rpms/selinux-policy/F-12 policy-20100106.patch, 1.33, 1.34 selinux-policy.spec, 1.1018, 1.1019
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Feb 11 19:42:33 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5075
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Fixes for sandbox
- Allow quota to set priority of kernel threads
- Fixes for svirt
policy-20100106.patch:
modules/admin/dmesg.fc | 1
modules/admin/mcelog.fc | 2
modules/admin/mcelog.if | 20 +
modules/admin/mcelog.te | 31 ++
modules/admin/prelink.te | 1
modules/admin/quota.te | 1
modules/admin/readahead.te | 2
modules/admin/rpm.if | 20 -
modules/admin/smoltclient.te | 2
modules/admin/usermanage.te | 6
modules/apps/cdrecord.te | 2
modules/apps/chrome.te | 3
modules/apps/execmem.if | 5
modules/apps/firewallgui.te | 4
modules/apps/gnome.fc | 9
modules/apps/gnome.if | 81 +++++-
modules/apps/gnome.te | 8
modules/apps/gpg.fc | 2
modules/apps/gpg.te | 5
modules/apps/kdumpgui.te | 4
modules/apps/mozilla.fc | 1
modules/apps/nsplugin.fc | 1
modules/apps/nsplugin.if | 36 ++
modules/apps/podsleuth.te | 1
modules/apps/pulseaudio.fc | 2
modules/apps/pulseaudio.if | 6
modules/apps/pulseaudio.te | 8
modules/apps/sambagui.te | 4
modules/apps/sandbox.if | 54 +++-
modules/apps/sandbox.te | 49 ++-
modules/apps/vmware.if | 18 +
modules/apps/vmware.te | 9
modules/apps/wine.if | 4
modules/apps/wine.te | 14 +
modules/kernel/corecommands.fc | 4
modules/kernel/corenetwork.if.in | 18 +
modules/kernel/corenetwork.te.in | 4
modules/kernel/devices.fc | 5
modules/kernel/devices.if | 109 ++++++++
modules/kernel/devices.te | 18 +
modules/kernel/files.if | 20 +
modules/kernel/filesystem.if | 118 ++++++++-
modules/kernel/filesystem.te | 12
modules/roles/staff.te | 16 -
modules/roles/sysadm.te | 4
modules/roles/unconfineduser.fc | 5
modules/roles/unconfineduser.te | 2
modules/roles/xguest.te | 2
modules/services/abrt.if | 5
modules/services/abrt.te | 14 +
modules/services/afs.te | 6
modules/services/aisexec.te | 8
modules/services/amavis.te | 1
modules/services/apache.fc | 5
modules/services/apache.if | 27 ++
modules/services/apache.te | 12
modules/services/apcupsd.te | 2
modules/services/arpwatch.te | 2
modules/services/avahi.fc | 2
modules/services/chronyd.fc | 2
modules/services/chronyd.te | 15 -
modules/services/corosync.te | 6
modules/services/cron.te | 9
modules/services/cups.te | 6
modules/services/dbus.if | 2
modules/services/djbdns.if | 38 +++
modules/services/djbdns.te | 8
modules/services/dovecot.te | 6
modules/services/fail2ban.if | 18 +
modules/services/ftp.if | 37 ++
modules/services/ftp.te | 114 +++++++++
modules/services/git.fc | 17 -
modules/services/git.if | 466 ++++++++++++++++++++++++++++---------
modules/services/git.te | 145 ++++++-----
modules/services/kerberos.if | 2
modules/services/ldap.fc | 8
modules/services/ldap.te | 7
modules/services/lircd.te | 7
modules/services/mailman.te | 1
modules/services/memcached.te | 14 -
modules/services/mta.if | 19 +
modules/services/mta.te | 1
modules/services/munin.te | 1
modules/services/mysql.te | 4
modules/services/nagios.fc | 42 +++
modules/services/nagios.if | 2
modules/services/nagios.te | 47 +++
modules/services/networkmanager.fc | 1
modules/services/networkmanager.te | 1
modules/services/nis.fc | 5
modules/services/nis.te | 6
modules/services/nx.if | 18 +
modules/services/openvpn.te | 4
modules/services/plymouth.te | 32 +-
modules/services/policykit.te | 8
modules/services/postfix.te | 5
modules/services/ppp.fc | 2
modules/services/ppp.te | 7
modules/services/prelude.te | 2
modules/services/rgmanager.if | 2
modules/services/rgmanager.te | 18 +
modules/services/rhcs.fc | 8
modules/services/rhcs.te | 47 ++-
modules/services/samba.te | 13 -
