rpms/selinux-policy/devel booleans-targeted.conf, 1.55, 1.56 modules-minimum.conf, 1.47, 1.48 modules-targeted.conf, 1.156, 1.157 policy-F13.patch, 1.34, 1.35 selinux-policy.spec, 1.956, 1.957
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Jan 14 21:49:18 UTC 2010
- Previous message: rpms/389-adminutil/devel .cvsignore, 1.2, 1.3 389-adminutil.spec, 1.3, 1.4 sources, 1.3, 1.4
- Next message: rpms/xorg-x11-server/F-12 xserver-1.7.4-randr-unify-primary-compat.patch, NONE, 1.1 xorg-x11-server.spec, 1.520, 1.521
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/pkgs/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2534
Modified Files:
booleans-targeted.conf modules-minimum.conf
modules-targeted.conf policy-F13.patch selinux-policy.spec
Log Message:
* Thu Jan 7 2010 Dan Walsh <dwalsh at redhat.com> 3.7.7-2
- Turn on puppet policy
- Update to dgrift git policy
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -p -r1.55 -r1.56
--- booleans-targeted.conf 20 Nov 2009 16:31:53 -0000 1.55
+++ booleans-targeted.conf 14 Jan 2010 21:49:18 -0000 1.56
@@ -140,7 +140,11 @@ samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
-squid_connect_any = false
+squid_connect_any = true
+
+# Allow privoxy to connect to all ports, not justHTTP, FTP, and Gopher ports.
+#
+privoxy_connect_any = true
# Support NFS home directories
#
Index: modules-minimum.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.47
retrieving revision 1.48
diff -u -p -r1.47 -r1.48
--- modules-minimum.conf 11 Jan 2010 22:06:54 -0000 1.47
+++ modules-minimum.conf 14 Jan 2010 21:49:18 -0000 1.48
@@ -633,6 +633,12 @@ hddtemp = module
#
policykit = module
+# Layer: services
+# Module: puppet
+#
+# A network tool for managing many disparate systems
+#
+puppet = module
# Layer: apps
# Module: ptchown
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.156
retrieving revision 1.157
diff -u -p -r1.156 -r1.157
--- modules-targeted.conf 9 Jan 2010 14:08:52 -0000 1.156
+++ modules-targeted.conf 14 Jan 2010 21:49:18 -0000 1.157
@@ -633,6 +633,12 @@ hddtemp = module
#
policykit = module
+# Layer: services
+# Module: puppet
+#
+# A network tool for managing many disparate systems
+#
+puppet = module
# Layer: apps
# Module: ptchown
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 2
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/kismet.te | 5
policy/modules/admin/logrotate.te | 28
policy/modules/admin/logwatch.te | 8
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 4
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.fc | 1
policy/modules/admin/prelink.if | 23
policy/modules/admin/prelink.te | 77 +
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 344 ++++++
policy/modules/admin/rpm.te | 98 +
policy/modules/admin/shorewall.fc | 5
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 9
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 64 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 12
policy/modules/admin/usermanage.if | 11
policy/modules/admin/usermanage.te | 35
policy/modules/admin/vbetool.te | 14
policy/modules/admin/vpn.te | 4
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 86 +
policy/modules/apps/chrome.te | 82 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 42
policy/modules/apps/execmem.if | 103 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 62 +
policy/modules/apps/gitosis.if | 45
policy/modules/apps/gnome.fc | 13
policy/modules/apps/gnome.if | 203 +++
policy/modules/apps/gnome.te | 113 +
policy/modules/apps/java.fc | 23
policy/modules/apps/java.if | 113 +
policy/modules/apps/java.te | 18
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 64 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 52
policy/modules/apps/livecd.te | 27
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.fc | 2
policy/modules/apps/mono.if | 101 +
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 2
policy/modules/apps/mozilla.if | 27
policy/modules/apps/mozilla.te | 22
policy/modules/apps/nsplugin.fc | 11
policy/modules/apps/nsplugin.if | 321 +++++
policy/modules/apps/nsplugin.te | 296 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 92 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/podsleuth.te | 2
policy/modules/apps/ptchown.if | 24
policy/modules/apps/pulseaudio.fc | 3
policy/modules/apps/pulseaudio.if | 60 +
policy/modules/apps/pulseaudio.te | 19
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 189 +++
policy/modules/apps/qemu.te | 83 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 61 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 223 +++
policy/modules/apps/sandbox.te | 343 ++++++
policy/modules/apps/screen.if | 1
