rpms/selinux-policy/F-12 policy-20100106.patch, 1.48, 1.49 selinux-policy.spec, 1.1032, 1.1033
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Mar 9 16:41:58 UTC 2010
- Previous message: rpms/ecl/devel ecl-10.3.1-ffi.patch, NONE, 1.1 ecl-10.3.1-semaphore.patch, NONE, 1.1 .cvsignore, 1.8, 1.9 ecl.spec, 1.17, 1.18 sources, 1.8, 1.9 ecl-10.2.1-ffi.patch, 1.1, NONE ecl-10.2.1-semaphore.patch, 1.1, NONE
- Next message: File blahtexml-0.8-src.tar.gz uploaded to lookaside cache by jasper
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14682
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Allow pulseaudio sys_tty_config capability
- Add label for cman_tool
- Fixes for corosync policy
- Allow abrt to get the attributes of all domains
- Allow abrt to read symbolic links on a NFS filesystem
policy-20100106.patch:
config/appconfig-mcs/x_contexts | 109 ----
config/appconfig-mls/x_contexts | 109 ----
config/appconfig-standard/x_contexts | 109 ----
policy/flask/access_vectors | 55 +-
policy/flask/security_classes | 4
policy/modules/admin/consoletype.if | 4
policy/modules/admin/dmesg.fc | 1
policy/modules/admin/logrotate.te | 5
policy/modules/admin/logwatch.te | 5
policy/modules/admin/mcelog.fc | 2
policy/modules/admin/mcelog.if | 20
policy/modules/admin/mcelog.te | 31 +
policy/modules/admin/netutils.fc | 1
policy/modules/admin/netutils.te | 6
policy/modules/admin/prelink.te | 1
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 2
policy/modules/admin/rpm.if | 60 ++
policy/modules/admin/rpm.te | 2
policy/modules/admin/smoltclient.te | 2
policy/modules/admin/usermanage.te | 8
policy/modules/admin/vbetool.te | 13
policy/modules/admin/vpn.te | 7
policy/modules/apps/cdrecord.te | 2
policy/modules/apps/chrome.te | 11
policy/modules/apps/execmem.if | 6
policy/modules/apps/firewallgui.te | 6
policy/modules/apps/gnome.fc | 9
policy/modules/apps/gnome.if | 81 ++-
policy/modules/apps/gnome.te | 8
policy/modules/apps/gpg.fc | 2
policy/modules/apps/gpg.te | 7
policy/modules/apps/java.if | 1
policy/modules/apps/java.te | 1
policy/modules/apps/kdumpgui.te | 4
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/nsplugin.fc | 1
policy/modules/apps/nsplugin.if | 38 +
policy/modules/apps/nsplugin.te | 6
policy/modules/apps/openoffice.if | 1
policy/modules/apps/podsleuth.te | 1
policy/modules/apps/ptchown.te | 1
policy/modules/apps/pulseaudio.fc | 7
policy/modules/apps/pulseaudio.if | 68 ++
policy/modules/apps/pulseaudio.te | 41 +
policy/modules/apps/qemu.te | 1
policy/modules/apps/sambagui.te | 4
policy/modules/apps/sandbox.if | 54 +-
policy/modules/apps/sandbox.te | 49 +
policy/modules/apps/slocate.te | 1
policy/modules/apps/vmware.if | 18
policy/modules/apps/vmware.te | 10
policy/modules/apps/wine.if | 5
policy/modules/apps/wine.te | 18
policy/modules/apps/wm.if | 16
policy/modules/kernel/corecommands.fc | 5
policy/modules/kernel/corenetwork.if.in | 18
policy/modules/kernel/corenetwork.te.in | 7
policy/modules/kernel/devices.fc | 6
policy/modules/kernel/devices.if | 200 +++++++-
policy/modules/kernel/devices.te | 25 -
policy/modules/kernel/domain.if | 24
policy/modules/kernel/domain.te | 6
policy/modules/kernel/files.fc | 2
policy/modules/kernel/files.if | 334 ++++++++++---
policy/modules/kernel/files.te | 7
policy/modules/kernel/filesystem.if | 156 ++++++
policy/modules/kernel/filesystem.te | 12
policy/modules/kernel/kernel.if | 36 +
policy/modules/kernel/terminal.if | 247 +++++++++-
policy/modules/roles/auditadm.te | 2
policy/modules/roles/secadm.te | 2
policy/modules/roles/staff.te | 18
policy/modules/roles/sysadm.te | 6
policy/modules/roles/unconfineduser.fc | 5
policy/modules/roles/unconfineduser.te | 10
policy/modules/roles/xguest.te | 6
policy/modules/services/abrt.if | 5
policy/modules/services/abrt.te | 20
policy/modules/services/afs.te | 6
policy/modules/services/aisexec.fc | 2
policy/modules/services/aisexec.te | 8
policy/modules/services/amavis.te | 1
policy/modules/services/apache.fc | 9
policy/modules/services/apache.if | 48 +
policy/modules/services/apache.te | 43 +
policy/modules/services/apcupsd.te | 2
policy/modules/services/arpwatch.te | 2
policy/modules/services/asterisk.te | 1
policy/modules/services/avahi.fc | 2
policy/modules/services/bind.if | 19
policy/modules/services/cachefilesd.fc | 28 +
policy/modules/services/cachefilesd.if | 41 +
policy/modules/services/cachefilesd.te | 146 +++++
policy/modules/services/ccs.te | 6
policy/modules/services/chronyd.fc | 2
policy/modules/services/chronyd.te | 15
policy/modules/services/clogd.if | 24
policy/modules/services/clogd.te | 7
policy/modules/services/cobbler.fc | 5
policy/modules/services/cobbler.if | 156 ++++++
policy/modules/services/cobbler.te | 132 +++++
policy/modules/services/consolekit.te | 15
policy/modules/services/corosync.fc | 3