modules/services/sendmail.te | 4
modules/services/setroubleshoot.te | 4
modules/services/snmp.te | 4
modules/services/snort.te | 1
modules/services/spamassassin.if | 18 +
modules/services/spamassassin.te | 6
modules/services/ssh.if | 2
modules/services/ssh.te | 81 ------
modules/services/sssd.fc | 2
modules/services/sssd.if | 85 +++---
modules/services/sssd.te | 14 -
modules/services/tftp.te | 1
modules/services/tgtd.te | 1
modules/services/tuned.fc | 3
modules/services/tuned.te | 9
modules/services/ucspitcp.te | 5
modules/services/usbmuxd.fc | 6
modules/services/usbmuxd.if | 64 +++++
modules/services/usbmuxd.te | 48 +++
modules/services/virt.if | 1
modules/services/virt.te | 10
modules/services/xserver.fc | 7
modules/services/xserver.if | 2
modules/services/xserver.te | 19 +
modules/system/application.te | 12
modules/system/daemontools.if | 62 ++++
modules/system/daemontools.te | 26 +-
modules/system/fstools.fc | 1
modules/system/hostname.te | 3
modules/system/hotplug.te | 4
modules/system/init.if | 33 ++
modules/system/init.te | 25 +
modules/system/ipsec.te | 11
modules/system/iptables.if | 7
modules/system/iptables.te | 6
modules/system/iscsi.fc | 3
modules/system/iscsi.te | 10
modules/system/libraries.fc | 16 +
modules/system/locallogin.te | 6
modules/system/logging.fc | 2
modules/system/logging.if | 18 +
modules/system/logging.te | 9
modules/system/miscfiles.if | 37 ++
modules/system/modutils.te | 1
modules/system/mount.te | 15 +
modules/system/selinuxutil.te | 1
modules/system/sysnetwork.te | 1
modules/system/udev.te | 5
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 +
modules/system/xen.te | 7
support/obj_perm_sets.spt | 5
users | 2
158 files changed, 2327 insertions(+), 479 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -p -r1.33 -r1.34
--- policy-20100106.patch 10 Feb 2010 16:59:52 -0000 1.33
+++ policy-20100106.patch 11 Feb 2010 19:42:32 -0000 1.34
@@ -82,6 +82,17 @@ diff -b -B --ignore-all-space --exclude-
userdom_manage_user_home_content(prelink_t)
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.6.32/policy/modules/admin/quota.te
+--- nsaserefpolicy/policy/modules/admin/quota.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/admin/quota.te 2010-02-11 17:52:39.497458571 +0100
+@@ -39,6 +39,7 @@
+ kernel_list_proc(quota_t)
+ kernel_read_proc_symlinks(quota_t)
+ kernel_read_kernel_sysctls(quota_t)
++kernel_setsched(quota_t)
+
+ dev_read_sysfs(quota_t)
+ dev_getattr_all_blk_files(quota_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.32/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2010-01-18 18:24:22.565530533 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/readahead.te 2010-02-09 10:21:28.868615982 +0100
@@ -190,6 +201,21 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if
+--- nsaserefpolicy/policy/modules/apps/execmem.if 2010-01-18 18:24:22.590539929 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2010-02-11 17:58:09.307708740 +0100
+@@ -74,6 +74,11 @@
+ ')
+
+ optional_policy(`
++ nsplugin_rw_shm($1_execmem_t)
++ nsplugin_rw_semaphores($1_execmem_t)
++ ')
++
++ optional_policy(`
+ xserver_common_app($1_execmem_t)
+ xserver_role($2, $1_execmem_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 2010-01-18 18:24:22.593530742 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2010-02-02 18:41:27.873067758 +0100
@@ -455,6 +481,49 @@ diff -b -B --ignore-all-space --exclude-
HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
+--- nsaserefpolicy/policy/modules/apps/nsplugin.if 2010-01-18 18:24:22.627530248 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2010-02-11 17:58:29.270708387 +0100
+@@ -321,3 +321,39 @@
+
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
