[selinux-policy] - Merge with upstream

Daniel J Walsh dwalsh at fedoraproject.org
Mon Aug 30 21:34:53 UTC 2010


commit a7a2367a59e3fd6a548d9d555941eb7f8f662225
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Aug 30 17:34:52 2010 -0400

    - Merge with upstream

 .gitignore          |    1 +
 policy-F14.patch    |  230 ++++++++++++++++++++++++++++++---------------------
 selinux-policy.spec |    7 +-
 sources             |    2 +-
 4 files changed, 141 insertions(+), 99 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 61e5f38..6574aaf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -221,3 +221,4 @@ serefpolicy-3.8.8.tgz
 *.rpm
 serefpolicy*
 /serefpolicy-3.9.0.tgz
+/serefpolicy-3.9.1.tgz
diff --git a/policy-F14.patch b/policy-F14.patch
index 9247ef9..3083567 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -188,7 +188,7 @@ index 3316f6e..cf3a77b 100644
 +gen_tunable(mmap_low_allowed, false)
 +
 diff --git a/policy/mcs b/policy/mcs
-index af90ef2..ebe5833 100644
+index af90ef2..fbd2c40 100644
 --- a/policy/mcs
 +++ b/policy/mcs
 @@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
@@ -204,6 +204,15 @@ index af90ef2..ebe5833 100644
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
  mlsconstrain process { transition dyntransition }
+@@ -98,7 +98,7 @@ mlsconstrain process { transition dyntransition }
+ mlsconstrain process { ptrace }
+ 	(( h1 dom h2) or ( t1 == mcsptraceall ));
+ 
+-mlsconstrain process { sigkill sigstop }
++mlsconstrain process { signal sigkill sigstop }
+ 	(( h1 dom h2 ) or ( t1 == mcskillall ));
+ 
+ #
 diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
 index 30a0ac7..f5fc753 100644
 --- a/policy/modules/admin/alsa.fc
@@ -991,10 +1000,10 @@ index aa0dcc6..0154b77 100644
  		rpm_read_db(prelink_cron_system_t)
  	')
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
-index c5c7852..947df2b 100644
+index 2df2f1d..c1aaa79 100644
 --- a/policy/modules/admin/readahead.te
 +++ b/policy/modules/admin/readahead.te
-@@ -51,6 +51,7 @@ domain_read_all_domains_state(readahead_t)
+@@ -53,6 +53,7 @@ domain_read_all_domains_state(readahead_t)
  
  files_list_non_security(readahead_t)
  files_read_non_security_files(readahead_t)
@@ -1002,7 +1011,7 @@ index c5c7852..947df2b 100644
  files_create_boot_flag(readahead_t)
  files_getattr_all_pipes(readahead_t)
  files_dontaudit_getattr_all_sockets(readahead_t)
-@@ -64,6 +65,7 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,6 +67,7 @@ fs_read_cgroup_files(readahead_t)
  fs_read_tmpfs_files(readahead_t)
  fs_read_tmpfs_symlinks(readahead_t)
  fs_list_inotifyfs(readahead_t)
@@ -5100,10 +5109,10 @@ index 0000000..15778fd
 +# No types are sandbox_exec_t
 diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
 new file mode 100644
-index 0000000..d104714
+index 0000000..c20d303
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.if
-@@ -0,0 +1,334 @@
+@@ -0,0 +1,335 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -5155,6 +5164,7 @@ index 0000000..d104714
 +	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
++	dontaudit sandbox_x_domain $1:process signal;
 +	
 +	allow $1 sandbox_tmpfs_type:file manage_file_perms;
 +	dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
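Review bot: `dontaudit sandbox_x_domain $1:process signal;` silences every attempt by a sandboxed X domain to signal the domain that launched it, which removes the only record a defender would otherwise have of a sandboxed process reaching for its launcher. A dontaudit is fine when the denials are known benign noise, but the hunk gives no reason; a comment beside the rule, e.g. `# sandboxed apps probe their launcher with signals; deny silently`, would document the intent. It is also worth confirming the denials being hidden are not a side effect of the widened MCS constraint elsewhere in this patch (`mlsconstrain process { signal sigkill sigstop }`), since that would be a constraint to tune rather than an audit record to drop. The enclosing interface starts outside the hunk.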
@@ -7178,10 +7188,10 @@ index 3b2da10..7eed11d 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index cac0c64..d0aaa1c 100644
+index 8b09281..e896bf7 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
-@@ -461,6 +461,24 @@ interface(`dev_getattr_generic_chr_files',`
+@@ -498,6 +498,24 @@ interface(`dev_getattr_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7206,7 +7216,7 @@ index cac0c64..d0aaa1c 100644
  ##	Dontaudit getattr for generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -497,6 +515,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+@@ -534,6 +552,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7231,7 +7241,7 @@ index cac0c64..d0aaa1c 100644
  ##	Read and write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -515,6 +551,24 @@ interface(`dev_rw_generic_chr_files',`
+@@ -552,6 +588,24 @@ interface(`dev_rw_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7253,10 +7263,10 @@ index cac0c64..d0aaa1c 100644
 +
 +########################################
 +## <summary>
- ##	Create generic character device files.
+ ##	Dontaudit attempts to read/write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -606,6 +660,24 @@ interface(`dev_delete_generic_symlinks',`
+@@ -661,6 +715,24 @@ interface(`dev_delete_generic_symlinks',`
  
  ########################################
  ## <summary>
@@ -7281,7 +7291,7 @@ index cac0c64..d0aaa1c 100644
  ##	Create, delete, read, and write symbolic links in device directories.
  ## </summary>
  ## <param name="domain">
-@@ -1015,6 +1087,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1070,6 +1142,42 @@ interface(`dev_create_all_chr_files',`
  
  ########################################
  ## <summary>
@@ -7324,7 +7334,7 @@ index cac0c64..d0aaa1c 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1277,6 +1385,24 @@ interface(`dev_getattr_autofs_dev',`
+@@ -1332,6 +1440,24 @@ interface(`dev_getattr_autofs_dev',`
  
  ########################################
  ## <summary>
@@ -7349,7 +7359,7 @@ index cac0c64..d0aaa1c 100644
  ##	Do not audit attempts to get the attributes of
  ##	the autofs device node.
  ## </summary>
-@@ -3540,6 +3666,24 @@ interface(`dev_manage_smartcard',`
+@@ -3595,6 +3721,24 @@ interface(`dev_manage_smartcard',`
  
  ########################################
  ## <summary>
@@ -7374,7 +7384,7 @@ index cac0c64..d0aaa1c 100644
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3682,6 +3826,24 @@ interface(`dev_rw_sysfs',`
+@@ -3737,6 +3881,24 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -7399,7 +7409,7 @@ index cac0c64..d0aaa1c 100644
  ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
  ## </summary>
  ## <desc>
-@@ -3851,6 +4013,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3906,6 +4068,24 @@ interface(`dev_read_usbmon_dev',`
  
  ########################################
  ## <summary>
@@ -7424,7 +7434,7 @@ index cac0c64..d0aaa1c 100644
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4161,11 +4341,10 @@ interface(`dev_write_video_dev',`
+@@ -4216,11 +4396,10 @@ interface(`dev_write_video_dev',`
  #
  interface(`dev_rw_vhost',`
  	gen_require(`
@@ -7439,10 +7449,10 @@ index cac0c64..d0aaa1c 100644
  
  ########################################
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 102d130..ec8eb73 100644
+index eb9c360..20c2d34 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
-@@ -100,6 +100,7 @@ dev_node(ksm_device_t)
+@@ -102,6 +102,7 @@ dev_node(ksm_device_t)
  #
  type kvm_device_t;
  dev_node(kvm_device_t)
@@ -7450,7 +7460,7 @@ index 102d130..ec8eb73 100644
  
  #
  # Type for /dev/lirc
-@@ -300,5 +301,5 @@ files_associate_tmp(device_node)
+@@ -304,5 +305,5 @@ files_associate_tmp(device_node)
  #
  
  allow devices_unconfined_type self:capability sys_rawio;
@@ -8722,7 +8732,7 @@ index e3e17ba..3b34959 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index fb63c3a..3561f03 100644
+index 56c3408..30bc860 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -8775,7 +8785,7 @@ index fb63c3a..3561f03 100644
  type vmblock_t;
  fs_noxattr_type(vmblock_t)
  files_mountpoint(vmblock_t)
-@@ -248,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -247,6 +264,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -8873,7 +8883,7 @@ index ed7667a..d676187 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fa55f2..90ee6db 100644
+index e4f98ce..806026c 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -156,6 +156,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
@@ -8884,7 +8894,7 @@ index 6fa55f2..90ee6db 100644
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -255,7 +256,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -254,7 +255,8 @@ fs_unmount_all_fs(kernel_t)
  
  selinux_load_policy(kernel_t)
  
@@ -8894,7 +8904,7 @@ index 6fa55f2..90ee6db 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -269,19 +271,29 @@ files_list_root(kernel_t)
+@@ -268,19 +270,29 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -8924,7 +8934,7 @@ index 6fa55f2..90ee6db 100644
  optional_policy(`
  	hotplug_search_config(kernel_t)
  ')
-@@ -358,6 +370,10 @@ optional_policy(`
+@@ -357,6 +369,10 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -11693,7 +11703,7 @@ index 9e39aa5..b37de8e 100644
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..7260bf6 100644
+index c9e1a44..c96d035 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,17 +13,13 @@
@@ -11843,7 +11853,16 @@ index c9e1a44..7260bf6 100644
  	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -312,6 +307,25 @@ interface(`apache_domtrans',`
+@@ -243,6 +238,8 @@ interface(`apache_role',`
+ 	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ 	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ 
++	apache_exec_modules($2)
++
+ 	tunable_policy(`httpd_enable_cgi',`
+ 		# If a user starts a script by hand it gets the proper context
+ 		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+@@ -312,6 +309,25 @@ interface(`apache_domtrans',`
  	domtrans_pattern($1, httpd_exec_t, httpd_t)
  ')
  
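Review bot: `apache_exec_modules($2)` is added to `apache_role` unconditionally, outside the `httpd_enable_cgi` tunable block that immediately follows it, so every role domain handed the Apache user role gains execute access on `httpd_modules_t` regardless of tunables. If users genuinely need to run module helper binaries from a shell, a one-line comment naming that case (`# users run helper binaries shipped under the modules directory`) would justify the wider default; if it is only needed for CGI users, placing the call inside the following `httpd_enable_cgi` tunable block keeps the default footprint unchanged. The body of `apache_exec_modules` is not visible in this hunk, so what it grants beyond exec is inferred. `apache_role` continues outside the hunk.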
@@ -11869,7 +11888,7 @@ index c9e1a44..7260bf6 100644
  #######################################
  ## <summary>
  ##	Send a generic signal to apache.
-@@ -400,7 +414,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -400,7 +416,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
  		type httpd_t;
  	')
  
@@ -11878,7 +11897,7 @@ index c9e1a44..7260bf6 100644
  ')
  
  ########################################
-@@ -526,6 +540,25 @@ interface(`apache_rw_cache_files',`
+@@ -526,6 +542,25 @@ interface(`apache_rw_cache_files',`
  ########################################
  ## <summary>
  ##	Allow the specified domain to delete
@@ -11904,7 +11923,7 @@ index c9e1a44..7260bf6 100644
  ##	Apache cache.
  ## </summary>
  ## <param name="domain">
-@@ -740,6 +773,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -740,6 +775,25 @@ interface(`apache_dontaudit_search_modules',`
  
  ########################################
  ## <summary>
@@ -11930,7 +11949,7 @@ index c9e1a44..7260bf6 100644
  ##	Allow the specified domain to list
  ##	the contents of the apache modules
  ##	directory.
-@@ -756,6 +808,7 @@ interface(`apache_list_modules',`
+@@ -756,6 +810,7 @@ interface(`apache_list_modules',`
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -11938,7 +11957,7 @@ index c9e1a44..7260bf6 100644
  ')
  
  ########################################
-@@ -814,6 +867,7 @@ interface(`apache_list_sys_content',`
+@@ -814,6 +869,7 @@ interface(`apache_list_sys_content',`
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -11946,7 +11965,7 @@ index c9e1a44..7260bf6 100644
  	files_search_var($1)
  ')
  
-@@ -836,11 +890,80 @@ interface(`apache_manage_sys_content',`
+@@ -836,11 +892,80 @@ interface(`apache_manage_sys_content',`
  	')
  
  	files_search_var($1)
@@ -12027,7 +12046,7 @@ index c9e1a44..7260bf6 100644
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -858,6 +981,11 @@ interface(`apache_domtrans_sys_script',`
+@@ -858,6 +983,11 @@ interface(`apache_domtrans_sys_script',`
  	gen_require(`
  		attribute httpdcontent;
  		type httpd_sys_script_t;
@@ -12039,7 +12058,7 @@ index c9e1a44..7260bf6 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1073,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -945,7 +1075,7 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -12048,7 +12067,7 @@ index c9e1a44..7260bf6 100644
  ')
  
  ########################################
-@@ -1086,6 +1214,25 @@ interface(`apache_read_tmp_files',`
+@@ -1086,6 +1216,25 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -12074,7 +12093,7 @@ index c9e1a44..7260bf6 100644
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1102,7 +1249,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1102,7 +1251,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -12083,7 +12102,7 @@ index c9e1a44..7260bf6 100644
  ')
  
  ########################################
-@@ -1172,7 +1319,7 @@ interface(`apache_admin',`
+@@ -1172,7 +1321,7 @@ interface(`apache_admin',`
  		type httpd_modules_t, httpd_lock_t;
  		type httpd_var_run_t, httpd_php_tmp_t;
  		type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -12092,7 +12111,7 @@ index c9e1a44..7260bf6 100644
  	')
  
  	allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1349,43 @@ interface(`apache_admin',`
+@@ -1202,12 +1351,43 @@ interface(`apache_admin',`
  
  	kernel_search_proc($1)
  	allow $1 httpd_t:dir list_dir_perms;
@@ -17340,7 +17359,7 @@ index 7cf6763..5b9771e 100644
 +	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 +')
 diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
-index 24c6253..0a54d67 100644
+index 24c6253..188cd75 100644
 --- a/policy/modules/services/hal.te
 +++ b/policy/modules/services/hal.te
 @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@@ -17370,7 +17389,7 @@ index 24c6253..0a54d67 100644
  dev_rw_generic_usb_dev(hald_t)
  dev_setattr_generic_usb_dev(hald_t)
  dev_setattr_usbfs_files(hald_t)
-@@ -211,10 +215,13 @@ seutil_read_config(hald_t)
+@@ -211,14 +215,19 @@ seutil_read_config(hald_t)
  seutil_read_default_contexts(hald_t)
  seutil_read_file_contexts(hald_t)
  
@@ -17385,7 +17404,13 @@ index 24c6253..0a54d67 100644
  
  userdom_dontaudit_use_unpriv_user_fds(hald_t)
  userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -268,6 +275,10 @@ optional_policy(`
+ 
++netutils_domtrans(hald_t)
++
+ optional_policy(`
+ 	alsa_domtrans(hald_t)
+ 	alsa_read_rw_config(hald_t)
+@@ -268,6 +277,10 @@ optional_policy(`
  ')
  
  optional_policy(`
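Review bot: `netutils_domtrans(hald_t)` is added as a bare call rather than inside an `optional_policy` block, unlike the `alsa_domtrans(hald_t)` call wrapped directly beneath it. In refpolicy a direct call to another module's interface makes hal.te fail to build when that module is absent, so wrap it in an `optional_policy` block like its neighbours. It also gives hald a domain transition into the netutils domain, i.e. the ability to run the network diagnostic tools labelled for it, so a short comment naming the HAL callout that requires this would help an auditor decide whether the transition is still warranted. hal.te continues outside the hunk.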
@@ -17396,7 +17421,7 @@ index 24c6253..0a54d67 100644
  	gpm_dontaudit_getattr_gpmctl(hald_t)
  ')
  
-@@ -318,6 +329,10 @@ optional_policy(`
+@@ -318,6 +331,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17407,7 +17432,7 @@ index 24c6253..0a54d67 100644
  	udev_domtrans(hald_t)
  	udev_read_db(hald_t)
  ')
-@@ -338,6 +353,10 @@ optional_policy(`
+@@ -338,6 +355,10 @@ optional_policy(`
  	virt_manage_images(hald_t)
  ')
  
@@ -17418,7 +17443,7 @@ index 24c6253..0a54d67 100644
  ########################################
  #
  # Hal acl local policy
-@@ -358,6 +377,7 @@ files_search_var_lib(hald_acl_t)
+@@ -358,6 +379,7 @@ files_search_var_lib(hald_acl_t)
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -17426,7 +17451,7 @@ index 24c6253..0a54d67 100644
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -470,6 +490,10 @@ files_read_usr_files(hald_keymap_t)
+@@ -470,6 +492,10 @@ files_read_usr_files(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
  
@@ -28755,12 +28780,12 @@ index 408f4e6..55c2d03 100644
  auth_rw_login_records(getty_t)
  
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index b9efd1b..f1edb15 100644
+index 1fd31c1..683494c 100644
 --- a/policy/modules/system/hostname.te
 +++ b/policy/modules/system/hostname.te
-@@ -26,15 +26,18 @@ kernel_read_proc_symlinks(hostname_t)
- 
- dev_read_sysfs(hostname_t)
+@@ -28,15 +28,18 @@ dev_read_sysfs(hostname_t)
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(hostname_t)
  
 +domain_dontaudit_leaks(hostname_t)
  domain_use_interactive_fds(hostname_t)
@@ -28777,7 +28802,7 @@ index b9efd1b..f1edb15 100644
  fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
  
  term_dontaudit_use_console(hostname_t)
-@@ -53,6 +56,10 @@ sysnet_read_config(hostname_t)
+@@ -55,6 +58,10 @@ sysnet_read_config(hostname_t)
  sysnet_dns_name_resolve(hostname_t)
  
  optional_policy(`
@@ -29216,7 +29241,7 @@ index f6aafe7..7da8294 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index bd45076..a100eb6 100644
+index abab4cf..9f9b812 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -29292,14 +29317,15 @@ index bd45076..a100eb6 100644
  
  # For /var/run/shutdown.pid.
  allow init_t init_var_run_t:file manage_file_perms;
-@@ -120,15 +145,19 @@ corecmd_exec_chroot(init_t)
+@@ -119,6 +144,7 @@ corecmd_exec_chroot(init_t)
  corecmd_exec_bin(init_t)
  
  dev_read_sysfs(init_t)
 +dev_read_urand(init_t)
+ # Early devtmpfs
+ dev_rw_generic_chr_files(init_t)
  
- domain_getpgid_all_domains(init_t)
- domain_kill_all_domains(init_t)
+@@ -127,9 +153,12 @@ domain_kill_all_domains(init_t)
  domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
@@ -29312,7 +29338,7 @@ index bd45076..a100eb6 100644
  files_rw_generic_pids(init_t)
  files_dontaudit_search_isid_type_dirs(init_t)
  files_manage_etc_runtime_files(init_t)
-@@ -167,6 +196,8 @@ seutil_read_config(init_t)
+@@ -168,6 +197,8 @@ seutil_read_config(init_t)
  
  miscfiles_read_localization(init_t)
  
@@ -29321,7 +29347,7 @@ index bd45076..a100eb6 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -177,7 +208,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +209,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -29330,7 +29356,7 @@ index bd45076..a100eb6 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -185,23 +216,92 @@ tunable_policy(`init_upstart',`
+@@ -186,23 +217,92 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -29423,7 +29449,7 @@ index bd45076..a100eb6 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -211,7 +311,7 @@ optional_policy(`
+@@ -212,7 +312,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29432,7 +29458,7 @@ index bd45076..a100eb6 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -240,6 +340,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +341,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29440,7 +29466,7 @@ index bd45076..a100eb6 100644
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +358,22 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +359,22 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -29463,10 +29489,20 @@ index bd45076..a100eb6 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -297,11 +409,13 @@ dev_manage_generic_files(initrc_t)
+@@ -291,6 +403,7 @@ dev_read_sound_mixer(initrc_t)
+ dev_write_sound_mixer(initrc_t)
+ dev_setattr_all_chr_files(initrc_t)
+ dev_rw_lvm_control(initrc_t)
++dev_rw_generic_chr_files(initrc_t)
+ dev_delete_lvm_control_dev(initrc_t)
+ dev_manage_generic_symlinks(initrc_t)
+ dev_manage_generic_files(initrc_t)
+@@ -298,13 +411,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
+-# Early devtmpfs
+-dev_rw_generic_chr_files(initrc_t)
 +dev_rw_xserver_misc(initrc_t)
  
  domain_kill_all_domains(initrc_t)
@@ -29477,7 +29513,7 @@ index bd45076..a100eb6 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
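Review bot: Relocating `dev_rw_generic_chr_files(initrc_t)` up beside `dev_rw_lvm_control(initrc_t)` drops the upstream `# Early devtmpfs` comment that explained why initrc_t is allowed read/write on every generic character device. The rule is broad (it is not limited to the window before udev relabels), so the justification is exactly what a reviewer will look for; carry the comment along as `# Early devtmpfs, before udev relabel` above the relocated line. init.te continues outside the hunk.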
-@@ -320,8 +434,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +436,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -29489,7 +29525,7 @@ index bd45076..a100eb6 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -337,8 +453,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +455,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -29503,7 +29539,7 @@ index bd45076..a100eb6 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -348,6 +468,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +470,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -29512,7 +29548,7 @@ index bd45076..a100eb6 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -360,6 +482,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +484,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -29520,7 +29556,7 @@ index bd45076..a100eb6 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -391,13 +514,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +516,14 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -29536,7 +29572,7 @@ index bd45076..a100eb6 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -470,7 +594,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +596,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -29545,7 +29581,7 @@ index bd45076..a100eb6 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -516,6 +640,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +642,19 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -29565,7 +29601,7 @@ index bd45076..a100eb6 100644
  	')
  
  	optional_policy(`
-@@ -523,10 +660,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +662,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -29583,7 +29619,7 @@ index bd45076..a100eb6 100644
  	')
  
  	optional_policy(`
-@@ -541,6 +685,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +687,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -29619,7 +29655,7 @@ index bd45076..a100eb6 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -553,6 +726,8 @@ optional_policy(`
+@@ -556,6 +728,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -29628,7 +29664,7 @@ index bd45076..a100eb6 100644
  ')
  
  optional_policy(`
-@@ -569,6 +744,7 @@ optional_policy(`
+@@ -572,6 +746,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -29636,7 +29672,7 @@ index bd45076..a100eb6 100644
  ')
  
  optional_policy(`
-@@ -581,6 +757,11 @@ optional_policy(`
+@@ -584,6 +759,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29648,7 +29684,7 @@ index bd45076..a100eb6 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -597,6 +778,7 @@ optional_policy(`
+@@ -600,6 +780,7 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -29656,7 +29692,7 @@ index bd45076..a100eb6 100644
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -698,7 +880,12 @@ optional_policy(`
+@@ -701,7 +882,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29669,7 +29705,7 @@ index bd45076..a100eb6 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -721,6 +908,10 @@ optional_policy(`
+@@ -724,6 +910,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29680,7 +29716,7 @@ index bd45076..a100eb6 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -742,6 +933,10 @@ optional_policy(`
+@@ -745,6 +935,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29691,7 +29727,7 @@ index bd45076..a100eb6 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -763,8 +958,6 @@ optional_policy(`
+@@ -766,8 +960,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -29700,7 +29736,7 @@ index bd45076..a100eb6 100644
  ')
  
  optional_policy(`
-@@ -773,14 +966,21 @@ optional_policy(`
+@@ -776,14 +968,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29722,7 +29758,7 @@ index bd45076..a100eb6 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -802,11 +1002,19 @@ optional_policy(`
+@@ -805,11 +1004,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29743,7 +29779,7 @@ index bd45076..a100eb6 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -816,6 +1024,25 @@ optional_policy(`
+@@ -819,6 +1026,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29769,7 +29805,7 @@ index bd45076..a100eb6 100644
  ')
  
  optional_policy(`
-@@ -841,3 +1068,55 @@ optional_policy(`
+@@ -844,3 +1070,55 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -31557,7 +31593,7 @@ index 8b5c196..3490497 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index ee6520c..e36909c 100644
+index fca6947..24ffd8a 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -31607,7 +31643,7 @@ index ee6520c..e36909c 100644
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -46,30 +68,54 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,32 +68,56 @@ can_exec(mount_t, mount_exec_t)
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -31646,6 +31682,8 @@ index ee6520c..e36909c 100644
 +ifdef(`hide_broken_symptoms',`
 +	dev_rw_generic_blk_files(mount_t)
 +')
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(mount_t)
  
  domain_use_interactive_fds(mount_t)
 +domain_dontaudit_search_all_domains_state(mount_t)
@@ -31664,7 +31702,7 @@ index ee6520c..e36909c 100644
  files_mount_all_file_type_fs(mount_t)
  files_unmount_all_file_type_fs(mount_t)
  # for when /etc/mtab loses its type
-@@ -79,25 +125,32 @@ files_read_isid_type_files(mount_t)
+@@ -81,25 +127,32 @@ files_read_isid_type_files(mount_t)
  files_read_usr_files(mount_t)
  files_list_mnt(mount_t)
  
@@ -31700,7 +31738,7 @@ index ee6520c..e36909c 100644
  
  term_use_all_terms(mount_t)
  
-@@ -106,6 +159,8 @@ auth_use_nsswitch(mount_t)
+@@ -108,6 +161,8 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -31709,7 +31747,7 @@ index ee6520c..e36909c 100644
  
  logging_send_syslog_msg(mount_t)
  
-@@ -116,6 +171,12 @@ sysnet_use_portmap(mount_t)
+@@ -118,6 +173,12 @@ sysnet_use_portmap(mount_t)
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -31722,7 +31760,7 @@ index ee6520c..e36909c 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -131,10 +192,17 @@ ifdef(`distro_ubuntu',`
+@@ -133,10 +194,17 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -31740,7 +31778,7 @@ index ee6520c..e36909c 100644
  ')
  
  optional_policy(`
-@@ -164,6 +232,8 @@ optional_policy(`
+@@ -166,6 +234,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -31749,7 +31787,7 @@ index ee6520c..e36909c 100644
  ')
  
  optional_policy(`
-@@ -171,6 +241,25 @@ optional_policy(`
+@@ -173,6 +243,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31775,7 +31813,7 @@ index ee6520c..e36909c 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +267,11 @@ optional_policy(`
+@@ -180,6 +269,11 @@ optional_policy(`
  	')
  ')
  
@@ -31787,7 +31825,7 @@ index ee6520c..e36909c 100644
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -185,6 +279,19 @@ optional_policy(`
+@@ -187,6 +281,19 @@ optional_policy(`
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -31807,7 +31845,7 @@ index ee6520c..e36909c 100644
  ')
  
  ########################################
-@@ -193,6 +300,42 @@ optional_policy(`
+@@ -195,6 +302,42 @@ optional_policy(`
  #
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a39aad9..0d858c7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,8 +19,8 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.9.0
-Release: 2%{?dist}
+Version: 3.9.1
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Aug 30 2010 Dan Walsh <dwalsh at redhat.com> 3.9.1-1
+- Merge with upstream
+
 * Thu Aug 26 2010 Dan Walsh <dwalsh at redhat.com> 3.9.0-2
 - More access needed for devicekit
 - Add dbadm policy
diff --git a/sources b/sources
index cb5f564..4192ac7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-9012ab09af5480459942d4a54de91db4  serefpolicy-3.9.0.tgz
+1351ca1eca73598202c01ea63efba6d1  serefpolicy-3.9.1.tgz