policy/modules/apps/sectoolm.fc | 6
policy/modules/apps/sectoolm.if | 3
policy/modules/apps/sectoolm.te | 118 ++
policy/modules/apps/seunshare.if | 2
policy/modules/apps/seunshare.te | 3
policy/modules/apps/slocate.te | 1
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 118 ++
policy/modules/apps/wine.te | 50
policy/modules/kernel/corecommands.fc | 33
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.te.in | 46
policy/modules/kernel/devices.fc | 6
policy/modules/kernel/devices.if | 90 +
policy/modules/kernel/devices.te | 12
policy/modules/kernel/domain.if | 174 ++-
policy/modules/kernel/domain.te | 103 +
policy/modules/kernel/files.fc | 9
policy/modules/kernel/files.if | 483 ++++++++
policy/modules/kernel/files.te | 12
policy/modules/kernel/filesystem.if | 232 ++++
policy/modules/kernel/filesystem.te | 8
policy/modules/kernel/kernel.if | 58 +
policy/modules/kernel/kernel.te | 27
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 1
policy/modules/kernel/terminal.if | 27
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 124 --
policy/modules/roles/sysadm.te | 125 --
policy/modules/roles/unconfineduser.fc | 8
policy/modules/roles/unconfineduser.if | 667 +++++++++++
policy/modules/roles/unconfineduser.te | 445 +++++++
policy/modules/roles/unprivuser.te | 127 --
policy/modules/roles/xguest.te | 72 +
policy/modules/services/abrt.fc | 8
policy/modules/services/abrt.if | 139 ++
policy/modules/services/abrt.te | 125 ++
policy/modules/services/afs.fc | 2
policy/modules/services/afs.te | 2
policy/modules/services/aiccu.fc | 5
policy/modules/services/aiccu.if | 119 ++
policy/modules/services/aiccu.te | 41
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 112 +
policy/modules/services/amavis.te | 1
policy/modules/services/apache.fc | 54
policy/modules/services/apache.if | 490 ++++++--
policy/modules/services/apache.te | 469 +++++++-
policy/modules/services/apm.te | 4
policy/modules/services/arpwatch.te | 2
policy/modules/services/asterisk.if | 53
policy/modules/services/asterisk.te | 39
policy/modules/services/automount.te | 2
policy/modules/services/avahi.te | 13
policy/modules/services/bind.if | 61 +
policy/modules/services/bluetooth.te | 1
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.te | 33
policy/modules/services/certmaster.fc | 1
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 +++
policy/modules/services/certmonger.te | 74 +
policy/modules/services/cgroup.fc | 7
policy/modules/services/cgroup.if | 35
policy/modules/services/cgroup.te | 87 +
policy/modules/services/chronyd.fc | 11
policy/modules/services/chronyd.if | 105 +
policy/modules/services/chronyd.te | 67 +
policy/modules/services/clamav.te | 5
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 98 +
policy/modules/services/clogd.te | 62 +
policy/modules/services/cobbler.fc | 9
policy/modules/services/cobbler.if | 186 +++
policy/modules/services/cobbler.te | 127 ++
policy/modules/services/consolekit.fc | 3
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 23
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 +
policy/modules/services/corosync.te | 108 +
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 74 +
policy/modules/services/cron.te | 84 +
policy/modules/services/cups.fc | 14
policy/modules/services/cups.te | 57 -
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 2
policy/modules/services/dbus.if | 53
policy/modules/services/dbus.te | 31
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 90 +
policy/modules/services/denyhosts.te | 72 +
policy/modules/services/devicekit.fc | 3
policy/modules/services/devicekit.if | 20
policy/modules/services/devicekit.te | 77 +
policy/modules/services/dhcp.if | 19
policy/modules/services/dnsmasq.fc | 1
policy/modules/services/dnsmasq.if | 38
policy/modules/services/dnsmasq.te | 19
policy/modules/services/dovecot.fc | 1
policy/modules/services/dovecot.te | 32
policy/modules/services/exim.te | 4
policy/modules/services/fail2ban.if | 58 +
policy/modules/services/fetchmail.te | 1
policy/modules/services/fprintd.te | 2
policy/modules/services/ftp.if | 38
policy/modules/services/ftp.te | 176 ++-
policy/modules/services/git.fc | 15
policy/modules/services/git.if | 536 +++++++++
policy/modules/services/git.te | 178 +++
policy/modules/services/gpsd.te | 2
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 51
policy/modules/services/howl.te | 2
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 3
policy/modules/services/ksmtuned.fc | 5
policy/modules/services/ksmtuned.if | 76 +
policy/modules/services/ksmtuned.te | 44
policy/modules/services/ktalk.te | 1
policy/modules/services/ldap.fc | 2
policy/modules/services/ldap.if | 38
