rpms/selinux-policy/F-13 policy-F13.patch, 1.131, 1.132 selinux-policy.spec, 1.1033, 1.1034
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jun 28 17:02:46 UTC 2010
- Previous message: rpms/jericho-html/EL-6 import.log, NONE, 1.1 jericho-html.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message: rpms/kernel/devel kernel.spec, 1.2045, 1.2046 linux-2.6-phylib-autoload.patch, 1.2, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv13225
Modified Files:
policy-F13.patch selinux-policy.spec
Log Message:
- Allow sectool to connect to users over unix stream socket
- Add label for /var/spool/abrt-upload
- Add audio_home_t type for homedir/Music files
- Allow aiccu to read network config files
- Allow qpidd to setsched
- Allow virt domains to manage svirt_image_t fifo files
- Fixes for NM-openswan
- Fixes for admin interfaces
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/mls | 2
policy/modules/admin/accountsd.fc | 4
policy/modules/admin/accountsd.if | 164 ++
policy/modules/admin/accountsd.te | 64 +
policy/modules/admin/acct.te | 1
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 4
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.if | 3
policy/modules/admin/consoletype.te | 3
policy/modules/admin/dmesg.te | 6
policy/modules/admin/firstboot.te | 7
policy/modules/admin/kismet.te | 1
policy/modules/admin/logrotate.te | 42
policy/modules/admin/logwatch.fc | 7
policy/modules/admin/logwatch.te | 8
policy/modules/admin/mcelog.te | 2
policy/modules/admin/mrtg.te | 1
policy/modules/admin/ncftool.fc | 2
policy/modules/admin/ncftool.if | 74 +
policy/modules/admin/ncftool.te | 79 +
policy/modules/admin/netutils.fc | 2
policy/modules/admin/netutils.if | 1
policy/modules/admin/netutils.te | 24
policy/modules/admin/prelink.fc | 4
policy/modules/admin/prelink.if | 28
policy/modules/admin/prelink.te | 79 +
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 4
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 387 ++++++
policy/modules/admin/rpm.te | 110 +
policy/modules/admin/sectoolm.te | 1
policy/modules/admin/shorewall.if | 45
policy/modules/admin/shorewall.te | 7
policy/modules/admin/shutdown.fc | 5
policy/modules/admin/shutdown.if | 136 ++
policy/modules/admin/shutdown.te | 63 +
policy/modules/admin/su.if | 11
policy/modules/admin/sudo.if | 12
policy/modules/admin/tmpreaper.te | 24
policy/modules/admin/usermanage.if | 20
policy/modules/admin/usermanage.te | 24
policy/modules/admin/vbetool.te | 6
policy/modules/admin/vpn.if | 20
policy/modules/admin/vpn.te | 8
policy/modules/apps/chrome.fc | 3
policy/modules/apps/chrome.if | 90 +
policy/modules/apps/chrome.te | 86 +
policy/modules/apps/cpufreqselector.te | 4
policy/modules/apps/execmem.fc | 47
policy/modules/apps/execmem.if | 110 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 66 +
policy/modules/apps/gitosis.fc | 2
policy/modules/apps/gitosis.if | 2
policy/modules/apps/gitosis.te | 7
policy/modules/apps/gnome.fc | 24
policy/modules/apps/gnome.if | 438 +++++++
policy/modules/apps/gnome.te | 118 ++
policy/modules/apps/gpg.fc | 1
policy/modules/apps/gpg.if | 114 +-
policy/modules/apps/gpg.te | 157 ++
policy/modules/apps/irc.fc | 7
policy/modules/apps/irc.if | 37
policy/modules/apps/irc.te | 104 +
policy/modules/apps/java.fc | 7
policy/modules/apps/java.if | 4
policy/modules/apps/java.te | 9
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 68 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 127 ++
policy/modules/apps/livecd.te | 34
policy/modules/apps/loadkeys.if | 3
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.if | 5
policy/modules/apps/mozilla.fc | 2
policy/modules/apps/mozilla.if | 62 +
policy/modules/apps/mozilla.te | 22
policy/modules/apps/mplayer.if | 36
policy/modules/apps/mplayer.te | 29
policy/modules/apps/nsplugin.fc | 10
policy/modules/apps/nsplugin.if | 391 +++++++
policy/modules/apps/nsplugin.te | 297 +++++
policy/modules/apps/openoffice.fc | 4