policy/modules/services/corosync.te | 15
policy/modules/services/cron.te | 9
policy/modules/services/cups.te | 8
policy/modules/services/dbus.if | 7
policy/modules/services/dcc.te | 2
policy/modules/services/devicekit.fc | 4
policy/modules/services/devicekit.te | 14
policy/modules/services/dhcp.if | 19
policy/modules/services/dhcp.te | 4
policy/modules/services/djbdns.if | 38 +
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 2
policy/modules/services/dnsmasq.if | 38 +
policy/modules/services/dnsmasq.te | 8
policy/modules/services/dovecot.te | 6
policy/modules/services/exim.if | 18
policy/modules/services/fail2ban.if | 18
policy/modules/services/ftp.fc | 2
policy/modules/services/ftp.if | 37 +
policy/modules/services/ftp.te | 116 ++++
policy/modules/services/git.fc | 17
policy/modules/services/git.if | 466 ++++++++++++++----
policy/modules/services/git.te | 145 +++--
policy/modules/services/gpm.fc | 2
policy/modules/services/hal.te | 9
policy/modules/services/inn.te | 1
policy/modules/services/kerberos.if | 2
policy/modules/services/ldap.fc | 3
policy/modules/services/ldap.te | 13
policy/modules/services/lircd.te | 7
policy/modules/services/mailman.te | 1
policy/modules/services/memcached.te | 14
policy/modules/services/modemmanager.te | 2
policy/modules/services/mta.if | 38 +
policy/modules/services/mta.te | 1
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 5
policy/modules/services/nagios.fc | 46 +
policy/modules/services/nagios.if | 28 +
policy/modules/services/nagios.te | 87 +++
policy/modules/services/networkmanager.fc | 1
policy/modules/services/networkmanager.if | 19
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 5
policy/modules/services/nis.te | 8
policy/modules/services/nx.if | 18
policy/modules/services/openvpn.te | 4
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 304 ------------
policy/modules/services/plymouth.te | 102 ----
policy/modules/services/plymouthd.fc | 9
policy/modules/services/plymouthd.if | 322 +++++++++++++
policy/modules/services/plymouthd.te | 106 ++++
policy/modules/services/policykit.te | 20
policy/modules/services/postfix.if | 37 +
policy/modules/services/postfix.te | 5
policy/modules/services/ppp.fc | 2
policy/modules/services/ppp.te | 8
policy/modules/services/prelude.te | 2
policy/modules/services/qmail.if | 18
policy/modules/services/rgmanager.if | 40 +
policy/modules/services/rgmanager.te | 58 +-
policy/modules/services/rhcs.fc | 9
policy/modules/services/rhcs.if | 58 ++
policy/modules/services/rhcs.te | 278 ++---------
policy/modules/services/ricci.te | 8
policy/modules/services/rpc.if | 1
policy/modules/services/rpc.te | 8
policy/modules/services/rsync.if | 38 +
policy/modules/services/samba.te | 18
policy/modules/services/sendmail.te | 4
policy/modules/services/setroubleshoot.te | 4
policy/modules/services/snmp.te | 4
policy/modules/services/snort.te | 1
policy/modules/services/spamassassin.if | 18
policy/modules/services/spamassassin.te | 6
policy/modules/services/ssh.if | 4
policy/modules/services/ssh.te | 84 ---
policy/modules/services/sssd.fc | 2
policy/modules/services/sssd.if | 85 ++-
policy/modules/services/sssd.te | 16
policy/modules/services/tftp.if | 20
policy/modules/services/tftp.te | 1
policy/modules/services/tgtd.te | 1
policy/modules/services/tuned.fc | 3
policy/modules/services/tuned.te | 15
policy/modules/services/ucspitcp.te | 5
policy/modules/services/usbmuxd.fc | 6
policy/modules/services/usbmuxd.if | 64 ++
policy/modules/services/usbmuxd.te | 51 ++
policy/modules/services/virt.if | 8
policy/modules/services/virt.te | 15
policy/modules/services/xserver.fc | 17
policy/modules/services/xserver.if | 738 ++++++++++--------------------
policy/modules/services/xserver.te | 384 ++++++++-------
policy/modules/system/application.te | 12
policy/modules/system/daemontools.if | 62 ++
policy/modules/system/daemontools.te | 26 -
policy/modules/system/fstools.fc | 2
policy/modules/system/hostname.te | 3
policy/modules/system/hotplug.te | 4
policy/modules/system/init.if | 35 +
policy/modules/system/init.te | 27 +
policy/modules/system/ipsec.te | 13
policy/modules/system/iptables.if | 10
policy/modules/system/iptables.te | 6
policy/modules/system/iscsi.fc | 3
policy/modules/system/iscsi.te | 10
policy/modules/system/libraries.fc | 19
policy/modules/system/locallogin.te | 22
policy/modules/system/logging.fc | 7
policy/modules/system/logging.if | 18
policy/modules/system/logging.te | 10
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.if | 4
policy/modules/system/lvm.te | 6
policy/modules/system/miscfiles.fc | 5
policy/modules/system/miscfiles.if | 37 +
policy/modules/system/modutils.te | 2
policy/modules/system/mount.if | 56 ++
policy/modules/system/mount.te | 56 ++
policy/modules/system/selinuxutil.if | 21