+ ')
++
++########################################
++## <summary>
++## Read and write to nsplugin shared memory.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`nsplugin_rw_shm',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ allow $1 nsplugin_t:shm rw_shm_perms;
++')
++
++#####################################
++## <summary>
++## Allow read and write access to nsplugin semaphores.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`nsplugin_rw_semaphores',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ allow $1 nsplugin_t:sem rw_sem_perms;
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-01-18 18:24:22.631540185 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2010-01-19 11:53:14.080857057 +0100
@@ -475,7 +544,16 @@ diff -b -B --ignore-all-space --exclude-
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-01-18 18:24:22.632542198 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-02-01 17:25:51.033096867 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-02-11 17:58:33.409458697 +0100
+@@ -29,7 +29,7 @@
+ ps_process_pattern($2, pulseaudio_t)
+
+ allow pulseaudio_t $2:process { signal signull };
+- allow $2 pulseaudio_t:process { signal signull };
++ allow $2 pulseaudio_t:process { signal signull sigkill };
+ ps_process_pattern(pulseaudio_t, $2)
+
+ allow pulseaudio_t $2:unix_stream_socket connectto;
@@ -137,10 +137,10 @@
#
interface(`pulseaudio_stream_connect',`
@@ -530,7 +608,25 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-22 15:41:50.752727640 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-02-11 17:41:13.265459296 +0100
+@@ -29,7 +29,7 @@
+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+ role $2 types sandbox_domain;
+ allow sandbox_domain $1:process sigchld;
+- allow sandbox_domain $1:fifo_file rw_fifo_file_perms;
++ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+
+ allow $1 sandbox_x_domain:process { signal_perms transition };
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+@@ -37,7 +37,7 @@
+ role $2 types sandbox_x_domain;
+ role $2 types sandbox_xserver_t;
+ allow $1 sandbox_xserver_t:process signal_perms;
+- dontaudit sandbox_xserver_t $1:fifo_file rw_fifo_file_perms;
++ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
+ allow sandbox_xserver_t $1:unix_stream_socket { read write };
@@ -45,9 +45,10 @@
allow sandbox_x_domain $1:process { sigchld signal };
allow sandbox_x_domain sandbox_x_domain:process signal;
@@ -626,7 +722,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-02-01 20:25:27.706170172 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-02-11 17:45:05.778708766 +0100
@@ -10,14 +10,15 @@
#
@@ -733,21 +829,43 @@ diff -b -B --ignore-all-space --exclude-
kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t)
dev_read_rand(sandbox_web_client_t)
-+dev_read_sound(sandbox_web_client_t)
+dev_write_sound(sandbox_web_client_t)
++dev_read_sound(sandbox_web_client_t)
# Browse the web, connect to printer
corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
-@@ -267,7 +276,7 @@
+@@ -249,14 +258,19 @@
+ corenet_raw_sendrecv_all_nodes(sandbox_web_client_t)
+ corenet_tcp_sendrecv_http_port(sandbox_web_client_t)
+ corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t)
++corenet_tcp_connect_flash_port(sandbox_web_client_t)
+ corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t)
+ corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
++corenet_tcp_connect_streaming_port(sandbox_web_client_t)
++corenet_tcp_connect_pulseaudio_port(sandbox_web_client_t)
++corenet_tcp_connect_speech_port(sandbox_web_client_t)
+ corenet_tcp_connect_http_port(sandbox_web_client_t)
+ corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