policy/modules/apps/openoffice.if | 129 ++
policy/modules/apps/openoffice.te | 17
policy/modules/apps/podsleuth.te | 3
policy/modules/apps/pulseaudio.if | 57 +
policy/modules/apps/pulseaudio.te | 11
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 84 +
policy/modules/apps/qemu.te | 11
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 66 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 314 +++++
policy/modules/apps/sandbox.te | 389 +++++++
policy/modules/apps/seunshare.if | 78 -
policy/modules/apps/seunshare.te | 35
policy/modules/apps/slocate.te | 4
policy/modules/apps/telepathysofiasip.fc | 2
policy/modules/apps/telepathysofiasip.if | 69 +
policy/modules/apps/telepathysofiasip.te | 45
policy/modules/apps/userhelper.fc | 1
policy/modules/apps/userhelper.if | 56 +
policy/modules/apps/userhelper.te | 42
policy/modules/apps/vmware.if | 19
policy/modules/apps/vmware.te | 14
policy/modules/apps/wine.fc | 1
policy/modules/apps/wine.if | 11
policy/modules/apps/wine.te | 22
policy/modules/apps/wm.if | 16
policy/modules/kernel/corecommands.fc | 37
policy/modules/kernel/corecommands.if | 2
policy/modules/kernel/corenetwork.te.in | 37
policy/modules/kernel/devices.fc | 9
policy/modules/kernel/devices.if | 214 +++
policy/modules/kernel/devices.te | 18
policy/modules/kernel/domain.if | 63 +
policy/modules/kernel/domain.te | 113 ++
policy/modules/kernel/files.fc | 30
policy/modules/kernel/files.if | 653 +++++++++++
policy/modules/kernel/files.te | 15
policy/modules/kernel/filesystem.if | 296 ++++-
policy/modules/kernel/filesystem.te | 11
policy/modules/kernel/kernel.if | 107 +
policy/modules/kernel/kernel.te | 36
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 22
policy/modules/kernel/terminal.if | 29
policy/modules/roles/auditadm.te | 3
policy/modules/roles/guest.te | 8
policy/modules/roles/secadm.te | 2
policy/modules/roles/staff.te | 118 ++
policy/modules/roles/sysadm.te | 102 +
policy/modules/roles/unconfineduser.fc | 10
policy/modules/roles/unconfineduser.if | 667 ++++++++++++
policy/modules/roles/unconfineduser.te | 443 +++++++
policy/modules/roles/unprivuser.te | 23
policy/modules/roles/xguest.te | 79 +
policy/modules/services/abrt.fc | 18
policy/modules/services/abrt.if | 226 +++-
policy/modules/services/abrt.te | 180 ++-
policy/modules/services/afs.te | 5
policy/modules/services/aiccu.fc | 6
policy/modules/services/aiccu.if | 118 ++
policy/modules/services/aiccu.te | 71 +
policy/modules/services/aisexec.fc | 10
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 114 ++
policy/modules/services/apache.fc | 18
policy/modules/services/apache.if | 221 +++
policy/modules/services/apache.te | 234 +++-
policy/modules/services/apcupsd.te | 4
policy/modules/services/arpwatch.te | 4
policy/modules/services/asterisk.if | 19
policy/modules/services/asterisk.te | 45
policy/modules/services/automount.te | 1
policy/modules/services/avahi.if | 1
policy/modules/services/avahi.te | 4
policy/modules/services/bind.if | 5
policy/modules/services/bitlbee.te | 7
policy/modules/services/bluetooth.if | 26
policy/modules/services/boinc.fc | 6
policy/modules/services/boinc.if | 151 ++
policy/modules/services/boinc.te | 98 +
policy/modules/services/bugzilla.fc | 4
policy/modules/services/bugzilla.if | 39
policy/modules/services/bugzilla.te | 57 +
policy/modules/services/cachefilesd.fc | 29
policy/modules/services/cachefilesd.if | 41
policy/modules/services/cachefilesd.te | 147 ++
policy/modules/services/ccs.te | 10
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 218 +++
policy/modules/services/certmonger.te | 75 +
policy/modules/services/cgroup.fc | 12
policy/modules/services/cgroup.if | 242 ++++
policy/modules/services/cgroup.te | 102 +
policy/modules/services/chronyd.if | 86 +
policy/modules/services/chronyd.te | 10
policy/modules/services/clamav.te | 23
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 82 +
policy/modules/services/clogd.te | 65 +
policy/modules/services/cmirrord.fc | 6
