rpms/selinux-policy/F-13 policy-F13.patch, 1.135, 1.136 selinux-policy.spec, 1.1036, 1.1037

Miroslav Grepl mgrepl at fedoraproject.org
Fri Jul 9 10:57:25 UTC 2010


Author: mgrepl

Update of /cvs/pkgs/rpms/selinux-policy/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv29492

Modified Files:
	policy-F13.patch selinux-policy.spec 
Log Message:
- Add label for /bin/yash
- Fixes for rhcs and corosync policy
- Fixes for piranha-web policy



policy-F13.patch:
 Makefile                                  |    2 
 policy/global_tunables                    |   24 
 policy/mls                                |    2 
 policy/modules/admin/accountsd.fc         |    4 
 policy/modules/admin/accountsd.if         |  164 ++
 policy/modules/admin/accountsd.te         |   64 +
 policy/modules/admin/acct.te              |    1 
 policy/modules/admin/alsa.te              |    2 
 policy/modules/admin/anaconda.te          |    4 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/consoletype.if       |    3 
 policy/modules/admin/consoletype.te       |    3 
 policy/modules/admin/dmesg.te             |    6 
 policy/modules/admin/firstboot.te         |    7 
 policy/modules/admin/kismet.te            |    1 
 policy/modules/admin/logrotate.te         |   42 
 policy/modules/admin/logwatch.fc          |    7 
 policy/modules/admin/logwatch.te          |    8 
 policy/modules/admin/mcelog.te            |    2 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/ncftool.fc           |    2 
 policy/modules/admin/ncftool.if           |   74 +
 policy/modules/admin/ncftool.te           |   79 +
 policy/modules/admin/netutils.fc          |    2 
 policy/modules/admin/netutils.if          |    1 
 policy/modules/admin/netutils.te          |   24 
 policy/modules/admin/prelink.fc           |    4 
 policy/modules/admin/prelink.if           |   28 
 policy/modules/admin/prelink.te           |   79 +
 policy/modules/admin/quota.te             |    1 
 policy/modules/admin/readahead.te         |    4 
 policy/modules/admin/rpm.fc               |   21 
 policy/modules/admin/rpm.if               |  387 ++++++
 policy/modules/admin/rpm.te               |  110 +
 policy/modules/admin/sectoolm.te          |    1 
 policy/modules/admin/shorewall.if         |   45 
 policy/modules/admin/shorewall.te         |    7 
 policy/modules/admin/shutdown.fc          |    5 
 policy/modules/admin/shutdown.if          |  136 ++
 policy/modules/admin/shutdown.te          |   63 +
 policy/modules/admin/su.if                |   11 
 policy/modules/admin/sudo.if              |   12 
 policy/modules/admin/tmpreaper.te         |   24 
 policy/modules/admin/usermanage.if        |   20 
 policy/modules/admin/usermanage.te        |   25 
 policy/modules/admin/vbetool.te           |    6 
 policy/modules/admin/vpn.if               |   20 
 policy/modules/admin/vpn.te               |    8 
 policy/modules/apps/chrome.fc             |    3 
 policy/modules/apps/chrome.if             |   90 +
 policy/modules/apps/chrome.te             |   86 +
 policy/modules/apps/cpufreqselector.te    |    4 
 policy/modules/apps/execmem.fc            |   47 
 policy/modules/apps/execmem.if            |  110 +
 policy/modules/apps/execmem.te            |   11 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |   23 
 policy/modules/apps/firewallgui.te        |   66 +
 policy/modules/apps/gitosis.fc            |    2 
 policy/modules/apps/gitosis.if            |    2 
 policy/modules/apps/gitosis.te            |    7 
 policy/modules/apps/gnome.fc              |   24 
 policy/modules/apps/gnome.if              |  438 +++++++
 policy/modules/apps/gnome.te              |  118 ++
 policy/modules/apps/gpg.fc                |    1 
 policy/modules/apps/gpg.if                |  114 +-
 policy/modules/apps/gpg.te                |  157 ++
 policy/modules/apps/irc.fc                |    7 
 policy/modules/apps/irc.if                |   37 
 policy/modules/apps/irc.te                |  104 +
 policy/modules/apps/java.fc               |    7 
 policy/modules/apps/java.if               |    4 
 policy/modules/apps/java.te               |    9 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   68 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |  127 ++
 policy/modules/apps/livecd.te             |   34 
 policy/modules/apps/loadkeys.if           |    3 
 policy/modules/apps/loadkeys.te           |    6 
 policy/modules/apps/mono.if               |    5 
 policy/modules/apps/mozilla.fc            |    2 
 policy/modules/apps/mozilla.if            |   62 +
 policy/modules/apps/mozilla.te            |   22 
 policy/modules/apps/mplayer.if            |   36 
 policy/modules/apps/mplayer.te            |   29 
 policy/modules/apps/nsplugin.fc           |   10 
 policy/modules/apps/nsplugin.if           |  393 +++++++
 policy/modules/apps/nsplugin.te           |  297 +++++
 policy/modules/apps/openoffice.fc         |    4 
 policy/modules/apps/openoffice.if         |  129 ++
 policy/modules/apps/openoffice.te         |   17 
 policy/modules/apps/podsleuth.te          |    3 
 policy/modules/apps/pulseaudio.if         |   57 +
 policy/modules/apps/pulseaudio.te         |   11 
 policy/modules/apps/qemu.fc               |    4 
 policy/modules/apps/qemu.if               |   84 +
 policy/modules/apps/qemu.te               |   11 
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   66 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  314 +++++
 policy/modules/apps/sandbox.te            |  391 +++++++
 policy/modules/apps/seunshare.if          |   78 -
 policy/modules/apps/seunshare.te          |   35 
 policy/modules/apps/slocate.te            |    4 
 policy/modules/apps/telepathysofiasip.fc  |    2 
 policy/modules/apps/telepathysofiasip.if  |   69 +
 policy/modules/apps/telepathysofiasip.te  |   45 
 policy/modules/apps/userhelper.fc         |    1 
 policy/modules/apps/userhelper.if         |   56 +
 policy/modules/apps/userhelper.te         |   42 
 policy/modules/apps/vmware.if             |   19 
 policy/modules/apps/vmware.te             |   14 
 policy/modules/apps/wine.fc               |    1 
 policy/modules/apps/wine.if               |   11 
 policy/modules/apps/wine.te               |   22 
 policy/modules/apps/wm.if                 |   16 
 policy/modules/kernel/corecommands.fc     |   41 
 policy/modules/kernel/corecommands.if     |    2 
 policy/modules/kernel/corenetwork.te.in   |   37 
 policy/modules/kernel/devices.fc          |    9 
 policy/modules/kernel/devices.if          |  214 +++
 policy/modules/kernel/devices.te          |   18 
 policy/modules/kernel/domain.if           |   63 +
 policy/modules/kernel/domain.te           |  113 ++
 policy/modules/kernel/files.fc            |   30 
 policy/modules/kernel/files.if            |  671 +++++++++++-
 policy/modules/kernel/files.te            |   15 
 policy/modules/kernel/filesystem.if       |  296 ++++-
 policy/modules/kernel/filesystem.te       |   11 
 policy/modules/kernel/kernel.if           |  107 +
 policy/modules/kernel/kernel.te           |   36 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    1 
 policy/modules/kernel/storage.if          |   22 
 policy/modules/kernel/terminal.if         |   29 
 policy/modules/roles/auditadm.te          |    3 
 policy/modules/roles/guest.te             |    8 
 policy/modules/roles/secadm.te            |    2 
 policy/modules/roles/staff.te             |  118 ++
 policy/modules/roles/sysadm.te            |  102 +
 policy/modules/roles/unconfineduser.fc    |   10 
 policy/modules/roles/unconfineduser.if    |  667 ++++++++++++
 policy/modules/roles/unconfineduser.te    |  443 +++++++
 policy/modules/roles/unprivuser.te        |   23 
 policy/modules/roles/xguest.te            |   79 +
 policy/modules/services/abrt.fc           |   18 
 policy/modules/services/abrt.if           |  226 +++-
 policy/modules/services/abrt.te           |  180 ++-
 policy/modules/services/afs.te            |    5 
 policy/modules/services/aiccu.fc          |    6 
 policy/modules/services/aiccu.if          |  118 ++
 policy/modules/services/aiccu.te          |   71 +
 policy/modules/services/aisexec.fc        |   10 
 policy/modules/services/aisexec.if        |  106 +
 policy/modules/services/aisexec.te        |  114 ++
 policy/modules/services/apache.fc         |   18 
 policy/modules/services/apache.if         |  239 +++-
 policy/modules/services/apache.te         |  234 +++-
 policy/modules/services/apcupsd.te        |    4 
 policy/modules/services/arpwatch.te       |    4 
 policy/modules/services/asterisk.if       |   19 
 policy/modules/services/asterisk.te       |   45 
 policy/modules/services/automount.te      |    1 
 policy/modules/services/avahi.if          |    1 
 policy/modules/services/avahi.te          |    4 
 policy/modules/services/bind.if           |    5 
 policy/modules/services/bitlbee.te        |    7 
 policy/modules/services/bluetooth.if      |   26 
 policy/modules/services/boinc.fc          |    6 
 policy/modules/services/boinc.if          |  151 ++
 policy/modules/services/boinc.te          |  100 +
 policy/modules/services/bugzilla.fc       |    4 
 policy/modules/services/bugzilla.if       |   39 
 policy/modules/services/bugzilla.te       |   57 +
 policy/modules/services/cachefilesd.fc    |   29 
 policy/modules/services/cachefilesd.if    |   41 
 policy/modules/services/cachefilesd.te    |  147 ++
 policy/modules/services/ccs.te            |   10 
 policy/modules/services/certmonger.fc     |    6 
 policy/modules/services/certmonger.if     |  218 +++
 policy/modules/services/certmonger.te     |   75 +
 policy/modules/services/cgroup.fc         |   12 
 policy/modules/services/cgroup.if         |  244 ++++
 policy/modules/services/cgroup.te         |  102 +
 policy/modules/services/chronyd.if        |   86 +
 policy/modules/services/chronyd.te        |   10 
 policy/modules/services/clamav.te         |   23 
 policy/modules/services/clogd.fc          |    4 
 policy/modules/services/clogd.if          |   82 +
 policy/modules/services/clogd.te          |   65 +
 policy/modules/services/cmirrord.fc       |    6 
 policy/modules/services/cmirrord.if       |  118 ++
 policy/modules/services/cmirrord.te       |   63 +
 policy/modules/services/cobbler.fc        |    2 
 policy/modules/services/cobbler.if        |    9 
 policy/modules/services/cobbler.te        |   28 
 policy/modules/services/consolekit.fc     |    4 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   42 
 policy/modules/services/corosync.fc       |   15 
 policy/modules/services/corosync.if       |  108 +
 policy/modules/services/corosync.te       |  134 ++
 policy/modules/services/cron.fc           |    6 
 policy/modules/services/cron.if           |  119 +-
 policy/modules/services/cron.te           |  100 +
 policy/modules/services/cups.fc           |   15 
 policy/modules/services/cups.if           |    5 
 policy/modules/services/cups.te           |   68 +
 policy/modules/services/cvs.te            |    2 
 policy/modules/services/cyrus.te          |    2 
 policy/modules/services/dbus.if           |  107 +
 policy/modules/services/dbus.te           |   21 
 policy/modules/services/denyhosts.fc      |    7 
 policy/modules/services/denyhosts.if      |   87 +
 policy/modules/services/denyhosts.te      |   77 +
 policy/modules/services/devicekit.fc      |    8 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |  101 +
 policy/modules/services/dhcp.te           |    4 
 policy/modules/services/djbdns.if         |   38 
 policy/modules/services/djbdns.te         |    8 
 policy/modules/services/dnsmasq.fc        |    2 
 policy/modules/services/dnsmasq.if        |    4 
 policy/modules/services/dnsmasq.te        |   22 
 policy/modules/services/dovecot.fc        |    6 
 policy/modules/services/dovecot.if        |    5 
 policy/modules/services/dovecot.te        |   54 
 policy/modules/services/exim.fc           |    3 
 policy/modules/services/exim.if           |   61 +
 policy/modules/services/exim.te           |    3 
 policy/modules/services/fail2ban.if       |   20 
 policy/modules/services/fprintd.te        |    2 
 policy/modules/services/ftp.fc            |    2 
 policy/modules/services/ftp.if            |   38 
 policy/modules/services/ftp.te            |  179 +++
 policy/modules/services/git.fc            |   11 
 policy/modules/services/git.if            |  526 +++++++++
 policy/modules/services/git.te            |  190 +++
 policy/modules/services/gnomeclock.if     |   21 
 policy/modules/services/gpsd.te           |    5 
 policy/modules/services/hal.if            |   22 
 policy/modules/services/hal.te            |   38 
 policy/modules/services/icecast.te        |    6 
 policy/modules/services/inn.te            |    1 
 policy/modules/services/kerberos.if       |    6 
 policy/modules/services/kerberos.te       |    8 
 policy/modules/services/ksmtuned.fc       |    2 
 policy/modules/services/ksmtuned.if       |    4 
 policy/modules/services/ksmtuned.te       |   13 
 policy/modules/services/ldap.fc           |    5 
 policy/modules/services/ldap.if           |   81 +
 policy/modules/services/ldap.te           |   13 
 policy/modules/services/lircd.te          |   24 
 policy/modules/services/memcached.if      |    1 
 policy/modules/services/milter.if         |   20 
 policy/modules/services/milter.te         |    8 
 policy/modules/services/modemmanager.te   |    9 
 policy/modules/services/mpd.fc            |   11 
 policy/modules/services/mpd.if            |  295 +++++
 policy/modules/services/mpd.te            |  112 ++
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |   68 +
 policy/modules/services/mta.te            |   28 
 policy/modules/services/munin.fc          |   58 +
 policy/modules/services/munin.if          |   66 +
 policy/modules/services/munin.te          |  175 +++
 policy/modules/services/mysql.te          |    3 
 policy/modules/services/nagios.fc         |   83 +
 policy/modules/services/nagios.if         |  160 ++
 policy/modules/services/nagios.te         |  294 ++++-
 policy/modules/services/networkmanager.fc |   20 
 policy/modules/services/networkmanager.if |  125 ++
 policy/modules/services/networkmanager.te |  134 ++
 policy/modules/services/nis.fc            |   10 
 policy/modules/services/nis.if            |   81 +
 policy/modules/services/nis.te            |   23 
 policy/modules/services/nscd.if           |   20 
 policy/modules/services/nscd.te           |   29 
 policy/modules/services/nslcd.te          |    2 
 policy/modules/services/ntop.if           |  156 ++
 policy/modules/services/ntop.te           |   32 
 policy/modules/services/ntp.te            |    3 
 policy/modules/services/nut.te            |    4 
 policy/modules/services/nx.fc             |   12 
 policy/modules/services/nx.if             |   67 +
 policy/modules/services/nx.te             |   13 
 policy/modules/services/oddjob.fc         |    1 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/oddjob.te         |    5 
 policy/modules/services/oident.te         |    1 
 policy/modules/services/openvpn.te        |   10 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/piranha.fc        |   21 
 policy/modules/services/piranha.if        |  175 +++
 policy/modules/services/piranha.te        |  198 +++
 policy/modules/services/plymouthd.fc      |    9 
 policy/modules/services/plymouthd.if      |  322 +++++
 policy/modules/services/plymouthd.te      |  109 +
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   71 +
 policy/modules/services/policykit.te      |   86 +
 policy/modules/services/portreserve.fc    |    3 
 policy/modules/services/portreserve.if    |   55 
 policy/modules/services/portreserve.te    |    5 
 policy/modules/services/postfix.fc        |    3 
 policy/modules/services/postfix.if        |  282 ++++-
 policy/modules/services/postfix.te        |  154 ++
 policy/modules/services/ppp.te            |    4 
 policy/modules/services/procmail.fc       |    2 
 policy/modules/services/procmail.te       |   26 
 policy/modules/services/psad.if           |   26 
 policy/modules/services/psad.te           |    1 
 policy/modules/services/puppet.te         |    2 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/qpidd.fc          |    9 
 policy/modules/services/qpidd.if          |  236 ++++
 policy/modules/services/qpidd.te          |   61 +
 policy/modules/services/radius.te         |    2 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rgmanager.fc      |   10 
 policy/modules/services/rgmanager.if      |  141 ++
 policy/modules/services/rgmanager.te      |  223 ++++
 policy/modules/services/rhcs.fc           |   23 
 policy/modules/services/rhcs.if           |  439 +++++++
 policy/modules/services/rhcs.te           |  244 ++++
 policy/modules/services/ricci.fc          |    3 
 policy/modules/services/ricci.if          |   62 +
 policy/modules/services/ricci.te          |   42 
 policy/modules/services/rlogin.fc         |    3 
 policy/modules/services/rlogin.te         |    1 
 policy/modules/services/rpc.if            |   21 
 policy/modules/services/rpc.te            |   15 
 policy/modules/services/rpcbind.if        |    2 
 policy/modules/services/rpcbind.te        |    4 
 policy/modules/services/rsync.if          |   61 -
 policy/modules/services/rsync.te          |   26 
 policy/modules/services/rtkit.if          |   21 
 policy/modules/services/rtkit.te          |    4 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  134 ++
 policy/modules/services/samba.te          |  123 +-
 policy/modules/services/sasl.te           |    3 
 policy/modules/services/sendmail.fc       |    2 
 policy/modules/services/sendmail.if       |   84 +
 policy/modules/services/sendmail.te       |   20 
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |  124 ++
 policy/modules/services/setroubleshoot.te |   91 +
 policy/modules/services/smartmon.te       |    2 
 policy/modules/services/smokeping.te      |    2 
 policy/modules/services/snmp.te           |    3 
 policy/modules/services/snort.te          |    4 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |  107 +
 policy/modules/services/spamassassin.te   |  141 ++
 policy/modules/services/squid.te          |   21 
 policy/modules/services/ssh.fc            |    6 
 policy/modules/services/ssh.if            |  158 ++
 policy/modules/services/ssh.te            |   56 -
 policy/modules/services/sssd.te           |    3 
 policy/modules/services/sysstat.te        |    4 
 policy/modules/services/tftp.if           |   19 
 policy/modules/services/tgtd.te           |    6 
 policy/modules/services/tor.te            |    3 
 policy/modules/services/tuned.te          |    5 
 policy/modules/services/ucspitcp.te       |    5 
 policy/modules/services/usbmuxd.fc        |    2 
 policy/modules/services/varnishd.if       |   19 
 policy/modules/services/vhostmd.te        |    2 
 policy/modules/services/virt.fc           |    6 
 policy/modules/services/virt.if           |   78 +
 policy/modules/services/virt.te           |   97 +
 policy/modules/services/w3c.te            |    9 
 policy/modules/services/xserver.fc        |   61 -
 policy/modules/services/xserver.if        |  456 +++++++-
 policy/modules/services/xserver.te        |  425 ++++++-
 policy/modules/system/application.te      |   16 
 policy/modules/system/authlogin.fc        |    1 
 policy/modules/system/authlogin.if        |   56 -
 policy/modules/system/daemontools.if      |   62 +
 policy/modules/system/daemontools.te      |   26 
 policy/modules/system/fstools.fc          |    2 
 policy/modules/system/fstools.te          |   12 
 policy/modules/system/getty.te            |    2 
 policy/modules/system/hostname.te         |    7 
 policy/modules/system/hotplug.te          |    2 
 policy/modules/system/init.fc             |    3 
 policy/modules/system/init.if             |  148 ++
 policy/modules/system/init.te             |  214 +++
 policy/modules/system/ipsec.fc            |    1 
 policy/modules/system/ipsec.if            |   72 +
 policy/modules/system/ipsec.te            |   52 
 policy/modules/system/iptables.fc         |    7 
 policy/modules/system/iptables.if         |    4 
 policy/modules/system/iptables.te         |   26 
 policy/modules/system/iscsi.if            |   18 
 policy/modules/system/iscsi.te            |    2 
 policy/modules/system/libraries.fc        |  157 ++
 policy/modules/system/libraries.te        |    8 
 policy/modules/system/locallogin.te       |   40 
 policy/modules/system/logging.fc          |   16 
 policy/modules/system/logging.if          |   62 +
 policy/modules/system/logging.te          |   33 
 policy/modules/system/lvm.fc              |    2 
 policy/modules/system/lvm.if              |    2 
 policy/modules/system/lvm.te              |   21 
 policy/modules/system/miscfiles.fc        |    6 
 policy/modules/system/miscfiles.if        |    3 
 policy/modules/system/modutils.if         |   20 
 policy/modules/system/modutils.te         |   14 
 policy/modules/system/mount.fc            |    8 
 policy/modules/system/mount.if            |  163 ++
 policy/modules/system/mount.te            |  155 ++
 policy/modules/system/raid.te             |    1 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  330 +++++
 policy/modules/system/selinuxutil.te      |  246 +---
 policy/modules/system/setrans.te          |    1 
 policy/modules/system/sosreport.fc        |    2 
 policy/modules/system/sosreport.if        |  131 ++
 policy/modules/system/sosreport.te        |  155 ++
 policy/modules/system/sysnetwork.fc       |    2 
 policy/modules/system/sysnetwork.if       |  171 ++-
 policy/modules/system/sysnetwork.te       |   30 
 policy/modules/system/udev.fc             |    1 
 policy/modules/system/udev.if             |   19 
 policy/modules/system/udev.te             |   13 
 policy/modules/system/unconfined.fc       |   14 
 policy/modules/system/unconfined.if       |  440 -------
 policy/modules/system/unconfined.te       |  224 ----
 policy/modules/system/userdomain.fc       |   12 
 policy/modules/system/userdomain.if       | 1667 ++++++++++++++++++++++++------
 policy/modules/system/userdomain.te       |   58 -
 policy/modules/system/xen.if              |    3 
 policy/modules/system/xen.te              |   15 
 policy/support/misc_patterns.spt          |    8 
 policy/support/obj_perm_sets.spt          |   38 
 policy/users                              |   17 
 446 files changed, 25203 insertions(+), 2243 deletions(-)

Index: policy-F13.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/policy-F13.patch,v
retrieving revision 1.135
retrieving revision 1.136
diff -u -p -r1.135 -r1.136
--- policy-F13.patch	1 Jul 2010 14:11:44 -0000	1.135
+++ policy-F13.patch	9 Jul 2010 10:57:23 -0000	1.136
@@ -2445,8 +2445,16 @@ diff --exclude-from=exclude -N -u -r nsa
  	')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te	2010-06-03 16:34:29.977161309 +0200
-@@ -209,6 +209,7 @@
++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te	2010-07-09 08:51:08.085135159 +0200
+@@ -199,6 +199,7 @@
+ 
+ term_use_all_ttys(groupadd_t)
+ term_use_all_ptys(groupadd_t)
++term_use_generic_ptys(groupadd_t)
+ 
+ init_use_fds(groupadd_t)
+ init_read_utmp(groupadd_t)
+@@ -209,6 +210,7 @@
  files_manage_etc_files(groupadd_t)
  files_relabel_etc_files(groupadd_t)
  files_read_etc_runtime_files(groupadd_t)
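Review bot: The added `term_use_generic_ptys(groupadd_t)` has no comment saying which caller hands groupadd a generically labelled pty, and it sits directly under `term_use_all_ttys(groupadd_t)` and `term_use_all_ptys(groupadd_t)`, so a reader cannot tell why those were not sufficient. A confined domain touching a generic pty often means an inherited descriptor or a pty that was never relabelled. If that is the case here (the AVC is not shown, so this is inferred), `term_dontaudit_use_generic_ptys(groupadd_t)` would silence the denial without granting read/write. Otherwise I would add a line above it such as `# <caller> runs groupadd on an unlabelled devpts pty (bug: <placeholder>)`. The log message lists only the yash label and the rhcs/corosync/piranha fixes, so this grant is not recorded anywhere on the page.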
@@ -2454,7 +2462,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
  corecmd_exec_bin(groupadd_t)
-@@ -256,7 +257,8 @@
+@@ -256,7 +258,8 @@
  # Passwd local policy
  #
  
@@ -2464,7 +2472,7 @@ diff --exclude-from=exclude -N -u -r nsa
  allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow passwd_t self:process { setrlimit setfscreate };
  allow passwd_t self:fd use;
-@@ -294,6 +296,7 @@
+@@ -294,6 +297,7 @@
  
  term_use_all_ttys(passwd_t)
  term_use_all_ptys(passwd_t)
@@ -2472,7 +2480,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  auth_domtrans_chk_passwd(passwd_t)
  auth_manage_shadow(passwd_t)
-@@ -303,6 +306,9 @@
+@@ -303,6 +307,9 @@
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(passwd_t)
@@ -2482,7 +2490,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -333,6 +339,7 @@
+@@ -333,6 +340,7 @@
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2490,7 +2498,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -427,7 +434,7 @@
+@@ -427,7 +435,7 @@
  # Useradd local policy
  #
  
@@ -2499,7 +2507,7 @@ diff --exclude-from=exclude -N -u -r nsa
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -450,6 +457,7 @@
+@@ -450,6 +458,7 @@
  corecmd_exec_bin(useradd_t)
  
  domain_use_interactive_fds(useradd_t)
@@ -2507,7 +2515,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  files_manage_etc_files(useradd_t)
  files_search_var_lib(useradd_t)
-@@ -498,12 +506,8 @@
+@@ -498,12 +507,8 @@
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -2521,7 +2529,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  mta_manage_spool(useradd_t)
  
-@@ -527,6 +531,12 @@
+@@ -527,6 +532,12 @@
  ')
  
  optional_policy(`
@@ -5126,8 +5134,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.19/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.if	2010-05-28 09:41:59.993610716 +0200
-@@ -0,0 +1,391 @@
++++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.if	2010-07-09 08:54:14.254135234 +0200
+@@ -0,0 +1,393 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -5245,6 +5253,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
 +	allow $2 nsplugin_t:unix_stream_socket connectto;
 +
++	allow $2 nsplugin_config_t:process { getattr ptrace signal_perms };
++
 +	# Connect to pulseaudit server
 +	stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
 +	gnome_stream_connect(nsplugin_t, $2)
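Review bot: The new `allow $2 nsplugin_config_t:process { getattr ptrace signal_perms };` gives every calling domain `ptrace` over the plugin configuration helper, which is more than is needed to list or signal the process. If the goal is only that users can see and kill a stuck helper, `allow $2 nsplugin_config_t:process { getattr signal_perms };` would be enough, with ptrace left to a debugging-specific rule. The context line above grants the same set on nsplugin_t, so both deserve the same look. The enclosing interface starts and ends outside the hunk, so which domains are passed as `$2` cannot be seen from here. The log message does not mention this change.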
@@ -6690,8 +6700,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te	2010-06-28 14:07:11.618192152 +0200
-@@ -0,0 +1,389 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te	2010-07-09 09:45:47.464135449 +0200
+@@ -0,0 +1,391 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -7000,12 +7010,14 @@ diff --exclude-from=exclude -N -u -r nsa
 +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
 +
 +files_dontaudit_getattr_all_dirs(sandbox_web_type)
++files_dontaudit_list_mnt(sandbox_web_type)
 +
 +#fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
 +fs_rw_anon_inodefs_files(sandbox_web_type)
 +fs_dontaudit_getattr_all_fs(sandbox_web_type)
 +
 +storage_dontaudit_rw_fuse(sandbox_web_type)
++storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
 +
 +auth_use_nsswitch(sandbox_web_type)
 +
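Review bot: The added `files_dontaudit_list_mnt(sandbox_web_type)` and `storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)` suppress the AVC records for sandboxed web domains listing /mnt and stat-ing fixed disk devices, with no comment saying which program triggers them. The access stays denied, but these are also the records an analyst would look for when sandboxed content enumerates the host, so the rationale should be written next to the rules. Something like `# browser probes /mnt and block devices at startup; denied, not audited` would do, presumably matching the bug that prompted the change. It is worth adding that `semodule -DB` rebuilds the policy with dontaudit rules disabled when these denials need to be seen during an investigation.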
@@ -7743,8 +7755,16 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc	2010-06-30 14:38:26.006616726 +0200
-@@ -49,7 +49,8 @@
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc	2010-07-09 09:51:15.133135220 +0200
+@@ -11,6 +11,7 @@
+ /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/bin/yash           --  gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ 
+ #
+@@ -49,7 +50,8 @@
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
  
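Review bot: The added `/bin/yash` entry separates its fields with runs of spaces, while the neighbouring `/bin/sash`, `/bin/tcsh` and `/bin/zsh.*` lines use tabs. Writing it as `/bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)` with tabs keeps the file-context table aligned and avoids whitespace-only churn in later revisions of the patch. Labelling the binary shell_exec_t lets every domain that may execute shells run it, which matches the log message's intent. Whether the package also installs the shell under another path that would need its own entry cannot be told from this hunk.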
@@ -7754,7 +7774,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  /etc/cron.daily(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/cron.hourly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -70,6 +71,12 @@
+@@ -70,6 +72,12 @@
  
  /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
  
@@ -7767,7 +7787,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -147,6 +154,9 @@
+@@ -147,6 +155,9 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -7777,7 +7797,7 @@ diff --exclude-from=exclude -N -u -r nsa
  #
  # /usr
  #
-@@ -189,7 +199,8 @@
+@@ -189,7 +200,8 @@
  /usr/lib(64)?/debug/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/debug/sbin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/debug/usr/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
@@ -7787,7 +7807,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-@@ -217,10 +228,15 @@
+@@ -217,10 +229,15 @@
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
@@ -7803,7 +7823,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -240,6 +256,7 @@
+@@ -240,6 +257,7 @@
  /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
@@ -7811,7 +7831,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -297,6 +314,7 @@
+@@ -297,6 +315,7 @@
  /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -7819,7 +7839,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +349,21 @@
+@@ -331,3 +350,21 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -8802,7 +8822,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.if	2010-05-28 09:42:00.031611018 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/files.if	2010-07-09 09:46:06.705385324 +0200
 @@ -1053,10 +1053,8 @@
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -9145,7 +9165,32 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -3520,6 +3747,64 @@
+@@ -3156,6 +3383,24 @@
+ 	allow $1 mnt_t:dir list_dir_perms;
+ ')
+ 
++#######################################
++## <summary>
++##  dontaudit List the contents of /mnt.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`files_dontaudit_list_mnt',`
++    gen_require(`
++        type mnt_t;
++    ')
++
++    dontaudit $1 mnt_t:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Mount a filesystem on /mnt.
+@@ -3520,6 +3765,64 @@
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
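Review bot: The header of `files_dontaudit_list_mnt` documents its parameter as `Domain allowed access.`, but the body only emits `dontaudit $1 mnt_t:dir list_dir_perms;` and grants nothing. I would word the summary as `Do not audit attempts to list the contents of /mnt.` and the parameter as `Domain to not audit.`, so the generated interface documentation is not mistaken for an allow rule. As a matter of style, the new body is indented with spaces while the surrounding interfaces use tabs. The same indentation applies to `apache_getattr_suexec` and `rhcs_stream_connect_cluster` further down in this patch.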
@@ -9210,7 +9255,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3705,6 +3990,32 @@
+@@ -3705,6 +4008,32 @@
  
  ########################################
  ## <summary>
@@ -9243,7 +9288,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -3918,6 +4229,13 @@
+@@ -3918,6 +4247,13 @@
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -9257,7 +9302,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -4013,6 +4331,24 @@
+@@ -4013,6 +4349,24 @@
  
  ########################################
  ## <summary>
@@ -9282,7 +9327,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ##	Delete generic files in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -4026,7 +4362,7 @@
+@@ -4026,7 +4380,7 @@
  		type usr_t;
  	')
  
@@ -9291,7 +9336,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -4107,6 +4443,24 @@
+@@ -4107,6 +4461,24 @@
  
  ########################################
  ## <summary>
@@ -9316,7 +9361,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ##	dontaudit write of /usr files
  ## </summary>
  ## <param name="domain">
-@@ -5032,6 +5386,25 @@
+@@ -5032,6 +5404,25 @@
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -9342,7 +9387,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5091,6 +5464,24 @@
+@@ -5091,6 +5482,24 @@
  
  ########################################
  ## <summary>
@@ -9367,7 +9412,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ##	Create an object in the process ID directory, with a private type.
  ## </summary>
  ## <desc>
-@@ -5238,6 +5629,7 @@
+@@ -5238,6 +5647,7 @@
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -9375,7 +9420,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -5306,6 +5698,24 @@
+@@ -5306,6 +5716,24 @@
  
  ########################################
  ## <summary>
@@ -9400,7 +9445,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -5494,12 +5904,15 @@
+@@ -5494,12 +5922,15 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -9417,7 +9462,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	')
  ')
  
-@@ -5520,3 +5933,229 @@
+@@ -5520,3 +5951,229 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -13661,7 +13706,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if	2010-06-25 15:40:57.982387846 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.if	2010-07-09 09:33:54.638134829 +0200
 @@ -13,17 +13,13 @@
  #
  template(`apache_content_template',`
@@ -14031,7 +14076,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	')
  
  	allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1327,44 @@
+@@ -1202,12 +1327,62 @@
  
  	kernel_search_proc($1)
  	allow $1 httpd_t:dir list_dir_perms;
@@ -14076,6 +14121,24 @@ diff --exclude-from=exclude -N -u -r nsa
 + 	dontaudit $1 httpd_t:tcp_socket { read write };
 +	dontaudit $1 httpd_t:unix_dgram_socket { read write };
 +	dontaudit $1 httpd_t:unix_stream_socket { read write };
++')
++
++#######################################
++## <summary>
++##  Allow getattr of suexec
++## </summary>
++## <param name="domain">
++##  <summary>
++##  The type of the process performing this action.
++##  </summary>
++## </param>
++#
++interface(`apache_getattr_suexec',`
++    gen_require(`
++        type httpd_suexec_exec_t;
++    ')
++
++	allow $1 httpd_suexec_exec_t:file getattr;
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2010-04-13 20:44:37.000000000 +0200
@@ -15089,8 +15152,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
 --- nsaserefpolicy/policy/modules/services/boinc.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te	2010-06-28 16:33:50.749151175 +0200
-@@ -0,0 +1,98 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te	2010-07-09 10:05:19.736135219 +0200
+@@ -0,0 +1,100 @@
 +
 +policy_module(boinc,1.0.0)
 +
@@ -15174,6 +15237,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 +domain_read_all_domains_state(boinc_t)
 +
++files_dontaudit_getattr_boot_dirs(boinc_t)
++
 +files_read_etc_files(boinc_t)
 +files_read_usr_files(boinc_t)
 +
@@ -17248,8 +17313,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te
 --- nsaserefpolicy/policy/modules/services/corosync.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/corosync.te	2010-06-21 21:25:04.135155585 +0200
-@@ -0,0 +1,122 @@
++++ serefpolicy-3.7.19/policy/modules/services/corosync.te	2010-07-09 09:07:32.569134985 +0200
+@@ -0,0 +1,134 @@
 +
 +policy_module(corosync,1.0.0)
 +
@@ -17258,6 +17323,13 @@ diff --exclude-from=exclude -N -u -r nsa
 +# Declarations
 +#
 +
++## <desc>
++## <p>
++## Allow corosync to read and write generic tmpfs files.
++## </p>
++## </desc>
++gen_tunable(allow_corosync_rw_tmpfs, false)
++
 +type corosync_t;
 +type corosync_exec_t;
 +init_daemon_domain(corosync_t, corosync_exec_t)
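Review bot: The `<desc>` for `allow_corosync_rw_tmpfs` does not say what "generic tmpfs files" covers or why corosync needs the access. The `fs_rw_tmpfs_files(corosync_t)` call that the tunable guards in the later corosync.te hunk presumably grants read and write on the default tmpfs type, that is, on files created by any domain without a private tmpfs type; this is worth confirming against the interface definition. I would extend the description to something like `Allow corosync to read and write generic (tmpfs_t) files, including those created by other domains; leave disabled unless a cluster component creates unlabeled shared memory.` and reference the bug that motivated it. Defaulting the tunable to `false` is the right choice.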
@@ -17354,6 +17426,10 @@ diff --exclude-from=exclude -N -u -r nsa
 +userdom_delete_user_tmpfs_files(corosync_t)
 +userdom_rw_user_tmpfs_files(corosync_t)
 +
++tunable_policy(`allow_corosync_rw_tmpfs',`
++	fs_rw_tmpfs_files(corosync_t)
++')
++
 +optional_policy(`
 +	ccs_read_config(corosync_t)
 +')
@@ -17366,6 +17442,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +	# to communication with RHCS
 +	rhcs_rw_cluster_shm(corosync_t)
 +	rhcs_rw_cluster_semaphores(corosync_t)
++	rhcs_stream_connect_cluster(corosync_t)
 +')
 +
 +optional_policy(`
@@ -19170,7 +19247,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.19/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.fc	2010-05-28 09:42:00.104610534 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.fc	2010-07-08 14:31:14.740152947 +0200
 @@ -3,6 +3,7 @@
  # /etc
  #
@@ -19184,9 +19261,9 @@ diff --exclude-from=exclude -N -u -r nsa
  ifdef(`distro_redhat', `
  /usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 -/usr/libexec/dovecot/deliver --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+/usr/libexec/dovecot/auth 	  --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
++/usr/libexec/dovecot/auth		  --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 +/usr/libexec/dovecot/deliver	  --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+/usr/libexec/dovecot/deliver-lda  --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
++/usr/libexec/dovecot/dovecot-lda  --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
  ')
  
  #
@@ -19222,7 +19299,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te	2010-06-08 14:51:46.576610409 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te	2010-07-08 14:54:56.727152638 +0200
 @@ -9,6 +9,9 @@
  type dovecot_exec_t;
  init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -19337,7 +19414,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -234,6 +252,8 @@
+@@ -234,18 +252,27 @@
  #
  allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
@@ -19346,7 +19423,18 @@ diff --exclude-from=exclude -N -u -r nsa
  allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
  
-@@ -246,6 +266,7 @@
++allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
++
++can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
++
+ kernel_read_all_sysctls(dovecot_deliver_t)
+ kernel_read_system_state(dovecot_deliver_t)
+ 
++corecmd_exec_bin(dovecot_deliver_t)
++
+ files_read_etc_files(dovecot_deliver_t)
+ files_read_etc_runtime_files(dovecot_deliver_t)
+ 
  auth_use_nsswitch(dovecot_deliver_t)
  
  logging_send_syslog_msg(dovecot_deliver_t)
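Review bot: `corecmd_exec_bin(dovecot_deliver_t)` and `can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)` are added without a comment saying what the delivery agent needs to execute. The first lets the domain run any `bin_t` program without a transition, so whatever it runs keeps the access of dovecot_deliver_t, which the following hunk shows creating user home content. A short why-comment with the bug reference, e.g. `# needed for <program deliver executes>, bug #<id>` (placeholders), would let a later reviewer judge whether a narrower rule is enough. The dovecot_deliver_t rule block starts and ends outside this hunk.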
@@ -19354,7 +19442,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -263,15 +284,24 @@
+@@ -263,15 +290,24 @@
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
  tunable_policy(`use_nfs_home_dirs',`
@@ -21594,8 +21682,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te
 --- nsaserefpolicy/policy/modules/services/mpd.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/mpd.te	2010-06-28 14:07:11.656151016 +0200
-@@ -0,0 +1,111 @@
++++ serefpolicy-3.7.19/policy/modules/services/mpd.te	2010-07-09 09:35:18.424385283 +0200
+@@ -0,0 +1,112 @@
 +
 +policy_module(mpd,1.0.0)
 +
@@ -21673,6 +21761,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 +corenet_sendrecv_pulseaudio_client_packets(mpd_t)
 +corenet_tcp_connect_http_port(mpd_t)
++corenet_tcp_connect_http_cache_port(mpd_t)
 +corenet_tcp_connect_pulseaudio_port(mpd_t)
 +corenet_tcp_bind_mpd_port(mpd_t)
 +corenet_tcp_bind_soundd_port(mpd_t)
@@ -24617,8 +24706,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te
 --- nsaserefpolicy/policy/modules/services/piranha.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/piranha.te	2010-05-28 09:42:00.149610331 +0200
-@@ -0,0 +1,187 @@
++++ serefpolicy-3.7.19/policy/modules/services/piranha.te	2010-07-09 09:34:16.430135505 +0200
+@@ -0,0 +1,198 @@
 +
 +policy_module(piranha,1.0.0)
 +
@@ -24647,6 +24736,9 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 +piranha_domain_template(web)
 +
++type piranha_web_tmpfs_t;
++files_tmpfs_file(piranha_web_tmpfs_t)
++
 +permissive piranha_fos_t;
 +permissive piranha_lvs_t;
 +permissive piranha_pulse_t;
@@ -24677,6 +24769,9 @@ diff --exclude-from=exclude -N -u -r nsa
 +# piranha-gui local policy
 +#
 +
++# bug #584451
++allow piranha_web_t self:capability dac_override;
++
 +allow piranha_web_t self:capability { setuid sys_nice kill setgid };
 +allow piranha_web_t self:process { getsched setsched signal ptrace };
 +allow piranha_web_t self:rawip_socket create_socket_perms;
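Review bot: `allow piranha_web_t self:capability dac_override;` is justified only by `# bug #584451`, which does not tell a reader which file access required it. dac_override lets the process bypass discretionary file permission checks on everything the policy otherwise lets it reach, and the next line already gives this domain setuid, setgid and kill. The comment should name the path that was denied and say why correcting that file's ownership or mode was not an option. If the capability stays, folding it into the existing set (`allow piranha_web_t self:capability { dac_override setuid sys_nice kill setgid };`) keeps the domain's capabilities in one place. The piranha-gui local policy section continues outside this hunk.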
@@ -24691,6 +24786,10 @@ diff --exclude-from=exclude -N -u -r nsa
 +manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
 +logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } )
 +
++manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
++manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
++fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
++
 +piranha_pulse_initrc_domtrans(piranha_web_t)
 +
 +kernel_read_kernel_sysctls(piranha_web_t)
@@ -24706,6 +24805,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +consoletype_exec(piranha_web_t)
 +
 +optional_policy(`
++	apache_getattr_suexec(piranha_web_t)
 +	apache_exec_modules(piranha_web_t)
 +	apache_exec(piranha_web_t)
 +')
@@ -25641,7 +25741,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.19/policy/modules/services/portreserve.te
 --- nsaserefpolicy/policy/modules/services/portreserve.te	2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/portreserve.te	2010-05-28 09:42:00.155610840 +0200
++++ serefpolicy-3.7.19/policy/modules/services/portreserve.te	2010-07-09 09:55:59.073135212 +0200
 @@ -10,6 +10,9 @@
  type portreserve_exec_t;
  init_daemon_domain(portreserve_t, portreserve_exec_t)
@@ -25652,6 +25752,12 @@ diff --exclude-from=exclude -N -u -r nsa
  type portreserve_etc_t;
  files_type(portreserve_etc_t)
  
+@@ -48,3 +51,5 @@
+ corenet_udp_bind_all_ports(portreserve_t)
+ 
+ files_read_etc_files(portreserve_t)
++
++userdom_dontaudit_search_user_home_content(portreserve_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.19/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/postfix.fc	2010-05-28 09:42:00.155610840 +0200
@@ -27658,8 +27764,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.19/policy/modules/services/rhcs.if
 --- nsaserefpolicy/policy/modules/services/rhcs.if	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.if	2010-06-15 18:40:09.967767835 +0200
-@@ -0,0 +1,415 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.if	2010-07-09 10:11:12.956385549 +0200
+@@ -0,0 +1,439 @@
 +## <summary>RHCS - Red Hat Cluster Suite</summary>
 +
 +#######################################
@@ -27677,6 +27783,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +	gen_require(`
 +		attribute cluster_domain;
 +		attribute cluster_tmpfs;
++		attribute cluster_pid;
 +	')
 +
 +	##############################
@@ -27694,7 +27801,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +	type $1_var_log_t;
 +	logging_log_file($1_var_log_t)
 +
-+	type $1_var_run_t;
++	type $1_var_run_t, cluster_pid;
 +	files_pid_file($1_var_run_t)
 +
 +	##############################
@@ -28021,6 +28128,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +	manage_lnk_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
 +')
 +
++
++
 +####################################
 +## <summary>
 +##      Read and write access to cluster domains semaphores.
@@ -28039,6 +28148,27 @@ diff --exclude-from=exclude -N -u -r nsa
 +        allow $1 cluster_domain:sem { rw_sem_perms destroy };
 +')
 +
++#####################################
++## <summary>
++##	Connect to cluster domains over a unix domain
++##	stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhcs_stream_connect_cluster',`
++	gen_require(`
++		attribute cluster_domain;
++		attribute cluster_pid;
++	')
++
++    files_search_pids($1)
++    stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
++')
++
 +######################################
 +## <summary>
 +##	Execute a domain transition to run qdiskd.
@@ -28077,8 +28207,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te	2010-06-15 18:40:09.968779078 +0200
-@@ -0,0 +1,243 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te	2010-07-09 09:10:00.586383981 +0200
+@@ -0,0 +1,244 @@
 +
 +policy_module(rhcs,1.1.0)
 +
@@ -28096,6 +28226,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 +attribute cluster_domain;
 +attribute cluster_tmpfs;
++attribute cluster_pid;
 +
 +rhcs_domain_template(dlm_controld)
 +
@@ -34698,7 +34829,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.19/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/iptables.te	2010-06-16 22:25:36.553110244 +0200
++++ serefpolicy-3.7.19/policy/modules/system/iptables.te	2010-07-09 08:48:44.651135331 +0200
 @@ -14,9 +14,6 @@
  type iptables_initrc_exec_t;
  init_script_file(iptables_initrc_exec_t)
@@ -34766,15 +34897,20 @@ diff --exclude-from=exclude -N -u -r nsa
  
  logging_send_syslog_msg(iptables_t)
  
-@@ -91,6 +99,7 @@
+@@ -90,7 +98,12 @@
+ userdom_use_all_users_fds(iptables_t)
  
  optional_policy(`
++    abrt_append_cache_files(iptables_t)
++')
++
++optional_policy(`
  	fail2ban_append_log(iptables_t)
 +	fail2ban_dontaudit_leaks(iptables_t)
  ')
  
  optional_policy(`
-@@ -113,6 +122,7 @@
+@@ -113,6 +126,7 @@
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -34821,7 +34957,7 @@ diff --exclude-from=exclude -N -u -r nsa
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc	2010-06-21 21:50:18.833156519 +0200
++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc	2010-07-09 09:48:32.034135375 +0200
 @@ -131,13 +131,13 @@
  /usr/lib/vlc/codec/libdmo_plugin\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/codec/librealaudio_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -34870,7 +35006,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ') dnl end distro_redhat
  
  #
-@@ -319,14 +316,150 @@
+@@ -319,14 +316,152 @@
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
@@ -35019,6 +35155,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 +/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
++/usr/local/lexmark/lxk08/lib(/.*)? --   gen_context(system_u:object_r:textrel_shlib_t,s0)
++
 +/usr/lib/nsr/(.*/)?.*\.so		-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
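Review bot: The new `/usr/local/lexmark/lxk08/lib(/.*)?` entry labels every regular file under that directory as `textrel_shlib_t`, whereas the neighbouring entries restrict the label to shared-object names (`/usr/lib/nsr/(.*/)?.*\.so`). textrel_shlib_t is the label for libraries that need text relocation, so it should match as few files as possible. If the Lexmark driver ships only shared objects there, a pattern such as `/usr/local/lexmark/lxk08/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` would be tighter. Otherwise a comment saying why the whole tree needs the label would help.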


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/selinux-policy.spec,v
retrieving revision 1.1036
retrieving revision 1.1037
diff -u -p -r1.1036 -r1.1037
--- selinux-policy.spec	1 Jul 2010 14:11:44 -0000	1.1036
+++ selinux-policy.spec	9 Jul 2010 10:57:25 -0000	1.1037
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 34%{?dist}
+Release: 35%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
 %endif
 
 %changelog
+* Fri Jul 9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-35
+- Add label for /bin/yash
+- Fixes for rhcs and corosync policy
+- Fixes for piranha-web policy
+
 * Thu Jul 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-34
 - Fix ipsec-mgmt inteface
 