+ corenet_tcp_connect_ftp_port(sandbox_web_client_t)
+ corenet_tcp_connect_ipp_port(sandbox_web_client_t)
+ corenet_tcp_connect_generic_port(sandbox_web_client_t)
+ corenet_tcp_connect_soundd_port(sandbox_web_client_t)
++corenet_tcp_connect_speech_port(sandbox_web_client_t)
+ corenet_sendrecv_http_client_packets(sandbox_web_client_t)
+ corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
+ corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
+@@ -265,9 +279,8 @@
+ # Should not need other ports
+ corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
- corenet_tcp_connect_speech_port(sandbox_web_client_t)
+-corenet_tcp_connect_speech_port(sandbox_web_client_t)
-#auth_use_nsswitch(sandbox_web_client_t)
+auth_use_nsswitch(sandbox_web_client_t)
dbus_system_bus_client(sandbox_web_client_t)
dbus_read_config(sandbox_web_client_t)
-@@ -279,6 +288,8 @@
+@@ -279,6 +292,8 @@
selinux_compute_user_contexts(sandbox_web_client_t)
seutil_read_default_contexts(sandbox_web_client_t)
@@ -756,7 +874,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
nsplugin_read_rw_files(sandbox_web_client_t)
nsplugin_rw_exec(sandbox_web_client_t)
-@@ -310,7 +321,7 @@
+@@ -310,7 +325,7 @@
corenet_tcp_connect_all_ports(sandbox_net_client_t)
corenet_sendrecv_all_client_packets(sandbox_net_client_t)
@@ -1180,8 +1298,70 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-02-09 09:59:39.756615405 +0100
-@@ -3496,6 +3496,24 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-02-11 20:29:48.903440849 +0100
+@@ -1632,6 +1632,36 @@
+
+ ########################################
+ ## <summary>
++## Create an object in a hugetlbfs filesystem, with a private
++## type using a type transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private type">
++## <summary>
++## The type of the object to be created.
++## </summary>
++## </param>
++## <param name="object">
++## <summary>
++## The object class of the object being created.
++## </summary>
++## </param>
++#
++interface(`fs_hugetlbfs_filetrans',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ allow $2 hugetlbfs_t:filesystem associate;
++ filetrans_pattern($1, hugetlbfs_t, $2, $3)
++')
++
++########################################
++## <summary>
+ ## Search inotifyfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1668,6 +1698,24 @@
+
+ ########################################
+ ## <summary>
++## Dontaudit List inotifyfs filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_list_inotifyfs',`
++ gen_require(`
++ type inotifyfs_t;
++ ')
++
++ dontaudit $1 inotifyfs_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ## Mount an iso9660 filesystem, which
+ ## is usually used on CDs.
+ ## </summary>
+@@ -3496,6 +3544,24 @@
########################################
## <summary>
@@ -1206,7 +1386,52 @@ diff -b -B --ignore-all-space --exclude-
## Read and write generic tmpfs files.
## </summary>
## <param name="domain">
-@@ -4297,6 +4315,26 @@
+@@ -3722,7 +3788,7 @@
+
+ ########################################
+ ## <summary>
+-## Mount a XENFS filesystem.
++## Search the XENFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3730,17 +3796,17 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_mount_xenfs',`
++interface(`fs_search_xenfs',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+- allow $1 xenfs_t:filesystem mount;
++ allow $1 xenfs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the XENFS filesystem.
++## Mount a XENFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3748,12 +3814,12 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_search_xenfs',`
++interface(`fs_mount_xenfs',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+- allow $1 xenfs_t:dir search_dir_perms;
++ allow $1 xenfs_t:filesystem mount;
+ ')