policy/modules/services/lircd.te | 18
policy/modules/services/mailman.fc | 8
policy/modules/services/memcached.te | 2
policy/modules/services/modemmanager.te | 5
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 25
policy/modules/services/mta.te | 15
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 6
policy/modules/services/mysql.if | 38
policy/modules/services/mysql.te | 22
policy/modules/services/nagios.fc | 79 +
policy/modules/services/nagios.if | 126 ++
policy/modules/services/nagios.te | 195 ++-
policy/modules/services/networkmanager.fc | 16
policy/modules/services/networkmanager.if | 65 +
policy/modules/services/networkmanager.te | 120 +-
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 23
policy/modules/services/ntop.fc | 1
policy/modules/services/ntop.te | 34
policy/modules/services/ntp.te | 2
policy/modules/services/nut.fc | 16
policy/modules/services/nut.if | 58 +
policy/modules/services/nut.te | 188 +++
policy/modules/services/nx.fc | 10
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/openvpn.te | 7
policy/modules/services/pcscd.if | 38
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 322 +++++
policy/modules/services/plymouth.te | 98 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 67 -
policy/modules/services/portreserve.te | 3
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++
policy/modules/services/postfix.te | 144 ++
policy/modules/services/postgresql.fc | 16
policy/modules/services/postgresql.if | 60 +
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 17
policy/modules/services/prelude.te | 1
policy/modules/services/procmail.te | 12
policy/modules/services/puppet.te | 2
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rdisc.if | 19
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 186 +++
policy/modules/services/rhcs.fc | 22
policy/modules/services/rhcs.if | 367 ++++++
policy/modules/services/rhcs.te | 410 +++++++
policy/modules/services/ricci.te | 31
policy/modules/services/rpc.fc | 4
policy/modules/services/rpc.if | 45
policy/modules/services/rpc.te | 27
policy/modules/services/rsync.fc | 1
policy/modules/services/rsync.if | 38
policy/modules/services/rsync.te | 28
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 4
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 138 ++
policy/modules/services/samba.te | 109 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 19
policy/modules/services/sendmail.te | 17
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 83 +
policy/modules/services/snmp.if | 18
policy/modules/services/snort.te | 9
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 107 +
policy/modules/services/spamassassin.te | 139 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 207 +++
policy/modules/services/ssh.te | 87 +
policy/modules/services/sssd.if | 38
policy/modules/services/sssd.te | 9
policy/modules/services/sysstat.te | 5
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.if | 38
policy/modules/services/tgtd.if | 17
policy/modules/services/tor.te | 13
policy/modules/services/tuned.te | 1
policy/modules/services/uucp.te | 5
policy/modules/services/vhostmd.fc | 6
policy/modules/services/vhostmd.if | 228 ++++
policy/modules/services/vhostmd.te | 84 +
policy/modules/services/virt.fc | 17
policy/modules/services/virt.if | 210 +++
policy/modules/services/virt.te | 297 ++++-
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 49
policy/modules/services/xserver.if | 362 ++++++
policy/modules/services/xserver.te | 366 +++++-
policy/modules/services/zebra.if | 20
policy/modules/system/application.te | 7
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 210 +++
policy/modules/system/authlogin.te | 11
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 5
policy/modules/system/getty.te | 7
policy/modules/system/hotplug.te | 4
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 164 ++
policy/modules/system/init.te | 304 ++++-
policy/modules/system/ipsec.fc | 4
policy/modules/system/ipsec.if | 65 -
policy/modules/system/ipsec.te | 29
policy/modules/system/iptables.fc | 9
policy/modules/system/iptables.te | 15
policy/modules/system/iscsi.fc | 4
policy/modules/system/iscsi.te | 14
policy/modules/system/libraries.fc | 218 +++
policy/modules/system/libraries.if | 5
policy/modules/system/libraries.te | 18
policy/modules/system/locallogin.te | 30
policy/modules/system/logging.fc | 12
policy/modules/system/logging.if | 20
policy/modules/system/logging.te | 38
policy/modules/system/lvm.te | 10
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 52
policy/modules/system/miscfiles.te | 3
policy/modules/system/modutils.te | 20
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 59 +
