rpms/selinux-policy/F-12 policy-20100106.patch, 1.20, 1.21 selinux-policy.spec, 1.1007, 1.1008
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Feb 1 20:22:46 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23257
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Allow xdm to execute octave
- Add label for var/run/lxdm.auth
- Allow pppd sys_admin capability
- Allow cups-pdf fowner capability
- Fix path for cluster binaries
- Fixes for pulseaudio
- Add label for /var/webmin directory
- Allow prelink execmod on files in home directory
- Allow cups-config to read process state of all user domains.
- Fixes for vmware policy
- Fixes for lirc policy
- Allow amavis to read utmp
policy-20100106.patch:
modules/admin/prelink.te | 1
modules/admin/rpm.if | 20 +++---
modules/admin/smoltclient.te | 2
modules/admin/usermanage.te | 4 +
modules/apps/gnome.fc | 8 ++
modules/apps/gnome.if | 24 +++----
modules/apps/gnome.te | 6 +
modules/apps/gpg.fc | 2
modules/apps/gpg.te | 5 -
modules/apps/mozilla.fc | 1
modules/apps/nsplugin.fc | 1
modules/apps/podsleuth.te | 1
modules/apps/pulseaudio.fc | 2
modules/apps/pulseaudio.if | 4 -
modules/apps/pulseaudio.te | 8 ++
modules/apps/sandbox.if | 50 +++++++++++++---
modules/apps/sandbox.te | 43 ++++++++-----
modules/apps/vmware.if | 18 +++++
modules/apps/vmware.te | 9 ++
modules/apps/wine.if | 4 +
modules/apps/wine.te | 14 ++++
modules/kernel/corenetwork.te.in | 4 -
modules/kernel/devices.fc | 3
modules/kernel/devices.if | 36 +++++++++++
modules/kernel/devices.te | 12 +++
modules/kernel/files.if | 20 ++++++
modules/kernel/filesystem.if | 20 ++++++
modules/roles/unconfineduser.fc | 2
modules/roles/unconfineduser.te | 2
modules/roles/xguest.te | 2
modules/services/abrt.if | 5 +
modules/services/abrt.te | 4 +
modules/services/afs.te | 6 +
modules/services/amavis.te | 1
modules/services/apache.fc | 1
modules/services/apache.if | 27 ++++++++
modules/services/apache.te | 7 +-
modules/services/apcupsd.te | 2
modules/services/arpwatch.te | 1
modules/services/avahi.fc | 2
modules/services/cron.te | 4 +
modules/services/cups.te | 6 +
modules/services/dovecot.te | 5 +
modules/services/fail2ban.if | 18 +++++
modules/services/ftp.if | 37 ++++++++++++
modules/services/ftp.te | 114 +++++++++++++++++++++++++++++++++++++
modules/services/git.fc | 3
modules/services/git.if | 8 +-
modules/services/git.te | 5 +
modules/services/kerberos.if | 2
modules/services/ldap.fc | 6 +
modules/services/ldap.te | 7 ++
modules/services/lircd.te | 7 +-
modules/services/mailman.te | 1
modules/services/memcached.te | 14 +++-
modules/services/mysql.te | 2
modules/services/nagios.fc | 40 ++++++++++++
modules/services/nagios.te | 7 ++
modules/services/networkmanager.fc | 1
modules/services/networkmanager.te | 1
modules/services/nis.fc | 5 +
modules/services/nis.te | 6 +
modules/services/nx.if | 18 +++++
modules/services/openvpn.te | 4 +
modules/services/plymouth.te | 28 +++++----
modules/services/policykit.te | 6 +
modules/services/postfix.te | 5 +
modules/services/ppp.fc | 2
modules/services/ppp.te | 6 +
modules/services/prelude.te | 2
modules/services/rgmanager.if | 2
modules/services/rhcs.fc | 8 +-
modules/services/samba.te | 7 +-
modules/services/sendmail.te | 2
modules/services/snmp.te | 4 -
modules/services/snort.te | 1
modules/services/spamassassin.if | 18 +++++
modules/services/ssh.te | 80 +------------------------
modules/services/sssd.fc | 2
modules/services/sssd.if | 85 ++++++++++++++++-----------
modules/services/sssd.te | 14 +++-
modules/services/tftp.te | 1
modules/services/tgtd.te | 1
modules/services/virt.te | 5 +
modules/services/xserver.fc | 6 +
modules/services/xserver.te | 14 ++++
modules/system/fstools.fc | 1
modules/system/hostname.te | 3
modules/system/hotplug.te | 4 +
modules/system/init.te | 5 +
modules/system/ipsec.te | 2
modules/system/iscsi.fc | 2
modules/system/iscsi.te | 4 +
modules/system/libraries.fc | 15 ++++
modules/system/locallogin.te | 5 +
modules/system/logging.fc | 2
modules/system/miscfiles.if | 37 ++++++++++++
modules/system/mount.te | 5 +
modules/system/selinuxutil.te | 1
modules/system/sysnetwork.te | 1
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 +++++
modules/system/xen.te | 7 ++
support/obj_perm_sets.spt | 3
users | 2
106 files changed, 902 insertions(+), 222 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -p -r1.20 -r1.21
--- policy-20100106.patch 29 Jan 2010 11:11:23 -0000 1.20
+++ policy-20100106.patch 1 Feb 2010 20:22:44 -0000 1.21
@@ -1,3 +1,14 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te
+--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-01-18 18:24:22.564530406 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2010-02-01 20:30:49.318160848 +0100
+@@ -108,6 +108,7 @@
+ miscfiles_read_localization(prelink_t)
+
+ userdom_use_user_terminals(prelink_t)
++userdom_execmod_user_home_files(prelink_t)
+ userdom_manage_user_home_content(prelink_t)
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-01-18 18:24:22.567540216 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-01-29 10:12:23.130864561 +0100
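Review bot: `userdom_execmod_user_home_files(prelink_t)` grants prelink execmod on every user home file type unconditionally, with no comment on why the relaxation is needed. Prelink only requires this when it relinks binaries that live under a home directory, so at minimum a why-comment above the line, e.g. `# prelink rewrites binaries under $HOME; execmod is needed for the relinked text`, would record the intent, and if this policy keeps such relaxations optional a boolean guard would let administrators who never prelink home content keep the restriction. The `optional_policy(`` block on the hunk's last line continues outside the hunk.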
@@ -226,6 +237,54 @@ diff -b -B --ignore-all-space --exclude-
userdom_signal_unpriv_users(podsleuth_t)
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc
+--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc 2010-02-01 17:25:46.487082096 +0100
+@@ -1 +1,3 @@
++/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
++
+ /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if
+--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-01-18 18:24:22.632542198 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-02-01 17:25:51.033096867 +0100
+@@ -137,10 +137,10 @@
+ #
+ interface(`pulseaudio_stream_connect',`
+ gen_require(`
+- type pulseaudio_t;
++ type pulseaudio_t, pulseaudio_var_run_t;
+ ')
+
+ allow $1 pulseaudio_t:process signull;
+ allow pulseaudio_t $1:process signull;
+- allow $1 pulseaudio_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
+--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-01-18 18:24:22.633540020 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-02-01 17:25:54.881332083 +0100
+@@ -11,6 +11,9 @@
+ application_domain(pulseaudio_t, pulseaudio_exec_t)
+ role system_r types pulseaudio_t;
+
++type pulseaudio_var_run_t;
++files_pid_file(pulseaudio_var_run_t)
++
+ ########################################
+ #
+ # pulseaudio local policy
+@@ -24,6 +27,11 @@
+ allow pulseaudio_t self:udp_socket create_socket_perms;
+ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+
++manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
++manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
++manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
++files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
++
+ can_exec(pulseaudio_t, pulseaudio_exec_t)
+
+ kernel_getattr_proc(pulseaudio_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-22 15:41:50.752727640 +0100
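Review bot: `files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })` in the pulseaudio.te part covers only dirs and files, although the line above it adds `manage_sock_files_pattern` for the same type; a socket created directly under the pid directory rather than inside /var/run/pulse would, absent another transition, keep the generic pid type and the `stream_connect_pattern` introduced in pulseaudio.if would then not match it. Adding the class keeps the two rules consistent: `files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file sock_file })`. The vmware.te hunk further down has the same mismatch between `manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)` and `files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })`.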
@@ -324,7 +383,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-01-22 15:41:56.778871235 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-02-01 20:25:27.706170172 +0100
@@ -10,14 +10,15 @@
#
@@ -427,7 +486,16 @@ diff -b -B --ignore-all-space --exclude-
selinux_get_fs_mount(sandbox_x_client_t)
selinux_validate_context(sandbox_x_client_t)
selinux_compute_access_vector(sandbox_x_client_t)
-@@ -267,7 +274,7 @@
+@@ -239,6 +246,8 @@
+ kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t)
+
+ dev_read_rand(sandbox_web_client_t)
++dev_read_sound(sandbox_web_client_t)
++dev_write_sound(sandbox_web_client_t)
+
+ # Browse the web, connect to printer
+ corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
+@@ -267,7 +276,7 @@
corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
corenet_tcp_connect_speech_port(sandbox_web_client_t)
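Review bot: `dev_read_sound(sandbox_web_client_t)` and `dev_write_sound(sandbox_web_client_t)` give the sandboxed web client direct access to the sound device nodes, and as far as those interfaces reach that includes capture devices, so a confined browser would be able to record audio with no tunable in the way. If the goal is only playback through pulseaudio, the `pulseaudio_stream_connect` change earlier in this commit may already be sufficient; otherwise a boolean guard, or at least a comment such as `# direct sound device access for sandboxed browsers; covers capture devices too`, would make the trade-off visible.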
@@ -436,7 +504,16 @@ diff -b -B --ignore-all-space --exclude-
dbus_system_bus_client(sandbox_web_client_t)
dbus_read_config(sandbox_web_client_t)
-@@ -310,7 +317,7 @@
+@@ -279,6 +288,8 @@
+ selinux_compute_user_contexts(sandbox_web_client_t)
+ seutil_read_default_contexts(sandbox_web_client_t)
+
++userdom_rw_user_tmpfs_files(sandbox_web_client_t)
++
+ optional_policy(`
+ nsplugin_read_rw_files(sandbox_web_client_t)
+ nsplugin_rw_exec(sandbox_web_client_t)
+@@ -310,7 +321,7 @@
corenet_tcp_connect_all_ports(sandbox_net_client_t)
corenet_sendrecv_all_client_packets(sandbox_net_client_t)
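Review bot: `userdom_rw_user_tmpfs_files(sandbox_web_client_t)` lets the sandboxed web client read and write, as far as the interface name indicates, every tmpfs-backed file of the invoking user rather than only shared memory the browser itself created, which weakens the isolation sandbox_web_client_t exists to provide. If this was added for pulseaudio's shared-memory transport, a rule scoped to the pulseaudio type would keep the boundary; at minimum a comment naming the consumer that needs it would let a later maintainer re-evaluate. The `nsplugin_read_rw_files` call just below already opens a similar path, so the combined reach is worth stating in the comment.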
@@ -473,6 +550,32 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Read VMWare system configuration files.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.32/policy/modules/apps/vmware.te
+--- nsaserefpolicy/policy/modules/apps/vmware.te 2010-01-18 18:24:22.655542539 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/vmware.te 2010-02-01 20:38:46.148160807 +0100
+@@ -32,6 +32,10 @@
+ type vmware_host_pid_t alias vmware_var_run_t;
+ files_pid_file(vmware_host_pid_t)
+
++type vmware_host_tmp_t;
++files_tmp_file(vmware_host_tmp_t)
++ubac_constrained(vmware_host_tmp_t)
++
+ type vmware_log_t;
+ typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
+ typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
+@@ -87,6 +91,11 @@
+ manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+
++manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
++manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
++manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
++files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
++
+ kernel_read_kernel_sysctls(vmware_host_t)
+ kernel_read_system_state(vmware_host_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-18 18:24:22.657540000 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-01-18 18:27:02.744541291 +0100
@@ -722,6 +825,21 @@ diff -b -B --ignore-all-space --exclude-
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if
+--- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100
+@@ -35,6 +35,11 @@
+ ')
+
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit abrt_helper_t $1:socket_class_set { read write };
++ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
++ ')
+ ')
+
+ ######################################
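Review bot: the `ifdef(`hide_broken_symptoms'` block silences read/write denials on every socket class and on anon inodefs files for abrt_helper_t from inside a domtrans interface, so the suppression applies for all callers and will also hide genuinely unexpected descriptor leaks into the helper. A short comment naming the leak being hidden would tell a future reviewer when the block can be dropped, e.g. `# the crashing caller leaks its open sockets to the helper; hide until abrt closes them`. The interface body continues outside the hunk.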
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-27 15:33:53.900626544 +0100
@@ -775,6 +893,17 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# AFS bossserver local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.32/policy/modules/services/amavis.te
+--- nsaserefpolicy/policy/modules/services/amavis.te 2010-01-18 18:24:22.732530124 +0100
++++ serefpolicy-3.6.32/policy/modules/services/amavis.te 2010-02-01 21:16:32.215094407 +0100
+@@ -138,6 +138,7 @@
+
+ auth_dontaudit_read_shadow(amavis_t)
+
++init_read_utmp(amavis_t)
+ init_stream_connect_script(amavis_t)
+
+ logging_send_syslog_msg(amavis_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-01-27 17:22:29.733863060 +0100
@@ -788,7 +917,7 @@ diff -b -B --ignore-all-space --exclude-
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-22 17:15:37.455855038 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-02-01 15:06:59.560081274 +0100
@@ -16,6 +16,7 @@
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
@@ -797,7 +926,15 @@ diff -b -B --ignore-all-space --exclude-
')
#This type is for webpages
type httpd_$1_content_t;
-@@ -123,6 +124,8 @@
+@@ -55,6 +56,7 @@
+ allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
+
+ allow httpd_$1_script_t self:fifo_file rw_file_perms;
++ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
+ allow httpd_$1_script_t self:unix_stream_socket connectto;
+
+ allow httpd_$1_script_t httpd_t:fifo_file write;
+@@ -123,6 +125,8 @@
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
@@ -806,7 +943,7 @@ diff -b -B --ignore-all-space --exclude-
')
tunable_policy(`httpd_enable_cgi',`
-@@ -1167,6 +1170,29 @@
+@@ -1167,6 +1171,29 @@
allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
')
@@ -908,7 +1045,7 @@ diff -b -B --ignore-all-space --exclude-
# System cron process domain
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-25 17:36:13.178435741 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-02-01 21:13:34.192326070 +0100
@@ -265,6 +265,7 @@
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
@@ -917,7 +1054,20 @@ diff -b -B --ignore-all-space --exclude-
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
-@@ -555,6 +556,7 @@
+@@ -430,10 +431,12 @@
+
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+ userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
++userdom_read_all_users_state(cupsd_config_t)
+ userdom_rw_user_tmp_files(cupsd_config_t)
+
+ cups_stream_connect(cupsd_config_t)
+
++gnome_dontaudit_search_config(cupsd_config_t)
+ lpd_read_config(cupsd_config_t)
+
+ ifdef(`distro_redhat',`
+@@ -555,6 +558,7 @@
logging_send_syslog_msg(cupsd_lpd_t)
miscfiles_read_localization(cupsd_lpd_t)
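Review bot: `userdom_read_all_users_state(cupsd_config_t)` lets the cups configuration helper read the /proc state of every user domain, which is broader disclosure than a configuration tool normally needs. If it only has to check that a process exists, `userdom_getattr_all_users(cupsd_config_t)` (already used for virtd_t elsewhere in this patch) would cover that with much less exposure; if a real read is required, a comment stating what it reads would justify the width.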
@@ -925,6 +1075,15 @@ diff -b -B --ignore-all-space --exclude-
cups_stream_connect(cupsd_lpd_t)
+@@ -567,7 +571,7 @@
+ # cups_pdf local policy
+ #
+
+-allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
++allow cups_pdf_t self:capability { chown fsetid fowner setuid setgid dac_override };
+ allow cups_pdf_t self:fifo_file rw_file_perms;
+ allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100
+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-27 16:52:32.499864534 +0100
@@ -1296,6 +1455,29 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te
+--- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-18 18:24:22.806540025 +0100
++++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2010-02-01 20:50:49.950161278 +0100
+@@ -1,5 +1,5 @@
+
+-policy_module(lircd, 1.0.0)
++policy_module(lircd, 1.0.1)
+
+ ########################################
+ #
+@@ -24,9 +24,10 @@
+ # lircd local policy
+ #
+
+-allow lircd_t self:process signal;
++allow lircd_t self:capability { chown kill sys_admin };
++allow lircd_t self:process { fork signal };
+ allow lircd_t self:unix_dgram_socket create_socket_perms;
+-allow lircd_t self:fifo_file rw_file_perms;
++allow lircd_t self:fifo_file rw_fifo_file_perms;
+ allow lircd_t self:tcp_socket create_stream_socket_perms;
+
+ # etc file
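Review bot: `allow lircd_t self:capability { chown kill sys_admin };` gives lircd CAP_SYS_ADMIN, which covers a very large set of privileged operations well beyond what an infrared daemon should need, and the hunk carries no comment on which operation triggered it. CAP_SYS_ADMIN denials are often spurious (a failed ioctl the daemon tolerates, for instance); if that is the case here, `dontaudit lircd_t self:capability sys_admin;` is the usual fix, otherwise a comment naming the operation would let a later maintainer narrow it.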
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100
@@ -1453,6 +1635,28 @@ diff -b -B --ignore-all-space --exclude-
######################################
#
# local policy for system check plugins
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc
+--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-01-18 18:24:22.823530245 +0100
++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2010-02-01 18:05:10.499091573 +0100
+@@ -17,6 +17,7 @@
+ /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+
+ /var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
++/var/log/wicd.* gen_context(system_u:object_r:NetworkManager_log_t,s0)
+ /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
+
+ /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
+--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-01-18 18:24:22.825542512 +0100
++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-02-01 20:40:02.343160698 +0100
+@@ -51,6 +51,7 @@
+ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+
+ can_exec(NetworkManager_t, NetworkManager_exec_t)
++can_exec(NetworkManager_t, NetworkManager_tmp_t)
+
+ manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+ logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
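Review bot: `can_exec(NetworkManager_t, NetworkManager_tmp_t)` lets NetworkManager execute content of its own temporary-file type, so anything it presumably writes into that tmp area becomes executable by it, and the hunk gives no reason. If this is for helper scripts, labelling them with a dedicated exec type would avoid making writable tmp executable; at least add a comment such as `# NM writes and runs helper scripts in its tmp dir (TODO: note which)`. The new `/var/log/wicd.*` pattern in networkmanager.fc also overlaps the existing `/var/log/wicd(/.*)?` entry directly above it, which is harmless but could be merged.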
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.32/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2010-01-18 18:24:22.826540614 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nis.fc 2010-01-29 09:57:02.171614102 +0100
@@ -1593,7 +1797,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(plymouth_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-01-29 10:12:36.454864455 +0100
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-02-01 20:36:15.743410648 +0100
@@ -89,6 +89,10 @@
')
')
@@ -1605,6 +1809,15 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# polkit_auth local policy
+@@ -115,6 +119,8 @@
+ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+ files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+
++dev_read_video_dev(policykit_auth_t)
++
+ files_read_etc_files(policykit_auth_t)
+ files_read_usr_files(policykit_auth_t)
+ files_search_home(policykit_auth_t)
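Review bot: `dev_read_video_dev(policykit_auth_t)` lets the polkit authentication agent read video capture devices, which has no obvious connection to authentication and looks like a denial inherited from a leaked descriptor or from the desktop session the agent runs under. If the access is not actually used, a dontaudit rule or closing the descriptor at the caller is safer than granting reads; if it is needed, a comment stating why belongs above the line.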
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100
@@ -1634,6 +1847,41 @@ diff -b -B --ignore-all-space --exclude-
# connect to master process
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.32/policy/modules/services/ppp.fc
+--- nsaserefpolicy/policy/modules/services/ppp.fc 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/ppp.fc 2010-02-01 15:04:13.696080784 +0100
+@@ -3,6 +3,8 @@
+ #
+ /etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
++/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
++
+ /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+ /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+ /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te
+--- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 18:24:22.860530341 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-02-01 17:54:50.906099781 +0100
+@@ -71,7 +71,7 @@
+ # PPPD Local policy
+ #
+
+-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
+ dontaudit pppd_t self:capability sys_tty_config;
+ allow pppd_t self:process signal;
+ allow pppd_t self:fifo_file rw_fifo_file_perms;
+@@ -192,6 +192,10 @@
+ ')
+
+ optional_policy(`
++ hal_dontaudit_rw_dgram_sockets(pppd_t)
++')
++
++optional_policy(`
+ mta_send_mail(pppd_t)
+ mta_system_content(pppd_etc_t)
+ mta_system_content(pppd_etc_rw_t)
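Review bot: `/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)` leaves the dot unescaped while every neighbouring ppp.fc entry uses `\.`; file-context specs are regular expressions, so this also matches any single character in that position, and it should read `/root/\.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)`. In the ppp.te part, adding `sys_admin` to the pppd capability set is a large grant for a dial-up daemon; a comment naming the operation that needs it (or a dontaudit if the denial is tolerable) would help later review.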
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2010-01-18 18:24:22.861530469 +0100
+++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2010-01-26 15:37:38.488473779 +0100
@@ -1658,9 +1906,36 @@ diff -b -B --ignore-all-space --exclude-
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc
+--- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-01-18 18:24:22.872542275 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-01 16:27:13.351081209 +0100
+@@ -1,19 +1,19 @@
+
+-/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
++/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+ /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+ /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+
+-/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr//sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+ /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+ /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+ /var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+
+-/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
++/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+ /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+ /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+
+-/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
++/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+ /var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+
+ /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
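Review bot: `/usr//sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)` contains a doubled slash; file-context paths are matched as regular expressions against canonical paths, so this entry matches nothing and the fenced binary would not receive the fenced_exec_t entrypoint label, leaving it to run without its intended domain. It should be `/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)`, consistent with the other three paths corrected in this hunk.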
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-18 18:27:02.770531119 +0100
++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-01 20:42:31.450160322 +0100
@@ -286,6 +286,8 @@
allow smbd_t winbind_t:process { signal signull };
@@ -1670,6 +1945,15 @@ diff -b -B --ignore-all-space --exclude-
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
+@@ -350,7 +352,7 @@
+ miscfiles_read_public_files(smbd_t)
+
+ userdom_use_unpriv_users_fds(smbd_t)
+-userdom_dontaudit_search_user_home_dirs(smbd_t)
++userdom_search_user_home_content(smbd_t)
+ userdom_signal_all_users(smbd_t)
+
+ usermanage_read_crack_db(smbd_t)
@@ -485,6 +487,8 @@
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
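Review bot: replacing `userdom_dontaudit_search_user_home_dirs(smbd_t)` with `userdom_search_user_home_content(smbd_t)` turns a silenced denial into an unconditional grant to traverse every user's home content, independent of whether home shares are enabled. Samba home-directory access in this policy is normally gated by the `samba_enable_home_dirs` tunable; if the search is only needed for home shares it belongs under that guard, and if it serves something else a comment should say what.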
@@ -2175,7 +2459,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-18 18:27:02.776530834 +0100
++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-01 17:46:33.611080298 +0100
@@ -226,7 +226,7 @@
sysnet_domtrans_ifconfig(virtd_t)
sysnet_read_config(virtd_t)
@@ -2185,7 +2469,15 @@ diff -b -B --ignore-all-space --exclude-
userdom_getattr_all_users(virtd_t)
userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
-@@ -430,6 +430,8 @@
+@@ -370,6 +370,7 @@
+
+ tunable_policy(`virt_use_fusefs',`
+ fs_read_fusefs_files(svirt_t)
++ fs_read_fusefs_symlinks(svirt_t)
+ ')
+
+ tunable_policy(`virt_use_nfs',`
+@@ -430,6 +431,8 @@
corenet_tcp_connect_virt_migration_port(virt_domain)
dev_read_sound(virt_domain)
@@ -2196,7 +2488,7 @@ diff -b -B --ignore-all-space --exclude-
dev_rw_kvm(virt_domain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-01-18 18:27:02.777542764 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-02-01 14:37:29.435332322 +0100
@@ -65,6 +65,8 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -2214,17 +2506,19 @@ diff -b -B --ignore-all-space --exclude-
/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
-@@ -116,6 +119,7 @@
+@@ -116,6 +119,9 @@
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
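Review bot: `/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)` has the quantifier and the dot transposed; as written it matches `/var/run/lxdm` followed by at most one character and so does not label the files inside the directory it is meant to cover. The form used by every other directory entry in this file is `/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)`. The `/var/run/lxdm\.pid` line is removed and re-added with no visible difference, which looks like a whitespace-only edit.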
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-29 10:03:15.438864683 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-01 17:25:59.218331954 +0100
@@ -301,6 +301,9 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
@@ -2254,7 +2548,15 @@ diff -b -B --ignore-all-space --exclude-
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
dev_read_sound(xdm_t)
-@@ -668,6 +675,7 @@
+@@ -582,6 +589,7 @@
+ userdom_read_all_users_state(xdm_t)
+ userdom_signal_all_users(xdm_t)
+ userdom_stream_connect(xdm_t)
++userdom_manage_user_tmp_files(xdm_t)
+ userdom_manage_user_tmp_dirs(xdm_t)
+ userdom_manage_user_tmp_sockets(xdm_t)
+ userdom_manage_tmpfs_role(system_r, xdm_t)
+@@ -668,6 +676,7 @@
optional_policy(`
gnome_read_gconf_config(xdm_t)
@@ -2262,6 +2564,25 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
+@@ -675,6 +684,10 @@
+ ')
+
+ optional_policy(`
++ java_exec(xdm_t)
++')
++
++optional_policy(`
+ loadkeys_exec(xdm_t)
+ ')
+
+@@ -712,6 +725,7 @@
+ optional_policy(`
+ pulseaudio_exec(xdm_t)
+ pulseaudio_dbus_chat(xdm_t)
++ pulseaudio_stream_connect(xdm_t)
+ ')
+
+ # On crash gdm execs gdb to dump stack
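Review bot: `java_exec(xdm_t)` runs java_exec_t binaries inside xdm_t itself rather than through a domain transition, and nothing in the hunk ties it to the "Allow xdm to execute octave" entry in the log message, presumably because the octave binary carries that exec type (confirm against the fc). A comment above the call, e.g. `# octave is labelled java_exec_t; xdm launches it at login`, would record the intent and let a maintainer move to a transition later if a confined domain becomes available.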
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2010-01-18 18:24:22.930540014 +0100
+++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2010-01-27 18:13:10.349614395 +0100
@@ -2444,6 +2765,15 @@ diff -b -B --ignore-all-space --exclude-
ifdef(`enable_mls',`
sysadm_shell_domtrans(sulogin_t)
',`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc
+--- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-18 18:24:22.949542779 +0100
++++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-02-01 20:28:30.386409309 +0100
+@@ -69,3 +69,5 @@
+
+ /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
++/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100
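Review bot: `/var/webmin(/.*)?` labels the whole tree as var_log_t, not only its log files; if the directory also holds runtime state such as pid or session files, which its name rather than a log directory name suggests, those inherit the log type and become readable by every domain granted a read-all-logs interface. Confirming what lives there and, if needed, narrowing the regex to the log file names would keep the label honest; a one-line comment recording the choice, e.g. `# webmin has no policy module of its own; its log directory takes the generic log type`, would help if that is the reason. The second added line (`++` with no text) appends a trailing blank line to logging.fc, which looks accidental.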
@@ -2555,7 +2885,7 @@ diff -b -B --ignore-all-space --exclude-
HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-01-18 18:27:02.794530889 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-02-01 20:32:18.731160012 +0100
@@ -3631,6 +3631,24 @@
########################################
@@ -2621,16 +2951,17 @@ diff -b -B --ignore-all-space --exclude-
storage_raw_read_fixed_disk(xenstored_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100
-+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-18 18:27:02.798533004 +0100
-@@ -28,7 +28,7 @@
++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-02-01 20:58:41.140409177 +0100
+@@ -28,8 +28,7 @@
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
-
+-
++define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
#
+ # Datagram socket classes.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
--- nsaserefpolicy/policy/users 2010-01-18 18:24:22.989541023 +0100
+++ serefpolicy-3.6.32/policy/users 2010-01-18 18:27:02.799531176 +0100
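Review bot: Adding the generic `socket` class to `socket_class_set` (inner hunk at -28) widens every allow and dontaudit in the policy that expands that macro, so the change is global rather than confined to whichever domain raised the denial; a comment on the define should record the trigger, e.g. `# socket: base class reported for families without a specific class — see <bug/AVC — fill in>`, if that is the reason (TODO confirm). The new inner hunk also deletes the blank line between the define and the `# Datagram socket classes.` header (the `+-` line), which is what turns the header from `-28,7` into `-28,8` and looks accidental. The previous revision of this hunk only added tun_socket; this one keeps that and adds socket, so the diff-of-diff here is the only place the two changes are visible together.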
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1007
retrieving revision 1.1008
diff -u -p -r1.1007 -r1.1008
--- selinux-policy.spec 29 Jan 2010 11:11:23 -0000 1.1007
+++ selinux-policy.spec 1 Feb 2010 20:22:44 -0000 1.1008
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 79%{?dist}
+Release: 80%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -285,8 +285,6 @@ else
# if first time update booleans.local needs to be copied to sandbox
[ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/
[ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers
- grep -q "^SETLOCALDEFS" /etc/selinux/config || echo -n "
-">> /etc/selinux/config
fi
exit 0
@@ -456,6 +454,20 @@ exit 0
%endif
%changelog
+* Mon Feb 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-80
+- Allow xdm to execute octave
+- Add label for var/run/lxdm.auth
+- Allow pppd sys_admin capability
+- Allow cups-pdf fowner capability
+- Fix path for cluster binaries
+- Fixes for pulseaudio
+- Add label for /var/webmin directory
+- Allow prelink execmod on files in home directory
+- Allow cups-config to read process state of all user domains.
+- Fixes for vmware policy
+- Fixes for lirc policy
+- Allow amavis to read utmp
+
* Fri Jan 29 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-79
- Fix rpm_dontaudit_leaks
- Fix typo in rgmanager.if