policy/modules/system/selinuxutil.te | 1
policy/modules/system/sysnetwork.fc | 1
policy/modules/system/sysnetwork.if | 4
policy/modules/system/sysnetwork.te | 3
policy/modules/system/udev.te | 5
policy/modules/system/unconfined.if | 2
policy/modules/system/userdomain.fc | 1
policy/modules/system/userdomain.if | 45 +
policy/modules/system/xen.if | 2
policy/modules/system/xen.te | 22
policy/support/obj_perm_sets.spt | 8
policy/users | 2
238 files changed, 5539 insertions(+), 2284 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -p -r1.48 -r1.49
--- policy-20100106.patch 5 Mar 2010 15:57:59 -0000 1.48
+++ policy-20100106.patch 9 Mar 2010 16:41:58 -0000 1.49
@@ -587,8 +587,16 @@ diff -b -B --ignore-all-space --exclude-
-/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-01-18 18:24:22.549542536 +0100
-+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2010-02-23 10:29:44.779867996 +0100
-@@ -215,5 +215,9 @@
++++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2010-03-09 15:56:02.235764426 +0100
+@@ -108,6 +108,7 @@
+ init_domtrans_script(logrotate_t)
+
+ logging_manage_all_logs(logrotate_t)
++logging_send_audit_msgs(logrotate_t)
+ logging_send_syslog_msg(logrotate_t)
+ # cjp: why is this needed?
+ logging_exec_all_logs(logrotate_t)
+@@ -215,5 +216,9 @@
')
optional_policy(`
@@ -927,6 +935,27 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
hal_rw_pid_files(vbetool_t)
hal_write_log(vbetool_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.6.32/policy/modules/admin/vpn.te
+--- nsaserefpolicy/policy/modules/admin/vpn.te 2010-01-18 18:24:22.585539991 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/vpn.te 2010-03-09 17:28:45.666384350 +0100
+@@ -31,7 +31,7 @@
+ allow vpnc_t self:rawip_socket create_socket_perms;
+ allow vpnc_t self:unix_dgram_socket create_socket_perms;
+ allow vpnc_t self:unix_stream_socket create_socket_perms;
+-allow vpnc_t self:tun_socket create;
++allow vpnc_t self:tun_socket create_socket_perms;
+ # cjp: this needs to be fixed
+ allow vpnc_t self:socket create_socket_perms;
+
+@@ -117,3 +117,8 @@
+ networkmanager_dbus_chat(vpnc_t)
+ ')
+ ')
++
++optional_policy(`
++ networkmanager_attach_tun_iface(vpnc_t)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.6.32/policy/modules/apps/cdrecord.te
--- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/cdrecord.te 2010-02-09 09:59:13.342615577 +0100
@@ -1394,6 +1423,17 @@ diff -b -B --ignore-all-space --exclude-
userdom_signal_unpriv_users(podsleuth_t)
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.32/policy/modules/apps/ptchown.te
+--- nsaserefpolicy/policy/modules/apps/ptchown.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/apps/ptchown.te 2010-03-08 12:56:34.687874102 +0100
+@@ -23,6 +23,7 @@
+
+ fs_rw_anon_inodefs_files(ptchown_t)
+
++term_getattr_all_ptys(ptchown_t)
+ term_setattr_generic_ptys(ptchown_t)
+ term_setattr_all_user_ptys(ptchown_t)
+ term_use_generic_ptys(ptchown_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc
--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc 2010-03-04 16:47:02.038534128 +0100
@@ -1504,7 +1544,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-21 20:47:43.404568303 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-03-04 17:20:24.650533952 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-03-08 12:59:06.980892887 +0100
@@ -1,5 +1,5 @@
-policy_module(pulseaudio, 1.0.1)
@@ -1537,7 +1577,7 @@ diff -b -B --ignore-all-space --exclude-
# pulseaudio local policy
#
-+allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource };
++allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
allow pulseaudio_t self:fifo_file rw_file_perms;
allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -1572,7 +1612,16 @@ diff -b -B --ignore-all-space --exclude-
auth_use_nsswitch(pulseaudio_t)
-@@ -72,6 +99,8 @@
+@@ -63,6 +90,8 @@
+
+ miscfiles_read_localization(pulseaudio_t)
+
++userdom_search_admin_dir(pulseaudio_t)
++
+ optional_policy(`
+ bluetooth_stream_connect(pulseaudio_t)
+ ')
+@@ -72,6 +101,8 @@
')
optional_policy(`
@@ -1581,7 +1630,7 @@ diff -b -B --ignore-all-space --exclude-
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
dbus_connect_session_bus(pulseaudio_t)
-@@ -108,7 +137,9 @@
+@@ -108,7 +139,9 @@
')
optional_policy(`
@@ -2582,7 +2631,16 @@ diff -b -B --ignore-all-space --exclude-
allow devices_unconfined_type mtrr_device_t:file *;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-01-18 18:24:22.683530317 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2010-02-26 09:33:54.830549053 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2010-03-08 13:17:11.540614796 +0100
+@@ -543,7 +543,7 @@
+
+ ########################################
+ ## <summary>
+-## Get the attributes of all domains of all domains.
