[selinux-policy] - Allow cron to look at user_cron_spool links - Lots of fixes for mozilla_plugin_t - Add sysv file s

Daniel J Walsh dwalsh at fedoraproject.org
Wed Aug 25 02:48:10 UTC 2010


commit cc138e86b5d73e58a8c1feb1a5ae2254eebfbd30
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Aug 24 22:48:06 2010 -0400

    - Allow cron to look at user_cron_spool links
    - Lots of fixes for mozilla_plugin_t
    - Add sysv file system
    - Turn unconfined domains to permissive to find additional avcs

 policy-F14.patch    |  372 +++++++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec |    8 +-
 2 files changed, 290 insertions(+), 90 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index f0caa77..7b7cb6e 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -4846,7 +4846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te	2010-08-23 18:10:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te	2010-08-24 10:04:03.000000000 -0400
 @@ -25,6 +25,7 @@
  type mozilla_home_t;
  typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
@@ -4910,7 +4910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +284,42 @@
+@@ -266,3 +284,46 @@
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -4924,10 +4924,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +allow mozilla_plugin_t self:sem create_sem_perms;
 +allow mozilla_plugin_t self:shm create_shm_perms;
 +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
-+allow mozilla_plugin_t self:unix_stream_socket create_stream_socket_perms;
++allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +
 +read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +
++kernel_read_kernel_sysctls(mozilla_plugin_t)
++kernel_read_system_state(mozilla_plugin_t)
 +kernel_request_load_module(mozilla_plugin_t)
 +
 +corecmd_exec_bin(mozilla_plugin_t)
@@ -4942,16 +4944,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +files_read_usr_files(mozilla_plugin_t)
 +
 +miscfiles_read_localization(mozilla_plugin_t)
-+allow mozilla_plugin_t self:process setsched;
 +
-+allow mozilla_plugin_t self:unix_stream_socket connectto;
++term_getattr_all_ttys(mozilla_plugin_t)
++term_getattr_all_ptys(mozilla_plugin_t)
 +
 +optional_policy(`
 +	nsplugin_domtrans(mozilla_plugin_t)
++	nsplugin_rw_exec(mozilla_plugin_t)
 +')
 +
 +optional_policy(`
 +	xserver_read_xdm_pid(mozilla_plugin_t)
++	xserver_stream_connect(mozilla_plugin_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.8.8/policy/modules/apps/mplayer.if
 --- nsaserefpolicy/policy/modules/apps/mplayer.if	2010-07-27 16:06:04.000000000 -0400
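Review bot: `allow mozilla_plugin_t self:process setsched;` is removed in this hunk with no replacement visible, while the other removed line (the standalone `connectto`) is folded into the `unix_stream_socket` rule in the preceding hunk; if the plugin still adjusts its scheduling priority this will come back as a fresh AVC, so either keep the line or add a comment saying why it went. `nsplugin_rw_exec(mozilla_plugin_t)` grants execute on `nsplugin_rw_t`, the type a later hunk maps to `/usr/lib(64)?/mozilla/plugins-wrapped`; whether mozilla_plugin_t can also write that type is not visible here, but if it can, the pair undoes the write-xor-execute separation a separate "rw" type presumably exists for, so a comment naming the plugin that needs it would make the grant reviewable. The mozilla_plugin_t rule block starts in the previous hunk.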
@@ -5051,7 +5055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.8.8/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if	2010-08-23 17:57:01.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if	2010-08-24 10:00:03.000000000 -0400
 @@ -0,0 +1,391 @@
 +
 +## <summary>policy for nsplugin</summary>
@@ -6544,8 +6548,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te	2010-08-23 17:16:41.000000000 -0400
-@@ -0,0 +1,400 @@
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te	2010-08-23 18:24:37.000000000 -0400
+@@ -0,0 +1,401 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -6826,6 +6830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
 +
 +kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
++kernel_request_load_module(sandbox_web_type)
 +
 +dev_read_rand(sandbox_web_type)
 +dev_write_sound(sandbox_web_type)
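Review bot: `kernel_request_load_module(sandbox_web_type)` lets every sandboxed web domain trigger kernel module autoloading, which widens the kernel surface reachable from the least-trusted content on the system; untrusted domains are normally kept away from this even at the cost of a logged denial. If the AVC that motivated it is noise from a lookup that succeeds without the module, `kernel_dontaudit_request_load_module(sandbox_web_type)` is the safer response and matches the `kernel_dontaudit_search_kernel_sysctl` line directly above. If a module genuinely has to be loaded, a comment naming it would justify the grant.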
@@ -9690,7 +9695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.8.8/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te	2010-08-24 10:24:43.000000000 -0400
 @@ -52,6 +52,7 @@
  fs_type(anon_inodefs_t)
  files_mountpoint(anon_inodefs_t)
@@ -9724,7 +9729,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  type inotifyfs_t;
  fs_type(inotifyfs_t)
  genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
-@@ -248,6 +258,7 @@
+@@ -148,6 +158,12 @@
+ genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+ files_mountpoint(squash_t)
+ 
++type sysv_t;
++fs_noxattr_type(sysv_t)
++files_mountpoint(sysv_t)
++genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
++genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
++
+ type vmblock_t;
+ fs_noxattr_type(vmblock_t)
+ files_mountpoint(vmblock_t)
+@@ -248,6 +264,7 @@
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -10027,7 +10045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.8.8/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if	2010-08-03 13:44:23.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if	2010-08-24 10:01:21.000000000 -0400
 @@ -292,9 +292,11 @@
  interface(`term_dontaudit_use_console',`
  	gen_require(`
@@ -13745,7 +13763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.8.8/policy/modules/services/apm.te
 --- nsaserefpolicy/policy/modules/services/apm.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apm.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apm.te	2010-08-24 15:48:30.000000000 -0400
 @@ -62,6 +62,7 @@
  dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
  allow apmd_t self:process { signal_perms getsession };
@@ -13773,6 +13791,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
  		sysnet_domtrans_ifconfig(apmd_t)
  	')
  
+@@ -218,9 +224,13 @@
+ 	udev_read_state(apmd_t) #necessary?
+ ')
+ 
++ifdef(`enforcing',`
+ optional_policy(`
+ 	unconfined_domain(apmd_t)
+ ')
++', `
++   permissive apmd_t;
++')
+ 
+ optional_policy(`
+ 	vbetool_domtrans(apmd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.8.8/policy/modules/services/arpwatch.te
 --- nsaserefpolicy/policy/modules/services/arpwatch.te	2010-07-27 16:06:05.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te	2010-08-03 09:15:01.000000000 -0400
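Review bot: `permissive apmd_t;` is emitted whenever the `enforcing` m4 symbol is undefined, so a build that omits the define ships apmd_t permissive — denials are logged, nothing is blocked — and the same construct is introduced in the devicekit, rgmanager, virt, xserver, fstools, libraries, lvm and modutils hunks. The spec change that presumably drives the define is outside this page, so it is worth confirming the release build sets it and stating the intent once above each block, e.g. `# built without the enforcing define: run permissive to collect AVCs instead of unconfining`. The indentation of `   permissive apmd_t;` (spaces) also differs from the tabs used elsewhere in this file and in the devicekit hunk.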
@@ -14223,7 +14255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te
 --- nsaserefpolicy/policy/modules/services/boinc.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.te	2010-08-23 09:55:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/boinc.te	2010-08-24 22:47:01.000000000 -0400
 @@ -0,0 +1,152 @@
 +policy_module(boinc,1.0.0)
 +
@@ -14281,7 +14313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +exec_files_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
 +manage_dirs_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
-+files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } )
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })
 +
 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
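Review bot: replacing `files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir })` with `filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })` removes the transition for objects boinc_t creates directly under /var/lib, so any such file or directory would now inherit the parent directory's label rather than boinc_var_lib_t. If the intent was to add the project-directory transition, the original line should probably stay alongside the new one; if boinc_t never creates directly in /var/lib, a one-line comment saying so would explain the removal. Narrowing the new rule to `{ dir }` is fine provided project entries are always directories.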
@@ -16315,7 +16347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.8/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.te	2010-08-13 11:29:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.te	2010-08-24 09:31:07.000000000 -0400
 @@ -63,9 +63,12 @@
  
  type crond_tmp_t;
@@ -16601,14 +16633,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	unconfined_domain(system_cronjob_t)
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
-@@ -590,6 +675,7 @@
+@@ -590,7 +675,9 @@
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 +rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
  read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
  
  tunable_policy(`fcron_crond', `
+ 	allow crond_t user_cron_spool_t:file manage_file_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.8.8/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2010-07-27 16:06:05.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/cups.fc	2010-07-30 14:06:53.000000000 -0400
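Review bot: `read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` lets crond_t resolve symlinks that carry the spool label; the link target is still checked against its own type, so the grant is bounded, but a symlink inside a cron spool is unusual enough that the case behind the AVC deserves a line, e.g. `# spool entries can be symlinks; crond must be able to resolve them`. The `rw_dirs_pattern` line above it is pre-existing context and is not widened by this change.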
@@ -17031,7 +17065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.8.8/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/devicekit.te	2010-08-10 11:09:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/devicekit.te	2010-08-24 15:48:30.000000000 -0400
 @@ -75,10 +75,12 @@
  manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
@@ -17057,15 +17091,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
  files_read_etc_files(devicekit_disk_t)
-@@ -178,13 +182,19 @@
+@@ -178,13 +182,25 @@
  	virt_manage_images(devicekit_disk_t)
  ')
  
++ifdef(`enforcing',`
 +optional_policy(`
 +	unconfined_domain(devicekit_t)
 +	unconfined_domain(devicekit_power_t)
 +	unconfined_domain(devicekit_disk_t)
 +')
++', `
++	permissive devicekit_t;
++	permissive devicekit_power_t;
++	permissive devicekit_disk_t;
++')
 +
  ########################################
  #
@@ -17212,7 +17252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te	2010-08-16 07:30:39.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dovecot.te	2010-08-24 10:17:59.000000000 -0400
 @@ -18,7 +18,7 @@
  files_tmp_file(dovecot_auth_tmp_t)
  
@@ -17254,7 +17294,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
  kernel_read_kernel_sysctls(dovecot_t)
  kernel_read_system_state(dovecot_t)
-@@ -242,6 +244,7 @@
+@@ -159,6 +161,11 @@
+ ')
+ 
+ optional_policy(`
++    postfix_manage_private_sockets(dovecot_t)
++    postfix_search_spool(dovecot_t)
++')
++
++optional_policy(`
+ 	postgresql_stream_connect(dovecot_t)
+ ')
+ 
+@@ -242,6 +249,7 @@
  ')
  
  optional_policy(`
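Review bot: the new `postfix_manage_private_sockets(dovecot_t)` and `postfix_search_spool(dovecot_t)` lines are indented with four spaces while the rest of the file uses a tab, as the `postgresql_stream_connect` line below shows. On substance, `manage` on postfix's private sockets covers create, unlink and rename as well as read and write; if dovecot_t only needs to connect to, or create its own, socket in that directory, a narrower pattern is preferable, and a comment naming the socket involved would make the grant reviewable.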
@@ -17262,7 +17314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -253,19 +256,26 @@
+@@ -253,19 +261,26 @@
  
  allow dovecot_deliver_t dovecot_t:process signull;
  
@@ -17291,7 +17343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -302,4 +312,5 @@
+@@ -302,4 +317,5 @@
  
  optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
@@ -23675,6 +23727,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
  ##	</summary>
  ## </param>
  #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.8.8/policy/modules/services/remotelogin.te
+--- nsaserefpolicy/policy/modules/services/remotelogin.te	2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/remotelogin.te	2010-08-24 09:11:29.000000000 -0400
+@@ -114,7 +114,6 @@
+ ')
+ 
+ optional_policy(`
+-	unconfined_domain(remote_login_t)
+ 	unconfined_shell_domtrans(remote_login_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.8.8/policy/modules/services/rgmanager.fc
 --- nsaserefpolicy/policy/modules/services/rgmanager.fc	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/rgmanager.fc	2010-07-30 14:06:53.000000000 -0400
@@ -23754,7 +23817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.8/policy/modules/services/rgmanager.te
 --- nsaserefpolicy/policy/modules/services/rgmanager.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te	2010-08-24 09:12:13.000000000 -0400
 @@ -17,6 +17,9 @@
  domain_type(rgmanager_t)
  init_daemon_domain(rgmanager_t, rgmanager_exec_t)
@@ -23814,6 +23877,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
  	mysql_domtrans_mysql_safe(rgmanager_t)
  	mysql_stream_connect(rgmanager_t)
  ')
+@@ -193,9 +209,13 @@
+ 	virt_stream_connect(rgmanager_t)
+ ')
+ 
++ifdef(`enforcing',`
+ optional_policy(`
+ 	unconfined_domain(rgmanager_t)
+ ')
++', `
++	permissive rgmanager_t;
++')
+ 
+ optional_policy(`
+ 	xen_domtrans_xm(rgmanager_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.8.8/policy/modules/services/rhcs.fc
 --- nsaserefpolicy/policy/modules/services/rhcs.fc	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/rhcs.fc	2010-08-10 11:56:57.000000000 -0400
@@ -24224,7 +24301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.8.8/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.te	2010-08-10 05:23:35.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.te	2010-08-24 09:12:28.000000000 -0400
 @@ -10,6 +10,9 @@
  domain_type(ricci_t)
  init_daemon_domain(ricci_t, ricci_exec_t)
@@ -24264,18 +24341,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  	unconfined_use_fds(ricci_t)
  ')
  
-@@ -241,6 +252,10 @@
+@@ -241,8 +252,7 @@
  ')
  
  optional_policy(`
+-	# XXX This has got to go.
+-	unconfined_domain(ricci_modcluster_t)
 +	rgmanager_stream_connect(ricci_modclusterd_t)
-+')
-+
-+optional_policy(`
- 	# XXX This has got to go.
- 	unconfined_domain(ricci_modcluster_t)
  ')
-@@ -261,6 +276,10 @@
+ 
+ ########################################
+@@ -261,6 +271,10 @@
  allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
  allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
  
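Review bot: ricci_modcluster_t loses `unconfined_domain` here with no `permissive` fallback, unlike the domains converted with the `ifdef(`enforcing',` construct elsewhere in this commit; the remotelogin hunk does the same for remote_login_t. That makes these two the only domains the commit fully confines in every build, which the description's "turn unconfined domains to permissive" line does not cover — the removed `# XXX This has got to go.` comment suggests it is deliberate, and a word in the commit message would save the next reader the check. The remaining `rgmanager_stream_connect(ricci_modclusterd_t)` grant is unaffected.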
@@ -24286,7 +24362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
  manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
  manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +291,7 @@
+@@ -272,6 +286,7 @@
  
  kernel_read_kernel_sysctls(ricci_modclusterd_t)
  kernel_read_system_state(ricci_modclusterd_t)
@@ -24294,7 +24370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  
  corecmd_exec_bin(ricci_modclusterd_t)
  
-@@ -444,6 +464,12 @@
+@@ -444,6 +459,12 @@
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
@@ -27185,7 +27261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.8/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.te	2010-08-10 05:23:35.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.te	2010-08-24 09:12:59.000000000 -0400
 @@ -4,6 +4,7 @@
  #
  # Declarations
@@ -27433,7 +27509,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  optional_policy(`
-@@ -402,6 +459,19 @@
+@@ -385,9 +442,13 @@
+ 	udev_read_db(virtd_t)
+ ')
+ 
++ifdef(`enforcing',`
+ optional_policy(`
+ 	unconfined_domain(virtd_t)
+ ')
++', `
++   permissive virtd_t;
++')
+ 
+ ########################################
+ #
+@@ -402,6 +463,19 @@
  allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
  allow virt_domain self:tcp_socket create_stream_socket_perms;
  
@@ -27453,7 +27543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +492,7 @@
+@@ -422,6 +496,7 @@
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -27461,7 +27551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +500,12 @@
+@@ -429,10 +504,12 @@
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -27474,7 +27564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +513,11 @@
+@@ -440,6 +517,11 @@
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -27486,7 +27576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +535,121 @@
+@@ -457,8 +539,121 @@
  ')
  
  optional_policy(`
@@ -27762,7 +27852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.if	2010-08-23 17:59:07.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.if	2010-08-24 10:28:17.000000000 -0400
 @@ -19,9 +19,10 @@
  interface(`xserver_restricted_role',`
  	gen_require(`
@@ -28375,7 +28465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.te	2010-08-11 08:03:36.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.te	2010-08-24 10:03:23.000000000 -0400
 @@ -35,6 +35,13 @@
  
  ## <desc>
@@ -29177,7 +29267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,12 +1072,28 @@
+@@ -775,14 +1072,34 @@
  ')
  
  optional_policy(`
@@ -29202,12 +29292,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	udev_read_db(xserver_t)
 +')
 +
++ifdef(`enforcing',`
 +optional_policy(`
 +	unconfined_domain(xserver_t)
  	unconfined_domtrans(xserver_t)
  ')
++', `
++   permissive xserver_t;
++')
  
-@@ -804,10 +1117,10 @@
+ optional_policy(`
+ 	userhelper_search_config(xserver_t)
+@@ -804,10 +1121,10 @@
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
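Review bot: the `', `` branch in the preceding block carries only `permissive xserver_t;`, so a build without the `enforcing` define also drops `unconfined_domtrans(xserver_t)`, which previously sat outside any such guard. Permissive mode suppresses denials but does not add a `type_transition`, so in those builds an exec of unconfined_exec_t from xserver_t stays in xserver_t instead of transitioning; if that is not intended, `unconfined_domtrans(xserver_t)` belongs outside the ifdef. The insmod hunk likewise drops `unconfined_dontaudit_rw_pipes(insmod_t)` in its non-enforcing branch, which at least is consistent with the goal of surfacing AVCs; the other converted domains had only `unconfined_domain` inside the guarded block.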
@@ -29220,7 +29316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,6 +1141,13 @@
+@@ -828,6 +1145,13 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -29234,7 +29330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -843,11 +1163,14 @@
+@@ -843,11 +1167,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -29251,7 +29347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -993,3 +1316,33 @@
+@@ -993,3 +1320,33 @@
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -30108,7 +30204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.8.8/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/fstools.te	2010-08-23 08:25:15.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/fstools.te	2010-08-24 15:48:29.000000000 -0400
 @@ -55,6 +55,7 @@
  
  kernel_read_system_state(fsadm_t)
@@ -30126,7 +30222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -147,7 +150,7 @@
+@@ -147,12 +150,16 @@
  
  seutil_read_config(fsadm_t)
  
@@ -30134,8 +30230,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 +term_use_all_terms(fsadm_t)
  
  ifdef(`distro_redhat',`
++ifdef(`enforcing',`
  	optional_policy(`
-@@ -166,6 +169,14 @@
+ 		unconfined_domain(fsadm_t)
+ 	')
++', `
++   permissive fsadm_t;
++')
+ ')
+ 
+ optional_policy(`
+@@ -166,6 +173,14 @@
  ')
  
  optional_policy(`
@@ -32032,7 +32137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.8.8/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/libraries.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/libraries.te	2010-08-24 09:14:30.000000000 -0400
 @@ -61,7 +61,7 @@
  
  manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
@@ -32069,6 +32174,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
+@@ -141,6 +147,10 @@
+ 	rpm_manage_script_tmp_files(ldconfig_t)
+ ')
+ 
++ifdef(`enforcing',`
+ optional_policy(`
+ 	unconfined_domain(ldconfig_t)
++')'
++, `
++	permissive ldconfig_t;
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.fc serefpolicy-3.8.8/policy/modules/system/locallogin.fc
 --- nsaserefpolicy/policy/modules/system/locallogin.fc	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/system/locallogin.fc	2010-07-30 14:06:53.000000000 -0400
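Review bot: the `')'` / `, `` closing of the `ifdef(`enforcing',` block differs from the `')` / `', `` form used for the same construct in every other hunk of this commit (apm, devicekit, rgmanager, virt, xserver, fstools, lvm, modutils). Both are valid m4 — the trailing `'` on the first line closes the ifdef's first argument — but the split quote reads like a typo, so `')` followed by `', `` on the next line would keep the file consistent. The enclosing `optional_policy` block closes within the hunk.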
@@ -32490,20 +32606,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
  ## <rolecap/>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.8.8/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/lvm.te	2010-08-23 18:10:53.000000000 -0400
-@@ -141,6 +141,11 @@
- ')
++++ serefpolicy-3.8.8/policy/modules/system/lvm.te	2010-08-24 15:48:29.000000000 -0400
+@@ -135,9 +135,18 @@
+ lvm_read_config(clvmd_t)
  
- optional_policy(`
-+	aisexec_stream_connect(clvmd_t)
-+	corosync_stream_connect(clvmd_t)
+ ifdef(`distro_redhat',`
++ifdef(`enforcing',`
+ 	optional_policy(`
+ 		unconfined_domain(clvmd_t)
+ 	')
++', `
++	permissive clvmd_t;
++')
 +')
 +
 +optional_policy(`
- 	ccs_stream_connect(clvmd_t)
++	aisexec_stream_connect(clvmd_t)
++	corosync_stream_connect(clvmd_t)
  ')
  
-@@ -170,6 +175,7 @@
+ optional_policy(`
+@@ -170,6 +179,7 @@
  allow lvm_t self:process { sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
  allow lvm_t self:process setsched;
@@ -32511,7 +32634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -210,12 +216,15 @@
+@@ -210,12 +220,15 @@
  files_etc_filetrans(lvm_t, lvm_metadata_t, file)
  files_search_mnt(lvm_t)
  
@@ -32527,7 +32650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -242,6 +251,7 @@
+@@ -242,6 +255,7 @@
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -32535,7 +32658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -251,8 +261,9 @@
+@@ -251,8 +265,9 @@
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -32546,7 +32669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  fs_search_auto_mountpoints(lvm_t)
  fs_list_tmpfs(lvm_t)
  fs_read_tmpfs_symlinks(lvm_t)
-@@ -262,6 +273,7 @@
+@@ -262,6 +277,7 @@
  
  mls_file_read_all_levels(lvm_t)
  mls_file_write_to_clearance(lvm_t)
@@ -32554,19 +32677,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -309,6 +321,11 @@
- ')
+@@ -303,9 +319,18 @@
+ 	# this is from the initrd:
+ 	files_rw_isid_type_dirs(lvm_t)
  
- optional_policy(`
-+	aisexec_stream_connect(lvm_t)
-+	corosync_stream_connect(lvm_t)
++ifdef(`enforcing',`
+ 	optional_policy(`
+ 		unconfined_domain(lvm_t)
+ 	')
++', `
++	permissive lvm_t;
++')
 +')
 +
 +optional_policy(`
- 	bootloader_rw_tmp_files(lvm_t)
++	aisexec_stream_connect(lvm_t)
++	corosync_stream_connect(lvm_t)
  ')
  
-@@ -329,6 +346,10 @@
+ optional_policy(`
+@@ -329,6 +354,10 @@
  ')
  
  optional_policy(`
@@ -32727,7 +32857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.8.8/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/modutils.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/modutils.te	2010-08-24 09:16:21.000000000 -0400
 @@ -18,6 +18,7 @@
  type insmod_exec_t;
  application_domain(insmod_t, insmod_exec_t)
@@ -32759,7 +32889,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -104,7 +108,7 @@
+@@ -94,17 +98,21 @@
+ 	rpm_manage_script_tmp_files(depmod_t)
+ ')
+ 
++ifdef(`enforcing',`
+ optional_policy(`
+ 	# Read System.map from home directories.
+ 	unconfined_domain(depmod_t)
+ ')
++', `
++	permissive depmod_t;
++')
+ 
+ ########################################
+ #
  # insmod local policy
  #
  
@@ -32768,7 +32912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  
  allow insmod_t self:udp_socket create_socket_perms;
-@@ -125,6 +129,7 @@
+@@ -125,6 +133,7 @@
  kernel_mount_debugfs(insmod_t)
  kernel_mount_kvmfs(insmod_t)
  kernel_read_debugfs(insmod_t)
@@ -32776,7 +32920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  # Rules for /proc/sys/kernel/tainted
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +147,7 @@
+@@ -142,6 +151,7 @@
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -32784,7 +32928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -160,11 +166,15 @@
+@@ -160,11 +170,15 @@
  
  fs_getattr_xattr_fs(insmod_t)
  fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -32800,7 +32944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -173,8 +183,7 @@
+@@ -173,8 +187,7 @@
  
  seutil_read_file_contexts(insmod_t)
  
@@ -32810,17 +32954,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  userdom_dontaudit_search_user_home_dirs(insmod_t)
  
  if( ! secure_mode_insmod ) {
-@@ -235,6 +244,10 @@
+@@ -229,10 +242,18 @@
+ 	rpm_rw_pipes(insmod_t)
  ')
  
++ifdef(`enforcing',`
  optional_policy(`
-+	virt_dontaudit_write_pipes(insmod_t)
+ 	unconfined_domain(insmod_t)
+ 	unconfined_dontaudit_rw_pipes(insmod_t)
+ ')
++', `
++	permissive insmod_t;
 +')
 +
 +optional_policy(`
- 	# cjp: why is this needed:
- 	dev_rw_xserver_misc(insmod_t)
++	virt_dontaudit_write_pipes(insmod_t)
++')
  
+ optional_policy(`
+ 	# cjp: why is this needed:
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.8.8/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/system/mount.fc	2010-07-30 14:06:53.000000000 -0400
@@ -33416,7 +33568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.i
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.8.8/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/raid.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/raid.te	2010-08-24 09:17:23.000000000 -0400
 @@ -30,8 +30,9 @@
  allow mdadm_t mdadm_map_t:file manage_file_perms;
  dev_filetrans(mdadm_t, mdadm_map_t, file)
@@ -33436,6 +33588,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
  
  fs_search_auto_mountpoints(mdadm_t)
  fs_dontaudit_list_tmpfs(mdadm_t)
+@@ -95,6 +97,10 @@
+ 	udev_read_db(mdadm_t)
+ ')
+ 
++ifdef(`enforcing',`
+ optional_policy(`
+ 	unconfined_domain(mdadm_t)
+ ')
++', `
++	permissive mdadm_t;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc	2010-07-30 14:06:53.000000000 -0400
@@ -33859,7 +34022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.8.8/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te	2010-08-13 15:47:08.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te	2010-08-24 09:17:28.000000000 -0400
 @@ -22,6 +22,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -34098,7 +34261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -498,112 +492,50 @@
+@@ -498,112 +492,54 @@
  	userdom_read_user_tmp_files(semanage_t)
  ')
  
@@ -34239,9 +34402,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  	')
  ')
  
++ifdef(`enforcing',`
  optional_policy(`
 -	hotplug_use_fds(setfiles_t)
 +	unconfined_domain(setfiles_mac_t)
++')
++', `
++	permissive lvm_t;
  ')
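Review bot: The else branch of the new ifdef reads `permissive lvm_t;` while the enforcing branch grants `unconfined_domain(setfiles_mac_t)`; every other hunk in this commit pairs the permissive statement with the same domain as the unconfined call, so this looks like a copy-paste slip. As written, a non-enforcing build leaves setfiles_mac_t fully enforced with no unconfined fallback, and instead makes lvm_t, which does not otherwise appear in this module, permissive. If setfiles_mac_t was intended, the line should be `permissive setfiles_mac_t;`; if lvm_t really is meant here, a comment explaining why it is set from selinuxutil.te would help.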
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.8.8/policy/modules/system/setrans.if
 --- nsaserefpolicy/policy/modules/system/setrans.if	2010-07-27 16:06:06.000000000 -0400
@@ -34421,8 +34588,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.8.8/policy/modules/system/sosreport.te
 --- nsaserefpolicy/policy/modules/system/sosreport.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/system/sosreport.te	2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,154 @@
++++ serefpolicy-3.8.8/policy/modules/system/sosreport.te	2010-08-24 15:48:28.000000000 -0400
+@@ -0,0 +1,158 @@
 +policy_module(sosreport,1.0.0)
 +
 +########################################
@@ -34574,9 +34741,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep
 +	xserver_stream_connect(sosreport_t)
 +')
 +
++ifdef(`enforcing',`
 +optional_policy(`
 +	unconfined_domain(sosreport_t)
 +')
++', `
++	permissive sosreport_t;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc	2010-07-30 14:06:53.000000000 -0400
@@ -35131,7 +35302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.8.8/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/udev.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/udev.te	2010-08-24 09:18:25.000000000 -0400
 @@ -52,6 +52,7 @@
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -35163,7 +35334,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  
  mcs_ptrace_all(udev_t)
  
-@@ -216,6 +220,10 @@
+@@ -192,9 +196,13 @@
+ 	# for arping used for static IP addresses on PCMCIA ethernet
+ 	netutils_domtrans(udev_t)
+ 
++	ifdef(`enforcing',`
+ 	optional_policy(`
+ 		unconfined_domain(udev_t)
+ 	')
++	', `
++	   permissive udev_t;
++	')
+ ')
+ 
+ optional_policy(`
+@@ -216,6 +224,10 @@
  ')
  
  optional_policy(`
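Review bot: The new `permissive udev_t;` line is indented with a tab followed by three spaces, while every neighbouring line in the block uses tabs only; it should be `	permissive udev_t;` to match. Judging by the column-0 `')` that follows, this ifdef sits inside an optional_policy block whose opening line is above the hunk, so the nested quoting should be double-checked against that outer block. The same construct appears in the other modules of this commit with plain tab indentation.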
@@ -35174,7 +35359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  	consoletype_exec(udev_t)
  ')
  
-@@ -259,6 +267,10 @@
+@@ -259,6 +271,10 @@
  ')
  
  optional_policy(`
@@ -35185,7 +35370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +285,10 @@
+@@ -273,6 +289,10 @@
  ')
  
  optional_policy(`
@@ -38524,7 +38709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.8.8/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/xen.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/xen.te	2010-08-24 09:18:35.000000000 -0400
 @@ -4,6 +4,7 @@
  #
  # Declarations
@@ -38680,6 +38865,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
+@@ -469,8 +380,4 @@
+ 		fs_manage_nfs_files(xend_t)
+ 		fs_read_nfs_symlinks(xend_t)
+ 	')
+-
+-	optional_policy(`
+-		unconfined_domain(xend_t)
+-	')
+ ')
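Review bot: This hunk drops `unconfined_domain(xend_t)` outright, whereas every other domain touched by this commit gets the `ifdef(`enforcing',` construct with a `permissive` fallback; with nothing else in this hunk, xend_t goes straight from unconfined to enforced without the permissive phase the commit message describes. The hunk header shows xen.te shrank considerably earlier in the patch, so xend_t may already be handled there; if it is not, the same pattern as the other hunks, with `permissive xend_t;` in the else branch, would keep it consistent. The enclosing optional_policy block starts outside the hunk.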
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.8.8/policy/support/misc_patterns.spt
 --- nsaserefpolicy/policy/support/misc_patterns.spt	2010-05-25 16:28:22.000000000 -0400
 +++ serefpolicy-3.8.8/policy/support/misc_patterns.spt	2010-07-30 14:06:53.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 266ac1d..e4dedb8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
 %endif
 
 %changelog
+* Tue Aug 24 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-20
+- Allow cron to look at user_cron_spool links
+- Lots of fixes for mozilla_plugin_t
+- Add sysv file system
+- Turn unconfined domains to permissive to find additional avcs
+
 * Mon Aug 23 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-19
 - Update policy for mozilla_plugin_t
 

