[selinux-policy: 1790/3172] trunk: updates from dan on 9 modules
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:39:41 UTC 2010
commit 8d2c34195e66dd4d4a776aed8e3975f03bc61c3f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Aug 22 20:02:41 2007 +0000
trunk: updates from dan on 9 modules
policy/modules/admin/logwatch.te | 18 ++++++++----------
policy/modules/apps/usernetctl.te | 12 +-----------
policy/modules/apps/vmware.fc | 1 +
policy/modules/apps/vmware.te | 4 +++-
policy/modules/services/avahi.te | 3 ++-
policy/modules/system/fstools.if | 18 ++++++++++++++++++
policy/modules/system/fstools.te | 7 ++++++-
policy/modules/system/iptables.te | 8 +++-----
policy/modules/system/miscfiles.fc | 1 +
policy/modules/system/miscfiles.te | 2 +-
10 files changed, 44 insertions(+), 30 deletions(-)
---
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index 4f56927..02db5ae 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch,1.5.1)
+policy_module(logwatch,1.5.2)
#################################
#
@@ -29,7 +29,6 @@ allow logwatch_t self:capability { dac_override dac_read_search setgid };
allow logwatch_t self:process signal;
allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
-allow logwatch_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
@@ -73,6 +72,9 @@ term_dontaudit_list_ptys(logwatch_t)
auth_dontaudit_read_shadow(logwatch_t)
+init_read_utmp(logwatch_t)
+init_dontaudit_write_utmp(logwatch_t)
+
libs_use_ld_so(logwatch_t)
libs_use_shared_libs(logwatch_t)
libs_read_lib_files(logwatch_t)
@@ -96,6 +98,10 @@ optional_policy(`
')
optional_policy(`
+ auth_use_nsswitch(logwatch_t)
+')
+
+optional_policy(`
avahi_dontaudit_search_pid(logwatch_t)
')
@@ -117,14 +123,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(logwatch_t)
-')
-
-optional_policy(`
- nscd_socket_use(logwatch_t)
-')
-
-optional_policy(`
ntp_domtrans(logwatch_t)
')
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index 72aa5af..76e8186 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -1,21 +1,11 @@
-policy_module(usernetctl,1.1.1)
+policy_module(usernetctl,1.1.2)
########################################
#
# Declarations
#
-ifdef(`strict_policy',`
-## <desc>
-## <p>
-## Allow users to control network interfaces
-## (also needs USERCTL=true)
-## </p>
-## </desc>
-gen_tunable(user_net_control,false)
-')
-
type usernetctl_t;
type usernetctl_exec_t;
application_domain(usernetctl_t,usernetctl_exec_t)
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index 8a9f1e3..ea0b7ef 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -25,6 +25,7 @@ HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 5d0b2ac..458b766 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
-policy_module(vmware,1.2.0)
+policy_module(vmware,1.2.1)
########################################
#
@@ -56,6 +56,8 @@ corenet_raw_sendrecv_all_nodes(vmware_host_t)
corenet_tcp_sendrecv_all_ports(vmware_host_t)
corenet_udp_sendrecv_all_ports(vmware_host_t)
corenet_raw_bind_all_nodes(vmware_host_t)
+corenet_tcp_bind_all_nodes(vmware_host_t)
+corenet_udp_bind_all_nodes(vmware_host_t)
corenet_tcp_connect_all_ports(vmware_host_t)
corenet_sendrecv_all_client_packets(vmware_host_t)
corenet_sendrecv_all_server_packets(vmware_host_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index ef97cdc..d03f3ad 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi,1.6.0)
+policy_module(avahi,1.6.1)
########################################
#
@@ -57,6 +57,7 @@ dev_read_urand(avahi_t)
fs_getattr_all_fs(avahi_t)
fs_search_auto_mountpoints(avahi_t)
+fs_list_inotifyfs(avahi_t)
domain_use_interactive_fds(avahi_t)
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 34d07e8..640ce61 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -71,6 +71,24 @@ interface(`fstools_exec',`
########################################
## <summary>
+## Read fstools unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_read_pipes',`
+ gen_require(`
+ type fsdaemon_t;
+ ')
+
+ allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Relabel a file to the type used by the
## filesystem tools programs.
## </summary>
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 4d7854e..6a80c3c 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
-policy_module(fstools,1.7.0)
+policy_module(fstools,1.7.1)
########################################
#
@@ -69,6 +69,7 @@ files_getattr_boot_dirs(fsadm_t)
dev_getattr_all_chr_files(fsadm_t)
dev_dontaudit_getattr_all_blk_files(fsadm_t)
+dev_dontaudit_getattr_generic_files(fsadm_t)
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
@@ -184,3 +185,7 @@ optional_policy(`
fs_dontaudit_write_ramfs_pipes(fsadm_t)
rhgb_stub(fsadm_t)
')
+
+optional_policy(`
+ xen_append_log(fsadm_t)
+')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index c5decd8..d665bd1 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
-policy_module(iptables,1.4.0)
+policy_module(iptables,1.4.1)
########################################
#
@@ -58,6 +58,8 @@ domain_use_interactive_fds(iptables_t)
files_read_etc_files(iptables_t)
files_read_etc_runtime_files(iptables_t)
+auth_use_nsswitch(iptables_t)
+
init_use_fds(iptables_t)
init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
@@ -103,10 +105,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(iptables_t)
-')
-
-optional_policy(`
ppp_dontaudit_use_fds(iptables_t)
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 0c142e4..e17dd1e 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
/var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 6db54ff..b51fec1 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,5 +1,5 @@
-policy_module(miscfiles,1.3.0)
+policy_module(miscfiles,1.3.1)
########################################
#
More information about the scm-commits
mailing list