policy/modules/services/cmirrord.if | 118 ++
policy/modules/services/cmirrord.te | 63 +
policy/modules/services/cobbler.fc | 2
policy/modules/services/cobbler.if | 9
policy/modules/services/cobbler.te | 28
policy/modules/services/consolekit.fc | 4
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 42
policy/modules/services/corosync.fc | 15
policy/modules/services/corosync.if | 108 +
policy/modules/services/corosync.te | 122 ++
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 119 +-
policy/modules/services/cron.te | 100 +
policy/modules/services/cups.fc | 15
policy/modules/services/cups.if | 5
policy/modules/services/cups.te | 68 +
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 2
policy/modules/services/dbus.if | 107 +
policy/modules/services/dbus.te | 21
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 87 +
policy/modules/services/denyhosts.te | 77 +
policy/modules/services/devicekit.fc | 8
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 101 +
policy/modules/services/dhcp.te | 4
policy/modules/services/djbdns.if | 38
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 2
policy/modules/services/dnsmasq.if | 4
policy/modules/services/dnsmasq.te | 22
policy/modules/services/dovecot.fc | 6
policy/modules/services/dovecot.if | 5
policy/modules/services/dovecot.te | 48
policy/modules/services/exim.fc | 3
policy/modules/services/exim.if | 61 +
policy/modules/services/exim.te | 3
policy/modules/services/fail2ban.if | 20
policy/modules/services/fprintd.te | 2
policy/modules/services/ftp.fc | 2
policy/modules/services/ftp.if | 38
policy/modules/services/ftp.te | 179 +++
policy/modules/services/git.fc | 9
policy/modules/services/git.if | 526 +++++++++
policy/modules/services/git.te | 190 +++
policy/modules/services/gnomeclock.if | 21
policy/modules/services/gpsd.te | 5
policy/modules/services/hal.if | 22
policy/modules/services/hal.te | 38
policy/modules/services/icecast.te | 6
policy/modules/services/inn.te | 1
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 8
policy/modules/services/ksmtuned.fc | 2
policy/modules/services/ksmtuned.if | 4
policy/modules/services/ksmtuned.te | 13
policy/modules/services/ldap.fc | 5
policy/modules/services/ldap.if | 81 +
policy/modules/services/ldap.te | 13
policy/modules/services/lircd.te | 24
policy/modules/services/memcached.if | 1
policy/modules/services/milter.if | 20
policy/modules/services/milter.te | 8
policy/modules/services/modemmanager.te | 9
policy/modules/services/mpd.fc | 11
policy/modules/services/mpd.if | 295 +++++
policy/modules/services/mpd.te | 111 +
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 68 +
policy/modules/services/mta.te | 28
policy/modules/services/munin.fc | 58 +
policy/modules/services/munin.if | 66 +
policy/modules/services/munin.te | 175 +++
policy/modules/services/mysql.te | 3
policy/modules/services/nagios.fc | 83 +
policy/modules/services/nagios.if | 160 ++
policy/modules/services/nagios.te | 294 ++++-
policy/modules/services/networkmanager.fc | 20
policy/modules/services/networkmanager.if | 125 ++
policy/modules/services/networkmanager.te | 134 ++
policy/modules/services/nis.fc | 10
policy/modules/services/nis.if | 81 +
policy/modules/services/nis.te | 23
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 29
policy/modules/services/nslcd.te | 2
policy/modules/services/ntop.if | 156 ++
policy/modules/services/ntop.te | 32
policy/modules/services/ntp.te | 3
policy/modules/services/nut.te | 4
policy/modules/services/nx.fc | 12
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.fc | 1
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/oident.te | 1
policy/modules/services/openvpn.te | 10
policy/modules/services/pegasus.te | 28
policy/modules/services/piranha.fc | 21
policy/modules/services/piranha.if | 175 +++
policy/modules/services/piranha.te | 187 +++
policy/modules/services/plymouthd.fc | 9
policy/modules/services/plymouthd.if | 322 +++++
