rpms/selinux-policy/F-12 policy-20100106.patch, 1.19, 1.20 selinux-policy.spec, 1.1006, 1.1007
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jan 29 11:11:23 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23917
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Fix rpm_dontaudit_leaks
- Fix typo in rgmanager.if
- Fixes for nis policy
policy-20100106.patch:
modules/admin/rpm.if | 20 +++---
modules/admin/smoltclient.te | 2
modules/admin/usermanage.te | 4 +
modules/apps/gnome.fc | 8 ++
modules/apps/gnome.if | 24 ++++----
modules/apps/gnome.te | 6 +-
modules/apps/gpg.fc | 2
modules/apps/gpg.te | 5 -
modules/apps/mozilla.fc | 1
modules/apps/nsplugin.fc | 1
modules/apps/podsleuth.te | 1
modules/apps/sandbox.if | 50 ++++++++++++++---
modules/apps/sandbox.te | 39 +++++++------
modules/apps/vmware.if | 18 ++++++
modules/apps/wine.if | 4 +
modules/apps/wine.te | 14 ++++
modules/kernel/corenetwork.te.in | 4 -
modules/kernel/devices.fc | 3 +
modules/kernel/devices.if | 36 ++++++++++++
modules/kernel/devices.te | 12 ++++
modules/kernel/files.if | 20 ++++++
modules/kernel/filesystem.if | 20 ++++++
modules/roles/unconfineduser.fc | 2
modules/roles/unconfineduser.te | 2
modules/roles/xguest.te | 2
modules/services/abrt.te | 4 +
modules/services/afs.te | 6 +-
modules/services/apache.fc | 1
modules/services/apache.if | 26 ++++++++
modules/services/apache.te | 7 ++
modules/services/apcupsd.te | 2
modules/services/arpwatch.te | 1
modules/services/avahi.fc | 2
modules/services/cron.te | 4 +
modules/services/cups.te | 2
modules/services/dovecot.te | 5 +
modules/services/fail2ban.if | 18 ++++++
modules/services/ftp.if | 37 ++++++++++++
modules/services/ftp.te | 114 +++++++++++++++++++++++++++++++++++++++
modules/services/git.fc | 3 +
modules/services/git.if | 8 +-
modules/services/git.te | 5 +
modules/services/kerberos.if | 2
modules/services/ldap.fc | 6 ++
modules/services/ldap.te | 7 ++
modules/services/mailman.te | 1
modules/services/memcached.te | 14 +++-
modules/services/mysql.te | 2
modules/services/nagios.fc | 40 +++++++++++++
modules/services/nagios.te | 7 ++
modules/services/nis.fc | 5 +
modules/services/nis.te | 6 ++
modules/services/nx.if | 18 ++++++
modules/services/openvpn.te | 4 +
modules/services/plymouth.te | 28 +++++----
modules/services/policykit.te | 4 +
modules/services/postfix.te | 5 +
modules/services/prelude.te | 2
modules/services/rgmanager.if | 2
modules/services/samba.te | 5 +
modules/services/sendmail.te | 2
modules/services/snmp.te | 4 -
modules/services/snort.te | 1
modules/services/spamassassin.if | 18 ++++++
modules/services/ssh.te | 80 +--------------------------
modules/services/sssd.fc | 2
modules/services/sssd.if | 85 +++++++++++++++++------------
modules/services/sssd.te | 14 +++-
modules/services/tftp.te | 1
modules/services/tgtd.te | 1
modules/services/virt.te | 4 +
modules/services/xserver.fc | 4 +
modules/services/xserver.te | 8 ++
modules/system/fstools.fc | 1
modules/system/hostname.te | 3 +
modules/system/hotplug.te | 4 +
modules/system/init.te | 5 +
modules/system/ipsec.te | 2
modules/system/iscsi.fc | 2
modules/system/iscsi.te | 4 +
modules/system/libraries.fc | 15 ++++-
modules/system/locallogin.te | 5 +
modules/system/miscfiles.if | 37 ++++++++++++
modules/system/mount.te | 5 +
modules/system/selinuxutil.te | 1
modules/system/sysnetwork.te | 1
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 ++++++
modules/system/xen.te | 7 ++
support/obj_perm_sets.spt | 2
users | 2
92 files changed, 835 insertions(+), 209 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -p -r1.19 -r1.20
--- policy-20100106.patch 27 Jan 2010 17:37:09 -0000 1.19
+++ policy-20100106.patch 29 Jan 2010 11:11:23 -0000 1.20
@@ -1,3 +1,39 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
+--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-01-18 18:24:22.567540216 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-01-29 10:12:23.130864561 +0100
+@@ -189,22 +189,22 @@
+ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
+ ')
+
+- dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
+- dontaudit $1 rpm_t:tcp_socket rw_socket_perms;
+- dontaudit $1 rpm_t:unix_dgram_socket rw_socket_perms;
++ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 rpm_t:tcp_socket { read write };
++ dontaudit $1 rpm_t:unix_dgram_socket { read write };
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+
+ dontaudit $1 rpm_script_t:fd use;
+- dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
+
+- dontaudit $1 rpm_var_run_t:file write_file_perms;
++ dontaudit $1 rpm_var_run_t:file write;
+
+- dontaudit $1 rpm_tmp_t:file rw_file_perms;
++ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+- dontaudit $1 rpm_tmpfs_t:file write_file_perms;