++## Get the attributes of all domains.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
@@ -718,10 +718,6 @@
dontaudit $1 domain:dir list_dir_perms;
dontaudit $1 domain:lnk_file read_lnk_file_perms;
@@ -4042,7 +4100,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-03 10:39:47.599611967 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-09 15:42:45.872752800 +0100
@@ -39,6 +39,8 @@
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
@@ -4052,7 +4110,18 @@ diff -b -B --ignore-all-space --exclude-
domain_user_exemption_target(unconfined_t)
allow system_r unconfined_r;
-@@ -171,7 +173,7 @@
+@@ -148,6 +150,10 @@
+ ')
+
+ optional_policy(`
++ lvm_run(unconfined_usertype, unconfined_r)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat(unconfined_usertype)
+ ')
+
+@@ -171,7 +177,7 @@
optional_policy(`
xserver_rw_shm(unconfined_usertype)
xserver_run_xauth(unconfined_usertype, unconfined_r)
@@ -4061,7 +4130,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -344,7 +346,7 @@
+@@ -344,7 +350,7 @@
')
optional_policy(`
@@ -4110,8 +4179,8 @@ diff -b -B --ignore-all-space --exclude-
######################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-03-02 17:01:58.927615554 +0100
-@@ -96,6 +96,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-03-09 09:52:05.533515863 +0100
+@@ -96,16 +96,19 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
@@ -4119,7 +4188,11 @@ diff -b -B --ignore-all-space --exclude-
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_memory_dev(abrt_t)
-@@ -106,6 +107,7 @@
+
++domain_getattr_all_domains(abrt_t)
+ domain_read_all_domains_state(abrt_t)
+ domain_signull_all_domains(abrt_t)
+
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
files_read_var_lib_files(abrt_t)
@@ -4127,7 +4200,15 @@ diff -b -B --ignore-all-space --exclude-
files_read_usr_files(abrt_t)
files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
-@@ -176,6 +178,16 @@
+@@ -119,6 +122,7 @@
+ fs_read_fusefs_files(abrt_t)
+ fs_read_noxattr_fs_files(abrt_t)
+ fs_read_nfs_files(abrt_t)
++fs_read_nfs_symlinks(abrt_t)
+ fs_search_all(abrt_t)
+
+ sysnet_read_config(abrt_t)
+@@ -176,6 +180,16 @@
sssd_stream_connect(abrt_t)
')
@@ -4144,7 +4225,7 @@ diff -b -B --ignore-all-space --exclude-
permissive abrt_t;
########################################
-@@ -200,10 +212,16 @@
+@@ -200,10 +214,16 @@
files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)
@@ -5326,8 +5407,14 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.6.32/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 2010-01-18 18:24:22.762530308 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/corosync.fc 2010-02-17 15:36:57.020864395 +0100
-@@ -9,5 +9,5 @@
++++ serefpolicy-3.6.32/policy/modules/services/corosync.fc 2010-03-08 16:04:18.113614620 +0100
+@@ -4,10 +4,11 @@
+ /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+ /usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
++/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+ /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
@@ -5336,8 +5423,26 @@ diff -b -B --ignore-all-space --exclude-
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 2010-01-18 18:24:22.764539991 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2010-02-21 19:02:15.511309414 +0100
-@@ -72,6 +72,9 @@
++++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2010-03-08 16:05:31.170864569 +0100
+@@ -38,7 +38,7 @@
+ #
+
+ allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
+-allow corosync_t self:process { setrlimit setsched signal };
++allow corosync_t self:process { setrlimit setsched signal signull };
+
+ allow corosync_t self:fifo_file rw_fifo_file_perms;
+ allow corosync_t self:sem create_sem_perms;
+@@ -46,6 +46,8 @@
+ allow corosync_t self:unix_dgram_socket create_socket_perms;
+ allow corosync_t self:udp_socket create_socket_perms;
+
++can_exec(corosync_t,corosync_exec_t)
++
+ # tmp files
+ manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+ manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+@@ -72,14 +74,19 @@
files_pid_filetrans(corosync_t,corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
@@ -5347,7 +5452,17 @@ diff -b -B --ignore-all-space --exclude-
corenet_udp_bind_netsupport_port(corosync_t)
-@@ -92,6 +95,7 @@
+ corecmd_exec_bin(corosync_t)
++corecmd_exec_shell(corosync_t)
+
+ dev_read_urand(corosync_t)
+
+ files_manage_mounttab(corosync_t)
++files_read_usr_files(corosync_t)
