rpms/selinux-policy/F-13 policy-F13.patch, 1.122, 1.123 selinux-policy.spec, 1.1024, 1.1025
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jun 8 15:37:31 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv6775
Modified Files:
policy-F13.patch selinux-policy.spec
Log Message:
- Fixes for cmirrord policy
- Dontaudit xauth to list inotifyfs filesystem.
- Allow xserver to translate contexts.
- Allow kdumpgui domain sys_admin capability
- Allow vpnc to relabelfrom tun_socket
- Allow prelink_cron_system_t to signal
- Fixes for gitolite
- Allow virt domain to read symbolic links in device directories
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/mls | 2
policy/modules/admin/accountsd.fc | 4
policy/modules/admin/accountsd.if | 164 +++
policy/modules/admin/accountsd.te | 64 +
policy/modules/admin/acct.te | 1
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 4
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.if | 3
policy/modules/admin/consoletype.te | 2
policy/modules/admin/dmesg.te | 5
policy/modules/admin/firstboot.te | 7
policy/modules/admin/kismet.te | 1
policy/modules/admin/logrotate.te | 42
policy/modules/admin/mcelog.te | 2
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.fc | 2
policy/modules/admin/netutils.te | 21
policy/modules/admin/prelink.fc | 4
policy/modules/admin/prelink.if | 28
policy/modules/admin/prelink.te | 79 +
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 4
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 387 +++++++
policy/modules/admin/rpm.te | 110 +-
policy/modules/admin/shorewall.te | 6
policy/modules/admin/shutdown.fc | 5
policy/modules/admin/shutdown.if | 136 ++
policy/modules/admin/shutdown.te | 63 +
policy/modules/admin/su.if | 11
policy/modules/admin/sudo.if | 12
policy/modules/admin/tmpreaper.te | 24
policy/modules/admin/usermanage.if | 20
policy/modules/admin/usermanage.te | 24
policy/modules/admin/vbetool.te | 6
policy/modules/admin/vpn.if | 20
policy/modules/admin/vpn.te | 8
policy/modules/apps/chrome.fc | 3
policy/modules/apps/chrome.if | 90 +
policy/modules/apps/chrome.te | 86 +
policy/modules/apps/cpufreqselector.te | 4
policy/modules/apps/execmem.fc | 47
policy/modules/apps/execmem.if | 110 ++
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 66 +
policy/modules/apps/gitosis.fc | 2
policy/modules/apps/gitosis.if | 2
policy/modules/apps/gitosis.te | 7
policy/modules/apps/gnome.fc | 24
policy/modules/apps/gnome.if | 438 ++++++++
policy/modules/apps/gnome.te | 118 ++
policy/modules/apps/gpg.fc | 1
policy/modules/apps/gpg.if | 114 ++
policy/modules/apps/gpg.te | 157 ++
policy/modules/apps/irc.fc | 7
policy/modules/apps/irc.if | 37
policy/modules/apps/irc.te | 104 +
policy/modules/apps/java.fc | 7
policy/modules/apps/java.if | 4
policy/modules/apps/java.te | 9
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 68 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 127 ++
policy/modules/apps/livecd.te | 34
policy/modules/apps/loadkeys.if | 3
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.if | 5
policy/modules/apps/mozilla.fc | 2
policy/modules/apps/mozilla.if | 62 +
policy/modules/apps/mozilla.te | 22
policy/modules/apps/mplayer.if | 36
policy/modules/apps/mplayer.te | 29
policy/modules/apps/nsplugin.fc | 10
policy/modules/apps/nsplugin.if | 391 +++++++
policy/modules/apps/nsplugin.te | 297 +++++
policy/modules/apps/openoffice.fc | 4
policy/modules/apps/openoffice.if | 129 ++
policy/modules/apps/openoffice.te | 17
policy/modules/apps/podsleuth.te | 3
policy/modules/apps/pulseaudio.fc | 1
policy/modules/apps/pulseaudio.if | 57 +
policy/modules/apps/pulseaudio.te | 7
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 84 +
policy/modules/apps/qemu.te | 11
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 66 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 314 +++++
policy/modules/apps/sandbox.te | 385 +++++++
policy/modules/apps/seunshare.if | 78 -
policy/modules/apps/seunshare.te | 35
policy/modules/apps/slocate.te | 4
policy/modules/apps/telepathysofiasip.fc | 2
policy/modules/apps/telepathysofiasip.if | 69 +
policy/modules/apps/telepathysofiasip.te | 45
policy/modules/apps/userhelper.fc | 1
policy/modules/apps/userhelper.if | 56 +
policy/modules/apps/userhelper.te | 42
policy/modules/apps/vmware.if | 19
policy/modules/apps/vmware.te | 14
policy/modules/apps/wine.fc | 1
policy/modules/apps/wine.if | 11
policy/modules/apps/wine.te | 22
policy/modules/apps/wm.if | 16
policy/modules/kernel/corecommands.fc | 34
policy/modules/kernel/corecommands.if | 2
policy/modules/kernel/corenetwork.te.in | 35
policy/modules/kernel/devices.fc | 9
policy/modules/kernel/devices.if | 216 +++
policy/modules/kernel/devices.te | 18
policy/modules/kernel/domain.if | 63 +
policy/modules/kernel/domain.te | 112 ++
policy/modules/kernel/files.fc | 27
policy/modules/kernel/files.if | 653 +++++++++++
policy/modules/kernel/files.te | 15
policy/modules/kernel/filesystem.if | 296 ++++-
policy/modules/kernel/filesystem.te | 11
policy/modules/kernel/kernel.if | 107 +
policy/modules/kernel/kernel.te | 36
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 22
policy/modules/kernel/terminal.if | 29
policy/modules/roles/auditadm.te | 3
policy/modules/roles/guest.te | 8
policy/modules/roles/secadm.te | 2
policy/modules/roles/staff.te | 118 ++
policy/modules/roles/sysadm.te | 98 +
policy/modules/roles/unconfineduser.fc | 10
policy/modules/roles/unconfineduser.if | 667 ++++++++++++
policy/modules/roles/unconfineduser.te | 439 ++++++++
policy/modules/roles/unprivuser.te | 23
policy/modules/roles/xguest.te | 79 +
policy/modules/services/abrt.fc | 17
policy/modules/services/abrt.if | 208 +++
policy/modules/services/abrt.te | 163 ++
policy/modules/services/afs.te | 5
policy/modules/services/aiccu.fc | 5
policy/modules/services/aiccu.if | 119 ++
policy/modules/services/aiccu.te | 44
policy/modules/services/aisexec.fc | 10
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 118 ++
policy/modules/services/apache.fc | 18
policy/modules/services/apache.if | 203 +++
policy/modules/services/apache.te | 234 ++++
policy/modules/services/apcupsd.te | 4
policy/modules/services/arpwatch.te | 4
policy/modules/services/asterisk.if | 19
policy/modules/services/asterisk.te | 45
policy/modules/services/automount.te | 1
policy/modules/services/avahi.if | 1
policy/modules/services/bluetooth.if | 21
policy/modules/services/boinc.fc | 6
policy/modules/services/boinc.if | 151 ++
policy/modules/services/boinc.te | 97 +
policy/modules/services/bugzilla.fc | 4
policy/modules/services/bugzilla.if | 39
policy/modules/services/bugzilla.te | 57 +
policy/modules/services/cachefilesd.fc | 29
policy/modules/services/cachefilesd.if | 41
policy/modules/services/cachefilesd.te | 147 ++
policy/modules/services/ccs.te | 10
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 +++
policy/modules/services/certmonger.te | 75 +
policy/modules/services/cgroup.fc | 12
policy/modules/services/cgroup.if | 243 ++++
policy/modules/services/cgroup.te | 102 +
policy/modules/services/chronyd.if | 77 +
policy/modules/services/chronyd.te | 10
policy/modules/services/clamav.te | 21
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 82 +
policy/modules/services/clogd.te | 65 +
policy/modules/services/cmirrord.fc | 6
policy/modules/services/cmirrord.if | 118 ++
policy/modules/services/cmirrord.te | 63 +
policy/modules/services/cobbler.if | 4
policy/modules/services/cobbler.te | 14
policy/modules/services/consolekit.fc | 4
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 38
policy/modules/services/corosync.fc | 15
policy/modules/services/corosync.if | 108 +
policy/modules/services/corosync.te | 126 ++
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 101 +
policy/modules/services/cron.te | 100 +
policy/modules/services/cups.fc | 15
policy/modules/services/cups.te | 68 +
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 2
policy/modules/services/dbus.if | 107 +
policy/modules/services/dbus.te | 21
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 87 +
policy/modules/services/denyhosts.te | 76 +
policy/modules/services/devicekit.fc | 8
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 101 +
policy/modules/services/dhcp.te | 4
policy/modules/services/djbdns.if | 38
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 2
policy/modules/services/dnsmasq.if | 4
policy/modules/services/dnsmasq.te | 22
policy/modules/services/dovecot.fc | 6
policy/modules/services/dovecot.te | 48
policy/modules/services/exim.fc | 3
policy/modules/services/exim.if | 61 +
policy/modules/services/exim.te | 3
policy/modules/services/fail2ban.if | 20
policy/modules/services/fprintd.te | 2
policy/modules/services/ftp.fc | 2
policy/modules/services/ftp.if | 38
policy/modules/services/ftp.te | 179 +++
policy/modules/services/git.fc | 9
policy/modules/services/git.if | 526 +++++++++
policy/modules/services/git.te | 190 +++
policy/modules/services/gnomeclock.if | 21
policy/modules/services/gpsd.te | 5
policy/modules/services/hal.if | 22
policy/modules/services/hal.te | 37
policy/modules/services/inn.te | 1
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 5
policy/modules/services/ksmtuned.fc | 2
policy/modules/services/ksmtuned.te | 11
policy/modules/services/ldap.fc | 5
policy/modules/services/ldap.if | 81 +
policy/modules/services/ldap.te | 13
policy/modules/services/lircd.te | 23
policy/modules/services/milter.if | 20
policy/modules/services/milter.te | 8
policy/modules/services/modemmanager.te | 9
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 68 +
policy/modules/services/mta.te | 25
policy/modules/services/munin.fc | 58 +
policy/modules/services/munin.if | 66 +
policy/modules/services/munin.te | 175 +++
policy/modules/services/mysql.te | 3
policy/modules/services/nagios.fc | 83 +
policy/modules/services/nagios.if | 160 ++
policy/modules/services/nagios.te | 294 ++++-
policy/modules/services/networkmanager.fc | 20
policy/modules/services/networkmanager.if | 126 ++
policy/modules/services/networkmanager.te | 127 +-
policy/modules/services/nis.fc | 10
policy/modules/services/nis.if | 81 +
policy/modules/services/nis.te | 23
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 29
policy/modules/services/nslcd.te | 2
policy/modules/services/ntop.te | 32
policy/modules/services/ntp.te | 3
policy/modules/services/nut.te | 4
policy/modules/services/nx.fc | 12
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.fc | 1
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/oident.te | 1
policy/modules/services/openvpn.te | 7
policy/modules/services/pegasus.te | 28
policy/modules/services/piranha.fc | 21
policy/modules/services/piranha.if | 175 +++
policy/modules/services/piranha.te | 187 +++
policy/modules/services/plymouthd.fc | 9
policy/modules/services/plymouthd.if | 322 +++++
policy/modules/services/plymouthd.te | 109 ++
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 86 +
policy/modules/services/portreserve.fc | 3
policy/modules/services/portreserve.if | 55 +
policy/modules/services/portreserve.te | 3
policy/modules/services/postfix.fc | 3
policy/modules/services/postfix.if | 282 ++++-
policy/modules/services/postfix.te | 152 ++
policy/modules/services/ppp.te | 4
policy/modules/services/procmail.fc | 2
policy/modules/services/procmail.te | 26
policy/modules/services/psad.te | 1
policy/modules/services/puppet.te | 2
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/qpidd.fc | 9
policy/modules/services/qpidd.if | 236 ++++
policy/modules/services/qpidd.te | 61 +
policy/modules/services/radius.te | 2
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 10
policy/modules/services/rgmanager.if | 141 ++
policy/modules/services/rgmanager.te | 223 ++++
policy/modules/services/rhcs.fc | 23
policy/modules/services/rhcs.if | 424 +++++++
policy/modules/services/rhcs.te | 242 ++++
policy/modules/services/ricci.fc | 3
policy/modules/services/ricci.if | 62 +
policy/modules/services/ricci.te | 42
policy/modules/services/rlogin.fc | 3
policy/modules/services/rlogin.te | 1
policy/modules/services/rpc.if | 21
policy/modules/services/rpc.te | 15
policy/modules/services/rsync.if | 4
policy/modules/services/rsync.te | 26
policy/modules/services/rtkit.if | 21
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 138 ++
policy/modules/services/samba.te | 123 +-
policy/modules/services/sasl.te | 3
policy/modules/services/sendmail.fc | 2
policy/modules/services/sendmail.if | 84 +
policy/modules/services/sendmail.te | 20
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 91 +
policy/modules/services/smartmon.te | 2
policy/modules/services/smokeping.te | 2
policy/modules/services/snmp.te | 3
policy/modules/services/snort.te | 4
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 107 +
policy/modules/services/spamassassin.te | 141 ++
policy/modules/services/squid.te | 21
policy/modules/services/ssh.fc | 6
policy/modules/services/ssh.if | 158 ++
policy/modules/services/ssh.te | 56 -
policy/modules/services/sssd.te | 3
policy/modules/services/sysstat.te | 4
policy/modules/services/tgtd.te | 6
policy/modules/services/tor.te | 3
policy/modules/services/tuned.te | 5
policy/modules/services/ucspitcp.te | 5
policy/modules/services/usbmuxd.fc | 2
policy/modules/services/varnishd.if | 19
policy/modules/services/vhostmd.te | 2
policy/modules/services/virt.fc | 6
policy/modules/services/virt.if | 59 -
policy/modules/services/virt.te | 95 +
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 61 -
policy/modules/services/xserver.if | 456 ++++++++
policy/modules/services/xserver.te | 424 ++++++-
policy/modules/system/application.te | 16
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 56 -
policy/modules/system/daemontools.if | 62 +
policy/modules/system/daemontools.te | 26
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 12
policy/modules/system/getty.te | 2
policy/modules/system/hostname.te | 7
policy/modules/system/init.fc | 3
policy/modules/system/init.if | 146 ++
policy/modules/system/init.te | 213 +++
policy/modules/system/ipsec.te | 17
policy/modules/system/iptables.fc | 9
policy/modules/system/iptables.if | 4
policy/modules/system/iptables.te | 21
policy/modules/system/iscsi.if | 18
policy/modules/system/libraries.fc | 152 ++
policy/modules/system/libraries.te | 8
policy/modules/system/locallogin.te | 40
policy/modules/system/logging.fc | 16
policy/modules/system/logging.if | 43
policy/modules/system/logging.te | 23
policy/modules/system/lvm.fc | 2
policy/modules/system/lvm.if | 2
policy/modules/system/lvm.te | 21
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 3
policy/modules/system/modutils.te | 14
policy/modules/system/mount.fc | 8
policy/modules/system/mount.if | 163 ++
policy/modules/system/mount.te | 153 ++
policy/modules/system/raid.te | 1
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 330 ++++++
policy/modules/system/selinuxutil.te | 246 +---
policy/modules/system/setrans.te | 1
policy/modules/system/sosreport.fc | 2
policy/modules/system/sosreport.if | 131 ++
policy/modules/system/sosreport.te | 155 ++
policy/modules/system/sysnetwork.fc | 2
policy/modules/system/sysnetwork.if | 133 ++
policy/modules/system/sysnetwork.te | 29
policy/modules/system/udev.fc | 1
policy/modules/system/udev.if | 19
policy/modules/system/udev.te | 13
policy/modules/system/unconfined.fc | 14
policy/modules/system/unconfined.if | 440 --------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 11
policy/modules/system/userdomain.if | 1634 ++++++++++++++++++++++++------
policy/modules/system/userdomain.te | 54
policy/modules/system/xen.if | 3
policy/modules/system/xen.te | 14
policy/support/misc_patterns.spt | 8
policy/support/obj_perm_sets.spt | 38
policy/users | 17
416 files changed, 23786 insertions(+), 2162 deletions(-)
Index: policy-F13.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/policy-F13.patch,v
retrieving revision 1.122
retrieving revision 1.123
diff -u -p -r1.122 -r1.123
--- policy-F13.patch 3 Jun 2010 14:59:23 -0000 1.122
+++ policy-F13.patch 8 Jun 2010 15:37:29 -0000 1.123
@@ -720,7 +720,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-05-28 09:41:59.956610558 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-06-08 14:47:28.309627171 +0200
@@ -21,8 +21,21 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -802,7 +802,7 @@ diff --exclude-from=exclude -N -u -r nsa
+#
+
+allow prelink_cron_system_t self:capability setuid;
-+allow prelink_cron_system_t self:process { setsched setfscreate };
++allow prelink_cron_system_t self:process { setsched setfscreate signal };
+
+allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
+allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
@@ -2255,13 +2255,13 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.19/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-05-28 09:41:59.969610893 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-06-08 14:44:13.503860559 +0200
@@ -31,7 +31,7 @@
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t self:tun_socket create;
-+allow vpnc_t self:tun_socket { create_socket_perms };
++allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
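Review bot: `allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };` grants only the relabelfrom side; when a domain attaches to an already-existing tun device the kernel checks relabelfrom on the device's current SID and then relabelto on the attaching domain's own SID, so if the denial this fixes came from vpnc re-attaching to its own persistent tun interface a relabelto denial is likely to follow. If that is the case the line should read `allow vpnc_t self:tun_socket { create_socket_perms relabelfrom relabelto };`. The braces around the bare `create_socket_perms` macro are unnecessary but harmless, and the vpnc_t policy block continues outside the hunk.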
@@ -2779,6 +2779,15 @@ diff --exclude-from=exclude -N -u -r nsa
+ policykit_dbus_chat(firewallgui_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.7.19/policy/modules/apps/gitosis.fc
+--- nsaserefpolicy/policy/modules/apps/gitosis.fc 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/gitosis.fc 2010-06-08 14:54:39.156860589 +0200
+@@ -1,3 +1,5 @@
+ /usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
++/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+ /var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
++/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.19/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/apps/gitosis.if 2010-05-28 09:41:59.975610499 +0200
@@ -2791,6 +2800,28 @@ diff --exclude-from=exclude -N -u -r nsa
')
######################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.7.19/policy/modules/apps/gitosis.te
+--- nsaserefpolicy/policy/modules/apps/gitosis.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/gitosis.te 2010-06-08 14:54:39.156860589 +0200
+@@ -26,12 +26,17 @@
+ manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+
++kernel_read_system_state(gitosis_t)
++
+ corecmd_exec_bin(gitosis_t)
+ corecmd_exec_shell(gitosis_t)
+
+-kernel_read_system_state(gitosis_t)
++dev_read_urand(gitosis_t)
+
++files_read_etc_files(gitosis_t)
+ files_read_usr_files(gitosis_t)
+ files_search_var_lib(gitosis_t)
+
+ miscfiles_read_localization(gitosis_t)
++
++sysnet_read_config(gitosis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.19/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-05-28 09:41:59.976610853 +0200
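Review bot: The new `files_read_etc_files(gitosis_t)` and `sysnet_read_config(gitosis_t)` in gitosis.te look like the usual footprint of a name-service lookup (reading /etc plus the network configuration); if that is what the gitolite denials were, `auth_use_nsswitch(gitosis_t)` is the refpolicy interface intended for it and also covers the nscd/sssd socket paths that the two direct grants leave out. If the reads are for something else, a one-line comment above the pair naming the operation would keep the fairly wide read of /etc from being questioned later. The `kernel_read_system_state(gitosis_t)` lines are a pure reorder, and the gitosis_t block continues outside the hunk.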
@@ -4164,7 +4195,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te 2010-05-28 09:41:59.985610961 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te 2010-06-08 15:04:19.920622331 +0200
@@ -0,0 +1,68 @@
+policy_module(kdumpgui,1.0.0)
+
@@ -4183,7 +4214,7 @@ diff --exclude-from=exclude -N -u -r nsa
+# system-config-kdump local policy
+#
+
-+allow kdumpgui_t self:capability { net_admin sys_rawio };
++allow kdumpgui_t self:capability { sys_admin net_admin sys_rawio };
+allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
+
+allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
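Review bot: `allow kdumpgui_t self:capability { sys_admin net_admin sys_rawio };` adds sys_admin, the broadest capability available, without a comment recording which operation of system-config-kdump requires it; the log entry only restates the grant. A short comment above the line such as `# sys_admin: needed for <operation> -- TODO confirm against the AVC denial` would let the grant be narrowed, or turned into a dontaudit if the operation turns out to be optional, once the cause is known. The kdumpgui_t policy block continues beyond the hunk.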
@@ -5736,8 +5767,8 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-05-28 09:41:59.998610877 +0200
-@@ -41,6 +41,7 @@
++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-06-08 14:18:19.967627028 +0200
+@@ -41,9 +41,11 @@
manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs(pulseaudio_t)
@@ -5745,7 +5776,11 @@ diff --exclude-from=exclude -N -u -r nsa
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -128,6 +129,7 @@
++manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+
+ manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+@@ -128,6 +130,7 @@
')
optional_policy(`
@@ -5753,7 +5788,7 @@ diff --exclude-from=exclude -N -u -r nsa
udev_read_db(pulseaudio_t)
')
-@@ -138,3 +140,7 @@
+@@ -138,3 +141,7 @@
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -7188,7 +7223,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.19/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-06-01 17:53:10.951411029 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-06-08 14:24:13.013626203 +0200
@@ -29,6 +29,10 @@
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -7213,16 +7248,18 @@ diff --exclude-from=exclude -N -u -r nsa
manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
-@@ -87,6 +97,8 @@
+@@ -87,7 +97,10 @@
manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+can_exec(vmware_host_t, vmware_host_exec_t)
+
kernel_read_kernel_sysctls(vmware_host_t)
++kernel_read_network_state(vmware_host_t)
kernel_read_system_state(vmware_host_t)
-@@ -114,6 +126,7 @@
+ corenet_all_recvfrom_unlabeled(vmware_host_t)
+@@ -114,6 +127,7 @@
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
@@ -7369,7 +7406,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-05-28 09:42:00.017610539 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-06-08 14:54:39.159871918 +0200
@@ -49,7 +49,8 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -7400,7 +7437,7 @@ diff --exclude-from=exclude -N -u -r nsa
#
# /usr
#
-@@ -217,10 +224,13 @@
+@@ -217,10 +224,15 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -7411,10 +7448,12 @@ diff --exclude-from=exclude -N -u -r nsa
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -240,6 +250,7 @@
+@@ -240,6 +252,7 @@
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7422,7 +7461,7 @@ diff --exclude-from=exclude -N -u -r nsa
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -297,6 +308,7 @@
+@@ -297,6 +310,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -7430,7 +7469,7 @@ diff --exclude-from=exclude -N -u -r nsa
/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +343,21 @@
+@@ -331,3 +345,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -7668,7 +7707,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-06-03 09:52:19.243160045 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-06-08 15:56:44.863609937 +0200
@@ -407,7 +407,7 @@
########################################
@@ -7754,7 +7793,32 @@ diff --exclude-from=exclude -N -u -r nsa
## Do not audit attempts to set the attributes
## of symbolic links in device directories (/dev).
## </summary>
-@@ -711,6 +765,33 @@
+@@ -514,6 +568,24 @@
+ dontaudit $1 device_t:lnk_file setattr;
+ ')
+
++#######################################
++## <summary>
++## Read symbolic links in device directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_generic_symlinks',`
++ gen_require(`
++ type device_t;
++ ')
++
++ allow $1 device_t:lnk_file read_lnk_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Create symbolic links in device directories.
+@@ -711,6 +783,33 @@
########################################
## <summary>
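Review bot: The separator line above the new `dev_read_generic_symlinks` interface (`+#######################################`) appears to be one `#` shorter than the forty-character separator used by the neighbouring interfaces in devices.if (compare the line preceding the `Create symbolic links in device directories` summary); matching it keeps the file uniform. The interface body, a `gen_require` of `device_t` followed by `allow $1 device_t:lnk_file read_lnk_file_perms;`, follows the surrounding pattern, and the caller implied by the log entry about virt domains reading device symlinks is outside this chunk.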
@@ -7788,7 +7852,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Getattr on all block file device nodes.
## </summary>
## <param name="domain">
-@@ -934,6 +1015,42 @@
+@@ -934,6 +1033,42 @@
########################################
## <summary>
@@ -7831,7 +7895,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -2042,6 +2159,24 @@
+@@ -2042,6 +2177,24 @@
########################################
## <summary>
@@ -7856,7 +7920,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Read the lvm comtrol device.
## </summary>
## <param name="domain">
-@@ -2597,6 +2732,7 @@
+@@ -2597,6 +2750,7 @@
type mtrr_device_t;
')
@@ -7864,7 +7928,7 @@ diff --exclude-from=exclude -N -u -r nsa
dontaudit $1 mtrr_device_t:chr_file write;
')
-@@ -3440,6 +3576,24 @@
+@@ -3440,6 +3594,24 @@
########################################
## <summary>
@@ -7889,7 +7953,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3733,6 +3887,24 @@
+@@ -3733,6 +3905,24 @@
########################################
## <summary>
@@ -7914,7 +7978,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -3905,6 +4077,26 @@
+@@ -3905,6 +4095,26 @@
########################################
## <summary>
@@ -9961,7 +10025,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2010-05-28 09:42:00.039611192 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2010-06-08 14:14:59.376610813 +0200
@@ -46,15 +46,6 @@
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -10012,7 +10076,7 @@ diff --exclude-from=exclude -N -u -r nsa
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -270,6 +272,8 @@
+@@ -270,19 +272,29 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -10020,8 +10084,10 @@ diff --exclude-from=exclude -N -u -r nsa
+files_manage_generic_spool_dirs(kernel_t)
mcs_process_set_categories(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
-@@ -277,12 +281,18 @@
+ mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
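Review bot: `mcs_file_read_all(kernel_t)` and `mcs_file_write_all(kernel_t)` are added here with no changelog entry and no comment, although giving kernel_t an MCS category override on every file is a visible widening of the policy that a later reader will want justified. A one-line comment above the pair, e.g. `# kernel_t must reach files of any MCS category: <reason or bug id>`, would separate a deliberate change from a leftover. The kernel_t block continues outside this hunk, so the MLS/MCS lines that follow are only partly visible here.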
@@ -10040,7 +10106,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -359,6 +369,10 @@
+@@ -359,6 +371,10 @@
unconfined_domain_noaudit(kernel_t)
')
@@ -15760,7 +15826,7 @@ diff --exclude-from=exclude -N -u -r nsa
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-05-28 09:42:00.078610798 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-06-08 15:32:46.193610434 +0200
@@ -1,6 +1,13 @@
policy_module(clamav, 1.7.1)
@@ -15806,14 +15872,16 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
-@@ -246,6 +259,12 @@
+@@ -246,6 +259,14 @@
mta_send_mail(clamscan_t)
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
++ allow clamscan_t self:process execmem;
+', `
+ dontaudit clamd_t self:process execmem;
++ dontaudit clamscan_t self:process execmem;
+')
+
optional_policy(`
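Review bot: The `clamd_use_jit` tunable now also governs `execmem` for clamscan_t, but neither the changelog nor a comment records that, and the tunable's description (declared outside this hunk) presumably still names only clamd. Since `execmem` relaxes the usual executable-memory restriction it is gated behind a tunable for a reason, so the description where the tunable is declared should state that it covers both clamd and clamscan. If clamscan shares clamd's JIT, a comment such as `# clamscan uses the same JIT engine as clamd` above the new allow lines would explain the pairing.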
@@ -16116,8 +16184,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.7.19/policy/modules/services/cmirrord.te
--- nsaserefpolicy/policy/modules/services/cmirrord.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2010-05-28 12:25:06.226860459 +0200
-@@ -0,0 +1,60 @@
++++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2010-06-04 07:40:07.080159214 +0200
+@@ -0,0 +1,63 @@
+
+policy_module(cmirrord,1.0.0)
+
@@ -16168,6 +16236,9 @@ diff --exclude-from=exclude -N -u -r nsa
+
+files_read_etc_files(cmirrord_t)
+
++storage_raw_read_fixed_disk(cmirrord_t)
++storage_raw_write_fixed_disk(cmirrord_t)
++
+libs_use_ld_so(cmirrord_t)
+libs_use_shared_libs(cmirrord_t)
+
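Review bot: `storage_raw_read_fixed_disk(cmirrord_t)` and `storage_raw_write_fixed_disk(cmirrord_t)` give the domain direct read and write access to fixed-disk block devices, one of the broadest storage permissions in the policy, yet the hunk carries no comment and the changelog says only "Fixes for cmirrord policy". A short justification above the pair, e.g. `# raw fixed-disk access: <denial or use case that required it — confirm>`, would record what was observed and let a later reader judge whether a narrower interface would do. The cmirrord_t definition begins outside this hunk.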
@@ -18440,7 +18511,7 @@ diff --exclude-from=exclude -N -u -r nsa
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-05-28 09:42:00.105610536 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-06-08 14:51:46.576610409 +0200
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -18572,7 +18643,7 @@ diff --exclude-from=exclude -N -u -r nsa
miscfiles_read_localization(dovecot_deliver_t)
-@@ -263,11 +284,19 @@
+@@ -263,15 +284,24 @@
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`use_nfs_home_dirs',`
@@ -18592,6 +18663,11 @@ diff --exclude-from=exclude -N -u -r nsa
fs_manage_cifs_files(dovecot_t)
fs_manage_cifs_symlinks(dovecot_t)
')
+
+ optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
++ mta_read_queue(dovecot_deliver_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.7.19/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/exim.fc 2010-05-28 09:42:00.105610536 +0200
@@ -29664,7 +29740,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-06-03 09:52:19.271161182 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-06-08 15:55:41.764860629 +0200
@@ -1,5 +1,5 @@
-policy_module(virt, 1.3.2)
@@ -29876,7 +29952,15 @@ diff --exclude-from=exclude -N -u -r nsa
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -434,6 +489,7 @@
+@@ -427,6 +482,7 @@
+ corenet_tcp_bind_virt_migration_port(virt_domain)
+ corenet_tcp_connect_virt_migration_port(virt_domain)
+
++dev_read_generic_symlinks(virt_domain)
+ dev_read_rand(virt_domain)
+ dev_read_sound(virt_domain)
+ dev_read_urand(virt_domain)
+@@ -434,6 +490,7 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -29884,7 +29968,7 @@ diff --exclude-from=exclude -N -u -r nsa
domain_use_interactive_fds(virt_domain)
-@@ -445,6 +501,11 @@
+@@ -445,6 +502,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -29896,7 +29980,7 @@ diff --exclude-from=exclude -N -u -r nsa
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +523,13 @@
+@@ -462,8 +524,13 @@
')
optional_policy(`
@@ -30673,7 +30757,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-28 09:42:00.207610801 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-06-08 14:36:03.433610464 +0200
@@ -1,5 +1,5 @@
-policy_module(xserver, 3.3.2)
@@ -30854,7 +30938,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +293,63 @@
+@@ -250,30 +293,65 @@
fs_manage_cifs_files(iceauth_t)
')
@@ -30868,6 +30952,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
++ userdom_dontaudit_write_user_tmp_files(iceauth_t)
+
+ optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(iceauth_t)
@@ -30911,17 +30996,19 @@ diff --exclude-from=exclude -N -u -r nsa
files_read_etc_files(xauth_t)
+files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
+-
+-fs_getattr_xattr_fs(xauth_t)
+files_dontaudit_getattr_all_dirs(xauth_t)
+files_dontaudit_leaks(xauth_t)
+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
-
--fs_getattr_xattr_fs(xauth_t)
++
+fs_dontaudit_leaks(xauth_t)
++fs_dontaudit_list_inotifyfs(xauth_t)
+fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
-@@ -283,17 +359,36 @@
+@@ -283,17 +361,36 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
@@ -30958,7 +31045,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -305,20 +400,33 @@
+@@ -305,20 +402,33 @@
# XDM Local policy
#
@@ -30995,7 +31082,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -326,32 +434,53 @@
+@@ -326,32 +436,53 @@
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -31054,7 +31141,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +488,13 @@
+@@ -359,10 +490,13 @@
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -31068,7 +31155,7 @@ diff --exclude-from=exclude -N -u -r nsa
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,15 +503,21 @@
+@@ -371,15 +505,21 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -31091,7 +31178,7 @@ diff --exclude-from=exclude -N -u -r nsa
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-@@ -394,11 +532,14 @@
+@@ -394,11 +534,14 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -31106,7 +31193,7 @@ diff --exclude-from=exclude -N -u -r nsa
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +547,7 @@
+@@ -406,6 +549,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -31114,7 +31201,7 @@ diff --exclude-from=exclude -N -u -r nsa
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +556,22 @@
+@@ -414,18 +558,22 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -31140,7 +31227,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +582,17 @@
+@@ -436,9 +584,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -31158,7 +31245,7 @@ diff --exclude-from=exclude -N -u -r nsa
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +601,19 @@
+@@ -447,14 +603,19 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -31178,7 +31265,7 @@ diff --exclude-from=exclude -N -u -r nsa
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +624,12 @@
+@@ -465,10 +626,12 @@
logging_read_generic_logs(xdm_t)
@@ -31193,7 +31280,7 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +638,11 @@
+@@ -477,6 +640,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -31205,7 +31292,7 @@ diff --exclude-from=exclude -N -u -r nsa
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -508,11 +674,17 @@
+@@ -508,11 +676,17 @@
')
optional_policy(`
@@ -31223,7 +31310,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -520,12 +692,50 @@
+@@ -520,12 +694,50 @@
')
optional_policy(`
@@ -31274,7 +31361,7 @@ diff --exclude-from=exclude -N -u -r nsa
hostname_exec(xdm_t)
')
-@@ -543,20 +753,59 @@
+@@ -543,20 +755,59 @@
')
optional_policy(`
@@ -31336,7 +31423,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +814,6 @@
+@@ -565,7 +816,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -31344,7 +31431,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +824,10 @@
+@@ -576,6 +826,10 @@
')
optional_policy(`
@@ -31355,7 +31442,7 @@ diff --exclude-from=exclude -N -u -r nsa
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +852,9 @@
+@@ -600,10 +854,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -31367,7 +31454,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +866,18 @@
+@@ -615,6 +868,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -31386,7 +31473,7 @@ diff --exclude-from=exclude -N -u -r nsa
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +897,19 @@
+@@ -634,12 +899,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -31408,7 +31495,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +943,6 @@
+@@ -673,7 +945,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -31416,7 +31503,7 @@ diff --exclude-from=exclude -N -u -r nsa
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +952,12 @@
+@@ -683,9 +954,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -31430,7 +31517,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +972,13 @@
+@@ -700,8 +974,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -31444,7 +31531,7 @@ diff --exclude-from=exclude -N -u -r nsa
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1000,14 @@
+@@ -723,11 +1002,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -31459,7 +31546,7 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1059,24 @@
+@@ -779,12 +1061,28 @@
')
optional_policy(`
@@ -31473,6 +31560,10 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
- unconfined_domain_noaudit(xserver_t)
++ setrans_translate_context(xserver_t)
++')
++
++optional_policy(`
+ sandbox_rw_xserver_tmpfs_files(xserver_t)
+')
+
@@ -31485,7 +31576,7 @@ diff --exclude-from=exclude -N -u -r nsa
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1103,7 @@
+@@ -811,7 +1109,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -31494,7 +31585,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1124,14 @@
+@@ -832,9 +1130,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -31509,7 +31600,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1146,14 @@
+@@ -849,11 +1152,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -31526,7 +31617,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -999,3 +1299,33 @@
+@@ -999,3 +1305,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -33926,7 +34017,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-05-28 09:42:00.510610814 +0200
++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-06-08 14:39:55.422610327 +0200
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -33976,7 +34067,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -47,30 +71,50 @@
+@@ -47,30 +71,51 @@
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -34017,6 +34108,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_search_all(mount_t)
files_read_etc_files(mount_t)
++files_delete_etc_files(mount_t)
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t, file)
files_mounton_all_mountpoints(mount_t)
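Review bot: `files_delete_etc_files(mount_t)` is added with no changelog entry and no comment, and it lets mount_t unlink any etc_t file, not just the mtab-related ones that the `# for when /etc/mtab loses its type` comment in the following hunk appears to be about. If this is for replacing /etc/mtab, say so above the line, e.g. `# mount replaces /etc/mtab by unlinking and recreating it — confirm`, so the broad interface can be revisited if a narrower one becomes available. The mount_t rule block continues outside this hunk.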
@@ -34029,7 +34121,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -80,15 +124,18 @@
+@@ -80,15 +125,18 @@
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
@@ -34051,7 +34143,7 @@ diff --exclude-from=exclude -N -u -r nsa
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
-@@ -99,6 +146,7 @@
+@@ -99,6 +147,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -34059,7 +34151,7 @@ diff --exclude-from=exclude -N -u -r nsa
term_use_all_terms(mount_t)
-@@ -107,6 +155,8 @@
+@@ -107,6 +156,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -34068,7 +34160,7 @@ diff --exclude-from=exclude -N -u -r nsa
logging_send_syslog_msg(mount_t)
-@@ -117,6 +167,12 @@
+@@ -117,6 +168,12 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -34081,7 +34173,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`distro_redhat',`
optional_policy(`
-@@ -132,10 +188,17 @@
+@@ -132,10 +189,17 @@
')
')
@@ -34099,7 +34191,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -165,6 +228,8 @@
+@@ -165,6 +229,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -34108,7 +34200,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -172,6 +237,25 @@
+@@ -172,6 +238,25 @@
')
optional_policy(`
@@ -34134,7 +34226,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +263,11 @@
+@@ -179,6 +264,11 @@
')
')
@@ -34146,7 +34238,7 @@ diff --exclude-from=exclude -N -u -r nsa
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +275,19 @@
+@@ -186,6 +276,19 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -34166,7 +34258,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -194,6 +296,42 @@
+@@ -194,6 +297,42 @@
#
optional_policy(`
@@ -35553,7 +35645,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-05-28 09:42:00.519610844 +0200
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-06-08 15:28:13.716610680 +0200
@@ -1,5 +1,5 @@
-policy_module(sysnetwork, 1.10.3)
@@ -35571,15 +35663,16 @@ diff --exclude-from=exclude -N -u -r nsa
type dhcpc_state_t;
files_type(dhcpc_state_t)
-@@ -58,6 +61,7 @@
+@@ -58,6 +61,8 @@
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
+allow dhcpc_t dhcp_state_t:file relabelfrom;
++allow dhcpc_t dhcpc_state_t:file relabelfrom;
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
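Review bot: The new `allow dhcpc_t dhcpc_state_t:file relabelfrom;` mirrors the existing rule for dhcp_state_t, but like it has no comment and no changelog line saying which relabel the DHCP client performs, and no `relabelto` counterpart is visible in this hunk. Add `# the DHCP client relabels its state files (<denial or tool> — confirm)` above the pair so the next maintainer knows what these two rules cover. The dhcpc_t block continues outside this hunk.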
-@@ -67,6 +71,8 @@
+@@ -67,6 +72,8 @@
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -35588,7 +35681,7 @@ diff --exclude-from=exclude -N -u -r nsa
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -111,6 +117,7 @@
+@@ -111,6 +118,7 @@
# for SSP:
dev_read_urand(dhcpc_t)
@@ -35596,7 +35689,7 @@ diff --exclude-from=exclude -N -u -r nsa
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -156,6 +163,10 @@
+@@ -156,6 +164,10 @@
')
optional_policy(`
@@ -35607,7 +35700,7 @@ diff --exclude-from=exclude -N -u -r nsa
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client(dhcpc_t)
-@@ -172,6 +183,7 @@
+@@ -172,6 +184,7 @@
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -35615,7 +35708,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -193,6 +205,12 @@
+@@ -193,6 +206,12 @@
')
optional_policy(`
@@ -35628,7 +35721,7 @@ diff --exclude-from=exclude -N -u -r nsa
nis_read_ypbind_pid(dhcpc_t)
')
-@@ -214,6 +232,7 @@
+@@ -214,6 +233,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -35636,7 +35729,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -277,8 +296,11 @@
+@@ -277,8 +297,11 @@
domain_use_interactive_fds(ifconfig_t)
@@ -35648,7 +35741,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -306,6 +328,8 @@
+@@ -306,6 +329,8 @@
seutil_use_runinit_fds(ifconfig_t)
@@ -35657,7 +35750,7 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -328,6 +352,8 @@
+@@ -328,6 +353,8 @@
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/selinux-policy.spec,v
retrieving revision 1.1024
retrieving revision 1.1025
diff -u -p -r1.1024 -r1.1025
--- selinux-policy.spec 3 Jun 2010 14:59:24 -0000 1.1024
+++ selinux-policy.spec 8 Jun 2010 15:37:31 -0000 1.1025
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 24%{?dist}
+Release: 25%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,16 @@ exit 0
%endif
%changelog
+* Tue Jun 8 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-25
+- Fixes for cmirrord policy
+- Dontaudit xauth to list inotifyfs filesystem.
+- Allow xserver to translate contexts.
+- Allow kdumpgui domain sys_admin capability
+- Allow vpnc to relabelfrom tun_socket
+- Allow prelink_cron_system_t to signal
+- Fixes for gitolite
+- Allow virt domain to read symbolic links in device directories
+
* Thu Jun 3 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-24
- Add support for /dev/vhost-net
- Allow psad to read files in /usr