[selinux-policy/f12/master] - Fixes for cobbler policy - Dont audit varnishd sys_tty_config capability - Allow varnishd kill cap
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Aug 5 12:46:15 UTC 2010
commit 822d034469fea2f13a814e9e2ce5406a71fac4cd
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Aug 5 14:45:59 2010 +0200
- Fixes for cobbler policy
- Don't audit varnishd sys_tty_config capability
- Allow varnishd kill capability
- Fixes for munin policy
- Change label for /var/tmp
- Add clamd_use_jit boolean
policy-20100106.patch | 337 ++++++++++++++++++++++++++++++++++++++++---------
selinux-policy.spec | 10 ++-
2 files changed, 286 insertions(+), 61 deletions(-)
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index 276e503..3c1e58e 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -1345,6 +1345,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ networkmanager_attach_tun_iface(vpnc_t)
+')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.32/policy/modules/apps/awstats.te
+--- nsaserefpolicy/policy/modules/apps/awstats.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/apps/awstats.te 2010-08-05 13:50:54.931085324 +0200
+@@ -48,6 +48,7 @@
+ files_read_etc_files(awstats_t)
+ # e.g. /usr/share/awstats/lang/awstats-en.txt
+ files_read_usr_files(awstats_t)
++files_dontaudit_search_all_mountpoints(awstats_t)
+
+ fs_list_inotifyfs(awstats_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.6.32/policy/modules/apps/cdrecord.te
--- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/cdrecord.te 2010-02-09 09:59:13.342615577 +0100
@@ -2113,7 +2124,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 2010-01-18 18:24:22.628540083 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2010-03-10 15:58:15.169618442 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2010-08-05 13:35:21.686335260 +0200
+@@ -28,7 +28,7 @@
+
+ type nsplugin_rw_t;
+ files_poly_member(nsplugin_rw_t)
+-userdom_user_home_content(nsplugin_rw_t)
++files_type(nsplugin_rw_t)
+
+ type nsplugin_tmp_t;
+ files_tmp_file(nsplugin_tmp_t)
@@ -182,6 +182,10 @@
')
@@ -3505,7 +3525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
gen_require(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-05-21 13:29:04.023389987 +0200
++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-08-05 14:26:20.415085268 +0200
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.13.0)
@@ -3596,7 +3616,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
-@@ -145,10 +146,12 @@
+@@ -131,8 +132,9 @@
+ network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+ network_port(jabber_interserver, tcp,5269,s0)
+ network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
++network_port(kerberos_admin, tcp,749,s0)
+ network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
++network_port(kerberos_password, tcp,464,s0, udp,464,s0)
+ network_port(kismet, tcp,2501,s0)
+ network_port(kprop, tcp,754,s0)
+ network_port(ktalkd, udp,517,s0, udp,518,s0)
+@@ -145,10 +147,12 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
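Review bot: Moving port 464 out of `kerberos_admin` into the new `kerberos_password` type (the inner `@@ -131,8 +132,9 @@` hunk of corenetwork.te.in) narrows every existing caller of the `kerberos_admin` port interfaces to tcp/749. None of the hunks visible here add matching `kerberos_password` rules, so domains that reach the password-change service on 464 would presumably start hitting denials unless they are updated elsewhere in the patch; that should be confirmed. A comment above the new entry, e.g. `# 464 (password change) split out of kerberos_admin`, would record the reason for the split.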
@@ -3611,7 +3642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntp, udp,123,s0)
-@@ -195,7 +198,7 @@
+@@ -195,7 +199,7 @@
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -3620,7 +3651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
network_port(spamd, tcp,783,s0)
-@@ -205,29 +208,27 @@
+@@ -205,29 +209,27 @@
network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
@@ -3657,7 +3688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -249,9 +250,8 @@
+@@ -249,9 +251,8 @@
# nodes in net_contexts or net_contexts.mls.
#
type node_t, node_type;
@@ -4423,7 +4454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2010-02-21 20:44:28.920309784 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2010-04-13 15:27:35.562850211 +0200
++++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2010-08-05 13:52:13.460084974 +0200
@@ -100,7 +100,7 @@
# HOME_ROOT
# expanded by genhomedircon
@@ -4444,6 +4475,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# /opt
#
/opt -d gen_context(system_u:object_r:usr_t,s0)
+@@ -254,7 +258,7 @@
+ /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+ /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+-/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/var/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /var/tmp/.* <<none>>
+ /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /var/tmp/lost\+found/.* <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-02-21 20:44:28.921325502 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-04-23 07:41:58.899496269 +0200
@@ -5631,7 +5671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-01-18 18:24:22.716539752 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2010-02-26 09:33:59.084547345 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2010-08-05 13:35:41.743085106 +0200
@@ -241,6 +241,25 @@
########################################
@@ -5871,7 +5911,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Do not audit attempts to get the
-@@ -1142,6 +1320,26 @@
+@@ -1113,10 +1291,12 @@
+ interface(`term_dontaudit_getattr_all_user_ttys',`
+ gen_require(`
+ attribute ttynode;
++ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ dontaudit $1 ttynode:chr_file getattr;
++ dontaudit $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1142,6 +1322,26 @@
########################################
## <summary>
@@ -5898,7 +5951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Relabel from and to all user
## user tty device nodes.
## </summary>
-@@ -1201,6 +1399,45 @@
+@@ -1201,6 +1401,45 @@
########################################
## <summary>
@@ -6208,7 +6261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-06-04 12:25:03.267409676 +0200
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-08-05 13:56:21.288085332 +0200
@@ -77,6 +77,7 @@
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
@@ -6217,7 +6270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# abrt pid files
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
-@@ -96,16 +97,19 @@
+@@ -96,22 +97,26 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
@@ -6238,7 +6291,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_usr_files(abrt_t)
files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
-@@ -119,6 +123,7 @@
+
+ files_dontaudit_list_default(abrt_t)
+ files_dontaudit_read_default_files(abrt_t)
++files_dontaudit_getattr_all_sockets(abrt_t)
+
+ fs_list_inotifyfs(abrt_t)
+ fs_getattr_all_fs(abrt_t)
+@@ -119,6 +124,7 @@
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
@@ -6246,7 +6306,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_search_all(abrt_t)
sysnet_read_config(abrt_t)
-@@ -173,9 +178,23 @@
+@@ -129,6 +135,7 @@
+ miscfiles_read_certs(abrt_t)
+ miscfiles_read_localization(abrt_t)
+
++userdom_dontaudit_read_admin_home_files(abrt_t)
+ userdom_dontaudit_read_user_home_content_files(abrt_t)
+
+ optional_policy(`
+@@ -173,9 +180,23 @@
')
optional_policy(`
@@ -6270,7 +6338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
permissive abrt_t;
########################################
-@@ -183,12 +202,13 @@
+@@ -183,12 +204,13 @@
# abrt--helper local policy
#
@@ -6285,7 +6353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -200,10 +220,16 @@
+@@ -200,10 +222,16 @@
files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)
@@ -7348,8 +7416,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.32/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-18 18:24:22.756540300 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/clamav.te 2010-05-21 13:23:07.973140539 +0200
-@@ -57,6 +57,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/clamav.te 2010-08-05 14:02:03.476085546 +0200
+@@ -6,6 +6,13 @@
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow clamd to use JIT compiler
++## </p>
++## </desc>
++gen_tunable(clamd_use_jit, false)
++
+ # Main clamd domain
+ type clamd_t;
+ type clamd_exec_t;
+@@ -57,6 +64,8 @@
#
allow clamd_t self:capability { kill setgid setuid dac_override };
@@ -7358,6 +7440,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
+@@ -128,6 +137,16 @@
+ mta_read_config(clamd_t)
+ mta_send_mail(clamd_t)
+
++tunable_policy(`clamd_use_jit',`
++ allow clamd_t self:process execmem;
++ allow clamscan_t self:process execmem;
++ allow freshclam_t self:process execmem;
++', `
++ dontaudit clamd_t self:process execmem;
++ dontaudit clamscan_t self:process execmem;
++ dontaudit freshclam_t self:process execmem;
++')
++
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.6.32/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 2010-01-18 18:24:22.757540078 +0100
+++ serefpolicy-3.6.32/policy/modules/services/clogd.if 2010-02-17 11:59:55.124863336 +0100
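Review bot: The false branch of the `clamd_use_jit` conditional adds `dontaudit ... self:process execmem` for clamd_t, clamscan_t and freshclam_t, which removes the AVC record an operator would want when a process that parses untrusted files tries to map writable-executable memory. I would drop the three `dontaudit` lines so the denial stays audited, or at least add a comment stating why it is silenced, e.g. `# execmem is probed at startup even with JIT off; silenced to avoid log noise` (if that is the reason; it is not shown here). The boolean's description in the declarations hunk above says only "Allow clamd to use JIT compiler", although the rules also cover clamscan and freshclam; `## Allow clamd, clamscan and freshclam to use a JIT compiler (grants execmem)` would match what is granted.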
@@ -7630,8 +7729,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.32/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-01-18 18:24:22.760530473 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/cobbler.te 2010-05-05 13:28:18.436628603 +0200
-@@ -1,5 +1,135 @@
++++ serefpolicy-3.6.32/policy/modules/services/cobbler.te 2010-08-05 13:33:24.437085197 +0200
+@@ -1,5 +1,158 @@
-policy_module(cobbler, 1.10.0)
+policy_module(cobbler, 1.0.0)
@@ -7649,6 +7748,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </desc>
+gen_tunable(cobbler_anon_write, false)
+
++## <desc>
++## <p>
++## Allow Cobbler to connect to the
++## network using TCP.
++## </p>
++## </desc>
++gen_tunable(cobbler_can_network_connect, false)
++
+type cobblerd_t;
+type cobblerd_exec_t;
+init_daemon_domain(cobblerd_t, cobblerd_exec_t)
@@ -7673,9 +7780,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+
+allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
++dontaudit cobblerd_t self:capability sys_tty_config;
+allow cobblerd_t self:process { getsched setsched signal };
+allow cobblerd_t self:fifo_file rw_fifo_file_perms;
++allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
+allow cobblerd_t self:tcp_socket create_stream_socket_perms;
++allow cobblerd_t self:udp_socket create_stream_socket_perms;
+
+list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
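Review bot: `allow cobblerd_t self:udp_socket create_stream_socket_perms;` applies the stream permission set (which adds listen and accept) to a datagram socket class; other rules visible in this patch use `create_socket_perms` for `udp_socket` and `unix_dgram_socket`. Suggest `allow cobblerd_t self:udp_socket create_socket_perms;`. The new `dontaudit cobblerd_t self:capability sys_tty_config;` and `netlink_route_socket` rules also carry no comment saying which cobblerd operation needs them; a one-line `#` comment on each would help the next review.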
@@ -7703,6 +7813,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+corenet_tcp_sendrecv_generic_if(cobblerd_t)
+corenet_tcp_sendrecv_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_port(cobblerd_t)
++corenet_tcp_connect_http_port(cobblerd_t)
++corenet_tcp_sendrecv_http_port(cobblerd_t)
++corenet_sendrecv_http_client_packets(cobblerd_t)
++
++domain_dontaudit_exec_all_entry_files(cobblerd_t)
++domain_dontaudit_read_all_domains_state(cobblerd_t)
+
+dev_read_urand(cobblerd_t)
+
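Review bot: `domain_dontaudit_exec_all_entry_files(cobblerd_t)` and `domain_dontaudit_read_all_domains_state(cobblerd_t)` silence denials for a daemon that has network access, without saying what triggers them. If they come from a known, benign code path, name it in a comment above the two lines (for example `# cobblerd scans /proc and probes service binaries; denials are expected`, to be confirmed against the actual AVCs). Otherwise leave the denials audited, so that an unexpected attempt by cobblerd to execute another domain's entry point remains visible in the audit log.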
@@ -7723,6 +7839,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ miscfiles_manage_public_files(cobblerd_t)
+')
+
++tunable_policy(`cobbler_can_network_connect',`
++ corenet_tcp_connect_all_ports(cobblerd_t)
++ corenet_tcp_sendrecv_all_ports(cobblerd_t)
++ corenet_sendrecv_all_client_packets(cobblerd_t)
++')
++
+optional_policy(`
+ apache_read_sys_content(cobblerd_t)
+')
@@ -9775,7 +9897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read/Write hald PID files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-01-18 18:24:22.795530524 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-04-02 10:03:49.167852833 +0200
++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-08-05 13:58:23.761084856 +0200
@@ -1,5 +1,5 @@
-policy_module(hal, 1.12.0)
@@ -9895,16 +10017,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(hald_dccm_t)
corenet_all_recvfrom_netlabel(hald_dccm_t)
-@@ -525,7 +537,7 @@
+@@ -525,8 +537,9 @@
corenet_tcp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_dhcpc_port(hald_dccm_t)
-corenet_tcp_bind_ftps_port(hald_dccm_t)
+corenet_tcp_bind_ftp_port(hald_dccm_t)
corenet_tcp_bind_dccm_port(hald_dccm_t)
++corenet_tcp_connect_ftp_port(hald_dccm_t)
logging_send_syslog_msg(hald_dccm_t)
-@@ -534,6 +546,8 @@
+
+@@ -534,6 +547,8 @@
miscfiles_read_localization(hald_dccm_t)
@@ -10752,7 +10876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.32/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/services/munin.if 2010-04-13 15:08:54.365612326 +0200
++++ serefpolicy-3.6.32/policy/modules/services/munin.if 2010-08-05 13:44:58.343085372 +0200
@@ -43,6 +43,24 @@
files_search_etc($1)
')
@@ -10778,7 +10902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#######################################
## <summary>
## Append to the munin log.
-@@ -102,6 +120,54 @@
+@@ -102,6 +120,60 @@
dontaudit $1 munin_var_lib_t:dir search_dir_perms;
')
@@ -10808,12 +10932,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ type munin_$1_plugin_tmp_t;
+ files_tmp_file(munin_$1_plugin_tmp_t)
+
++ allow munin_t munin_$1_plugin_t:process signal;
++
+ allow munin_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t)
+ manage_dirs_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t)
+ files_tmp_filetrans(munin_$1_plugin_t, munin_$1_plugin_tmp_t, { dir file })
+
++ manage_files_pattern(munin_$1_plugin_t, munin_var_lib_t, munin_var_lib_t)
++
+ # automatic transition rules from munin domain
+ # to specific munin plugin domain
+ domtrans_pattern(munin_t, munin_$1_plugin_exec_t, munin_$1_plugin_t)
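Review bot: `manage_files_pattern(munin_$1_plugin_t, munin_var_lib_t, munin_var_lib_t)` in the plugin template gives every plugin domain create, unlink and rename on munin's state files, whereas the per-plugin rules this commit removes (mail and system plugins in munin.te) granted only `rw_files_pattern`. If plugins only update existing state files, `rw_files_pattern(munin_$1_plugin_t, munin_var_lib_t, munin_var_lib_t)` in the template keeps the previous scope. The disk plugin's own `rw_files_pattern` line in munin.te is left in place and becomes redundant either way. The template body starts and ends outside this hunk.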
@@ -10827,6 +10955,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ corecmd_exec_bin(munin_$1_plugin_t)
+
++ files_read_usr_files(munin_$1_plugin_t)
++
+ miscfiles_read_localization(munin_$1_plugin_t)
+')
+
@@ -10835,7 +10965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2010-01-18 18:24:22.815530066 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-05-21 13:20:57.917140425 +0200
++++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-08-05 13:47:47.560085330 +0200
@@ -28,6 +28,20 @@
type munin_var_run_t alias lrrd_var_run_t;
files_pid_file(munin_var_run_t)
@@ -10875,6 +11005,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# local policy for disk plugins
+#
+
++allow munin_disk_plugin_t self:capability { sys_rawio };
++
+allow munin_disk_plugin_t self:tcp_socket create_stream_socket_perms;
+
+rw_files_pattern(munin_disk_plugin_t, munin_var_lib_t, munin_var_lib_t)
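Review bot: `allow munin_disk_plugin_t self:capability { sys_rawio };`, together with `storage_raw_read_fixed_disk(munin_disk_plugin_t)` in the next hunk, lets the disk plugin domain read block devices directly, which bypasses per-file labels for everything stored on them. Nothing in the policy says which plugin needs this; add a comment naming it (presumably a SMART or temperature probe, to be confirmed) and consider gating both rules behind a boolean that defaults to off, as this commit does for `clamd_use_jit`. The braces around the single capability are unnecessary: `allow munin_disk_plugin_t self:capability sys_rawio;`.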
@@ -10893,6 +11025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+dev_read_sysfs(munin_disk_plugin_t)
+dev_read_urand(munin_disk_plugin_t)
+
++storage_raw_read_fixed_disk(munin_disk_plugin_t)
+storage_getattr_fixed_disk_dev(munin_disk_plugin_t)
+
+sysnet_read_config(munin_disk_plugin_t)
@@ -10912,8 +11045,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+allow munin_mail_plugin_t self:capability dac_override;
+
-+rw_files_pattern(munin_mail_plugin_t, munin_var_lib_t, munin_var_lib_t)
-+
+dev_read_urand(munin_mail_plugin_t)
+
+files_read_etc_files(munin_mail_plugin_t)
@@ -10996,8 +11127,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+allow munin_system_plugin_t self:udp_socket create_socket_perms;
+
-+rw_files_pattern(munin_system_plugin_t, munin_var_lib_t, munin_var_lib_t)
-+
+kernel_read_network_state(munin_system_plugin_t)
+kernel_read_all_sysctls(munin_system_plugin_t)
+
@@ -11013,6 +11142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+domain_read_all_domains_state(munin_system_plugin_t)
+
+term_getattr_all_ptys(munin_system_plugin_t)
++term_getattr_unallocated_ttys(munin_system_plugin_t)
+
+# needed by users plugin
+init_read_utmp(munin_system_plugin_t)
@@ -14032,7 +14162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_read_cifs_files(rsync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-03-18 14:27:30.841764712 +0100
++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-08-05 13:39:21.371085170 +0200
@@ -208,7 +208,7 @@
files_read_usr_symlinks(samba_net_t)
@@ -14103,7 +14233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow swat_t nmbd_t:process { signal signull };
allow swat_t nmbd_exec_t:file mmap_file_perms;
-@@ -693,6 +701,8 @@
+@@ -693,11 +701,14 @@
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -14112,7 +14242,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
-@@ -828,7 +838,9 @@
+ allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+ allow swat_t winbind_var_run_t:sock_file { create unlink };
++read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
+
+ kernel_read_kernel_sysctls(swat_t)
+ kernel_read_system_state(swat_t)
+@@ -828,7 +839,9 @@
corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
@@ -14122,7 +14258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
-@@ -838,7 +850,7 @@
+@@ -838,7 +851,7 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -15060,6 +15196,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################
## <summary>
## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.6.32/policy/modules/services/varnishd.te
+--- nsaserefpolicy/policy/modules/services/varnishd.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/varnishd.te 2010-08-05 13:40:19.106085338 +0200
+@@ -51,7 +51,9 @@
+ # varnishd local policy
+ #
+
+-allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
++allow varnishd_t self:capability { dac_override ipc_lock kill setuid setgid };
++dontaudit varnishd_t self:capability sys_tty_config;
++
+ allow varnishd_t self:process signal;
+ allow varnishd_t self:fifo_file rw_fifo_file_perms;
+ allow varnishd_t self:tcp_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-01-18 18:24:22.913542181 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-04-06 08:25:52.847789753 +0200
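Review bot: The `kill` capability is added to varnishd_t without a comment explaining which signal delivery needs it, while the only visible process rule stays `allow varnishd_t self:process signal;`. A line such as `# kill: the manager process signals its child after the child changes uid` (if that is the reason; it is not shown here) would let a later reviewer judge whether the capability is still required. The same applies to the new `dontaudit varnishd_t self:capability sys_tty_config;`, which hides a denial without recording its source.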
@@ -15118,7 +15268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-03-23 13:23:37.331641076 +0100
++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-08-05 13:55:06.111335355 +0200
@@ -1,5 +1,5 @@
-policy_module(virt, 1.2.1)
@@ -15168,7 +15318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
read_files_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -370,6 +382,7 @@
+@@ -370,16 +382,19 @@
tunable_policy(`virt_use_fusefs',`
fs_read_fusefs_files(svirt_t)
@@ -15176,7 +15326,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`virt_use_nfs',`
-@@ -429,11 +442,13 @@
+ fs_manage_nfs_dirs(svirt_t)
+ fs_manage_nfs_files(svirt_t)
++ fs_manage_nfs_named_sockets(svirt_t)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(svirt_t)
+ fs_manage_cifs_files(svirt_t)
++ fs_manage_cifs_named_sockets(svirt_t)
+ ')
+
+ tunable_policy(`virt_use_usb',`
+@@ -429,11 +444,13 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -15191,7 +15353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(virt_domain)
-@@ -446,6 +461,11 @@
+@@ -446,6 +463,11 @@
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -16516,7 +16678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-05-05 15:11:20.701878862 +0200
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-08-05 13:49:43.778084944 +0200
@@ -1,5 +1,5 @@
-policy_module(xserver, 3.2.3)
@@ -16878,7 +17040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
-@@ -566,7 +597,6 @@
+@@ -566,13 +597,13 @@
logging_read_generic_logs(xdm_t)
@@ -16886,7 +17048,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_search_man_pages(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-@@ -583,6 +613,7 @@
+ miscfiles_manage_fonts_cache(xdm_t)
+ miscfiles_manage_localization(xdm_t)
+ miscfiles_read_hwdata(xdm_t)
++miscfiles_setattr_fonts_dirs(xdm_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(xdm_t)
+ userdom_create_all_users_keys(xdm_t)
+@@ -583,6 +614,7 @@
userdom_signal_all_users(xdm_t)
userdom_stream_connect(xdm_t)
userdom_manage_user_tmp_dirs(xdm_t)
@@ -16894,7 +17063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
-@@ -635,6 +666,7 @@
+@@ -635,6 +667,7 @@
dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
xserver_xdm_append_log(xdm_dbusd_t)
@@ -16902,7 +17071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_bin_entry_type(xdm_t)
-@@ -667,7 +699,9 @@
+@@ -667,7 +700,9 @@
')
optional_policy(`
@@ -16912,7 +17081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -685,11 +719,6 @@
+@@ -685,11 +720,6 @@
optional_policy(`
# Do not audit attempts to check whether user root has email
mta_dontaudit_getattr_spool_files(xdm_t)
@@ -16924,7 +17093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -705,13 +734,18 @@
+@@ -705,13 +735,18 @@
')
optional_policy(`
@@ -16945,7 +17114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# On crash gdm execs gdb to dump stack
-@@ -726,6 +760,10 @@
+@@ -726,6 +761,10 @@
')
optional_policy(`
@@ -16956,7 +17125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
-@@ -767,6 +805,14 @@
+@@ -767,6 +806,14 @@
# X server local policy
#
@@ -16971,7 +17140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
-@@ -802,18 +848,12 @@
+@@ -802,18 +849,12 @@
allow xserver_t xauth_home_t:file read_file_perms;
@@ -16991,7 +17160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -907,6 +947,7 @@
+@@ -907,6 +948,7 @@
mls_process_write_to_clearance(xserver_t)
mls_file_read_to_clearance(xserver_t)
mls_file_write_all_levels(xserver_t)
@@ -16999,7 +17168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -928,13 +969,14 @@
+@@ -928,13 +970,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -17015,7 +17184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -952,7 +994,7 @@
+@@ -952,7 +995,7 @@
')
ifdef(`enable_mls',`
@@ -17024,7 +17193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -961,15 +1003,17 @@
+@@ -961,15 +1004,17 @@
# but typeattribute doesnt work in conditionals
allow xserver_t xserver_t:x_server *;
@@ -17045,7 +17214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t xextension_type:x_extension *;
allow xserver_t { x_domain xserver_t }:x_resource *;
allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
-@@ -1016,6 +1060,7 @@
+@@ -1016,6 +1061,7 @@
# cjp: when xdm is configurable via tunable these
# rules will be enabled only when xdm is enabled
@@ -17053,7 +17222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t xdm_t:process { signal getpgid };
allow xserver_t xdm_t:shm rw_shm_perms;
-@@ -1027,9 +1072,9 @@
+@@ -1027,9 +1073,9 @@
read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
# Label pid and temporary files with derived types.
@@ -17066,7 +17235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Run xkbcomp.
allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -1088,136 +1133,139 @@
+@@ -1088,136 +1134,139 @@
#
# Hacks
@@ -18951,8 +19120,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-04-21 14:18:56.424659141 +0200
-@@ -87,6 +87,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-08-05 14:12:26.900335094 +0200
+@@ -6,6 +6,13 @@
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow dhcpc client applications to execute iptables commands
++## </p>
++## </desc>
++gen_tunable(dhcpc_exec_iptables, false)
++
+ # this is shared between dhcpc and dhcpd:
+ type dhcp_etc_t;
+ typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+@@ -87,6 +94,7 @@
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
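Review bot: The description added for `dhcpc_exec_iptables` says dhcpc may "execute iptables commands", but the rule this boolean gates in the later sysnetwork.te hunk is `iptables_domtrans(dhcpc_t)`, a transition into the iptables domain rather than an execution inside dhcpc_t. An administrator deciding whether to enable the boolean should be able to read that from the description, since dhcpc_t acts on lease data received from the network and the transition presumably lets its hook scripts change the firewall ruleset. I would word it as `## Allow dhcpc client applications to run iptables in the iptables domain and change firewall rules`. The default of `false` is the right choice and should stay.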
@@ -18960,7 +19143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(dhcpc_t)
kernel_request_load_module(dhcpc_t)
kernel_use_fds(dhcpc_t)
-@@ -157,7 +158,7 @@
+@@ -157,7 +165,7 @@
')
optional_policy(`
@@ -18969,7 +19152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -374,6 +375,7 @@
+@@ -374,6 +382,14 @@
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -18977,6 +19160,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
')
++
++optional_policy(`
++ tunable_policy(`dhcpc_exec_iptables',`
++ iptables_domtrans(dhcpc_t)
++ ')
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100
+++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-09 09:59:57.514626722 +0100
@@ -19023,7 +19213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-03-09 16:30:07.806384243 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-08-05 14:30:31.764085111 +0200
@@ -461,7 +461,7 @@
xserver_create_xdm_tmp_sockets($1)
# Needed for escd, remove if we get escd policy
@@ -19118,6 +19308,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow Search /root
## </summary>
## <param name="domain">
+@@ -3759,6 +3792,26 @@
+ read_files_pattern($1, admin_home_t, admin_home_t)
+ ')
+
++######################################
++## <summary>
++## Read admin home files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_dontaudit_read_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:dir search_dir_perms;
++ dontaudit $1 admin_home_t:file read_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute admin home files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.32/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-01-18 18:24:22.984543460 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.te 2010-04-16 09:59:51.257614843 +0200
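Review bot: The header of the new `userdom_dontaudit_read_admin_home_files` interface is copied from the allow variant: its summary reads "Read admin home files." and the parameter says "Domain allowed access.", while the body contains only `dontaudit` rules and grants nothing. The summary should be `## Do not audit attempts to read admin home files.` and the parameter text `## Domain to not audit.`; the `<rolecap/>` tag also looks like a copy leftover and can probably go. Callers should keep in mind that these rules remove the matching AVC denials on admin_home_t from the audit log, so failed reads of the admin home directory by the calling domain are no longer visible unless dontaudit rules are disabled with `semodule -DB`.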
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9ae3c49..d7ff18a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 119%{?dist}
+Release: 120%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,14 @@ exit 0
%endif
%changelog
+* Thu Aug 5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-120
+- Fixes for cobbler policy
+- Dont audit varnishd sys_tty_config capability
+- Allow varnishd kill capability
+- Fixes for munin policy
+- Change label for /var/tmp
+- Add clamd_use_jit boolean
+
* Wed Jun 23 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-119
- Allow rpm to execute rpm tmp files
- Allow denyhosts to send syslog messages