+
+ auth_use_nsswitch(corosync_t)
+
+@@ -92,6 +99,7 @@
userdom_rw_user_tmpfs_files(corosync_t)
@@ -5355,7 +5470,7 @@ diff -b -B --ignore-all-space --exclude-
# to communication with RHCS
dlm_controld_manage_tmpfs_files(corosync_t)
dlm_controld_rw_semaphores(corosync_t)
-@@ -101,6 +105,11 @@
+@@ -101,6 +109,11 @@
gfs_controld_manage_tmpfs_files(corosync_t)
gfs_controld_rw_semaphores(corosync_t)
@@ -7039,8 +7154,8 @@ diff -b -B --ignore-all-space --exclude-
+#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.32/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-01-29 10:41:13.184864510 +0100
-@@ -28,6 +28,9 @@
++++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-03-09 15:08:52.333753712 +0100
+@@ -28,9 +28,15 @@
type slapd_replog_t;
files_type(slapd_replog_t)
@@ -7050,7 +7165,13 @@ diff -b -B --ignore-all-space --exclude-
type slapd_tmp_t;
files_tmp_file(slapd_tmp_t)
-@@ -68,6 +71,10 @@
++type slapd_tmpfs_t;
++files_tmpfs_file(slapd_tmpfs_t)
++
+ type slapd_var_run_t;
+ files_pid_file(slapd_var_run_t)
+
+@@ -68,10 +74,17 @@
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
@@ -7061,6 +7182,13 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+
++manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
++fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)
++
+ manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+ manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+ files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-18 18:24:22.806540025 +0100
+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2010-02-01 20:50:49.950161278 +0100
@@ -7214,8 +7342,17 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2010-01-18 18:24:22.815530066 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-02-09 12:34:15.400865901 +0100
-@@ -134,6 +134,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-03-09 15:32:34.203753605 +0100
+@@ -104,6 +104,8 @@
+
+ auth_use_nsswitch(munin_t)
+
++init_read_utmp(munin_t)
++
+ logging_send_syslog_msg(munin_t)
+ logging_read_all_logs(munin_t)
+
+@@ -134,6 +136,7 @@
optional_policy(`
mta_read_config(munin_t)
mta_send_mail(munin_t)
@@ -7544,10 +7681,43 @@ diff -b -B --ignore-all-space --exclude-
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.32/policy/modules/services/networkmanager.if
+--- nsaserefpolicy/policy/modules/services/networkmanager.if 2010-01-18 18:24:22.824530931 +0100
++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.if 2010-03-09 17:28:17.089383297 +0100
+@@ -199,3 +199,22 @@
+ role $2 types NetworkManager_t;
+ ')
+
++#######################################
++## <summary>
++## Allow caller to relabel tun_socket
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_attach_tun_iface',`
++ gen_require(`
++ type NetworkManager_t;
++ ')
++
++ allow $1 NetworkManager_t:tun_socket relabelfrom;
++ allow $1 self:tun_socket relabelto;
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-01-18 18:24:22.825542512 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-02-01 20:40:02.343160698 +0100
-@@ -51,6 +51,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-03-09 15:47:10.995505282 +0100
+@@ -45,12 +45,14 @@
+ allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+ allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
++allow NetworkManager_t self:tun_socket create_socket_perms;
+ allow NetworkManager_t self:udp_socket create_socket_perms;
+ allow NetworkManager_t self:packet_socket create_socket_perms;
+
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
can_exec(NetworkManager_t, NetworkManager_exec_t)
@@ -7989,8 +8159,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.6.32/policy/modules/services/plymouthd.te
--- nsaserefpolicy/policy/modules/services/plymouthd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/plymouthd.te 2010-03-03 10:39:47.605611921 +0100
-@@ -0,0 +1,105 @@
++++ serefpolicy-3.6.32/policy/modules/services/plymouthd.te 2010-03-09 16:16:21.119384494 +0100
+@@ -0,0 +1,106 @@
+policy_module(plymouthd, 1.0.0)
+
+########################################
@@ -8018,7 +8188,8 @@ diff -b -B --ignore-all-space --exclude-
+
+type plymouth_t;
+type plymouth_exec_t;
-+init_daemon_domain(plymouth_t, plymouth_exec_t)
++application_domain(plymouth_t, plymouth_exec_t)
++role system_r types plymouth_t;
+
+########################################
+#
@@ -10467,8 +10638,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-03-05 16:12:03.673562124 +0100
