rpms/selinux-policy/F-12 policy-20100106.patch, 1.7, 1.8 selinux-policy.spec, 1.996, 1.997

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jan 19 11:39:00 UTC 2010


Author: mgrepl

Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26495

Modified Files:
	policy-20100106.patch selinux-policy.spec 
Log Message:
- Fixes for memcached from Dan Walsh
- Allow podsleuth to read user tmpfs files
- Allow tftpd to read system state information in proc



policy-20100106.patch:
 modules/apps/gpg.fc              |    2 
 modules/apps/mozilla.fc          |    1 
 modules/apps/podsleuth.te        |    1 
 modules/apps/sandbox.if          |   46 +++++++++++++--
 modules/apps/sandbox.te          |   29 +++++----
 modules/apps/wine.if             |    4 +
 modules/apps/wine.te             |   14 ++++
 modules/kernel/corenetwork.te.in |    4 -
 modules/kernel/devices.fc        |    2 
 modules/kernel/devices.if        |   18 ++++++
 modules/kernel/devices.te        |    6 ++
 modules/roles/unconfineduser.fc  |    2 
 modules/roles/unconfineduser.te  |    2 
 modules/roles/xguest.te          |    2 
 modules/services/abrt.te         |    1 
 modules/services/apache.if       |    3 +
 modules/services/apache.te       |    2 
 modules/services/apcupsd.te      |    2 
 modules/services/avahi.fc        |    2 
 modules/services/cups.te         |    1 
 modules/services/dovecot.te      |    4 +
 modules/services/fail2ban.if     |   18 ++++++
 modules/services/ftp.if          |   37 ++++++++++++
 modules/services/ftp.te          |  114 +++++++++++++++++++++++++++++++++++++++
 modules/services/git.te          |    2 
 modules/services/memcached.te    |   14 +++-
 modules/services/nagios.fc       |   40 +++++++++++++
 modules/services/nagios.te       |    3 +
 modules/services/openvpn.te      |    1 
 modules/services/postfix.te      |    5 +
 modules/services/samba.te        |    5 +
 modules/services/sendmail.te     |    2 
 modules/services/snmp.te         |    2 
 modules/services/spamassassin.if |   18 ++++++
 modules/services/ssh.te          |   80 +--------------------------
 modules/services/sssd.if         |   19 ++++++
 modules/services/tftp.te         |    1 
 modules/services/virt.te         |    4 +
 modules/services/xserver.fc      |    4 +
 modules/services/xserver.te      |    2 
 modules/system/hotplug.te        |    4 +
 modules/system/init.te           |    5 +
 modules/system/iscsi.fc          |    2 
 modules/system/iscsi.te          |    4 +
 modules/system/libraries.fc      |    7 ++
 modules/system/miscfiles.if      |   19 ++++++
 modules/system/mount.te          |    1 
 modules/system/selinuxutil.te    |    1 
 modules/system/unconfined.if     |    2 
 modules/system/userdomain.fc     |    1 
 modules/system/userdomain.if     |   18 ++++++
 modules/system/xen.te            |    6 ++
 support/obj_perm_sets.spt        |    2 
 users                            |    2 
 54 files changed, 481 insertions(+), 112 deletions(-)

Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- policy-20100106.patch	15 Jan 2010 17:09:02 -0000	1.7
+++ policy-20100106.patch	19 Jan 2010 11:38:59 -0000	1.8
@@ -1,6 +1,17 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.32/policy/modules/apps/gpg.fc
+--- nsaserefpolicy/policy/modules/apps/gpg.fc	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/apps/gpg.fc	2010-01-19 12:03:52.541857693 +0100
+@@ -1,5 +1,7 @@
+ HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
+ 
++/root/\.gnupg(/.+)?  gen_context(system_u:object_r:gpg_secret_t,s0)
++
+ /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+ /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+ /usr/bin/kgpg		--	gen_context(system_u:object_r:gpg_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc
---- nsaserefpolicy/policy/modules/apps/mozilla.fc	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc	2010-01-11 18:21:26.000000000 +0100
+--- nsaserefpolicy/policy/modules/apps/mozilla.fc	2010-01-18 18:24:22.616539953 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc	2010-01-18 18:27:02.741544960 +0100
 @@ -11,6 +11,7 @@
  /usr/bin/netscape		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -9,9 +20,20 @@ diff -b -B --ignore-all-space --exclude-
  /usr/bin/epiphany-bin		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te
+--- nsaserefpolicy/policy/modules/apps/podsleuth.te	2010-01-18 18:24:22.631540185 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te	2010-01-19 11:53:14.080857057 +0100
+@@ -73,6 +73,7 @@
+ 
+ sysnet_dns_name_resolve(podsleuth_t)
+ 
++userdom_read_user_tmpfs_files(podsleuth_t)
+ userdom_signal_unpriv_users(podsleuth_t)
+ 
+ optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
---- nsaserefpolicy/policy/modules/apps/sandbox.if	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if	2010-01-11 13:38:03.000000000 +0100
+--- nsaserefpolicy/policy/modules/apps/sandbox.if	2010-01-18 18:24:22.648539903 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if	2010-01-18 18:27:02.742545576 +0100
 @@ -45,9 +45,10 @@
  	allow sandbox_x_domain $1:process { sigchld signal };
  	allow sandbox_x_domain sandbox_x_domain:process signal;
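Review bot: `userdom_read_user_tmpfs_files(podsleuth_t)` in the podsleuth.te section is added with no comment, and judging by the interface name it lets podsleuth_t read every file carrying the user tmpfs label, not only the object that caused the denial. A one-line comment above it, for example `# podsleuth is handed a user tmpfs file by its caller (AVC/bug reference: <placeholder>)`, would let a later reviewer decide whether the grant can be narrowed. Whether a dontaudit rule would have been enough cannot be judged from this hunk; the log message only says the access is now allowed.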
@@ -88,8 +110,8 @@ diff -b -B --ignore-all-space --exclude-
 +	delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
---- nsaserefpolicy/policy/modules/apps/sandbox.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te	2010-01-11 13:38:03.000000000 +0100
+--- nsaserefpolicy/policy/modules/apps/sandbox.te	2010-01-18 18:24:22.649539960 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te	2010-01-18 18:27:02.743530757 +0100
 @@ -10,14 +10,15 @@
  #
  
@@ -187,8 +209,8 @@ diff -b -B --ignore-all-space --exclude-
  dbus_system_bus_client(sandbox_net_client_t)
  dbus_read_config(sandbox_net_client_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if
---- nsaserefpolicy/policy/modules/apps/wine.if	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/wine.if	2010-01-11 16:01:58.000000000 +0100
+--- nsaserefpolicy/policy/modules/apps/wine.if	2010-01-18 18:24:22.657540000 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/wine.if	2010-01-18 18:27:02.744541291 +0100
 @@ -143,6 +143,10 @@
  	userdom_unpriv_usertype($1, $1_wine_t)
  	userdom_manage_tmpfs_role($2, $1_wine_t)
@@ -201,8 +223,8 @@ diff -b -B --ignore-all-space --exclude-
  	tunable_policy(`mmap_low_allowed',`
  		domain_mmap_low($1_wine_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te
---- nsaserefpolicy/policy/modules/apps/wine.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/wine.te	2010-01-11 16:01:03.000000000 +0100
+--- nsaserefpolicy/policy/modules/apps/wine.te	2010-01-18 18:24:22.664530344 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/wine.te	2010-01-18 18:27:02.745530942 +0100
 @@ -6,6 +6,15 @@
  # Declarations
  #
@@ -231,9 +253,23 @@ diff -b -B --ignore-all-space --exclude-
  domain_mmap_low_type(wine_t)
  tunable_policy(`mmap_low_allowed',`
  	domain_mmap_low(wine_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-01-18 18:24:22.668540002 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in	2010-01-19 12:10:56.565608631 +0100
+@@ -92,8 +92,8 @@
+ network_port(dbskkd, tcp,1178,s0)
+ network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dccm, tcp,5679,s0, udp,5679,s0)
+-network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0)
+-network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
++network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
++network_port(dhcpd, udp,67,s0, udp,547,s0, tcp,547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
+ network_port(dict, tcp,2628,s0)
+ network_port(distccd, tcp,3632,s0)
+ network_port(dns, udp,53,s0, tcp,53,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
---- nsaserefpolicy/policy/modules/kernel/devices.fc	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc	2010-01-09 20:39:30.000000000 +0100
+--- nsaserefpolicy/policy/modules/kernel/devices.fc	2010-01-18 18:24:22.670530409 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc	2010-01-18 18:27:02.746530790 +0100
 @@ -162,6 +162,8 @@
  /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
  /dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
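Review bot: The corenetwork.te.in section moves udp/tcp 547 from the `dhcpc` port definition to `dhcpd`, but the log message does not mention it and the lines carry no comment. Because the port type for 547 changes, every rule written against the dhcpc or dhcpd port types now covers a different set of ports; any domain that reached 547 through the dhcpc type should be checked. The split matches the DHCPv6 assignments (546 client, 547 server/relay), and a comment such as `# DHCPv6: 546 = client, 547 = server/relay agent` above the two lines would make that intent visible. The new lines also keep the inconsistent `tcp, 546` / `tcp, 548` spacing, which could be normalised to `tcp,546` while the lines are being touched.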
@@ -244,8 +280,8 @@ diff -b -B --ignore-all-space --exclude-
  /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if	2010-01-09 20:40:52.000000000 +0100
+--- nsaserefpolicy/policy/modules/kernel/devices.if	2010-01-18 18:24:22.673530022 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if	2010-01-18 18:27:02.749530752 +0100
 @@ -3833,6 +3833,24 @@
  	write_chr_files_pattern($1, device_t, v4l_device_t)
  ')
@@ -272,8 +308,8 @@ diff -b -B --ignore-all-space --exclude-
  ## <summary>
  ##	Read and write VMWare devices.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
---- nsaserefpolicy/policy/modules/kernel/devices.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te	2010-01-09 20:38:38.000000000 +0100
+--- nsaserefpolicy/policy/modules/kernel/devices.te	2010-01-18 18:24:22.675530137 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te	2010-01-18 18:27:02.751530797 +0100
 @@ -233,6 +233,12 @@
  type usb_device_t;
  dev_node(usb_device_t)
@@ -288,8 +324,8 @@ diff -b -B --ignore-all-space --exclude-
  dev_node(v4l_device_t)
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
---- nsaserefpolicy/policy/modules/roles/unconfineduser.fc	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc	2010-01-12 13:41:16.000000000 +0100
+--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc	2010-01-18 18:24:22.720530134 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc	2010-01-18 18:27:02.752530994 +0100
 @@ -2,7 +2,7 @@
  # e.g.:
  # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -300,8 +336,8 @@ diff -b -B --ignore-all-space --exclude-
  /usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
---- nsaserefpolicy/policy/modules/roles/unconfineduser.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2010-01-12 13:42:23.000000000 +0100
+--- nsaserefpolicy/policy/modules/roles/unconfineduser.te	2010-01-18 18:24:22.722530039 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2010-01-18 18:27:02.753530981 +0100
 @@ -39,6 +39,8 @@
  type unconfined_exec_t;
  init_system_domain(unconfined_t, unconfined_exec_t)
@@ -312,8 +348,8 @@ diff -b -B --ignore-all-space --exclude-
  domain_user_exemption_target(unconfined_t)
  allow system_r unconfined_r;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
---- nsaserefpolicy/policy/modules/roles/xguest.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te	2010-01-14 20:12:41.000000000 +0100
+--- nsaserefpolicy/policy/modules/roles/xguest.te	2010-01-18 18:24:22.724546986 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te	2010-01-18 18:27:02.754531109 +0100
 @@ -15,7 +15,7 @@
  
  ## <desc>
@@ -324,8 +360,8 @@ diff -b -B --ignore-all-space --exclude-
  ## </desc>
  gen_tunable(xguest_connect_network, true)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
---- nsaserefpolicy/policy/modules/services/abrt.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2010-01-08 14:42:10.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/abrt.te	2010-01-18 18:24:22.727540243 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2010-01-18 18:27:02.754531109 +0100
 @@ -96,6 +96,7 @@
  corenet_tcp_connect_ftp_port(abrt_t)
  corenet_tcp_connect_all_ports(abrt_t)
@@ -335,8 +371,8 @@ diff -b -B --ignore-all-space --exclude-
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_memory_dev(abrt_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
---- nsaserefpolicy/policy/modules/services/apache.if	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.if	2010-01-10 20:47:24.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/apache.if	2010-01-18 18:24:22.736530563 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.if	2010-01-18 18:27:02.756530665 +0100
 @@ -16,6 +16,7 @@
  		attribute httpd_exec_scripts;
  		attribute httpd_script_exec_type;
@@ -354,9 +390,21 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	tunable_policy(`httpd_enable_cgi',`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te	2010-01-18 18:24:22.739530246 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.te	2010-01-18 18:30:54.720781297 +0100
+@@ -309,7 +309,7 @@
+ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+-files_var_filetrans(httpd_t, httpd_cache_t, dir)
++files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+ 
+ # Allow the httpd_t to read the web servers config files
+ allow httpd_t httpd_config_t:dir list_dir_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
 --- nsaserefpolicy/policy/modules/services/apcupsd.te	2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te	2010-01-06 13:06:31.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te	2010-01-18 18:27:02.757542944 +0100
 @@ -31,7 +31,7 @@
  #
  
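Review bot: `files_var_filetrans(httpd_t, httpd_cache_t, { file dir })` in the apache.te section widens the type transition from directories to regular files, and neither the log message nor a comment says which file httpd creates directly under a var_t directory. With the `file` class included, any regular file httpd_t creates there is labelled httpd_cache_t and falls under the `manage_files_pattern` rule a few lines above. That is presumably the intent, but it also hides a misplaced file that would otherwise have shown up as a denial. A comment naming the path that needed it, for example `# <path placeholder> is created as a plain file in /var, not in a cache subdirectory`, would make the broader transition reviewable.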
@@ -366,9 +414,18 @@ diff -b -B --ignore-all-space --exclude-
  allow apcupsd_t self:fifo_file rw_file_perms;
  allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
  allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc
+--- nsaserefpolicy/policy/modules/services/avahi.fc	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/avahi.fc	2010-01-19 11:57:43.789607625 +0100
+@@ -6,4 +6,4 @@
+ 
+ /var/run/avahi-daemon(/.*)? 		gen_context(system_u:object_r:avahi_var_run_t,s0)
+ 
+-/usr/lib/avahi-autoipd(/.*)		gen_context(system_u:object_r:avahi_var_lib_t,s0)
++/var/lib/avahi-autoipd(/.*)  	gen_context(system_u:object_r:avahi_var_lib_t,s0)    
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
---- nsaserefpolicy/policy/modules/services/cups.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/cups.te	2010-01-08 20:32:23.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/cups.te	2010-01-18 18:24:22.771540183 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cups.te	2010-01-18 18:27:02.758531199 +0100
 @@ -555,6 +555,7 @@
  logging_send_syslog_msg(cupsd_lpd_t)
  
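Review bot: The corrected avahi.fc entry still ends in `(/.*)` without a trailing `?`, so it matches only paths below /var/lib/avahi-autoipd and not the directory itself. The directory would keep whatever label it gets from its parent rather than avahi_var_lib_t. The /var/run/avahi-daemon entry two lines above uses `(/.*)?`. The new line should read `/var/lib/avahi-autoipd(/.*)?	gen_context(system_u:object_r:avahi_var_lib_t,s0)`, which also drops the trailing whitespace on the added line.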
@@ -378,21 +435,18 @@ diff -b -B --ignore-all-space --exclude-
  cups_stream_connect(cupsd_lpd_t)
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
---- nsaserefpolicy/policy/modules/services/dovecot.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2010-01-10 20:48:24.000000000 +0100
-@@ -276,7 +276,11 @@
- 	mta_manage_spool(dovecot_deliver_t)
+--- nsaserefpolicy/policy/modules/services/dovecot.te	2010-01-18 18:24:22.782530547 +0100
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2010-01-18 18:32:00.705531307 +0100
+@@ -277,6 +277,8 @@
  ')
  
-+
-+
  tunable_policy(`use_nfs_home_dirs',`
 +	fs_manage_nfs_dirs(dovecot_deliver_t)
 +	fs_manage_nfs_dirs(dovecot_t)
  	fs_manage_nfs_files(dovecot_deliver_t)
  	fs_manage_nfs_symlinks(dovecot_deliver_t)
  	fs_manage_nfs_files(dovecot_t)
-@@ -284,6 +288,8 @@
+@@ -284,6 +286,8 @@
  ')
  
  tunable_policy(`use_samba_home_dirs',`
@@ -402,8 +456,8 @@ diff -b -B --ignore-all-space --exclude-
  	fs_manage_cifs_symlinks(dovecot_deliver_t)
  	fs_manage_cifs_files(dovecot_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if
---- nsaserefpolicy/policy/modules/services/fail2ban.if	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if	2010-01-08 16:30:32.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/fail2ban.if	2010-01-18 18:24:22.784531151 +0100
++++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if	2010-01-18 18:27:02.761531161 +0100
 @@ -138,6 +138,24 @@
  	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
  ')
@@ -431,7 +485,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.6.32/policy/modules/services/ftp.if
 --- nsaserefpolicy/policy/modules/services/ftp.if	2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/services/ftp.if	2010-01-15 12:37:45.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ftp.if	2010-01-18 18:27:02.762530869 +0100
 @@ -115,6 +115,43 @@
  	role $2 types ftpdctl_t;
  ')
@@ -477,8 +531,8 @@ diff -b -B --ignore-all-space --exclude-
  ## <summary>
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
---- nsaserefpolicy/policy/modules/services/ftp.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/ftp.te	2010-01-15 12:44:47.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/ftp.te	2010-01-18 18:24:22.787539983 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ftp.te	2010-01-18 18:27:02.763531066 +0100
 @@ -53,6 +53,39 @@
  ## </desc>
  gen_tunable(ftp_home_dir, false)
@@ -612,8 +666,8 @@ diff -b -B --ignore-all-space --exclude-
 +    fs_read_nfs_symlinks(ftpd_t)
 +')   
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te
---- nsaserefpolicy/policy/modules/services/git.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/git.te	2010-01-14 20:34:07.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/git.te	2010-01-18 18:24:22.790540016 +0100
++++ serefpolicy-3.6.32/policy/modules/services/git.te	2010-01-18 18:27:02.764531054 +0100
 @@ -73,7 +73,7 @@
  #
  
@@ -623,9 +677,51 @@ diff -b -B --ignore-all-space --exclude-
  allow gitd_type self:udp_socket create_socket_perms;
  allow gitd_type self:unix_dgram_socket create_socket_perms;
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te
+--- nsaserefpolicy/policy/modules/services/memcached.te	2010-01-18 18:24:22.809536705 +0100
++++ serefpolicy-3.6.32/policy/modules/services/memcached.te	2010-01-19 11:45:44.999857263 +0100
+@@ -1,5 +1,5 @@
+ 
+-policy_module(memcached, 1.1.0)
++policy_module(memcached, 1.1.1)
+ 
+ ########################################
+ #
+@@ -22,9 +22,12 @@
+ #
+ 
+ allow memcached_t self:capability { setuid setgid };
++dontaudit memcached_t self:capability sys_tty_config;
++allow memcached_t self:process { fork setrlimit signal_perms };
+ allow memcached_t self:tcp_socket create_stream_socket_perms;
+ allow memcached_t self:udp_socket { create_socket_perms listen };
+ allow memcached_t self:fifo_file rw_fifo_file_perms;
++allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+ 
+ corenet_all_recvfrom_unlabeled(memcached_t)
+ corenet_udp_sendrecv_generic_if(memcached_t)
+@@ -42,12 +45,15 @@
+ manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+ files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
+ 
+-files_read_etc_files(memcached_t)
+-
++kernel_read_kernel_sysctls(memcached_t)
+ kernel_read_system_state(memcached_t)
+ 
++files_read_etc_files(memcached_t)
++
+ auth_use_nsswitch(memcached_t)
+ 
+ miscfiles_read_localization(memcached_t)
+ 
+-sysnet_dns_name_resolve(memcached_t)
++term_dontaudit_use_all_user_ptys(memcached_t)
++term_dontaudit_use_all_user_ttys(memcached_t)
++term_dontaudit_use_console(memcached_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
---- nsaserefpolicy/policy/modules/services/nagios.fc	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc	2010-01-11 12:37:36.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/nagios.fc	2010-01-18 18:24:22.821530899 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc	2010-01-18 18:27:02.765531460 +0100
 @@ -27,26 +27,62 @@
  
  # check disk plugins
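Review bot: The memcached.te section adds four suppression rules with no comment: `dontaudit memcached_t self:capability sys_tty_config;` and the three `term_dontaudit_use_*` calls at the end. dontaudit keeps these denials out of the audit log, so anyone later investigating memcached will not see the accesses unless dontaudit rules are disabled. A short comment above each group would record that the silence is deliberate, for example `# terminal inherited from the init script; access is denied and intentionally not logged`; that reason is a guess and should be confirmed. Separately, the last inner hunk drops `sysnet_dns_name_resolve(memcached_t)` while keeping `auth_use_nsswitch(memcached_t)`, so name resolution now depends on that interface providing it. That dependency is worth stating in the log message, which says only "Fixes for memcached".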
@@ -692,8 +788,8 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/lib(64)?/nagios/plugins/check_by_ssh		--		gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
---- nsaserefpolicy/policy/modules/services/nagios.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2010-01-11 12:27:10.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/nagios.te	2010-01-18 18:24:22.823530245 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2010-01-18 18:27:02.766531099 +0100
 @@ -118,6 +118,9 @@
  corenet_udp_sendrecv_all_ports(nagios_t)
  corenet_tcp_connect_all_ports(nagios_t)
@@ -705,8 +801,8 @@ diff -b -B --ignore-all-space --exclude-
  dev_read_urand(nagios_t)
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
---- nsaserefpolicy/policy/modules/services/openvpn.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te	2010-01-11 15:49:03.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/openvpn.te	2010-01-18 18:24:22.843530414 +0100
++++ serefpolicy-3.6.32/policy/modules/services/openvpn.te	2010-01-18 18:27:02.767531435 +0100
 @@ -85,6 +85,7 @@
  corenet_udp_bind_generic_node(openvpn_t)
  corenet_tcp_bind_openvpn_port(openvpn_t)
@@ -716,8 +812,8 @@ diff -b -B --ignore-all-space --exclude-
  corenet_tcp_connect_http_port(openvpn_t)
  corenet_tcp_connect_http_cache_port(openvpn_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/postfix.te	2010-01-08 20:27:51.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/postfix.te	2010-01-18 18:24:22.855540671 +0100
++++ serefpolicy-3.6.32/policy/modules/services/postfix.te	2010-01-18 18:27:02.768530934 +0100
 @@ -443,6 +443,7 @@
  
  optional_policy(`
@@ -745,8 +841,8 @@ diff -b -B --ignore-all-space --exclude-
  stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
---- nsaserefpolicy/policy/modules/services/samba.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/samba.te	2010-01-06 13:55:09.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/samba.te	2010-01-18 18:24:22.886540773 +0100
++++ serefpolicy-3.6.32/policy/modules/services/samba.te	2010-01-18 18:27:02.770531119 +0100
 @@ -286,6 +286,8 @@
  
  allow smbd_t winbind_t:process { signal signull };
@@ -774,8 +870,8 @@ diff -b -B --ignore-all-space --exclude-
  
  allow swat_t nmbd_exec_t:file mmap_file_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
---- nsaserefpolicy/policy/modules/services/sendmail.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te	2010-01-08 16:31:13.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/sendmail.te	2010-01-18 18:24:22.889530888 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sendmail.te	2010-01-18 18:27:02.771531176 +0100
 @@ -136,6 +136,8 @@
  
  optional_policy(`
@@ -786,8 +882,8 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
---- nsaserefpolicy/policy/modules/services/snmp.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/snmp.te	2010-01-06 15:41:37.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/snmp.te	2010-01-18 18:24:22.892539860 +0100
++++ serefpolicy-3.6.32/policy/modules/services/snmp.te	2010-01-18 18:27:02.772530814 +0100
 @@ -27,7 +27,7 @@
  #
  allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
@@ -798,8 +894,8 @@ diff -b -B --ignore-all-space --exclude-
  allow snmpd_t self:unix_dgram_socket create_socket_perms;
  allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
---- nsaserefpolicy/policy/modules/services/spamassassin.if	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if	2010-01-06 15:40:10.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/spamassassin.if	2010-01-18 18:24:22.895529974 +0100
++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if	2010-01-18 18:27:02.773531151 +0100
 @@ -267,6 +267,24 @@
  	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
  ')
@@ -826,8 +922,8 @@ diff -b -B --ignore-all-space --exclude-
  ## <summary>
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
---- nsaserefpolicy/policy/modules/services/ssh.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/ssh.te	2010-01-15 12:33:14.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/ssh.te	2010-01-18 18:24:22.899530064 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ssh.te	2010-01-18 18:27:02.774530790 +0100
 @@ -8,31 +8,6 @@
  
  ## <desc>
@@ -934,8 +1030,8 @@ diff -b -B --ignore-all-space --exclude-
 -    fs_manage_cifs_files(sftpd_t)
 -')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
---- nsaserefpolicy/policy/modules/services/sssd.if	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/sssd.if	2010-01-11 13:46:50.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/sssd.if	2010-01-18 18:24:22.901529830 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sssd.if	2010-01-18 18:27:02.775542370 +0100
 @@ -95,6 +95,25 @@
  	files_search_var_lib($1)
  ')
@@ -962,9 +1058,20 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Read sssd lib files.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te
+--- nsaserefpolicy/policy/modules/services/tftp.te	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/tftp.te	2010-01-19 12:02:02.773609654 +0100
+@@ -50,6 +50,7 @@
+ manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
+ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+ 
++kernel_read_system_state(tftpd_t)
+ kernel_read_kernel_sysctls(tftpd_t)
+ kernel_list_proc(tftpd_t)
+ kernel_read_proc_symlinks(tftpd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
---- nsaserefpolicy/policy/modules/services/virt.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te	2010-01-11 13:32:35.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/virt.te	2010-01-18 18:24:22.915540061 +0100
++++ serefpolicy-3.6.32/policy/modules/services/virt.te	2010-01-18 18:27:02.776530834 +0100
 @@ -226,7 +226,7 @@
  sysnet_domtrans_ifconfig(virtd_t)
  sysnet_read_config(virtd_t)
@@ -984,8 +1091,8 @@ diff -b -B --ignore-all-space --exclude-
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
---- nsaserefpolicy/policy/modules/services/xserver.fc	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc	2010-01-08 14:49:31.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/xserver.fc	2010-01-18 18:24:22.917530119 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc	2010-01-18 18:27:02.777542764 +0100
 @@ -65,6 +65,8 @@
  /usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -1012,8 +1119,8 @@ diff -b -B --ignore-all-space --exclude-
  
  /var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
---- nsaserefpolicy/policy/modules/services/xserver.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2010-01-08 14:07:19.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/xserver.te	2010-01-18 18:24:22.923530253 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2010-01-18 18:27:02.779530727 +0100
 @@ -301,6 +301,8 @@
  manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
  files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
@@ -1025,7 +1132,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_rw_xserver_misc(xauth_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te	2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/system/hotplug.te	2010-01-14 20:30:58.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/hotplug.te	2010-01-18 18:27:02.780542727 +0100
 @@ -125,6 +125,10 @@
  ')
  
@@ -1038,8 +1145,8 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te	2010-01-15 12:26:30.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/init.te	2010-01-18 18:24:22.936530091 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.te	2010-01-18 18:27:02.782531248 +0100
 @@ -212,6 +212,10 @@
  ')
  
@@ -1061,7 +1168,7 @@ diff -b -B --ignore-all-space --exclude-
  		# system-config-services causes avc messages that should be dontaudited
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
 --- nsaserefpolicy/policy/modules/system/iscsi.fc	2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc	2010-01-09 20:37:29.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc	2010-01-18 18:27:02.783531305 +0100
 @@ -1,3 +1,5 @@
 +
 +/sbin/brcm_iscsiuio     --  	gen_context(system_u:object_r:iscsid_exec_t,s0)
@@ -1069,8 +1176,8 @@ diff -b -B --ignore-all-space --exclude-
  
  /var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te
---- nsaserefpolicy/policy/modules/system/iscsi.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te	2010-01-09 20:37:11.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/iscsi.te	2010-01-18 18:24:22.943530492 +0100
++++ serefpolicy-3.6.32/policy/modules/system/iscsi.te	2010-01-18 18:27:02.783531305 +0100
 @@ -35,10 +35,13 @@
  allow iscsid_t self:unix_dgram_socket create_socket_perms;
  allow iscsid_t self:sem create_sem_perms;
@@ -1094,8 +1201,8 @@ diff -b -B --ignore-all-space --exclude-
  domain_use_interactive_fds(iscsid_t)
  domain_read_all_domains_state(iscsid_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2010-01-08 20:06:50.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/libraries.fc	2010-01-18 18:24:22.945540594 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2010-01-19 12:16:16.415620342 +0100
 @@ -245,6 +245,7 @@
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
  /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -1104,7 +1211,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  HOME_DIR/.*/plugins/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -433,8 +434,13 @@
+@@ -433,8 +434,14 @@
  /usr/lib(64)?/octagaplayer/libapplication\.so		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  /opt/AutoScan/usr/lib/libvte\.so.*			     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -1118,9 +1225,10 @@ diff -b -B --ignore-all-space --exclude-
 +
 +/usr/lib(64)?/libkmplayercommon\.so.*      --   gen_context(system_u:object_r:textrel_shlib_t,s0)  
 +
++/usr/local/MATHWORKS_R2009B/bin/glnxa64/libtbb.so.*	--   gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
---- nsaserefpolicy/policy/modules/system/miscfiles.if	2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if	2010-01-08 20:32:11.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/miscfiles.if	2010-01-18 18:24:22.955540050 +0100
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if	2010-01-18 18:27:02.787531116 +0100
 @@ -618,3 +618,22 @@
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
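Review bot: The dot in the new `libtbb.so.*` file-context pattern is unescaped, unlike the adjacent `libkmplayercommon\.so.*` and `libvte\.so.*` entries, so it matches any character in that position. The entry should read `/usr/local/MATHWORKS_R2009B/bin/glnxa64/libtbb\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)`. The path also hard-codes one release directory under /usr/local, so a copy installed under another release name or prefix would presumably not receive the label; whether that is intended is not visible here. Because textrel_shlib_t is the type that exempts a library from the text-relocation check, the pattern should be as tight as the use case allows.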
@@ -1145,8 +1253,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 +     
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
---- nsaserefpolicy/policy/modules/system/mount.te	2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/mount.te	2010-01-11 15:53:37.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/mount.te	2010-01-18 18:24:22.961540534 +0100
++++ serefpolicy-3.6.32/policy/modules/system/mount.te	2010-01-18 18:27:02.788530824 +0100
 @@ -181,6 +181,7 @@
  	auth_read_all_dirs_except_shadow(mount_t)
  	auth_read_all_files_except_shadow(mount_t)
@@ -1156,8 +1264,8 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te	2010-01-15 12:28:55.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-01-18 18:24:22.967540599 +0100
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te	2010-01-18 18:27:02.789530951 +0100
 @@ -190,6 +190,7 @@
  
  init_use_script_fds(load_policy_t)
@@ -1167,8 +1275,8 @@ diff -b -B --ignore-all-space --exclude-
  miscfiles_read_localization(load_policy_t)
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
---- nsaserefpolicy/policy/modules/system/unconfined.if	2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if	2010-01-08 16:35:49.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/unconfined.if	2010-01-18 18:24:22.975530582 +0100
++++ serefpolicy-3.6.32/policy/modules/system/unconfined.if	2010-01-18 18:27:02.790542463 +0100
 @@ -21,6 +21,8 @@
  	allow $1 self:capability all_capabilities;
  	allow $1 self:fifo_file manage_fifo_file_perms;
@@ -1179,8 +1287,8 @@ diff -b -B --ignore-all-space --exclude-
  	allow $1 self:process transition;
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
---- nsaserefpolicy/policy/modules/system/userdomain.fc	2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc	2010-01-07 16:46:35.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/userdomain.fc	2010-01-18 18:24:22.977540055 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc	2010-01-18 18:27:02.791532114 +0100
 @@ -6,4 +6,5 @@
  /dev/shm/pulse-shm.*	gen_context(system_u:object_r:user_tmpfs_t,s0)
  /dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
@@ -1188,8 +1296,8 @@ diff -b -B --ignore-all-space --exclude-
 +HOME_DIR/\.pki(/.*)?    gen_context(system_u:object_r:home_cert_t,s0)
  HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if	2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2010-01-11 13:53:41.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/userdomain.if	2010-01-18 18:24:22.983531669 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2010-01-18 18:27:02.794530889 +0100
 @@ -3631,6 +3631,24 @@
  
  ########################################
@@ -1216,8 +1324,8 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
---- nsaserefpolicy/policy/modules/system/xen.te	2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/xen.te	2010-01-09 20:35:37.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/xen.te	2010-01-18 18:24:22.987540070 +0100
++++ serefpolicy-3.6.32/policy/modules/system/xen.te	2010-01-18 18:27:02.796530655 +0100
 @@ -248,6 +248,7 @@
  #
  
@@ -1246,8 +1354,8 @@ diff -b -B --ignore-all-space --exclude-
  #
  # Xen store local policy
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
---- nsaserefpolicy/policy/support/obj_perm_sets.spt	2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt	2010-01-15 12:24:53.000000000 +0100
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt	2010-01-18 18:24:22.988541733 +0100
++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt	2010-01-18 18:27:02.798533004 +0100
 @@ -28,7 +28,7 @@
  #
  # All socket classes.
@@ -1258,8 +1366,8 @@ diff -b -B --ignore-all-space --exclude-
  
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
---- nsaserefpolicy/policy/users	2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/users	2010-01-12 13:48:30.000000000 +0100
+--- nsaserefpolicy/policy/users	2010-01-18 18:24:22.989541023 +0100
++++ serefpolicy-3.6.32/policy/users	2010-01-18 18:27:02.799531176 +0100
 @@ -15,7 +15,7 @@
  # and a user process should never be assigned the system user
  # identity.


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.996
retrieving revision 1.997
diff -u -p -r1.996 -r1.997
--- selinux-policy.spec	15 Jan 2010 17:09:02 -0000	1.996
+++ selinux-policy.spec	19 Jan 2010 11:38:59 -0000	1.997
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 71%{?dist}
+Release: 72%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -456,6 +456,11 @@ exit 0
 %endif
 
 %changelog
+* Tue Jan 19 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-72
+- Fixes for memcached from Dan Walsh
+- Allow podsleuth to read user tmpfs files
+- Allow tftpd to read system state information in proc
+
 * Fri Jan 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-71
 - Allow hotplug to transition to brctl domain
 - Fixes for sftpd