+
+ ########################################
+@@ -4297,6 +4363,26 @@
########################################
## <summary>
@@ -1233,7 +1458,7 @@ diff -b -B --ignore-all-space --exclude-
## Read and write files on cgroup
## file systems.
## </summary>
-@@ -4409,3 +4447,23 @@
+@@ -4409,3 +4495,23 @@
write_files_pattern($1, cgroup_t, cgroup_t)
')
@@ -1257,6 +1482,86 @@ diff -b -B --ignore-all-space --exclude-
+ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
+ dontaudit $1 filesystem_type:lnk_file { read };
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.32/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-01-18 18:24:22.705531020 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2010-02-11 20:29:53.802696084 +0100
+@@ -1,5 +1,5 @@
+
+-policy_module(filesystem, 1.12.0)
++policy_module(filesystem, 1.12.1)
+
+ ########################################
+ #
+@@ -178,6 +178,11 @@
+
+ allow tmpfs_t noxattrfs:filesystem associate;
+
++type xenfs_t;
++fs_noxattr_type(xenfs_t)
++files_mountpoint(xenfs_t)
++genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
++
+ ##############################
+ #
+ # Filesystems without extended attribute support
+@@ -260,11 +265,6 @@
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
+
+-type xenfs_t;
+-fs_noxattr_type(xenfs_t)
+-files_mountpoint(xenfs_t)
+-genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
+-
+ ########################################
+ #
+ # Rules for all filesystem types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te
+--- nsaserefpolicy/policy/modules/roles/staff.te 2010-01-18 18:24:22.718544267 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-02-11 17:58:37.444708661 +0100
+@@ -76,20 +76,20 @@
+ webadm_role_change(staff_r)
+ ')
+
+-domain_read_all_domains_state(staff_t)
+-domain_getattr_all_domains(staff_t)
++domain_read_all_domains_state(staff_usertype)
++domain_getattr_all_domains(staff_usertype)
+ domain_obj_id_change_exemption(staff_t)
+
+-files_read_kernel_modules(staff_t)
++files_read_kernel_modules(staff_usertype)
+
+-kernel_read_fs_sysctls(staff_t)
++kernel_read_fs_sysctls(staff_usertype)
+
+-modutils_read_module_config(staff_t)
+-modutils_read_module_deps(staff_t)
++modutils_read_module_config(staff_usertype)
++modutils_read_module_deps(staff_usertype)
+
+-miscfiles_read_hwdata(staff_t)
++miscfiles_read_hwdata(staff_usertype)
+
+-term_use_unallocated_ttys(staff_t)
++term_use_unallocated_ttys(staff_usertype)
+
+ optional_policy(`
+ gnomeclock_dbus_chat(staff_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te
+--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-01-18 18:24:22.719529727 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2010-02-11 14:08:45.869618803 +0100
+@@ -129,6 +129,10 @@
+ ')
+
+ optional_policy(`
++ daemonstools_run_start(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ dcc_run_cdcc(sysadm_t, sysadm_r)
+ dcc_run_client(sysadm_t, sysadm_r)
+ dcc_run_dbclean(sysadm_t, sysadm_r)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-02-02 10:47:12.668175161 +0100
@@ -1565,12 +1870,13 @@ diff -b -B --ignore-all-space --exclude-
allow apcupsd_t self:tcp_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-01-18 18:24:22.741530430 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-01-27 17:37:31.626864275 +0100
-@@ -64,6 +64,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-02-11 20:25:58.833441037 +0100
+@@ -64,6 +64,8 @@
corenet_udp_sendrecv_all_ports(arpwatch_t)
dev_read_sysfs(arpwatch_t)
+dev_read_usbmon_dev(arpwatch_t)
++dev_rw_generic_usb_dev(arpwatch_t)
fs_getattr_all_fs(arpwatch_t)
fs_search_auto_mountpoints(arpwatch_t)
@@ -1668,8 +1974,20 @@ diff -b -B --ignore-all-space --exclude-
ccs_read_config(corosync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-02-03 21:39:39.157822554 +0100
-@@ -323,6 +323,10 @@
++++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-02-11 12:37:32.141868288 +0100
+@@ -268,6 +268,11 @@
+ ')
+
+ optional_policy(`
++ djbdns_search_key_tinydns(crond_t)
++ djbdns_link_key_tinydns(crond_t)
++')
++
++optional_policy(`
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
+ ')
+@@ -323,6 +328,10 @@
udev_read_db(crond_t)
')