policy/modules/system/mount.te | 91 +
policy/modules/system/raid.te | 2
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 309 +++++
policy/modules/system/selinuxutil.te | 230 +---
policy/modules/system/sysnetwork.fc | 14
policy/modules/system/sysnetwork.if | 116 +-
policy/modules/system/sysnetwork.te | 79 +
policy/modules/system/udev.if | 1
policy/modules/system/udev.te | 12
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 445 -------
policy/modules/system/unconfined.te | 224 ---
policy/modules/system/userdomain.fc | 9
policy/modules/system/userdomain.if | 1696 +++++++++++++++++++++++-------
policy/modules/system/userdomain.te | 51
policy/modules/system/xen.if | 19
policy/modules/system/xen.te | 19
policy/support/obj_perm_sets.spt | 25
policy/users | 17
379 files changed, 21066 insertions(+), 2765 deletions(-)
View full diff with command:
/usr/bin/cvs -n -f diff -kk -u -p -N -r 1.34 -r 1.35 policy-F13.patchIndex: policy-F13.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/policy-F13.patch,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -p -r1.34 -r1.35
--- policy-F13.patch 11 Jan 2010 22:06:54 -0000 1.34
+++ policy-F13.patch 14 Jan 2010 21:49:18 -0000 1.35
@@ -7601,7 +7601,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.7/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/kernel/filesystem.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/kernel/filesystem.te 2010-01-14 15:44:55.000000000 -0500
@@ -29,6 +29,7 @@
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
@@ -9798,7 +9798,16 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.7/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/roles/xguest.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/roles/xguest.te 2010-01-14 13:49:32.000000000 -0500
+@@ -15,7 +15,7 @@
+
+ ## <desc>
+ ## <p>
+-## Allow xguest to configure Network Manager
++## Allow xguest to configure Network Manager and connect to apache ports
+ ## </p>
+ ## </desc>
+ gen_tunable(xguest_connect_network, true)
@@ -30,11 +30,29 @@
role xguest_r;
@@ -10092,7 +10101,7 @@ diff --exclude-from=exclude -N -u -r nsa
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.7/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/abrt.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/abrt.te 2010-01-14 16:10:21.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -14895,7 +14904,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.7/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/cups.fc 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/cups.fc 2010-01-14 09:44:37.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -14944,7 +14953,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.7/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/cups.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/cups.te 2010-01-14 09:43:53.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -16180,10 +16189,58 @@ diff --exclude-from=exclude -N -u -r nsa
+ policykit_dbus_chat_auth(fprintd_t)
')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.7/policy/modules/services/ftp.if
+--- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.7/policy/modules/services/ftp.if 2010-01-14 14:06:25.000000000 -0500
+@@ -115,6 +115,44 @@
+ role $2 types ftpdctl_t;
+ ')
+
++#######################################
++## <summary>
++## Allow domain dyntransition to sftpd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ftp_dyntransition_sftpd',`
++ gen_require(`
++ type sftpd_t;
++ ')
++
++ allow $1 sftpd_t:process dyntransition;
++ allow sftpd_t $1:process sigchld;
++')
++
++#######################################
++## <summary>
++## Allow domain dyntransition to sftpd_anon domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ftp_dyntransition_sftpd_anon',`
++ gen_require(`
++ type sftpd_anon_t;
++ ')
++
++ allow $1 sftpd_anon_t:process dyntransition;
++ allow sftpd_anon_t $1:process sigchld;
++')
++
+ ########################################
+ ## <summary>
+ ## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.7/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/ftp.te 2010-01-11 09:53:58.000000000 -0500
-@@ -41,6 +41,13 @@
++++ serefpolicy-3.7.7/policy/modules/services/ftp.te 2010-01-14 16:27:16.000000000 -0500
+@@ -41,11 +41,51 @@
## <desc>
## <p>
@@ -16197,7 +16254,45 @@ diff --exclude-from=exclude -N -u -r nsa
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
-@@ -78,12 +85,20 @@
+ gen_tunable(ftp_home_dir, false)
+
++## <desc>
++## <p>
++## Allow anon internal-sftp to upload files, used for
++## public file transfer services. Directories must be labeled
++## public_content_rw_t.
