[selinux-policy/f13/master] - Add support for luci - Add label for /var/spool/up2date

Miroslav Grepl mgrepl at fedoraproject.org
Fri Aug 6 12:36:39 UTC 2010


commit 7ac049fd2ea6a29878041041ea980b603c9869f6
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Aug 6 14:34:25 2010 +0200

    - Add support for luci
    - Add label for /var/spool/up2date

 policy-F13.patch    |  213 ++++++++++++++++++++++++++++++++++++++++-----------
 selinux-policy.spec |    6 +-
 2 files changed, 173 insertions(+), 46 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 8411ffc..ccd98ff 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -791,8 +791,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.7.19/policy/modules/admin/ncftool.te
 --- nsaserefpolicy/policy/modules/admin/ncftool.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te	2010-08-04 14:43:51.328085349 +0200
-@@ -0,0 +1,81 @@
++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te	2010-08-06 12:08:25.383084696 +0200
+@@ -0,0 +1,85 @@
 +
 +policy_module(ncftool,1.0.0)
 +
@@ -866,12 +866,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
 +
 +userdom_read_user_tmp_files(ncftool_t)
 +
++#optional_policy(`
++#	brctl_domtrans(ncftool_t)
++#')
++
 +optional_policy(`
-+	brctl_domtrans(ncftool_t)
++	dbus_system_bus_client(ncftool_t)
 +')
 +
 +optional_policy(`
-+        dbus_system_bus_client(ncftool_t)
++	iptables_initrc_domtrans(ncftool_t)
 +')
 +
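Review bot: The brctl transition is disabled by commenting it out (`#optional_policy(` … `#')`) rather than removed, and neither the commit message nor the spec changelog records that the -43 entry "Allow ncftool to run brctl" is being reverted; either delete the block or leave a one-line `# brctl_domtrans dropped: <reason / bug ref>` so the next reader does not re-add it. The new `iptables_initrc_domtrans(ncftool_t)` hands ncftool a transition into the iptables init-script domain, which is enough to restart or flush the host firewall; that is a meaningful privilege for a network-configuration tool and deserves a comment naming the operation that needs it. Whether the init-script domain is the right target rather than a plain `iptables_domtrans(ncftool_t)` depends on what ncftool actually executes, which is not visible here.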
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.19/policy/modules/admin/netutils.fc
@@ -1226,7 +1230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
  fs_dontaudit_read_ramfs_files(readahead_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.19/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/rpm.fc	2010-07-13 15:40:51.058503014 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/rpm.fc	2010-08-05 16:24:23.494085276 +0200
 @@ -1,18 +1,20 @@
  
  /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1254,7 +1258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
  
  ifdef(`distro_redhat', `
  /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -21,15 +23,23 @@
+@@ -21,15 +23,25 @@
  /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1268,6 +1272,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
  /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
++
++/var/spool/up2date(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
  
  /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
  /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
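Review bot: The new `/var/spool/up2date(/.*)?` entry only takes effect for paths present at relabel time; if up2date (labelled rpm_exec_t a few lines up) creates the spool directory itself at runtime, the directory inherits the /var/spool label and nothing in this hunk adds a file transition for it, so a matching `files_spool_filetrans(rpm_t, rpm_var_cache_t, dir)` in rpm.te may be needed — confirm against the AVC that motivated the label. Labelling a directory of downloaded packages awaiting install with the same cache type as /var/cache/yum is consistent with the lines above, but it is worth a short comment that these are installer inputs, not disposable cache. The entry also uses a single tab where the neighbouring lines align with three, so the column drifts in the .fc file.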
@@ -5647,7 +5653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.19/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.te	2010-07-13 08:42:05.605502749 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.te	2010-08-05 10:55:36.778085667 +0200
 @@ -0,0 +1,299 @@
 +
 +policy_module(nsplugin, 1.0.0)
@@ -5679,7 +5685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +type nsplugin_rw_t;
 +files_poly_member(nsplugin_rw_t)
-+userdom_user_home_content(nsplugin_rw_t)
++files_type(nsplugin_rw_t)
 +
 +type nsplugin_tmp_t;
 +files_tmp_file(nsplugin_tmp_t)
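Review bot: Replacing `userdom_user_home_content(nsplugin_rw_t)` with `files_type(nsplugin_rw_t)` silently changes who can reach this type: nsplugin_rw_t drops out of the user-home-content attribute, so every domain that was covered through the generic `userdom_*_user_home_content_*` interfaces loses access to these files, while rules that name nsplugin_rw_t explicitly are unaffected. If the intent is that only nsplugin domains and the explicit rules touch these files that is a tightening, but it is mentioned in neither the commit message nor the changelog; suggest `# deliberately not user home content: only nsplugin_t and the explicit rules below reach it` above the declaration. Check that the .fc entries for nsplugin_rw_t (not in this hunk) still make sense if the files live under home directories, since home-directory relabelling keys on the attribute.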
@@ -8410,7 +8416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in	2010-07-14 11:12:04.568158290 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in	2010-08-05 11:50:26.359085282 +0200
 @@ -25,6 +25,7 @@
  #
  type tun_tap_device_t;
@@ -8479,7 +8485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
-@@ -125,39 +133,52 @@
+@@ -125,39 +133,53 @@
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
  network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@@ -8493,6 +8499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
  network_port(lmtp, tcp,24,s0, udp,24,s0)
 +network_port(lirc, tcp,8765,s0)
++network_port(luci, tcp,8084,s0)
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
  network_port(mail, tcp,2000,s0, tcp,3905,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
@@ -8534,7 +8541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -177,18 +198,22 @@
+@@ -177,18 +199,22 @@
  network_port(rsync, tcp,873,s0, udp,873,s0)
  network_port(rwho, udp,513,s0)
  network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -8558,7 +8565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -201,23 +226,23 @@
+@@ -201,23 +227,23 @@
  network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -11211,7 +11218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
  /dev/jsflash		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.19/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/storage.if	2010-05-28 09:42:00.041610572 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/storage.if	2010-08-06 12:20:38.267333652 +0200
 @@ -101,6 +101,8 @@
  	dev_list_all_dev_nodes($1)
  	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
@@ -11221,7 +11228,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
  	typeattribute $1 fixed_disk_raw_read;
  ')
  
-@@ -572,6 +574,26 @@
+@@ -203,6 +205,8 @@
+ 		type fixed_disk_device_t;
+ 	')
+ 
++	allow $1 self:capability mknod;
++
+ 	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ 	dev_add_entry_generic_dirs($1)
+ ')
+@@ -572,6 +576,26 @@
  
  ########################################
  ## <summary>
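Review bot: `allow $1 self:capability mknod;` is placed inside the interface that creates fixed_disk_device_t block nodes, so every caller now receives CAP_MKNOD unconditionally; the capability is not scoped to fixed-disk nodes, and combined with any other chr_file/blk_file create permission the caller holds it allows creating arbitrary device nodes. Creating a block device does require CAP_MKNOD, so the grant is logically consistent, but refpolicy generally keeps `self:capability` grants in the calling domain's .te so the privilege is visible where that domain is audited; consider moving it to the caller(s), or at least record it in the interface's description (`## Grants CAP_MKNOD to the caller.`). The interface's name and summary are outside this hunk.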
@@ -23174,7 +23190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ##	All of the rules required to administrate 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/munin.te	2010-08-02 09:03:13.550641907 +0200
++++ serefpolicy-3.7.19/policy/modules/services/munin.te	2010-08-06 12:19:29.129334324 +0200
 @@ -28,12 +28,26 @@
  type munin_var_run_t alias lrrd_var_run_t;
  files_pid_file(munin_var_run_t)
@@ -23213,7 +23229,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  
  # Allow access to the munin databases
  manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -131,8 +146,13 @@
+@@ -108,6 +123,7 @@
+ 
+ miscfiles_read_fonts(munin_t)
+ miscfiles_read_localization(munin_t)
++miscfiles_setattr_fonts_cache_dirs(munin_t) 
+ 
+ sysnet_exec_ifconfig(munin_t)
+ 
+@@ -131,8 +147,13 @@
  ')
  
  optional_policy(`
@@ -23227,7 +23251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  	mta_read_queue(munin_t)
  ')
  
-@@ -147,6 +167,7 @@
+@@ -147,6 +168,7 @@
  
  optional_policy(`
  	postfix_list_spool(munin_t)
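Review bot: The added line `miscfiles_setattr_fonts_cache_dirs(munin_t) ` carries a trailing space after the closing parenthesis; refpolicy's style checks flag trailing whitespace and it makes later diffs noisy, so drop it. It is also worth checking whether munin genuinely needs to change attributes of the font cache directories or whether the denial came from fontconfig touching cache timestamps while rendering graphs; in the latter case `miscfiles_dontaudit_setattr_fonts_cache_dirs(munin_t)` keeps the cache read-only for the daemon — confirm against the AVC.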
@@ -23235,7 +23259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ')
  
  optional_policy(`
-@@ -164,3 +185,160 @@
+@@ -164,3 +186,160 @@
  optional_policy(`
  	udev_read_db(munin_t)
  ')
@@ -24588,7 +24612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
 +/var/run/yppass.*	--	gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.19/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/nis.if	2010-05-28 09:42:00.136610568 +0200
++++ serefpolicy-3.7.19/policy/modules/services/nis.if	2010-08-06 12:16:38.934083793 +0200
 @@ -28,7 +28,7 @@
  		type var_yp_t;
  	')
@@ -24598,6 +24622,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  
  	allow $1 self:tcp_socket create_stream_socket_perms;
  	allow $1 self:udp_socket create_socket_perms;
+@@ -38,27 +38,27 @@
+ 	allow $1 var_yp_t:file read_file_perms;
+ 
+ 	corenet_all_recvfrom_unlabeled($1)
+-	corenet_all_recvfrom_netlabel($1)
+-	corenet_tcp_sendrecv_generic_if($1)
+-	corenet_udp_sendrecv_generic_if($1)
+-	corenet_tcp_sendrecv_generic_node($1)
+-	corenet_udp_sendrecv_generic_node($1)
+-	corenet_tcp_sendrecv_all_ports($1)
+-	corenet_udp_sendrecv_all_ports($1)
+-	corenet_tcp_bind_generic_node($1)
+-	corenet_udp_bind_generic_node($1)
+-	corenet_tcp_bind_generic_port($1)
+-	corenet_udp_bind_generic_port($1)
+-	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+-	corenet_dontaudit_udp_bind_all_reserved_ports($1)
+-	corenet_dontaudit_tcp_bind_all_ports($1)
+-	corenet_dontaudit_udp_bind_all_ports($1)
+-	corenet_tcp_connect_portmap_port($1)
+-	corenet_tcp_connect_reserved_port($1)
+-	corenet_tcp_connect_generic_port($1)
+-	corenet_dontaudit_tcp_connect_all_ports($1)
+-	corenet_sendrecv_portmap_client_packets($1)
+-	corenet_sendrecv_generic_client_packets($1)
++    corenet_all_recvfrom_netlabel($1)
++    corenet_tcp_sendrecv_generic_if($1)
++    corenet_udp_sendrecv_generic_if($1)
++    corenet_tcp_sendrecv_generic_node($1)
++    corenet_udp_sendrecv_generic_node($1)
++    corenet_tcp_sendrecv_all_ports($1)
++    corenet_udp_sendrecv_all_ports($1)
++    corenet_tcp_bind_generic_node($1)
++    corenet_udp_bind_generic_node($1)
++    corenet_tcp_bind_generic_port($1)
++    corenet_udp_bind_generic_port($1)
++    corenet_tcp_bind_all_rpc_ports($1)
++    corenet_udp_bind_all_rpc_ports($1)
++    corenet_dontaudit_tcp_bind_all_ports($1)
++    corenet_dontaudit_udp_bind_all_ports($1)
++    corenet_tcp_connect_portmap_port($1)
++    corenet_tcp_connect_all_reserved_ports($1)
++    corenet_tcp_connect_generic_port($1)
++    corenet_dontaudit_tcp_connect_all_ports($1)
++    corenet_sendrecv_portmap_client_packets($1)
++    corenet_sendrecv_generic_client_packets($1)
+ 	corenet_sendrecv_generic_server_packets($1)
+ 
+ 	sysnet_read_config($1)
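Review bot: Two real permission expansions are buried inside what reads as a whitespace change: the block is reindented from tabs to four spaces, which refpolicy style forbids, and in the same lines `corenet_dontaudit_tcp_bind_all_reserved_ports`/`corenet_dontaudit_udp_bind_all_reserved_ports` become `corenet_tcp_bind_all_rpc_ports`/`corenet_udp_bind_all_rpc_ports`, and `corenet_tcp_connect_reserved_port` becomes `corenet_tcp_connect_all_reserved_ports`. Because `$1` is every domain calling this client interface (the rules read var_yp_t, so presumably `nis_use_ypbind`; the interface head is outside the hunk), each NIS client domain on the system now gains bind on all RPC ports and connect to every reserved port, not just the ypbind daemon. Keep the tabs so the diff shows only the three substantive lines, and consider restricting the widening to the domain that needs it or gating it behind a tunable, with a comment on why the previous dontaudit rules were insufficient.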
 @@ -133,11 +133,37 @@
  
  ########################################
@@ -25503,8 +25576,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.fc serefpolicy-3.7.19/policy/modules/services/piranha.fc
 --- nsaserefpolicy/policy/modules/services/piranha.fc	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/piranha.fc	2010-05-28 09:42:00.148610747 +0200
-@@ -0,0 +1,21 @@
++++ serefpolicy-3.7.19/policy/modules/services/piranha.fc	2010-08-05 10:49:22.814085304 +0200
+@@ -0,0 +1,27 @@
 +
 +/etc/rc\.d/init\.d/pulse	--	gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
 +
@@ -25513,11 +25586,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +
 +/etc/piranha/lvs\.cf		--	gen_context(system_u:object_r:piranha_etc_rw_t,s0)
 +
++/usr/bin/paster         --      gen_context(system_u:object_r:piranha_web_exec_t,s0)
++
 +/usr/sbin/fos               --  gen_context(system_u:object_r:piranha_fos_exec_t,s0)
 +/usr/sbin/lvsd				--	gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
 +/usr/sbin/piranha_gui		--	gen_context(system_u:object_r:piranha_web_exec_t,s0)
 +/usr/sbin/pulse       		--  gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
 +
++/var/lib/luci(/.*)?             gen_context(system_u:object_r:piranha_web_data_t,s0)
++/var/lib/luci/cert(/.*)?        gen_context(system_u:object_r:piranha_web_conf_t,s0)
++/var/lib/luci/etc(/.*)?         gen_context(system_u:object_r:piranha_web_conf_t,s0)
++
 +/var/log/piranha(/.*)?			gen_context(system_u:object_r:piranha_log_t,s0)
 +
 +/var/run/fos\.pid           --  gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
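Review bot: `/usr/bin/paster` is the generic Paste Script launcher rather than a luci-specific binary, so labelling it `piranha_web_exec_t` affects anything that runs paster for another WSGI application, and luci itself could end up unconfined if started by another path; if the service is started from its init script, anchoring the transition on that script or a luci-specific wrapper would be more precise — confirm how luci is launched. The `/var/lib/luci/cert(/.*)?` directory holds luci's TLS private key and is read-only for piranha_web_t in the .te hunk below, which is the right direction, but if luci generates its certificate into that directory on first start this label will break it; verify. The new lines also align columns with spaces while the rest of the file uses tabs.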
@@ -25707,8 +25786,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te
 --- nsaserefpolicy/policy/modules/services/piranha.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/piranha.te	2010-07-09 09:34:16.430135505 +0200
-@@ -0,0 +1,198 @@
++++ serefpolicy-3.7.19/policy/modules/services/piranha.te	2010-08-05 10:47:23.099085304 +0200
+@@ -0,0 +1,225 @@
 +
 +policy_module(piranha,1.0.0)
 +
@@ -25740,6 +25819,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +type piranha_web_tmpfs_t;
 +files_tmpfs_file(piranha_web_tmpfs_t)
 +
++type piranha_web_conf_t;
++files_type(piranha_web_conf_t)
++
++type piranha_web_data_t;
++files_type(piranha_web_data_t)
++
++type piranha_web_tmp_t;
++files_tmp_file(piranha_web_tmp_t)
++
 +permissive piranha_fos_t;
 +permissive piranha_lvs_t;
 +permissive piranha_pulse_t;
@@ -25783,10 +25871,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +
 +rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
 +
++manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
++
++read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
++
 +manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
 +manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
 +logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } )
 +
++can_exec(piranha_web_t, piranha_web_tmp_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
++
 +manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
 +manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
 +fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
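Review bot: `can_exec(piranha_web_t, piranha_web_tmp_t)` together with `manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)` lets the web domain write a file into /tmp and then execute it, which removes most of the benefit of confining a network-facing web UI: a code-execution bug in luci becomes arbitrary native code with the domain's full rights, including the ricci reach granted elsewhere in this file. If this was added for a specific need (for example Python building a native extension or a helper script at runtime) it should carry a comment naming the cause and ideally be narrowed; otherwise drop the `can_exec` line. Separately, `files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)` covers only files, so a directory created directly under /var/lib would get the generic var_lib label — use `{ file dir }` if luci creates its own /var/lib/luci.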
@@ -25796,6 +25895,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +kernel_read_kernel_sysctls(piranha_web_t)
 +
 +corenet_tcp_bind_piranha_port(piranha_web_t)
++corenet_tcp_bind_luci_port(piranha_web_t)
++corenet_tcp_connect_ricci_port(piranha_web_t)
 +
 +dev_read_urand(piranha_web_t)
 +
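Review bot: With `corenet_tcp_bind_luci_port` and `corenet_tcp_connect_ricci_port` the single piranha_web_t domain now covers both the Piranha LVS GUI and the luci cluster-management UI; these are different applications with different exposure (luci can drive cluster nodes through ricci), so a compromise of either inherits the other's rights. A separate luci domain, or at least a comment stating that the sharing is deliberate (`# luci shares piranha_web_t; ricci access is needed to manage cluster nodes`), would make the trust boundary explicit. The permissive declarations for the other piranha domains earlier in this file suggest the policy is still being shaped, so this is the cheap moment to split it.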
@@ -25806,11 +25907,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +consoletype_exec(piranha_web_t)
 +
 +optional_policy(`
++	apache_read_config(piranha_web_t)
 +	apache_getattr_suexec(piranha_web_t)
 +	apache_exec_modules(piranha_web_t)
 +	apache_exec(piranha_web_t)
 +')
 +
++optional_policy(`
++	sasl_connect(piranha_web_t)
++')
++
 +######################################
 +#
 +# piranha-lvs local policy
@@ -29254,8 +29360,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te	2010-07-09 09:10:00.586383981 +0200
-@@ -0,0 +1,244 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te	2010-08-06 12:18:34.559334235 +0200
+@@ -0,0 +1,245 @@
 +
 +policy_module(rhcs,1.1.0)
 +
@@ -29328,6 +29434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +
 +allow fenced_t self:tcp_socket create_stream_socket_perms;
 +allow fenced_t self:udp_socket create_socket_perms;
++allow fenced_t self:unix_stream_socket connectto;
 +
 +can_exec(fenced_t,fenced_exec_t)
 +
@@ -33772,7 +33879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te	2010-08-04 15:12:04.599085274 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te	2010-08-06 12:35:56.607334166 +0200
 @@ -1,5 +1,5 @@
  
 -policy_module(xserver, 3.3.2)
@@ -34518,7 +34625,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +953,6 @@
+@@ -647,6 +927,7 @@
+ # Xorg wants to check if kernel is tainted
+ kernel_read_kernel_sysctls(xserver_t)
+ kernel_write_proc_files(xserver_t)
++kernel_request_load_module(xserver_t)
+ 
+ # Run helper programs in xserver_t.
+ corecmd_exec_bin(xserver_t)
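Review bot: `kernel_request_load_module(xserver_t)` lets the X server trigger kernel module autoloading, a broader privilege than the neighbouring sysctl reads, yet it is the only line in this group without a why-comment while the block above carries `# Xorg wants to check if kernel is tainted`; add one such as `# Xorg triggers module autoload (driver probing) — confirm which driver`. The domain already holds raw device access, so the practical risk increase is limited, but the comment keeps the audit trail clear when the rule is revisited.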
+@@ -673,7 +954,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -34526,7 +34641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -683,9 +962,12 @@
+@@ -683,9 +963,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -34540,7 +34655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +982,13 @@
+@@ -700,8 +983,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -34554,7 +34669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1010,14 @@
+@@ -723,11 +1011,14 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -34569,7 +34684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1069,28 @@
+@@ -779,12 +1070,28 @@
  ')
  
  optional_policy(`
@@ -34599,7 +34714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -811,7 +1117,7 @@
+@@ -811,7 +1118,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -34608,7 +34723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1138,14 @@
+@@ -832,9 +1139,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -34623,7 +34738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1160,14 @@
+@@ -849,11 +1161,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -34640,7 +34755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -999,3 +1313,33 @@
+@@ -999,3 +1314,33 @@
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -36008,7 +36123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te	2010-06-29 10:04:26.921616707 +0200
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te	2010-08-06 12:09:07.432084464 +0200
 @@ -73,7 +73,7 @@
  #
  
@@ -36018,7 +36133,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  allow ipsec_t self:process { getcap setcap getsched signal setsched };
  allow ipsec_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_t self:udp_socket create_socket_perms;
-@@ -167,6 +167,8 @@
+@@ -150,6 +150,7 @@
+ files_list_tmp(ipsec_t)
+ files_read_etc_files(ipsec_t)
+ files_read_usr_files(ipsec_t)
++files_dontaudit_search_home(ipsec_t)
+ 
+ fs_getattr_all_fs(ipsec_t)
+ fs_search_auto_mountpoints(ipsec_t)
+@@ -167,6 +168,8 @@
  miscfiles_read_localization(ipsec_t)
  
  sysnet_domtrans_ifconfig(ipsec_t)
@@ -36027,7 +36150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,7 +188,9 @@
+@@ -186,7 +189,9 @@
  
  allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
  dontaudit ipsec_mgmt_t self:capability sys_tty_config;
@@ -36038,7 +36161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -225,7 +229,6 @@
+@@ -225,7 +230,6 @@
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
  manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -36046,7 +36169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  # whack needs to connect to pluto
  stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -258,7 +261,13 @@
+@@ -258,7 +262,13 @@
  
  domain_use_interactive_fds(ipsec_mgmt_t)
  # denials when ps tries to search /proc. Do not audit these denials.
@@ -36061,7 +36184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  # suppress audit messages about unnecessary socket access
  # cjp: this seems excessive
  domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -270,19 +279,25 @@
+@@ -270,19 +280,25 @@
  files_read_usr_files(ipsec_mgmt_t)
  files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
  files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -36088,7 +36211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  logging_send_syslog_msg(ipsec_mgmt_t)
  
  miscfiles_read_localization(ipsec_mgmt_t)
-@@ -291,15 +306,38 @@
+@@ -291,15 +307,38 @@
  
  seutil_dontaudit_search_config(ipsec_mgmt_t)
  
@@ -36127,7 +36250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  	nscd_socket_use(ipsec_mgmt_t)
  ')
  
-@@ -386,6 +424,8 @@
+@@ -386,6 +425,8 @@
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -36136,7 +36259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +452,7 @@
+@@ -412,6 +453,7 @@
  files_read_etc_files(setkey_t)
  
  init_dontaudit_use_fds(setkey_t)
@@ -36144,7 +36267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  # allow setkey to set the context for ipsec SAs and policy.
  ipsec_setcontext_default_spd(setkey_t)
-@@ -423,3 +464,4 @@
+@@ -423,3 +465,4 @@
  seutil_read_config(setkey_t)
  
  userdom_use_user_terminals(setkey_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9d53773..e9017a3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 43%{?dist}
+Release: 44%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
 %endif
 
 %changelog
+* Thu Aug 5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-44
+- Add support for luci
+- Add label for /var/spool/up2date
+
 * Wed Aug 4 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-43
 - Allow ncftool to run brctl
 - Fixes for ricci-modclusterd policy

