rpms/selinux-policy/F-12 policy-20100106.patch, 1.13, 1.14 selinux-policy.spec, 1.1002, 1.1003
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jan 22 16:37:44 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5726
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Add labeling for gitweb
- Allow plymouth to read and write the /dev/ptmx
- Fixes for sandbox
- Allow nagios_services_plugin_t to read snmpd libraries
policy-20100106.patch:
modules/apps/gnome.fc | 8 ++
modules/apps/gnome.if | 24 ++++----
modules/apps/gnome.te | 6 +-
modules/apps/gpg.fc | 2
modules/apps/gpg.te | 5 -
modules/apps/mozilla.fc | 1
modules/apps/nsplugin.fc | 1
modules/apps/podsleuth.te | 1
modules/apps/sandbox.if | 50 ++++++++++++++---
modules/apps/sandbox.te | 39 +++++++------
modules/apps/wine.if | 4 +
modules/apps/wine.te | 14 ++++
modules/kernel/corenetwork.te.in | 4 -
modules/kernel/devices.fc | 2
modules/kernel/devices.if | 18 ++++++
modules/kernel/devices.te | 6 ++
modules/roles/unconfineduser.fc | 2
modules/roles/unconfineduser.te | 2
modules/roles/xguest.te | 2
modules/services/abrt.te | 1
modules/services/afs.te | 6 +-
modules/services/apache.if | 26 ++++++++
modules/services/apache.te | 2
modules/services/apcupsd.te | 2
modules/services/avahi.fc | 2
modules/services/cups.te | 1
modules/services/dovecot.te | 4 +
modules/services/fail2ban.if | 18 ++++++
modules/services/ftp.if | 37 ++++++++++++
modules/services/ftp.te | 114 +++++++++++++++++++++++++++++++++++++++
modules/services/git.fc | 3 +
modules/services/git.if | 8 +-
modules/services/git.te | 5 +
modules/services/kerberos.if | 2
modules/services/mailman.te | 1
modules/services/memcached.te | 14 +++-
modules/services/nagios.fc | 40 +++++++++++++
modules/services/nagios.te | 7 ++
modules/services/openvpn.te | 1
modules/services/plymouth.te | 27 +++++----
modules/services/postfix.te | 5 +
modules/services/samba.te | 5 +
modules/services/sendmail.te | 2
modules/services/snmp.te | 4 -
modules/services/spamassassin.if | 18 ++++++
modules/services/ssh.te | 80 +--------------------------
modules/services/sssd.fc | 2
modules/services/sssd.if | 85 +++++++++++++++++------------
modules/services/sssd.te | 14 +++-
modules/services/tftp.te | 1
modules/services/virt.te | 4 +
modules/services/xserver.fc | 4 +
modules/services/xserver.te | 3 +
modules/system/hotplug.te | 4 +
modules/system/init.te | 5 +
modules/system/iscsi.fc | 2
modules/system/iscsi.te | 4 +
modules/system/libraries.fc | 8 ++
modules/system/locallogin.te | 5 +
modules/system/miscfiles.if | 37 ++++++++++++
modules/system/mount.te | 1
modules/system/selinuxutil.te | 1
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 ++++++
modules/system/xen.te | 6 ++
support/obj_perm_sets.spt | 2
users | 2
68 files changed, 641 insertions(+), 196 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -p -r1.13 -r1.14
--- policy-20100106.patch 21 Jan 2010 17:35:21 -0000 1.13
+++ policy-20100106.patch 22 Jan 2010 16:37:43 -0000 1.14
@@ -166,7 +166,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-18 18:27:02.742545576 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-22 15:41:50.752727640 +0100
@@ -45,9 +45,10 @@
allow sandbox_x_domain $1:process { sigchld signal };
allow sandbox_x_domain sandbox_x_domain:process signal;
@@ -191,7 +191,25 @@ diff -b -B --ignore-all-space --exclude-
')
type $1_t, sandbox_x_domain;
-@@ -163,10 +165,6 @@
+@@ -122,7 +124,7 @@
+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+
+ # window manager
+- miscfiles_setattr_fonts_dirs($1_t)
++ miscfiles_setattr_fonts_cache_dirs($1_t)
+ allow $1_t self:capability setuid;
+
+ type $1_client_t, sandbox_x_domain;
+@@ -156,6 +158,8 @@
+ ps_process_pattern(sandbox_xserver_t, $1_t)
+ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
++ allow $1_client_t $1_t:unix_stream_socket connectto;
++ allow $1_t $1_client_t:unix_stream_socket connectto;
+
+ can_exec($1_client_t, $1_file_t)
+ manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
+@@ -163,10 +167,6 @@
manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
@@ -202,7 +220,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -187,3 +185,39 @@
+@@ -187,3 +187,39 @@
allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
')
@@ -244,7 +262,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-01-18 18:27:02.743530757 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-01-22 15:41:56.778871235 +0100
@@ -10,14 +10,15 @@
#
@@ -282,7 +300,16 @@ diff -b -B --ignore-all-space --exclude-
gen_require(`
type usr_t, lib_t, locale_t;
-@@ -161,7 +158,7 @@
+@@ -132,7 +129,7 @@
+ allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
+ allow sandbox_x_domain self:shm create_shm_perms;
+ allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+-allow sandbox_x_domain self:unix_dgram_socket create_socket_perms;
++allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
+ allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+ dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+@@ -161,14 +158,14 @@
auth_dontaudit_read_login_records(sandbox_x_domain)
auth_dontaudit_write_login_records(sandbox_x_domain)
@@ -291,7 +318,15 @@ diff -b -B --ignore-all-space --exclude-
auth_search_pam_console_data(sandbox_x_domain)
init_read_utmp(sandbox_x_domain)
-@@ -179,12 +176,20 @@
+ init_dontaudit_write_utmp(sandbox_x_domain)
+
+ miscfiles_read_localization(sandbox_x_domain)
+-miscfiles_dontaudit_setattr_fonts_dirs(sandbox_x_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
+
+ term_getattr_pty_fs(sandbox_x_domain)
+ term_use_ptmx(sandbox_x_domain)
+@@ -179,12 +176,24 @@
miscfiles_read_fonts(sandbox_x_domain)
optional_policy(`
@@ -300,6 +335,10 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+optional_policy(`
++ dbus_system_bus_client(sandbox_x_domain)
++')
++
++optional_policy(`
gnome_read_gconf_config(sandbox_x_domain)
')
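Review bot: Adding `dbus_system_bus_client(sandbox_x_domain)` here while the hunk at `@@ -207,10 +216,8 @@` drops `dbus_system_bus_client(sandbox_x_client_t)` and `dbus_read_config(sandbox_x_client_t)` moves system-bus access from the client types onto the whole sandbox_x_domain attribute, so every domain carrying that attribute now gets it rather than only the clients that had it before; if the plain X sandbox domain is meant to stay more restricted, keep the rule on the client types instead. `dbus_read_config` is removed in that hunk without a replacement on this page, so confirm that the new call also covers reading the dbus configuration, or the client domains lose it. The surrounding optional_policy blocks start and end outside this hunk.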
@@ -314,16 +353,19 @@ diff -b -B --ignore-all-space --exclude-
')
userdom_dontaudit_use_user_terminals(sandbox_x_domain)
-@@ -207,7 +212,7 @@
+@@ -207,10 +216,8 @@
corenet_tcp_connect_ipp_port(sandbox_x_client_t)
-#auth_use_nsswitch(sandbox_x_client_t)
+auth_use_nsswitch(sandbox_x_client_t)
- dbus_system_bus_client(sandbox_x_client_t)
- dbus_read_config(sandbox_x_client_t)
-@@ -267,7 +272,7 @@
+-dbus_system_bus_client(sandbox_x_client_t)
+-dbus_read_config(sandbox_x_client_t)
+ selinux_get_fs_mount(sandbox_x_client_t)
+ selinux_validate_context(sandbox_x_client_t)
+ selinux_compute_access_vector(sandbox_x_client_t)
+@@ -267,7 +274,7 @@
corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
corenet_tcp_connect_speech_port(sandbox_web_client_t)
@@ -332,7 +374,7 @@ diff -b -B --ignore-all-space --exclude-
dbus_system_bus_client(sandbox_web_client_t)
dbus_read_config(sandbox_web_client_t)
-@@ -310,7 +315,7 @@
+@@ -310,7 +317,7 @@
corenet_tcp_connect_all_ports(sandbox_net_client_t)
corenet_sendrecv_all_client_packets(sandbox_net_client_t)
@@ -533,7 +575,7 @@ diff -b -B --ignore-all-space --exclude-
# AFS bossserver local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-18 18:27:02.756530665 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-22 17:15:37.455855038 +0100
@@ -16,6 +16,7 @@
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
@@ -551,6 +593,36 @@ diff -b -B --ignore-all-space --exclude-
')
tunable_policy(`httpd_enable_cgi',`
+@@ -1167,6 +1170,29 @@
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+ ')
+
++#######################################
++## <summary>
++## dontaudit read and write an leaked file descriptors
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`apache_dontaudit_leaks',`
++ gen_require(`
++ type httpd_t;
++ ')
++
++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 httpd_t:tcp_socket { read write };
++ dontaudit $1 httpd_t:unix_dgram_socket { read write };
++ dontaudit $1 httpd_t:unix_stream_socket { read write };
++')
++
++
++
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to read and write Apache
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-01-18 18:30:54.720781297 +0100
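Review bot: The summary of the new `apache_dontaudit_leaks` interface, `## dontaudit read and write an leaked file descriptors`, is ungrammatical and does not match the wording style of the neighbouring interfaces; `## Do not audit attempts to read and write leaked Apache file descriptors.` fits the existing convention. The interface is also followed by three blank lines before the next `########` header, where the rest of the file uses one. The rule set itself (fifo, tcp and unix sockets of httpd_t) reads correctly for a leaked-descriptor dontaudit.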
@@ -828,17 +900,59 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.32/policy/modules/services/git.fc
--- nsaserefpolicy/policy/modules/services/git.fc 2010-01-18 18:24:22.788540040 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/git.fc 2010-01-21 18:32:44.930612521 +0100
-@@ -1,5 +1,6 @@
++++ serefpolicy-3.6.32/policy/modules/services/git.fc 2010-01-22 12:32:18.191604638 +0100
+@@ -1,6 +1,9 @@
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
++/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++
/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
+ /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.32/policy/modules/services/git.if
+--- nsaserefpolicy/policy/modules/services/git.if 2010-01-18 18:24:22.789540167 +0100
++++ serefpolicy-3.6.32/policy/modules/services/git.if 2010-01-22 12:30:50.923622237 +0100
+@@ -104,7 +104,7 @@
+ ')
+
+ exec_files_pattern($1, git_data_t, git_data_t)
+- files_search_var($1)
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+@@ -126,7 +126,7 @@
+
+ manage_dirs_pattern($1, git_data_t, git_data_t)
+ manage_files_pattern($1, git_data_t, git_data_t)
+- files_search_var($1)
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+@@ -192,7 +192,7 @@
+
+ list_dirs_pattern($1, git_data_t, git_data_t)
+ read_files_pattern($1, git_data_t, git_data_t)
+- files_search_var($1)
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+@@ -214,7 +214,7 @@
+
+ relabel_dirs_pattern($1, git_data_t, git_data_t)
+ relabel_files_pattern($1, git_data_t, git_data_t)
+- files_search_var($1)
++ files_search_var_lib($1)
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2010-01-18 18:24:22.790540016 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-01-18 18:27:02.764531054 +0100
++++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-01-22 12:32:35.787604988 +0100
@@ -73,7 +73,7 @@
#
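Review bot: The four git.if hunks replace `files_search_var($1)` with `files_search_var_lib($1)`, but the only git_data_t location labelled on this page is `/srv/git(/.*)?`, so callers that reach repositories under /srv do not gain the search permission for that path from this change; unless a /var/lib git entry exists outside this excerpt, the intent needs confirming and either a matching `.fc` line or a search interface for the directory actually used should accompany it. The git.fc hunk also adds a trailing blank line after the new gitweb entries, which the other .fc files on this page do not do. The interfaces being edited start outside their hunks, so the rest of their bodies are not visible here.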
@@ -848,17 +962,36 @@ diff -b -B --ignore-all-space --exclude-
allow gitd_type self:udp_socket create_socket_perms;
allow gitd_type self:unix_dgram_socket create_socket_perms;
+@@ -171,3 +171,6 @@
+
+ apache_content_template(git)
+ git_read_data_content(httpd_git_script_t)
++
++files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-19 17:08:35.663632666 +0100
-@@ -86,6 +86,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-22 17:08:10.300604739 +0100
+@@ -85,7 +85,7 @@
+ seutil_dontaudit_read_file_contexts($1)
optional_policy(`
- sssd_read_config_files($1)
+- sssd_read_config_files($1)
+ sssd_read_public_files($1)
')
tunable_policy(`allow_kerberos',`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te
+--- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100
++++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100
+@@ -55,6 +55,7 @@
+ apache_search_sys_script_state(mailman_cgi_t)
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
++ apache_dontaudit_leaks(mailman_cgi_t)
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2010-01-18 18:24:22.809536705 +0100
+++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2010-01-19 11:45:44.999857263 +0100
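Review bot: Replacing `sssd_read_config_files($1)` with `sssd_read_public_files($1)` in kerberos.if narrows what every caller of that interface may read from sssd, which is a reasonable least-privilege change, but it alters behaviour for all those callers and is not mentioned in the log message or the changelog entry; a one-line entry such as `- kerberos callers read sssd public files instead of its config` would make the narrowing discoverable. The interface's header and name are outside the hunk, so which callers are affected cannot be confirmed from this page. The git.te addition also leaves a trailing blank line at the end of the file after `files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)`.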
@@ -971,7 +1104,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-18 18:27:02.766531099 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-22 16:03:19.932604694 +0100
@@ -118,6 +118,9 @@
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
@@ -982,6 +1115,17 @@ diff -b -B --ignore-all-space --exclude-
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
+@@ -315,6 +318,10 @@
+ mysql_stream_connect(nagios_services_plugin_t)
+ ')
+
++optional_policy(`
++ snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
++')
++
+ ######################################
+ #
+ # local policy for system check plugins
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100
+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-18 18:27:02.767531435 +0100
@@ -993,6 +1137,57 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
+--- nsaserefpolicy/policy/modules/services/plymouth.te 2010-01-18 18:24:22.847540282 +0100
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-01-22 16:16:19.936882341 +0100
+@@ -41,6 +41,19 @@
+ allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+ allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
++manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
++files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })
++
++manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
++manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
++files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
++
++manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
++manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
++manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
++files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })
++
+ kernel_read_system_state(plymouthd_t)
+ kernel_request_load_module(plymouthd_t)
+ kernel_change_ring_buffer_level(plymouthd_t)
+@@ -58,18 +71,6 @@
+ miscfiles_read_localization(plymouthd_t)
+ miscfiles_read_fonts(plymouthd_t)
+
+-manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+-manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+-files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })
+-
+-manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+-manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+-files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+-
+-manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+-manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+-manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+-files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })
+
+ ########################################
+ #
+@@ -82,6 +83,8 @@
+
+ kernel_stream_connect(plymouth_t)
+
++term_use_ptmx(plymouth_t)
++
+ domain_use_interactive_fds(plymouth_t)
+
+ files_read_etc_files(plymouth_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100
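Review bot: `term_use_ptmx(plymouth_t)` appears to let the plymouth client open and read/write /dev/ptmx itself, i.e. allocate pty masters, which is broader than using a terminal it already inherited; if the denial being fixed is on an inherited pty fd, `term_use_generic_ptys(plymouth_t)` or a dontaudit would be the narrower rule, but the underlying AVC is not on this page, so this needs confirming against it. The relocated plymouthd block keeps the inconsistent spacing in `files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })` and `files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })`; since those lines are being moved anyway, normalizing them to the `(a, b, c)` form used by the surrounding calls is cheap.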
@@ -1656,7 +1851,7 @@ diff -b -B --ignore-all-space --exclude-
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-19 12:16:16.415620342 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-22 12:18:15.477855412 +0100
@@ -245,6 +245,7 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -1665,7 +1860,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -433,8 +434,14 @@
+@@ -433,8 +434,15 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -1678,8 +1873,9 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/usr/local/MATHWORKS_R2009B/bin/glnxa64/libtbb.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-01-18 18:24:22.948530849 +0100
+++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-01-21 14:31:52.834862007 +0100
@@ -1704,8 +1900,8 @@ diff -b -B --ignore-all-space --exclude-
',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-18 18:27:02.787531116 +0100
-@@ -618,3 +618,22 @@
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100
+@@ -618,3 +618,40 @@
manage_lnk_files_pattern($1, locale_t, locale_t)
')
@@ -1727,7 +1923,25 @@ diff -b -B --ignore-all-space --exclude-
+
+ allow $1 fonts_cache_t:dir setattr;
+')
-+
++
++#######################################
++## <summary>
++## Dontaudit attempts to set the attributes on a fonts cache directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
++ gen_require(`
++ type fonts_cache_t;
++ ')
++
++ allow $1 fonts_cache_t:dir setattr;
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100
+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-18 18:27:02.788530824 +0100
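Review bot: The new interface `miscfiles_dontaudit_setattr_fonts_cache_dirs` grants permission instead of suppressing audit: its body is `allow $1 fonts_cache_t:dir setattr;` while its name and summary ("Dontaudit attempts to set the attributes") promise a dontaudit, so the line should read `dontaudit $1 fonts_cache_t:dir setattr;`. As written it duplicates the `miscfiles_setattr_fonts_cache_dirs` interface directly above it, and the caller introduced in sandbox.te, `miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)`, silently receives setattr on font cache directories for every sandbox X domain rather than a silenced denial. The `<rolecap/>` tag is also unusual on a dontaudit interface and can be dropped once the rule is corrected.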
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1002
retrieving revision 1.1003
diff -u -p -r1.1002 -r1.1003
--- selinux-policy.spec 21 Jan 2010 13:37:03 -0000 1.1002
+++ selinux-policy.spec 22 Jan 2010 16:37:43 -0000 1.1003
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 75%{?dist}
+Release: 76%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -456,6 +456,12 @@ exit 0
%endif
%changelog
+* Fri Jan 22 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-76
+- Add labeling for gitweb
+- Allow plymouth to read and write the /dev/ptmx
+- Fixes for sanbox
+- Allow nagios_services_plugin_t to read snmpd libraries
+
* Thu Jan 21 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-75
- Allow sulogin to talk to console and tty_device_t