-@@ -0,0 +1,49 @@
++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-03-09 16:49:50.347389389 +0100
+@@ -0,0 +1,51 @@
+
+policy_module(usbmuxd,1.0.0)
+
@@ -10508,8 +10679,10 @@ diff -b -B --ignore-all-space --exclude-
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(usbmuxd_t)
++kernel_read_kernel_sysctls(usbmuxd_t)
+
+dev_rw_generic_usb_dev(usbmuxd_t)
++dev_read_sysfs(usbmuxd_t)
+
+files_read_etc_files(usbmuxd_t)
+
@@ -10677,7 +10850,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-01-18 18:24:22.920530710 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2010-03-05 09:36:04.144561462 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2010-03-09 15:10:08.558503370 +0100
@@ -19,27 +19,9 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -10795,15 +10968,24 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -218,7 +169,6 @@
+@@ -189,6 +140,7 @@
+ gen_require(`
+ type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
++ class x_screen all_x_screen_perms;
+ ')
+
+ xserver_restricted_role($1, $2)
+@@ -218,7 +170,7 @@
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
- xserver_common_app($2)
++ allow $2 xserver_t:x_screen { saver_hide saver_setattr saver_show };
')
#######################################
-@@ -290,6 +240,37 @@
+@@ -290,6 +242,37 @@
#######################################
## <summary>
@@ -10841,7 +11023,7 @@ diff -b -B --ignore-all-space --exclude-
## Create full client sessions
## on a user X server.
## </summary>
-@@ -307,7 +288,7 @@
+@@ -307,7 +290,7 @@
interface(`xserver_user_client',`
refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
gen_require(`
@@ -10850,7 +11032,7 @@ diff -b -B --ignore-all-space --exclude-
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
')
-@@ -321,9 +302,9 @@
+@@ -321,9 +304,9 @@
# for when /tmp/.X11-unix is created by the system
allow $1 xdm_t:fd use;
@@ -10863,7 +11045,7 @@ diff -b -B --ignore-all-space --exclude-
dontaudit $1 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -367,24 +348,24 @@
+@@ -367,24 +350,24 @@
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -10898,7 +11080,7 @@ diff -b -B --ignore-all-space --exclude-
')
##############################
-@@ -392,27 +373,38 @@
+@@ -392,27 +375,38 @@
# Local Policy
#
@@ -10953,7 +11135,7 @@ diff -b -B --ignore-all-space --exclude-
')
#######################################
-@@ -438,27 +430,12 @@
+@@ -438,27 +432,12 @@
#
# Types for properties
@@ -10982,7 +11164,7 @@ diff -b -B --ignore-all-space --exclude-
')
#######################################
-@@ -486,14 +463,13 @@
+@@ -486,14 +465,13 @@
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -11001,7 +11183,7 @@ diff -b -B --ignore-all-space --exclude-
# Read .Xauthority file
allow $2 xauth_home_t:file read_file_perms;
-@@ -501,9 +477,9 @@
+@@ -501,9 +479,9 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -11014,7 +11196,7 @@ diff -b -B --ignore-all-space --exclude-
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -519,6 +495,7 @@
+@@ -519,6 +497,7 @@
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@@ -11022,7 +11204,7 @@ diff -b -B --ignore-all-space --exclude-
# X object manager
xserver_object_types_template($1)
-@@ -529,10 +506,6 @@
+@@ -529,10 +508,6 @@
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
@@ -11033,7 +11215,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -592,11 +565,8 @@
+@@ -592,11 +567,8 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -11046,7 +11228,7 @@ diff -b -B --ignore-all-space --exclude-
fs_dontaudit_rw_anon_inodefs_files(xauth_t)
')
')
-@@ -652,6 +622,7 @@
+@@ -652,6 +624,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -11054,7 +11236,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -742,7 +713,7 @@
+@@ -742,7 +715,7 @@
type xdm_t;
')
@@ -11063,7 +11245,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -778,11 +749,11 @@
+@@ -778,11 +751,11 @@
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -11077,7 +11259,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -816,10 +787,10 @@
+@@ -816,10 +789,10 @@
#
interface(`xserver_setattr_xdm_tmp_dirs',`
gen_require(`
@@ -11090,7 +11272,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -835,13 +806,12 @@
+@@ -835,13 +808,12 @@
#
interface(`xserver_create_xdm_tmp_sockets',`
gen_require(`
@@ -11107,7 +11289,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -865,43 +835,6 @@
