rpms/selinux-policy/F-12 policy-20100106.patch, 1.2, 1.3 selinux-policy.spec, 1.992, 1.993
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jan 11 11:43:44 UTC 2010
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5203
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Fixes for iscsid
policy-20100106.patch:
kernel/devices.fc | 2 ++
kernel/devices.if | 18 ++++++++++++++++++
kernel/devices.te | 6 ++++++
services/abrt.te | 1 +
services/apache.if | 3 +++
services/apcupsd.te | 2 +-
services/cups.te | 1 +
services/dovecot.te | 6 ++++++
services/fail2ban.if | 18 ++++++++++++++++++
services/nagios.fc | 37 +++++++++++++++++++++++++++++++++++--
services/nagios.te | 4 ++++
services/postfix.te | 5 ++++-
services/samba.te | 5 +++++
services/sendmail.te | 2 ++
services/snmp.te | 2 +-
services/spamassassin.if | 18 ++++++++++++++++++
services/virt.te | 2 ++
services/xserver.fc | 4 ++++
services/xserver.te | 2 ++
system/iscsi.fc | 2 ++
system/iscsi.te | 4 ++++
system/libraries.fc | 6 ++++++
system/miscfiles.if | 19 +++++++++++++++++++
system/unconfined.if | 2 ++
system/userdomain.fc | 1 +
system/xen.te | 6 ++++++
26 files changed, 173 insertions(+), 5 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- policy-20100106.patch 8 Jan 2010 20:06:51 -0000 1.2
+++ policy-20100106.patch 11 Jan 2010 11:43:43 -0000 1.3
@@ -1,3 +1,59 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-09 20:39:30.000000000 +0100
+@@ -162,6 +162,8 @@
+ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+
++/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
++
+ /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
+ /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-09 20:40:52.000000000 +0100
+@@ -3833,6 +3833,24 @@
+ write_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
++#####################################
++## <summary>
++## Read or write userio device.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_userio_dev',`
++ gen_require(`
++ type device_t, userio_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, userio_device_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write VMWare devices.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-09 20:38:38.000000000 +0100
+@@ -233,6 +233,12 @@
+ type usb_device_t;
+ dev_node(usb_device_t)
+
++#
++# userio_device_t is the type for /dev/uio[0-9]+
++#
++type userio_device_t;
++dev_node(userio_device_t)
++
+ type v4l_device_t;
+ dev_node(v4l_device_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-08 14:42:10.000000000 +0100
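Review bot: The summary of the new `dev_rw_userio_dev` interface in devices.if, "Read or write userio device", understates what it grants: UIO nodes expose device memory and interrupts to user space, so read/write on `userio_device_t` is close to direct hardware access for the calling domain. I would say so in the interface documentation, e.g. `## Read and write userio (UIO) devices, which expose device memory and interrupts to user space.`, so that later callers of the interface are chosen deliberately. The banner line above the summary is also shorter than the `########################################` used by the neighbouring interface.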
@@ -11,12 +67,12 @@ diff -b -B --ignore-all-space --exclude-
dev_dontaudit_read_memory_dev(abrt_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-06 15:16:37.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-10 20:47:24.000000000 +0100
@@ -16,6 +16,7 @@
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
-+ type httpd_sys_content_t;
++ type httpd_sys_content_t;
')
#This type is for webpages
type httpd_$1_content_t;
@@ -54,7 +110,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-08 14:24:25.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-10 20:48:24.000000000 +0100
@@ -276,7 +276,11 @@
mta_manage_spool(dovecot_deliver_t)
')
@@ -62,8 +118,8 @@ diff -b -B --ignore-all-space --exclude-
+
+
tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(dovecot_deliver_t)
-+ fs_manage_nfs_dirs(dovecot_t)
++ fs_manage_nfs_dirs(dovecot_deliver_t)
++ fs_manage_nfs_dirs(dovecot_t)
fs_manage_nfs_files(dovecot_deliver_t)
fs_manage_nfs_symlinks(dovecot_deliver_t)
fs_manage_nfs_files(dovecot_t)
@@ -71,8 +127,8 @@ diff -b -B --ignore-all-space --exclude-
')
tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(dovecot_deliver_t)
-+ fs_manage_cifs_dirs(dovecot_t)
++ fs_manage_cifs_dirs(dovecot_deliver_t)
++ fs_manage_cifs_dirs(dovecot_t)
fs_manage_cifs_files(dovecot_deliver_t)
fs_manage_cifs_symlinks(dovecot_deliver_t)
fs_manage_cifs_files(dovecot_t)
@@ -106,79 +162,79 @@ diff -b -B --ignore-all-space --exclude-
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-08 15:00:18.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-11 12:00:51.000000000 +0100
@@ -27,26 +27,59 @@
# check disk plugins
/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
# system plugins
-/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
# services plugins
/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-08 15:01:28.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-11 11:32:18.000000000 +0100
@@ -118,6 +118,10 @@
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
+# neede by rpcinfo
-+corenet_dontaudit_tcp_bind_all_ports(nagios_t)
-+corenet_dontaudit_udp_bind_all_ports(nagios_t)
++corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
+
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
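Review bot: The comment above the two `corenet_dontaudit_*_bind_all_reserved_ports(nagios_t)` rules in nagios.te reads `# neede by rpcinfo`, which is misspelled and suggests the rules grant something. They are dontaudit rules, so the bind is still denied and only the AVC record is suppressed. I would reword the comment to something like `# rpcinfo (presumably) tries to bind a reserved port; the denial is expected, do not audit it`. Narrowing the rules from all ports to reserved ports keeps denied binds on other ports visible in the audit log, and the denials that remain suppressed can be made visible again with `semodule -DB` when investigating nagios_t.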
@@ -345,6 +401,40 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
+--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-09 20:37:29.000000000 +0100
+@@ -1,3 +1,5 @@
++
++/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+ /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+ /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te
+--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-01-09 20:37:11.000000000 +0100
+@@ -35,10 +35,13 @@
+ allow iscsid_t self:unix_dgram_socket create_socket_perms;
+ allow iscsid_t self:sem create_sem_perms;
+ allow iscsid_t self:shm create_shm_perms;
++allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow iscsid_t self:netlink_socket create_socket_perms;
+ allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow iscsid_t self:tcp_socket create_stream_socket_perms;
+
++can_exec(iscsid_t, iscsid_exec_t)
++
+ manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+ files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
+
+@@ -67,6 +70,7 @@
+ corenet_tcp_connect_isns_port(iscsid_t)
+
+ dev_rw_sysfs(iscsid_t)
++dev_rw_userio_dev(iscsid_t)
+
+ domain_use_interactive_fds(iscsid_t)
+ domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-08 20:06:50.000000000 +0100
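Review bot: Labelling `/sbin/brcm_iscsiuio` as `iscsid_exec_t` in iscsi.fc, together with `can_exec(iscsid_t, iscsid_exec_t)` and `dev_rw_userio_dev(iscsid_t)` in iscsi.te, keeps the helper and iscsid in one domain, so the daemon holding the network permissions visible in the context lines (`tcp_socket`, `corenet_tcp_connect_isns_port`) also gains read/write on every node labelled `userio_device_t`. If only the helper needs the UIO device, a separate domain for it with a transition from iscsid_t would keep hardware access away from the network-facing process; whether that split is practical cannot be judged from this hunk alone. At minimum I would record the reason next to the new rules, e.g. `# brcm_iscsiuio shares iscsid_t and needs rw access to /dev/uio*`. The added `netlink_kobject_uevent_socket` rule has no comment either, and a short note on which binary opens that socket would help later audits of iscsid_t.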
@@ -419,8 +509,8 @@ diff -b -B --ignore-all-space --exclude-
HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-08 14:14:45.000000000 +0100
-@@ -248,10 +248,11 @@
++++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-09 20:35:37.000000000 +0100
+@@ -248,6 +248,7 @@
#
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
@@ -428,11 +518,6 @@ diff -b -B --ignore-all-space --exclude-
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
--allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
-+allow xenconsoled_t xen_devpts_t:chr_file manage_term_perms;
-
- # pid file
- manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
@@ -268,6 +269,7 @@
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
@@ -452,15 +537,3 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Xen store local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-08 20:35:13.000000000 +0100
-@@ -310,7 +310,7 @@
- #
- define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
- define(`rw_term_perms', `{ open rw_inherited_term_perms }')
--
-+define(`manage_term_perms',`{ create open setattr rename link unlink rw_inherited_term_perms }')
- #
- # Sockets
- #
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.992
retrieving revision 1.993
diff -u -p -r1.992 -r1.993
--- selinux-policy.spec 8 Jan 2010 20:06:51 -0000 1.992
+++ selinux-policy.spec 11 Jan 2010 11:43:43 -0000 1.993
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 68%{?dist}
+Release: 69%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -451,6 +451,9 @@ exit 0
%endif
%changelog
+* Mon Jan 11 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-69
+- Fixes for iscsid
+
* Fri Jan 8 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-68
- Fixes for xenconsoled
- Allow xauth to connectto xserver_t unix_stream_socket