policy/modules/services/plymouthd.te | 109 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 86 +
policy/modules/services/portreserve.fc | 3
policy/modules/services/portreserve.if | 55
policy/modules/services/portreserve.te | 3
policy/modules/services/postfix.fc | 3
policy/modules/services/postfix.if | 282 ++++-
policy/modules/services/postfix.te | 154 ++
policy/modules/services/ppp.te | 4
policy/modules/services/procmail.fc | 2
policy/modules/services/procmail.te | 26
policy/modules/services/psad.if | 26
policy/modules/services/psad.te | 1
policy/modules/services/puppet.te | 2
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/qpidd.fc | 9
policy/modules/services/qpidd.if | 236 ++++
policy/modules/services/qpidd.te | 61 +
policy/modules/services/radius.te | 2
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 10
policy/modules/services/rgmanager.if | 141 ++
policy/modules/services/rgmanager.te | 223 ++++
policy/modules/services/rhcs.fc | 23
policy/modules/services/rhcs.if | 415 +++++++
policy/modules/services/rhcs.te | 243 ++++
policy/modules/services/ricci.fc | 3
policy/modules/services/ricci.if | 62 +
policy/modules/services/ricci.te | 42
policy/modules/services/rlogin.fc | 3
policy/modules/services/rlogin.te | 1
policy/modules/services/rpc.if | 21
policy/modules/services/rpc.te | 15
policy/modules/services/rpcbind.if | 2
policy/modules/services/rpcbind.te | 4
policy/modules/services/rsync.if | 61 -
policy/modules/services/rsync.te | 26
policy/modules/services/rtkit.if | 21
policy/modules/services/rtkit.te | 4
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 134 ++
policy/modules/services/samba.te | 123 +-
policy/modules/services/sasl.te | 3
policy/modules/services/sendmail.fc | 2
policy/modules/services/sendmail.if | 84 +
policy/modules/services/sendmail.te | 20
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 91 +
policy/modules/services/smartmon.te | 2
policy/modules/services/smokeping.te | 2
policy/modules/services/snmp.te | 3
policy/modules/services/snort.te | 4
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 107 +
policy/modules/services/spamassassin.te | 141 ++
policy/modules/services/squid.te | 21
policy/modules/services/ssh.fc | 6
policy/modules/services/ssh.if | 158 ++
policy/modules/services/ssh.te | 56 -
policy/modules/services/sssd.te | 3
policy/modules/services/sysstat.te | 4
policy/modules/services/tftp.if | 19
policy/modules/services/tgtd.te | 6
policy/modules/services/tor.te | 3
policy/modules/services/tuned.te | 5
policy/modules/services/ucspitcp.te | 5
policy/modules/services/usbmuxd.fc | 2
policy/modules/services/varnishd.if | 19
policy/modules/services/vhostmd.te | 2
policy/modules/services/virt.fc | 6
policy/modules/services/virt.if | 78 +
policy/modules/services/virt.te | 97 +
policy/modules/services/w3c.te | 9
policy/modules/services/xserver.fc | 61 -
policy/modules/services/xserver.if | 456 +++++++-
policy/modules/services/xserver.te | 425 ++++++-
policy/modules/system/application.te | 16
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 56 -
policy/modules/system/daemontools.if | 62 +
policy/modules/system/daemontools.te | 26
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 12
policy/modules/system/getty.te | 2
policy/modules/system/hostname.te | 7
policy/modules/system/hotplug.te | 2
policy/modules/system/init.fc | 3
policy/modules/system/init.if | 148 ++
policy/modules/system/init.te | 214 +++
policy/modules/system/ipsec.fc | 1
policy/modules/system/ipsec.if | 72 +
policy/modules/system/ipsec.te | 48
policy/modules/system/iptables.fc | 7
policy/modules/system/iptables.if | 4
policy/modules/system/iptables.te | 22
policy/modules/system/iscsi.if | 18
policy/modules/system/iscsi.te | 2
policy/modules/system/libraries.fc | 155 ++
policy/modules/system/libraries.te | 8
policy/modules/system/locallogin.te | 40
policy/modules/system/logging.fc | 16
policy/modules/system/logging.if | 62 +