+@@ -865,43 +837,6 @@
########################################
## <summary>
@@ -11151,7 +11333,7 @@ diff -b -B --ignore-all-space --exclude-
## Read XDM var lib files.
## </summary>
## <param name="domain">
-@@ -920,75 +853,6 @@
+@@ -920,75 +855,6 @@
########################################
## <summary>
@@ -11227,7 +11409,7 @@ diff -b -B --ignore-all-space --exclude-
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1007,24 +871,6 @@
+@@ -1007,24 +873,6 @@
########################################
## <summary>
@@ -11252,7 +11434,7 @@ diff -b -B --ignore-all-space --exclude-
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -1100,27 +946,6 @@
+@@ -1100,27 +948,6 @@
########################################
## <summary>
@@ -11280,7 +11462,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to write the X server
## log files.
## </summary>
-@@ -1174,11 +999,11 @@
+@@ -1174,11 +1001,11 @@
#
interface(`xserver_read_xdm_tmp_files',`
gen_require(`
@@ -11294,7 +11476,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1193,11 +1018,11 @@
+@@ -1193,11 +1020,11 @@
#
interface(`xserver_dontaudit_read_xdm_tmp_files',`
gen_require(`
@@ -11309,7 +11491,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1212,11 +1037,11 @@
+@@ -1212,11 +1039,11 @@
#
interface(`xserver_rw_xdm_tmp_files',`
gen_require(`
@@ -11324,7 +11506,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1231,10 +1056,10 @@
+@@ -1231,10 +1058,10 @@
#
interface(`xserver_manage_xdm_tmp_files',`
gen_require(`
@@ -11337,7 +11519,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1249,10 +1074,10 @@
+@@ -1249,10 +1076,10 @@
#
interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
gen_require(`
@@ -11350,7 +11532,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1267,11 +1092,10 @@
+@@ -1267,11 +1094,10 @@
#
interface(`xserver_domtrans',`
gen_require(`
@@ -11363,7 +11545,7 @@ diff -b -B --ignore-all-space --exclude-
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1409,7 +1233,9 @@
+@@ -1409,7 +1235,9 @@
########################################
## <summary>
@@ -11374,7 +11556,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1417,18 +1243,33 @@
+@@ -1417,18 +1245,33 @@
## </summary>
## </param>
#
@@ -11413,7 +11595,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1436,81 +1277,95 @@
+@@ -1436,81 +1279,95 @@
## </summary>
## </param>
#
@@ -11536,7 +11718,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1518,127 +1373,92 @@
+@@ -1518,127 +1375,92 @@
## </summary>
## </param>
#
@@ -11696,7 +11878,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1662,27 +1482,30 @@
+@@ -1662,27 +1484,30 @@
########################################
## <summary>
@@ -11734,7 +11916,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1690,145 +1513,102 @@
+@@ -1690,145 +1515,102 @@
## </summary>
## </param>
#
@@ -13121,7 +13303,7 @@ diff -b -B --ignore-all-space --exclude-
gen_require(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-01-18 18:24:22.939530053 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-03-05 09:36:04.157811933 +0100
++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-03-08 12:57:11.225864570 +0100
@@ -182,9 +182,9 @@
# ipsec_mgmt Local policy
#
@@ -13130,7 +13312,7 @@ diff -b -B --ignore-all-space --exclude-
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
-+allow ipsec_mgmt_t self:process { getsched signal setrlimit ptrace };
++allow ipsec_mgmt_t self:process { getsched setsched signal setrlimit ptrace };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
@@ -13337,7 +13519,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-01-18 18:24:22.948530849 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-02-26 09:34:21.814810364 +0100
++++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-03-09 15:11:11.342502914 +0100
@@ -34,8 +34,7 @@
#
@@ -13390,7 +13572,7 @@ diff -b -B --ignore-all-space --exclude-
ifdef(`enable_mls',`
sysadm_shell_domtrans(sulogin_t)
',`
-@@ -252,10 +255,6 @@
+@@ -252,13 +255,10 @@
# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
@@ -13399,8 +13581,13 @@ diff -b -B --ignore-all-space --exclude-
- selinux_compute_user_contexts(sulogin_t)
-')
- ifdef(`sulogin_no_pam', `
+-ifdef(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config;
++
++ifdef(`sulogin_no_pam', `
+ init_getpgid(sulogin_t)
+ ', `
+ allow sulogin_t self:process setexec;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-18 18:24:22.949542779 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-02-16 17:27:23.944598052 +0100
@@ -13508,9 +13695,27 @@ diff -b -B --ignore-all-space --exclude-
#
# /sbin
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.6.32/policy/modules/system/lvm.if
+--- nsaserefpolicy/policy/modules/system/lvm.if 2010-01-18 18:24:22.952542532 +0100
++++ serefpolicy-3.6.32/policy/modules/system/lvm.if 2010-03-09 15:41:07.772503258 +0100
+@@ -58,10 +58,14 @@