@@ -1735,7 +2053,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.6.32/policy/modules/services/djbdns.if
--- nsaserefpolicy/policy/modules/services/djbdns.if 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/services/djbdns.if 2010-02-10 16:28:56.322607977 +0100
++++ serefpolicy-3.6.32/policy/modules/services/djbdns.if 2010-02-11 12:35:57.243619172 +0100
@@ -26,6 +26,8 @@
daemontools_read_svc(djbdns_$1_t)
@@ -1745,6 +2063,61 @@ diff -b -B --ignore-all-space --exclude-
allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
allow djbdns_$1_t self:udp_socket create_socket_perms;
+@@ -50,3 +52,39 @@
+
+ files_search_var(djbdns_$1_t)
+ ')
++
++######################################
++## <summary>
++## Allow search the djbdns-tinydns key ring.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`djbdns_search_key_tinydns',`
++ gen_require(`
++ type djbdns_tinydns_t;
++ ')
++
++ allow $1 djbdns_tinydns_t:key search;
++')
++
++######################################
++## <summary>
++## Allow link to the djbdns-tinydns key ring.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`djbdns_link_key_tinydns',`
++ gen_require(`
++ type djbdns_tinydn_t;
++ ')
++
++ allow $1 djbdns_tinydn_t:key link;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.6.32/policy/modules/services/djbdns.te
+--- nsaserefpolicy/policy/modules/services/djbdns.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/djbdns.te 2010-02-11 14:26:09.789868676 +0100
+@@ -42,3 +42,11 @@
+ files_search_var(djbdns_axfrdns_t)
+
+ ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
++
++#####################################
++#
++# Local policy for djbdns_tinydns_t
++#
++
++init_dontaudit_use_script_fds(djbdns_tinydns_t)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100
+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-02-08 11:55:25.971336166 +0100
@@ -3954,9 +4327,28 @@ diff -b -B --ignore-all-space --exclude-
exim_manage_spool_dirs(spamd_t)
exim_manage_spool_files(spamd_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if
+--- nsaserefpolicy/policy/modules/services/ssh.if 2010-01-18 18:24:22.898539086 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2010-02-11 17:58:41.983708667 +0100
+@@ -393,6 +393,7 @@
+ logging_send_syslog_msg($1_ssh_agent_t)
+
+ miscfiles_read_localization($1_ssh_agent_t)
++ miscfiles_read_certs($1_ssh_agent_t)
+
+ seutil_dontaudit_read_config($1_ssh_agent_t)
+
+@@ -400,6 +401,7 @@
+ userdom_use_user_terminals($1_ssh_agent_t)
+
+ # for the transition back to normal privs upon exec
++ userdom_search_user_home_content($1_ssh_agent_t)
+ userdom_user_home_domtrans($1_ssh_agent_t, $3)
+ allow $3 $1_ssh_agent_t:fd use;
+ allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-02-08 00:22:54.835167354 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-02-11 18:35:06.034708401 +0100
@@ -8,31 +8,6 @@
## <desc>
@@ -4000,7 +4392,15 @@ diff -b -B --ignore-all-space --exclude-
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
-@@ -365,6 +337,11 @@
+@@ -209,6 +180,7 @@
+ # needs to read krb tgt
+ userdom_read_user_tmp_files(ssh_t)
+ userdom_read_user_home_content_symlinks(ssh_t)
++userdom_write_user_tmp_files(ssh_t)
+
+ tunable_policy(`allow_ssh_keysign',`
+ domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+@@ -365,6 +338,11 @@
')
optional_policy(`
@@ -4012,7 +4412,7 @@ diff -b -B --ignore-all-space --exclude-
xserver_getattr_xauth(sshd_t)
')
-@@ -468,49 +445,3 @@
+@@ -468,49 +446,3 @@
udev_read_db(ssh_keygen_t)
')
@@ -4418,6 +4818,18 @@ diff -b -B --ignore-all-space --exclude-
# to allow cpu tuning
dev_rw_netcontrol(tuned_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.6.32/policy/modules/services/ucspitcp.te
+--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/ucspitcp.te 2010-02-11 14:18:05.345868624 +0100
+@@ -92,3 +92,8 @@
+ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
+ daemontools_read_svc(ucspitcp_t)
+ ')
++
++optional_policy(`
++ daemontools_sigchld_run(ucspitcp_t)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc 2010-02-02 19:00:16.333067308 +0100
@@ -4498,8 +4910,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-02 19:28:04.029318349 +0100
-@@ -0,0 +1,44 @@
++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-11 18:39:18.455708622 +0100
