[selinux-policy] * Tue Aug 10 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-12 - Fix devicekit_power bug - Allow policykit

Daniel J Walsh dwalsh at fedoraproject.org
Wed Aug 11 12:58:18 UTC 2010


commit b12ede2ac05ff179c19d8236079cc81488dab277
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Aug 11 08:58:16 2010 -0400

    * Tue Aug 10 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-12
    - Fix devicekit_power bug
    - Allow policykit_auth_t more access.

 policy-F14.patch |  164 +++++++++++++++++++++++++++++++++++++++---------------
 1 files changed, 118 insertions(+), 46 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index bb9a0b2..855dace 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -570,7 +570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
 +/var/lib/alsa(/.*)?				gen_context(system_u:object_r:alsa_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.8.8/policy/modules/admin/alsa.if
 --- nsaserefpolicy/policy/modules/admin/alsa.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/alsa.if	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/alsa.if	2010-08-11 08:22:58.000000000 -0400
 @@ -1,8 +1,9 @@
 -## <summary>Ainit ALSA configuration tool</summary>
 +## <summary>Advanced Linux Sound Architecture.</summary>
@@ -677,7 +677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
 +		type alsa_home_t;
 +	')
 +
-+	allow $1 also_home_t:file read_file_perms;
++	allow $1 alsa_home_t:file read_file_perms;
 +	userdom_search_user_home_dirs($1)
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.8.8/policy/modules/admin/alsa.te
@@ -1591,8 +1591,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.8/policy/modules/admin/ncftool.te
 --- nsaserefpolicy/policy/modules/admin/ncftool.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te	2010-08-10 05:23:35.000000000 -0400
-@@ -0,0 +1,87 @@
++++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te	2010-08-11 08:45:52.000000000 -0400
+@@ -0,0 +1,91 @@
 +policy_module(ncftool, 1.0.0)
 +
 +########################################
@@ -1680,6 +1680,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
 +optional_policy(`
 +	iptables_initrc_domtrans(ncftool_t)
 +')
++
++optional_policy(`
++	netutils_domtrans(ncftool_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.8/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2010-07-27 16:06:04.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/admin/netutils.te	2010-07-30 14:06:53.000000000 -0400
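Review bot: The new `netutils_domtrans(ncftool_t)` block carries no comment saying which utility ncftool actually executes, and netutils_t is not a single-tool domain in refpolicy, so a reader cannot tell whether this transition is the narrowest fit. A one-line note above the call, e.g. `# ncftool runs <tool> (TODO confirm) via the netutils domain`, would record the trigger and let a later reviewer judge whether a more specific interface exists. The ncftool.te file is wholly new in this patch and the hunk shows its tail, so the declarations it depends on are outside this hunk.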
@@ -1767,7 +1771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te	2010-08-10 07:29:36.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/prelink.te	2010-08-11 08:24:20.000000000 -0400
 @@ -59,6 +59,7 @@
  manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@@ -1821,6 +1825,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  
  	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
  	allow prelink_cron_system_t prelink_t:process noatsecure;
+@@ -158,6 +169,8 @@
+ 
+ 	cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+ 
++	userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
++
+ 	optional_policy(`
+ 		rpm_read_db(prelink_cron_system_t)
+ 	')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.if serefpolicy-3.8.8/policy/modules/admin/quota.if
 --- nsaserefpolicy/policy/modules/admin/quota.if	2010-07-27 16:12:33.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/admin/quota.if	2010-07-30 14:06:53.000000000 -0400
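Review bot: `userdom_dontaudit_list_admin_dir(prelink_cron_system_t)` is added without a comment recording the denial it silences, and the same applies to `userdom_dontaudit_search_admin_dir(cups_pdf_t)` in the cups.te hunk further down. dontaudit rules are hard to retire later because the access they cover stops appearing in the audit log, so a short note of the trigger is worth keeping next to each one, e.g. `# silence listing of admin home dirs by the prelink cron job — TODO confirm trigger`. If either domain ever does need the admin-directory access, the dontaudit will also hide that failure, which is the main reason to document the assumption. The enclosing prelink_cron_system_t rules continue outside this hunk.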
@@ -4405,8 +4418,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te	2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,68 @@
++++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te	2010-08-11 08:49:51.000000000 -0400
+@@ -0,0 +1,69 @@
 +policy_module(kdumpgui,1.0.0)
 +
 +########################################
@@ -4453,6 +4466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
 +files_manage_boot_symlinks(kdumpgui_t)
 +# Needed for running chkconfig
 +files_manage_etc_symlinks(kdumpgui_t)
++files_read_usr_files(kdumpgui_t)
 +
 +auth_use_nsswitch(kdumpgui_t)
 +
@@ -5175,8 +5189,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te	2010-08-10 11:45:49.000000000 -0400
-@@ -0,0 +1,300 @@
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te	2010-08-11 08:01:15.000000000 -0400
+@@ -0,0 +1,301 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -5241,6 +5255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +allow nsplugin_t self:msgq create_msgq_perms;
 +allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +allow nsplugin_t self:unix_dgram_socket create_socket_perms;
++allow nsplugin_t nsplugin_rw_t:dir search_dir_perms;
 +
 +tunable_policy(`allow_nsplugin_execmem',`
 +	allow nsplugin_t self:process { execstack execmem };
@@ -5640,7 +5655,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.8.8/policy/modules/apps/podsleuth.te
 --- nsaserefpolicy/policy/modules/apps/podsleuth.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te	2010-08-11 08:27:39.000000000 -0400
+@@ -27,7 +27,7 @@
+ # podsleuth local policy
+ #
+ allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+-allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
++allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+ allow podsleuth_t self:fifo_file rw_file_perms;
+ allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+ allow podsleuth_t self:sem create_sem_perms;
 @@ -73,6 +73,7 @@
  sysnet_dns_name_resolve(podsleuth_t)
  
@@ -6687,7 +6711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te	2010-08-06 12:05:20.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te	2010-08-11 08:01:44.000000000 -0400
 @@ -5,40 +5,45 @@
  # Declarations
  #
@@ -9885,7 +9909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.8/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te	2010-08-11 08:20:53.000000000 -0400
 @@ -27,17 +27,29 @@
  
  corecmd_exec_shell(sysadm_t)
@@ -10022,17 +10046,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	hostname_run(sysadm_t, sysadm_r)
-@@ -199,6 +230,9 @@
+@@ -199,6 +230,13 @@
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
 +	ipsec_run_setkey(sysadm_t, sysadm_r)
 +	ipsec_run_racoon(sysadm_t, sysadm_r)
 +	ipsec_stream_connect_racoon(sysadm_t)
++
++	optional_policy(`
++		ipsec_mgmt_dbus_chat(sysadm_t)
++	')
  ')
  
  optional_policy(`
-@@ -206,12 +240,18 @@
+@@ -206,12 +244,18 @@
  ')
  
  optional_policy(`
@@ -10051,7 +10079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	kudzu_run(sysadm_t, sysadm_r)
-@@ -221,9 +261,11 @@
+@@ -221,9 +265,11 @@
  	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
@@ -10063,7 +10091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	logrotate_run(sysadm_t, sysadm_r)
-@@ -246,8 +288,10 @@
+@@ -246,8 +292,10 @@
  
  optional_policy(`
  	mount_run(sysadm_t, sysadm_r)
@@ -10074,7 +10102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  optional_policy(`
  	mozilla_role(sysadm_r, sysadm_t)
  ')
-@@ -255,6 +299,7 @@
+@@ -255,6 +303,7 @@
  optional_policy(`
  	mplayer_role(sysadm_r, sysadm_t)
  ')
@@ -10082,7 +10110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	mta_role(sysadm_r, sysadm_t)
-@@ -269,6 +314,10 @@
+@@ -269,6 +318,10 @@
  ')
  
  optional_policy(`
@@ -10093,7 +10121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	netutils_run(sysadm_t, sysadm_r)
  	netutils_run_ping(sysadm_t, sysadm_r)
  	netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -302,8 +351,14 @@
+@@ -302,8 +355,14 @@
  ')
  
  optional_policy(`
@@ -10108,7 +10136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	quota_run(sysadm_t, sysadm_r)
-@@ -313,9 +368,11 @@
+@@ -313,9 +372,11 @@
  	raid_domtrans_mdadm(sysadm_t)
  ')
  
@@ -10120,7 +10148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	rpc_domtrans_nfsd(sysadm_t)
-@@ -325,9 +382,11 @@
+@@ -325,9 +386,11 @@
  	rpm_run(sysadm_t, sysadm_r)
  ')
  
@@ -10132,7 +10160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	rsync_exec(sysadm_t)
-@@ -352,8 +411,14 @@
+@@ -352,8 +415,14 @@
  ')
  
  optional_policy(`
@@ -10147,7 +10175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -376,9 +441,11 @@
+@@ -376,9 +445,11 @@
  	sysnet_run_dhcpc(sysadm_t, sysadm_r)
  ')
  
@@ -10159,7 +10187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -387,17 +454,21 @@
+@@ -387,17 +458,21 @@
  	tripwire_run_twprint(sysadm_t, sysadm_r)
  ')
  
@@ -10181,7 +10209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	unconfined_domtrans(sysadm_t)
-@@ -411,9 +482,11 @@
+@@ -411,9 +486,11 @@
  	usbmodules_run(sysadm_t, sysadm_r)
  ')
  
@@ -10193,7 +10221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -421,9 +494,15 @@
+@@ -421,9 +498,15 @@
  	usermanage_run_useradd(sysadm_t, sysadm_r)
  ')
  
@@ -10209,7 +10237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	vpn_run(sysadm_t, sysadm_r)
-@@ -434,13 +513,30 @@
+@@ -434,13 +517,30 @@
  ')
  
  optional_policy(`
@@ -10925,7 +10953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te	2010-08-11 07:44:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te	2010-08-11 08:23:36.000000000 -0400
 @@ -0,0 +1,453 @@
 +policy_module(unconfineduser, 1.0.0)
 +
@@ -14445,7 +14473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
  corenet_udp_bind_chronyd_port(chronyd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/clamav.te	2010-08-10 08:26:22.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/clamav.te	2010-08-11 08:54:31.000000000 -0400
 @@ -80,6 +80,7 @@
  files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
  
@@ -14466,7 +14494,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
-@@ -189,6 +191,7 @@
+@@ -182,6 +184,8 @@
+ allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+ logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+ 
++kernel_read_kernel_sysctls(freshclam_t)
++
+ corenet_all_recvfrom_unlabeled(freshclam_t)
+ corenet_all_recvfrom_netlabel(freshclam_t)
+ corenet_tcp_sendrecv_generic_if(freshclam_t)
+@@ -189,6 +193,7 @@
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -14474,7 +14511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,6 +210,8 @@
+@@ -207,6 +212,8 @@
  
  clamav_stream_connect(freshclam_t)
  
@@ -15231,6 +15268,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 +	# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
 +	dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms;
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.8.8/policy/modules/services/consolekit.if
+--- nsaserefpolicy/policy/modules/services/consolekit.if	2010-07-27 16:06:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/consolekit.if	2010-08-11 08:07:53.000000000 -0400
+@@ -95,3 +95,22 @@
+ 	files_search_pids($1)
+ 	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+ ')
++
++########################################
++## <summary>
++##	List consolekit PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`consolekit_list_pid_files',`
++	gen_require(`
++		type consolekit_var_run_t;
++	')
++
++	files_search_pids($1)
++	list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.8.8/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2010-07-27 16:06:05.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/consolekit.te	2010-07-30 14:06:53.000000000 -0400
@@ -16030,7 +16093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cups.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cups.te	2010-08-11 08:24:50.000000000 -0400
 @@ -15,6 +15,7 @@
  type cupsd_t;
  type cupsd_exec_t;
@@ -16109,7 +16172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -587,13 +599,18 @@
+@@ -587,13 +599,19 @@
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -16119,6 +16182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
  userdom_manage_user_home_content_dirs(cups_pdf_t)
  userdom_manage_user_home_content_files(cups_pdf_t)
++userdom_dontaudit_search_admin_dir(cups_pdf_t)
  
  lpd_manage_spool(cups_pdf_t)
  
@@ -21232,7 +21296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.te	2010-08-10 11:37:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.te	2010-08-11 08:57:21.000000000 -0400
 @@ -24,6 +24,9 @@
  type policykit_reload_t alias polkit_reload_t;
  files_type(policykit_reload_t)
@@ -21277,7 +21341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  
  auth_use_nsswitch(policykit_t)
  
-@@ -67,45 +77,84 @@
+@@ -67,45 +77,89 @@
  
  miscfiles_read_localization(policykit_t)
  
@@ -21298,6 +21362,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 +')
 +
 +optional_policy(`
++	consolekit_list_pid_files(policykit_t)
++	consolekit_read_pid_files(policykit_t)
++')
++
++optional_policy(`
 +	gnome_read_config(policykit_t)
 +')
  
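Review bot: The commit message says "Allow policykit_auth_t more access", but the two rules added here, `consolekit_list_pid_files(policykit_t)` and `consolekit_read_pid_files(policykit_t)`, target policykit_t, the daemon domain; the only policykit_auth_t hunk in this diff (`@@ -118,6 +172,14 @@`) is a line-number renumber. Either the message or the target domain looks off, so it is worth confirming from the original AVC denial which domain needed the ConsoleKit PID files. The `consolekit_list_pid_files` interface used here is introduced by the consolekit.if hunk in the same commit, so the optional_policy wrapper is appropriate. I also do not see any devicekit hunk in this diff despite the "Fix devicekit_power bug" line, which may belong to a neighbouring commit. The policykit_t rules continue outside this hunk.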
@@ -21368,7 +21437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -118,6 +167,14 @@
+@@ -118,6 +172,14 @@
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -21383,7 +21452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  ########################################
  #
  # polkit_grant local policy
-@@ -125,7 +182,8 @@
+@@ -125,7 +187,8 @@
  
  allow policykit_grant_t self:capability setuid;
  allow policykit_grant_t self:process getattr;
@@ -21393,7 +21462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -155,9 +213,12 @@
+@@ -155,9 +218,12 @@
  userdom_read_all_users_state(policykit_grant_t)
  
  optional_policy(`
@@ -21407,7 +21476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -169,7 +230,8 @@
+@@ -169,7 +235,8 @@
  
  allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
  allow policykit_resolve_t self:process getattr;
@@ -27516,7 +27585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.te	2010-08-05 16:01:15.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.te	2010-08-11 08:03:36.000000000 -0400
 @@ -35,6 +35,13 @@
  
  ## <desc>
@@ -27863,7 +27932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +fs_read_noxattr_fs_files(xdm_t)
 +fs_dontaudit_list_fusefs(xdm_t)
 +fs_manage_cgroup_dirs(xdm_t)
-+fs_rw_cgroup_files(xdm_t)
++fs_manage_cgroup_files(xdm_t)
 +
 +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
 +
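Review bot: `fs_rw_cgroup_files(xdm_t)` becomes `fs_manage_cgroup_files(xdm_t)`, which adds create, unlink, rename and setattr on cgroup files to the display manager, and nothing in the hunk says what needed it; the `fs_manage_cgroup_dirs(xdm_t)` line just above is likewise uncommented. A short comment on the trigger, e.g. `# xdm creates and removes per-session cgroup files — TODO confirm denial`, would let this be narrowed back to rw later if the need goes away. The xdm_t rules continue outside this hunk.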
@@ -29306,7 +29375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
  ## <rolecap/>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.8/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/hotplug.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/hotplug.te	2010-08-11 08:14:12.000000000 -0400
 @@ -23,7 +23,7 @@
  #
  
@@ -29316,7 +29385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
  # for access("/etc/bashrc", X_OK) on Red Hat
  dontaudit hotplug_t self:capability { dac_override dac_read_search };
  allow hotplug_t self:process { setpgid getsession getattr signal_perms };
-@@ -39,12 +39,14 @@
+@@ -39,14 +39,16 @@
  
  can_exec(hotplug_t, hotplug_exec_t)
  
@@ -29330,7 +29399,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
  kernel_read_system_state(hotplug_t)
 +kernel_read_network_state(hotplug_t)
  kernel_read_kernel_sysctls(hotplug_t)
- kernel_read_net_sysctls(hotplug_t)
+-kernel_read_net_sysctls(hotplug_t)
++kernel_rw_net_sysctls(hotplug_t)
+ 
+ files_read_kernel_modules(hotplug_t)
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2010-07-27 16:06:06.000000000 -0400
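Review bot: `kernel_read_net_sysctls(hotplug_t)` is replaced by `kernel_rw_net_sysctls(hotplug_t)`, so hotplug scripts may now write network sysctls rather than only read them, and the hunk does not record which sysctl write triggered the change. Because hotplug_t runs in response to device events, write access to network tunables deserves a comment naming the trigger, e.g. `# hotplug scripts write net sysctls when bringing up a new interface — TODO confirm which one`, plus a check whether a narrower interface would cover that single write. The hotplug_t rules continue outside this hunk.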
@@ -30500,7 +30572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.8/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te	2010-08-10 11:57:19.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.te	2010-08-11 08:20:05.000000000 -0400
 @@ -72,7 +72,7 @@
  #
  
@@ -34939,7 +35011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.if	2010-08-11 08:23:58.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  

