rpms/selinux-policy/F-12 modules-minimum.conf, 1.48, 1.49 modules-mls.conf, 1.63, 1.64 modules-targeted.conf, 1.157, 1.158 policy-20100106.patch, 1.23, 1.24 selinux-policy.spec, 1.1010, 1.1011
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Feb 3 22:22:08 UTC 2010
- Previous message: rpms/translate-toolkit/F-12 translate-toolkit-1.5.3-stoplist.patch, NONE, 1.1 .cvsignore, 1.22, 1.23 sources, 1.23, 1.24 translate-toolkit.spec, 1.41, 1.42 translate-toolkit-1.2.1-stoplist.patch, 1.1, NONE
- Next message: rpms/selinux-policy/F-12 policy-20100106.patch,1.24,1.25
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30313
Modified Files:
modules-minimum.conf modules-mls.conf modules-targeted.conf
policy-20100106.patch selinux-policy.spec
Log Message:
- Add label for /root/.Xdefaults
- Allow xauth to read symbolic links on a NFS filesystem
- Add label for /var/run/slim.lock
- Add mcelog policy
Index: modules-minimum.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/modules-minimum.conf,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -p -r1.48 -r1.49
--- modules-minimum.conf 2 Feb 2010 18:31:24 -0000 1.48
+++ modules-minimum.conf 3 Feb 2010 22:22:08 -0000 1.49
@@ -884,6 +884,13 @@ lvm = base
#
mailman = module
+# Layer: admin
+# Module: mcelog
+#
+# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines.
+#
+mcelog = base
+
# Layer: kernel
# Module: mcs
# Required in base
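Review bot: for the minimum policy a brand-new domain that is still declared `permissive` in its .te (see the mcelog.te hunk further down) is better shipped as `module` than `base`: as `base` it cannot be disabled or removed with semodule while it is being tuned, and nothing else in the minimum policy depends on it. The same choice should be reconsidered in the targeted variant below.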
Index: modules-mls.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/modules-mls.conf,v
retrieving revision 1.63
retrieving revision 1.64
diff -u -p -r1.63 -r1.64
--- modules-mls.conf 9 Dec 2009 19:53:38 -0000 1.63
+++ modules-mls.conf 3 Feb 2010 22:22:08 -0000 1.64
@@ -785,6 +785,13 @@ lpd = module
#
lvm = base
+# Layer: admin
+# Module: mcelog
+#
+# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines.
+#
+mcelog = base
+
# Layer: services
# Module: mailman
#
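Review bot: the new block is inserted between `lvm` and `mailman`, which breaks the alphabetical order this file otherwise keeps (lvm, mailman, mcelog, mcs); in modules-minimum.conf and modules-targeted.conf the same block correctly lands after `mailman`. Move it below the mailman entry so the three files stay in sync.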
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/modules-targeted.conf,v
retrieving revision 1.157
retrieving revision 1.158
diff -u -p -r1.157 -r1.158
--- modules-targeted.conf 2 Feb 2010 18:31:24 -0000 1.157
+++ modules-targeted.conf 3 Feb 2010 22:22:08 -0000 1.158
@@ -884,6 +884,13 @@ lvm = base
#
mailman = module
+# Layer: admin
+# Module: mcelog
+#
+# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines.
+#
+mcelog = base
+
# Layer: kernel
# Module: mcs
# Required in base
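Review bot: the description says mcelog is "a daemon", but the mcelog.te added in the policy patch below only declares `application_domain(mcelog_t, mcelog_exec_t)` and `cron_system_entry(...)`, with no `init_daemon_domain` or initrc type, so in this policy it is only ever entered from system cron jobs, not run as a service. Either reword the comment to match, or add the daemon entry point if the package ships an init script.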
policy-20100106.patch:
modules/admin/dmesg.fc | 1
modules/admin/mcelog.fc | 2
modules/admin/mcelog.if | 20 ++++++
modules/admin/mcelog.te | 30 +++++++++
modules/admin/prelink.te | 1
modules/admin/rpm.if | 20 +++---
modules/admin/smoltclient.te | 2
modules/admin/usermanage.te | 4 +
modules/apps/chrome.te | 3
modules/apps/firewallgui.te | 4 +
modules/apps/gnome.fc | 9 ++
modules/apps/gnome.if | 81 ++++++++++++++++++++++----
modules/apps/gnome.te | 8 +-
modules/apps/gpg.fc | 2
modules/apps/gpg.te | 5 -
modules/apps/mozilla.fc | 1
modules/apps/nsplugin.fc | 1
modules/apps/podsleuth.te | 1
modules/apps/pulseaudio.fc | 2
modules/apps/pulseaudio.if | 4 -
modules/apps/pulseaudio.te | 8 ++
modules/apps/sandbox.if | 50 +++++++++++++---
modules/apps/sandbox.te | 43 ++++++++-----
modules/apps/vmware.if | 18 +++++
modules/apps/vmware.te | 9 ++
modules/apps/wine.if | 4 +
modules/apps/wine.te | 14 ++++
modules/kernel/corenetwork.if.in | 18 +++++
modules/kernel/corenetwork.te.in | 4 -
modules/kernel/devices.fc | 4 +
modules/kernel/devices.if | 36 +++++++++++
modules/kernel/devices.te | 12 +++
modules/kernel/files.if | 20 ++++++
modules/kernel/filesystem.if | 20 ++++++
modules/roles/unconfineduser.fc | 5 +
modules/roles/unconfineduser.te | 2
modules/roles/xguest.te | 2
modules/services/abrt.if | 5 +
modules/services/abrt.te | 11 +++
modules/services/afs.te | 6 +
modules/services/amavis.te | 1
modules/services/apache.fc | 1
modules/services/apache.if | 27 ++++++++
modules/services/apache.te | 12 ++-
modules/services/apcupsd.te | 2
modules/services/arpwatch.te | 1
modules/services/avahi.fc | 2
modules/services/chronyd.fc | 2
modules/services/chronyd.te | 15 +++-
modules/services/cron.te | 4 +
modules/services/cups.te | 6 +
modules/services/dovecot.te | 5 +
modules/services/fail2ban.if | 18 +++++
modules/services/ftp.if | 37 ++++++++++++
modules/services/ftp.te | 114 +++++++++++++++++++++++++++++++++++++
modules/services/git.fc | 3
modules/services/git.if | 8 +-
modules/services/git.te | 5 +
modules/services/kerberos.if | 2
modules/services/ldap.fc | 6 +
modules/services/ldap.te | 7 ++
modules/services/lircd.te | 7 +-
modules/services/mailman.te | 1
modules/services/memcached.te | 14 +++-
modules/services/mta.te | 1
modules/services/mysql.te | 2
modules/services/nagios.fc | 40 ++++++++++++
modules/services/nagios.te | 7 ++
modules/services/networkmanager.fc | 1
modules/services/networkmanager.te | 1
modules/services/nis.fc | 5 +
modules/services/nis.te | 6 +
modules/services/nx.if | 18 +++++
modules/services/openvpn.te | 4 +
modules/services/plymouth.te | 28 +++++----
modules/services/policykit.te | 8 ++
modules/services/postfix.te | 5 +
modules/services/ppp.fc | 2
modules/services/ppp.te | 6 +
modules/services/prelude.te | 2
modules/services/rgmanager.if | 2
modules/services/rhcs.fc | 8 +-
modules/services/samba.te | 7 +-
modules/services/sendmail.te | 2
modules/services/setroubleshoot.te | 4 +
modules/services/snmp.te | 4 -
modules/services/snort.te | 1
modules/services/spamassassin.if | 18 +++++
modules/services/ssh.te | 80 +------------------------
modules/services/sssd.fc | 2
modules/services/sssd.if | 85 ++++++++++++++++-----------
modules/services/sssd.te | 14 +++-
modules/services/tftp.te | 1
modules/services/tgtd.te | 1
modules/services/tuned.fc | 3
modules/services/tuned.te | 9 ++
modules/services/usbmuxd.fc | 6 +
modules/services/usbmuxd.if | 64 ++++++++++++++++++++
modules/services/usbmuxd.te | 44 ++++++++++++++
modules/services/virt.te | 5 +
modules/services/xserver.fc | 7 ++
modules/services/xserver.te | 15 ++++
modules/system/application.te | 4 +
modules/system/fstools.fc | 1
modules/system/hostname.te | 3
modules/system/hotplug.te | 4 +
modules/system/init.if | 29 +++++++++
modules/system/init.te | 6 +
modules/system/ipsec.te | 2
modules/system/iptables.te | 2
modules/system/iscsi.fc | 3
modules/system/iscsi.te | 10 +++
modules/system/libraries.fc | 14 +++-
modules/system/locallogin.te | 5 +
modules/system/logging.fc | 2
modules/system/logging.te | 4 +
modules/system/miscfiles.if | 37 ++++++++++++
modules/system/mount.te | 11 +++
modules/system/selinuxutil.te | 1
modules/system/sysnetwork.te | 1
modules/system/udev.te | 4 +
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 +++++
modules/system/xen.te | 7 ++
support/obj_perm_sets.spt | 3
users | 2
127 files changed, 1254 insertions(+), 232 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -p -r1.23 -r1.24
--- policy-20100106.patch 2 Feb 2010 18:31:24 -0000 1.23
+++ policy-20100106.patch 3 Feb 2010 22:22:08 -0000 1.24
@@ -1,3 +1,75 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.32/policy/modules/admin/dmesg.fc
+--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2010-01-18 18:24:22.545542516 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/dmesg.fc 2010-02-03 20:56:22.897834567 +0100
+@@ -1,4 +1,3 @@
+
+ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+
+-/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.6.32/policy/modules/admin/mcelog.fc
+--- nsaserefpolicy/policy/modules/admin/mcelog.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/mcelog.fc 2010-02-03 17:54:52.841394806 +0100
+@@ -0,0 +1,2 @@
++
++/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.6.32/policy/modules/admin/mcelog.if
+--- nsaserefpolicy/policy/modules/admin/mcelog.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/mcelog.if 2010-02-03 17:55:31.442144688 +0100
+@@ -0,0 +1,20 @@
++
++## <summary>policy for mcelog</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run mcelog.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mcelog_domtrans',`
++ gen_require(`
++ type mcelog_t, mcelog_exec_t;
++ ')
++
++ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.6.32/policy/modules/admin/mcelog.te
+--- nsaserefpolicy/policy/modules/admin/mcelog.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/mcelog.te 2010-02-03 17:55:20.114145133 +0100
+@@ -0,0 +1,30 @@
++
++policy_module(mcelog,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mcelog_t;
++type mcelog_exec_t;
++application_domain(mcelog_t, mcelog_exec_t)
++cron_system_entry(mcelog_t, mcelog_exec_t)
++
++permissive mcelog_t;
++
++########################################
++#
++# mcelog local policy
++#
++
++kernel_read_system_state(mcelog_t)
++
++dev_read_raw_memory(mcelog_t)
++dev_read_kmsg(mcelog_t)
++
++files_read_etc_files(mcelog_t)
++
++miscfiles_read_localization(mcelog_t)
++
++logging_send_syslog_msg(mcelog_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-01-18 18:24:22.564530406 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2010-02-01 20:30:49.318160848 +0100
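Review bot: `dev_read_raw_memory(mcelog_t)` in the new mcelog.te grants read access to everything labelled `memory_device_t`, which in the base devices module includes /dev/mem and /dev/kmem, far more than a machine-check log collector needs; if /dev/mcelog carries that label today, a dedicated device type plus a narrow interface would be the least-privilege fix. The domain is also declared `permissive mcelog_t;`, so none of these rules (nor the missing ones) are enforced yet; plan an audit2allow pass and drop the permissive line before calling the module done. Minor: mcelog.fc and mcelog.te both start with a blank line, which the other admin modules do not.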
@@ -100,8 +172,8 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-01-21 18:31:02.867611919 +0100
-@@ -3,6 +3,14 @@
++++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-02-03 10:39:06.085145272 +0100
+@@ -3,6 +3,15 @@
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
@@ -113,19 +185,20 @@ diff -b -B --ignore-all-space --exclude-
+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++/root/\.Xdefaults -- gen_context(system_u:object_r:gnome_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-01-18 18:24:22.595534558 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-02-02 15:10:12.321068500 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-02-03 22:59:15.907072357 +0100
@@ -72,6 +72,24 @@
domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
+#######################################
+## <summary>
-+## Dontaudit search gnome homedir content (.config)
++## Dontaudit search gnome homedir content
+## </summary>
+## <param name="user_domain">
+## <summary>
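Review bot: the new `/root/\.Xdefaults -- ...gnome_home_t` entry labels only root's copy; the HOME_DIR entries visible at the top of this hunk have no matching `HOME_DIR/\.Xdefaults` line, so ordinary users' .Xdefaults stay `user_home_t`. If the goal is letting the display manager or xauth read the file at login, check whether the non-root case needs the same label, otherwise say in the changelog that this is root-only.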
@@ -190,7 +263,7 @@ diff -b -B --ignore-all-space --exclude-
+#######################################
+## <summary>
-+## Read gnome homedir content (.config)
++## Read gnome homedir content
+## </summary>
+## <param name="user_domain">
+## <summary>
@@ -200,10 +273,10 @@ diff -b -B --ignore-all-space --exclude-
+#
+template(`gnome_list_home_config',`
+ gen_require(`
-+ type config_home_t;
++ type gnome_home_t;
+ ')
+
-+ allow $1 config_home_t:dir list_dir_perms;
++ allow $1 gnome_home_t:dir list_dir_perms;
+')
+
########################################
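Review bot: `gnome_list_home_config` grants only `gnome_home_t:dir list_dir_perms`, but the XML summary edited in the hunk just above reads "Read gnome homedir content", which promises file reads it does not give. Make the summary say "List gnome homedir content", and since the type switched from `config_home_t` to `gnome_home_t`, confirm no other interface in the file still names `config_home_t`.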
@@ -255,8 +328,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2010-01-18 18:24:22.596529936 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2010-01-21 18:31:15.086614286 +0100
-@@ -7,6 +7,7 @@
++++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2010-02-03 22:11:10.235822052 +0100
+@@ -7,11 +7,12 @@
#
attribute gnomedomain;
@@ -264,6 +337,12 @@ diff -b -B --ignore-all-space --exclude-
type gconf_etc_t;
files_config_file(gconf_etc_t)
+
+-type gconf_home_t;
++type gconf_home_t, gnome_home_type;
+ typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
+ typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+ typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -31,12 +32,15 @@
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)
@@ -983,7 +1062,7 @@ diff -b -B --ignore-all-space --exclude-
######################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-27 15:33:53.900626544 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-02-03 15:45:55.176148406 +0100
@@ -96,6 +96,7 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
@@ -992,7 +1071,21 @@ diff -b -B --ignore-all-space --exclude-
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_memory_dev(abrt_t)
-@@ -200,10 +201,13 @@
+@@ -176,6 +177,13 @@
+ sssd_stream_connect(abrt_t)
+ ')
+
++ifdef(`hide_broken_symptoms', `
++ gen_require(`
++ attribute domain;
++ ')
++ allow abrt_t domain:file write;
++')
++
+ permissive abrt_t;
+
+ ########################################
+@@ -200,10 +208,13 @@
files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)
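Review bot: `allow abrt_t domain:file write;` is very broad: `domain` is the attribute of every process type, and the `file` objects labelled with a process type are the /proc/&lt;pid&gt;/ entries of every running process, so this lets abrt write into any process's proc files system-wide. The `hide_broken_symptoms` wrapper suggests the intent is to stop a spurious denial, in which case `dontaudit abrt_t domain:file write;` is the right tool; if abrt really needs to write one specific /proc file, name that target instead of the whole attribute.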
@@ -1116,7 +1209,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to read and write Apache
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-02 14:56:02.348068014 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-03 20:16:18.858822145 +0100
@@ -309,7 +309,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -1126,6 +1219,19 @@ diff -b -B --ignore-all-space --exclude-
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
+@@ -363,10 +363,10 @@
+ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+ files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
+
+-setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
++manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+ manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+ manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+-files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
++files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
+
+ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -400,6 +400,7 @@
dev_rw_crypto(httpd_t)
@@ -1229,13 +1335,13 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-01-29 09:59:49.239614360 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-02-03 21:39:39.157822554 +0100
@@ -323,6 +323,10 @@
udev_read_db(crond_t)
')
+optional_policy(`
-+ mta_system_content(cron_var_run_t)
++ mta_system_content(crond_var_run_t)
+')
+
########################################
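Review bot: good catch on the type name: `crond_var_run_t` is the pid-file type that cron.te declares, and `cron_var_run_t` did not exist, so the previous revision would have failed at policy build time even though the block sits inside `optional_policy` (an undefined type passed to an interface is a hard error, not a silently disabled optional block).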
@@ -2202,6 +2308,20 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-01-18 18:24:22.891530024 +0100
++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2010-02-03 22:59:41.283821731 +0100
+@@ -177,6 +177,10 @@
+ userdom_signull_unpriv_users(setroubleshoot_fixit_t)
+
+ optional_policy(`
++ gnome_dontaudit_search_config(setroubleshoot_fixit_t)
++')
++
++optional_policy(`
+ rpm_signull(setroubleshoot_fixit_t)
+ rpm_read_db(setroubleshoot_fixit_t)
+ rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100
+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-19 14:20:15.303858953 +0100
@@ -2676,10 +2796,42 @@ diff -b -B --ignore-all-space --exclude-
logging_send_syslog_msg(tgtd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.6.32/policy/modules/services/tuned.fc
+--- nsaserefpolicy/policy/modules/services/tuned.fc 2010-01-18 18:24:22.907534364 +0100
++++ serefpolicy-3.6.32/policy/modules/services/tuned.fc 2010-02-03 17:28:43.165143461 +0100
+@@ -3,4 +3,7 @@
+
+ /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
++/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
++/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
++
+ /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2010-01-18 18:24:22.909530847 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-02 19:06:55.670067778 +0100
-@@ -36,7 +36,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-03 17:35:32.298159249 +0100
+@@ -13,6 +13,9 @@
+ type tuned_initrc_exec_t;
+ init_script_file(tuned_initrc_exec_t)
+
++type tuned_log_t;
++logging_log_file(tuned_log_t)
++
+ type tuned_var_run_t;
+ files_pid_file(tuned_var_run_t)
+
+@@ -26,6 +29,10 @@
+ dontaudit tuned_t self:capability { dac_override sys_tty_config };
+ allow tuned_t self:fifo_file rw_fifo_file_perms;
+
++manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
++manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
++logging_log_filetrans(tuned_t, tuned_log_t, file)
++
+ manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+ files_pid_filetrans(tuned_t, tuned_var_run_t, { file })
+
+@@ -36,7 +43,7 @@
kernel_read_system_state(tuned_t)
dev_read_sysfs(tuned_t)
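Review bot: tuned.fc now labels the directory pattern `/var/log/tuned(/.*)?` as `tuned_log_t` and tuned.te grants `manage_dirs_pattern` on it, but the transition rule is `logging_log_filetrans(tuned_t, tuned_log_t, file)` only, so if tuned creates /var/log/tuned itself the directory will come up as `var_log_t` and only restorecon will fix it. Use `logging_log_filetrans(tuned_t, tuned_log_t, { file dir })` to match the file context.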
@@ -2768,7 +2920,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-02 18:58:37.916068136 +0100
++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-02 19:28:04.029318349 +0100
@@ -0,0 +1,44 @@
+
+policy_module(usbmuxd,1.0.0)
@@ -2793,7 +2945,7 @@ diff -b -B --ignore-all-space --exclude-
+#
+
+allow usbmuxd_t self:capability { kill setgid setuid };
-+allow usbmuxd_t self:process { fork signal signull };
++allow usbmuxd_t self:process { fork };
+
+# Init script handling
+domain_use_interactive_fds(usbmuxd_t)
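Review bot: trimming `self:process` to `{ fork }` is fine for least privilege, but the line above still keeps `self:capability { kill setgid setuid }`; the `kill` capability is only needed to signal processes owned by a different uid, and without `self:process signal` the daemon cannot even signal its own forked children. Check the audit log for whether `kill` is actually exercised after the privilege drop, and either restore `signal` or drop `kill` so the two rules tell a consistent story.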
@@ -2845,7 +2997,7 @@ diff -b -B --ignore-all-space --exclude-
dev_rw_kvm(virt_domain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-02-01 14:37:29.435332322 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-02-03 14:24:48.062145095 +0100
@@ -65,6 +65,8 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -2863,7 +3015,7 @@ diff -b -B --ignore-all-space --exclude-
/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
-@@ -116,6 +119,9 @@
+@@ -116,7 +119,11 @@
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -2871,11 +3023,13 @@ diff -b -B --ignore-all-space --exclude-
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+ /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-01 17:25:59.218331954 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-03 10:39:48.878145130 +0100
@@ -301,6 +301,9 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
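Review bot: the changelog says "Add label for /var/run/slim.lock", but the new entry is `/var/run/slim.* --`, with an unescaped dot, so it matches `/var/run/slim` followed by any characters (and it also duplicates the `/var/run/slim\.auth` line above it). Write it as `/var/run/slim\.lock --` or at least `/var/run/slim\..*`. The neighbouring `/var/run/lxdm(/*.)?` from the earlier revision also looks like a typo for `(/.*)?` and is worth fixing in the same pass.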
@@ -2886,7 +3040,7 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
-@@ -309,7 +312,10 @@
+@@ -309,8 +312,12 @@
files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
files_dontaudit_getattr_all_dirs(xauth_t)
@@ -2895,9 +3049,11 @@ diff -b -B --ignore-all-space --exclude-
+fs_dontaudit_leaks(xauth_t)
fs_getattr_all_fs(xauth_t)
++fs_read_nfs_symlinks(xauth_t)
fs_search_auto_mountpoints(xauth_t)
-@@ -506,6 +512,7 @@
+ # cjp: why?
+@@ -506,6 +513,7 @@
dev_dontaudit_rw_misc(xdm_t)
dev_getattr_video_dev(xdm_t)
dev_setattr_video_dev(xdm_t)
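Review bot: `fs_read_nfs_symlinks(xauth_t)` is added unconditionally, while the rest of the policy gates NFS home-directory access behind the `use_nfs_home_dirs` boolean. Wrap it in `tunable_policy(\`use_nfs_home_dirs\', \`...\')` so hosts that do not export home directories over NFS are not granted it, and check whether the same symlink access is needed for CIFS homes under `use_samba_home_dirs`.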
@@ -2905,7 +3061,7 @@ diff -b -B --ignore-all-space --exclude-
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
dev_read_sound(xdm_t)
-@@ -582,6 +589,7 @@
+@@ -582,6 +590,7 @@
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
userdom_stream_connect(xdm_t)
@@ -2913,7 +3069,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_manage_user_tmp_dirs(xdm_t)
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
-@@ -668,6 +676,7 @@
+@@ -668,6 +677,7 @@
optional_policy(`
gnome_read_gconf_config(xdm_t)
@@ -2921,7 +3077,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -675,6 +684,10 @@
+@@ -675,6 +685,10 @@
')
optional_policy(`
@@ -2932,7 +3088,7 @@ diff -b -B --ignore-all-space --exclude-
loadkeys_exec(xdm_t)
')
-@@ -712,6 +725,7 @@
+@@ -712,6 +726,7 @@
optional_policy(`
pulseaudio_exec(xdm_t)
pulseaudio_dbus_chat(xdm_t)
@@ -2940,6 +3096,20 @@ diff -b -B --ignore-all-space --exclude-
')
# On crash gdm execs gdb to dump stack
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te
+--- nsaserefpolicy/policy/modules/system/application.te 2010-01-18 18:24:22.925530368 +0100
++++ serefpolicy-3.6.32/policy/modules/system/application.te 2010-02-03 15:31:03.649144986 +0100
+@@ -15,6 +15,10 @@
+ files_dontaudit_search_all_dirs(application_domain_type)
+
+ optional_policy(`
++ afs_rw_udp_sockets(application_domain_type)
++')
++
++optional_policy(`
+ ssh_sigchld(application_domain_type)
+ ssh_rw_stream_sockets(application_domain_type)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2010-01-18 18:24:22.930540014 +0100
+++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2010-01-27 18:13:10.349614395 +0100
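Review bot: `afs_rw_udp_sockets(application_domain_type)` gives every application domain on the system read/write on AFS's UDP sockets whenever the afs module is loaded. If this is about leaked inherited descriptors (the pattern the `ssh_rw_stream_sockets` line right below follows), a dontaudit variant is the least-privilege choice; if a specific client really needs to talk to the AFS cache manager, grant it to that domain rather than to the whole attribute.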
@@ -2989,8 +3159,51 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-02-02 15:33:20.194067768 +0100
-@@ -1686,3 +1686,25 @@
++++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-02-03 22:20:50.365821844 +0100
+@@ -165,6 +165,7 @@
+ type init_t;
+ role system_r;
+ attribute daemon;
++ attribute initrc_transition_domain;
+ ')
+
+ typeattribute $1 daemon;
+@@ -180,6 +181,7 @@
+ # Handle upstart direct transition to a executable
+ domtrans_pattern(init_t,$2,$1)
+ allow init_t $1:process siginh;
++ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+
+ # daemons started from init will
+ # inherit fds from init for the console
+@@ -273,6 +275,7 @@
+ gen_require(`
+ type initrc_t;
+ role system_r;
++ attribute initrc_transition_domain;
+ ')
+
+ application_domain($1,$2)
+@@ -281,6 +284,7 @@
+
+ domtrans_pattern(initrc_t,$2,$1)
+ allow initrc_t $1:process siginh;
++ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+
+ ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+@@ -775,8 +779,10 @@
+ interface(`init_labeled_script_domtrans',`
+ gen_require(`
+ type initrc_t;
++ attribute initrc_transition_domain;
+ ')
+
++ typeattribute $1 initrc_transition_domain;
+ domtrans_pattern($1, $2, initrc_t)
+ files_search_etc($1)
+ ')
+@@ -1686,3 +1692,26 @@
allow $1 initrc_t:sem rw_sem_perms;
')
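Review bot: `init_labeled_script_domtrans` now silently does `typeattribute $1 initrc_transition_domain;`, which turns every caller of that interface into a fifo peer of every daemon and initrc domain via the two new `rw_inherited_fifo_file_perms` rules. That side effect is not visible from the interface name or its XML summary; document it in the `## <summary>` of `init_labeled_script_domtrans` so policy authors know the transition also changes the caller's attributes. The `rw_inherited` perms correctly exclude `open`, so this only covers pipes already inherited from the caller, which is the intended case.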
@@ -3010,6 +3223,7 @@ diff -b -B --ignore-all-space --exclude-
+ ')
+
+ dontaudit $1 initrc_t:tcp_socket { read write };
++ dontaudit $1 initrc_t:udp_socket { read write };
+ dontaudit $1 initrc_t:unix_dgram_socket { read write };
+ dontaudit $1 initrc_t:unix_stream_socket { read write };
+ dontaudit $1 initrc_t:shm rw_shm_perms;
@@ -3018,8 +3232,16 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-18 18:27:02.782531248 +0100
-@@ -212,6 +212,10 @@
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-03 22:20:55.858821762 +0100
+@@ -40,6 +40,7 @@
+ attribute init_script_domain_type;
+ attribute init_script_file_type;
+ attribute init_run_all_scripts_domain;
++attribute initrc_transition_domain;
+
+ # Mark process types as daemons
+ attribute daemon;
+@@ -212,6 +213,10 @@
')
optional_policy(`
@@ -3030,7 +3252,7 @@ diff -b -B --ignore-all-space --exclude-
# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
# the directory. But we do not want to allow this.
-@@ -872,6 +876,7 @@
+@@ -872,6 +877,7 @@
optional_policy(`
unconfined_domain(initrc_t)
@@ -3316,6 +3538,20 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_kernel_sysctls(dhcpc_t)
kernel_request_load_module(dhcpc_t)
kernel_use_fds(dhcpc_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
+--- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100
++++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-03 14:37:00.939144600 +0100
+@@ -273,6 +273,10 @@
+ ')
+
+ optional_policy(`
++ usbmuxd_domtrans(udev_t)
++')
++
++optional_policy(`
+ vbetool_domtrans(udev_t)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100
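Review bot: `usbmuxd_domtrans(udev_t)` means usbmuxd launched from a udev rule runs as `usbmuxd_t` under udev's `system_r` role; a `domtrans_pattern` alone does not grant the role, so confirm usbmuxd.te (only partly visible in this patch) declares `role system_r types usbmuxd_t`, typically via `init_daemon_domain`, otherwise the transition will fail on role check rather than on type enforcement.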
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1010
retrieving revision 1.1011
diff -u -p -r1.1010 -r1.1011
--- selinux-policy.spec 2 Feb 2010 18:31:25 -0000 1.1010
+++ selinux-policy.spec 3 Feb 2010 22:22:08 -0000 1.1011
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 81%{?dist}
+Release: 82%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -454,6 +454,12 @@ exit 0
%endif
%changelog
+* Wed Feb 3 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-82
+- Add label for /root/.Xdefaults
+- Allow xauth to read symbolic links on a NFS filesystem
+- Add label for /var/run/slim.lock
+- Add mcelog policy
+
* Tue Feb 2 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-81
- Allow policykit-auth to set attributes on fonts cache directory
- Add label for RealPlayer plugins