[selinux-policy: 1584/3172] patch from dan Fri, 01 Sep 2006 15:45:24 -0400
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:22:07 UTC 2010
commit 5dbda5558aff1f98f8d99a601e790a1baf778e59
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Sep 4 15:15:35 2006 +0000
patch from dan Fri, 01 Sep 2006 15:45:24 -0400
Changelog | 1 +
policy/modules/admin/amanda.fc | 50 -----------------------------
policy/modules/admin/amanda.te | 14 +-------
policy/modules/admin/firstboot.fc | 2 -
policy/modules/admin/firstboot.te | 13 ++-----
policy/modules/kernel/corecommands.if | 1 +
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/kernel/terminal.if | 2 +-
policy/modules/kernel/terminal.te | 2 +-
policy/modules/services/apache.te | 1 -
policy/modules/services/cron.if | 15 +++++---
policy/modules/services/cron.te | 2 +-
policy/modules/services/cyrus.te | 3 +-
policy/modules/services/dbus.te | 1 -
policy/modules/services/ftp.te | 1 -
policy/modules/services/hal.te | 4 +-
policy/modules/services/ldap.te | 7 ++--
policy/modules/services/networkmanager.te | 6 ++-
policy/modules/services/ntp.te | 1 -
policy/modules/services/stunnel.te | 5 ++-
policy/modules/system/selinuxutil.fc | 1 +
policy/modules/system/selinuxutil.te | 2 +-
22 files changed, 37 insertions(+), 99 deletions(-)
---
diff --git a/Changelog b/Changelog
index 812cdec..13813bd 100644
--- a/Changelog
+++ b/Changelog
@@ -65,6 +65,7 @@
Wed, 26 Jul 2006
Wed, 23 Aug 2006
Thu, 31 Aug 2006
+ Fri, 01 Sep 2006
- Added modules:
afs
amavis (Erich Schubert)
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index b2a3c36..4caaa8f 100644
--- a/policy/modules/admin/amanda.fc
+++ b/policy/modules/admin/amanda.fc
@@ -11,61 +11,11 @@
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amcat\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amcleanupdisk -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amlogroll -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.g -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.gp -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amtrmidx -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/amtrmlog -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/calcsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-chio -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-chs -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-manual -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-multi -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-rth -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-scsi -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-zd-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/driver -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/dumper -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/killpgrp -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/patch-system -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/planner -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/rundump -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/runtar -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/selfcheck -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/sendbackup -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/sendsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/taper -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/versionsuffix -- gen_context(system_u:object_r:amanda_exec_t,s0)
-
-/usr/sbin/amadmin -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcheck -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcheckdb -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcleanup -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amdump -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amflush -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amgetconf -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amlabel -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amoverview -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amplot -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
-/usr/sbin/amreport -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amrestore -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amrmtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amstatus -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amtoc -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amverify -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-
/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
-/var/lib/amanda/\.bashrc -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
-/var/lib/amanda/\.profile -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
/var/lib/amanda/disklist -- gen_context(system_u:object_r:amanda_data_t,s0)
/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 4632176..b07c612 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.3.5)
+policy_module(amanda,1.3.6)
#######################################
#
@@ -33,18 +33,6 @@ files_type(amanda_var_lib_t)
type amanda_gnutarlists_t;
files_type(amanda_gnutarlists_t)
-# type for user startable files
-type amanda_user_exec_t;
-corecmd_executable_file(amanda_user_exec_t)
-
-# type for same awk and other scripts
-type amanda_script_exec_t;
-corecmd_executable_file(amanda_script_exec_t)
-
-# type for the shell configuration files
-type amanda_shellconfig_t;
-files_type(amanda_shellconfig_t)
-
type amanda_tmp_t;
files_tmp_file(amanda_tmp_t)
diff --git a/policy/modules/admin/firstboot.fc b/policy/modules/admin/firstboot.fc
index ab57cde..ba614e4 100644
--- a/policy/modules/admin/firstboot.fc
+++ b/policy/modules/admin/firstboot.fc
@@ -1,5 +1,3 @@
-# firstboot
/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
-/usr/share/firstboot gen_context(system_u:object_r:firstboot_rw_t,s0)
/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 36f2154..d7faf80 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot,1.1.4)
+policy_module(firstboot,1.1.5)
gen_require(`
class passwd rootok;
@@ -20,9 +20,6 @@ role system_r types firstboot_t;
type firstboot_etc_t;
files_config_file(firstboot_etc_t)
-type firstboot_rw_t;
-files_type(firstboot_rw_t)
-
########################################
#
# Local policy
@@ -38,10 +35,6 @@ allow firstboot_t self:passwd rootok;
allow firstboot_t firstboot_etc_t:file { getattr read };
-allow firstboot_t firstboot_rw_t:dir create_dir_perms;
-allow firstboot_t firstboot_rw_t:file create_file_perms;
-files_etc_filetrans(firstboot_t,firstboot_rw_t,file)
-
# The big hammer
unconfined_domain(firstboot_t)
@@ -68,7 +61,8 @@ corecmd_exec_all_executables(firstboot_t)
files_exec_etc_files(firstboot_t)
files_manage_etc_files(firstboot_t)
-files_read_etc_runtime_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_etc_filetrans_etc_runtime(firstboot_t, { file dir })
files_read_usr_files(firstboot_t)
files_manage_var_dirs(firstboot_t)
files_manage_var_files(firstboot_t)
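Review bot: The added `files_etc_filetrans_etc_runtime(firstboot_t, { file dir })` appears to give every file and directory that firstboot creates in /etc the etc_runtime type instead of the default etc type, and nothing in the hunk says which files this is meant for. The `firstboot_rw_t` transition removed earlier in this file covered only the `file` class, so the `dir` class is new here. A comment such as `# firstboot creates run-time state under /etc (list the files)` would record the intent. It is also worth confirming that ordinary configuration written at first boot does not keep the run-time label until the next relabel.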
@@ -122,6 +116,7 @@ optional_policy(`
usermanage_domtrans_groupadd(firstboot_t)
usermanage_domtrans_passwd(firstboot_t)
usermanage_domtrans_useradd(firstboot_t)
+ usermanage_domtrans_admin_passwd(firstboot_t)
')
ifdef(`TODO',`
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 5aa646e..1514fde 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -950,6 +950,7 @@ interface(`corecmd_manage_all_executables',`
allow $1 exec_type:file manage_file_perms;
allow $1 { bin_t sbin_t }:dir rw_dir_perms;
+ allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
')
########################################
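Review bot: The new `lnk_file` rule in `corecmd_manage_all_executables` widens what every caller of the interface may do, while the interface's summary, which lies outside this hunk, presumably still describes only executable files. Creating or replacing symbolic links in `bin_t`/`sbin_t` directories lets a caller change what a command name resolves to, so the `<summary>` text should say that the interface covers symlinks as well. It would also help to list the callers of this interface and confirm that each one is meant to gain this permission.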
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 3952087..13945b9 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.3.13)
+policy_module(corecommands,1.3.14)
########################################
#
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 5e65156..ddc3042 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -886,7 +886,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
- dontaudit $1 tty_device_t:chr_file { read write };
+ dontaudit $1 tty_device_t:chr_file rw_file_perms;
')
########################################
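Review bot: Widening the `dontaudit` in `term_dontaudit_use_unallocated_ttys` from `{ read write }` to `rw_file_perms` silences more denials than the interface name suggests. The permission set is defined outside this page, but it typically also includes getattr, ioctl, lock and append. For every domain that uses the interface, those denials on unallocated ttys will no longer reach the audit log, which makes unexpected tty access harder to notice. Update the interface summary (outside the hunk) and add a one-line comment above the rule stating which extra denial prompted the change.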
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 273d72e..885f01c 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.1.6)
+policy_module(terminal,1.1.7)
########################################
#
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index c9996e2..9e0e150 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -141,7 +141,6 @@ allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 3032a63..d6de082 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -54,6 +54,9 @@ template(`cron_per_userdomain_template',`
domain_entry_file($1_crontab_t,crontab_exec_t)
role $3 types $1_crontab_t;
+ type $1_crontab_tmp_t;
+ files_tmp_file($1_crontab_tmp_t)
+
##############################
#
# $1_crond_t local policy
@@ -175,6 +178,10 @@ template(`cron_per_userdomain_template',`
# $1_crontab_t local policy
#
+ # dac_override is to create the file in the directory under /tmp
+ allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
+ allow $1_crontab_t self:process signal_perms;
+
# Transition from the user domain to the derived domain.
domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
allow $2 $1_crontab_t:fd use;
@@ -193,9 +200,8 @@ template(`cron_per_userdomain_template',`
# Allow crond to read those crontabs in cron spool.
allow crond_t $1_cron_spool_t:file create_file_perms;
- # dac_override is to create the file in the directory under /tmp
- allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_crontab_t self:process signal_perms;
+ allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
# create files in /var/spool/cron
allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
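Review bot: The two added `$1_crontab_tmp_t` lines carry no comment, unlike the rules around them. The only explanation of crontab's use of /tmp is the `dac_override` comment that the previous hunk of this file moves up to the local-policy header. A line such as `# private type for the temporary files crontab creates in /tmp` above the `allow` rule would keep the rationale next to it. The moved comment speaks of a directory under /tmp while the transition covers only the `file` class, so it is worth confirming whether the `dir` class is needed too. The template body starts and ends outside this hunk.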
@@ -250,9 +256,6 @@ template(`cron_per_userdomain_template',`
')
ifdef(`TODO',`
- allow $1_crond_t tmp_t:dir rw_dir_perms;
- type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
-
# Read user crontabs
dontaudit $1_crontab_t $1_home_dir_t:dir write;
') dnl endif TODO
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 05c3cea..803ab2d 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.3.11)
+policy_module(cron,1.3.12)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index de78a50..93d02c7 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus,1.1.5)
+policy_module(cyrus,1.1.6)
########################################
#
@@ -93,6 +93,7 @@ domain_use_interactive_fds(cyrus_t)
files_list_var_lib(cyrus_t)
files_read_etc_files(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
+files_read_usr_files(cyrus_t)
init_use_fds(cyrus_t)
init_use_script_ptys(cyrus_t)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 5f47c5f..a062730 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -38,7 +38,6 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 4c862e6..36ec84e 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -50,7 +50,6 @@ allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
-allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
allow ftpd_t ftpd_etc_t:file r_file_perms;
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 71b1ab9..e2adeef 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.11)
+policy_module(hal,1.3.12)
########################################
#
@@ -28,7 +28,6 @@ allow hald_t self:process signal_perms;
allow hald_t self:fifo_file rw_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow hald_t self:unix_dgram_socket create_socket_perms;
-allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:tcp_socket create_stream_socket_perms;
@@ -78,6 +77,7 @@ dev_setattr_usbfs_files(hald_t)
dev_rw_sysfs(hald_t)
domain_use_interactive_fds(hald_t)
+domain_read_all_domains_state(hald_t)
files_exec_etc_files(hald_t)
files_read_etc_files(hald_t)
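Review bot: `domain_read_all_domains_state(hald_t)` is a broad grant added without a comment; judging by its name, it lets hald read the /proc state of every domain on the system. If hald only needs to inspect a few specific processes, a narrower interface would limit what a compromised hald can learn about other processes. If it really needs all of them, record the reason next to the call, for example `# hald looks up arbitrary processes in /proc (reason: TODO)`.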
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index f5b2c81..fb1482b 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
-policy_module(ldap,1.2.5)
+policy_module(ldap,1.2.6)
########################################
#
@@ -70,9 +70,10 @@ allow slapd_t slapd_tmp_t:dir create_dir_perms;
allow slapd_t slapd_tmp_t:file create_file_perms;
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
-allow slapd_t slapd_var_run_t:file create_file_perms;
+allow slapd_t slapd_var_run_t:file manage_file_perms;
+allow slapd_t slapd_var_run_t:sock_file manage_file_perms;
allow slapd_t slapd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(slapd_t,slapd_var_run_t,file)
+files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
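Review bot: The new `sock_file` rule reuses `manage_file_perms`, a set named for the `file` class, and neither added line says which socket slapd creates under /var/run. If the policy defines a permission set for socket files, use it here; otherwise add a comment such as `# slapd creates its local listener socket in /var/run` (presumably the ldapi socket, to be confirmed) so the intent is clear. The unchanged `dir` rule at `rw_dir_perms` is consistent with creating entries in the directory.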
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 418ba83..a9de827 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.3.6)
+policy_module(networkmanager,1.3.7)
########################################
#
@@ -18,9 +18,11 @@ files_pid_file(NetworkManager_var_run_t)
# Local policy
#
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
dontaudit NetworkManager_t self:capability sys_tty_config;
-allow NetworkManager_t self:process { setcap getsched signal_perms };
+allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
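Review bot: The new two-line comment explains the `ptrace` permission but sits above the `self:capability` rule, two lines away from the `self:process` rule it describes. Move it directly above `allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };` and correct the wording to `an unexpected signal`. Since the comment says ptrace is only exercised by a crash path when gdb is installed, consider whether `dontaudit NetworkManager_t self:process ptrace;` would be enough, so that a network-facing daemon does not hold ptrace over its own domain in normal operation.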
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index d68749a..534d219 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -38,7 +38,6 @@ allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
-allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
allow ntpd_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 59ebed0..2931b2a 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
-policy_module(stunnel,1.1.2)
+policy_module(stunnel,1.1.3)
########################################
#
@@ -38,6 +38,7 @@ allow stunnel_t self:process signal_perms;
allow stunnel_t self:fifo_file rw_file_perms;
allow stunnel_t self:tcp_socket create_stream_socket_perms;
allow stunnel_t self:udp_socket create_socket_perms;
+allow stunnel_t self:netlink_route_socket r_netlink_socket_perms;
allow stunnel_t stunnel_etc_t:dir { getattr read search };
allow stunnel_t stunnel_etc_t:file { read getattr };
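Review bot: This hunk adds a direct `self:netlink_route_socket r_netlink_socket_perms` rule to stunnel_t, while the same commit deletes the equivalent line from apache.te, dbus.te, ftp.te, hal.te and ntp.te. If those modules now obtain the permission through a shared interface, stunnel should probably call that interface too rather than reintroduce the raw rule. If they do not, a short comment on why stunnel needs to read routing information would explain the difference.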
@@ -63,7 +64,7 @@ corenet_udp_sendrecv_all_nodes(stunnel_t)
corenet_tcp_sendrecv_all_ports(stunnel_t)
corenet_udp_sendrecv_all_ports(stunnel_t)
corenet_tcp_bind_all_nodes(stunnel_t)
-#corenet_tcp_bind_stunnel_port(stunnel_t)
+corenet_tcp_connect_all_ports(stunnel_t)
fs_getattr_all_fs(stunnel_t)
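Review bot: `corenet_tcp_connect_all_ports(stunnel_t)` replaces a commented-out bind rule with a much wider grant, allowing stunnel_t to open TCP connections to any port. That fits a generic TLS forwarder, but it also means a compromised stunnel can reach every TCP service the host can reach. Consider putting the call behind a tunable or narrowing it to the port types that are actually tunnelled. At minimum, add a comment such as `# stunnel forwards to backend ports chosen in its configuration`.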
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 1a7e566..1d5d4d2 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -23,6 +23,7 @@
#
/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
/sbin/restorecon -- gen_context(system_u:object_r:restorecon_exec_t,s0)
+/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
#
# /usr
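Review bot: The pattern `/sbin/setfiles.*` is looser than the two entries above it, because `.*` matches any path that merely starts with /sbin/setfiles. A leftover or unrelated file, such as a constructed `/sbin/setfiles-old`, would therefore also be labelled `setfiles_exec_t`. That type is presumably the entry point into the relabelling domain, so the pattern should name the intended variants explicitly, for example `/sbin/setfiles(\.SUFFIX)?` with SUFFIX replaced by the real suffix. The `--` field already restricts the match to regular files.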
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 6808918..02e30cb 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.2.13)
+policy_module(selinuxutil,1.2.14)
ifdef(`strict_policy',`
gen_require(`