rpms/selinux-policy/F-12 policy-20100106.patch, 1.50, 1.51 selinux-policy.spec, 1.1034, 1.1035
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Mar 15 17:11:28 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9763
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Allow bluetooth sys_admin capability
- Fix label for libADM libraries
- Allow libvirt to set svirt_image_t label on sysfs
- Add shutdown policy from Dan Walsh
policy-20100106.patch:
config/appconfig-mcs/x_contexts | 109 ----
config/appconfig-mls/x_contexts | 109 ----
config/appconfig-standard/x_contexts | 109 ----
policy/flask/access_vectors | 55 +-
policy/flask/security_classes | 4
policy/modules/admin/consoletype.if | 4
policy/modules/admin/dmesg.fc | 1
policy/modules/admin/logrotate.te | 5
policy/modules/admin/logwatch.te | 5
policy/modules/admin/mcelog.fc | 2
policy/modules/admin/mcelog.if | 20
policy/modules/admin/mcelog.te | 31 +
policy/modules/admin/netutils.fc | 1
policy/modules/admin/netutils.te | 6
policy/modules/admin/prelink.te | 1
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 2
policy/modules/admin/rpm.if | 60 ++
policy/modules/admin/rpm.te | 2
policy/modules/admin/shutdown.fc | 5
policy/modules/admin/shutdown.if | 100 ++++
policy/modules/admin/shutdown.te | 57 ++
policy/modules/admin/smoltclient.te | 2
policy/modules/admin/usermanage.te | 8
policy/modules/admin/vbetool.te | 13
policy/modules/admin/vpn.te | 7
policy/modules/apps/cdrecord.te | 2
policy/modules/apps/chrome.te | 11
policy/modules/apps/execmem.if | 10
policy/modules/apps/firewallgui.te | 6
policy/modules/apps/gnome.fc | 9
policy/modules/apps/gnome.if | 81 ++-
policy/modules/apps/gnome.te | 8
policy/modules/apps/gpg.fc | 2
policy/modules/apps/gpg.te | 10
policy/modules/apps/java.if | 1
policy/modules/apps/java.te | 1
policy/modules/apps/kdumpgui.te | 4
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 36 +
policy/modules/apps/nsplugin.fc | 1
policy/modules/apps/nsplugin.if | 40 +
policy/modules/apps/nsplugin.te | 10
policy/modules/apps/openoffice.if | 1
policy/modules/apps/podsleuth.te | 1
policy/modules/apps/ptchown.te | 1
policy/modules/apps/pulseaudio.fc | 7
policy/modules/apps/pulseaudio.if | 70 ++
policy/modules/apps/pulseaudio.te | 41 +
policy/modules/apps/qemu.te | 1
policy/modules/apps/sambagui.te | 4
policy/modules/apps/sandbox.if | 54 +-
policy/modules/apps/sandbox.te | 49 +
policy/modules/apps/slocate.te | 1
policy/modules/apps/vmware.if | 18
policy/modules/apps/vmware.te | 11
policy/modules/apps/wine.if | 5
policy/modules/apps/wine.te | 18
policy/modules/apps/wm.if | 16
policy/modules/kernel/corecommands.fc | 5
policy/modules/kernel/corenetwork.if.in | 18
policy/modules/kernel/corenetwork.te.in | 7
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.if | 335 ++++++++++++-
policy/modules/kernel/devices.te | 25 -
policy/modules/kernel/domain.if | 24
policy/modules/kernel/domain.te | 6
policy/modules/kernel/files.fc | 2
policy/modules/kernel/files.if | 334 ++++++++++---
policy/modules/kernel/files.te | 7
policy/modules/kernel/filesystem.if | 156 ++++++
policy/modules/kernel/filesystem.te | 12
policy/modules/kernel/kernel.if | 36 +
policy/modules/kernel/terminal.if | 247 +++++++++-
policy/modules/roles/auditadm.te | 2
policy/modules/roles/secadm.te | 2
policy/modules/roles/staff.te | 18
policy/modules/roles/sysadm.te | 12
policy/modules/roles/unconfineduser.fc | 5
policy/modules/roles/unconfineduser.te | 17
policy/modules/roles/xguest.te | 7
policy/modules/services/abrt.if | 5
policy/modules/services/abrt.te | 22
policy/modules/services/afs.te | 6
policy/modules/services/aisexec.fc | 2
policy/modules/services/aisexec.te | 8
policy/modules/services/amavis.te | 1
policy/modules/services/apache.fc | 9
policy/modules/services/apache.if | 48 +
policy/modules/services/apache.te | 46 +
policy/modules/services/apcupsd.te | 6
policy/modules/services/arpwatch.te | 2
policy/modules/services/asterisk.te | 1
policy/modules/services/avahi.fc | 2
policy/modules/services/avahi.if | 1
policy/modules/services/bind.if | 19
policy/modules/services/bluetooth.te | 2
policy/modules/services/cachefilesd.fc | 28 +
policy/modules/services/cachefilesd.if | 41 +
policy/modules/services/cachefilesd.te | 146 +++++
policy/modules/services/ccs.te | 6
policy/modules/services/chronyd.fc | 2
policy/modules/services/chronyd.te | 15
policy/modules/services/clogd.if | 24
policy/modules/services/clogd.te | 7
policy/modules/services/cobbler.fc | 5
policy/modules/services/cobbler.if | 156 ++++++
policy/modules/services/cobbler.te | 132 +++++
policy/modules/services/consolekit.te | 19
policy/modules/services/corosync.fc | 3
policy/modules/services/corosync.te | 15
policy/modules/services/cron.te | 9
policy/modules/services/cups.te | 8
policy/modules/services/dbus.if | 7
policy/modules/services/dcc.te | 2
policy/modules/services/devicekit.fc | 4
policy/modules/services/devicekit.te | 14
policy/modules/services/dhcp.if | 19
policy/modules/services/dhcp.te | 4
policy/modules/services/djbdns.if | 38 +
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 2
policy/modules/services/dnsmasq.if | 38 +
policy/modules/services/dnsmasq.te | 8
policy/modules/services/dovecot.te | 6
policy/modules/services/exim.if | 18
policy/modules/services/fail2ban.if | 18
policy/modules/services/ftp.fc | 2
policy/modules/services/ftp.if | 37 +
policy/modules/services/ftp.te | 116 ++++
policy/modules/services/git.fc | 17
policy/modules/services/git.if | 466 ++++++++++++++----
policy/modules/services/git.te | 145 +++--
policy/modules/services/gpm.fc | 2
policy/modules/services/hal.te | 13
policy/modules/services/inn.te | 1
policy/modules/services/kerberos.if | 2
policy/modules/services/ldap.fc | 3
policy/modules/services/ldap.te | 13
policy/modules/services/lircd.te | 7
policy/modules/services/mailman.te | 1
policy/modules/services/memcached.te | 14
policy/modules/services/modemmanager.te | 2
policy/modules/services/mta.if | 38 +
policy/modules/services/mta.te | 1
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 6
policy/modules/services/nagios.fc | 46 +
policy/modules/services/nagios.if | 28 +
policy/modules/services/nagios.te | 87 +++
policy/modules/services/networkmanager.fc | 1
policy/modules/services/networkmanager.if | 19
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 5
policy/modules/services/nis.te | 8
policy/modules/services/nut.te | 11
policy/modules/services/nx.if | 18
policy/modules/services/openvpn.te | 4
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 304 ------------
policy/modules/services/plymouth.te | 102 ----
policy/modules/services/plymouthd.fc | 9
policy/modules/services/plymouthd.if | 322 +++++++++++++
policy/modules/services/plymouthd.te | 106 ++++
policy/modules/services/policykit.te | 20
policy/modules/services/postfix.if | 37 +
policy/modules/services/postfix.te | 9
policy/modules/services/ppp.fc | 2
policy/modules/services/ppp.te | 8
policy/modules/services/prelude.te | 2
policy/modules/services/qmail.if | 18
policy/modules/services/rgmanager.if | 40 +
policy/modules/services/rgmanager.te | 58 +-
policy/modules/services/rhcs.fc | 9
policy/modules/services/rhcs.if | 58 ++
policy/modules/services/rhcs.te | 278 ++---------
policy/modules/services/ricci.te | 8
policy/modules/services/rpc.if | 1
policy/modules/services/rpc.te | 8
policy/modules/services/rsync.if | 38 +
policy/modules/services/samba.te | 18
policy/modules/services/sendmail.te | 4
policy/modules/services/setroubleshoot.te | 4
policy/modules/services/snmp.te | 4
policy/modules/services/snort.te | 1
policy/modules/services/spamassassin.if | 18
policy/modules/services/spamassassin.te | 6
policy/modules/services/ssh.if | 4
policy/modules/services/ssh.te | 84 ---
policy/modules/services/sssd.fc | 4
policy/modules/services/sssd.if | 85 ++-
policy/modules/services/sssd.te | 16
policy/modules/services/tftp.if | 20
policy/modules/services/tftp.te | 1
policy/modules/services/tgtd.te | 1
policy/modules/services/tor.fc | 1
policy/modules/services/tuned.fc | 3
policy/modules/services/tuned.te | 15
policy/modules/services/ucspitcp.te | 5
policy/modules/services/usbmuxd.fc | 6
policy/modules/services/usbmuxd.if | 64 ++
policy/modules/services/usbmuxd.te | 51 ++
policy/modules/services/virt.if | 9
policy/modules/services/virt.te | 15
policy/modules/services/xserver.fc | 18
policy/modules/services/xserver.if | 738 ++++++++++--------------------
policy/modules/services/xserver.te | 384 ++++++++-------
policy/modules/system/application.te | 12
policy/modules/system/daemontools.if | 62 ++
policy/modules/system/daemontools.te | 26 -
policy/modules/system/fstools.fc | 2
policy/modules/system/hostname.te | 3
policy/modules/system/hotplug.te | 4
policy/modules/system/init.if | 39 +
policy/modules/system/init.te | 27 +
policy/modules/system/ipsec.te | 13
policy/modules/system/iptables.if | 10
policy/modules/system/iptables.te | 6
policy/modules/system/iscsi.fc | 3
policy/modules/system/iscsi.te | 10
policy/modules/system/libraries.fc | 24
policy/modules/system/locallogin.te | 22
policy/modules/system/logging.fc | 7
policy/modules/system/logging.if | 18
policy/modules/system/logging.te | 10
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.if | 4
policy/modules/system/lvm.te | 6
policy/modules/system/miscfiles.fc | 5
policy/modules/system/miscfiles.if | 37 +
policy/modules/system/modutils.te | 2
policy/modules/system/mount.if | 56 ++
policy/modules/system/mount.te | 56 ++
policy/modules/system/selinuxutil.if | 21
policy/modules/system/selinuxutil.te | 1
policy/modules/system/sysnetwork.fc | 1
policy/modules/system/sysnetwork.if | 4
policy/modules/system/sysnetwork.te | 3
policy/modules/system/udev.te | 5
policy/modules/system/unconfined.if | 2
policy/modules/system/userdomain.fc | 1
policy/modules/system/userdomain.if | 45 +
policy/modules/system/xen.if | 2
policy/modules/system/xen.te | 22
policy/support/obj_perm_sets.spt | 8
policy/users | 2
246 files changed, 5913 insertions(+), 2322 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -p -r1.50 -r1.51
--- policy-20100106.patch 10 Mar 2010 15:41:50 -0000 1.50
+++ policy-20100106.patch 15 Mar 2010 17:11:27 -0000 1.51
@@ -861,6 +861,180 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Declarations
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.6.32/policy/modules/admin/shutdown.fc
+--- nsaserefpolicy/policy/modules/admin/shutdown.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/shutdown.fc 2010-03-11 21:20:40.173442296 +0100
+@@ -0,0 +1,5 @@
++/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
++
++/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++
++/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.6.32/policy/modules/admin/shutdown.if
+--- nsaserefpolicy/policy/modules/admin/shutdown.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/shutdown.if 2010-03-11 21:27:17.562510150 +0100
+@@ -0,0 +1,100 @@
++
++## <summary>policy for shutdown</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run shutdown.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`shutdown_domtrans',`
++ gen_require(`
++ type shutdown_t, shutdown_exec_t;
++ ')
++
++ domtrans_pattern($1, shutdown_exec_t, shutdown_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit shutdown_t $1:socket_class_set { read write };
++ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
++ ')
++')
++
++
++########################################
++## <summary>
++## Execute shutdown in the shutdown domain, and
++## allow the specified role the shutdown domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the shutdown domain.
++## </summary>
++## </param>
++#
++interface(`shutdown_run',`
++ gen_require(`
++ type shutdown_t;
++ ')
++
++ shutdown_domtrans($1)
++ role $2 types shutdown_t;
++')
++
++########################################
++## <summary>
++## Role access for shutdown
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## User domain for the role
++## </summary>
++## </param>
++#
++interface(`shutdown_role',`
++ gen_require(`
++ type shutdown_t;
++ ')
++
++ role $1 types shutdown_t;
++
++ shutdown_domtrans($2)
++
++ ps_process_pattern($2, shutdown_t)
++ allow $2 shutdown_t:process signal;
++')
++
++########################################
++## <summary>
++## Send and receive messages from
++## shutdown over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`shutdown_dbus_chat',`
++ gen_require(`
++ type shutdown_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 shutdown_t:dbus send_msg;
++ allow shutdown_t $1:dbus send_msg;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.6.32/policy/modules/admin/shutdown.te
+--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/shutdown.te 2010-03-11 21:21:02.264511203 +0100
+@@ -0,0 +1,57 @@
++policy_module(shutdown,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type shutdown_t;
++type shutdown_exec_t;
++application_domain(shutdown_t, shutdown_exec_t)
++role system_r types shutdown_t;
++
++type shutdown_etc_t;
++files_config_file(shutdown_etc_t)
++
++type shutdown_var_run_t;
++files_pid_file(shutdown_var_run_t)
++
++permissive shutdown_t;
++
++########################################
++#
++# shutdown local policy
++#
++
++allow shutdown_t self:capability { kill setuid sys_tty_config };
++allow shutdown_t self:process { fork signal };
++
++allow shutdown_t self:fifo_file manage_fifo_file_perms;
++allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
++files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
++
++manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
++files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
++
++files_read_etc_files(shutdown_t)
++files_read_generic_pids(shutdown_t)
++
++term_use_all_terms(shutdown_t)
++
++auth_use_nsswitch(shutdown_t)
++auth_write_login_records(shutdown_t)
++
++init_dontaudit_write_utmp(shutdown_t)
++init_read_utmp(shutdown_t)
++init_telinit(shutdown_t)
++
++logging_send_audit_msgs(shutdown_t)
++
++miscfiles_read_localization(shutdown_t)
++
++optional_policy(`
++ dbus_system_bus_client(shutdown_t)
++ dbus_connect_system_bus(shutdown_t)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 2010-01-18 18:24:22.573543214 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2010-01-25 11:03:49.548441857 +0100
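Review bot: `permissive shutdown_t;` in the new shutdown.te means every denial for the shutdown domain is logged but not enforced, so none of the rules in this file (the `kill setuid sys_tty_config` capabilities, `term_use_all_terms`, the etc/pid filetrans rules) constrains anything yet. That is a reasonable bring-up step, but the line carries no explanation and is easy to forget; I would add `# permissive while the policy is being developed; remove once AVC logs are clean` above it and track its removal. Note also that `files_etc_filetrans(shutdown_t, shutdown_etc_t, file)` labels any file shutdown_t creates directly in /etc as shutdown_etc_t, not only /etc/nologin, which is wider than the shutdown.fc entry suggests; worth a comment if that breadth is intended.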
@@ -1004,8 +1178,8 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`use_nfs_home_dirs',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 2010-01-18 18:24:22.590539929 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2010-03-03 10:39:47.586612078 +0100
-@@ -74,7 +74,11 @@
++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2010-03-11 22:17:04.177894107 +0100
+@@ -74,7 +74,15 @@
')
optional_policy(`
@@ -1015,6 +1189,10 @@ diff -b -B --ignore-all-space --exclude-
+ ')
+
+ optional_policy(`
++ mozilla_exec_domtrans($3, $1_execmem_t)
++ ')
++
++ optional_policy(`
xserver_role($2, $1_execmem_t)
')
')
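Review bot: The added `mozilla_exec_domtrans($3, $1_execmem_t)` (the interface is defined in this same commit) makes executions of mozilla_exec_t by the $3 domain transition into $1_execmem_t, so for roles using this template the browser presumably runs in the execmem domain rather than mozilla_t; the optional_policy block gives no hint that this is intended. A one-line comment such as `# run the browser in the execmem domain for this role instead of mozilla_t` would record the decision. The enclosing template starts and ends outside the hunk, so whether $3 also keeps a mozilla transition, and how the two would interact, is not visible here and should be confirmed.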
@@ -1243,7 +1421,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2010-01-18 18:24:22.605530382 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-03-03 10:39:47.587612339 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-03-11 21:20:40.181057088 +0100
@@ -112,11 +112,6 @@
userdom_use_user_terminals(gpg_t)
@@ -1256,7 +1434,24 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# GPG helper local policy
-@@ -271,6 +266,6 @@
+@@ -156,6 +151,7 @@
+ # sign/encrypt user files
+ userdom_manage_user_tmp_files(gpg_t)
+ userdom_manage_user_home_content_files(gpg_t)
++userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(gpg_helper_t)
+@@ -185,6 +181,8 @@
+ # GPG agent local policy
+ #
+
++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
++
+ # rlimit: gpg-agent wants to prevent coredumps
+ allow gpg_agent_t self:process setrlimit;
+
+@@ -271,6 +269,6 @@
')
optional_policy(`
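Review bot: The new `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` under the "GPG agent local policy" header has no comment, while the neighbouring rule explains itself (`# rlimit: gpg-agent wants to prevent coredumps`); a short `# gpg launches gpg-agent itself; confine it in gpg_agent_t` would keep the file's style and say why gpg_t now transitions. The added `userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)` sits under `# sign/encrypt user files`, which still reads correctly, so nothing to change there.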
@@ -1311,6 +1506,49 @@ diff -b -B --ignore-all-space --exclude-
/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.32/policy/modules/apps/mozilla.if
+--- nsaserefpolicy/policy/modules/apps/mozilla.if 2010-01-18 18:24:22.624530355 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2010-03-11 22:16:08.809566699 +0100
+@@ -210,3 +210,39 @@
+
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
+ ')
++
++#######################################
++## <summary>
++## Execute mozilla_exec_t
++## in the specified domain.
++## </summary>
++## <desc>
++## <p>
++## Execute a mozilla_exec_t
++## in the specified domain.
++## </p>
++## <p>
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="target_domain">
++## <summary>
++## The type of the new process.
++## </summary>
++## </param>
++#
++interface(`mozilla_exec_domtrans',`
++ gen_require(`
++ type mozilla_exec_t;
++ ')
++
++ allow $2 mozilla_exec_t:file entrypoint;
++ domtrans_pattern($1, mozilla_exec_t, $2)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 2010-01-18 18:24:22.626536127 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2010-01-21 18:31:18.271612626 +0100
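Review bot: `allow $2 mozilla_exec_t:file entrypoint;` in the new mozilla_exec_domtrans looks redundant: if `domtrans_pattern` is the reference-policy one, it already grants `$3 $2:file entrypoint` through domain_transition_pattern, so the explicit line adds nothing and reads as if the pattern lacked it. Keeping it is harmless, but either drop it or note why it is spelled out. The `<desc>` correctly says no IPC is granted; it would also help callers to state that $2 must already be a domain owned by the caller, since this interface only wires the transition.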
@@ -1323,8 +1561,8 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 2010-01-18 18:24:22.627530248 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2010-03-03 10:39:47.590622757 +0100
-@@ -130,8 +130,6 @@
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2010-03-15 11:21:13.428614633 +0100
+@@ -130,8 +132,6 @@
optional_policy(`
pulseaudio_role($1, nsplugin_t)
')
@@ -1333,7 +1571,16 @@ diff -b -B --ignore-all-space --exclude-
')
#######################################
-@@ -321,3 +319,39 @@
+@@ -169,7 +169,7 @@
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+ ')
+
+-#######################################
++######################################
+ ## <summary>
+ ## The per role template for the nsplugin module.
+ ## </summary>
+@@ -321,3 +322,39 @@
allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
')
@@ -1459,7 +1706,16 @@ diff -b -B --ignore-all-space --exclude-
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-01-18 18:24:22.632542198 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-03-04 16:47:02.048533186 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-03-15 12:23:36.288864417 +0100
+@@ -18,7 +18,7 @@
+ interface(`pulseaudio_role',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
+- class dbus { send_msg };
++ class dbus { acquire_svc send_msg };
+ ')
+
+ role $1 types pulseaudio_t;
@@ -29,7 +29,7 @@
ps_process_pattern($2, pulseaudio_t)
@@ -2248,7 +2504,7 @@ diff -b -B --ignore-all-space --exclude-
network_port(nmbd, udp,137,s0, udp,138,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-26 09:33:34.628548195 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-03-15 10:19:23.322613725 +0100
@@ -64,6 +64,7 @@
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
@@ -2265,7 +2521,12 @@ diff -b -B --ignore-all-space --exclude-
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
-@@ -104,6 +106,7 @@
+@@ -101,9 +103,12 @@
+ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
++/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
++/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
@@ -2273,27 +2534,54 @@ diff -b -B --ignore-all-space --exclude-
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -145,6 +148,7 @@
- /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-+/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-
- /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
-
-@@ -162,6 +166,8 @@
- /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-
-+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
-+
- /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
- /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-26 09:33:41.069548571 +0100
-@@ -147,6 +147,24 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-03-15 11:20:54.084614154 +0100
+@@ -29,14 +29,39 @@
+
+ ########################################
+ ## <summary>
+-## Make the passed in type a type appropriate for
+-## use on device nodes (usually files in /dev).
++## Make the specified type usable for device
++## nodes in a filesystem.
+ ## </summary>
+-## <param name="object_type">
++## <desc>
++## <p>
++## Make the specified type usable for device nodes
++## in a filesystem. Types used for device nodes that
++## do not use this interface, or an interface that
++## calls this one, will have unexpected behaviors
++## while the system is running.
++## </p>
++## <p>
++## Example:
++## </p>
++## <p>
++## type mydev_t;
++## dev_node(mydev_t)
++## allow mydomain_t mydev_t:chr_file read_chr_file_perms;
++## </p>
++## <p>
++## Related interfaces:
++## </p>
++## <ul>
++## <li>term_tty()</li>
++## <li>term_pty()</li>
++## </ul>
++## </desc>
++## <param name="type">
+ ## <summary>
+-## The object type that will be used on device nodes.
++## Type to be used for device nodes.
+ ## </summary>
+ ## </param>
++## <infoflow type="none"/>
+ #
+ interface(`dev_node',`
+ gen_require(`
+@@ -147,6 +172,24 @@
########################################
## <summary>
@@ -2318,15 +2606,15 @@ diff -b -B --ignore-all-space --exclude-
## Create a directory in the device directory.
## </summary>
## <param name="domain">
-@@ -418,6 +436,24 @@
+@@ -436,6 +479,24 @@
########################################
## <summary>
-+## Dontaudit getattr for generic character device files.
++## Read and write generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to dontaudit access.
++## Domain allowed access.
+## </summary>
+## </param>
+#
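Review bot: The summary of this interface is changed from "Dontaudit getattr for generic character device files" to `Read and write generic character device files` and the parameter from "Domain to dontaudit access" to `Domain allowed access`, but the interface name and body lie outside the hunk, so it is not visible whether the body was switched from a `dontaudit` to an `allow` rule to match. If the body still only dontaudits, the new documentation overstates what is granted; please confirm the body agrees with the summary before this lands.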
@@ -2340,10 +2628,10 @@ diff -b -B --ignore-all-space --exclude-
+
+########################################
+## <summary>
- ## Dontaudit setattr for generic character device files.
+ ## Do not audit attempts to set the attributes
+ ## of symbolic links in device directories (/dev).
## </summary>
- ## <param name="domain">
-@@ -873,6 +909,42 @@
+@@ -873,6 +934,42 @@
########################################
## <summary>
@@ -2386,7 +2674,7 @@ diff -b -B --ignore-all-space --exclude-
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -1398,6 +1470,42 @@
+@@ -1398,6 +1495,42 @@
rw_chr_files_pattern($1, device_t, crypt_device_t)
')
@@ -2429,7 +2717,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## getattr the dri devices.
-@@ -1728,6 +1836,24 @@
+@@ -1728,6 +1861,24 @@
########################################
## <summary>
@@ -2454,7 +2742,7 @@ diff -b -B --ignore-all-space --exclude-
## Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
-@@ -1963,7 +2089,7 @@
+@@ -1963,7 +2114,7 @@
########################################
## <summary>
@@ -2463,7 +2751,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1971,17 +2097,17 @@
+@@ -1971,17 +2122,17 @@
## </summary>
## </param>
#
@@ -2485,7 +2773,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1989,15 +2115,14 @@
+@@ -1989,15 +2140,14 @@
## </summary>
## </param>
#
@@ -2504,32 +2792,91 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## dontaudit getattr raw memory devices (e.g. /dev/mem).
-@@ -2487,6 +2612,24 @@
+@@ -2018,7 +2168,7 @@
+
+ ########################################
+ ## <summary>
+-## dontaudit getattr raw memory devices (e.g. /dev/mem).
++## Read raw memory devices (e.g. /dev/mem).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2026,34 +2176,35 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_read_memory_dev',`
++interface(`dev_read_raw_memory',`
+ gen_require(`
+- type memory_device_t;
++ type device_t, memory_device_t;
++ attribute memory_raw_read;
+ ')
+
+- dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
++ read_chr_files_pattern($1, device_t, memory_device_t)
++
++ allow $1 self:capability sys_rawio;
++ typeattribute $1 memory_raw_read;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read raw memory devices (e.g. /dev/mem).
++## Do not audit attempts to read raw memory devices
++## (e.g. /dev/mem).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`dev_read_raw_memory',`
++interface(`dev_dontaudit_read_raw_memory',`
+ gen_require(`
+- type device_t, memory_device_t;
+- attribute memory_raw_read;
++ type memory_device_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, memory_device_t)
+-
+- allow $1 self:capability sys_rawio;
+- typeattribute $1 memory_raw_read;
++ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+ ')
+
+ ########################################
+@@ -2468,6 +2619,26 @@
########################################
## <summary>
-+## Dontaudit write the memory type range registers (MTRR).
++## Do not audit attempts to write the memory type
++## range registers (MTRR).
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain to not audit.
++## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_mtrr',`
-+ gen_require(`
-+ type mtrr_device_t;
-+ ')
++ gen_require(`
++ type mtrr_device_t;
++ ')
+
+ dontaudit $1 mtrr_device_t:chr_file write;
++ dontaudit $1 mtrr_device_t:file write;
+')
+
+########################################
+## <summary>
- ## Get the attributes of the network control device
+ ## Read and write the memory type range registers (MTRR).
## </summary>
## <param name="domain">
-@@ -2590,8 +2733,7 @@
+@@ -2590,8 +2761,7 @@
type device_t, null_device_t;
')
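Review bot: Renaming `dev_dontaudit_read_memory_dev` to `dev_dontaudit_read_raw_memory` drops the old name with no compatibility wrapper in this hunk, so any module still calling `dev_dontaudit_read_memory_dev` will fail to build against the new devices.if; callers elsewhere in the patch are not visible from here, so either confirm they were all updated or keep a deprecated wrapper that calls the new name (refpolicy's `refpolicywarn` is the usual way to mark it, if the build has it). The doc swap at `-2018,7 +2168,7` keeps the summaries aligned with the reordered `dev_read_raw_memory` (which grants `sys_rawio` and the memory_raw_read attribute), which is good. In dev_dontaudit_write_mtrr the added `dontaudit $1 mtrr_device_t:file write;` is presumably there because the MTRR node also appears as a regular file (e.g. under /proc); a comment `# the MTRR node is also exposed as a plain file, not only a chr_file` would explain the second rule.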
@@ -2539,7 +2886,118 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -3553,6 +3695,24 @@
+@@ -2835,13 +3005,28 @@
+ ########################################
+ ## <summary>
+ ## Read from random number generator
+-## devices (e.g., /dev/random)
++## devices (e.g., /dev/random).
+ ## </summary>
++## <desc>
++## <p>
++## Allow the specified domain to read from random number
++## generator devices (e.g., /dev/random). Typically this is
++## used in situations when a cryptographically secure random
++## number is needed.
++## </p>
++## <p>
++## Related interface:
++## </p>
++## <ul>
++## <li>dev_read_urand()</li>
++## </ul>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <infoflow type="read" weight="10"/>
+ #
+ interface(`dev_read_rand',`
+ gen_require(`
+@@ -3383,13 +3568,22 @@
+
+ ########################################
+ ## <summary>
+-## Allow caller to read hardware state information.
++## Read hardware state information.
+ ## </summary>
++## <desc>
++## <p>
++## Allow the specified domain to read the contents of
++## the sysfs filesystem. This filesystem contains
++## information, parameters, and other settings on the
++## hardware installed on the system.
++## </p>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+-## The process type reading hardware state information.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <infoflow type="read" weight="10"/>
+ #
+ interface(`dev_read_sysfs',`
+ gen_require(`
+@@ -3425,13 +3619,54 @@
+
+ ########################################
+ ## <summary>
+-## Read from pseudo random devices (e.g., /dev/urandom)
++## Associate a file to a sysfs filesystem.
+ ## </summary>
++## <param name="file_type">
++## <summary>
++## The type of the file to be associated to sysfs.
++## </summary>
++## </param>
++#
++interface(`dev_associate_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ allow $1 sysfs_t:filesystem associate;
++')
++
++########################################
++## <summary>
++## Read from pseudo random number generator devices (e.g., /dev/urandom).
++## </summary>
++## <desc>
++## <p>
++## Allow the specified domain to read from pseudo random number
++## generator devices (e.g., /dev/urandom). Typically this is
++## used in situations when a cryptographically secure random
++## number is not necessarily needed. One example is the Stack
++## Smashing Protector (SSP, formerly known as ProPolice) support
++## that may be compiled into programs.
++## </p>
++## <p>
++## Related interface:
++## </p>
++## <ul>
++## <li>dev_read_rand()</li>
++## </ul>
++## <p>
++## Related tunable:
++## </p>
++## <ul>
++## <li>global_ssp</li>
++## </ul>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <infoflow type="read" weight="10"/>
+ #
+ interface(`dev_read_urand',`
+ gen_require(`
+@@ -3553,6 +3788,24 @@
########################################
## <summary>
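Review bot: The new dev_associate_sysfs() interface is documented only as "Associate a file to a sysfs filesystem", which hides what the grant is for: sysfs nodes are kernel-owned hardware attributes, and giving a file type `associate` on sysfs_t is the half of a relabel path that lets a privileged domain move such a node into that type and so extend the type's existing readers/writers to real hardware. A `<desc>` along the lines of "Allow files of this type to exist on sysfs; used with a relabel permission so a management domain can hand selected hardware attribute files to another domain" would make the intent reviewable for callers. The rand/urand descriptions added in the same hunk also say /dev/urandom is for cases where a cryptographically secure number "is not necessarily needed"; on Linux both devices are fed by the same generator and differ mainly in blocking behaviour, so wording such as "the non-blocking source; suitable for key material once the pool is seeded" would avoid steering policy authors toward the blocking device.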
@@ -2564,13 +3022,13 @@ diff -b -B --ignore-all-space --exclude-
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -3741,6 +3901,24 @@
+@@ -3741,6 +3994,24 @@
getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
+######################################
+## <summary>
-+## Read or write userio device.
++## Read and write userio device.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -4033,7 +4491,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-01-18 18:24:22.718544267 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-03-01 16:05:50.238492151 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-03-11 22:17:24.506733160 +0100
@@ -26,6 +26,8 @@
auth_domtrans_pam_console(staff_t)
@@ -4074,7 +4532,7 @@ diff -b -B --ignore-all-space --exclude-
gnomeclock_dbus_chat(staff_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-01-18 18:24:22.719529727 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2010-03-05 09:36:36.292561297 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2010-03-11 21:20:40.181057088 +0100
@@ -29,6 +29,7 @@
corecmd_exec_shell(sysadm_t)
@@ -4102,6 +4560,19 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
+@@ -314,7 +320,11 @@
+ ')
+
+ optional_policy(`
+- tzdata_domtrans(sysadm_t)
++ shutdown_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
++ tzdata_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-02-02 10:47:12.668175161 +0100
@@ -4119,7 +4590,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-09 15:42:45.872752800 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-11 22:33:59.863510767 +0100
@@ -39,6 +39,8 @@
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
@@ -4149,18 +4620,32 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -344,7 +350,7 @@
+@@ -344,7 +350,11 @@
')
optional_policy(`
- tzdata_run(unconfined_t, unconfined_r)
++ shutdown_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ tzdata_run(unconfined_usertype, unconfined_r)
')
optional_policy(`
+@@ -405,7 +415,8 @@
+ type unconfined_execmem_t;
+ type nsplugin_exec_t;
+ ')
+- domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
++ #nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
++ #domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
+ domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t)
+ ')
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-18 18:24:22.724546986 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-02-16 17:36:22.545598200 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-03-15 10:36:16.988623468 +0100
@@ -15,7 +15,7 @@
## <desc>
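Review bot: The two commented-out rules `#nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)` and `#domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)` are left as dead text with no reason given for disabling the mozilla_exec_t transition; either delete them or replace them with a comment stating why (e.g. `# mozilla_exec_t no longer transitions to unconfined_execmem_t: <reason>`). Dropping that transition appears to mean unconfined_t now runs the browser without the execmem split while the nsplugin transition on the next line is kept, which is a deliberate posture change worth one line of explanation. The gen_require above still needs unconfined_execmem_t for the remaining rule, and the enclosing optional_policy block begins outside the hunk.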
@@ -4181,6 +4666,14 @@ diff -b -B --ignore-all-space --exclude-
# Allow mounting of file systems
optional_policy(`
tunable_policy(`xguest_mount_media',`
+@@ -100,6 +104,7 @@
+ tunable_policy(`xguest_connect_network',`
+ networkmanager_dbus_chat(xguest_t)
+ networkmanager_read_var_lib_files(xguest_t)
++ kernel_read_network_state(xguest_usertype)
+ corenet_tcp_connect_pulseaudio_port(xguest_usertype)
+ corenet_all_recvfrom_unlabeled(xguest_usertype)
+ corenet_all_recvfrom_netlabel(xguest_usertype)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100
@@ -4198,7 +4691,7 @@ diff -b -B --ignore-all-space --exclude-
######################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-03-10 16:27:19.514618496 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-03-15 11:24:00.710614337 +0100
@@ -96,16 +96,19 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
@@ -4206,7 +4699,8 @@ diff -b -B --ignore-all-space --exclude-
+dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
- dev_dontaudit_read_memory_dev(abrt_t)
+-dev_dontaudit_read_memory_dev(abrt_t)
++dev_dontaudit_read_raw_memory(abrt_t)
+domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
@@ -4475,7 +4969,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to read and write Apache
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-03-05 10:50:10.901811487 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-03-15 09:29:24.349614032 +0100
@@ -67,6 +67,13 @@
## <desc>
@@ -4499,7 +4993,17 @@ diff -b -B --ignore-all-space --exclude-
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -363,10 +370,10 @@
+@@ -351,7 +358,8 @@
+
+ manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+ manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
++manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
++files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
+
+ manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+ manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -363,10 +371,10 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
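Review bot: The new `manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)` and the `lnk_file` entry in `files_tmp_filetrans` let a network-facing daemon create, rename and unlink symlinks in world-writable /tmp, but nothing in the hunk says which application needs that (PHP session or upload handlers are the usual suspects — confirm from the denial). Add a why-comment above the two lines, e.g. `# <app> creates symlinks in its /tmp work directory`, so the grant can be revisited later. It is worth noting in the same comment that the links get httpd_tmp_t and that following them still requires httpd_t to hold permissions on the target's own type, which is what keeps this from becoming a general redirect primitive.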
@@ -4512,7 +5016,7 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -400,6 +407,7 @@
+@@ -400,6 +408,7 @@
dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
@@ -4520,7 +5024,7 @@ diff -b -B --ignore-all-space --exclude-
fs_search_auto_mountpoints(httpd_t)
fs_read_iso9660_files(httpd_t)
-@@ -483,8 +491,14 @@
+@@ -483,8 +492,14 @@
corenet_tcp_connect_pop_port(httpd_t)
corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
@@ -4536,7 +5040,7 @@ diff -b -B --ignore-all-space --exclude-
')
tunable_policy(`httpd_can_network_relay',`
-@@ -588,6 +602,9 @@
+@@ -588,6 +603,9 @@
optional_policy(`
cobbler_search_lib(httpd_t)
@@ -4546,7 +5050,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -612,6 +629,11 @@
+@@ -612,6 +630,11 @@
avahi_dbus_chat(httpd_t)
')
')
@@ -4558,7 +5062,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
kerberos_keytab_template(httpd, httpd_t)
')
-@@ -756,8 +778,14 @@
+@@ -756,8 +779,14 @@
corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
corenet_tcp_connect_mysqld_port(httpd_suexec_t)
corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
@@ -4574,7 +5078,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
mysql_stream_connect(httpd_php_t)
-@@ -895,6 +923,9 @@
+@@ -895,6 +924,9 @@
sysnet_read_config(httpd_sys_script_t)
@@ -4584,7 +5088,7 @@ diff -b -B --ignore-all-space --exclude-
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -906,6 +937,7 @@
+@@ -906,6 +938,7 @@
fs_manage_nfs_files(httpd_sys_script_t)
fs_manage_nfs_symlinks(httpd_sys_script_t)
fs_exec_nfs_files(httpd_sys_script_t)
@@ -4592,7 +5096,7 @@ diff -b -B --ignore-all-space --exclude-
fs_manage_nfs_dirs(httpd_suexec_t)
fs_manage_nfs_files(httpd_suexec_t)
-@@ -945,6 +976,7 @@
+@@ -945,6 +977,7 @@
fs_manage_cifs_files(httpd_suexec_t)
fs_manage_cifs_symlinks(httpd_suexec_t)
fs_exec_cifs_files(httpd_suexec_t)
@@ -4602,7 +5106,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-03-15 10:39:23.254614082 +0100
@@ -31,7 +31,7 @@
#
@@ -4612,6 +5116,17 @@ diff -b -B --ignore-all-space --exclude-
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+@@ -99,6 +99,10 @@
+ mta_system_content(apcupsd_tmp_t)
+ ')
+
++optional_policy(`
++ shutdown_domtrans(apcupsd_t)
++')
++
+ ########################################
+ #
+ # apcupsd_cgi Declarations
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-01-18 18:24:22.741530430 +0100
+++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-02-11 20:25:58.833441037 +0100
@@ -4644,6 +5159,17 @@ diff -b -B --ignore-all-space --exclude-
-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.6.32/policy/modules/services/avahi.if
+--- nsaserefpolicy/policy/modules/services/avahi.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/avahi.if 2010-03-15 12:20:34.422613978 +0100
+@@ -92,6 +92,7 @@
+
+ allow $1 avahi_t:dbus send_msg;
+ allow avahi_t $1:dbus send_msg;
++ allow avahi_t $1:file read;
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2010-01-18 18:24:22.745530450 +0100
+++ serefpolicy-3.6.32/policy/modules/services/bind.if 2010-03-01 15:52:05.256741085 +0100
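Review bot: `allow avahi_t $1:file read;` inside avahi_dbus_chat() gives avahi read access to the peer domain's /proc/&lt;pid&gt; files (in practice the only files carrying a domain type), which includes environ and maps, not just cmdline. If the need is D-Bus peer identification — presumably cmdline or exe, confirm from the denial — say so in a comment and consider a dedicated interface or the `ps_process_pattern` style of access instead of folding a process-state read into a chat interface, since every existing caller of avahi_dbus_chat() now grants it implicitly.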
@@ -4673,6 +5199,18 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Send and receive datagrams to and from named. (Deprecated)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.32/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-01-18 18:24:22.747539993 +0100
++++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te 2010-03-15 10:10:44.978613858 +0100
+@@ -54,7 +54,7 @@
+ # Bluetooth services local policy
+ #
+
+-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock };
++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+ dontaudit bluetooth_t self:capability sys_tty_config;
+ allow bluetooth_t self:process { getcap setcap getsched signal_perms };
+ allow bluetooth_t self:fifo_file rw_fifo_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc
--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc 2010-03-01 09:30:08.471741607 +0100
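Review bot: Adding `sys_admin` to bluetooth_t's capability set is the broadest grant available (mount, many ioctls, hostname, and more), and neither the rule nor the changelog records which bluetoothd operation fails without it. Put the triggering AVC in a comment above the allow, e.g. `# sys_admin: needed for <syscall/ioctl> in bluetoothd (bz#...)`, and if the call is merely probing, prefer `dontaudit bluetooth_t self:capability sys_admin;` so the daemon keeps working without the capability. Separately, the unchanged line below still `dontaudit`s sys_tty_config while the allow now grants it, so that dontaudit is redundant and could be dropped.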
@@ -5383,7 +5921,7 @@ diff -b -B --ignore-all-space --exclude-
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-21 20:46:52.740325173 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-03-03 10:48:14.219612204 +0100
++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-03-11 21:20:40.181057088 +0100
@@ -16,6 +16,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -5410,8 +5948,14 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -118,10 +119,10 @@
+@@ -116,12 +117,16 @@
+ ')
+
optional_policy(`
++ shutdown_domtrans(consolekit_t)
++')
++
++optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
- xserver_common_app(consolekit_t)
@@ -7101,7 +7645,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-01-18 18:24:22.795530524 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-03-01 15:09:45.271494370 +0100
++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-03-15 10:42:13.048864743 +0100
@@ -121,6 +121,7 @@
corenet_udp_sendrecv_all_ports(hald_t)
@@ -7121,7 +7665,18 @@ diff -b -B --ignore-all-space --exclude-
gpm_dontaudit_getattr_gpmctl(hald_t)
')
-@@ -331,6 +336,10 @@
+@@ -322,6 +327,10 @@
+ ')
+
+ optional_policy(`
++ shutdown_domtrans(hald_t)
++')
++
++optional_policy(`
+ udev_domtrans(hald_t)
+ udev_read_db(hald_t)
+ ')
+@@ -331,6 +340,10 @@
')
optional_policy(`
@@ -7381,7 +7936,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-02-17 16:21:10.049863655 +0100
++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-03-15 17:17:51.765854346 +0100
@@ -44,7 +44,7 @@
# Local policy
#
@@ -7391,7 +7946,15 @@ diff -b -B --ignore-all-space --exclude-
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
-@@ -147,6 +147,8 @@
+@@ -56,6 +56,7 @@
+ manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+ manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+ manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
++manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+ files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
+
+ allow mysqld_t mysqld_etc_t:file read_file_perms;
+@@ -147,6 +148,8 @@
dontaudit mysqld_safe_t self:capability sys_ptrace;
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
@@ -7400,7 +7963,7 @@ diff -b -B --ignore-all-space --exclude-
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-@@ -156,6 +158,7 @@
+@@ -156,6 +159,7 @@
domain_read_all_domains_state(mysqld_safe_t)
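Review bot: The new `manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)` only helps for sockets created inside a directory that is already mysqld_db_t, because the `files_var_lib_filetrans` on the next line still transitions only `{ dir file lnk_file }`; a socket created directly under /var/lib would land as var_lib_t. If that is the case being fixed, extend the transition to `{ dir file lnk_file sock_file }`; otherwise add a comment naming the socket path this covers, since the datadir socket is normally given mysqld_var_run_t by the file contexts (not visible here — confirm) and should probably keep that label rather than be managed as database content.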
@@ -7788,6 +8351,48 @@ diff -b -B --ignore-all-space --exclude-
corenet_all_recvfrom_unlabeled(ypxfr_t)
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te
+--- nsaserefpolicy/policy/modules/services/nut.te 2010-01-18 18:24:22.836530501 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nut.te 2010-03-15 12:18:24.764614391 +0100
+@@ -96,9 +96,6 @@
+ kernel_read_kernel_sysctls(nut_upsmon_t)
+ kernel_read_system_state(nut_upsmon_t)
+
+-# creates /etc/killpower
+-#files_manage_etc_files(nut_upsmon_t)
+-
+ # Creates /etc/killpower
+ files_manage_etc_runtime_files(nut_upsmon_t)
+ files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
+@@ -118,6 +115,12 @@
+ init_rw_utmp(nut_upsmon_t)
+ init_telinit(nut_upsmon_t)
+
++mta_send_mail(nut_upsmon_t)
++
++optional_policy(`
++ shutdown_domtrans(nut_upsmon_t)
++')
++
+ ########################################
+ #
+ # Local policy for upsdrvctl
+@@ -140,7 +143,6 @@
+ files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
+
+ # /sbin/upsdrvctl executes other drivers
+-# can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+ corecmd_exec_bin(nut_upsdrvctl_t)
+ corecmd_exec_sbin(nut_upsdrvctl_t)
+
+@@ -177,7 +179,6 @@
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+-# corenet_tcp_connect_generic_port(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2010-01-18 18:24:22.840530591 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2010-01-26 14:43:43.595472728 +0100
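Review bot: `mta_send_mail(nut_upsmon_t)` is added unconditionally while the other cross-module call in this hunk, `shutdown_domtrans(nut_upsmon_t)`, is wrapped in `optional_policy(`...')`; if mta is not in the base module set of this build the module will fail to link, so either wrap it the same way or add a comment that mta is base here. The hunk also keeps the existing `init_telinit(nut_upsmon_t)` next to the new shutdown transition; if upsmon now powers down through the shutdown domain, note which path still needs telinit or drop it, since holding both widens what a compromised upsmon can do. The nut_upsmon_t local policy starts outside the hunk.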
@@ -8838,8 +9443,17 @@ diff -b -B --ignore-all-space --exclude-
## Execute the master postdrop in the
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100
-@@ -443,6 +443,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-03-15 12:17:32.531614479 +0100
+@@ -307,6 +307,8 @@
+ mta_delete_spool(postfix_local_t)
+ # For reading spamassasin
+ mta_read_config(postfix_local_t)
++# Handle vacation script
++mta_send_mail(postfix_local_t)
+
+ domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+@@ -443,6 +445,7 @@
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -8847,7 +9461,16 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -486,7 +487,7 @@
+@@ -459,6 +462,8 @@
+ allow postfix_postdrop_t self:tcp_socket create;
+ allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
++allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
++
+ rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+ postfix_list_spool(postfix_postdrop_t)
+@@ -486,7 +491,7 @@
')
optional_policy(`
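Review bot: `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` grants read/write on a socket postdrop can only hold by inheriting it from postfix_local_t (there is no connectto here), which is the usual leaked-descriptor pattern. Unless postdrop really uses that socket — confirm from the denial — the refpolicy convention is to `dontaudit` the inherited descriptor rather than allow it, so a stray fd from the local delivery agent cannot be used to talk back on its behalf; if it is genuinely needed, a one-line comment naming the socket would justify the allow.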
@@ -8856,7 +9479,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -573,6 +574,8 @@
+@@ -573,6 +578,8 @@
# Postfix smtp delivery local policy
#
@@ -10164,14 +10787,15 @@ diff -b -B --ignore-all-space --exclude-
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-18 18:24:22.900529842 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-01-19 17:08:41.212631842 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-03-11 17:03:12.375269132 +0100
@@ -4,6 +4,8 @@
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
- /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
++/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
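Review bot: `/var/log/sssd(/.*)?` now maps to sssd_var_log_t, but nothing in this chunk declares that type or attaches `logging_log_file()` and the sssd_t manage rules to it; if those are not in the (not shown) sssd.te change, setfiles/restorecon will reject the context as invalid and the old line should be kept. Existing installs already have the directory labeled sssd_var_lib_t, so make sure the package's relabel step (or a `restorecon -R /var/log/sssd`) runs on upgrade, otherwise the running daemon keeps writing logs under the old type with whatever rules remain for it.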
@@ -10722,7 +11346,7 @@ diff -b -B --ignore-all-space --exclude-
+logging_send_syslog_msg(usbmuxd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-01-18 18:24:22.913542181 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-03-03 10:40:17.331612366 +0100
++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-03-15 10:19:23.356614270 +0100
@@ -194,6 +194,7 @@
files_search_var_lib($1)
@@ -10741,7 +11365,12 @@ diff -b -B --ignore-all-space --exclude-
type $1_tmp_t;
files_tmp_file($1_tmp_t)
-@@ -457,6 +461,9 @@
+@@ -453,10 +457,14 @@
+ type $1_image_t, virt_image_type;
+ files_type($1_image_t)
+ dev_node($1_image_t)
++ dev_associate_sysfs($1_image_t)
+
type $1_var_run_t;
files_pid_file($1_var_run_t)
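Review bot: `dev_associate_sysfs($1_image_t)` lets files of the per-guest image type live on sysfs, which only makes sense as half of a relabel path: a management domain relabels a hardware attribute file under /sys (PCI config/resource for passthrough, presumably — confirm) to $1_image_t so the guest's existing image-file rules reach real hardware. That deserves a comment such as `# guest image label may be applied to sysfs nodes handed to a guest (device passthrough)` and a check that the matching `relabelto` on sysfs files is held only by the management domain, since any domain with both could expose host devices to a guest; the relabel side is not in this hunk. The changelog entry for this change also misspells the type as svrit_image_t.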
@@ -10751,7 +11380,7 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
manage_files_pattern($1_t, $1_image_t, $1_image_t)
read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
-@@ -486,7 +493,6 @@
+@@ -486,7 +494,6 @@
optional_policy(`
xserver_rw_shm($1_t)
@@ -10823,8 +11452,8 @@ diff -b -B --ignore-all-space --exclude-
term_use_generic_ptys(virt_domain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-03-03 10:40:17.332611859 +0100
-@@ -51,17 +51,16 @@
++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-03-11 17:11:02.481510064 +0100
+@@ -51,17 +51,17 @@
# /tmp
#
@@ -10833,7 +11462,8 @@ diff -b -B --ignore-all-space --exclude-
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.X11-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.X11-unix/.* -s <<none>>
-+/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
#
# /usr
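Review bot: `/tmp/\.ICE-unix(/.*)?` labels both the directory and every socket created inside it as xdm_tmp_t, whereas the entries it sits beside used to leave the per-session sockets at `<<none>>` precisely so a relabel would not rewrite them. With this rule a `restorecon -R /tmp` will relabel live user session sockets to xdm_tmp_t, and any user domain not granted access to xdm_tmp_t sockets loses its ICE connection; consider labeling only the directory, `/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)`, plus `/tmp/\.ICE-unix/.* -s <<none>>`, unless the user-domain rules are extended elsewhere (not in this chunk). The same consideration applies to the `.X11-unix` line directly above it.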
@@ -10845,7 +11475,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
-@@ -102,6 +101,7 @@
+@@ -102,6 +102,7 @@
/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
@@ -10853,7 +11483,7 @@ diff -b -B --ignore-all-space --exclude-
/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-@@ -114,9 +114,12 @@
+@@ -114,9 +115,12 @@
/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -10867,7 +11497,7 @@ diff -b -B --ignore-all-space --exclude-
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
-@@ -125,6 +128,8 @@
+@@ -125,6 +129,8 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
')
@@ -13118,7 +13748,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-03-03 10:40:17.345612249 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-03-15 17:17:02.854604441 +0100
@@ -165,6 +165,7 @@
type init_t;
role system_r;
@@ -13171,7 +13801,18 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -775,8 +781,10 @@
+@@ -701,6 +707,10 @@
+ ifdef(`enable_mls',`
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+ ')
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit init_script_file_type $1:fifo_file rw_inherited_fifo_file_perms;
++ ')
+ ')
+
+ ########################################
+@@ -775,8 +785,10 @@
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
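Review bot: The subject of the new `dontaudit init_script_file_type $1:fifo_file rw_inherited_fifo_file_perms;` is init_script_file_type, which two lines above is the target of a process `range_transition` — i.e. the attribute of init script *file* types, not of any domain — so no process ever runs with it and the rule silences nothing. The intent is presumably to quiet the script domain that inherits a pipe from the caller, which would be `dontaudit initrc_t $1:fifo_file rw_inherited_fifo_file_perms;` (initrc_t being the domain the scripts transition into, as the domtrans in init_labeled_script_domtrans below shows). Also confirm `rw_inherited_fifo_file_perms` is defined in this tree's permission sets, since a missing set fails the build rather than the rule. The enclosing interface starts outside the hunk.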
@@ -13182,7 +13823,7 @@ diff -b -B --ignore-all-space --exclude-
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1686,3 +1694,26 @@
+@@ -1686,3 +1698,26 @@
allow $1 initrc_t:sem rw_sem_perms;
')
@@ -13498,7 +14139,16 @@ diff -b -B --ignore-all-space --exclude-
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-01 15:02:25.227490412 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-15 09:55:26.375864536 +0100
+@@ -133,7 +133,7 @@
+ /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
@@ -245,8 +245,12 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
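Review bot: The replacement pattern `/usr/lib(64)?/libADM.*\.so.*` is looser than the one it replaces in two ways: `.*` in file-context regexes also matches `/`, so any regular file ending in `.so…` inside a subdirectory whose name starts with libADM (e.g. `/usr/lib/libADMplugins/x.so`) is now textrel_shlib_t, and the trailing `.so.*` also matches names such as `libADMfoo.sock`. Because textrel_shlib_t is the type exempted from the execmod restriction, keep the old shape and only drop the `5`: `/usr/lib(64)?/libADM[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. That still covers the two specific libADM entries removed further down in this file.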
@@ -13512,7 +14162,17 @@ diff -b -B --ignore-all-space --exclude-
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -396,10 +400,8 @@
+@@ -377,9 +381,6 @@
+
+ /usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-
+ /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+@@ -396,10 +397,8 @@
/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -13523,7 +14183,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -432,9 +434,22 @@
+@@ -432,9 +431,22 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1034
retrieving revision 1.1035
diff -u -p -r1.1034 -r1.1035
--- selinux-policy.spec 10 Mar 2010 15:41:50 -0000 1.1034
+++ selinux-policy.spec 15 Mar 2010 17:11:27 -0000 1.1035
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 101%{?dist}
+Release: 102%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
%endif
%changelog
+* Mon Mar 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-102
+- Allow bluetooth sys_admin capability
+- Fix label for libADM libraries
+- Allow libvirt to set svrit_image_t label on sysfs
+- Add shutdown policy from Dan Walsh
+
* Wed Mar 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-101
- Allow nsplugin to manage pulseaudio homedir content