++## </p>
++## </desc>
++gen_tunable(sftpd_anon_write, false)
++
++## <desc>
++## <p>
++## Allow sftp-internal to login to local users and
++## read/write all files on the system, governed by DAC.
++## </p>
++## </desc>
++gen_tunable(sftpd_full_access, false)
++
++## <desc>
++## <p>
++## Allow interlnal-sftp to read and write files
++## in the user ssh home directories.
++## </p>
++## </desc>
++gen_tunable(sftpd_write_ssh_home, false)
++
++## <desc>
++## <p>
++## Allow sftp-internal to read and write files
++## in the user home directories
++## </p>
++## </desc>
++gen_tunable(sftpd_enable_homedirs, false)
++
+ type ftpd_t;
+ type ftpd_exec_t;
+ init_daemon_domain(ftpd_t, ftpd_exec_t)
+@@ -78,12 +118,28 @@
type xferlog_t;
logging_log_file(xferlog_t)
@@ -16209,6 +16304,14 @@ diff --exclude-from=exclude -N -u -r nsa
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
+')
+
++type sftpd_t;
++domain_type(sftpd_t)
++role system_r types sftpd_t;
++
++type sftpd_anon_t;
++domain_type(sftpd_anon_t)
++role system_r types sftpd_anon_t;
++
########################################
#
# ftpd local policy
@@ -16219,7 +16322,7 @@ diff --exclude-from=exclude -N -u -r nsa
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process signal_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
-@@ -92,6 +107,8 @@
+@@ -92,6 +148,8 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
@@ -16228,7 +16331,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow ftpd_t ftpd_etc_t:file read_file_perms;
-@@ -121,8 +138,7 @@
+@@ -121,8 +179,7 @@
[...1793 lines suppressed...]
+ init_use_script_ptys(load_policy_t)
++init_write_script_pipes(load_policy_t)
+
+ miscfiles_read_localization(load_policy_t)
+
+@@ -191,15 +205,6 @@
')
')
@@ -31458,7 +31890,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
#
# Newrole local policy
-@@ -217,7 +221,7 @@
+@@ -217,7 +222,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -31467,7 +31899,7 @@ diff --exclude-from=exclude -N -u -r nsa
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -270,12 +274,14 @@
+@@ -270,12 +275,14 @@
init_rw_utmp(newrole_t)
init_use_fds(newrole_t)
@@ -31482,7 +31914,7 @@ diff --exclude-from=exclude -N -u -r nsa
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
-@@ -313,6 +319,8 @@
+@@ -313,6 +320,8 @@
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -31491,7 +31923,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
-@@ -336,6 +344,8 @@
+@@ -336,6 +345,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -31500,7 +31932,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -354,7 +364,7 @@
+@@ -354,7 +365,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -31509,7 +31941,7 @@ diff --exclude-from=exclude -N -u -r nsa
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -383,7 +393,6 @@
+@@ -383,7 +394,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -31517,7 +31949,7 @@ diff --exclude-from=exclude -N -u -r nsa
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -406,6 +415,10 @@
+@@ -406,6 +416,10 @@
')
')
@@ -31528,7 +31960,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -421,61 +434,22 @@
+@@ -421,61 +435,22 @@
# semodule local policy
#
@@ -31598,7 +32030,7 @@ diff --exclude-from=exclude -N -u -r nsa
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -484,12 +458,23 @@
+@@ -484,12 +459,23 @@
files_read_var_lib_symlinks(semanage_t)
')
@@ -31622,7 +32054,7 @@ diff --exclude-from=exclude -N -u -r nsa
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -499,111 +484,43 @@
+@@ -499,111 +485,43 @@
userdom_read_user_tmp_files(semanage_t)
')
@@ -32288,7 +32720,7 @@ diff --exclude-from=exclude -N -u -r nsa
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.7/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/system/unconfined.if 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/unconfined.if 2010-01-13 14:39:35.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -32360,7 +32792,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -111,16 +123,16 @@
+@@ -111,16 +123,15 @@
## </param>
#
interface(`unconfined_domain',`
@@ -32373,7 +32805,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`allow_execheap',`
auditallow $1 self:process execheap;
')
-
+-
-# Turn off this audit for FC5
-# tunable_policy(`allow_execmem',`
-# auditallow $1 self:process execmem;
@@ -32381,7 +32813,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -173,411 +185,3 @@
+@@ -173,411 +184,3 @@
refpolicywarn(`$0($1) has been deprecated.')
