rpms/selinux-policy/F-12 policy-20100106.patch, 1.21, 1.22 selinux-policy.spec, 1.1008, 1.1009
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Feb 2 15:57:16 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv862
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Allow policykit-auth to set attributes on fonts cache directory
- Add label for RealPlayer plugins
- Add label for /usr/sbin/xrdp
- Allow chrome-sandbox to read gnome homedir content
- Allow rsyslogd to connect to MySQL using a unix domain stream socket
- Allow apache to list inotifyfs filesystem
- Add label for /dev/pps device
policy-20100106.patch:
modules/admin/prelink.te | 1
modules/admin/rpm.if | 20 +++---
modules/admin/smoltclient.te | 2
modules/admin/usermanage.te | 4 +
modules/apps/chrome.te | 3
modules/apps/gnome.fc | 8 ++
modules/apps/gnome.if | 81 ++++++++++++++++++++++----
modules/apps/gnome.te | 6 +
modules/apps/gpg.fc | 2
modules/apps/gpg.te | 5 -
modules/apps/mozilla.fc | 1
modules/apps/nsplugin.fc | 1
modules/apps/podsleuth.te | 1
modules/apps/pulseaudio.fc | 2
modules/apps/pulseaudio.if | 4 -
modules/apps/pulseaudio.te | 8 ++
modules/apps/sandbox.if | 50 +++++++++++++---
modules/apps/sandbox.te | 43 ++++++++-----
modules/apps/vmware.if | 18 +++++
modules/apps/vmware.te | 9 ++
modules/apps/wine.if | 4 +
modules/apps/wine.te | 14 ++++
modules/kernel/corenetwork.if.in | 18 +++++
modules/kernel/corenetwork.te.in | 4 -
modules/kernel/devices.fc | 3
modules/kernel/devices.if | 36 +++++++++++
modules/kernel/devices.te | 12 +++
modules/kernel/files.if | 20 ++++++
modules/kernel/filesystem.if | 20 ++++++
modules/roles/unconfineduser.fc | 5 +
modules/roles/unconfineduser.te | 2
modules/roles/xguest.te | 2
modules/services/abrt.if | 5 +
modules/services/abrt.te | 4 +
modules/services/afs.te | 6 +
modules/services/amavis.te | 1
modules/services/apache.fc | 1
modules/services/apache.if | 27 ++++++++
modules/services/apache.te | 8 ++
modules/services/apcupsd.te | 2
modules/services/arpwatch.te | 1
modules/services/avahi.fc | 2
modules/services/cron.te | 4 +
modules/services/cups.te | 6 +
modules/services/dovecot.te | 5 +
modules/services/fail2ban.if | 18 +++++
modules/services/ftp.if | 37 ++++++++++++
modules/services/ftp.te | 114 +++++++++++++++++++++++++++++++++++++
modules/services/git.fc | 3
modules/services/git.if | 8 +-
modules/services/git.te | 5 +
modules/services/kerberos.if | 2
modules/services/ldap.fc | 6 +
modules/services/ldap.te | 7 ++
modules/services/lircd.te | 7 +-
modules/services/mailman.te | 1
modules/services/memcached.te | 14 +++-
modules/services/mta.te | 1
modules/services/mysql.te | 2
modules/services/nagios.fc | 40 ++++++++++++
modules/services/nagios.te | 7 ++
modules/services/networkmanager.fc | 1
modules/services/networkmanager.te | 1
modules/services/nis.fc | 5 +
modules/services/nis.te | 6 +
modules/services/nx.if | 18 +++++
modules/services/openvpn.te | 4 +
modules/services/plymouth.te | 28 +++++----
modules/services/policykit.te | 8 ++
modules/services/postfix.te | 5 +
modules/services/ppp.fc | 2
modules/services/ppp.te | 6 +
modules/services/prelude.te | 2
modules/services/rgmanager.if | 2
modules/services/rhcs.fc | 8 +-
modules/services/samba.te | 7 +-
modules/services/sendmail.te | 2
modules/services/snmp.te | 4 -
modules/services/snort.te | 1
modules/services/spamassassin.if | 18 +++++
modules/services/ssh.te | 80 +------------------------
modules/services/sssd.fc | 2
modules/services/sssd.if | 85 ++++++++++++++++-----------
modules/services/sssd.te | 14 +++-
modules/services/tftp.te | 1
modules/services/tgtd.te | 1
modules/services/virt.te | 5 +
modules/services/xserver.fc | 6 +
modules/services/xserver.te | 14 ++++
modules/system/fstools.fc | 1
modules/system/hostname.te | 3
modules/system/hotplug.te | 4 +
modules/system/init.if | 22 +++++++
modules/system/init.te | 5 +
modules/system/ipsec.te | 2
modules/system/iptables.te | 2
modules/system/iscsi.fc | 3
modules/system/iscsi.te | 10 +++
modules/system/libraries.fc | 14 +++-
modules/system/locallogin.te | 5 +
modules/system/logging.fc | 2
modules/system/logging.te | 4 +
modules/system/miscfiles.if | 37 ++++++++++++
modules/system/mount.te | 5 +
modules/system/selinuxutil.te | 1
modules/system/sysnetwork.te | 1
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 +++++
modules/system/xen.te | 7 ++
support/obj_perm_sets.spt | 3
users | 2
112 files changed, 1019 insertions(+), 224 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -p -r1.21 -r1.22
--- policy-20100106.patch 1 Feb 2010 20:22:44 -0000 1.21
+++ policy-20100106.patch 2 Feb 2010 15:57:16 -0000 1.22
@@ -71,6 +71,19 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Crack local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te
+--- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-02-02 14:30:20.961067885 +0100
+@@ -59,7 +59,8 @@
+ miscfiles_read_fonts(chrome_sandbox_t)
+
+ optional_policy(`
+- gnome_write_inherited_config(chrome_sandbox_t)
++ gnome_rw_inherited_config(chrome_sandbox_t)
++ gnome_list_home_config(chrome_sandbox_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-01-21 18:31:02.867611919 +0100
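Review bot: The new `gnome_rw_inherited_config(chrome_sandbox_t)` call replaces `gnome_write_inherited_config`, yet the gnome.if hunk at `@@ -137,10 +206,28 @@` defines the new interface with the very same rule the existing one already carries, `allow $1 gnome_home_type:file rw_inherited_file_perms;`, so the two macros are duplicates. Either keep the original call here or drop the new interface and rename the existing one in one step, so callers are not split across two identical macros. The changelog entry "Allow chrome-sandbox to read gnome homedir content" also overstates `gnome_list_home_config`, which grants only `list_dir_perms` on `config_home_t` directories and no access to the files inside.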
@@ -91,8 +104,33 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-01-18 18:24:22.595534558 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-01-21 18:31:10.642612238 +0100
-@@ -84,12 +84,12 @@
++++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-02-02 15:10:12.321068500 +0100
+@@ -72,6 +72,24 @@
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+ ')
+
++#######################################
++## <summary>
++## Dontaudit search gnome homedir content (.config)
++## </summary>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++#
++interface(`gnome_dontaudit_search_config',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ dontaudit $1 gnome_home_type:dir search_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## manage gnome homedir content (.config)
+@@ -84,12 +102,12 @@
#
interface(`gnome_manage_config',`
gen_require(`
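Review bot: The comment banner above the new `gnome_dontaudit_search_config` interface appears one `#` shorter than the existing banners in this file (compare the `########################################` line a few lines further down); the same short banner is used for `gnome_list_home_config`, `gnome_rw_inherited_config`, `corenet_dontaudit_rw_tun_tap_dev` and `init_dontaudit_script_leaks` in the later hunks. Matching the file's banner width keeps the interface headers uniform. The parameter is named `user_domain` here while the neighbouring new `gnome_rw_inherited_config` uses `domain`; either is fine, but the additions in this commit should pick one.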
@@ -109,7 +147,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_search_user_home_dirs($1)
')
-@@ -129,12 +129,12 @@
+@@ -129,17 +147,17 @@
#
template(`gnome_read_config',`
gen_require(`
@@ -126,7 +164,38 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -255,11 +255,11 @@
+ ## <summary>
+-## read gconf config files
++## Read gconf config files
+ ## </summary>
+ ## <param name="userdomain_prefix">
+ ## <summary>
+@@ -238,6 +256,24 @@
+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
+ ')
+
++#######################################
++## <summary>
++## Read gnome homedir content (.config)
++## </summary>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++#
++template(`gnome_list_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ allow $1 config_home_t:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Connect to gnome over an unix stream socket.
+@@ -255,11 +291,29 @@
#
interface(`gnome_stream_connect',`
gen_require(`
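Review bot: The summary of the new `gnome_list_home_config` macro says "Read gnome homedir content (.config)", but its only rule is `allow $1 config_home_t:dir list_dir_perms;`, which permits listing the directory and grants nothing on its files, so the generated documentation would promise more than the macro gives. Suggest `## List the gnome homedir config directory (.config)` so the doc matches the access. It is also declared with `template(` although it creates no per-user types; if gnome.if reserves `template` for that case (the `gnome_read_config` template above may be a legacy exception), `interface(` is the more accurate declaration — confirm against the rest of the file, which is outside this hunk.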
@@ -137,10 +206,28 @@ diff -b -B --ignore-all-space --exclude-
# Connect to pulseaudit server
- stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
++')
++
++#######################################
++## <summary>
++## Read/Write all inherited gnome home config
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_rw_inherited_config',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ allow $1 gnome_home_type:file rw_inherited_file_perms;
')
########################################
-@@ -274,8 +274,8 @@
+@@ -274,8 +328,9 @@
#
interface(`gnome_write_inherited_config',`
gen_require(`
@@ -151,6 +238,7 @@ diff -b -B --ignore-all-space --exclude-
- allow $1 gnome_home_t:file rw_inherited_file_perms;
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2010-01-18 18:24:22.596529936 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2010-01-21 18:31:15.086614286 +0100
@@ -621,6 +709,34 @@ diff -b -B --ignore-all-space --exclude-
domain_mmap_low_type(wine_t)
tunable_policy(`mmap_low_allowed',`
domain_mmap_low(wine_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in 2010-02-02 15:20:43.717067439 +0100
+@@ -1703,6 +1703,24 @@
+ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+ ')
+
++#######################################
++## <summary>
++## dontaudit Read and write the TUN/TAP virtual network device.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corenet_dontaudit_rw_tun_tap_dev',`
++ gen_require(`
++ type tun_tap_device_t;
++ ')
++
++ dontaudit $1 tun_tap_device_t:chr_file { read write };
++')
++
+ ########################################
+ ## <summary>
+ ## Getattr the point-to-point device.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:10:56.565608631 +0100
@@ -791,13 +907,16 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-01-18 18:27:02.752530994 +0100
-@@ -2,7 +2,7 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-02-02 10:47:12.668175161 +0100
+@@ -2,7 +2,10 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++
/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
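Review bot: `/usr/sbin/xrdp` and `/usr/sbin/xrdp-sesman` are labelled `unconfined_exec_t`, which, per the comment three lines above about initrc transitioning to unconfined_t, makes a network-facing remote-desktop daemon run with no SELinux confinement, while the changelog line "Add label for /usr/sbin/xrdp" does not record that choice. A one-line comment next to these entries, e.g. `# xrdp runs unconfined until a dedicated domain exists`, would make the decision visible to whoever next touches the labelling. That xrdp is started through initrc on this release is inferred from the surrounding comment, not shown by the hunk. The extra blank line added after the xrdp entries is noise.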
@@ -975,7 +1094,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to read and write Apache
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-01-26 15:36:27.882713495 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-02 14:56:02.348068014 +0100
@@ -309,7 +309,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -985,7 +1104,15 @@ diff -b -B --ignore-all-space --exclude-
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -612,6 +612,11 @@
+@@ -400,6 +400,7 @@
+ dev_rw_crypto(httpd_t)
+
+ fs_getattr_all_fs(httpd_t)
++fs_list_inotifyfs(httpd_t)
+ fs_search_auto_mountpoints(httpd_t)
+ fs_read_iso9660_files(httpd_t)
+
+@@ -612,6 +613,11 @@
avahi_dbus_chat(httpd_t)
')
')
@@ -1531,6 +1658,17 @@ diff -b -B --ignore-all-space --exclude-
+term_dontaudit_use_all_user_ptys(memcached_t)
+term_dontaudit_use_all_user_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te
+--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-18 18:24:22.813543710 +0100
++++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-02-02 10:43:31.244162625 +0100
+@@ -132,6 +132,7 @@
+
+ optional_policy(`
+ fail2ban_append_log(system_mail_t)
++ fail2ban_dontaudit_leaks(system_mail_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-01-26 14:38:16.349463228 +0100
@@ -1797,7 +1935,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(plymouth_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-02-01 20:36:15.743410648 +0100
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-02-02 15:30:16.529067989 +0100
@@ -89,6 +89,10 @@
')
')
@@ -1818,6 +1956,16 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
files_search_home(policykit_auth_t)
+@@ -129,7 +135,9 @@
+
+ miscfiles_read_localization(policykit_auth_t)
+ miscfiles_read_fonts(policykit_auth_t)
++miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
+
++userdom_read_admin_home_files(policykit_auth_t)
+ userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100
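Review bot: `userdom_read_admin_home_files(policykit_auth_t)` grants the polkit authentication agent read access to files under the admin home directory, but the changelog records only the fonts-cache `setattr`; this is a permission widening that deserves its own changelog line and a comment naming the denial it resolves. Sitting next to `userdom_dontaudit_read_user_home_content_files` (silence for user homes, allow for the admin home), the asymmetry suggests a specific scenario — note it, e.g. `# polkit-auth reads admin home content when started from a root session; see <BUG-ID placeholder>`. The block of policykit_auth_t rules continues outside this hunk.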
@@ -2630,6 +2778,35 @@ diff -b -B --ignore-all-space --exclude-
consoletype_exec(hotplug_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-02-02 15:33:20.194067768 +0100
+@@ -1686,3 +1686,25 @@
+ allow $1 initrc_t:sem rw_sem_perms;
+ ')
+
++#######################################
++## <summary>
++## Dontaudit read and write an leaked init scrip file descriptors
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`init_dontaudit_script_leaks',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ dontaudit $1 initrc_t:tcp_socket { read write };
++ dontaudit $1 initrc_t:unix_dgram_socket { read write };
++ dontaudit $1 initrc_t:unix_stream_socket { read write };
++ dontaudit $1 initrc_t:shm rw_shm_perms;
++ init_dontaudit_use_script_ptys($1)
++ init_dontaudit_use_script_fds($1)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100
+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-18 18:27:02.782531248 +0100
@@ -2664,19 +2841,51 @@ diff -b -B --ignore-all-space --exclude-
allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
+--- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-18 18:24:22.941530168 +0100
++++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-02 15:25:03.135335306 +0100
+@@ -52,6 +52,7 @@
+ kernel_use_fds(iptables_t)
+
+ corenet_relabelto_all_packets(iptables_t)
++corenet_dontaudit_rw_tun_tap_dev(iptables_t)
+
+ dev_read_sysfs(iptables_t)
+
+@@ -71,6 +72,7 @@
+
+ auth_use_nsswitch(iptables_t)
+
++init_dontaudit_script_leaks(iptables_t)
+ init_use_fds(iptables_t)
+ init_use_script_ptys(iptables_t)
+ # to allow rules to be saved on reboot:
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-18 18:27:02.783531305 +0100
-@@ -1,3 +1,5 @@
++++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-02-02 15:17:13.812067843 +0100
+@@ -1,5 +1,8 @@
+
-+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
++/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
++/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
+ /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+ /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-18 18:24:22.943530492 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-01-18 18:27:02.783531305 +0100
-@@ -35,10 +35,13 @@
++++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-02-02 15:08:50.761068281 +0100
+@@ -14,6 +14,9 @@
+ type iscsi_lock_t;
+ files_lock_file(iscsi_lock_t)
+
++type iscsi_log_t;
++logging_log_file(iscsi_log_t)
++
+ type iscsi_tmp_t;
+ files_tmp_file(iscsi_tmp_t)
+
+@@ -35,10 +38,13 @@
allow iscsid_t self:unix_dgram_socket create_socket_perms;
allow iscsid_t self:sem create_sem_perms;
allow iscsid_t self:shm create_shm_perms;
@@ -2690,7 +2899,17 @@ diff -b -B --ignore-all-space --exclude-
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
-@@ -67,6 +70,7 @@
+@@ -51,6 +57,9 @@
+ read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+ files_search_var_lib(iscsid_t)
+
++manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
++logging_log_filetrans(iscsid_t, iscsi_log_t, file)
++
+ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
+ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+
+@@ -67,6 +76,7 @@
corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
@@ -2700,7 +2919,7 @@ diff -b -B --ignore-all-space --exclude-
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-27 14:59:22.372614529 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-02 10:45:09.949162869 +0100
@@ -245,8 +245,12 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -2725,14 +2944,13 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -433,8 +435,17 @@
+@@ -433,8 +435,16 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/real/RealPlayer/plugins/theorarend\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/real/RealPlayer/plugins/oggfformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/real/RealPlayer/plugins/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
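Review bot: Replacing the two named RealPlayer plugins with `/opt/real/RealPlayer/plugins/.*\.so(\.[^/]*)*` labels every shared object in that directory `textrel_shlib_t`, so any library placed there is permitted text relocations (execmod). That is a deliberate widening; if all RealPlayer plugins are built that way it is the right call, but a short comment above the entry such as `# RealPlayer plugins are all built with text relocations` would record why the blanket pattern replaced the per-file ones. The pattern itself follows the `libmpg123` form used earlier in this file.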
@@ -2774,6 +2992,20 @@ diff -b -B --ignore-all-space --exclude-
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te 2010-01-18 18:24:22.951535142 +0100
++++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-02 14:39:43.439068166 +0100
+@@ -489,6 +489,10 @@
+ ')
+
+ optional_policy(`
++ mysql_stream_connect(syslogd_t)
++')
++
++optional_policy(`
+ postgresql_stream_connect(syslogd_t)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1008
retrieving revision 1.1009
diff -u -p -r1.1008 -r1.1009
--- selinux-policy.spec 1 Feb 2010 20:22:44 -0000 1.1008
+++ selinux-policy.spec 2 Feb 2010 15:57:16 -0000 1.1009
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 80%{?dist}
+Release: 81%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -454,6 +454,15 @@ exit 0
%endif
%changelog
+* Tue Feb 2 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-81
+- Allow policykit-auth to set attributes on fonts cache directory
+- Add label for RealPlayer plugins
+- Add label for /usr/sbin/xrdp
+- Allow chrome-sandbox to read gnome homedir content
+- Allow rsyslogd to connect to MySQL using a unix domain stream socket
+- Allow apache to list inotifyfs filesystem
+- Add label for /dev/pps device
+
* Mon Feb 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-80
- Allow xdm to execute octave
- Add label for var/run/lxdm.auth