+- dontaudit $1 rpm_script_tmp_t:file write_file_perms;
+- dontaudit $1 rpm_var_lib_t:file { read write };
+- dontaudit $1 rpm_var_cache_t:file { read write };
++ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 2010-01-18 18:24:22.573543214 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2010-01-25 11:03:49.548441857 +0100
@@ -596,6 +632,60 @@ diff -b -B --ignore-all-space --exclude-
type v4l_device_t;
dev_node(v4l_device_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2010-01-18 18:24:22.691530426 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-01-29 10:02:38.893864113 +0100
+@@ -5537,3 +5537,23 @@
+
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
+ ')
++
++########################################
++## <summary>
++## Do not audit attempts to read or write
++## all leaked files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_leaks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:file rw_inherited_file_perms;
++ dontaudit $1 file_type:lnk_file { read };
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-01-29 10:02:57.270864470 +0100
+@@ -4409,3 +4409,23 @@
+ write_files_pattern($1, cgroup_t, cgroup_t)
+ ')
+
++
++########################################
++## <summary>
++## Do not audit attempts to read or write
++## all leaked filesystems files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_leaks',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
++ dontaudit $1 filesystem_type:lnk_file { read };
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-01-18 18:27:02.752530994 +0100
@@ -802,6 +892,20 @@ diff -b -B --ignore-all-space --exclude-
-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-01-29 09:59:49.239614360 +0100
+@@ -323,6 +323,10 @@
+ udev_read_db(crond_t)
+ ')
+
++optional_policy(`
++ mta_system_content(cron_var_run_t)
++')
++
+ ########################################
+ #
+ # System cron process domain
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-25 17:36:13.178435741 +0100
@@ -1145,7 +1249,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`allow_kerberos',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-01-26 14:30:08.546712216 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-01-29 10:17:34.113864636 +0100
@@ -2,6 +2,8 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
@@ -1155,6 +1259,43 @@ diff -b -B --ignore-all-space --exclude-
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
ifdef(`distro_debian',`
+@@ -10,8 +12,12 @@
+
+ /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+ /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++
++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:slapd_log_t,s0)
+
+ /var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+ /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+ /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+ /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.32/policy/modules/services/ldap.te
+--- nsaserefpolicy/policy/modules/services/ldap.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-01-29 10:41:13.184864510 +0100
+@@ -28,6 +28,9 @@
+ type slapd_replog_t;
+ files_type(slapd_replog_t)
+
++type slapd_log_t;
++logging_log_file(slapd_log_t)
++
+ type slapd_tmp_t;
+ files_tmp_file(slapd_tmp_t)
+
+@@ -68,6 +71,10 @@
+ manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+ manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+
++manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
++manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
++logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
++
+ manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+ manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+ files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100
@@ -1312,6 +1453,41 @@ diff -b -B --ignore-all-space --exclude-
######################################
#
# local policy for system check plugins
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.32/policy/modules/services/nis.fc
+--- nsaserefpolicy/policy/modules/services/nis.fc 2010-01-18 18:24:22.826540614 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nis.fc 2010-01-29 09:57:02.171614102 +0100
+@@ -14,3 +14,8 @@
+ /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+
+ /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
++
++/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
++/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
++/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
++/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.32/policy/modules/services/nis.te
+--- nsaserefpolicy/policy/modules/services/nis.te 2010-01-18 18:24:22.828542614 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nis.te 2010-01-29 09:57:06.796318812 +0100
