rpms/selinux-policy/F-12 policy-20100106.patch, 1.15, 1.16 selinux-policy.spec, 1.1004, 1.1005
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jan 27 17:02:49 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31204
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Allow openvpn to read utmp
- Allow xdm to read the video4linux devices
- Add labeling for /etc/openldap/slapd.d directory
- Allow tgtd to manage fixed disk device nodes
- Allow chsh to execute nxserver
- Allow abrt_helper to send system log messages
- Add labeling for /etc/zabbix/web directory
policy-20100106.patch:
modules/admin/smoltclient.te | 2
modules/admin/usermanage.te | 4 +
modules/apps/gnome.fc | 8 ++
modules/apps/gnome.if | 24 ++++----
modules/apps/gnome.te | 6 +-
modules/apps/gpg.fc | 2
modules/apps/gpg.te | 5 -
modules/apps/mozilla.fc | 1
modules/apps/nsplugin.fc | 1
modules/apps/podsleuth.te | 1
modules/apps/sandbox.if | 50 ++++++++++++++---
modules/apps/sandbox.te | 39 +++++++------
modules/apps/vmware.if | 18 ++++++
modules/apps/wine.if | 4 +
modules/apps/wine.te | 14 ++++
modules/kernel/corenetwork.te.in | 4 -
modules/kernel/devices.fc | 3 +
modules/kernel/devices.if | 36 ++++++++++++
modules/kernel/devices.te | 12 ++++
modules/roles/unconfineduser.fc | 2
modules/roles/unconfineduser.te | 2
modules/roles/xguest.te | 2
modules/services/abrt.te | 4 +
modules/services/afs.te | 6 +-
modules/services/apache.fc | 1
modules/services/apache.if | 26 ++++++++
modules/services/apache.te | 7 ++
modules/services/apcupsd.te | 2
modules/services/arpwatch.te | 1
modules/services/avahi.fc | 2
modules/services/cups.te | 2
modules/services/dovecot.te | 5 +
modules/services/fail2ban.if | 18 ++++++
modules/services/ftp.if | 37 ++++++++++++
modules/services/ftp.te | 114 +++++++++++++++++++++++++++++++++++++++
modules/services/git.fc | 3 +
modules/services/git.if | 8 +-
modules/services/git.te | 5 +
modules/services/kerberos.if | 2
modules/services/ldap.fc | 2
modules/services/mailman.te | 1
modules/services/memcached.te | 14 +++-
modules/services/mysql.te | 2
modules/services/nagios.fc | 40 +++++++++++++
modules/services/nagios.te | 7 ++
modules/services/nx.if | 18 ++++++
modules/services/openvpn.te | 4 +
modules/services/plymouth.te | 28 +++++----
modules/services/postfix.te | 5 +
modules/services/prelude.te | 2
modules/services/samba.te | 5 +
modules/services/sendmail.te | 2
modules/services/snmp.te | 4 -
modules/services/snort.te | 1
modules/services/spamassassin.if | 18 ++++++
modules/services/ssh.te | 80 +--------------------------
modules/services/sssd.fc | 2
modules/services/sssd.if | 85 +++++++++++++++++------------
modules/services/sssd.te | 14 +++-
modules/services/tftp.te | 1
modules/services/tgtd.te | 1
modules/services/virt.te | 4 +
modules/services/xserver.fc | 4 +
modules/services/xserver.te | 4 +
modules/system/hotplug.te | 4 +
modules/system/init.te | 5 +
modules/system/ipsec.te | 2
modules/system/iscsi.fc | 2
modules/system/iscsi.te | 4 +
modules/system/libraries.fc | 15 ++++-
modules/system/locallogin.te | 5 +
modules/system/miscfiles.if | 37 ++++++++++++
modules/system/mount.te | 5 +
modules/system/selinuxutil.te | 1
modules/system/sysnetwork.te | 1
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 ++++++
modules/system/xen.te | 7 ++
support/obj_perm_sets.spt | 2
users | 2
81 files changed, 746 insertions(+), 198 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -p -r1.15 -r1.16
--- policy-20100106.patch 25 Jan 2010 17:00:28 -0000 1.15
+++ policy-20100106.patch 27 Jan 2010 17:02:49 -0000 1.16
@@ -10,6 +10,20 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization(smoltclient_t)
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te
+--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-01-18 18:24:22.584530156 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2010-01-26 14:45:59.214713808 +0100
+@@ -122,6 +122,10 @@
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(chfn_t)
+
++optional_policy(`
++ nx_exec_server(chfn_t)
++')
++
+ ########################################
+ #
+ # Crack local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-01-21 18:31:02.867611919 +0100
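Review bot: the changelog entry says "Allow chsh to execute nxserver" but the rule in this hunk is written on chfn_t; that only lines up because chsh is labelled chfn_exec_t in the reference policy and therefore runs as chfn_t. A one-line comment above the new `optional_policy` block stating why chfn_t needs to execute the NX server (e.g. that chsh validates the user's login shell) would save the next reader the lookup and stop the rule looking like a typo for an NX domain.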
@@ -484,8 +498,16 @@ diff -b -B --ignore-all-space --exclude-
network_port(dns, udp,53,s0, tcp,53,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-18 18:27:02.746530790 +0100
-@@ -162,6 +162,8 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-27 17:35:56.087613943 +0100
+@@ -103,6 +103,7 @@
+ /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
+ /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0)
+ /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ ifdef(`distro_suse', `
+@@ -162,6 +163,8 @@
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
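Review bot: `/dev/usbmon.+` requires at least one character after `usbmon`, so the per-bus nodes /dev/usbmon0, /dev/usbmon1, ... match but a bare /dev/usbmon would not and would fall through to the `/dev/usb.+` entry below it as usb_device_t. The devices.te comment in this same patch describes the type as "the type for /dev/usbmon", so either that comment should read /dev/usbmon[0-9]+ or the pattern should be widened; in either case prefer an explicit `/dev/usbmon[0-9]+` over `.+` so unrelated names beginning with usbmon are not labelled as monitor devices.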
@@ -496,8 +518,33 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-18 18:27:02.749530752 +0100
-@@ -3833,6 +3833,24 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-27 17:35:46.879614965 +0100
+@@ -3551,6 +3551,24 @@
+ rw_chr_files_pattern($1, device_t, usb_device_t)
+ ')
+
++######################################
++## <summary>
++## Read USB monitor devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_usbmon_dev',`
++ gen_require(`
++ type device_t, usbmon_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, usbmon_device_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Mount a usbfs filesystem.
+@@ -3833,6 +3851,24 @@
write_chr_files_pattern($1, device_t, v4l_device_t)
')
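Review bot: the banner above `dev_read_usbmon_dev` is 38 `#` characters while the neighbouring interfaces in devices.if use 40 (`########################################`), so the file's alignment drifts; the surrounding "Mount a usbfs filesystem" block shows the house width. Scope-wise the interface is right: usbmon is a capture-only interface, so a read interface built on `read_chr_files_pattern` is all a consumer should ever be handed.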
@@ -524,8 +571,19 @@ diff -b -B --ignore-all-space --exclude-
## Read and write VMWare devices.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-18 18:27:02.751530797 +0100
-@@ -233,6 +233,12 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-27 17:34:18.787624215 +0100
+@@ -228,11 +228,23 @@
+ genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
+
+ #
++# usbmon_device_t is the type for /dev/usbmon
++#
++type usbmon_device_t;
++dev_node(usbmon_device_t)
++
++#
+ # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
+ #
type usb_device_t;
dev_node(usb_device_t)
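Review bot: the new type comment should say why usbmon gets its own type instead of reusing usb_device_t: /dev/usbmonN exposes the traffic of every device on the bus (keyboard input included), so restricting its readers to the two capture daemons that receive `dev_read_usbmon_dev` in this patch (arpwatch_t, snort_t) while usb_device_t stays broadly accessible is the whole point of the split. Writing that rationale into the comment makes the separation deliberate for whoever later considers merging the two types.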
@@ -576,7 +634,7 @@ diff -b -B --ignore-all-space --exclude-
gen_tunable(xguest_connect_network, true)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-18 18:27:02.754531109 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-27 15:33:53.900626544 +0100
@@ -96,6 +96,7 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
@@ -585,6 +643,20 @@ diff -b -B --ignore-all-space --exclude-
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_memory_dev(abrt_t)
+@@ -200,10 +201,13 @@
+ files_read_etc_files(abrt_helper_t)
+ files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
++fs_getattr_all_fs(abrt_helper_t)
+ fs_list_inotifyfs(abrt_helper_t)
+
+ auth_use_nsswitch(abrt_helper_t)
+
++logging_send_syslog_msg(abrt_helper_t)
++
+ miscfiles_read_localization(abrt_helper_t)
+
+ userdom_dontaudit_use_user_terminals(abrt_helper_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.32/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2010-01-18 18:24:22.729540009 +0100
+++ serefpolicy-3.6.32/policy/modules/services/afs.te 2010-01-20 13:19:16.795611181 +0100
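Review bot: `fs_getattr_all_fs(abrt_helper_t)` is not mentioned in the changelog, which only lists the syslog rule, and it is broader than the `fs_list_inotifyfs` line beside it suggests is needed (statfs on every filesystem type). If it is there to satisfy a statfs on the inotify descriptor, a comment saying so plus a changelog line would make that clear; otherwise consider whether getattr on just the filesystems abrt_helper actually touches is enough for a setuid helper.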
@@ -613,6 +685,17 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# AFS bossserver local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
+--- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-01-27 17:22:29.733863060 +0100
+@@ -12,6 +12,7 @@
+ /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+ /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+
+ /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-22 17:15:37.455855038 +0100
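Review bot: `/etc/zabbix/web(/.*)?` is labelled httpd_sys_content_rw_t, which lets httpd_t create and modify files under /etc; every other /etc entry in this block is either httpd_config_t or an initrc type, so this is the one configuration directory the web server can now rewrite. If write access is only needed while the Zabbix web front end runs its setup, a comment saying so (and that the tree can be relabelled read-only afterwards) lets administrators tighten it; if it must stay writable, the reason belongs next to the entry.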
@@ -665,7 +748,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to read and write Apache
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-01-18 18:30:54.720781297 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-01-26 15:36:27.882713495 +0100
@@ -309,7 +309,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -675,6 +758,18 @@ diff -b -B --ignore-all-space --exclude-
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
+@@ -612,6 +612,11 @@
+ avahi_dbus_chat(httpd_t)
+ ')
+ ')
++
++optional_policy(`
++ gitosis_read_var_lib(httpd_t)
++')
++
+ optional_policy(`
+ kerberos_keytab_template(httpd, httpd_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100
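Review bot: `gitosis_read_var_lib(httpd_t)` is not in the changelog. It grants httpd read access to gitosis repository data on every system that has the gitosis module loaded, and not every httpd fronts git repositories; consider gating it behind a tunable like the other optional integrations, or at minimum record in the changelog why the web server needs it unconditionally.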
@@ -687,6 +782,17 @@ diff -b -B --ignore-all-space --exclude-
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te
+--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-01-18 18:24:22.741530430 +0100
++++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-01-27 17:37:31.626864275 +0100
+@@ -64,6 +64,7 @@
+ corenet_udp_sendrecv_all_ports(arpwatch_t)
+
+ dev_read_sysfs(arpwatch_t)
++dev_read_usbmon_dev(arpwatch_t)
+
+ fs_getattr_all_fs(arpwatch_t)
+ fs_search_auto_mountpoints(arpwatch_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc
--- nsaserefpolicy/policy/modules/services/avahi.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/avahi.fc 2010-01-19 21:19:40.967763409 +0100
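Review bot: `dev_read_usbmon_dev(arpwatch_t)` (and the identical rule for snort_t later in this patch) introduces a brand-new device type and two readers that the changelog does not mention. A comment on why a network sniffer needs the USB monitor, presumably pcap's interface enumeration picking up the usbmonN nodes, would stop the rule being stripped later as a stray allow.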
@@ -717,8 +823,16 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-18 18:32:00.705531307 +0100
-@@ -277,6 +277,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-27 16:52:32.499864534 +0100
+@@ -82,6 +82,7 @@
+ manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+
+ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
++manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+
+@@ -277,6 +278,8 @@
')
tunable_policy(`use_nfs_home_dirs',`
@@ -727,7 +841,7 @@ diff -b -B --ignore-all-space --exclude-
fs_manage_nfs_files(dovecot_deliver_t)
fs_manage_nfs_symlinks(dovecot_deliver_t)
fs_manage_nfs_files(dovecot_t)
-@@ -284,6 +286,8 @@
+@@ -284,6 +287,8 @@
')
tunable_policy(`use_samba_home_dirs',`
@@ -1029,6 +1143,18 @@ diff -b -B --ignore-all-space --exclude-
')
tunable_policy(`allow_kerberos',`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc
+--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-01-26 14:30:08.546712216 +0100
+@@ -2,6 +2,8 @@
+ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+ /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
++/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++
+ /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
+ ifdef(`distro_debian',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100
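Review bot: `/etc/openldap/slapd\.d(/.*)?` is labelled slapd_db_t while `/etc/ldap/slapd\.conf` two lines above it is slapd_etc_t. That is the correct choice, since slapd.d is the cn=config database slapd rewrites at runtime, but it is a daemon-writable label on a path under /etc, so a short comment stating that would pre-empt the obvious question. Note too that slapd.d carries the same secrets slapd.conf does (the root DN password hash among them), so any domain with read access to slapd_db_t now reads them.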
@@ -1082,6 +1208,18 @@ diff -b -B --ignore-all-space --exclude-
+term_dontaudit_use_all_user_ptys(memcached_t)
+term_dontaudit_use_all_user_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100
++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-01-26 14:38:16.349463228 +0100
+@@ -147,6 +147,8 @@
+ dontaudit mysqld_safe_t self:capability sys_ptrace;
+ allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
++allow mysqld_safe_t mysqld_t:process signal_perms;
++
+ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+
+ manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-18 18:24:22.821530899 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-18 18:27:02.765531460 +0100
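Review bot: `allow mysqld_safe_t mysqld_t:process signal_perms;` is not in the changelog. signal_perms covers sigkill, sigstop, sigchld and signull as well as signal, which is what a supervisor that restarts a crashed mysqld needs, so the rule is reasonable; a comment ("mysqld_safe restarts mysqld") and a changelog line would document it.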
@@ -1174,9 +1312,37 @@ diff -b -B --ignore-all-space --exclude-
######################################
#
# local policy for system check plugins
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
+--- nsaserefpolicy/policy/modules/services/nx.if 2010-01-18 18:24:22.840530591 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nx.if 2010-01-26 14:43:43.595472728 +0100
+@@ -18,6 +18,24 @@
+ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
+ ')
+
++#######################################
++## <summary>
++## Execute the NX server.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`nx_exec_server',`
++ gen_require(`
++ type nx_server_exec_t;
++ ')
++
++ can_exec($1, nx_server_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read nx home directory content
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-18 18:27:02.767531435 +0100
++++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-26 14:19:37.820463477 +0100
@@ -85,6 +85,7 @@
corenet_udp_bind_generic_node(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
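Review bot: `nx_exec_server` uses `can_exec`, so a caller runs the NX server binary in its own domain with no transition; for the one caller this patch adds, chfn_t, that means nxserver code would execute with the privileges of a setuid domain whose job is editing /etc/passwd. If chfn_t only needs to stat or read the binary to validate a login shell, a getattr/read interface would be the narrower fit; if it genuinely has to execute it, say so in the interface summary. Separately, the banner is 39 `#` characters, one short of the file's 40.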
@@ -1185,9 +1351,19 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
+@@ -102,6 +103,9 @@
+
+ auth_use_pam(openvpn_t)
+
++init_read_utmp(openvpn_t)
++init_dontaudit_write_utmp(openvpn_t)
++
+ logging_send_syslog_msg(openvpn_t)
+
+ miscfiles_read_localization(openvpn_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 2010-01-18 18:24:22.847540282 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-01-22 16:16:19.936882341 +0100
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-01-27 16:41:36.145614526 +0100
@@ -41,6 +41,19 @@
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
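Review bot: `init_dontaudit_write_utmp(openvpn_t)` silences rather than grants the utmp write. If the write comes from the PAM session stack (`auth_use_pam(openvpn_t)` is two lines above), refusing it quietly is right, since no login record is wanted for a VPN peer; but the dontaudit will also hide the denial from anyone who later expects the record, so a comment that the write is intentionally refused belongs beside the pair.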
@@ -1227,8 +1403,11 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
-@@ -82,6 +83,8 @@
+@@ -80,8 +81,11 @@
+ allow plymouth_t self:fifo_file rw_file_perms;
+ allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
++kernel_read_system_state(plymouth_t)
kernel_stream_connect(plymouth_t)
+term_use_ptmx(plymouth_t)
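Review bot: `kernel_read_system_state(plymouth_t)` is not in the changelog. It lets the plymouth client read the generic /proc files (proc_t), which is a modest widening for a boot splash, but the hunk header moving from `-82,6 +83,8` to `-80,8 +81,11` shows this file is accumulating unrecorded rules; a changelog line per added interface keeps the audit trail usable.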
@@ -1265,6 +1444,18 @@ diff -b -B --ignore-all-space --exclude-
# connect to master process
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te
+--- nsaserefpolicy/policy/modules/services/prelude.te 2010-01-18 18:24:22.861530469 +0100
++++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2010-01-26 15:37:38.488473779 +0100
+@@ -250,6 +250,8 @@
+ files_read_etc_files(prelude_lml_t)
+ files_read_etc_runtime_files(prelude_lml_t)
+
++fs_getattr_all_fs(prelude_lml_t)
++fs_list_inotifyfs(prelude_lml_t)
+ fs_rw_anon_inodefs_files(prelude_lml_t)
+
+ auth_use_nsswitch(prelude_lml_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100
+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-18 18:27:02.770531119 +0100
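Review bot: the `fs_getattr_all_fs` / `fs_list_inotifyfs` pair for prelude_lml_t mirrors the pair given to abrt_helper_t earlier in this patch (both are processes watching log files), and neither site is in the changelog. A comment such as "inotify on watched log files" at both places would explain the otherwise odd-looking getattr on every filesystem type.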
@@ -1321,6 +1512,17 @@ diff -b -B --ignore-all-space --exclude-
allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te
+--- nsaserefpolicy/policy/modules/services/snort.te 2010-01-18 18:24:22.893530558 +0100
++++ serefpolicy-3.6.32/policy/modules/services/snort.te 2010-01-27 17:37:08.744613818 +0100
+@@ -78,6 +78,7 @@
+ dev_read_sysfs(snort_t)
+ dev_read_rand(snort_t)
+ dev_read_urand(snort_t)
++dev_read_usbmon_dev(snort_t)
+
+ domain_use_interactive_fds(snort_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-18 18:24:22.895529974 +0100
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-18 18:27:02.773531151 +0100
@@ -1758,6 +1960,17 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_kernel_sysctls(tftpd_t)
kernel_list_proc(tftpd_t)
kernel_read_proc_symlinks(tftpd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.6.32/policy/modules/services/tgtd.te
+--- nsaserefpolicy/policy/modules/services/tgtd.te 2010-01-18 18:24:22.905534669 +0100
++++ serefpolicy-3.6.32/policy/modules/services/tgtd.te 2010-01-26 14:33:27.943463104 +0100
+@@ -63,6 +63,7 @@
+ files_read_etc_files(tgtd_t)
+
+ storage_getattr_fixed_disk_dev(tgtd_t)
++storage_manage_fixed_disk(tgtd_t)
+
+ logging_send_syslog_msg(tgtd_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-18 18:27:02.776530834 +0100
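Review bot: `storage_manage_fixed_disk(tgtd_t)` grants manage permissions (create, unlink, rename) on fixed disk block device nodes, not just read and write; the changelog wording "manage fixed disk device nodes" matches, but an iSCSI target exporting existing disks normally only needs raw read/write on them. If tgtd does not create or remove device nodes, `storage_raw_rw_fixed_disk` is the narrower fit; if it does, a comment on why is warranted.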
@@ -1809,7 +2022,7 @@ diff -b -B --ignore-all-space --exclude-
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-21 18:31:22.661610918 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-26 14:27:29.964713815 +0100
@@ -301,6 +301,8 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
@@ -1819,7 +2032,15 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
-@@ -668,6 +670,7 @@
+@@ -506,6 +508,7 @@
+ dev_dontaudit_rw_misc(xdm_t)
+ dev_getattr_video_dev(xdm_t)
+ dev_setattr_video_dev(xdm_t)
++dev_read_video_dev(xdm_t)
+ dev_getattr_scanner_dev(xdm_t)
+ dev_setattr_scanner_dev(xdm_t)
+ dev_read_sound(xdm_t)
+@@ -668,6 +671,7 @@
optional_policy(`
gnome_read_gconf_config(xdm_t)
@@ -1863,6 +2084,18 @@ diff -b -B --ignore-all-space --exclude-
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
+--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-01-18 18:24:22.939530053 +0100
++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-01-27 17:43:20.027613211 +0100
+@@ -215,6 +215,8 @@
+ allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
+ allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+
++dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
++
+ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
+
+ manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-18 18:27:02.783531305 +0100
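Review bot: `dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };` hides a denial on a socket ipsec_mgmt_t did not create, which is the usual signature of a descriptor leaked across exec from ipsec_t (the adjacent allow rules cover dgram sockets the domains own, not an inherited stream socket). dontaudit is the right policy-side response, but the leak should be reported against the application and a comment left here so the rule is not later turned into an allow. Not in the changelog.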
@@ -1899,21 +2132,39 @@ diff -b -B --ignore-all-space --exclude-
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-22 12:18:15.477855412 +0100
-@@ -245,6 +245,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-27 14:59:22.372614529 +0100
+@@ -245,8 +245,12 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -433,8 +434,15 @@
+ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -396,10 +400,8 @@
+ /usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -433,8 +435,17 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/real/RealPlayer/plugins/theorarend\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/real/RealPlayer/plugins/oggfformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
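Review bot: the libmp3lame and libmpeg2 entries removed in the `@@ -396,10 +400,8 @@` region are re-added unchanged in the `@@ -245,8 +245,12 @@` region, a pure relocation into the Livna block that changes nothing in the compiled file_contexts but inflates the diff; if the grouping matters, a note in the commit message would explain it. The two new RealPlayer plugin entries are the only functional change (more libraries permitted execmod via textrel_shlib_t) and are absent from the changelog.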
@@ -2023,6 +2274,17 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization(load_policy_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te
+--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100
++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-01-27 17:25:30.275614148 +0100
+@@ -87,6 +87,7 @@
+
+ kernel_read_system_state(dhcpc_t)
+ kernel_read_network_state(dhcpc_t)
++kernel_read_net_sysctls(dhcpc_t)
+ kernel_read_kernel_sysctls(dhcpc_t)
+ kernel_request_load_module(dhcpc_t)
+ kernel_use_fds(dhcpc_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100
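Review bot: `kernel_read_net_sysctls(dhcpc_t)` is not in the changelog. Given that dhcpc_t already reads the kernel sysctls one line below, a read of the net subtree is a small and sensible widening for a DHCP client; it just needs recording.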
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1004
retrieving revision 1.1005
diff -u -p -r1.1004 -r1.1005
--- selinux-policy.spec 25 Jan 2010 17:00:28 -0000 1.1004
+++ selinux-policy.spec 27 Jan 2010 17:02:49 -0000 1.1005
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 77%{?dist}
+Release: 78%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -456,6 +456,15 @@ exit 0
%endif
%changelog
+* Wed Jan 27 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-78
+- Allow to openvpn to read utmp
+- Allow xdm to read the video4linux devices
+- Add labeling for /etc/openldap/slapd.d directory
+- Allow tgtd to manage fixed disk device nodes
+- Allow chsh to execute nxserver
+- Allow abrt_helper to send system log messages
+- Add labeling for /etc/zabbix/web directory
+
* Mon Jan 25 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-77
- Allow xenstored to manage files on on a XENFS filesystem
- Allow cupsd to setattr on a fonts cache directory
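Review bot: the new changelog stanza lists seven items, but the policy patch also adds the usbmon_device_t type with `dev_read_usbmon_dev` for arpwatch_t and snort_t, `gitosis_read_var_lib` for httpd_t, signal_perms from mysqld_safe_t to mysqld_t, link-file management in dovecot_var_run_t, the prelude_lml_t inotify rules, the ipsec_mgmt_t dontaudit, `kernel_read_net_sysctls` for dhcpc_t, `kernel_read_system_state` for plymouth_t and the libraries.fc changes; each deserves its own line so the 3.6.32-78 entry matches what the package ships. Also, "Allow to openvpn to read utmp" should read "Allow openvpn to read utmp".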