+ interface(`lvm_run',`
+ gen_require(`
+ type lvm_t;
++ type clvmd_t;
+ ')
+
+ lvm_domtrans($1)
+ role $2 types lvm_t;
++ role $2 types clvmd_t;
++
++ modutils_run_insmod(lvm_t, $2)
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.32/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2010-01-18 18:24:22.953540006 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2010-02-26 09:34:34.736814526 +0100
++++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2010-03-09 15:12:07.296752851 +0100
@@ -143,6 +143,7 @@
optional_policy(`
@@ -13527,7 +13732,24 @@ diff -b -B --ignore-all-space --exclude-
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -317,6 +319,7 @@
+@@ -222,6 +224,7 @@
+ # it has no reason to need this
+ kernel_dontaudit_getattr_core_if(lvm_t)
+ kernel_use_fds(lvm_t)
++kernel_request_load_module(lvm_t)
+ kernel_search_debugfs(lvm_t)
+
+ corecmd_exec_bin(lvm_t)
+@@ -260,7 +263,7 @@
+ files_dontaudit_search_isid_type_dirs(lvm_t)
+ files_dontaudit_getattr_tmpfs_files(lvm_t)
+
+-fs_getattr_xattr_fs(lvm_t)
++fs_getattr_all_fs(lvm_t)
+ fs_search_auto_mountpoints(lvm_t)
+ fs_list_tmpfs(lvm_t)
+ fs_read_tmpfs_symlinks(lvm_t)
+@@ -317,6 +320,7 @@
optional_policy(`
aisexec_stream_connect(lvm_t)
@@ -13619,7 +13841,7 @@ diff -b -B --ignore-all-space --exclude-
init_rw_initctl(insmod_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2010-01-18 18:24:22.960539988 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/mount.if 2010-03-05 09:36:36.304811858 +0100
++++ serefpolicy-3.6.32/policy/modules/system/mount.if 2010-03-09 16:47:39.693634416 +0100
@@ -17,6 +17,10 @@
domtrans_pattern($1, mount_exec_t, mount_t)
@@ -13656,10 +13878,33 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Execute fusermount.
-@@ -133,6 +155,31 @@
- role $2 types mount_t;
+@@ -105,12 +127,17 @@
+ optional_policy(`
+ samba_run_smbmount($1, $2)
+ ')
++
++ optional_policy(`
++ mount_run_fusermount($1, $2)
++ ')
')
+ ########################################
+ ## <summary>
+ ## Execute fusermount in the mount domain, and
+-## allow the specified role the mount domain
++## allow the specified role the mount domain,
++## and use the caller's terminal.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -131,6 +158,33 @@
+
+ mount_domtrans_fusermount($1)
+ role $2 types mount_t;
++
++ fstools_run(mount_t, $2)
++')
++
+#######################################
+## <summary>
+## Execute showmount in the showmount domain, and
@@ -13683,11 +13928,9 @@ diff -b -B --ignore-all-space --exclude-
+
+ mount_domtrans_showmount($1)
+ role $2 types showmount_t;
-+')
-+
+ ')
+
########################################
- ## <summary>
- ## Execute mount in the caller domain.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100
+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-03-05 09:36:36.314559997 +0100
@@ -13916,7 +14159,7 @@ diff -b -B --ignore-all-space --exclude-
HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-03-05 09:36:04.191809032 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-03-09 16:30:07.806384243 +0100
@@ -461,7 +461,7 @@
xserver_create_xdm_tmp_sockets($1)
# Needed for escd, remove if we get escd policy
@@ -13953,7 +14196,15 @@ diff -b -B --ignore-all-space --exclude-
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
-@@ -2316,6 +2314,24 @@
+@@ -1136,7 +1134,6 @@
+
+ optional_policy(`
+ mount_run($1_t, $1_r)
+- mount_run_fusermount($1_usertype, $1_r)
+ ')
+
+ optional_policy(`
+@@ -2316,6 +2313,24 @@
dontaudit $1 user_tmp_t:dir list_dir_perms;
')
@@ -13978,7 +14229,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Do not audit attempts to manage users
-@@ -3631,6 +3647,24 @@
+@@ -3631,6 +3646,24 @@
########################################
## <summary>
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1032
retrieving revision 1.1033
diff -u -p -r1.1032 -r1.1033
--- selinux-policy.spec 5 Mar 2010 15:57:59 -0000 1.1032
+++ selinux-policy.spec 9 Mar 2010 16:41:58 -0000 1.1033
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 99%{?dist}
+Release: 100%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,13 @@ exit 0
%endif
%changelog
+* Tue Mar 9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-100
+- Allow pulseaudio sys_tty_config capability
+- Add label for cman_tool
+- Fixes for corosync policy
+- Allow abrt to get the attributes of all domains
+- Allow abrt to read symbolic links on a NFS filesystem
+
* Fri Mar 5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-99
- Add back etcfile attribute
- Previous message: rpms/ecl/devel ecl-10.3.1-ffi.patch, NONE, 1.1 ecl-10.3.1-semaphore.patch, NONE, 1.1 .cvsignore, 1.8, 1.9 ecl.spec, 1.17, 1.18 sources, 1.8, 1.9 ecl-10.2.1-ffi.patch, 1.1, NONE ecl-10.2.1-semaphore.patch, 1.1, NONE
- Next message: File blahtexml-0.8-src.tar.gz uploaded to lookaside cache by jasper
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list