rpms/selinux-policy/F-13 policy-F13.patch, 1.85, 1.86 selinux-policy.spec, 1.991, 1.992
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Mar 29 17:45:50 UTC 2010
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv30655
Modified Files:
policy-F13.patch selinux-policy.spec
Log Message:
* Fri Mar 26 2010 Dan Walsh <dwalsh at redhat.com> 3.7.16-2
- Fix ~/.fontconfig label
- Add /root/.cert label
- Allow reading of the fixed_file_disk_t:lnk_file if you can read file
- Allow qemu_exec_t as an entrypoint to svirt_t
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/mls | 1
policy/modules/admin/accountsd.fc | 4
policy/modules/admin/accountsd.if | 166 +++
policy/modules/admin/accountsd.te | 48
policy/modules/admin/acct.te | 1
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.if | 3
policy/modules/admin/consoletype.te | 1
policy/modules/admin/firstboot.te | 2
policy/modules/admin/kismet.te | 1
policy/modules/admin/logrotate.te | 42
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.fc | 1
policy/modules/admin/netutils.te | 20
policy/modules/admin/prelink.fc | 1
policy/modules/admin/prelink.if | 23
policy/modules/admin/prelink.te | 78 +
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 4
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 387 +++++++
policy/modules/admin/rpm.te | 104 +
policy/modules/admin/shorewall.te | 2
policy/modules/admin/shutdown.fc | 5
policy/modules/admin/shutdown.if | 118 ++
policy/modules/admin/shutdown.te | 57 +
policy/modules/admin/su.if | 8
policy/modules/admin/sudo.if | 9
policy/modules/admin/tmpreaper.te | 20
policy/modules/admin/usermanage.if | 20
policy/modules/admin/usermanage.te | 20
policy/modules/admin/vbetool.te | 6
policy/modules/admin/vpn.te | 8
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 90 +
policy/modules/apps/chrome.te | 85 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 45
policy/modules/apps/execmem.if | 118 ++
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 66 +
policy/modules/apps/gitosis.if | 2
policy/modules/apps/gnome.fc | 24
policy/modules/apps/gnome.if | 260 ++++
policy/modules/apps/gnome.te | 116 ++
policy/modules/apps/gpg.fc | 1
policy/modules/apps/gpg.if | 5
policy/modules/apps/gpg.te | 14
policy/modules/apps/java.fc | 7
policy/modules/apps/java.if | 4
policy/modules/apps/java.te | 9
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 68 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 104 +
policy/modules/apps/livecd.te | 34
policy/modules/apps/loadkeys.if | 3
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.if | 2
policy/modules/apps/mozilla.fc | 2
policy/modules/apps/mozilla.if | 62 +
policy/modules/apps/mozilla.te | 22
policy/modules/apps/mplayer.if | 36
policy/modules/apps/nsplugin.fc | 10
policy/modules/apps/nsplugin.if | 390 +++++++
policy/modules/apps/nsplugin.te | 296 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 129 ++
policy/modules/apps/openoffice.te | 17
policy/modules/apps/podsleuth.te | 3
policy/modules/apps/pulseaudio.fc | 8
policy/modules/apps/pulseaudio.if | 74 +
policy/modules/apps/pulseaudio.te | 44
policy/modules/apps/qemu.if | 83 +
policy/modules/apps/qemu.te | 9
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 66 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 287 +++++
policy/modules/apps/sandbox.te | 365 ++++++
policy/modules/apps/seunshare.if | 78 -
policy/modules/apps/seunshare.te | 35
policy/modules/apps/slocate.te | 4
policy/modules/apps/userhelper.fc | 1
policy/modules/apps/userhelper.if | 48
policy/modules/apps/userhelper.te | 42
policy/modules/apps/vmware.if | 19
policy/modules/apps/vmware.te | 10
policy/modules/apps/wine.if | 11
policy/modules/apps/wine.te | 20
policy/modules/apps/wm.if | 16
policy/modules/kernel/corecommands.fc | 24
policy/modules/kernel/corecommands.if | 2
policy/modules/kernel/corenetwork.te.in | 24
policy/modules/kernel/devices.fc | 1
policy/modules/kernel/devices.if | 73 +
policy/modules/kernel/devices.te | 12
policy/modules/kernel/domain.if | 63 +
policy/modules/kernel/domain.te | 109 ++
policy/modules/kernel/files.fc | 15
policy/modules/kernel/files.if | 617 +++++++++++
policy/modules/kernel/files.te | 11
policy/modules/kernel/filesystem.if | 82 +
policy/modules/kernel/filesystem.te | 3
policy/modules/kernel/kernel.if | 39
policy/modules/kernel/kernel.te | 25
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 29
policy/modules/roles/auditadm.te | 2
policy/modules/roles/guest.te | 6
policy/modules/roles/staff.te | 108 ++
policy/modules/roles/sysadm.te | 97 +
policy/modules/roles/unconfineduser.fc | 10
policy/modules/roles/unconfineduser.if | 667 ++++++++++++
policy/modules/roles/unconfineduser.te | 422 +++++++
policy/modules/roles/unprivuser.te | 23
policy/modules/roles/xguest.te | 72 +
policy/modules/services/abrt.fc | 8
policy/modules/services/abrt.if | 143 ++
policy/modules/services/abrt.te | 144 ++
policy/modules/services/aiccu.fc | 5
policy/modules/services/aiccu.if | 119 ++
policy/modules/services/aiccu.te | 41
policy/modules/services/aisexec.fc | 10
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 115 ++
policy/modules/services/apache.fc | 63 +
policy/modules/services/apache.if | 492 ++++++---
policy/modules/services/apache.te | 503 ++++++++-
policy/modules/services/apcupsd.te | 4
policy/modules/services/arpwatch.te | 4
policy/modules/services/asterisk.if | 19
policy/modules/services/asterisk.te | 43
policy/modules/services/avahi.fc | 2
policy/modules/services/avahi.if | 1
policy/modules/services/avahi.te | 13
policy/modules/services/bluetooth.te | 3
policy/modules/services/boinc.fc | 6
policy/modules/services/boinc.if | 151 ++
policy/modules/services/boinc.te | 81 +
policy/modules/services/cachefilesd.fc | 28
policy/modules/services/cachefilesd.if | 41
policy/modules/services/cachefilesd.te | 146 ++
policy/modules/services/ccs.te | 10
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 ++++
policy/modules/services/certmonger.te | 74 +
policy/modules/services/cgroup.fc | 7
policy/modules/services/cgroup.if | 35
policy/modules/services/cgroup.te | 87 +
policy/modules/services/chronyd.fc | 2
policy/modules/services/chronyd.if | 4
policy/modules/services/chronyd.te | 19
policy/modules/services/clamav.te | 18
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 82 +
policy/modules/services/clogd.te | 65 +
policy/modules/services/cobbler.if | 4
policy/modules/services/cobbler.te | 12
policy/modules/services/consolekit.fc | 4
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 34
policy/modules/services/corosync.fc | 15
policy/modules/services/corosync.if | 108 ++
policy/modules/services/corosync.te | 122 ++
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 99 +
policy/modules/services/cron.te | 94 +
policy/modules/services/cups.fc | 14
policy/modules/services/cups.te | 65 +
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 2
policy/modules/services/dbus.if | 56 -
policy/modules/services/dbus.te | 31
policy/modules/services/dcc.te | 2
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 90 +
policy/modules/services/denyhosts.te | 73 +
policy/modules/services/devicekit.fc | 8
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 95 +
policy/modules/services/dhcp.te | 4
policy/modules/services/djbdns.if | 38
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 2
policy/modules/services/dnsmasq.if | 4
policy/modules/services/dnsmasq.te | 22
policy/modules/services/dovecot.fc | 1
policy/modules/services/dovecot.te | 34
policy/modules/services/fail2ban.if | 20
policy/modules/services/fprintd.te | 2
policy/modules/services/ftp.fc | 2
policy/modules/services/ftp.if | 38
policy/modules/services/ftp.te | 179 +++
policy/modules/services/git.fc | 19
policy/modules/services/git.if | 536 +++++++++
policy/modules/services/git.te | 179 +++
policy/modules/services/gpsd.te | 2
policy/modules/services/hal.te | 32
policy/modules/services/inn.te | 1
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 3
policy/modules/services/ksmtuned.fc | 5
policy/modules/services/ksmtuned.if | 76 +
policy/modules/services/ksmtuned.te | 44
policy/modules/services/ldap.fc | 3
policy/modules/services/ldap.if | 38
policy/modules/services/ldap.te | 13
policy/modules/services/lircd.te | 21
policy/modules/services/memcached.te | 10
policy/modules/services/modemmanager.te | 5
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 68 +
policy/modules/services/mta.te | 21
policy/modules/services/munin.fc | 58 +
policy/modules/services/munin.if | 66 +
policy/modules/services/munin.te | 168 +++
policy/modules/services/mysql.te | 3
policy/modules/services/nagios.fc | 83 +
policy/modules/services/nagios.if | 142 ++
policy/modules/services/nagios.te | 283 ++++-
policy/modules/services/networkmanager.fc | 20
policy/modules/services/networkmanager.if | 86 +
policy/modules/services/networkmanager.te | 123 +-
policy/modules/services/nis.fc | 10
policy/modules/services/nis.if | 78 +
policy/modules/services/nis.te | 21
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 27
policy/modules/services/ntop.fc | 1
policy/modules/services/ntop.te | 34
policy/modules/services/ntp.te | 2
policy/modules/services/nut.te | 21
policy/modules/services/nx.fc | 12
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/pcscd.if | 38
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouthd.fc | 9
policy/modules/services/plymouthd.if | 322 +++++
policy/modules/services/plymouthd.te | 105 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 82 +
policy/modules/services/portreserve.te | 3
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 187 +++
policy/modules/services/postfix.te | 149 ++
policy/modules/services/ppp.fc | 1
policy/modules/services/ppp.if | 4
policy/modules/services/ppp.te | 9
policy/modules/services/prelude.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/qpidd.fc | 9
policy/modules/services/qpidd.if | 236 ++++
policy/modules/services/qpidd.te | 61 +
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 98 +
policy/modules/services/rgmanager.te | 226 ++++
policy/modules/services/rhcs.fc | 23
policy/modules/services/rhcs.if | 424 +++++++
policy/modules/services/rhcs.te | 239 ++++
policy/modules/services/ricci.te | 39
policy/modules/services/rpc.fc | 4
policy/modules/services/rpc.if | 46
policy/modules/services/rpc.te | 35
policy/modules/services/rsync.if | 4
policy/modules/services/rsync.te | 26
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 138 ++
policy/modules/services/samba.te | 122 +-
policy/modules/services/sasl.te | 3
policy/modules/services/sendmail.if | 19
policy/modules/services/sendmail.te | 17
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 91 +
policy/modules/services/smokeping.fc | 12
policy/modules/services/smokeping.if | 193 +++
policy/modules/services/smokeping.te | 81 +
policy/modules/services/snort.te | 10
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 107 +
policy/modules/services/spamassassin.te | 141 ++
policy/modules/services/squid.te | 21
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 65 -
policy/modules/services/ssh.te | 53
policy/modules/services/sssd.fc | 4
policy/modules/services/sssd.if | 47
policy/modules/services/sssd.te | 25
policy/modules/services/tor.fc | 3
policy/modules/services/tor.te | 13
policy/modules/services/tuned.te | 4
policy/modules/services/ucspitcp.te | 5
policy/modules/services/usbmuxd.fc | 4
policy/modules/services/usbmuxd.if | 39
policy/modules/services/usbmuxd.te | 50
policy/modules/services/varnishd.if | 19
policy/modules/services/vhostmd.fc | 6
policy/modules/services/vhostmd.if | 228 ++++
policy/modules/services/vhostmd.te | 84 +
policy/modules/services/virt.fc | 6
policy/modules/services/virt.if | 33
policy/modules/services/virt.te | 39
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 56 -
policy/modules/services/xserver.if | 385 ++++++-
policy/modules/services/xserver.te | 385 ++++++-
policy/modules/system/application.te | 15
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 51
policy/modules/system/daemontools.if | 62 +
policy/modules/system/daemontools.te | 26
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 8
policy/modules/system/hostname.te | 3
policy/modules/system/init.fc | 3
policy/modules/system/init.if | 145 ++
policy/modules/system/init.te | 188 +++
policy/modules/system/ipsec.te | 10
policy/modules/system/iptables.fc | 2
policy/modules/system/iptables.if | 4
policy/modules/system/iptables.te | 15
policy/modules/system/libraries.fc | 144 ++
policy/modules/system/libraries.te | 8
policy/modules/system/locallogin.te | 39
policy/modules/system/logging.fc | 14
policy/modules/system/logging.if | 24
policy/modules/system/logging.te | 17
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.if | 2
policy/modules/system/lvm.te | 20
policy/modules/system/modutils.te | 14
policy/modules/system/mount.fc | 8
policy/modules/system/mount.if | 138 ++
policy/modules/system/mount.te | 147 ++
policy/modules/system/raid.te | 1
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 330 ++++++
policy/modules/system/selinuxutil.te | 241 +---
policy/modules/system/sosreport.fc | 2
policy/modules/system/sosreport.if | 74 +
policy/modules/system/sosreport.te | 128 ++
policy/modules/system/sysnetwork.fc | 2
policy/modules/system/sysnetwork.if | 96 +
policy/modules/system/sysnetwork.te | 17
policy/modules/system/udev.fc | 1
policy/modules/system/udev.if | 19
policy/modules/system/udev.te | 9
policy/modules/system/unconfined.fc | 14
policy/modules/system/unconfined.if | 440 --------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 9
policy/modules/system/userdomain.if | 1612 ++++++++++++++++++++++++------
policy/modules/system/userdomain.te | 44
policy/modules/system/xen.if | 3
policy/modules/system/xen.te | 11
policy/support/misc_patterns.spt | 4
policy/support/obj_perm_sets.spt | 35
policy/users | 17
378 files changed, 21398 insertions(+), 2186 deletions(-)
Index: policy-F13.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/policy-F13.patch,v
retrieving revision 1.85
retrieving revision 1.86
diff -u -p -r1.85 -r1.86
--- policy-F13.patch 25 Mar 2010 19:01:15 -0000 1.85
+++ policy-F13.patch 29 Mar 2010 17:45:48 -0000 1.86
@@ -59,14 +59,6 @@ diff --exclude-from=exclude -N -u -r nsa
( t1 == mlsnetwrite ));
# these access vectors have no MLS restrictions
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accounts_daemon.fc serefpolicy-3.7.16/policy/modules/admin/accounts_daemon.fc
---- nsaserefpolicy/policy/modules/admin/accounts_daemon.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/admin/accounts_daemon.fc 2010-03-23 11:38:44.000000000 -0400
-@@ -0,0 +1,4 @@
-+
-+/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accounts_daemon_exec_t,s0)
-+
-+/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accounts_daemon_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.fc serefpolicy-3.7.16/policy/modules/admin/accountsd.fc
--- nsaserefpolicy/policy/modules/admin/accountsd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.16/policy/modules/admin/accountsd.fc 2010-03-23 11:38:44.000000000 -0400
@@ -247,8 +239,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.7.16/policy/modules/admin/accountsd.te
--- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/admin/accountsd.te 2010-03-23 11:38:44.000000000 -0400
-@@ -0,0 +1,47 @@
++++ serefpolicy-3.7.16/policy/modules/admin/accountsd.te 2010-03-29 12:59:08.000000000 -0400
+@@ -0,0 +1,48 @@
+policy_module(accountsd,1.0.0)
+
+########################################
@@ -279,6 +271,8 @@ diff --exclude-from=exclude -N -u -r nsa
+
+corecmd_exec_bin(accountsd_t)
+
++files_read_usr_files(accountsd_t)
++
+fs_list_inotifyfs(accountsd_t)
+
+auth_use_nsswitch(accountsd_t)
@@ -295,7 +289,6 @@ diff --exclude-from=exclude -N -u -r nsa
+optional_policy(`
+ policykit_dbus_chat(accountsd_t)
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.16/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.16/policy/modules/admin/acct.te 2010-03-23 11:38:44.000000000 -0400
@@ -307,6 +300,18 @@ diff --exclude-from=exclude -N -u -r nsa
corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.16/policy/modules/admin/alsa.te
+--- nsaserefpolicy/policy/modules/admin/alsa.te 2010-03-12 11:48:14.000000000 -0500
++++ serefpolicy-3.7.16/policy/modules/admin/alsa.te 2010-03-29 10:04:13.000000000 -0400
+@@ -52,6 +52,8 @@
+ files_read_usr_files(alsa_t)
+
+ term_dontaudit_use_console(alsa_t)
++term_dontaudit_use_generic_ptys(alsa_t)
++term_dontaudit_use_all_ptys(alsa_t)
+
+ auth_use_nsswitch(alsa_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.16/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.16/policy/modules/admin/anaconda.te 2010-03-23 11:38:44.000000000 -0400
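Review bot: The two added dontaudit lines for alsa_t, term_dontaudit_use_generic_ptys(alsa_t) and term_dontaudit_use_all_ptys(alsa_t), carry no comment or bug reference, and the log message does not list an alsa change. Because dontaudit rules suppress the denial records that would later be used to debug alsa_t, add a one-line comment saying which pty access was being logged and why it is safe to silence, the way the storage.if and sasl.te hunks in this revision cite a bug number.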
@@ -3176,8 +3181,8 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.16/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/apps/java.te 2010-03-23 11:38:44.000000000 -0400
-@@ -147,6 +147,14 @@
++++ serefpolicy-3.7.16/policy/modules/apps/java.te 2010-03-29 09:55:13.000000000 -0400
+@@ -147,6 +147,15 @@
init_dbus_chat_script(unconfined_java_t)
@@ -3187,6 +3192,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
unconfined_domain_noaudit(unconfined_java_t)
unconfined_dbus_chat(unconfined_java_t)
++ userdom_unpriv_usertype(unconfined, unconfined_java_t)
+
+ optional_policy(`
+ rpm_domtrans(unconfined_java_t)
@@ -4089,8 +4095,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.16/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/apps/nsplugin.te 2010-03-23 11:38:44.000000000 -0400
-@@ -0,0 +1,295 @@
++++ serefpolicy-3.7.16/policy/modules/apps/nsplugin.te 2010-03-26 15:11:49.000000000 -0400
+@@ -0,0 +1,296 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -4230,6 +4236,7 @@ diff --exclude-from=exclude -N -u -r nsa
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
+miscfiles_dontaudit_write_fonts(nsplugin_t)
++miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
+
+userdom_manage_user_tmp_dirs(nsplugin_t)
+userdom_manage_user_tmp_files(nsplugin_t)
@@ -4794,7 +4801,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.16/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/apps/qemu.if 2010-03-23 11:38:44.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/apps/qemu.if 2010-03-29 13:34:11.000000000 -0400
@@ -127,12 +127,14 @@
template(`qemu_role',`
gen_require(`
@@ -4878,11 +4885,30 @@ diff --exclude-from=exclude -N -u -r nsa
## Manage qemu temporary dirs.
## </summary>
## <param name="domain">
-@@ -306,3 +369,4 @@
+@@ -306,3 +369,23 @@
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
+
++########################################
++## <summary>
++## Make qemu_exec_t an entrypoint for
++## the specified domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain for which qemu_exec_t is an entrypoint.
++## </summary>
++## </param>
++#
++interface(`qemu_entry_type',`
++ gen_require(`
++ type qemu_exec_t;
++ ')
++
++ domain_entry_file($1, qemu_exec_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.16/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500
+++ serefpolicy-3.7.16/policy/modules/apps/qemu.te 2010-03-23 11:38:44.000000000 -0400
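Review bot: The <param> text for qemu_entry_type says only "The domain for which qemu_exec_t is an entrypoint" and does not say which callers are expected, although the log message names svirt_t. Since domain_entry_file($1, qemu_exec_t) accepts whatever is passed as $1, state the intended callers in the interface documentation. The interface also ends with an extra blank line at the end of qemu.if; drop it, as the accountsd.te hunk in this same revision does for its trailing blank line.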
@@ -6198,7 +6224,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.16/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/kernel/corecommands.if 2010-03-23 11:38:44.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/kernel/corecommands.if 2010-03-29 13:31:59.000000000 -0400
@@ -931,6 +931,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -8042,9 +8068,21 @@ diff --exclude-from=exclude -N -u -r nsa
+ fs_type($1)
+ mls_trusted_object($1)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.16/policy/modules/kernel/storage.if
+--- nsaserefpolicy/policy/modules/kernel/storage.if 2009-12-18 11:38:25.000000000 -0500
++++ serefpolicy-3.7.16/policy/modules/kernel/storage.if 2010-03-26 08:59:44.000000000 -0400
+@@ -101,6 +101,8 @@
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
++ #577012
++ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
+ typeattribute $1 fixed_disk_raw_read;
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.16/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/kernel/terminal.if 2010-03-23 11:38:44.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/kernel/terminal.if 2010-03-29 10:04:19.000000000 -0400
@@ -292,9 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
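Review bot: The comment above the new lnk_file rule in storage.if is the bare number #577012, which tells a reader of the interface neither which tracker it refers to nor why symlink read is needed; spell out the reference and the reason in one line. The log message also names the type fixed_file_disk_t while the rule uses fixed_disk_device_t, so one of the two should be corrected to match.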
@@ -11641,7 +11679,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.16/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-03-18 06:48:02.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/services/apache.te 2010-03-23 15:40:50.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/services/apache.te 2010-03-29 09:50:03.000000000 -0400
@@ -19,6 +19,8 @@
# Declarations
#
@@ -13818,8 +13856,22 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.16/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/services/clamav.te 2010-03-23 11:38:44.000000000 -0400
-@@ -57,6 +57,7 @@
++++ serefpolicy-3.7.16/policy/modules/services/clamav.te 2010-03-29 10:11:31.000000000 -0400
+@@ -1,6 +1,13 @@
+
+ policy_module(clamav, 1.7.1)
+
++## <desc>
++## <p>
++## Allow clamd to use JIT compiler
++## </p>
++## </desc>
++gen_tunable(clamd_use_jit, false)
++
+ ########################################
+ #
+ # Declarations
+@@ -57,6 +64,7 @@
#
allow clamd_t self:capability { kill setgid setuid dac_override };
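Review bot: The <desc> text for clamd_use_jit, "Allow clamd to use JIT compiler", does not say what the boolean grants. The tunable_policy block added later in this patch turns it into allow clamd_t self:process execmem, so mention execmem in the description so that an administrator toggling the boolean knows which permission clamd_t gains.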
@@ -13827,7 +13879,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -189,10 +190,14 @@
+@@ -189,10 +197,14 @@
auth_use_nsswitch(freshclam_t)
@@ -13842,6 +13894,19 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
+@@ -246,6 +258,12 @@
+
+ mta_send_mail(clamscan_t)
+
++tunable_policy(`clamd_use_jit',`
++ allow clamd_t self:process execmem;
++', `
++ dontaudit clamd_t self:process execmem;
++')
++
+ optional_policy(`
+ amavis_read_spool_files(clamscan_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.16/policy/modules/services/clogd.fc
--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.16/policy/modules/services/clogd.fc 2010-03-23 11:38:44.000000000 -0400
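Review bot: The tunable_policy block for clamd_use_jit is inserted after mta_send_mail(clamscan_t) and before the clamscan_t optional_policy, but both of its branches are about clamd_t; move it up to the clamd_t rules so it is found with the rest of that domain's policy. In the else branch, dontaudit clamd_t self:process execmem hides the denial whenever the boolean is off, which is the default set by gen_tunable(clamd_use_jit, false), so nothing in the audit log will point an administrator at the boolean; consider leaving the denial audited.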
@@ -14056,13 +14121,15 @@ diff --exclude-from=exclude -N -u -r nsa
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.16/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/services/consolekit.fc 2010-03-23 11:38:44.000000000 -0400
-@@ -2,4 +2,5 @@
++++ serefpolicy-3.7.16/policy/modules/services/consolekit.fc 2010-03-29 13:08:45.000000000 -0400
+@@ -1,5 +1,7 @@
+ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
++
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
-+
++/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.16/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
@@ -14483,7 +14550,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.16/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/services/cron.if 2010-03-23 11:38:44.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/services/cron.if 2010-03-25 14:56:10.000000000 -0400
@@ -12,6 +12,10 @@
## </param>
#
@@ -14659,7 +14726,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.16/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/services/cron.te 2010-03-23 11:38:44.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/services/cron.te 2010-03-29 13:12:03.000000000 -0400
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -14938,6 +15005,15 @@ diff --exclude-from=exclude -N -u -r nsa
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
+@@ -590,7 +670,7 @@
+ userdom_manage_user_home_content_sockets(cronjob_t)
+ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+
+-list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
+ tunable_policy(`fcron_crond', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.16/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
+++ serefpolicy-3.7.16/policy/modules/services/cups.fc 2010-03-23 11:38:44.000000000 -0400
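Review bot: Replacing list_dirs_pattern with rw_dirs_pattern widens crond_t from listing to read/write on user_cron_spool_t directories, yet the line has no comment or bug number and the log message does not mention cron. The following line still gives crond_t only read_files_pattern on the same type, so add a comment stating what crond_t needs to write in the spool directory.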
@@ -24533,6 +24609,19 @@ diff --exclude-from=exclude -N -u -r nsa
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.16/policy/modules/services/sasl.te
+--- nsaserefpolicy/policy/modules/services/sasl.te 2010-03-23 10:55:15.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/services/sasl.te 2010-03-29 09:28:33.000000000 -0400
+@@ -50,6 +50,9 @@
+ kernel_read_kernel_sysctls(saslauthd_t)
+ kernel_read_system_state(saslauthd_t)
+
++#577519
++corecmd_exec_bin(saslauthd_t)
++
+ corenet_all_recvfrom_unlabeled(saslauthd_t)
+ corenet_all_recvfrom_netlabel(saslauthd_t)
+ corenet_tcp_sendrecv_generic_if(saslauthd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.16/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500
+++ serefpolicy-3.7.16/policy/modules/services/sendmail.if 2010-03-23 11:38:44.000000000 -0400
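Review bot: corecmd_exec_bin(saslauthd_t) is a broad grant for a daemon whose network rules (the corenet_* lines) follow directly, and the only explanation is the bare number #577519. Name in the comment the program saslauthd_t has to execute, and if it is a single helper, consider giving that helper its own type instead of allowing execution of generic bin files.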
@@ -26898,7 +26987,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.16/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/services/virt.te 2010-03-25 14:51:49.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/services/virt.te 2010-03-29 13:34:58.000000000 -0400
@@ -36,13 +36,6 @@
## <desc>
@@ -27000,7 +27089,15 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -446,6 +458,10 @@
+@@ -370,6 +382,7 @@
+ qemu_signal(virtd_t)
+ qemu_kill(virtd_t)
+ qemu_setsched(virtd_t)
++ qemu_entry_type(virt_domain)
+ ')
+
+ optional_policy(`
+@@ -446,6 +459,10 @@
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
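Review bot: qemu_entry_type(virt_domain) is added at the end of a block whose other lines (qemu_signal, qemu_kill, qemu_setsched) all take virtd_t, and the log message describes the change as an entrypoint for svirt_t. If virt_domain is intended, move the call next to the other virt_domain rules such as fs_rw_tmpfs_files(virt_domain) and adjust the log wording; if only svirt_t is intended, pass svirt_t.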
@@ -27035,12 +27132,14 @@ diff --exclude-from=exclude -N -u -r nsa
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.16/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/services/xserver.fc 2010-03-23 11:38:44.000000000 -0400
-@@ -3,12 +3,21 @@
++++ serefpolicy-3.7.16/policy/modules/services/xserver.fc 2010-03-26 15:09:02.000000000 -0400
+@@ -2,13 +2,23 @@
+ # HOME_DIR
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
++HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
-+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
++HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
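Review bot: the `HOME_DIR/\.fontconfig(/.*)?` entry moves from user_fonts_config_t to user_fonts_cache_t, and neither the file nor the changelog line "Fix ~/.fontconfig label" says why the cache type is the correct one. A short comment in the .fc file would help, and the same goes for the new `HOME_DIR/\.fonts\.d(/.*)?` entry, which takes the config type. Directories already labeled under the old rule keep that label until they are relabeled, so please confirm the package update handles existing home directories.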
@@ -27058,7 +27157,7 @@ diff --exclude-from=exclude -N -u -r nsa
#
# /dev
#
-@@ -32,11 +41,6 @@
+@@ -32,11 +42,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -27070,7 +27169,7 @@ diff --exclude-from=exclude -N -u -r nsa
#
# /opt
#
-@@ -47,21 +51,23 @@
+@@ -47,21 +52,23 @@
# /tmp
#
@@ -27098,7 +27197,7 @@ diff --exclude-from=exclude -N -u -r nsa
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
ifdef(`distro_debian', `
-@@ -89,17 +95,42 @@
+@@ -89,17 +96,42 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -27146,7 +27245,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.16/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/services/xserver.if 2010-03-23 11:38:44.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/services/xserver.if 2010-03-26 15:10:37.000000000 -0400
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -29143,7 +29242,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.16/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/system/init.te 2010-03-23 15:35:31.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/system/init.te 2010-03-29 13:05:05.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -29260,7 +29359,7 @@ diff --exclude-from=exclude -N -u -r nsa
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -259,13 +293,19 @@
+@@ -259,13 +293,21 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29275,14 +29374,15 @@ diff --exclude-from=exclude -N -u -r nsa
+files_setattr_pid_dirs(initrc_t)
files_read_kernel_symbol_table(initrc_t)
--
--corecmd_exec_all_executables(initrc_t)
+files_exec_etc_files(initrc_t)
+files_manage_etc_symlinks(initrc_t)
+-corecmd_exec_all_executables(initrc_t)
++fs_manage_tmpfs_dirs(initrc_t)
+
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -299,6 +339,7 @@
+@@ -299,6 +341,7 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
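Review bot: `fs_manage_tmpfs_dirs(initrc_t)` is added here with no comment, and the 3.7.16-2 changelog does not mention it. Please record which init script needs to create or remove tmpfs directories, so the grant can be reviewed later. The `corecmd_exec_all_executables(initrc_t)` removal is only repositioned within this hunk, so the tmpfs line is the one functional change.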
@@ -29290,7 +29390,7 @@ diff --exclude-from=exclude -N -u -r nsa
corecmd_exec_all_executables(initrc_t)
-@@ -325,8 +366,10 @@
+@@ -325,8 +368,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29302,7 +29402,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -342,6 +385,8 @@
+@@ -342,6 +387,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29311,7 +29411,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
-@@ -352,6 +397,11 @@
+@@ -352,6 +399,11 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29323,7 +29423,7 @@ diff --exclude-from=exclude -N -u -r nsa
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -395,15 +445,16 @@
+@@ -395,15 +447,16 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -29342,7 +29442,7 @@ diff --exclude-from=exclude -N -u -r nsa
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdom_use_user_terminals(initrc_t)
-@@ -471,7 +522,7 @@
+@@ -471,7 +524,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29351,7 +29451,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -517,6 +568,15 @@
+@@ -517,6 +570,15 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -29367,7 +29467,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -542,6 +602,34 @@
+@@ -542,6 +604,34 @@
')
')
@@ -29402,7 +29502,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -554,6 +642,8 @@
+@@ -554,6 +644,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29411,7 +29511,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -594,6 +684,7 @@
+@@ -594,6 +686,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29419,7 +29519,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -647,11 +738,6 @@
+@@ -647,11 +740,6 @@
')
optional_policy(`
@@ -29431,7 +29531,7 @@ diff --exclude-from=exclude -N -u -r nsa
kerberos_use(initrc_t)
')
-@@ -690,12 +776,18 @@
+@@ -690,12 +778,18 @@
')
optional_policy(`
@@ -29450,7 +29550,7 @@ diff --exclude-from=exclude -N -u -r nsa
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -718,6 +810,10 @@
+@@ -718,6 +812,10 @@
')
optional_policy(`
@@ -29461,7 +29561,7 @@ diff --exclude-from=exclude -N -u -r nsa
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -760,8 +856,6 @@
+@@ -760,8 +858,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29470,7 +29570,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -774,10 +868,12 @@
+@@ -774,10 +870,12 @@
squid_manage_logs(initrc_t)
')
@@ -29483,7 +29583,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +886,7 @@
+@@ -790,6 +888,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -29491,7 +29591,7 @@ diff --exclude-from=exclude -N -u -r nsa
udev_manage_pid_files(initrc_t)
')
-@@ -801,8 +898,15 @@
+@@ -801,8 +900,15 @@
virt_manage_svirt_cache(initrc_t)
')
@@ -29507,7 +29607,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +916,25 @@
+@@ -812,6 +918,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29533,7 +29633,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -837,3 +960,34 @@
+@@ -837,3 +962,34 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29709,8 +29809,16 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.16/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/system/libraries.fc 2010-03-23 11:38:44.000000000 -0400
-@@ -302,13 +302,8 @@
++++ serefpolicy-3.7.16/policy/modules/system/libraries.fc 2010-03-29 09:05:19.000000000 -0400
+@@ -208,6 +208,7 @@
+
+ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -302,13 +303,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
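Review bot: the new `/usr/lib(64)?/libgpac\.so.*` entry labels the library textrel_shlib_t, which exempts it from the text relocation restriction, and nothing in the hunk or the changelog records why. Suggest a comment or changelog line naming the report behind it, so the entry can be dropped once the library no longer needs text relocations.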
@@ -29726,7 +29834,7 @@ diff --exclude-from=exclude -N -u -r nsa
') dnl end distro_redhat
#
-@@ -319,14 +314,144 @@
+@@ -319,14 +315,144 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -32894,14 +33002,15 @@ diff --exclude-from=exclude -N -u -r nsa
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.16/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/system/userdomain.fc 2010-03-23 11:38:44.000000000 -0400
-@@ -1,4 +1,10 @@
++++ serefpolicy-3.7.16/policy/modules/system/userdomain.fc 2010-03-26 08:56:41.000000000 -0400
+@@ -1,4 +1,11 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
-
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
++/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/selinux-policy.spec,v
retrieving revision 1.991
retrieving revision 1.992
diff -u -p -r1.991 -r1.992
--- selinux-policy.spec 25 Mar 2010 19:01:16 -0000 1.991
+++ selinux-policy.spec 29 Mar 2010 17:45:49 -0000 1.992
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.16
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,8 +466,19 @@ exit 0
%endif
%changelog
+* Fri Mar 26 2010 Dan Walsh <dwalsh at redhat.com> 3.7.16-2
+- Fix ~/.fontconfig label
+- Add /root/.cert label
+- Allow reading of the fixed_file_disk_t:lnk_file if you can read file
+- Allow qemu_exec_t as an entrypoint to svirt_t
+
* Tue Mar 23 2010 Dan Walsh <dwalsh at redhat.com> 3.7.16-1
- Update to upstream
+- Allow tmpreaper to delete sandbox sock files
+- Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems
+- Fixes for gitosis
+- No transition on livecd to passwd or chfn
+- Fixes for denyhosts
* Tue Mar 23 2010 Dan Walsh <dwalsh at redhat.com> 3.7.15-4
- Add label for /var/lib/upower
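Review bot: the new 3.7.16-2 entry lists four changes, but the policy-F13.patch diff in this same commit also adds `corecmd_exec_bin(saslauthd_t)`, `fs_manage_tmpfs_dirs(initrc_t)` and the libgpac textrel_shlib_t label, none of which appear in it. The hunk also appends five lines to the already dated 3.7.16-1 entry. If those changes did ship in -1 that is fine, but otherwise they belong under -2 so the changelog matches the package history.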