[selinux-policy] - Add conflicts for dirsrv package

Daniel J Walsh dwalsh at fedoraproject.org
Tue Nov 9 12:55:59 UTC 2010


commit fc9bf2f03dfc5b3c8b20a981c27d9af470e0560e
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Nov 9 07:55:52 2010 -0500

    - Add conflicts for dirsrv package

 modules-targeted.conf |   14 ++
 policy-F15.patch      |  452 ++++++++++++++++++++++++++++++-------------------
 selinux-policy.spec   |    6 +-
 3 files changed, 300 insertions(+), 172 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 854a12d..ec4d9b5 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -511,6 +511,20 @@ dmidecode = base
 domain = base
 
 # Layer: services
+# Module: drbd
+#
+# DRBD mirrors a block device over the network to another machine.
+#
+drbd = module
+
+# Layer: services
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org
+#
+ddclient = module
+
+# Layer: services
 # Module: dovecot
 #
 # Dovecot POP and IMAP mail server
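Review bot: The commit title and description say only "Add conflicts for dirsrv package", but this hunk registers two new policy modules, `drbd = module` and `ddclient = module`, and nothing in the description mentions them. A reader of the package changelog has no way to tell that targeted policy now builds and ships two additional modules, so the description should list them, e.g. `- Add conflicts for dirsrv package` followed by `- Enable drbd and ddclient modules in targeted policy`. The visible part of policy-F15.patch does not show drbd.te or ddclient.te being added, so presumably both come from upstream refpolicy; if they are carried in this patch instead, that should be verified before the build depends on the entries added here.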
diff --git a/policy-F15.patch b/policy-F15.patch
index b4180e6..ac104f6 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -7335,70 +7335,27 @@ index 82842a0..369c3b5 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..8b6dc89 100644
+index 34c9d01..94ec653 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
-@@ -122,6 +122,8 @@ ifdef(`distro_debian',`
- /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
- ')
+@@ -128,8 +128,8 @@ ifdef(`distro_debian',`
  
-+/etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-+
- #
- # /lib
- #
-@@ -130,6 +132,7 @@ ifdef(`distro_debian',`
+ /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
- /lib/systemd/systemd.*		--	gen_context(system_u:object_r:bin_t,s0)
+-/lib/systemd/systemd.*		--	gen_context(system_u:object_r:bin_t,s0)
  /lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
 +/lib/udev/devices/MAKEDEV	-l	gen_context(system_u:object_r:bin_t,s0)
  /lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
  /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
-@@ -146,6 +149,8 @@ ifdef(`distro_gentoo',`
- /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
- /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
- ')
-+/lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-+/lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
- 
- #
- # /sbin
-@@ -266,6 +271,8 @@ ifdef(`distro_gentoo',`
- /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/gitolite/hooks/common/update         --      gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
-@@ -382,3 +389,25 @@ ifdef(`distro_suse', `
- ifdef(`distro_suse',`
- /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
- ')
-+/var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-+
-+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-+
-+/usr/lib/oracle/xe/apps(/.*)?  gen_context(system_u:object_r:bin_t,s0)
-+
-+/usr/lib(64)?/pm-utils(/.*)?  gen_context(system_u:object_r:bin_t,s0)
-+
-+/usr/lib/wicd/monitor.py 	-- 	gen_context(system_u:object_r:bin_t, s0)
-+
-+/usr/lib(64)?/nspluginwrapper/np.*	gen_context(system_u:object_r:bin_t,s0)
-+
-+/usr/lib(64)?/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
-+
-+/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
-+
-+/etc/kde/env(/.*)?  gen_context(system_u:object_r:bin_t,s0)
-+/etc/kde/shutdown(/.*)?  gen_context(system_u:object_r:bin_t,s0)
+@@ -307,6 +307,7 @@ ifdef(`distro_redhat', `
+ /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/oracle/xe/apps(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
 index 9e9263a..24018ce 100644
 --- a/policy/modules/kernel/corecommands.if
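Review bot: The rebased inner hunk now makes the patch remove the `/lib/systemd/systemd.*  --  gen_context(system_u:object_r:bin_t,s0)` entry from corecommands.fc (the `+-` line), so the helper binaries under /lib/systemd lose their bin_t label and fall back to whatever the remaining fc entries give them, presumably lib_t. Any domain that was relying on corecmd_exec_bin to run those helpers would then lose exec on them; if the label moved to an init/systemd fc entry elsewhere in the patch that is fine, but that part is not visible here and the description does not say so. The hunk also drops the earlier additions for gitolite, asterisk, pm-utils, rpm, gimp and kde; the `/lib/readahead(/.*)?` and `/lib/upstart(/.*)?` lines now appearing as context in the new inner hunk suggest upstream already carries them, which the commit message should state explicitly.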
@@ -8319,7 +8276,7 @@ index 3517db2..bd4c23d 100644
 +/nsr(/.*)?						gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..5dcb9ad 100644
+index 5302dac..9b828ee 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8335,7 +8292,32 @@ index 5302dac..5dcb9ad 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1446,6 +1444,60 @@ interface(`files_dontaudit_search_all_mountpoints',`
+@@ -1410,6 +1408,24 @@ interface(`files_getattr_all_mountpoints',`
+ 
+ ########################################
+ ## <summary>
++##	Set the attributes of all mount points.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_all_mountpoints',`
++	gen_require(`
++		attribute mountpoint;
++	')
++
++	allow $1 mountpoint:dir setattr;
++')
++
++########################################
++## <summary>
+ ##	Search all mount points.
+ ## </summary>
+ ## <param name="domain">
+@@ -1446,6 +1462,60 @@ interface(`files_dontaudit_search_all_mountpoints',`
  
  ########################################
  ## <summary>
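Review bot: The new `files_setattr_all_mountpoints` interface grants `setattr` on every directory carrying the `mountpoint` attribute, which covers chmod/chown/timestamp changes on every mount point in the system, and neither the interface summary here nor its only visible caller, `files_setattr_all_mountpoints(mount_t)` in the mount.te hunk further down, says which mount operation needs it. The neighbouring `files_write_all_mountpoints(mount_t)` call carries the comment `# ntfs-3g checks whether the mountpoint is writable before mounting`; the setattr call should get a similar one-line why-comment, and the summary here could read `##	Set the attributes (mode, ownership, timestamps) of all mount points.` so that future callers understand the scope. Given the breadth, it would also be worth stating in the interface description that this is intended for the mount domain only.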
@@ -8396,7 +8378,7 @@ index 5302dac..5dcb9ad 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1836,6 +1888,25 @@ interface(`files_relabelfrom_boot_files',`
+@@ -1836,6 +1906,25 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -8422,7 +8404,7 @@ index 5302dac..5dcb9ad 100644
  ########################################
  ## <summary>
  ##	Read and write symbolic links
-@@ -2435,6 +2506,24 @@ interface(`files_delete_etc_files',`
+@@ -2435,6 +2524,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -8447,7 +8429,7 @@ index 5302dac..5dcb9ad 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2605,6 +2694,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2605,6 +2712,24 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -8472,7 +8454,7 @@ index 5302dac..5dcb9ad 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -3086,6 +3193,7 @@ interface(`files_getattr_home_dir',`
+@@ -3086,6 +3211,7 @@ interface(`files_getattr_home_dir',`
  	')
  
  	allow $1 home_root_t:dir getattr;
@@ -8480,7 +8462,7 @@ index 5302dac..5dcb9ad 100644
  ')
  
  ########################################
-@@ -3106,6 +3214,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3106,6 +3232,7 @@ interface(`files_dontaudit_getattr_home_dir',`
  	')
  
  	dontaudit $1 home_root_t:dir getattr;
@@ -8488,7 +8470,7 @@ index 5302dac..5dcb9ad 100644
  ')
  
  ########################################
-@@ -3347,6 +3456,24 @@ interface(`files_list_mnt',`
+@@ -3347,6 +3474,24 @@ interface(`files_list_mnt',`
  	allow $1 mnt_t:dir list_dir_perms;
  ')
  
@@ -8513,7 +8495,7 @@ index 5302dac..5dcb9ad 100644
  ########################################
  ## <summary>
  ##	Mount a filesystem on /mnt.
-@@ -3420,6 +3547,24 @@ interface(`files_read_mnt_files',`
+@@ -3420,6 +3565,24 @@ interface(`files_read_mnt_files',`
  	read_files_pattern($1, mnt_t, mnt_t)
  ')
  
@@ -8538,7 +8520,7 @@ index 5302dac..5dcb9ad 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links in /mnt.
-@@ -3711,6 +3856,100 @@ interface(`files_read_world_readable_sockets',`
+@@ -3711,6 +3874,100 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -8639,7 +8621,7 @@ index 5302dac..5dcb9ad 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3896,6 +4135,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3896,6 +4153,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -8672,7 +8654,7 @@ index 5302dac..5dcb9ad 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -3950,6 +4215,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3950,6 +4233,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -8715,7 +8697,7 @@ index 5302dac..5dcb9ad 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4109,6 +4410,13 @@ interface(`files_purge_tmp',`
+@@ -4109,6 +4428,13 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -8729,7 +8711,7 @@ index 5302dac..5dcb9ad 100644
  ')
  
  ########################################
-@@ -4718,6 +5026,24 @@ interface(`files_read_var_files',`
+@@ -4718,6 +5044,24 @@ interface(`files_read_var_files',`
  
  ########################################
  ## <summary>
@@ -8754,7 +8736,7 @@ index 5302dac..5dcb9ad 100644
  ##	Read and write files in the /var directory.
  ## </summary>
  ## <param name="domain">
-@@ -5053,6 +5379,24 @@ interface(`files_manage_mounttab',`
+@@ -5053,6 +5397,24 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -8779,7 +8761,7 @@ index 5302dac..5dcb9ad 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5138,12 +5482,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5138,12 +5500,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -8796,64 +8778,103 @@ index 5302dac..5dcb9ad 100644
  ')
  
  ########################################
-@@ -5189,6 +5533,27 @@ interface(`files_delete_all_locks',`
+@@ -5189,29 +5551,28 @@ interface(`files_delete_all_locks',`
  
  ########################################
  ## <summary>
+-##	Read all lock files.
 +##	Relabel all lock files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_read_all_locks',`
++interface(`files_relabel_all_lock_dirs',`
+ 	gen_require(`
+ 		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	allow $1 lockfile:dir list_dir_perms;
+-	read_files_pattern($1, lockfile, lockfile)
+-	read_lnk_files_pattern($1, lockfile, lockfile)
++	allow $1 var_t:dir search_dir_perms;
++	relabel_dirs_pattern($1, lockfile, lockfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	manage all lock files.
++##	Read all lock files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5219,15 +5580,37 @@ interface(`files_read_all_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_locks',`
++interface(`files_read_all_locks',`
+ 	gen_require(`
+ 		attribute lockfile;
+ 		type var_t, var_lock_t;
+ 	')
+ 
+ 	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	manage_dirs_pattern($1, lockfile, lockfile)
+-	manage_files_pattern($1, lockfile, lockfile)
++	allow $1 lockfile:dir list_dir_perms;
++	read_files_pattern($1, lockfile, lockfile)
++	read_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	manage all lock files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_relabel_all_lock_dirs',`
++interface(`files_manage_all_locks',`
 +	gen_require(`
 +		attribute lockfile;
-+		type var_t;
++		type var_t, var_lock_t;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	relabel_dirs_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+## <summary>
- ##	Read all lock files.
- ## </summary>
- ## <param name="domain">
-@@ -5317,23 +5682,60 @@ interface(`files_search_pids',`
++	allow $1 { var_t var_lock_t }:dir search_dir_perms;
++	manage_dirs_pattern($1, lockfile, lockfile)
++	manage_files_pattern($1, lockfile, lockfile)
+ 	manage_lnk_files_pattern($1, lockfile, lockfile)
+ ')
+ 
+@@ -5317,6 +5700,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
--########################################
 +######################################
- ## <summary>
--##	Do not audit attempts to search
--##	the /var/run directory.
++## <summary>
 +## Add and remove entries from pid directories.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain to not audit.
--##	</summary>
++## </summary>
++## <param name="domain">
 +## <summary>
 +## Domain allowed access.
 +## </summary>
- ## </param>
- #
--interface(`files_dontaudit_search_pids',`
--	gen_require(`
--		type var_run_t;
--	')
++## </param>
++#
 +interface(`files_rw_pid_dirs',`
 +    gen_require(`
 +        type var_run_t;
 +    ')
- 
--	dontaudit $1 var_run_t:dir search_dir_perms;
++
 +    allow $1 var_run_t:dir rw_dir_perms;
 +')
 +
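Review bot: The `files_rw_pid_dirs` and `files_create_pid_dirs` blocks that end this hunk are indented with four spaces (`+    gen_require(`, `+        type var_run_t;`, `+    allow $1 var_run_t:dir rw_dir_perms;`) and their `## Domain allowed access.` doc lines lack the tab that every other interface in this file uses, and the separator above them is two characters short of the usual forty `#`. These lines are context here, so the style problem predates this commit, but the hunk is being rebased anyway and this is the natural moment to normalize them to tabs and the standard header width. Separately, the relocated `files_relabel_all_lock_dirs` requires only `var_t` while `files_read_all_locks` next to it requires `{ var_t var_lock_t }` for search; that is presumably fine if var_lock_t carries the `lockfile` attribute so that `relabel_dirs_pattern` supplies the search permission, but it is worth confirming.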
@@ -8876,27 +8897,10 @@ index 5302dac..5dcb9ad 100644
 +        allow $1 var_run_t:dir create_dir_perms;
 +')
 +
-+########################################
-+## <summary>
-+##	Do not audit attempts to search
-+##	the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_search_pids',`
-+	gen_require(`
-+		type var_run_t;
-+	')
-+
-+	dontaudit $1 var_run_t:dir search_dir_perms;
- ')
- 
  ########################################
-@@ -5524,6 +5926,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ ## <summary>
+ ##	Do not audit attempts to search
+@@ -5524,6 +5944,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -8959,7 +8963,7 @@ index 5302dac..5dcb9ad 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5541,6 +5999,44 @@ interface(`files_read_all_pids',`
+@@ -5541,6 +6017,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -9004,7 +9008,7 @@ index 5302dac..5dcb9ad 100644
  ')
  
  ########################################
-@@ -5826,3 +6322,247 @@ interface(`files_unconfined',`
+@@ -5826,3 +6340,247 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -12353,7 +12357,7 @@ index 0b827c5..8961dba 100644
  	admin_pattern($1, abrt_tmp_t)
  ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 98646c4..5be7dc8 100644
+index 98646c4..73ae7f0 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1)
@@ -12397,7 +12401,15 @@ index 98646c4..5be7dc8 100644
  
  kernel_read_ring_buffer(abrt_t)
  kernel_read_system_state(abrt_t)
-@@ -121,6 +130,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -114,6 +123,7 @@ domain_signull_all_domains(abrt_t)
+ 
+ files_getattr_all_files(abrt_t)
+ files_read_etc_files(abrt_t)
++files_read_etc_runtime_files(abrt_t)
+ files_read_var_symlinks(abrt_t)
+ files_read_var_lib_files(abrt_t)
+ files_read_usr_files(abrt_t)
+@@ -121,6 +131,8 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -12406,7 +12418,7 @@ index 98646c4..5be7dc8 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,7 +142,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,7 +143,7 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -12415,7 +12427,7 @@ index 98646c4..5be7dc8 100644
  
  logging_read_generic_logs(abrt_t)
  logging_send_syslog_msg(abrt_t)
-@@ -140,6 +151,15 @@ miscfiles_read_generic_certs(abrt_t)
+@@ -140,6 +152,15 @@ miscfiles_read_generic_certs(abrt_t)
  miscfiles_read_localization(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -12431,7 +12443,7 @@ index 98646c4..5be7dc8 100644
  
  optional_policy(`
  	dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +170,11 @@ optional_policy(`
+@@ -150,6 +171,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12443,7 +12455,7 @@ index 98646c4..5be7dc8 100644
  	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
-@@ -178,12 +203,18 @@ optional_policy(`
+@@ -178,12 +204,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12463,7 +12475,7 @@ index 98646c4..5be7dc8 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +234,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+@@ -203,6 +235,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  domain_read_all_domains_state(abrt_helper_t)
  
  files_read_etc_files(abrt_helper_t)
@@ -12471,7 +12483,7 @@ index 98646c4..5be7dc8 100644
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +248,8 @@ miscfiles_read_localization(abrt_helper_t)
+@@ -216,7 +249,8 @@ miscfiles_read_localization(abrt_helper_t)
  term_dontaudit_use_all_ttys(abrt_helper_t)
  term_dontaudit_use_all_ptys(abrt_helper_t)
  
@@ -12481,7 +12493,7 @@ index 98646c4..5be7dc8 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +257,18 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +258,18 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -19790,7 +19802,7 @@ index e1d7dc5..ee51a19 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..dd7fe41 100644
+index cbe14e4..9e2f6d5 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -19865,7 +19877,16 @@ index cbe14e4..dd7fe41 100644
  allow dovecot_auth_t self:process { signal_perms getcap setcap };
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-@@ -242,6 +252,7 @@ optional_policy(`
+@@ -189,6 +199,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+ 
+ read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+ 
++read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
++
+ manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+ files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+@@ -242,6 +254,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19873,7 +19894,7 @@ index cbe14e4..dd7fe41 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
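Review bot: The added `read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)` grants read on dovecot_etc_t files plus search on dovecot_etc_t directories, but not directory listing or symlink reads. If dovecot_auth_t is parsing the main configuration (Dovecot 2.x's default `!include conf.d/*.conf` globs the directory, which needs list access), this will still produce denials, so `list_dirs_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)` and probably `read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)` should accompany it; if the auth process only reads a single file handed to it by dovecot_t, the current rule is enough. Which case applies is not visible from the hunk, so it should be confirmed against the AVC that motivated the change.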
-@@ -253,19 +264,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+@@ -253,19 +266,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
  allow dovecot_deliver_t dovecot_t:process signull;
  
@@ -19907,7 +19928,7 @@ index cbe14e4..dd7fe41 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -302,4 +325,5 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -302,4 +327,5 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
@@ -25548,15 +25569,16 @@ index 4876cae..5f2ba87 100644
  allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
  allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
 diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
-index 85188dc..99cefb8 100644
+index 85188dc..76f26dd 100644
 --- a/policy/modules/services/nscd.if
 +++ b/policy/modules/services/nscd.if
-@@ -116,7 +116,25 @@ interface(`nscd_socket_use',`
+@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
  	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
  	files_search_pids($1)
  	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
 -	dontaudit $1 nscd_var_run_t:file { getattr read };
 +	dontaudit $1 nscd_var_run_t:file read_file_perms;
++	ps_process_pattern(nscd_t, $1)
 +')
 +
 +########################################
@@ -25578,7 +25600,7 @@ index 85188dc..99cefb8 100644
  ')
  
  ########################################
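Review bot: Adding `ps_process_pattern(nscd_t, $1)` inside `nscd_socket_use` reverses the direction of everything else in that interface: the caller `$1` is asking to use nscd, but this line lets nscd_t read the caller's process state (its /proc entry and process attributes, per the pattern's definition) for every domain that calls the interface. That is a silent widening of a client-side interface whose documented purpose is socket use, and it will be inherited by every nscd client in the policy. If nscd genuinely needs to inspect the peer's /proc entry, a one-line comment such as `# nscd reads the connecting client's /proc entry` should be added next to the rule and the interface description (above the hunk, in the unchanged part of `nscd_socket_use`) should mention it; otherwise this belongs in nscd.te scoped to the specific client type that triggered the denial.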
-@@ -146,11 +164,14 @@ interface(`nscd_shm_use',`
+@@ -146,11 +165,14 @@ interface(`nscd_shm_use',`
  	# nscd_socket_domain macro. need to investigate
  	# if they are all actually required
  	allow $1 self:unix_stream_socket create_stream_socket_perms;
@@ -25596,7 +25618,7 @@ index 85188dc..99cefb8 100644
  ')
  
  ########################################
-@@ -168,7 +189,7 @@ interface(`nscd_dontaudit_search_pid',`
+@@ -168,7 +190,7 @@ interface(`nscd_dontaudit_search_pid',`
  		type nscd_var_run_t;
  	')
  
@@ -25605,7 +25627,7 @@ index 85188dc..99cefb8 100644
  ')
  
  ########################################
-@@ -224,6 +245,7 @@ interface(`nscd_unconfined',`
+@@ -224,6 +246,7 @@ interface(`nscd_unconfined',`
  ##	Role allowed access.
  ##	</summary>
  ## </param>
@@ -26093,7 +26115,7 @@ index 9d0a67b..9197ef0 100644
  #
  interface(`openct_domtrans',`
 diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index 8b550f4..cb87bef 100644
+index 8b550f4..e41ff47 100644
 --- a/policy/modules/services/openvpn.te
 +++ b/policy/modules/services/openvpn.te
 @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
@@ -26155,7 +26177,16 @@ index 8b550f4..cb87bef 100644
  
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
-@@ -113,20 +120,20 @@ sysnet_manage_config(openvpn_t)
+@@ -102,6 +109,8 @@ files_read_etc_runtime_files(openvpn_t)
+ 
+ auth_use_pam(openvpn_t)
+ 
++init_read_utmp(openvpn_t)
++
+ logging_send_syslog_msg(openvpn_t)
+ 
+ miscfiles_read_localization(openvpn_t)
+@@ -113,20 +122,20 @@ sysnet_manage_config(openvpn_t)
  sysnet_etc_filetrans_config(openvpn_t)
  
  userdom_use_user_terminals(openvpn_t)
@@ -26183,7 +26214,7 @@ index 8b550f4..cb87bef 100644
  
  optional_policy(`
  	daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +145,7 @@ optional_policy(`
+@@ -138,3 +147,7 @@ optional_policy(`
  
  	networkmanager_dbus_chat(openvpn_t)
  ')
@@ -27733,10 +27764,21 @@ index 55e62d2..c114a40 100644
  /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..ff521d5 100644
+index 46bee12..9c13189 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
-@@ -50,7 +50,7 @@ template(`postfix_domain_template',`
+@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
+ 	domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
+ 	role system_r types postfix_$1_t;
+ 
++	allow postfix_$1_t self:capability sys_nice;
+ 	dontaudit postfix_$1_t self:capability sys_tty_config;
+-	allow postfix_$1_t self:process { signal_perms setpgid };
++	allow postfix_$1_t self:process { signal_perms setpgid setsched };
+ 	allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+ 	allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+ 	allow postfix_$1_t self:unix_stream_socket connectto;
+@@ -50,7 +51,7 @@ template(`postfix_domain_template',`
  
  	can_exec(postfix_$1_t, postfix_$1_exec_t)
  
@@ -27745,7 +27787,7 @@ index 46bee12..ff521d5 100644
  
  	allow postfix_$1_t postfix_master_t:process sigchld;
  
-@@ -77,6 +77,7 @@ template(`postfix_domain_template',`
+@@ -77,6 +78,7 @@ template(`postfix_domain_template',`
  
  	files_read_etc_files(postfix_$1_t)
  	files_read_etc_runtime_files(postfix_$1_t)
@@ -27753,7 +27795,7 @@ index 46bee12..ff521d5 100644
  	files_read_usr_symlinks(postfix_$1_t)
  	files_search_spool(postfix_$1_t)
  	files_getattr_tmp_dirs(postfix_$1_t)
-@@ -272,7 +273,8 @@ interface(`postfix_read_local_state',`
+@@ -272,7 +274,8 @@ interface(`postfix_read_local_state',`
  		type postfix_local_t;
  	')
  
@@ -27763,7 +27805,7 @@ index 46bee12..ff521d5 100644
  ')
  
  ########################################
-@@ -290,7 +292,8 @@ interface(`postfix_read_master_state',`
+@@ -290,7 +293,8 @@ interface(`postfix_read_master_state',`
  		type postfix_master_t;
  	')
  
@@ -27773,7 +27815,7 @@ index 46bee12..ff521d5 100644
  ')
  
  ########################################
-@@ -376,6 +379,25 @@ interface(`postfix_domtrans_master',`
+@@ -376,6 +380,25 @@ interface(`postfix_domtrans_master',`
  	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
  ')
  
@@ -27799,7 +27841,7 @@ index 46bee12..ff521d5 100644
  ########################################
  ## <summary>
  ##	Execute the master postfix program in the
-@@ -404,7 +426,6 @@ interface(`postfix_exec_master',`
+@@ -404,7 +427,6 @@ interface(`postfix_exec_master',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -27807,7 +27849,7 @@ index 46bee12..ff521d5 100644
  #
  interface(`postfix_stream_connect_master',`
  	gen_require(`
-@@ -529,6 +550,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -529,6 +551,25 @@ interface(`postfix_domtrans_smtp',`
  
  ########################################
  ## <summary>
@@ -27833,7 +27875,7 @@ index 46bee12..ff521d5 100644
  ##	Search postfix mail spool directories.
  ## </summary>
  ## <param name="domain">
-@@ -539,10 +579,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +580,10 @@ interface(`postfix_domtrans_smtp',`
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -27846,7 +27888,7 @@ index 46bee12..ff521d5 100644
  	files_search_spool($1)
  ')
  
-@@ -558,10 +598,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +599,10 @@ interface(`postfix_search_spool',`
  #
  interface(`postfix_list_spool',`
  	gen_require(`
@@ -27859,7 +27901,7 @@ index 46bee12..ff521d5 100644
  	files_search_spool($1)
  ')
  
-@@ -577,11 +617,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +618,11 @@ interface(`postfix_list_spool',`
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -27873,7 +27915,7 @@ index 46bee12..ff521d5 100644
  ')
  
  ########################################
-@@ -596,11 +636,11 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +637,11 @@ interface(`postfix_read_spool_files',`
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -27887,7 +27929,7 @@ index 46bee12..ff521d5 100644
  ')
  
  ########################################
-@@ -621,3 +661,103 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +662,103 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -30293,13 +30335,47 @@ index 340a6c0..f24c52e 100644
 +	')
  ')
 diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
-index 0a76027..cdd0542 100644
+index 0a76027..88ac667 100644
 --- a/policy/modules/services/remotelogin.te
 +++ b/policy/modules/services/remotelogin.te
-@@ -114,7 +114,6 @@ optional_policy(`
+@@ -49,6 +49,7 @@ fs_getattr_xattr_fs(remote_login_t)
+ fs_search_auto_mountpoints(remote_login_t)
+ 
+ term_relabel_all_ptys(remote_login_t)
++term_use_all_ptys(remote_login_t)
+ 
+ auth_rw_login_records(remote_login_t)
+ auth_rw_faillog(remote_login_t)
+@@ -77,7 +78,7 @@ files_list_mnt(remote_login_t)
+ # for when /var/mail is a sym-link
+ files_read_var_symlinks(remote_login_t)
+ 
+-sysnet_dns_name_resolve(remote_login_t)
++auth_use_nsswitch(remote_login_t)
+ 
+ miscfiles_read_localization(remote_login_t)
+ 
+@@ -87,6 +88,7 @@ userdom_search_user_home_content(remote_login_t)
+ # since very weak authentication is used.
+ userdom_signal_unpriv_users(remote_login_t)
+ userdom_spec_domtrans_unpriv_users(remote_login_t)
++userdom_use_user_ptys(remote_login_t)
+ 
+ # Search for mail spool file.
+ mta_getattr_spool(remote_login_t)
+@@ -106,15 +108,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(remote_login_t)
++	telnet_use_ptys(remote_login_t)
  ')
  
  optional_policy(`
+-	nscd_socket_use(remote_login_t)
+-')
+-
+-optional_policy(`
 -	unconfined_domain(remote_login_t)
  	unconfined_shell_domtrans(remote_login_t)
  ')
@@ -34424,6 +34500,30 @@ index 7038b55..4e84f23 100644
  
  type tcpd_tmp_t;
  files_tmp_file(tcpd_tmp_t)
+diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if
+index 58e7ec0..cf4cc85 100644
+--- a/policy/modules/services/telnet.if
++++ b/policy/modules/services/telnet.if
+@@ -1 +1,19 @@
+ ## <summary>Telnet daemon</summary>
++
++########################################
++## <summary>
++##	Read and write a telnetd domain pty.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`telnet_use_ptys',`
++	gen_require(`
++		type telnetd_devpts_t;
++	')
++
++	allow $1 telnetd_devpts_t:chr_file rw_term_perms;
++')
 diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
 index f40e67b..34c4c57 100644
 --- a/policy/modules/services/telnet.te
@@ -42712,7 +42812,7 @@ index 8b5c196..3490497 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index fca6947..43cb923 100644
+index fca6947..e1f7531 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -42762,7 +42862,7 @@ index fca6947..43cb923 100644
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -46,50 +68,83 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,50 +68,84 @@ can_exec(mount_t, mount_exec_t)
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -42814,6 +42914,7 @@ index fca6947..43cb923 100644
 +# for when /etc/mtab loses its type
 +files_delete_etc_files(mount_t)
  files_mounton_all_mountpoints(mount_t)
++files_setattr_all_mountpoints(mount_t)
 +# ntfs-3g checks whether the mountpoint is writable before mounting
 +files_write_all_mountpoints(mount_t)
  files_unmount_rootfs(mount_t)
@@ -42853,7 +42954,7 @@ index fca6947..43cb923 100644
  
  mls_file_read_all_levels(mount_t)
  mls_file_write_all_levels(mount_t)
-@@ -100,6 +155,7 @@ storage_raw_read_fixed_disk(mount_t)
+@@ -100,6 +156,7 @@ storage_raw_read_fixed_disk(mount_t)
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -42861,7 +42962,7 @@ index fca6947..43cb923 100644
  
  term_use_all_terms(mount_t)
  
-@@ -108,6 +164,8 @@ auth_use_nsswitch(mount_t)
+@@ -108,6 +165,8 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -42870,7 +42971,7 @@ index fca6947..43cb923 100644
  
  logging_send_syslog_msg(mount_t)
  
-@@ -118,6 +176,12 @@ sysnet_use_portmap(mount_t)
+@@ -118,6 +177,12 @@ sysnet_use_portmap(mount_t)
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -42883,7 +42984,7 @@ index fca6947..43cb923 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -133,10 +197,17 @@ ifdef(`distro_ubuntu',`
+@@ -133,10 +198,17 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -42901,7 +43002,7 @@ index fca6947..43cb923 100644
  ')
  
  optional_policy(`
-@@ -166,6 +237,8 @@ optional_policy(`
+@@ -166,6 +238,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -42910,7 +43011,7 @@ index fca6947..43cb923 100644
  ')
  
  optional_policy(`
-@@ -173,6 +246,28 @@ optional_policy(`
+@@ -173,6 +247,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42939,7 +43040,7 @@ index fca6947..43cb923 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -180,13 +275,44 @@ optional_policy(`
+@@ -180,13 +276,44 @@ optional_policy(`
  	')
  ')
  
@@ -42984,7 +43085,7 @@ index fca6947..43cb923 100644
  ')
  
  ########################################
-@@ -195,6 +321,42 @@ optional_policy(`
+@@ -195,6 +322,42 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -43932,9 +44033,18 @@ index 0e48679..78b3429 100644
  type setrans_initrc_exec_t;
  init_script_file(setrans_initrc_exec_t)
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 726619b..4bb3158 100644
+index 726619b..36426f7 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
+@@ -13,7 +13,7 @@
+ /etc/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcp/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/ethers		--	gen_context(system_u:object_r:net_conf_t,s0)
+-/etc/hosts		--	gen_context(system_u:object_r:net_conf_t,s0)
++/etc/hosts[^/]*		--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 @@ -64,3 +64,5 @@ ifdef(`distro_redhat',`
  ifdef(`distro_gentoo',`
  /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
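Review bot: Replacing the exact `/etc/hosts` match with `/etc/hosts[^/]*` relabels more than /etc/hosts backups: `/etc/hosts.allow` and `/etc/hosts.equiv`, which gate tcp_wrappers access and rsh/rlogin host trust, would now become `net_conf_t`, the same type that network-configuration clients such as DHCP clients are typically allowed to write. Presumably the intent is to cover `/etc/hosts.rpmnew`/`.bak` style copies; if so, keep the broad pattern but pin the sensitive files back to their previous label with more specific entries, e.g. `/etc/hosts\.allow	--	gen_context(system_u:object_r:etc_t,s0)` and `/etc/hosts\.equiv	--	gen_context(system_u:object_r:etc_t,s0)`, which should take precedence over the regex under file_contexts specificity rules. I cannot see from this hunk what label those two files carried before, so confirm against the rest of sysnetwork.fc and tcpd.fc before adding them.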
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f230f82..ab47532 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -319,6 +319,7 @@ Conflicts:  audispd-plugins <= 1.7.7-1
 Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
 Obsoletes: cachefilesd-selinux <= 0.10-1
 Conflicts:  seedit
+Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12
 
 %description targeted
 SELinux Reference policy targeted base module.
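Review bot: The new `Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12` line gives no hint why those versions are incompatible, and the changelog entry only says "dirsrv package", which is not the name of either package. Presumably the older 389 packages ship their own policy module that collides with one now carried here; if so, a one-line comment above the Conflicts such as `# older 389-ds/389-admin ship a conflicting dirsrv policy module -- confirm versions against their changelogs` would keep the reason with the version bounds when they are next revised.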
@@ -470,6 +471,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Nov 5 2010 Dan Walsh <dwalsh at redhat.com> 3.9.8-2
+- Add conflicts for dirsrv package
+
 * Fri Nov 5 2010 Dan Walsh <dwalsh at redhat.com> 3.9.8-1
 - Update to upstream
 - Add vlock policy