policy/modules/system/logging.te | 33
policy/modules/system/lvm.fc | 2
policy/modules/system/lvm.if | 2
policy/modules/system/lvm.te | 21
policy/modules/system/miscfiles.fc | 6
policy/modules/system/miscfiles.if | 3
policy/modules/system/modutils.if | 20
policy/modules/system/modutils.te | 14
policy/modules/system/mount.fc | 8
policy/modules/system/mount.if | 163 ++
policy/modules/system/mount.te | 155 ++
policy/modules/system/raid.te | 1
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 330 +++++
policy/modules/system/selinuxutil.te | 246 +---
policy/modules/system/setrans.te | 1
policy/modules/system/sosreport.fc | 2
policy/modules/system/sosreport.if | 131 ++
policy/modules/system/sosreport.te | 155 ++
policy/modules/system/sysnetwork.fc | 2
policy/modules/system/sysnetwork.if | 171 ++-
policy/modules/system/sysnetwork.te | 30
policy/modules/system/udev.fc | 1
policy/modules/system/udev.if | 19
policy/modules/system/udev.te | 13
policy/modules/system/unconfined.fc | 14
policy/modules/system/unconfined.if | 440 -------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 12
policy/modules/system/userdomain.if | 1667 ++++++++++++++++++++++++------
policy/modules/system/userdomain.te | 58 -
policy/modules/system/xen.if | 3
policy/modules/system/xen.te | 15
policy/support/misc_patterns.spt | 8
policy/support/obj_perm_sets.spt | 38
policy/users | 17
446 files changed, 25087 insertions(+), 2241 deletions(-)
View full diff with command:
/usr/bin/cvs -n -f diff -kk -u -p -N -r 1.131 -r 1.132 policy-F13.patchIndex: policy-F13.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/policy-F13.patch,v
retrieving revision 1.131
retrieving revision 1.132
diff -u -p -r1.131 -r1.132
--- policy-F13.patch 21 Jun 2010 19:53:50 -0000 1.131
+++ policy-F13.patch 28 Jun 2010 17:02:44 -0000 1.132
@@ -584,7 +584,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.19/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-06-21 10:15:08.013074097 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-06-28 16:07:02.334150320 +0200
@@ -20,6 +20,9 @@
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
@@ -606,6 +606,14 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
+@@ -93,6 +100,7 @@
+ sysnet_exec_ifconfig(logwatch_t)
+
+ userdom_dontaudit_search_user_home_dirs(logwatch_t)
++userdom_dontaudit_list_admin_dir(logwatch_t)
+
+ mta_send_mail(logwatch_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.19/policy/modules/admin/mcelog.te
--- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/admin/mcelog.te 2010-05-28 09:41:59.952610471 +0200
@@ -1925,6 +1933,87 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectoolm.te serefpolicy-3.7.19/policy/modules/admin/sectoolm.te
+--- nsaserefpolicy/policy/modules/admin/sectoolm.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/sectoolm.te 2010-06-28 16:05:26.150150582 +0200
+@@ -85,6 +85,7 @@
+ sysnet_domtrans_ifconfig(sectoolm_t)
+
+ userdom_manage_user_tmp_sockets(sectoolm_t)
++userdom_stream_connect(sectoolm_t)
+
+ optional_policy(`
+ mount_exec(sectoolm_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.19/policy/modules/admin/shorewall.if
+--- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.if 2010-06-28 18:47:53.194150718 +0200
+@@ -37,44 +37,6 @@
+ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+ ')
+
+-#######################################
+-## <summary>
+-## Read shorewall PID files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`shorewall_read_pid_files',`
+- gen_require(`
+- type shorewall_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+-')
+-
+-#######################################
+-## <summary>
+-## Read and write shorewall PID files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`shorewall_rw_pid_files',`
+- gen_require(`
+- type shorewall_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+-')
+-
+ ######################################
+ ## <summary>
+ ## Read shorewall /var/lib files.
