rpms/selinux-policy/F-12 policy-20100106.patch, 1.32, 1.33 selinux-policy.spec, 1.1017, 1.1018

Miroslav Grepl mgrepl at fedoraproject.org
Wed Feb 10 16:59:52 UTC 2010


Author: mgrepl

Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9757

Modified Files:
	policy-20100106.patch selinux-policy.spec 
Log Message:
- Fixes for ipsec policy
- Allow pppd to get attributes of the modem devices
- Add label for /usr/share/e16/misc directory



policy-20100106.patch:
 modules/admin/dmesg.fc             |    1 
 modules/admin/mcelog.fc            |    2 
 modules/admin/mcelog.if            |   20 +
 modules/admin/mcelog.te            |   31 ++
 modules/admin/prelink.te           |    1 
 modules/admin/readahead.te         |    2 
 modules/admin/rpm.if               |   20 -
 modules/admin/smoltclient.te       |    2 
 modules/admin/usermanage.te        |    6 
 modules/apps/cdrecord.te           |    2 
 modules/apps/chrome.te             |    3 
 modules/apps/firewallgui.te        |    4 
 modules/apps/gnome.fc              |    9 
 modules/apps/gnome.if              |   81 +++++-
 modules/apps/gnome.te              |    8 
 modules/apps/gpg.fc                |    2 
 modules/apps/gpg.te                |    5 
 modules/apps/kdumpgui.te           |    4 
 modules/apps/mozilla.fc            |    1 
 modules/apps/nsplugin.fc           |    1 
 modules/apps/podsleuth.te          |    1 
 modules/apps/pulseaudio.fc         |    2 
 modules/apps/pulseaudio.if         |    4 
 modules/apps/pulseaudio.te         |    8 
 modules/apps/sambagui.te           |    4 
 modules/apps/sandbox.if            |   50 +++
 modules/apps/sandbox.te            |   43 ++-
 modules/apps/vmware.if             |   18 +
 modules/apps/vmware.te             |    9 
 modules/apps/wine.if               |    4 
 modules/apps/wine.te               |   14 +
 modules/kernel/corecommands.fc     |    4 
 modules/kernel/corenetwork.if.in   |   18 +
 modules/kernel/corenetwork.te.in   |    4 
 modules/kernel/devices.fc          |    5 
 modules/kernel/devices.if          |  109 ++++++++
 modules/kernel/devices.te          |   18 +
 modules/kernel/files.if            |   20 +
 modules/kernel/filesystem.if       |   58 ++++
 modules/roles/unconfineduser.fc    |    5 
 modules/roles/unconfineduser.te    |    2 
 modules/roles/xguest.te            |    2 
 modules/services/abrt.if           |    5 
 modules/services/abrt.te           |   14 +
 modules/services/afs.te            |    6 
 modules/services/aisexec.te        |    8 
 modules/services/amavis.te         |    1 
 modules/services/apache.fc         |    5 
 modules/services/apache.if         |   27 ++
 modules/services/apache.te         |   12 
 modules/services/apcupsd.te        |    2 
 modules/services/arpwatch.te       |    1 
 modules/services/avahi.fc          |    2 
 modules/services/chronyd.fc        |    2 
 modules/services/chronyd.te        |   15 -
 modules/services/corosync.te       |    6 
 modules/services/cron.te           |    4 
 modules/services/cups.te           |    6 
 modules/services/dbus.if           |    2 
 modules/services/djbdns.if         |    2 
 modules/services/dovecot.te        |    6 
 modules/services/fail2ban.if       |   18 +
 modules/services/ftp.if            |   37 ++
 modules/services/ftp.te            |  114 +++++++++
 modules/services/git.fc            |   17 -
 modules/services/git.if            |  466 ++++++++++++++++++++++++++++---------
 modules/services/git.te            |  145 ++++++-----
 modules/services/kerberos.if       |    2 
 modules/services/ldap.fc           |    8 
 modules/services/ldap.te           |    7 
 modules/services/lircd.te          |    7 
 modules/services/mailman.te        |    1 
 modules/services/memcached.te      |   14 -
 modules/services/mta.if            |   19 +
 modules/services/mta.te            |    1 
 modules/services/munin.te          |    1 
 modules/services/mysql.te          |    4 
 modules/services/nagios.fc         |   42 +++
 modules/services/nagios.if         |    2 
 modules/services/nagios.te         |   47 +++
 modules/services/networkmanager.fc |    1 
 modules/services/networkmanager.te |    1 
 modules/services/nis.fc            |    5 
 modules/services/nis.te            |    6 
 modules/services/nx.if             |   18 +
 modules/services/openvpn.te        |    4 
 modules/services/plymouth.te       |   32 +-
 modules/services/policykit.te      |    8 
 modules/services/postfix.te        |    5 
 modules/services/ppp.fc            |    2 
 modules/services/ppp.te            |    7 
 modules/services/prelude.te        |    2 
 modules/services/rgmanager.if      |    2 
 modules/services/rgmanager.te      |   18 +
 modules/services/rhcs.fc           |    8 
 modules/services/rhcs.te           |   47 ++-
 modules/services/samba.te          |   13 -
 modules/services/sendmail.te       |    4 
 modules/services/setroubleshoot.te |    4 
 modules/services/snmp.te           |    4 
 modules/services/snort.te          |    1 
 modules/services/spamassassin.if   |   18 +
 modules/services/spamassassin.te   |    6 
 modules/services/ssh.te            |   80 ------
 modules/services/sssd.fc           |    2 
 modules/services/sssd.if           |   85 +++---
 modules/services/sssd.te           |   14 -
 modules/services/tftp.te           |    1 
 modules/services/tgtd.te           |    1 
 modules/services/tuned.fc          |    3 
 modules/services/tuned.te          |    9 
 modules/services/usbmuxd.fc        |    6 
 modules/services/usbmuxd.if        |   64 +++++
 modules/services/usbmuxd.te        |   44 +++
 modules/services/virt.te           |    5 
 modules/services/xserver.fc        |    7 
 modules/services/xserver.te        |   19 +
 modules/system/application.te      |   12 
 modules/system/daemontools.te      |   10 
 modules/system/fstools.fc          |    1 
 modules/system/hostname.te         |    3 
 modules/system/hotplug.te          |    4 
 modules/system/init.if             |   33 ++
 modules/system/init.te             |   25 +
 modules/system/ipsec.te            |   11 
 modules/system/iptables.if         |    7 
 modules/system/iptables.te         |    6 
 modules/system/iscsi.fc            |    3 
 modules/system/iscsi.te            |   10 
 modules/system/libraries.fc        |   16 +
 modules/system/locallogin.te       |    6 
 modules/system/logging.fc          |    2 
 modules/system/logging.if          |   18 +
 modules/system/logging.te          |    5 
 modules/system/miscfiles.if        |   37 ++
 modules/system/modutils.te         |    1 
 modules/system/mount.te            |   15 +
 modules/system/selinuxutil.te      |    1 
 modules/system/sysnetwork.te       |    1 
 modules/system/udev.te             |    5 
 modules/system/unconfined.if       |    2 
 modules/system/userdomain.fc       |    1 
 modules/system/userdomain.if       |   18 +
 modules/system/xen.te              |    7 
 support/obj_perm_sets.spt          |    5 
 users                              |    2 
 146 files changed, 2058 insertions(+), 450 deletions(-)

Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -p -r1.32 -r1.33
--- policy-20100106.patch	9 Feb 2010 14:53:36 -0000	1.32
+++ policy-20100106.patch	10 Feb 2010 16:59:52 -0000	1.33
@@ -866,17 +866,19 @@ diff -b -B --ignore-all-space --exclude-
  	domain_mmap_low(wine_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-01-18 18:24:22.665531100 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc	2010-02-09 09:59:17.989881706 +0100
-@@ -219,7 +219,7 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc	2010-02-10 11:51:39.387858338 +0100
+@@ -218,8 +218,9 @@
+ /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/e16/misc(/.*)?  		gen_context(system_u:object_r:bin_t,s0) 
  /usr/share/cluster/.*\.sh               gen_context(system_u:object_r:bin_t,s0)
 -/usr/share/cluster/ocf-shellfunc --     gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/cluster/ocf-shellfuncs  --   gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock  --   gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/SAPInstance  --      gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/SAPDatabase  --      gen_context(system_u:object_r:bin_t,s0)
-@@ -237,6 +237,7 @@
+@@ -237,6 +238,7 @@
  /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/sectool/.*\.py       --      gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?	gen_context(system_u:object_r:bin_t,s0)
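Review bot: The new `/usr/share/e16/misc(/.*)?` entry carries no file-type specifier, so every file and subdirectory under it becomes bin_t and therefore executable by every confined domain that has corecmd_exec_bin; if the directory mixes data files with the helper scripts, a narrower pattern such as `/usr/share/e16/misc/.*\.sh --` (the form the neighbouring cluster entry uses) keeps the executable label on the scripts only. The line also ends in trailing whitespace after `s0)`, which none of the surrounding entries have. Whether e16/misc holds only scripts is not visible in this patch and should be checked against the package payload.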
@@ -964,7 +966,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2010-01-18 18:24:22.673530022 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if	2010-02-09 09:59:21.541627154 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if	2010-02-10 13:59:22.783608332 +0100
 @@ -1398,6 +1398,42 @@
  	rw_chr_files_pattern($1, device_t, crypt_device_t)
  ')
@@ -1033,7 +1035,33 @@ diff -b -B --ignore-all-space --exclude-
  ##	Get the attributes of the ksm devices.
  ## </summary>
  ## <param name="domain">
-@@ -3551,6 +3605,24 @@
+@@ -2485,6 +2539,25 @@
+ 	rw_chr_files_pattern($1, device_t, mtrr_device_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Dontaudit write the memory type range registers (MTRR).
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`dev_dontaudit_write_mtrr',`
++    gen_require(`
++        type mtrr_device_t;
++    ')
++
++	dontaudit $1 mtrr_device_t:chr_file write;
++	dontaudit $1 mtrr_device_t:file write;
++')
++
+ ########################################
+ ## <summary>
+ ##	Get the attributes of the network control device
+@@ -3551,6 +3624,24 @@
  	rw_chr_files_pattern($1, device_t, usb_device_t)
  ')
  
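Review bot: The new `dev_dontaudit_write_mtrr` interface indents its `gen_require` block with four spaces while the two `dontaudit` lines inside it and the neighbouring interfaces use tabs, and its `## <summary>` text is indented with two spaces where the neighbours use a tab; mixed indentation in devices.if will stand out in every later diff of the file. A dontaudit also hides a denial rather than explaining it, so a one-line comment naming the caller that trips it, e.g. `# iptables is seen writing /proc/mtrr; silence, do not allow`, would tell the next reader why both the chr_file and file classes are covered (the iptables use is visible further down in this same patch).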
@@ -1058,7 +1086,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Mount a usbfs filesystem.
-@@ -3833,6 +3905,24 @@
+@@ -3833,6 +3924,24 @@
  	write_chr_files_pattern($1, device_t, v4l_device_t)
  ')
  
@@ -1396,8 +1424,13 @@ diff -b -B --ignore-all-space --exclude-
  logging_send_syslog_msg(amavis_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-01-18 18:24:22.733530530 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.fc	2010-01-27 17:22:29.733863060 +0100
-@@ -12,6 +12,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/apache.fc	2010-02-10 11:49:16.515609331 +0100
+@@ -8,10 +8,12 @@
+ /etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
+ /etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
+ /etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
++/etc/mock/koji(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+ /etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/lighttpd    	--      gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
  /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
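Review bot: Labelling `/etc/mock/koji(/.*)?` as httpd_sys_content_rw_t makes mock's build configuration writable by httpd_t and by every httpd script domain that can manage rw content, not only by the koji hub; mock consumes those configs to set up root-owned build chroots, so a compromised web application could steer package builds. If the hub only needs to read them, httpd_sys_content_t (or a read-only koji-specific type) is the narrower label; if a separate daemon such as kojid writes them, that daemon's own type should own the directory. The entry is also placed before `/etc/lighttpd` although it sorts after it. Which process actually writes under /etc/mock/koji is not visible here and should be confirmed.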
@@ -1405,6 +1438,16 @@ diff -b -B --ignore-all-space --exclude-
  
  /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -71,6 +73,9 @@
+ /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+ /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
++/var/lib/koji(/.*)?				gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++
+ /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+ 
+ /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
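Review bot: `/var/lib/koji(/.*)?` as httpd_sys_content_rw_t shares one writable type with drupal and every other rw web content on the host, so any compromised httpd script can alter koji's stored build artefacts, not only the hub itself; a dedicated type, the way squirrelmail gets httpd_squirrelmail_t two lines below, would keep the build store isolated from unrelated web applications. The two blank lines added around the entry also break the otherwise single-spaced list. If a dedicated type is judged too much, the supply-chain exposure at least deserves a comment, e.g. `# koji-hub (runs under httpd) writes its package store here`.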
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-01-18 18:24:22.736530563 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/apache.if	2010-02-01 15:06:59.560081274 +0100
@@ -1690,6 +1733,18 @@ diff -b -B --ignore-all-space --exclude-
  	userdom_dontaudit_search_admin_dir($1)
  
  	optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.6.32/policy/modules/services/djbdns.if
+--- nsaserefpolicy/policy/modules/services/djbdns.if	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/djbdns.if	2010-02-10 16:28:56.322607977 +0100
+@@ -26,6 +26,8 @@
+ 	daemontools_read_svc(djbdns_$1_t)
+ 
+ 	allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
++	allow djbdns_$1_t self:process signal;
++	allow djbdns_$1_t self:fifo_file rw_fifo_file_perms;
+ 	allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
+ 	allow djbdns_$1_t self:udp_socket create_socket_perms;
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2010-01-18 18:24:22.782530547 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2010-02-08 11:55:25.971336166 +0100
@@ -3447,7 +3502,7 @@ diff -b -B --ignore-all-space --exclude-
  /etc/ppp/peers(/.*)?			gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2010-01-18 18:24:22.860530341 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/ppp.te	2010-02-01 17:54:50.906099781 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ppp.te	2010-02-10 13:44:03.868859469 +0100
 @@ -71,7 +71,7 @@
  # PPPD Local policy
  #
@@ -3457,7 +3512,15 @@ diff -b -B --ignore-all-space --exclude-
  dontaudit pppd_t self:capability sys_tty_config;
  allow pppd_t self:process signal;
  allow pppd_t self:fifo_file rw_fifo_file_perms;
-@@ -192,6 +192,10 @@
+@@ -122,6 +122,7 @@
+ kernel_read_network_state(pppd_t)
+ kernel_request_load_module(pppd_t)
+ 
++dev_getattr_modem_dev(pppd_t)
+ dev_read_urand(pppd_t)
+ dev_search_sysfs(pppd_t)
+ dev_read_sysfs(pppd_t)
+@@ -192,6 +193,10 @@
  ')
  
  optional_policy(`
@@ -4544,7 +4607,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2010-02-09 10:08:14.902615674 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2010-02-10 13:42:43.220607710 +0100
 @@ -253,6 +253,7 @@
  allow xdm_t iceauth_home_t:file read_file_perms;
  
@@ -4553,17 +4616,19 @@ diff -b -B --ignore-all-space --exclude-
  
  fs_search_auto_mountpoints(iceauth_t)
  
-@@ -301,6 +302,9 @@
+@@ -301,6 +302,11 @@
  manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
  files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
  
 +allow xauth_t xserver_t:unix_stream_socket connectto;  
 +
++stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) 
++
 +domain_dontaudit_leaks(xauth_t)
  domain_use_interactive_fds(xauth_t)
  
  dev_rw_xserver_misc(xauth_t)
-@@ -309,8 +313,12 @@
+@@ -309,8 +315,12 @@
  files_read_usr_files(xauth_t)
  files_search_pids(xauth_t)
  files_dontaudit_getattr_all_dirs(xauth_t)
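Review bot: The new `stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)` already grants `xauth_t xserver_t:unix_stream_socket connectto` (plus search on the directory and write on the socket file), so the bare `allow xauth_t xserver_t:unix_stream_socket connectto;` kept two lines above it is now redundant and should be dropped. Both added lines end in trailing whitespace. A short why-comment, e.g. `# xauth connects to the X server socket (xserver_tmp_t)`, would make the pattern's purpose reviewable.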
@@ -4576,7 +4641,15 @@ diff -b -B --ignore-all-space --exclude-
  fs_search_auto_mountpoints(xauth_t)
  
  # cjp: why?
-@@ -506,6 +514,7 @@
+@@ -341,6 +351,7 @@
+         term_dontaudit_use_unallocated_ttys(xauth_t)
+ 	dev_dontaudit_rw_dri(xauth_t)
+ 	dev_dontaudit_rw_generic_dev_nodes(xauth_t)
++	fs_list_inotifyfs(xauth_t)
+ ')
+ 
+ optional_policy(`
+@@ -506,6 +517,7 @@
  dev_dontaudit_rw_misc(xdm_t)
  dev_getattr_video_dev(xdm_t)
  dev_setattr_video_dev(xdm_t)
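Review bot: `fs_list_inotifyfs(xauth_t)` is an allow rule inserted into a block whose other members are all dontaudit rules and whose opening line lies outside this hunk; if that block is `ifdef(`hide_broken_symptoms')` or a tunable, the access becomes conditional on a build flag or boolean even though nothing suggests it is a symptom to hide. Moving it to the unconditional xauth_t rules next to `fs_search_auto_mountpoints(xauth_t)` keeps the grouping meaningful. The space-indented `term_dontaudit_use_unallocated_ttys` line in the same block is pre-existing, but the new line should not inherit that inconsistency if the block is reflowed.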
@@ -4584,7 +4657,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
  dev_read_sound(xdm_t)
-@@ -582,6 +591,7 @@
+@@ -582,6 +594,7 @@
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
  userdom_stream_connect(xdm_t)
@@ -4592,7 +4665,7 @@ diff -b -B --ignore-all-space --exclude-
  userdom_manage_user_tmp_dirs(xdm_t)
  userdom_manage_user_tmp_sockets(xdm_t)
  userdom_manage_tmpfs_role(system_r, xdm_t)
-@@ -668,6 +678,7 @@
+@@ -668,6 +681,7 @@
  
  optional_policy(`
  	gnome_read_gconf_config(xdm_t)
@@ -4600,7 +4673,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -675,6 +686,10 @@
+@@ -675,6 +689,10 @@
  ')
  
  optional_policy(`
@@ -4611,7 +4684,7 @@ diff -b -B --ignore-all-space --exclude-
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -712,6 +727,7 @@
+@@ -712,6 +730,7 @@
  optional_policy(`
  	pulseaudio_exec(xdm_t)
  	pulseaudio_dbus_chat(xdm_t)
@@ -4651,6 +4724,43 @@ diff -b -B --ignore-all-space --exclude-
  	ssh_sigchld(application_domain_type)
  	ssh_rw_stream_sockets(application_domain_type)
  ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.6.32/policy/modules/system/daemontools.te
+--- nsaserefpolicy/policy/modules/system/daemontools.te	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/system/daemontools.te	2010-02-10 17:52:29.728608954 +0100
+@@ -65,6 +65,8 @@
+ 
+ kernel_read_system_state(svc_run_t)
+ 
++dev_read_urand(svc_run_t)
++
+ corecmd_exec_bin(svc_run_t)
+ corecmd_exec_shell(svc_run_t)
+ 
+@@ -93,10 +95,14 @@
+ 
+ allow svc_start_t self:fifo_file rw_fifo_file_perms;
+ allow svc_start_t self:capability kill;
++allow svc_start_t self:tcp_socket create_stream_socket_perms;
+ allow svc_start_t self:unix_stream_socket create_socket_perms;
+ 
+ can_exec(svc_start_t, svc_start_exec_t)
+ 
++kernel_read_kernel_sysctls(svc_start_t)
++kernel_read_system_state(svc_start_t)
++
+ corecmd_exec_bin(svc_start_t)
+ corecmd_exec_shell(svc_start_t)
+ 
+@@ -105,5 +111,9 @@
+ files_search_var(svc_start_t)
+ files_search_pids(svc_start_t)
+ 
++logging_send_syslog_msg(svc_start_t)
++
++miscfiles_read_localization(svc_start_t)
++
+ daemontools_domtrans_run(svc_start_t)
+ daemontools_manage_svc(svc_start_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2010-01-18 18:24:22.930540014 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/fstools.fc	2010-01-27 18:13:10.349614395 +0100
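Review bot: `allow svc_start_t self:tcp_socket create_stream_socket_perms;` lets the daemontools start domain create TCP sockets, but the hunk adds no corenet rules for nodes, interfaces or ports, so the permission is either incomplete for whatever run script needs it or broader than the real requirement; a comment naming that script, e.g. `# <service> run script opens a TCP socket during start`, would let a later reader judge which. The remaining additions (urandom read, sysctl and system-state reads, syslog, localisation) are the usual baseline for a shell-driven service domain. The svc_run_t and svc_start_t definitions in daemontools.te begin outside this hunk.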
@@ -4784,7 +4894,7 @@ diff -b -B --ignore-all-space --exclude-
 +') 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-01-18 18:24:22.936530091 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te	2010-02-09 15:33:01.072616199 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.te	2010-02-10 12:35:56.244868320 +0100
 @@ -40,6 +40,7 @@
  attribute init_script_domain_type;
  attribute init_script_file_type;
@@ -4818,7 +4928,19 @@ diff -b -B --ignore-all-space --exclude-
  	fs_rw_tmpfs_chr_files(init_t)
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
-@@ -212,6 +215,11 @@
+@@ -204,6 +207,11 @@
+ ')
+ 
+ optional_policy(`
++	# webmin seems to cause this.
++	apache_search_sys_content(daemon)
++')
++
++optional_policy(`
+ 	auth_rw_login_records(init_t)
+ ')
+ 
+@@ -212,6 +220,11 @@
  ')
  
  optional_policy(`
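Review bot: `apache_search_sys_content(daemon)` grants directory search on httpd_sys_content_t to every domain carrying the `daemon` attribute, not to the one program the comment blames, and `# webmin seems to cause this.` records a guess rather than a root cause. If a specific daemon domain is at fault the rule belongs on that domain; if the access is only noise from an inherited working directory, a dontaudit variant (if apache.if provides one) would be preferable to widening every daemon's reach into web content. The optional_policy chain for init_t begins outside the hunk.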
@@ -4830,7 +4952,7 @@ diff -b -B --ignore-all-space --exclude-
  	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
  	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
  	# the directory. But we do not want to allow this.
-@@ -224,6 +232,10 @@
+@@ -224,6 +237,10 @@
  ')
  
  optional_policy(`
@@ -4841,7 +4963,7 @@ diff -b -B --ignore-all-space --exclude-
  	unconfined_domain(init_t)
  ')
  
-@@ -312,6 +324,7 @@
+@@ -312,6 +329,7 @@
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -4849,7 +4971,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
  dev_rw_sysfs(initrc_t)
-@@ -531,6 +544,7 @@
+@@ -531,6 +549,7 @@
  	# Needs to cp localtime to /var dirs
  	files_write_var_dirs(initrc_t)
  
@@ -4857,7 +4979,7 @@ diff -b -B --ignore-all-space --exclude-
  	fs_rw_tmpfs_chr_files(initrc_t)
  
  	storage_manage_fixed_disk(initrc_t)
-@@ -872,6 +886,7 @@
+@@ -872,6 +891,7 @@
  
  optional_policy(`
  	unconfined_domain(initrc_t)
@@ -4865,7 +4987,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -885,6 +900,9 @@
+@@ -885,6 +905,9 @@
  	# Allow SELinux aware applications to request rpm_script_t execution
  	rpm_transition_script(initrc_t)
  
@@ -4877,8 +4999,31 @@ diff -b -B --ignore-all-space --exclude-
  		gen_require(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2010-01-18 18:24:22.939530053 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te	2010-01-27 17:43:20.027613211 +0100
-@@ -215,6 +215,8 @@
++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te	2010-02-10 13:41:21.003609488 +0100
+@@ -182,9 +182,9 @@
+ # ipsec_mgmt Local policy
+ #
+ 
+-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap };
++allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+ dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+-allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
++allow ipsec_mgmt_t self:process { getsched signal setrlimit ptrace };
+ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+@@ -206,6 +206,10 @@
+ allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
+ files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
+ 
++manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
++manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
++files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) 
++
+ # _realsetup needs to be able to cat /var/run/pluto.pid,
+ # run ps on that pid, and delete the file
+ read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
+@@ -215,6 +219,8 @@
  allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
  allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
  
@@ -4887,6 +5032,14 @@ diff -b -B --ignore-all-space --exclude-
  allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+@@ -241,6 +247,7 @@
+ 
+ files_read_kernel_symbol_table(ipsec_mgmt_t)
+ files_getattr_kernel_modules(ipsec_mgmt_t)
++files_read_usr_files(ipsec_mgmt_t)
+ 
+ # the default updown script wants to run route
+ # the ipsec wrapper wants to run /usr/bin/logger (should we put
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if
 --- nsaserefpolicy/policy/modules/system/iptables.if	2010-01-18 18:24:22.941530168 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/iptables.if	2010-02-09 10:36:30.616615893 +0100
@@ -4906,7 +5059,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2010-01-18 18:24:22.941530168 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/iptables.te	2010-02-02 15:25:03.135335306 +0100
++++ serefpolicy-3.6.32/policy/modules/system/iptables.te	2010-02-10 13:59:49.976859557 +0100
 @@ -52,6 +52,7 @@
  kernel_use_fds(iptables_t)
  
@@ -4923,6 +5076,17 @@ diff -b -B --ignore-all-space --exclude-
  init_use_fds(iptables_t)
  init_use_script_ptys(iptables_t)
  # to allow rules to be saved on reboot:
+@@ -87,6 +89,10 @@
+ userdom_use_user_terminals(iptables_t)
+ userdom_use_all_users_fds(iptables_t)
+ 
++ifdef(`hide_broken_symptoms',`
++    dev_dontaudit_write_mtrr(iptables_t)
++')
++
+ optional_policy(`
+ 	fail2ban_append_log(iptables_t)
+ 	fail2ban_dontaudit_leaks(iptables_t)
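Review bot: The new `ifdef(`hide_broken_symptoms',` block indents `dev_dontaudit_write_mtrr(iptables_t)` with four spaces while the adjacent optional_policy body uses a tab, the only such inconsistency in this part of iptables.te. Gating the dontaudit under hide_broken_symptoms is the right choice, but a one-line comment on what hands iptables a descriptor to the MTRR file, e.g. `# descriptor to /proc/mtrr inherited from the caller; silence, do not allow`, would stop someone later turning it into an allow. What actually passes the descriptor is inferred, not shown here.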
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
 --- nsaserefpolicy/policy/modules/system/iscsi.fc	2009-09-16 16:01:19.000000000 +0200
 +++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc	2010-02-02 15:17:13.812067843 +0100
@@ -4982,7 +5146,7 @@ diff -b -B --ignore-all-space --exclude-
  domain_read_all_domains_state(iscsid_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2010-02-02 10:45:09.949162869 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2010-02-10 12:10:25.609868564 +0100
 @@ -245,8 +245,12 @@
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
  /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -5007,9 +5171,12 @@ diff -b -B --ignore-all-space --exclude-
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -433,8 +435,16 @@
+@@ -432,9 +434,19 @@
+ 
  /usr/lib(64)?/octagaplayer/libapplication\.so		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
++/usr/autodesk/maya2010-x64/lib/.*\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)  
++
  /opt/AutoScan/usr/lib/libvte\.so.*			     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/lampp/lib/libsybdb\.so.*                    -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/Unify/SQLBase/libgptsblmsui11.so.*          -- gen_context(system_u:object_r:textrel_shlib_t,s0)
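Review bot: The new `/usr/autodesk/maya2010-x64/lib/.*\.so.*` entry ends with trailing spaces, is filed among the /opt paths although it lives under /usr, and is pinned to one product version so the next Maya release silently loses the label. textrel_shlib_t grants execmod to every domain that maps these libraries, i.e. it waives the text-relocation (W^X) protection for the whole directory; scoping the pattern to the libraries that actually carry text relocations, or at least noting which ones do, would limit that waiver. Which of the Maya libraries need it is not visible here.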
@@ -5026,8 +5193,16 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.*	--   gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2010-01-18 18:24:22.948530849 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/locallogin.te	2010-01-21 14:31:52.834862007 +0100
-@@ -207,7 +207,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/locallogin.te	2010-02-10 11:55:45.380624491 +0100
+@@ -74,6 +74,7 @@
+ dev_setattr_power_mgmt_dev(local_login_t)
+ dev_getattr_sound_dev(local_login_t)
+ dev_setattr_sound_dev(local_login_t)
++dev_read_video_dev(local_login_t)    
+ dev_rw_generic_usb_dev(local_login_t)
+ dev_dontaudit_getattr_apm_bios_dev(local_login_t)
+ dev_dontaudit_setattr_apm_bios_dev(local_login_t)
+@@ -207,7 +208,7 @@
  allow sulogin_t self:capability dac_override;
  allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow sulogin_t self:fd use;
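Review bot: `dev_read_video_dev(local_login_t)` departs from the pattern of the neighbouring lines, which give the login program only getattr/setattr on sound and power-management devices (enough to fix ownership at console login); read access lets the login process itself consume video-device data, which a login helper has no evident reason to do. If the trigger was an ownership pass that merely stats the device, `dev_getattr_video_dev`/`dev_setattr_video_dev` (both used for xdm_t elsewhere in this patch) would match the pattern; if something really reads it, a comment naming that path is warranted. The line also carries trailing whitespace, and the denial that motivated it is not shown in the patch.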
@@ -5036,7 +5211,7 @@ diff -b -B --ignore-all-space --exclude-
  allow sulogin_t self:unix_dgram_socket create_socket_perms;
  allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
  allow sulogin_t self:unix_dgram_socket sendto;
-@@ -241,6 +241,9 @@
+@@ -241,6 +242,9 @@
  userdom_search_user_home_dirs(sulogin_t)
  userdom_use_user_ptys(sulogin_t)
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1017
retrieving revision 1.1018
diff -u -p -r1.1017 -r1.1018
--- selinux-policy.spec	9 Feb 2010 14:53:36 -0000	1.1017
+++ selinux-policy.spec	10 Feb 2010 16:59:52 -0000	1.1018
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 86%{?dist}
+Release: 87%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
 %endif
 
 %changelog
+* Wed Feb 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-87
+- Fixes for ipsec policy
+- Allow pppd to get attributes of the modem devices
+- Add label for /usr/share/e16/misc directory
+
 * Tue Feb 9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-86
 - Allow mysql ipc_lock capability
 - Allow passwd sys_nice capability