+@@ -0,0 +1,48 @@
+
+policy_module(usbmuxd,1.0.0)
+
@@ -4537,6 +4949,10 @@ diff -b -B --ignore-all-space --exclude-
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
++kernel_read_system_state(usbmuxd_t)
++
++dev_rw_generic_usb_dev(usbmuxd_t)
++
+files_read_etc_files(usbmuxd_t)
+
+miscfiles_read_localization(usbmuxd_t)
@@ -4544,9 +4960,27 @@ diff -b -B --ignore-all-space --exclude-
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if
+--- nsaserefpolicy/policy/modules/services/virt.if 2010-01-18 18:24:22.913542181 +0100
++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-02-11 20:29:58.819441475 +0100
+@@ -194,6 +194,7 @@
+
+ files_search_var_lib($1)
+ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-01 17:46:33.611080298 +0100
++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-11 20:30:04.756691338 +0100
+@@ -1,5 +1,5 @@
+
+-policy_module(virt, 1.2.1)
++policy_module(virt, 1.3.0)
+
+ ########################################
+ #
@@ -226,7 +226,7 @@
sysnet_domtrans_ifconfig(virtd_t)
sysnet_read_config(virtd_t)
@@ -4556,7 +4990,15 @@ diff -b -B --ignore-all-space --exclude-
userdom_getattr_all_users(virtd_t)
userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
-@@ -370,6 +370,7 @@
+@@ -337,6 +337,7 @@
+ allow svirt_t svirt_image_t:dir search_dir_perms;
+ manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+ manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
++fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
+
+ list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+ read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+@@ -370,6 +371,7 @@
tunable_policy(`virt_use_fusefs',`
fs_read_fusefs_files(svirt_t)
@@ -4564,15 +5006,21 @@ diff -b -B --ignore-all-space --exclude-
')
tunable_policy(`virt_use_nfs',`
-@@ -430,6 +431,8 @@
+@@ -429,11 +431,13 @@
+ corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
- dev_read_sound(virt_domain)
+dev_read_rand(virt_domain)
+ dev_read_sound(virt_domain)
+-dev_write_sound(virt_domain)
+dev_read_urand(virt_domain)
- dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
+ dev_rw_qemu(virt_domain)
++dev_write_sound(virt_domain)
+
+ domain_use_interactive_fds(virt_domain)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-02-03 14:24:48.062145095 +0100
@@ -4605,6 +5053,18 @@ diff -b -B --ignore-all-space --exclude-
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
+--- nsaserefpolicy/policy/modules/services/xserver.if 2010-01-18 18:24:22.920530710 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2010-02-11 17:58:46.499708705 +0100
+@@ -49,7 +49,7 @@
+ allow xserver_t $2:shm rw_shm_perms;
+
+ domtrans_pattern($2, xserver_exec_t, xserver_t)
+- allow xserver_t $2:process signal;
++ allow xserver_t $2:process { getpgid signal };
+
+ allow xserver_t $2:shm rw_shm_perms;
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-10 13:42:43.220607710 +0100
@@ -4724,19 +5184,129 @@ diff -b -B --ignore-all-space --exclude-
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.6.32/policy/modules/system/daemontools.if
+--- nsaserefpolicy/policy/modules/system/daemontools.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/system/daemontools.if 2010-02-11 14:55:16.780616974 +0100
+@@ -71,6 +71,32 @@
+ domtrans_pattern($1, svc_start_exec_t, svc_start_t)
+ ')
+
++#######################################
++## <summary>
++## Execute svc_start in the svc_start domain, and
++## allow the specified role the svc_start domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the svc_start domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`daemonstools_run_start',`
++ gen_require(`
++ type svc_start_t;
++ ')
++
++ daemontools_domtrans_start($1)
++ role $2 types svc_start_t;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute in the svc_run_t domain.
+@@ -127,6 +153,24 @@
+ allow $1 svc_svc_t:file read_file_perms;
+ ')
+
++#######################################
++## <summary>
++## Search svc_svc_t directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`daemontools_search_svc_dir',`
++ gen_require(`
++ type svc_svc_t;
++ ')
++
++ allow $1 svc_svc_t:dir search_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Allow a domain to create svc_svc_t files.