+@@ -134,9 +96,9 @@
+ #
+ interface(`shorewall_admin',`
+ gen_require(`
+- type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
++ type shorewall_t, shorewall_lock_t;
+ type shorewall_initrc_exec_t, shorewall_var_lib_t;
+- type shorewall_tmp_t;
++ type shorewall_tmp_t, shorewall_etc_t;
+ ')
+
+ allow $1 shorewall_t:process { ptrace signal_perms };
+@@ -153,9 +115,6 @@
+ files_search_locks($1)
+ admin_pattern($1, shorewall_lock_t)
+
+- files_search_pids($1)
+- admin_pattern($1, shorewall_var_run_t)
+-
+ files_search_var_lib($1)
+ admin_pattern($1, shorewall_var_lib_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.19/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te 2010-06-14 20:23:23.332218554 +0200
@@ -6601,8 +6690,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-06-16 18:43:19.954110079 +0200
-@@ -0,0 +1,388 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-06-28 14:07:11.618192152 +0200
+@@ -0,0 +1,389 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -6912,7 +7001,8 @@ diff --exclude-from=exclude -N -u -r nsa
+
+files_dontaudit_getattr_all_dirs(sandbox_web_type)
+
-+fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
++#fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
++fs_rw_anon_inodefs_files(sandbox_web_type)
+fs_dontaudit_getattr_all_fs(sandbox_web_type)
+
+storage_dontaudit_rw_fuse(sandbox_web_type)
@@ -12775,15 +12865,29 @@ diff --exclude-from=exclude -N -u -r nsa
admin_pattern($1, abrt_var_cache_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-15 06:54:27.545609592 +0200
-@@ -1,5 +1,5 @@
++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-28 16:23:52.388151357 +0200
+@@ -1,11 +1,19 @@
-policy_module(abrt, 1.0.1)
+policy_module(abrt, 1.1.0)
########################################
#
-@@ -33,13 +33,25 @@
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow ABRT to modify public files
++## used for public file transfer services.
++## </p>
++## </desc>
++gen_tunable(abrt_anon_write, false)
++
+ type abrt_t;
+ type abrt_exec_t;
+ init_daemon_domain(abrt_t, abrt_exec_t)
+@@ -33,13 +41,25 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -12811,7 +12915,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -54,20 +66,25 @@
+@@ -54,20 +74,25 @@
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
@@ -12839,7 +12943,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
-@@ -75,25 +92,46 @@
+@@ -75,27 +100,49 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
@@ -12888,8 +12992,11 @@ diff --exclude-from=exclude -N -u -r nsa
+fs_search_all(abrt_t)
sysnet_read_config(abrt_t)
++sysnet_dns_name_resolve(abrt_t)
-@@ -103,22 +141,121 @@
+ logging_read_generic_logs(abrt_t)
[...1738 lines suppressed...]
-@@ -1802,8 +2098,7 @@
+@@ -1802,8 +2102,7 @@
type user_home_dir_t, user_home_t;
')
@@ -39260,7 +39868,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1815,25 +2110,18 @@
+@@ -1815,25 +2114,18 @@
## Domain allowed access.
## </summary>
## </param>
@@ -39290,7 +39898,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
## <summary>
## Do not audit attempts to execute user home files.
-@@ -1866,6 +2154,7 @@
+@@ -1866,6 +2158,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -39298,7 +39906,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2391,25 @@
+@@ -2102,6 +2395,25 @@
########################################
## <summary>
@@ -39324,7 +39932,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Do not audit attempts to list user
## temporary directories.
## </summary>
-@@ -2218,6 +2526,25 @@
+@@ -2218,6 +2530,25 @@
########################################
## <summary>
@@ -39350,7 +39958,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Do not audit attempts to manage users
