rpms/selinux-policy/F-12 policy-20100106.patch, 1.68, 1.69 selinux-policy.spec, 1.1053, 1.1054
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jun 23 09:08:31 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv17654
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Allow rpm to execute rpm tmp files
- Allow denyhosts to send syslog messages
policy-20100106.patch:
config/appconfig-mcs/x_contexts | 109 ----
config/appconfig-mls/x_contexts | 109 ----
config/appconfig-standard/x_contexts | 109 ----
policy/flask/access_vectors | 55 +-
policy/flask/security_classes | 4
policy/mcs | 31 -
policy/modules/admin/alsa.te | 2
policy/modules/admin/consoletype.if | 4
policy/modules/admin/dmesg.fc | 1
policy/modules/admin/logrotate.te | 13
policy/modules/admin/logwatch.fc | 7
policy/modules/admin/logwatch.te | 11
policy/modules/admin/mcelog.fc | 2
policy/modules/admin/mcelog.if | 20
policy/modules/admin/mcelog.te | 33 +
policy/modules/admin/netutils.fc | 1
policy/modules/admin/netutils.te | 7
policy/modules/admin/prelink.te | 3
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 3
policy/modules/admin/rpm.if | 62 ++
policy/modules/admin/rpm.te | 3
policy/modules/admin/shorewall.te | 4
policy/modules/admin/shutdown.fc | 5
policy/modules/admin/shutdown.if | 100 ++++
policy/modules/admin/shutdown.te | 57 ++
policy/modules/admin/smoltclient.te | 2
policy/modules/admin/tzdata.te | 1
policy/modules/admin/usermanage.te | 8
policy/modules/admin/vbetool.te | 13
policy/modules/admin/vpn.if | 18
policy/modules/admin/vpn.te | 7
policy/modules/apps/cdrecord.te | 2
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 5
policy/modules/apps/chrome.te | 16
policy/modules/apps/execmem.if | 10
policy/modules/apps/firewallgui.te | 6
policy/modules/apps/gnome.fc | 9
policy/modules/apps/gnome.if | 99 +++-
policy/modules/apps/gnome.te | 8
policy/modules/apps/gpg.fc | 2
policy/modules/apps/gpg.if | 38 +
policy/modules/apps/gpg.te | 45 +
policy/modules/apps/java.if | 1
policy/modules/apps/java.te | 1
policy/modules/apps/kdumpgui.te | 4
policy/modules/apps/livecd.if | 57 ++
policy/modules/apps/livecd.te | 9
policy/modules/apps/mono.if | 4
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 36 +
policy/modules/apps/nsplugin.fc | 1
policy/modules/apps/nsplugin.if | 40 +
policy/modules/apps/nsplugin.te | 10
policy/modules/apps/openoffice.if | 1
policy/modules/apps/podsleuth.te | 1
policy/modules/apps/ptchown.te | 1
policy/modules/apps/pulseaudio.fc | 8
policy/modules/apps/pulseaudio.if | 70 ++
policy/modules/apps/pulseaudio.te | 43 +
policy/modules/apps/qemu.te | 1
policy/modules/apps/sambagui.te | 4
policy/modules/apps/sandbox.if | 118 ++++
policy/modules/apps/sandbox.te | 68 +-
policy/modules/apps/slocate.te | 3
policy/modules/apps/vmware.if | 18
policy/modules/apps/vmware.te | 14
policy/modules/apps/wine.if | 5
policy/modules/apps/wine.te | 18
policy/modules/apps/wm.if | 16
policy/modules/kernel/corecommands.fc | 8
policy/modules/kernel/corenetwork.if.in | 279 ++++++++++-
policy/modules/kernel/corenetwork.te.in | 62 +-
policy/modules/kernel/corenetwork.te.m4 | 19
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.if | 343 ++++++++++++-
policy/modules/kernel/devices.te | 25 -
policy/modules/kernel/domain.if | 24
policy/modules/kernel/domain.te | 6
policy/modules/kernel/files.fc | 6
policy/modules/kernel/files.if | 370 ++++++++++++---
policy/modules/kernel/files.te | 7
policy/modules/kernel/filesystem.if | 212 ++++++++
policy/modules/kernel/filesystem.te | 12
policy/modules/kernel/kernel.if | 54 ++
policy/modules/kernel/mcs.if | 40 +
policy/modules/kernel/mcs.te | 2
policy/modules/kernel/storage.if | 20
policy/modules/kernel/terminal.if | 247 +++++++++-
policy/modules/roles/auditadm.te | 2
policy/modules/roles/secadm.te | 2
policy/modules/roles/staff.te | 22
policy/modules/roles/sysadm.te | 12
policy/modules/roles/unconfineduser.fc | 5
policy/modules/roles/unconfineduser.te | 17
policy/modules/roles/unprivuser.te | 2
policy/modules/roles/xguest.te | 7
policy/modules/services/abrt.fc | 4
policy/modules/services/abrt.if | 5
policy/modules/services/abrt.te | 30 +
policy/modules/services/afs.te | 11
policy/modules/services/aisexec.fc | 2
policy/modules/services/aisexec.te | 8
policy/modules/services/amavis.te | 1
policy/modules/services/apache.fc | 12
policy/modules/services/apache.if | 156 ++++++
policy/modules/services/apache.te | 61 ++
policy/modules/services/apcupsd.te | 6
policy/modules/services/arpwatch.te | 2
policy/modules/services/asterisk.if | 19
policy/modules/services/asterisk.te | 3
policy/modules/services/avahi.fc | 2
policy/modules/services/avahi.if | 1
policy/modules/services/avahi.te | 4
policy/modules/services/bind.if | 19
policy/modules/services/bluetooth.te | 2
policy/modules/services/cachefilesd.fc | 28 +
policy/modules/services/cachefilesd.if | 41 +
policy/modules/services/cachefilesd.te | 146 +++++
policy/modules/services/ccs.te | 6
policy/modules/services/chronyd.fc | 2
policy/modules/services/chronyd.if | 22
policy/modules/services/chronyd.te | 22
policy/modules/services/clamav.te | 2
policy/modules/services/clogd.if | 24
policy/modules/services/clogd.te | 7
policy/modules/services/cobbler.fc | 5
policy/modules/services/cobbler.if | 156 ++++++
policy/modules/services/cobbler.te | 132 +++++
policy/modules/services/consolekit.te | 19
policy/modules/services/corosync.fc | 3
policy/modules/services/corosync.te | 15
policy/modules/services/cron.if | 18
policy/modules/services/cron.te | 9
policy/modules/services/cups.te | 8
policy/modules/services/dbus.if | 7
policy/modules/services/dcc.te | 2
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 87 +++
policy/modules/services/denyhosts.te | 77 +++
policy/modules/services/devicekit.fc | 4
policy/modules/services/devicekit.te | 14
policy/modules/services/dhcp.if | 19
policy/modules/services/dhcp.te | 4
policy/modules/services/djbdns.if | 38 +
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 2
policy/modules/services/dnsmasq.if | 38 +
policy/modules/services/dnsmasq.te | 8
policy/modules/services/dovecot.te | 6
policy/modules/services/exim.if | 18
policy/modules/services/fail2ban.if | 18
policy/modules/services/ftp.fc | 2
policy/modules/services/ftp.if | 37 +
policy/modules/services/ftp.te | 116 ++++
policy/modules/services/git.fc | 17
policy/modules/services/git.if | 466 ++++++++++++++----
policy/modules/services/git.te | 145 +++--
policy/modules/services/gpm.fc | 2
policy/modules/services/gpsd.if | 21
policy/modules/services/gpsd.te | 4
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 36 +
policy/modules/services/inn.te | 2
policy/modules/services/kerberos.if | 21
policy/modules/services/ksmtuned.te | 11
policy/modules/services/ldap.fc | 3
policy/modules/services/ldap.if | 24
policy/modules/services/ldap.te | 13
policy/modules/services/likewise.fc | 54 ++
policy/modules/services/likewise.if | 105 ++++
policy/modules/services/likewise.te | 247 ++++++++++
policy/modules/services/lircd.te | 9
policy/modules/services/mailman.te | 1
policy/modules/services/memcached.te | 14
policy/modules/services/modemmanager.te | 2
policy/modules/services/mta.if | 41 +
policy/modules/services/mta.te | 6
policy/modules/services/munin.fc | 55 ++
policy/modules/services/munin.if | 66 ++
policy/modules/services/munin.te | 165 ++++++
policy/modules/services/mysql.te | 8
policy/modules/services/nagios.fc | 46 +
policy/modules/services/nagios.if | 46 +
policy/modules/services/nagios.te | 101 +++-
policy/modules/services/networkmanager.fc | 1
policy/modules/services/networkmanager.if | 19
policy/modules/services/networkmanager.te | 5
policy/modules/services/nis.fc | 5
policy/modules/services/nis.te | 8
policy/modules/services/ntp.te | 2
policy/modules/services/nut.te | 11
policy/modules/services/nx.if | 18
policy/modules/services/openvpn.te | 11
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 304 ------------
policy/modules/services/plymouth.te | 102 ----
policy/modules/services/plymouthd.fc | 9
policy/modules/services/plymouthd.if | 322 +++++++++++++
policy/modules/services/plymouthd.te | 108 ++++
policy/modules/services/policykit.te | 23
policy/modules/services/postfix.if | 37 +
policy/modules/services/postfix.te | 11
policy/modules/services/ppp.fc | 2
policy/modules/services/ppp.if | 20
policy/modules/services/ppp.te | 9
policy/modules/services/prelude.te | 2
policy/modules/services/qmail.if | 18
policy/modules/services/qpidd.fc | 9
policy/modules/services/qpidd.if | 236 +++++++++
policy/modules/services/qpidd.te | 61 ++
policy/modules/services/rgmanager.if | 40 +
policy/modules/services/rgmanager.te | 58 +-
policy/modules/services/rhcs.fc | 9
policy/modules/services/rhcs.if | 58 ++
policy/modules/services/rhcs.te | 279 ++---------
policy/modules/services/ricci.te | 8
policy/modules/services/rpc.if | 1
policy/modules/services/rpc.te | 8
policy/modules/services/rpcbind.te | 4
policy/modules/services/rsync.if | 38 +
policy/modules/services/rsync.te | 1
policy/modules/services/samba.te | 20
policy/modules/services/sasl.te | 2
policy/modules/services/sendmail.te | 4
policy/modules/services/setroubleshoot.te | 4
policy/modules/services/snmp.te | 6
policy/modules/services/snort.te | 3
policy/modules/services/spamassassin.if | 18
policy/modules/services/spamassassin.te | 6
policy/modules/services/squid.te | 12
policy/modules/services/ssh.if | 4
policy/modules/services/ssh.te | 84 ---
policy/modules/services/sssd.fc | 4
policy/modules/services/sssd.if | 85 ++-
policy/modules/services/sssd.te | 20
policy/modules/services/tftp.if | 20
policy/modules/services/tftp.te | 1
policy/modules/services/tgtd.te | 3
policy/modules/services/tor.fc | 1
policy/modules/services/tuned.fc | 3
policy/modules/services/tuned.te | 15
policy/modules/services/ucspitcp.te | 5
policy/modules/services/usbmuxd.fc | 6
policy/modules/services/usbmuxd.if | 64 ++
policy/modules/services/usbmuxd.te | 51 ++
policy/modules/services/varnishd.if | 19
policy/modules/services/virt.if | 11
policy/modules/services/virt.te | 26 -
policy/modules/services/xserver.fc | 18
policy/modules/services/xserver.if | 738 ++++++++++--------------------
policy/modules/services/xserver.te | 392 ++++++++-------
policy/modules/system/application.te | 16
policy/modules/system/authlogin.if | 4
policy/modules/system/daemontools.if | 62 ++
policy/modules/system/daemontools.te | 26 -
policy/modules/system/fstools.fc | 2
policy/modules/system/hostname.te | 7
policy/modules/system/hotplug.te | 6
policy/modules/system/init.if | 38 +
policy/modules/system/init.te | 32 +
policy/modules/system/ipsec.te | 13
policy/modules/system/iptables.if | 10
policy/modules/system/iptables.te | 6
policy/modules/system/iscsi.fc | 3
policy/modules/system/iscsi.te | 10
policy/modules/system/libraries.fc | 39 +
policy/modules/system/locallogin.te | 22
policy/modules/system/logging.fc | 9
policy/modules/system/logging.if | 18
policy/modules/system/logging.te | 10
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.if | 4
policy/modules/system/lvm.te | 6
policy/modules/system/miscfiles.fc | 7
policy/modules/system/miscfiles.if | 37 +
policy/modules/system/modutils.te | 2
policy/modules/system/mount.if | 56 ++
policy/modules/system/mount.te | 58 ++
policy/modules/system/selinuxutil.if | 21
policy/modules/system/selinuxutil.te | 25 -
policy/modules/system/sosreport.fc | 2
policy/modules/system/sosreport.if | 74 +++
policy/modules/system/sosreport.te | 129 +++++
policy/modules/system/sysnetwork.fc | 3
policy/modules/system/sysnetwork.if | 4
policy/modules/system/sysnetwork.te | 4
policy/modules/system/udev.te | 5
policy/modules/system/unconfined.if | 2
policy/modules/system/userdomain.fc | 2
policy/modules/system/userdomain.if | 45 +
policy/modules/system/userdomain.te | 4
policy/modules/system/xen.if | 2
policy/modules/system/xen.te | 22
policy/support/obj_perm_sets.spt | 11
policy/users | 2
297 files changed, 8597 insertions(+), 2455 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.68
retrieving revision 1.69
diff -u -p -r1.68 -r1.69
--- policy-20100106.patch 4 Jun 2010 10:51:20 -0000 1.68
+++ policy-20100106.patch 23 Jun 2010 09:08:30 -0000 1.69
@@ -684,10 +684,48 @@ diff -b -B --ignore-all-space --exclude-
+optional_policy(`
varnishd_manage_log(logrotate_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.fc serefpolicy-3.6.32/policy/modules/admin/logwatch.fc
+--- nsaserefpolicy/policy/modules/admin/logwatch.fc 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/admin/logwatch.fc 2010-06-23 09:47:52.287613306 +0200
+@@ -1,7 +1,14 @@
++
++/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+ /usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+
+ /usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
+
+ /var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
++
++/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
+ /var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
++
+ /var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
++
++/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.32/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-01-18 18:24:22.550542523 +0100
-+++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te 2010-02-17 16:16:54.606863741 +0100
-@@ -103,6 +103,11 @@
++++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te 2010-06-23 09:48:20.982863188 +0200
+@@ -20,6 +20,9 @@
+ type logwatch_tmp_t;
+ files_tmp_file(logwatch_tmp_t)
+
++type logwatch_var_run_t;
++files_pid_file(logwatch_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -40,6 +43,9 @@
+ manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+ files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
+
++allow logwatch_t logwatch_var_run_t:file manage_file_perms;
++files_pid_filetrans(logwatch_t, logwatch_var_run_t, file)
++
+ kernel_read_fs_sysctls(logwatch_t)
+ kernel_read_kernel_sysctls(logwatch_t)
+ kernel_read_system_state(logwatch_t)
+@@ -103,6 +109,11 @@
mta_send_mail(logwatch_t)
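Review bot: the new /var/run/epylog\.pid entry in logwatch.fc has no file-type field, while the /usr/sbin/epylog entry added in the same hunk uses "--". The matching rule in logwatch.te is files_pid_filetrans(logwatch_t, logwatch_var_run_t, file), so the context entry should be limited to regular files too: "/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0)". The raw "allow logwatch_t logwatch_var_run_t:file manage_file_perms;" could be written as manage_files_pattern to match the logwatch_tmp_t rule just above it. The epylog support is also missing from the log message.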
@@ -970,7 +1008,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2010-01-18 18:24:22.568530565 +0100
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2010-02-26 16:50:05.472606689 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2010-06-23 09:44:03.864613532 +0200
@@ -1,6 +1,8 @@
policy_module(rpm, 1.10.0)
@@ -980,6 +1018,14 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Declarations
+@@ -88,6 +90,7 @@
+ manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
+ manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
+ files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
++can_exec(rpm_t, rpm_tmp_t)
+
+ manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+ manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.32/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-01-18 18:24:22.571542610 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/shorewall.te 2010-04-13 14:13:03.163602020 +0200
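Review bot: can_exec(rpm_t, rpm_tmp_t) sits directly under manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t), so rpm_t can now both write and execute files of the same type, in its own domain and with no transition. Please add a comment above the new line naming the rpm operation that has to run a file out of its tmp directory, and say why executing it in rpm_t is acceptable rather than transitioning to a more confined domain.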
@@ -2581,7 +2627,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-04-13 14:57:35.509601481 +0200
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-06-23 10:16:12.879613154 +0200
@@ -10,14 +10,15 @@
#
@@ -2764,7 +2810,7 @@ diff -b -B --ignore-all-space --exclude-
dbus_system_bus_client(sandbox_web_client_t)
dbus_read_config(sandbox_web_client_t)
-@@ -279,6 +306,8 @@
+@@ -279,8 +306,11 @@
selinux_compute_user_contexts(sandbox_web_client_t)
seutil_read_default_contexts(sandbox_web_client_t)
@@ -2772,8 +2818,11 @@ diff -b -B --ignore-all-space --exclude-
+
optional_policy(`
nsplugin_read_rw_files(sandbox_web_client_t)
++ nsplugin_manage_rw(sandbox_web_client_t)
nsplugin_rw_exec(sandbox_web_client_t)
-@@ -310,7 +339,7 @@
+ ')
+
+@@ -310,7 +340,7 @@
corenet_tcp_connect_all_ports(sandbox_net_client_t)
corenet_sendrecv_all_client_packets(sandbox_net_client_t)
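Review bot: nsplugin_manage_rw(sandbox_web_client_t) is added right after the existing nsplugin_read_rw_files(sandbox_web_client_t), which widens the sandboxed web client from reading nsplugin rw content to managing it, and neither a comment nor the log message explains it. Please state which denial this answers. If manage access is really required, the read call above it looks redundant and can be dropped in the same change.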
@@ -6403,7 +6452,7 @@ diff -b -B --ignore-all-space --exclude-
/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-05-31 18:00:35.141362064 +0200
++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-06-23 10:06:17.602612906 +0200
@@ -16,6 +16,7 @@
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
@@ -6429,7 +6478,59 @@ diff -b -B --ignore-all-space --exclude-
')
tunable_policy(`httpd_enable_cgi',`
-@@ -833,6 +837,27 @@
+@@ -550,7 +554,7 @@
+ #
+ interface(`apache_read_tmp',`
+ gen_require(`
+- type httpd_config_t;
++ type httpd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+@@ -571,19 +575,40 @@
+ #
+ interface(`apache_dontaudit_write_tmp',`
+ gen_require(`
+- type httpd_config_t;
++ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file write;
+ ')
+
++######################################
++## <summary>
++## Allow the specified domain to search
++## apache configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_search_config',`
++ gen_require(`
++ type httpd_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 httpd_config_t:dir search_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Allow the specified domain to read
+ ## apache configuration files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>/
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+@@ -833,6 +858,27 @@
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
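Review bot: in the doc block of the interface that follows the new apache_search_config, "## <summary>" is changed to "## <summary>/". The trailing slash looks like a typo and puts stray text into the interface documentation, so that -/+ pair should be dropped. In apache_search_config itself, "## <rolecap/>" seems unnecessary for a search-only interface, and its header rule of "#" characters is shorter than the one used for the next interface. The gen_require change in apache_dontaudit_write_tmp is correct, since the rule body refers to httpd_tmp_t.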
@@ -6457,7 +6558,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Allow the specified domain to manage
-@@ -857,6 +882,29 @@
+@@ -857,6 +903,29 @@
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -6487,7 +6588,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Allow the specified domain to delete
-@@ -1112,6 +1160,64 @@
+@@ -1112,6 +1181,64 @@
allow $1 httpd_sys_script_t:dir search_dir_perms;
')
@@ -6552,7 +6653,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Execute CGI in the specified domain.
-@@ -1167,6 +1273,29 @@
+@@ -1167,6 +1294,29 @@
allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
')
@@ -8044,8 +8145,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.6.32/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/denyhosts.te 2010-05-21 13:28:34.975140060 +0200
-@@ -0,0 +1,76 @@
++++ serefpolicy-3.6.32/policy/modules/services/denyhosts.te 2010-06-23 09:54:43.079863310 +0200
+@@ -0,0 +1,77 @@
+
+policy_module(denyhosts, 1.0.0)
+
@@ -8113,6 +8214,7 @@ diff -b -B --ignore-all-space --exclude-
+
+# /var/log/secure
+logging_read_generic_logs(denyhosts_t)
++logging_send_syslog_msg(denyhosts_t)
+
+miscfiles_read_localization(denyhosts_t)
+
@@ -9863,7 +9965,7 @@ diff -b -B --ignore-all-space --exclude-
## Create a derived type for kerberos keytab
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.6.32/policy/modules/services/ksmtuned.te
--- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-01-18 18:24:22.803539923 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.te 2010-05-05 13:04:10.736879272 +0200
++++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.te 2010-06-23 09:39:29.336613499 +0200
@@ -21,13 +21,10 @@
#
# ksmtuned local policy
@@ -9880,10 +9982,12 @@ diff -b -B --ignore-all-space --exclude-
allow ksmtuned_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
-@@ -43,4 +40,6 @@
+@@ -43,4 +40,8 @@
files_read_etc_files(ksmtuned_t)
++mls_file_read_to_clearance(ksmtuned_t)
++
+term_use_all_terms(ksmtuned_t)
+
miscfiles_read_localization(ksmtuned_t)
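Review bot: mls_file_read_to_clearance(ksmtuned_t) grants an MLS read exemption with no comment and no mention in the log message. Please add a comment above it saying which files ksmtuned has to read above its own level, in the way denyhosts.te annotates its log access with "# /var/log/secure". The same applies to term_use_all_terms(ksmtuned_t) below it, which is broad for a tuning daemon.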
@@ -11106,7 +11210,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-06-04 12:26:22.209409594 +0200
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-06-23 10:06:51.031613283 +0200
@@ -45,10 +45,18 @@
type nrpe_var_run_t;
files_pid_file(nrpe_var_run_t)
@@ -11176,16 +11280,20 @@ diff -b -B --ignore-all-space --exclude-
auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
-@@ -148,8 +156,6 @@
+@@ -148,8 +156,10 @@
mta_send_mail(nagios_t)
optional_policy(`
- netutils_domtrans_ping(nagios_t)
- netutils_signal_ping(nagios_t)
++ apache_search_config(nagios_t)
++')
++
++optional_policy(`
netutils_kill_ping(nagios_t)
')
-@@ -253,6 +259,11 @@
+@@ -253,6 +263,11 @@
')
optional_policy(`
@@ -11197,7 +11305,7 @@ diff -b -B --ignore-all-space --exclude-
seutil_sigchld_newrole(nrpe_t)
')
-@@ -264,6 +275,66 @@
+@@ -264,6 +279,66 @@
udev_read_db(nrpe_t)
')
@@ -11264,7 +11372,7 @@ diff -b -B --ignore-all-space --exclude-
######################################
#
-@@ -290,6 +361,8 @@
+@@ -290,6 +365,8 @@
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
@@ -11273,7 +11381,7 @@ diff -b -B --ignore-all-space --exclude-
corecmd_exec_bin(nagios_services_plugin_t)
corenet_tcp_connect_all_ports(nagios_services_plugin_t)
-@@ -309,12 +382,18 @@
+@@ -309,12 +386,18 @@
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
@@ -12552,7 +12660,7 @@ diff -b -B --ignore-all-space --exclude-
## Execute the master postdrop in the
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-03-15 12:17:32.531614479 +0100
++++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-06-23 09:50:23.936613186 +0200
@@ -307,6 +307,8 @@
mta_delete_spool(postfix_local_t)
# For reading spamassasin
@@ -12588,7 +12696,16 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -573,6 +578,8 @@
+@@ -516,6 +521,8 @@
+ init_sigchld_script(postfix_postqueue_t)
+ init_use_script_fds(postfix_postqueue_t)
+
++mta_mailserver_user_agent(postfix_postqueue_t)
++
+ optional_policy(`
+ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
+ ')
+@@ -573,6 +580,8 @@
# Postfix smtp delivery local policy
#
@@ -13804,6 +13921,17 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.32/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-01-18 18:24:22.877530409 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rpcbind.te 2010-06-23 10:25:24.508863150 +0200
+@@ -72,3 +72,7 @@
+ ifdef(`hide_broken_symptoms',`
+ dontaudit rpcbind_t self:udp_socket listen;
+ ')
++
++optional_policy(`
++ nis_use_ypbind(rpcbind_t)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2010-01-18 18:24:22.879530454 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2010-02-23 19:16:59.984776521 +0100
@@ -17403,7 +17531,16 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100
++++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-06-23 09:56:21.095613242 +0200
+@@ -24,7 +24,7 @@
+ #
+
+ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+-dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
++dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit hotplug_t self:capability { dac_override dac_read_search };
+ allow hotplug_t self:process { setpgid getsession getattr signal_perms };
@@ -125,6 +125,10 @@
')
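Review bot: adding sys_ptrace to the "dontaudit hotplug_t self:capability" set silences the denial without recording what triggers it, and the log message does not mention hotplug. A one-line comment like the existing "# for access("/etc/bashrc", X_OK) on Red Hat" would make the suppression reviewable later. While touching this line, sys_tty_config can be removed from the dontaudit set, because the allow rule directly above already grants it.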
@@ -17830,7 +17967,7 @@ diff -b -B --ignore-all-space --exclude-
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-06-04 12:30:12.835158677 +0200
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-06-07 09:26:29.584056468 +0200
@@ -69,6 +69,8 @@
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
@@ -17880,7 +18017,7 @@ diff -b -B --ignore-all-space --exclude-
/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -377,9 +387,6 @@
+@@ -377,13 +387,11 @@
/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -17890,7 +18027,12 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -396,10 +403,8 @@
+ /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ ifdef(`fixed',`
+ /usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -396,10 +404,8 @@
/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -17901,7 +18043,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -411,7 +416,7 @@
+@@ -411,7 +417,7 @@
/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -17910,7 +18052,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib(64)?/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
')
/opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -432,9 +437,28 @@
+@@ -432,9 +438,28 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1053
retrieving revision 1.1054
diff -u -p -r1.1053 -r1.1054
--- selinux-policy.spec 4 Jun 2010 10:51:21 -0000 1.1053
+++ selinux-policy.spec 23 Jun 2010 09:08:31 -0000 1.1054
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 118%{?dist}
+Release: 119%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Wed Jun 23 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-119
+- Allow rpm to execute rpm tmp files
+- Allow denyhosts to send syslog messages
+
* Fri Jun 4 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-118
- Fixes for abrt
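Review bot: the new %changelog entry lists only the rpm tmp file and denyhosts syslog changes, but revision 1.69 of policy-20100106.patch also changes logwatch (epylog), sandbox, apache.if, nagios, postfix, rpcbind, hotplug, ksmtuned and libraries.fc. Please add changelog lines for those, at least for the ones that widen access: nsplugin_manage_rw for sandbox_web_client_t, mls_file_read_to_clearance for ksmtuned_t and mta_mailserver_user_agent for postfix_postqueue_t.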