+@@ -47,6 +47,9 @@
+ type ypxfr_exec_t;
+ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+
++type ypxfr_var_run_t;
++files_pid_file(ypxfr_var_run_t)
++
+ type nis_initrc_exec_t;
+ init_script_file(nis_initrc_exec_t)
+
+@@ -312,6 +315,9 @@
+
+ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+
++manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
++files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
++
+ corenet_all_recvfrom_unlabeled(ypxfr_t)
+ corenet_all_recvfrom_netlabel(ypxfr_t)
+ corenet_tcp_sendrecv_generic_if(ypxfr_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2010-01-18 18:24:22.840530591 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2010-01-26 14:43:43.595472728 +0100
@@ -1415,6 +1591,20 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(plymouth_t)
files_read_etc_files(plymouth_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
+--- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-01-29 10:12:36.454864455 +0100
+@@ -89,6 +89,10 @@
+ ')
+ ')
+
++optional_policy(`
++ gnome_read_config(policykit_t)
++')
++
+ ########################################
+ #
+ # polkit_auth local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100
@@ -1456,6 +1646,18 @@ diff -b -B --ignore-all-space --exclude-
fs_rw_anon_inodefs_files(prelude_lml_t)
auth_use_nsswitch(prelude_lml_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if
+--- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-01-18 18:24:22.870539995 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2010-01-29 10:16:32.195864190 +0100
+@@ -16,7 +16,7 @@
+ ')
+
+ corecmd_search_bin($1)
+- domrans_pattern($1,rgmanager_exec_t,rgmanager_t)
++ domtrans_pattern($1,rgmanager_exec_t,rgmanager_t)
+
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100
+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-18 18:27:02.770531119 +0100
@@ -2022,17 +2224,29 @@ diff -b -B --ignore-all-space --exclude-
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-26 14:27:29.964713815 +0100
-@@ -301,6 +301,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-29 10:03:15.438864683 +0100
+@@ -301,6 +301,9 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+allow xauth_t xserver_t:unix_stream_socket connectto;
+
++domain_dontaudit_leaks(xauth_t)
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
-@@ -506,6 +508,7 @@
+@@ -309,7 +312,10 @@
+ files_read_usr_files(xauth_t)
+ files_search_pids(xauth_t)
+ files_dontaudit_getattr_all_dirs(xauth_t)
++files_dontaudit_leaks(xauth_t)
++files_var_lib_filetrans(xauth_t, xauth_home_t, file)
+
++fs_dontaudit_leaks(xauth_t)
+ fs_getattr_all_fs(xauth_t)
+ fs_search_auto_mountpoints(xauth_t)
+
+@@ -506,6 +512,7 @@
dev_dontaudit_rw_misc(xdm_t)
dev_getattr_video_dev(xdm_t)
dev_setattr_video_dev(xdm_t)
@@ -2040,7 +2254,7 @@ diff -b -B --ignore-all-space --exclude-
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
dev_read_sound(xdm_t)
-@@ -668,6 +671,7 @@
+@@ -668,6 +675,7 @@
optional_policy(`
gnome_read_gconf_config(xdm_t)
@@ -2059,6 +2273,28 @@ diff -b -B --ignore-all-space --exclude-
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.32/policy/modules/system/hostname.te
+--- nsaserefpolicy/policy/modules/system/hostname.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/system/hostname.te 2010-01-29 10:03:19.733864870 +0100
+@@ -27,15 +27,18 @@
+
+ dev_read_sysfs(hostname_t)
+
++domain_dontaudit_leaks(hostname_t)
+ domain_use_interactive_fds(hostname_t)
+
+ files_read_etc_files(hostname_t)
++files_dontaudit_leaks(hostname_t)
+ files_dontaudit_search_var(hostname_t)
+ # for when /usr is not mounted:
+ files_dontaudit_search_isid_type_dirs(hostname_t)
+
+ fs_getattr_xattr_fs(hostname_t)
+ fs_search_auto_mountpoints(hostname_t)
++fs_dontaudit_leaks(hostname_t)
+ fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
+
+ term_dontaudit_use_console(hostname_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1006
retrieving revision 1.1007
diff -u -p -r1.1006 -r1.1007
--- selinux-policy.spec 27 Jan 2010 17:30:57 -0000 1.1006
+++ selinux-policy.spec 29 Jan 2010 11:11:23 -0000 1.1007
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 78%{?dist}
+Release: 79%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -456,6 +456,11 @@ exit 0
%endif
%changelog
+* Fri Jan 29 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-79
+- Fix rpm_dontaudit_leaks
+- Fix typo in rgmanager.if
+- Fixes for nis policy
+
* Wed Jan 27 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-78
- Allow to openvpn to read utmp
- Allow xdm to read the video4linux devices
More information about the scm-commits
mailing list