')
@@ -33027,12 +33459,13 @@ diff --exclude-from=exclude -N -u -r nsa
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.7/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/system/userdomain.fc 2010-01-11 09:53:58.000000000 -0500
-@@ -1,4 +1,10 @@
++++ serefpolicy-3.7.7/policy/modules/system/userdomain.fc 2010-01-14 09:22:34.000000000 -0500
+@@ -1,4 +1,11 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
-
++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
@@ -35549,7 +35982,7 @@ diff --exclude-from=exclude -N -u -r nsa
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.7/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/system/xen.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/xen.te 2010-01-12 10:27:16.000000000 -0500
@@ -85,6 +85,7 @@
type xenconsoled_t;
type xenconsoled_exec_t;
@@ -35602,7 +36035,7 @@ diff --exclude-from=exclude -N -u -r nsa
storage_raw_read_fixed_disk(xenstored_t)
storage_raw_write_fixed_disk(xenstored_t)
storage_raw_read_removable_device(xenstored_t)
-@@ -421,6 +431,12 @@
+@@ -421,7 +431,14 @@
xen_stream_connect_xenstore(xm_t)
optional_policy(`
@@ -35613,9 +36046,11 @@ diff --exclude-from=exclude -N -u -r nsa
+
+optional_policy(`
virt_manage_images(xm_t)
++ virt_manage_config(xm_t)
virt_stream_connect(xm_t)
')
-@@ -438,6 +454,8 @@
+
+@@ -438,6 +455,8 @@
fs_manage_xenfs_dirs(xm_ssh_t)
fs_manage_xenfs_files(xm_ssh_t)
@@ -35626,7 +36061,16 @@ diff --exclude-from=exclude -N -u -r nsa
files_search_mnt(xend_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.7/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.7/policy/support/obj_perm_sets.spt 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/support/obj_perm_sets.spt 2010-01-14 09:16:41.000000000 -0500
+@@ -28,7 +28,7 @@
+ #
+ # All socket classes.
+ #
+-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
++define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+
+
+ #
@@ -199,12 +199,14 @@
#
define(`getattr_file_perms',`{ getattr }')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.956
retrieving revision 1.957
diff -u -p -r1.956 -r1.957
--- selinux-policy.spec 11 Jan 2010 22:06:55 -0000 1.956
+++ selinux-policy.spec 14 Jan 2010 21:49:18 -0000 1.957
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.7
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -455,6 +455,10 @@ exit 0
%endif
%changelog
+* Thu Jan 7 2010 Dan Walsh <dwalsh at redhat.com> 3.7.7-2
+- Turn on puppet policy
+- Update to dgrift git policy
+
* Mon Jan 7 2010 Dan Walsh <dwalsh at redhat.com> 3.7.7-1
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
- Previous message: rpms/389-adminutil/devel .cvsignore, 1.2, 1.3 389-adminutil.spec, 1.3, 1.4 sources, 1.3, 1.4
- Next message: rpms/xorg-x11-server/F-12 xserver-1.7.4-randr-unify-primary-compat.patch, NONE, 1.1 xorg-x11-server.spec, 1.520, 1.521
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list