+@@ -148,3 +192,21 @@
+ allow $1 svc_svc_t:file manage_file_perms;
+ allow $1 svc_svc_t:lnk_file { read create };
+ ')
++
++#####################################
++## <summary>
++## Send a SIGCHLD signal to svc_run domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`daemontools_sigchld_run',`
++ gen_require(`
++ type svc_run_t;
++ ')
++
++ allow $1 svc_run_t:process sigchld;
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.6.32/policy/modules/system/daemontools.te
--- nsaserefpolicy/policy/modules/system/daemontools.te 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/system/daemontools.te 2010-02-10 17:52:29.728608954 +0100
-@@ -65,6 +65,8 @@
++++ serefpolicy-3.6.32/policy/modules/system/daemontools.te 2010-02-11 14:40:01.632617547 +0100
+@@ -39,7 +39,10 @@
+ # multilog creates /service/*/log/status
+ manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
+
++term_write_console(svc_multilog_t)
++
+ init_use_fds(svc_multilog_t)
++init_dontaudit_use_script_fds(svc_multilog_t)
+
+ # writes to /var/log/*/*
+ logging_manage_generic_logs(svc_multilog_t)
+@@ -53,7 +56,7 @@
+ # ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
+ #
+
+-allow svc_run_t self:capability { setgid setuid chown fsetid };
++allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource};
+ allow svc_run_t self:process setrlimit;
+ allow svc_run_t self:fifo_file rw_fifo_file_perms;
+ allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+@@ -65,6 +68,10 @@
kernel_read_system_state(svc_run_t)
+dev_read_urand(svc_run_t)
+
++term_write_console(svc_run_t)
++
corecmd_exec_bin(svc_run_t)
corecmd_exec_shell(svc_run_t)
-@@ -93,10 +95,14 @@
+@@ -89,21 +96,36 @@
+ # ie svc, svscan, supervise ...
+ #
+
+-allow svc_start_t svc_run_t:process signal;
++allow svc_start_t svc_run_t:process { signal setrlimit };
allow svc_start_t self:fifo_file rw_fifo_file_perms;
allow svc_start_t self:capability kill;
@@ -4745,13 +5315,21 @@ diff -b -B --ignore-all-space --exclude-
can_exec(svc_start_t, svc_start_exec_t)
++mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
++
+kernel_read_kernel_sysctls(svc_start_t)
+kernel_read_system_state(svc_start_t)
+
corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)
-@@ -105,5 +111,9 @@
++corenet_tcp_bind_generic_node(svc_start_t)
++corenet_tcp_bind_generic_port(svc_start_t)
++
++term_write_console(svc_start_t)
++
+ files_read_etc_files(svc_start_t)
+ files_read_etc_runtime_files(svc_start_t)
files_search_var(svc_start_t)
files_search_pids(svc_start_t)
@@ -5260,7 +5838,7 @@ diff -b -B --ignore-all-space --exclude-
## Read all log files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-01-18 18:24:22.951535142 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-09 15:09:42.278616082 +0100
++++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-11 12:06:40.363618975 +0100
@@ -101,6 +101,7 @@
kernel_read_kernel_sysctls(auditctl_t)
@@ -5280,6 +5858,17 @@ diff -b -B --ignore-all-space --exclude-
postgresql_stream_connect(syslogd_t)
')
+@@ -497,6 +502,10 @@
+ ')
+
+ optional_policy(`
++ daemontools_search_svc_dir(syslogd_t)
++')
++
++optional_policy(`
+ udev_read_db(syslogd_t)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1018
retrieving revision 1.1019
diff -u -p -r1.1018 -r1.1019
--- selinux-policy.spec 10 Feb 2010 16:59:52 -0000 1.1018
+++ selinux-policy.spec 11 Feb 2010 19:42:32 -0000 1.1019
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 87%{?dist}
+Release: 88%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
%endif
%changelog
+* Thu Feb 11 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-88
+- Fixes for sandbox
+- Allow quota to set priority of kernel threads
+- Fixes for svirt
+
* Wed Feb 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-87
- Fixes for ipsec policy
- Allow pppd to get attributes of the modem devices
More information about the scm-commits
mailing list