc>
## <p>
@@ -12560,7 +12562,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Allow HTTPD scripts and modules to connect to databases over the network.
## </p>
## </desc>
-@@ -87,6 +110,13 @@
+@@ -87,6 +117,13 @@
## <desc>
## <p>
@@ -12574,7 +12576,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
## </p>
## </desc>
-@@ -94,6 +124,13 @@
+@@ -94,6 +131,13 @@
## <desc>
## <p>
@@ -12588,7 +12590,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
-@@ -108,6 +145,36 @@
+@@ -108,6 +152,36 @@
## </desc>
gen_tunable(httpd_unified, false)
@@ -12625,7 +12627,7 @@ diff --exclude-from=exclude -N -u -r nsa
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -140,6 +207,9 @@
+@@ -140,6 +214,9 @@
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;
@@ -12635,7 +12637,7 @@ diff --exclude-from=exclude -N -u -r nsa
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -180,6 +250,10 @@
+@@ -180,6 +257,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -12646,7 +12648,7 @@ diff --exclude-from=exclude -N -u -r nsa
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -187,28 +261,28 @@
+@@ -187,28 +268,28 @@
files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
@@ -12688,7 +12690,7 @@ diff --exclude-from=exclude -N -u -r nsa
# for apache2 memory mapped files
type httpd_var_lib_t;
-@@ -230,7 +304,7 @@
+@@ -230,7 +311,7 @@
# Apache server local policy
#
@@ -12697,7 +12699,7 @@ diff --exclude-from=exclude -N -u -r nsa
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -249,6 +323,7 @@
+@@ -249,6 +330,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -12705,7 +12707,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -272,6 +347,7 @@
+@@ -272,6 +354,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -12713,7 +12715,7 @@ diff --exclude-from=exclude -N -u -r nsa
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,13 +359,14 @@
+@@ -283,13 +366,14 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -12732,7 +12734,7 @@ diff --exclude-from=exclude -N -u -r nsa
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -301,9 +378,11 @@
+@@ -301,9 +385,11 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
@@ -12745,7 +12747,7 @@ diff --exclude-from=exclude -N -u -r nsa
manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -312,18 +391,21 @@
+@@ -312,18 +398,21 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -12772,7 +12774,7 @@ diff --exclude-from=exclude -N -u -r nsa
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
-@@ -335,15 +417,16 @@
+@@ -335,15 +424,16 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -12792,7 +12794,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
-@@ -358,6 +441,10 @@
+@@ -358,6 +448,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -12803,7 +12805,7 @@ diff --exclude-from=exclude -N -u -r nsa
libs_read_lib_files(httpd_t)
-@@ -372,18 +459,33 @@
+@@ -372,18 +466,27 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -12817,15 +12819,10 @@ diff --exclude-from=exclude -N -u -r nsa
#
# We need optionals to be able to be within booleans to make this work
#
-+## <desc>
-+## <p>
-+## Allow Apache to use mod_auth_pam
-+## </p>
-+## </desc>
-+gen_tunable(allow_httpd_mod_auth_pam, false)
-+
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
++ logging_send_audit_msgs(httpd_t)
+')
+
+## <desc>
@@ -12835,13 +12832,12 @@ diff --exclude-from=exclude -N -u -r nsa
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
- tunable_policy(`allow_httpd_mod_auth_pam',`
-- auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
')
')
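Review bot: The changelog entry says mod_auth_pam was fixed to use `auth_use_pam(httpd_t)`, but the new side of this hunk keeps `auth_domtrans_chkpwd(httpd_t)` and adds `logging_send_audit_msgs(httpd_t)` inside `tunable_policy(`allow_httpd_mod_auth_pam',`; if the auth_use_pam call lives in another part of the patch it is not visible here, otherwise the changelog does not describe what this hunk grants. Note that `logging_send_audit_msgs` gives the web server domain itself audit-write rights rather than only the chkpwd helper, which is the intended effect of "Allow apache to send audit messages when using pam" and should be stated in a comment above the rule, e.g. `# PAM modules run inside httpd, so httpd_t itself must emit audit records`. The `tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` line appears to sit at column 0 inside `optional_policy(`; if the archive did not strip the whitespace, indenting it one level would match the nesting used elsewhere in the file. The enclosing apache.te region extends beyond this hunk.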
-@@ -391,32 +493,71 @@
+@@ -391,32 +494,71 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -12918,7 +12914,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -424,11 +565,23 @@
+@@ -424,11 +566,23 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -12942,7 +12938,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,7 +604,18 @@
+@@ -451,7 +605,18 @@
')
optional_policy(`
@@ -12961,7 +12957,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -463,8 +627,24 @@
+@@ -463,8 +628,24 @@
')
optional_policy(`
@@ -12988,7 +12984,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -472,22 +652,19 @@
+@@ -472,22 +653,19 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
@@ -13014,7 +13010,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -498,12 +675,23 @@
+@@ -498,12 +676,23 @@
')
optional_policy(`
@@ -13038,7 +13034,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -512,6 +700,11 @@
+@@ -512,6 +701,11 @@
')
optional_policy(`
@@ -13050,7 +13046,7 @@ diff --exclude-from=exclude -N -u -r nsa
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -539,6 +732,23 @@
+@@ -539,6 +733,23 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -13074,7 +13070,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
#
# Apache PHP script local policy
-@@ -568,20 +778,32 @@
+@@ -568,20 +779,32 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -13113,7 +13109,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -599,23 +821,24 @@
+@@ -599,23 +822,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -13142,7 +13138,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +851,7 @@
+@@ -628,6 +852,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@@ -13150,7 +13146,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -635,22 +859,31 @@
+@@ -635,22 +860,31 @@
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
@@ -13189,7 +13185,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -676,16 +909,16 @@
+@@ -676,16 +910,16 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -13210,7 +13206,7 @@ diff --exclude-from=exclude -N -u -r nsa
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -700,15 +933,29 @@
+@@ -700,15 +934,29 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -13242,7 +13238,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -716,6 +963,35 @@
+@@ -716,6 +964,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -13278,7 +13274,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -728,6 +1004,10 @@
+@@ -728,6 +1005,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -13289,7 +13285,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -739,6 +1019,8 @@
+@@ -739,6 +1020,8 @@
# httpd_rotatelogs local policy
#
@@ -13298,7 +13294,7 @@ diff --exclude-from=exclude -N -u -r nsa
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -758,11 +1040,88 @@
+@@ -758,11 +1041,88 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -13318,7 +13314,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
- ')
++')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
@@ -13368,7 +13364,7 @@ diff --exclude-from=exclude -N -u -r nsa
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
-+')
+ ')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
@@ -13462,7 +13458,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Connect to asterisk over a unix domain
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.17/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/asterisk.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/asterisk.te 2010-04-05 12:07:40.000000000 -0400
@@ -40,12 +40,13 @@
#
@@ -13495,12 +13491,21 @@ diff --exclude-from=exclude -N -u -r nsa
corenet_all_recvfrom_unlabeled(asterisk_t)
corenet_all_recvfrom_netlabel(asterisk_t)
-@@ -104,10 +108,14 @@
+@@ -96,6 +100,7 @@
+ corenet_tcp_bind_generic_node(asterisk_t)
+ corenet_udp_bind_generic_node(asterisk_t)
+ corenet_tcp_bind_asterisk_port(asterisk_t)
++corenet_tcp_bind_sip_port(asterisk_t)
+ corenet_udp_bind_asterisk_port(asterisk_t)
+ corenet_udp_bind_sip_port(asterisk_t)
+ corenet_sendrecv_asterisk_server_packets(asterisk_t)
+@@ -104,10 +109,15 @@
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_connect_postgresql_port(asterisk_t)
+corenet_tcp_connect_snmp_port(asterisk_t)
++corenet_tcp_connect_sip_port(asterisk_t)
+dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
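Review bot: `corenet_tcp_bind_sip_port(asterisk_t)` and `corenet_tcp_connect_sip_port(asterisk_t)` are added without the packet-level counterparts the file pairs with its other port rules (compare `corenet_sendrecv_asterisk_server_packets(asterisk_t)` next to the asterisk bind a few lines above). For consistency add `corenet_sendrecv_sip_server_packets(asterisk_t)` after the bind and `corenet_sendrecv_sip_client_packets(asterisk_t)` after the connect, so the rules behave the same way on systems that label packets. Both hunks of asterisk.te shown here are inside a longer rule block that continues outside the view.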
@@ -13510,7 +13515,7 @@ diff --exclude-from=exclude -N -u -r nsa
domain_use_interactive_fds(asterisk_t)
-@@ -118,19 +126,33 @@
+@@ -118,19 +128,33 @@
files_read_usr_files(asterisk_t)
fs_getattr_all_fs(asterisk_t)
@@ -13547,7 +13552,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -138,10 +160,11 @@
+@@ -138,10 +162,11 @@
')
optional_policy(`
@@ -16953,7 +16958,7 @@ diff --exclude-from=exclude -N -u -r nsa
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.17/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/dovecot.te 2010-03-30 09:39:56.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/dovecot.te 2010-04-02 11:36:35.000000000 -0400
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -16964,16 +16969,18 @@ diff --exclude-from=exclude -N -u -r nsa
type dovecot_auth_t;
type dovecot_auth_exec_t;
domain_type(dovecot_auth_t)
-@@ -54,7 +57,7 @@
+@@ -54,15 +57,16 @@
# dovecot local policy
#
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
- allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
++allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
-@@ -63,6 +66,7 @@
+ allow dovecot_t self:tcp_socket create_stream_socket_perms;
+ allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
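Review bot: `kill` is added to dovecot_t's capability set and `setsched` to its process permissions with no comment on what in dovecot 2.0 requires them; the changelog's "Fixes for dovecot 2.0" is the only rationale and it will not be visible to someone reading the policy. A one-line comment above the capability rule, e.g. `# kill/setsched: required by the dovecot 2.0 master process (TODO: confirm which service triggers them)`, would let a later reviewer decide whether the grant can be removed once the triggering behavior changes. CAP_KILL in particular widens which processes dovecot_t may signal within what the type rules already allow, so the reason is worth recording. The dovecot_t rule block continues outside this hunk.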
@@ -18359,12 +18366,12 @@ diff --exclude-from=exclude -N -u -r nsa
# Local hald dccm policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.17/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/inn.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/inn.te 2010-04-05 08:56:23.000000000 -0400
@@ -106,6 +106,7 @@
userdom_dontaudit_use_unpriv_user_fds(innd_t)
userdom_dontaudit_search_user_home_dirs(innd_t)
-+userdom_stream_connect(innd_t)
++userdom_dgram_send(innd_t)
mta_send_mail(innd_t)
@@ -18595,6 +18602,34 @@ diff --exclude-from=exclude -N -u -r nsa
+term_dontaudit_use_all_ptys(memcached_t)
+term_dontaudit_use_all_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.17/policy/modules/services/milter.if
+--- nsaserefpolicy/policy/modules/services/milter.if 2009-12-18 11:38:25.000000000 -0500
++++ serefpolicy-3.7.17/policy/modules/services/milter.if 2010-04-05 13:57:30.000000000 -0400
+@@ -82,6 +82,24 @@
+
+ ########################################
+ ## <summary>
++## Allow setattr of milter dirs
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`milter_setattr_all_dirs',`
++ gen_require(`
++ attribute milter_data_type;
++ ')
++
++ setattr_dirs_pattern($1, milter_data_type, milter_data_type)
++')
++
++########################################
++## <summary>
+ ## Manage spamassassin milter state
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.17/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.17/policy/modules/services/modemmanager.te 2010-03-29 15:35:14.000000000 -0400
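Review bot: The interface summary `## Allow setattr of milter dirs` understates the scope of the grant: `setattr_dirs_pattern($1, milter_data_type, milter_data_type)` applies to every type carrying the `milter_data_type` attribute, i.e. the state directories of all milter modules, not a single milter. The summary is what appears in the generated interface documentation, so it should say so, e.g. `## Set the attributes of all milter data directories.`, and the `<param>` summary can stay as it is. This matches how the interface is named (`milter_setattr_all_dirs`).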
@@ -22616,10 +22651,29 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
consoletype_exec(pppd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.7.17/policy/modules/services/procmail.fc
+--- nsaserefpolicy/policy/modules/services/procmail.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/procmail.fc 2010-04-05 08:18:37.000000000 -0400
+@@ -1,3 +1,5 @@
++HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
++/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
+
+ /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.17/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/procmail.te 2010-03-31 15:03:39.000000000 -0400
-@@ -22,7 +22,7 @@
++++ serefpolicy-3.7.17/policy/modules/services/procmail.te 2010-04-05 09:54:35.000000000 -0400
+@@ -11,6 +11,9 @@
+ application_domain(procmail_t, procmail_exec_t)
+ role system_r types procmail_t;
+
++type procmail_home_t;
++userdom_user_home_content(procmail_home_t)
++
+ type procmail_log_t;
+ logging_log_file(procmail_log_t)
+
+@@ -22,7 +25,7 @@
# Local policy
#
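Review bot: The two new file-context lines use `gen_context(system_u:object_r:procmail_home_t, s0)` with a space before `s0`, while the existing entry on the same file, `/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)`, has none; refpolicy .fc files keep one spelling per file, so `gen_context(system_u:object_r:procmail_home_t,s0)` would be consistent. In the .te part, `userdom_user_home_content(procmail_home_t)` gives the new type the user home content attribute, so if the `userdom_manage_user_home_content_*` interfaces grant by that attribute (as in refpolicy) the new label still does not narrow what other home-managing domains may do to `.procmailrc`; a short comment above the type declaration stating that it exists to identify the recipe file rather than to restrict access would make that intent clear. The procmail_t local policy section continues outside this hunk.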
@@ -22628,7 +22682,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
allow procmail_t self:unix_stream_socket create_socket_perms;
-@@ -68,7 +68,6 @@
+@@ -68,7 +71,6 @@
corecmd_exec_bin(procmail_t)
corecmd_exec_shell(procmail_t)
@@ -22636,7 +22690,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_read_etc_files(procmail_t)
files_read_etc_runtime_files(procmail_t)
-@@ -77,6 +76,7 @@
+@@ -77,21 +79,25 @@
files_read_usr_files(procmail_t)
logging_send_syslog_msg(procmail_t)
@@ -22644,19 +22698,29 @@ diff --exclude-from=exclude -N -u -r nsa
miscfiles_read_localization(procmail_t)
-@@ -89,9 +89,10 @@
- userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
-
- # Do not audit attempts to access /root.
++list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
++read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
++userdom_search_user_home_dirs(procmail_t)
++userdom_search_admin_dir(procmail_t)
++
+ # only works until we define a different type for maildir
+ userdom_manage_user_home_content_dirs(procmail_t)
+ userdom_manage_user_home_content_files(procmail_t)
+ userdom_manage_user_home_content_symlinks(procmail_t)
+ userdom_manage_user_home_content_pipes(procmail_t)
+ userdom_manage_user_home_content_sockets(procmail_t)
+-userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
+-
+-# Do not audit attempts to access /root.
-userdom_dontaudit_search_user_home_dirs(procmail_t)
-+userdom_dontaudit_search_admin_dir(procmail_t)
++userdom_user_home_dir_filetrans_user_home_content(procmail_t, { file dir lnk_file fifo_file sock_file })
mta_manage_spool(procmail_t)
+mta_read_queue(procmail_t)
ifdef(`hide_broken_symptoms',`
mta_dontaudit_rw_queue(procmail_t)
-@@ -128,6 +129,10 @@
+@@ -128,6 +134,10 @@
')
optional_policy(`
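Review bot: `list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)` grants list/search on directories of a type that, per the procmail.fc change in this commit, labels only regular files (`--` entries for `.procmailrc`), so there is no directory it can match; unless procmail_home_t is meant to label directories elsewhere, the line can be dropped and `read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)` plus the two search interfaces carry the intended access. Because the type is declared with `userdom_user_home_content`, the existing `userdom_manage_user_home_content_files(procmail_t)` a few lines above presumably already covers it if that interface grants by attribute, which would make the read grant redundant for procmail_t itself; a comment such as `# .procmailrc is read via its own type so other domains can be given read-only access` would state why it is kept. The reordering of `{ dir file ... }` to `{ file dir ... }` in the filetrans rule is a no-op and could be reverted to keep the hunk minimal.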
@@ -22667,7 +22731,7 @@ diff --exclude-from=exclude -N -u -r nsa
pyzor_domtrans(procmail_t)
pyzor_signal(procmail_t)
')
-@@ -136,8 +141,8 @@
+@@ -136,8 +146,8 @@
mta_read_config(procmail_t)
sendmail_domtrans(procmail_t)
sendmail_signal(procmail_t)
@@ -27013,7 +27077,7 @@ diff --exclude-from=exclude -N -u -r nsa
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.17/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/virt.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/virt.if 2010-04-05 12:51:59.000000000 -0400
@@ -21,6 +21,7 @@
type $1_t, virt_domain;
domain_type($1_t)
@@ -27042,7 +27106,15 @@ diff --exclude-from=exclude -N -u -r nsa
rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -516,3 +520,32 @@
+@@ -192,6 +196,7 @@
+ files_search_etc($1)
+ manage_files_pattern($1, virt_etc_t, virt_etc_t)
+ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
++ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ ')
+
+ ########################################
+@@ -516,3 +521,32 @@
virt_manage_log($1)
')
@@ -28722,8 +28794,16 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.17/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/system/authlogin.if 2010-03-29 15:35:14.000000000 -0400
-@@ -94,6 +94,8 @@
++++ serefpolicy-3.7.17/policy/modules/system/authlogin.if 2010-04-05 08:18:15.000000000 -0400
+@@ -41,7 +41,6 @@
+ ## </param>
+ #
+ interface(`auth_use_pam',`
+-
+ # for SSP/ProPolice
+ dev_read_urand($1)
+ # for encrypted homedir
+@@ -94,6 +93,8 @@
')
domain_type($1)
@@ -28732,7 +28812,7 @@ diff --exclude-from=exclude -N -u -r nsa
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
-@@ -107,6 +109,7 @@
+@@ -107,6 +108,7 @@
allow $1 self:capability ipc_lock;
allow $1 self:process setkeycreate;
allow $1 self:key manage_key_perms;
@@ -28740,7 +28820,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t)
-@@ -141,6 +144,7 @@
+@@ -141,6 +143,7 @@
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -28748,7 +28828,7 @@ diff --exclude-from=exclude -N -u -r nsa
auth_use_pam($1)
init_rw_utmp($1)
-@@ -151,6 +155,36 @@
+@@ -151,6 +154,36 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -28785,7 +28865,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
-@@ -365,13 +399,15 @@
+@@ -365,13 +398,15 @@
')
optional_policy(`
@@ -28802,7 +28882,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -418,6 +454,7 @@
+@@ -418,6 +453,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -28810,7 +28890,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1500,6 +1537,8 @@
+@@ -1500,6 +1536,8 @@
#
interface(`auth_use_nsswitch',`
@@ -28819,7 +28899,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1570,15 @@
+@@ -1531,7 +1569,15 @@
')
optional_policy(`
@@ -29342,7 +29422,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.17/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/system/init.te 2010-03-31 10:16:04.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/system/init.te 2010-04-05 13:58:30.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -29632,7 +29712,7 @@ diff --exclude-from=exclude -N -u -r nsa
kerberos_use(initrc_t)
')
-@@ -690,12 +779,18 @@
+@@ -690,12 +779,22 @@
')
optional_policy(`
@@ -29646,12 +29726,16 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
++ milter_setattr_all_dirs(initrc_t)
++')
++
++optional_policy(`
mta_read_config(initrc_t)
+ mta_write_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
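Review bot: The new `milter_setattr_all_dirs(initrc_t)` block carries no comment, and because the interface works on the `milter_data_type` attribute it lets init scripts change attributes on the state directories of every milter, not one; the reason (presumably an init script fixing ownership or mode on a milter socket or run directory) is only inferable from the changelog. Placing a one-line why-comment inside the block, `# init scripts chown/chmod milter state directories`, would document the grant in the same way the neighbouring `optional_policy` blocks in init.te are commented elsewhere. The initrc_t optional_policy section continues outside this hunk.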
-@@ -718,6 +813,10 @@
+@@ -718,6 +817,10 @@
')
optional_policy(`
@@ -29662,7 +29746,7 @@ diff --exclude-from=exclude -N -u -r nsa
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -760,8 +859,6 @@
+@@ -760,8 +863,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29671,7 +29755,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -774,10 +871,12 @@
+@@ -774,10 +875,12 @@
squid_manage_logs(initrc_t)
')
@@ -29684,7 +29768,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +889,7 @@
+@@ -790,6 +893,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -29692,7 +29776,7 @@ diff --exclude-from=exclude -N -u -r nsa
udev_manage_pid_files(initrc_t)
')
-@@ -801,8 +901,15 @@
+@@ -801,8 +905,15 @@
virt_manage_svirt_cache(initrc_t)
')
@@ -29708,7 +29792,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +919,25 @@
+@@ -812,6 +923,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29734,7 +29818,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -837,3 +963,34 @@
+@@ -837,3 +967,34 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -33131,7 +33215,7 @@ diff --exclude-from=exclude -N -u -r nsa
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.17/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/system/userdomain.if 2010-04-01 15:13:32.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/system/userdomain.if 2010-04-05 08:54:14.000000000 -0400
@@ -30,8 +30,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/selinux-policy.spec,v
retrieving revision 1.996
retrieving revision 1.997
diff -u -p -r1.996 -r1.997
--- selinux-policy.spec 1 Apr 2010 19:34:20 -0000 1.996
+++ selinux-policy.spec 5 Apr 2010 18:40:20 -0000 1.997
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.17
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,16 @@ exit 0
%endif
%changelog
+* Mon Apr 5 2010 Dan Walsh <dwalsh at redhat.com> 3.7.17-6
+- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t)
+- Allow accountsd to read shadow file
+- Allow apache to send audit messages when using pam
+- Allow asterisk to bind and connect to sip tcp ports
+- Fixes for dovecot 2.0
+- Allow initrc_t to setattr on milter directories
+- Add procemail_home_t for .procmailrc file
+
+
* Thu Apr 1 2010 Dan Walsh <dwalsh at redhat.com> 3.7.17-5
- Fixes for labels during install from livecd