## temporary files.
## </summary>
-@@ -2427,13 +2754,14 @@
+@@ -2427,13 +2758,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -39366,7 +39974,7 @@ diff --exclude-from=exclude -N -u -r nsa
## </summary>
## <param name="domain">
## <summary>
-@@ -2454,6 +2782,24 @@
+@@ -2454,6 +2786,24 @@
########################################
## <summary>
@@ -39391,7 +39999,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2747,6 +3093,25 @@
+@@ -2747,6 +3097,25 @@
########################################
## <summary>
@@ -39417,7 +40025,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Execute bin_t in the unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -2787,7 +3152,7 @@
+@@ -2787,7 +3156,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -39426,7 +40034,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3168,13 @@
+@@ -2803,11 +3172,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -39442,7 +40050,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -2944,7 +3311,7 @@
+@@ -2944,7 +3315,7 @@
type user_tmp_t;
')
@@ -39451,7 +40059,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -2981,6 +3348,7 @@
+@@ -2981,6 +3352,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -39459,7 +40067,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_search_proc($1)
')
-@@ -3111,3 +3479,702 @@
+@@ -3111,3 +3483,724 @@
allow $1 userdomain:dbus send_msg;
')
@@ -40034,6 +40642,28 @@ diff --exclude-from=exclude -N -u -r nsa
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
+')
+
++#######################################
++## <summary>
++## Read audio files in the users homedir.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_read_home_audio_files',`
++ gen_require(`
++ type audio_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 audio_home_t:dir list_dir_perms;
++ read_files_pattern($1, audio_home_t, audio_home_t)
++ read_lnk_files_pattern($1, audio_home_t, audio_home_t)
++')
++
+########################################
+## <summary>
+## dontaudit Search getatrr /root files
@@ -40164,7 +40794,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-05-28 09:42:00.529612133 +0200
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-06-28 14:07:11.753148781 +0200
@@ -29,13 +29,6 @@
## <desc>
@@ -40210,11 +40840,15 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-@@ -97,3 +100,36 @@
+@@ -97,3 +100,40 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
+
++type audio_home_t;
++userdom_user_home_content(audio_home_t)
++ubac_constrained(audio_home_t)
++
+type home_bin_t;
+userdom_user_home_content(home_bin_t)
+ubac_constrained(home_bin_t)
@@ -40263,7 +40897,7 @@ diff --exclude-from=exclude -N -u -r nsa
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.19/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-05-28 09:42:00.531610673 +0200
++++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-06-28 16:10:21.601401352 +0200
@@ -5,6 +5,7 @@
#
# Declarations
@@ -40297,7 +40931,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_read_kernel_sysctls(xm_t)
kernel_read_sysctl(xm_t)
kernel_read_xen_state(xm_t)
-@@ -438,6 +441,12 @@
+@@ -438,10 +441,17 @@
')
optional_policy(`
@@ -40310,7 +40944,12 @@ diff --exclude-from=exclude -N -u -r nsa
virt_domtrans(xm_t)
virt_manage_images(xm_t)
virt_manage_config(xm_t)
-@@ -454,11 +463,14 @@
+ virt_stream_connect(xm_t)
++ virt_dontaudit_read_lib_files(xm_t)
+ ')
+
+ ########################################
+@@ -454,11 +464,14 @@
kernel_read_xen_state(xm_ssh_t)
kernel_write_xen_state(xm_ssh_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/selinux-policy.spec,v
retrieving revision 1.1033
retrieving revision 1.1034
diff -u -p -r1.1033 -r1.1034
--- selinux-policy.spec 21 Jun 2010 19:53:51 -0000 1.1033
+++ selinux-policy.spec 28 Jun 2010 17:02:46 -0000 1.1034
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 31%{?dist}
+Release: 32%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,16 @@ exit 0
%endif
%changelog
+* Mon Jun 28 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-32
+- Allow sectool to connect to users over unix stream socket
+- Add label for /var/spool/abrt-upload
+- Add audio_home_t type for homedir/Music files
+- Allow aiccu to read network config files
+- Allow qpidd to setsched
+- Allow virt domains to manage svirt_image_t fifo files
+- Fixes for NM-openswan
+- Fixes for admin interfaces
+
* Mon Jun 21 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-31
- Remove daemons dontaudit to search all dirs
- Add support for epylog
- Previous message: rpms/jericho-html/EL-6 import.log, NONE, 1.1 jericho-html.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message: rpms/kernel/devel kernel.spec, 1.2045, 1.2046 linux-2.6-phylib-autoload.patch, 1.2, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list