[selinux-policy/f14/master] - label dead.letter as mail_home_t
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Aug 17 11:21:48 UTC 2010
commit 99b0d82f5a1bbdccd573c969ae85fb5833e4667c
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Aug 17 07:21:35 2010 -0400
- label dead.letter as mail_home_t
policy-F14.patch | 241 ++++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 5 +-
2 files changed, 183 insertions(+), 63 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 355ea17..06cd7c3 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1463,7 +1463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.8.8/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te 2010-08-17 07:18:59.000000000 -0400
@@ -19,6 +19,9 @@
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
@@ -1484,7 +1484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
-@@ -92,8 +98,15 @@
+@@ -92,8 +98,16 @@
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -1498,6 +1498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
+logging_read_all_logs(logwatch_mail_t)
+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
+allow logwatch_mail_t self:capability { dac_read_search dac_override };
++mta_read_home(logwatch_mail_t)
ifdef(`distro_redhat',`
files_search_all(logwatch_t)
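Review bot: The new `++mta_read_home(logwatch_mail_t)` line carries no comment saying which file under a home directory the logwatch mailer needs, and the interface it calls (defined in the mta.if hunk of this same patch) grants read on every user's mail_home_t plus directory search on all user home directories and the admin directory. Since logwatch_mail_t already holds `dac_read_search` and `dac_override` two lines above, that read reaches every user's `.forward` and `dead.letter` regardless of DAC mode bits. A one-line why-comment such as `# the mailer spills undeliverable output to ~/dead.letter` (or whichever file actually produced the denial) would let a later reviewer judge whether a narrower interface suffices. The logwatch_mail_t rules continue outside the hunk.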
@@ -2337,8 +2338,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectool
mount_exec(sectoolm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.8.8/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if 2010-07-30 14:06:53.000000000 -0400
-@@ -134,9 +134,10 @@
++++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if 2010-08-17 06:09:36.000000000 -0400
+@@ -18,6 +18,24 @@
+ domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+ ')
+
++######################################
++## <summary>
++## Execute a domain transition to run shorewall.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`shorewall_domtrans_lib',`
++ gen_require(`
++ type shorewall_t, shorewall_var_lib_t;
++ ')
++
++ domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
++')
++
+ #######################################
+ ## <summary>
+ ## Read shorewall etc configuration files.
+@@ -134,9 +152,10 @@
#
interface(`shorewall_admin',`
gen_require(`
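Review bot: The summary for the new `shorewall_domtrans_lib` interface reads the same as the interface ending just above it ("Execute a domain transition to run shorewall"), so a caller cannot tell from the docs that this variant transitions on files labelled shorewall_var_lib_t rather than shorewall_exec_t. Suggest `## Execute the shorewall script kept under shorewall_var_lib_t (/var/lib/shorewall) in the shorewall domain.`, with the param summary left as is. The caller comment added in the init.te hunk of this patch ("shorewall-init script run /var/lib/shorewall/firewall") gives the context and could be repeated here.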
@@ -2351,7 +2377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
')
allow $1 shorewall_t:process { ptrace signal_perms };
-@@ -153,12 +154,12 @@
+@@ -153,12 +172,12 @@
files_search_locks($1)
admin_pattern($1, shorewall_lock_t)
@@ -2369,8 +2395,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.8/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te 2010-07-30 14:06:53.000000000 -0400
-@@ -80,13 +80,14 @@
++++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te 2010-08-17 06:09:36.000000000 -0400
+@@ -58,6 +58,9 @@
+ manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+ manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+ files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
++allow shorewall_t shorewall_var_lib_t:file entrypoint;
++
++allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
+
+ kernel_read_kernel_sysctls(shorewall_t)
+ kernel_read_network_state(shorewall_t)
+@@ -80,13 +83,18 @@
init_rw_utmp(shorewall_t)
@@ -2383,6 +2419,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
-userdom_dontaudit_list_user_home_dirs(shorewall_t)
+userdom_dontaudit_list_admin_dir(shorewall_t)
++
++optional_policy(`
++ brctl_domtrans(shorewall_t)
++')
optional_policy(`
hostname_exec(shorewall_t)
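Review bot: `++allow shorewall_t shorewall_var_lib_t:file entrypoint;` makes a type that shorewall_t itself creates and writes (the `manage_files_pattern(shorewall_t, shorewall_var_lib_t, ...)` line two lines above) a valid entry point into shorewall_t, and the init.te hunk in this patch (`shorewall_domtrans_lib(initrc_t)`) has initrc_t execute such a file to enter that domain. Whether any domain other than shorewall_t can write shorewall_var_lib_t is not visible in this patch; if one can, it can author the script initrc_t runs as shorewall_t, so the rule deserves a comment recording that the generated /var/lib/shorewall/firewall script is the intended entry point and that write access to shorewall_var_lib_t should stay limited to shorewall_t, e.g. `# shorewall generates /var/lib/shorewall/firewall and shorewall-init executes it, hence entrypoint`. The caller comment in init.te also reads "script run" where "script runs" is meant. The shorewall_t block continues on both sides of the hunk.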
@@ -3040,8 +3080,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.8.8/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc 2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,49 @@
++++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc 2010-08-13 16:54:24.000000000 -0400
+@@ -0,0 +1,48 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -3049,7 +3089,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/mutter -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -6298,8 +6337,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-03 13:19:32.000000000 -0400
-@@ -0,0 +1,390 @@
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-16 07:01:26.000000000 -0400
+@@ -0,0 +1,392 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -6499,6 +6538,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+miscfiles_read_fonts(sandbox_x_domain)
+
++storage_dontaudit_rw_fuse(sandbox_x_domain)
++
+optional_policy(`
+ cups_stream_connect(sandbox_x_domain)
+ cups_read_rw_config(sandbox_x_domain)
@@ -7987,7 +8028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-13 09:07:52.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-16 07:06:37.000000000 -0400
@@ -461,6 +461,24 @@
########################################
@@ -8110,7 +8151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
########################################
## <summary>
-+## Relableto the autofs device node.
++## Relable the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -8118,12 +8159,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+## </summary>
+## </param>
+#
-+interface(`dev_relabelto_autofs_dev',`
++interface(`dev_relabel_autofs_dev',`
+ gen_require(`
+ type autofs_device_t;
+ ')
+
-+ allow $1 autofs_device_t:chr_file relabelto;
++ allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
+')
+
+########################################
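Review bot: The replacement summary line `++## Relable the autofs device node.` still misspells "Relabel", and it no longer says that the interface now grants both directions: `relabel_chr_file_perms` covers relabelfrom and relabelto, whereas the removed rule allowed only relabelto. Suggest `## Relabel the autofs device node (relabelfrom and relabelto).`. Renaming the interface from dev_relabelto_autofs_dev also breaks any external caller; the only caller visible in this patch (init.te) is updated in the same commit.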
@@ -9638,7 +9679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.8.8/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/storage.if 2010-08-05 14:41:46.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/storage.if 2010-08-16 07:00:32.000000000 -0400
@@ -101,6 +101,8 @@
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
@@ -14546,7 +14587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
corenet_udp_bind_chronyd_port(chronyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-11 08:54:31.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-16 07:42:43.000000000 -0400
@@ -80,6 +80,7 @@
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
@@ -14567,16 +14608,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
-@@ -182,6 +184,8 @@
+@@ -182,6 +184,9 @@
allow freshclam_t clamd_var_log_t:dir search_dir_perms;
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+kernel_read_kernel_sysctls(freshclam_t)
++kernel_read_system_state(freshclam_t)
+
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +193,7 @@
+@@ -189,6 +194,7 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -14584,7 +14626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,6 +212,8 @@
+@@ -207,6 +213,8 @@
clamav_stream_connect(freshclam_t)
@@ -16696,7 +16738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-13 12:10:15.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-16 07:30:39.000000000 -0400
@@ -18,7 +18,7 @@
files_tmp_file(dovecot_auth_tmp_t)
@@ -16746,7 +16788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
postfix_search_spool(dovecot_auth_t)
')
-@@ -253,19 +256,25 @@
+@@ -253,19 +256,26 @@
allow dovecot_deliver_t dovecot_t:process signull;
@@ -16755,6 +16797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
++allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
+
+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
@@ -16774,7 +16817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -302,4 +311,5 @@
+@@ -302,4 +312,5 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
@@ -19400,8 +19443,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.8.8/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.fc 2010-07-30 14:06:53.000000000 -0400
-@@ -13,6 +13,8 @@
++++ serefpolicy-3.8.8/policy/modules/services/mta.fc 2010-08-17 07:18:28.000000000 -0400
+@@ -1,4 +1,7 @@
+-HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
++HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0)
++/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
++/root/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+
+ /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+@@ -13,6 +16,8 @@
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
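Review bot: The two new dead.letter entries (`++HOME_DIR/dead.letter` and `++/root/dead.letter`) leave the dot unescaped, while the `.forward` lines in the same hunk escape theirs; file-context paths are regular expressions, so the unescaped form also matches names such as `deadXletter`. Change them to `HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)` and `/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)`. Keeping the escaping consistent also makes the hunk easier to audit against the mail_home_t declaration in mta.te.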
@@ -19412,7 +19464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-08-17 07:17:30.000000000 -0400
@@ -220,6 +220,25 @@
application_executable_file($1)
')
@@ -19500,7 +19552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -899,3 +920,23 @@
+@@ -899,3 +920,43 @@
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -19524,15 +19576,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+interface(`mta_filetrans_aliases',`
+ filetrans_pattern($1, $2, etc_aliases_t, file)
+')
++
++######################################
++## <summary>
++## ALlow domain to read mail content in the homedir
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mta_read_home',`
++ gen_require(`
++ type mail_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ userdom_search_admin_dir($1)
++ read_files_pattern($1, mail_home_t, mail_home_t)
++')
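Review bot: The summary of the new `mta_read_home` interface has a typo (`ALlow`) and does not say what the interface actually grants: besides `read_files_pattern` on mail_home_t it also calls `userdom_search_user_home_dirs` and `userdom_search_admin_dir`, so callers get directory search on every user home and on the admin home. Suggest `## Allow the domain to read mail content (.forward, dead.letter) in user and admin home directories.` so a caller understands the scope before using it.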
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-08-13 15:25:16.000000000 -0400
-@@ -21,7 +21,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-08-17 07:17:58.000000000 -0400
+@@ -20,8 +20,8 @@
+ type etc_mail_t;
files_config_file(etc_mail_t)
- type mail_forward_t;
+-type mail_forward_t;
-files_type(mail_forward_t)
-+userdom_user_home_content(mail_forward_t)
++type mail_home_t alias mail_forward_t;
++userdom_user_home_content(mail_home_t)
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
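Review bot: `++type mail_home_t alias mail_forward_t;` folds `.forward` and `dead.letter` into a single type, and the two files have different risk: `dead.letter` is a spill file for undeliverable mail, while `.forward` is read by the MTA to decide where (and, in common MTA implementations, to which command) a user's mail is delivered. Nothing in this patch grants write access on mail_home_t, but any future rule that lets a delivery domain write dead.letter would equally let it rewrite .forward. A comment at the type declaration would record the trade-off, e.g. `# covers ~/.forward and ~/dead.letter; write access on this type implies control of .forward`. The alias keeps existing mail_forward_t callers compiling, which the mta.te hunks below rely on.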
@@ -19658,14 +19732,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -220,6 +215,7 @@
+@@ -220,7 +215,8 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+-read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+userdom_search_admin_dir(mailserver_delivery)
- read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
++read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+
@@ -249,6 +245,10 @@
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -26167,6 +26243,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
+ daemontools_sigchld_run(ucspitcp_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.8.8/policy/modules/services/ulogd.te
+--- nsaserefpolicy/policy/modules/services/ulogd.te 2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ulogd.te 2010-08-17 06:53:12.000000000 -0400
+@@ -31,6 +31,7 @@
+
+ allow ulogd_t self:capability net_admin;
+ allow ulogd_t self:netlink_nflog_socket create_socket_perms;
++allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
+
+ # config files
+ read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+@@ -43,6 +44,15 @@
+ manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+
+-files_search_etc(ulogd_t)
++files_read_etc_files(ulogd_t)
++files_read_usr_files(ulogd_t)
+
+ miscfiles_read_localization(ulogd_t)
++
++optional_policy(`
++ mysql_stream_connect(ulogd_t)
++')
++
++optional_policy(`
++ postgresql_stream_connect(ulogd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc 2010-07-30 14:06:53.000000000 -0400
@@ -29962,7 +30066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-13 09:08:20.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-17 06:09:36.000000000 -0400
@@ -16,6 +16,27 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -30074,7 +30178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,68 @@
+@@ -185,15 +216,72 @@
sysadm_shell_domtrans(init_t)
')
@@ -30098,7 +30202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ dev_manage_generic_files(init_t)
+ dev_read_generic_chr_files(init_t)
+ dev_relabelfrom_generic_chr_files(init_t)
-+ dev_relabelto_autofs_dev(init_t)
++ dev_relabel_autofs_dev(init_t)
+
+ files_mounton_all_mountpoints(init_t)
+ files_manage_all_pids_dirs(init_t)
@@ -30116,6 +30220,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ init_read_script_state(init_t)
+
+ seutil_read_file_contexts(init_t)
++
++ optional_policy(`
++ udev_read_db(init_t)
++ ')
+')
+
optional_policy(`
@@ -30143,7 +30251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
nscd_socket_use(init_t)
')
-@@ -211,7 +295,7 @@
+@@ -211,7 +299,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30152,7 +30260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -240,6 +324,7 @@
+@@ -240,6 +328,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -30160,7 +30268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +342,22 @@
+@@ -257,11 +346,22 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -30183,7 +30291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
-@@ -297,11 +393,13 @@
+@@ -297,11 +397,13 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -30197,7 +30305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -320,8 +418,10 @@
+@@ -320,8 +422,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -30209,7 +30317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -337,6 +437,8 @@
+@@ -337,6 +441,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -30218,7 +30326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_delete_cgroup_dirs(initrc_t)
fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +452,8 @@
+@@ -350,6 +456,8 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -30227,7 +30335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -362,6 +466,7 @@
+@@ -362,6 +470,7 @@
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -30235,7 +30343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -393,13 +498,14 @@
+@@ -393,13 +502,14 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -30251,7 +30359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +578,7 @@
+@@ -472,7 +582,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -30260,7 +30368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -518,6 +624,19 @@
+@@ -518,6 +628,19 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -30280,7 +30388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -525,10 +644,17 @@
+@@ -525,10 +648,17 @@
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -30298,7 +30406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -543,6 +669,35 @@
+@@ -543,6 +673,35 @@
')
')
@@ -30334,7 +30442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +710,8 @@
+@@ -555,6 +714,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -30343,7 +30451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -571,6 +728,7 @@
+@@ -571,6 +732,7 @@
optional_policy(`
cgroup_stream_connect(initrc_t)
@@ -30351,7 +30459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -583,6 +741,11 @@
+@@ -583,6 +745,11 @@
')
optional_policy(`
@@ -30363,7 +30471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -599,6 +762,7 @@
+@@ -599,6 +766,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -30371,7 +30479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -700,7 +864,12 @@
+@@ -700,7 +868,12 @@
')
optional_policy(`
@@ -30384,7 +30492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -723,6 +892,10 @@
+@@ -723,6 +896,10 @@
')
optional_policy(`
@@ -30395,7 +30503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -744,6 +917,10 @@
+@@ -744,6 +921,10 @@
')
optional_policy(`
@@ -30406,7 +30514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -765,8 +942,6 @@
+@@ -765,8 +946,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -30415,7 +30523,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -779,10 +954,12 @@
+@@ -775,14 +954,21 @@
+ ')
+
+ optional_policy(`
++ # shorewall-init script run /var/lib/shorewall/firewall
++ shorewall_domtrans_lib(initrc_t)
++')
++
++optional_policy(`
+ squid_read_config(initrc_t)
squid_manage_logs(initrc_t)
')
@@ -30428,7 +30545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +981,19 @@
+@@ -804,11 +990,19 @@
')
optional_policy(`
@@ -30449,7 +30566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +1003,25 @@
+@@ -818,6 +1012,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -30475,7 +30592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -843,3 +1047,55 @@
+@@ -843,3 +1056,55 @@
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bd57abf..3ec2e0a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
-Release: 14%{?dist}
+Release: 15%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Tue Aug 17 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-15
+- label dead.letter as mail_home_t
+
* Fri Aug 13 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-14
- Allow login programs to search /cgroups