[selinux-policy: 1790/3172] trunk: updates from dan on 9 modules

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:39:41 UTC 2010


commit 8d2c34195e66dd4d4a776aed8e3975f03bc61c3f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Aug 22 20:02:41 2007 +0000

    trunk: updates from dan on 9 modules

 policy/modules/admin/logwatch.te   |   18 ++++++++----------
 policy/modules/apps/usernetctl.te  |   12 +-----------
 policy/modules/apps/vmware.fc      |    1 +
 policy/modules/apps/vmware.te      |    4 +++-
 policy/modules/services/avahi.te   |    3 ++-
 policy/modules/system/fstools.if   |   18 ++++++++++++++++++
 policy/modules/system/fstools.te   |    7 ++++++-
 policy/modules/system/iptables.te  |    8 +++-----
 policy/modules/system/miscfiles.fc |    1 +
 policy/modules/system/miscfiles.te |    2 +-
 10 files changed, 44 insertions(+), 30 deletions(-)
---
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index 4f56927..02db5ae 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
 
-policy_module(logwatch,1.5.1)
+policy_module(logwatch,1.5.2)
 
 #################################
 #
@@ -29,7 +29,6 @@ allow logwatch_t self:capability { dac_override dac_read_search setgid };
 allow logwatch_t self:process signal;
 allow logwatch_t self:fifo_file rw_file_perms;
 allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
-allow logwatch_t self:netlink_route_socket r_netlink_socket_perms; 
 
 manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
 manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
@@ -73,6 +72,9 @@ term_dontaudit_list_ptys(logwatch_t)
 
 auth_dontaudit_read_shadow(logwatch_t)
 
+init_read_utmp(logwatch_t)
+init_dontaudit_write_utmp(logwatch_t)
+
 libs_use_ld_so(logwatch_t)
 libs_use_shared_libs(logwatch_t)
 libs_read_lib_files(logwatch_t)
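Review bot: `init_dontaudit_write_utmp(logwatch_t)` hides the denial instead of explaining it, and nothing in the hunk says which logwatch helper opens utmp for writing. A dontaudit rule removes the AVC record that would otherwise show an unexpected write attempt, so it deserves a one-line reason above it, for example `# <helper> opens utmp read-write; only read access is needed` with the helper name filled in. The same applies to `dev_dontaudit_getattr_generic_files(fsadm_t)` added in fstools.te.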
@@ -96,6 +98,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	auth_use_nsswitch(logwatch_t)
+')
+
+optional_policy(`
 	avahi_dontaudit_search_pid(logwatch_t)
 ')
 
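Review bot: Replacing the `nis_use_ypbind` and `nscd_socket_use` blocks with `auth_use_nsswitch(logwatch_t)` probably grants more than the two calls it replaces. The interface is defined outside this diff, but in reference policy it generally bundles every name-service backend (DNS and LDAP lookups as well as NIS and nscd), which is presumably why the explicit `netlink_route_socket` rule could be dropped earlier in this file. If logwatch only needs local and nscd lookups, keeping the narrower calls is the least-privilege choice; otherwise note the reason in a comment. The same widening applies to `auth_use_nsswitch(iptables_t)` in iptables.te, where it is called without an `optional_policy` wrapper, so the two call sites should also agree on whether the wrapper is needed.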
@@ -117,14 +123,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_use_ypbind(logwatch_t)
-')
-
-optional_policy(`
-	nscd_socket_use(logwatch_t)
-')
-
-optional_policy(`
 	ntp_domtrans(logwatch_t)
 ')
 
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index 72aa5af..76e8186 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -1,21 +1,11 @@
 
-policy_module(usernetctl,1.1.1)
+policy_module(usernetctl,1.1.2)
 
 ########################################
 #
 # Declarations
 #
 
-ifdef(`strict_policy',`
-## <desc>
-## <p>
-## Allow users to control network interfaces
-## (also needs USERCTL=true)
-## </p>
-## </desc>
-gen_tunable(user_net_control,false)
-')
-
 type usernetctl_t;
 type usernetctl_exec_t;
 application_domain(usernetctl_t,usernetctl_exec_t)
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index 8a9f1e3..ea0b7ef 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -25,6 +25,7 @@ HOME_DIR/\.vmware[^/]*/.*\.cfg	--	gen_context(system_u:object_r:ROLE_vmware_conf
 /usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd\.bin	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-vmx		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-wizard		--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware			--	gen_context(system_u:object_r:vmware_exec_t,s0)
 
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 5d0b2ac..458b766 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
 
-policy_module(vmware,1.2.0)
+policy_module(vmware,1.2.1)
 
 ########################################
 #
@@ -56,6 +56,8 @@ corenet_raw_sendrecv_all_nodes(vmware_host_t)
 corenet_tcp_sendrecv_all_ports(vmware_host_t)
 corenet_udp_sendrecv_all_ports(vmware_host_t)
 corenet_raw_bind_all_nodes(vmware_host_t)
+corenet_tcp_bind_all_nodes(vmware_host_t)
+corenet_udp_bind_all_nodes(vmware_host_t)
 corenet_tcp_connect_all_ports(vmware_host_t)
 corenet_sendrecv_all_client_packets(vmware_host_t)
 corenet_sendrecv_all_server_packets(vmware_host_t)
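Review bot: The added `corenet_tcp_bind_all_nodes(vmware_host_t)` and `corenet_udp_bind_all_nodes(vmware_host_t)` lines carry no comment saying which VMware service listens, and no matching port bind rule is visible in this hunk. Node bind on its own lets the domain bind on any local address, so the ports it may claim are decided by rules elsewhere in the file; a reviewer cannot tell from here whether those are scoped to specific port types. A short comment such as `# vmware host daemons listen for <service>; ports limited by <rule>` would make the intended exposure auditable.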
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index ef97cdc..d03f3ad 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.6.0)
+policy_module(avahi,1.6.1)
 
 ########################################
 #
@@ -57,6 +57,7 @@ dev_read_urand(avahi_t)
 
 fs_getattr_all_fs(avahi_t)
 fs_search_auto_mountpoints(avahi_t)
+fs_list_inotifyfs(avahi_t)
 
 domain_use_interactive_fds(avahi_t)
 
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 34d07e8..640ce61 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -71,6 +71,24 @@ interface(`fstools_exec',`
 
 ########################################
 ## <summary>
+##	Read fstools unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fstools_read_pipes',`
+	gen_require(`
+		type fsdaemon_t;
+	')
+
+	allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
 ##	Relabel a file to the type used by the
 ##	filesystem tools programs.
 ## </summary>
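Review bot: `fstools_read_pipes` requires and grants access to `fsdaemon_t`, but the domain this module works with everywhere else in the commit is `fsadm_t` (see the fstools.te hunks). If `fsdaemon_t` is declared by another module, which the name suggests, then callers get read access to a different daemon's pipes than the interface name and summary promise, and the `gen_require` creates a hidden cross-module dependency. Unless that is intended, the two lines should read `type fsadm_t;` and `allow $1 fsadm_t:fifo_file read_fifo_file_perms;`. The summary block that follows the new interface continues past the end of the hunk.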
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 4d7854e..6a80c3c 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.7.0)
+policy_module(fstools,1.7.1)
 
 ########################################
 #
@@ -69,6 +69,7 @@ files_getattr_boot_dirs(fsadm_t)
 
 dev_getattr_all_chr_files(fsadm_t)
 dev_dontaudit_getattr_all_blk_files(fsadm_t)
+dev_dontaudit_getattr_generic_files(fsadm_t)
 # mkreiserfs and other programs need this for UUID
 dev_read_rand(fsadm_t)
 dev_read_urand(fsadm_t)
@@ -184,3 +185,7 @@ optional_policy(`
 	fs_dontaudit_write_ramfs_pipes(fsadm_t)
 	rhgb_stub(fsadm_t)
 ')
+
+optional_policy(`
+	xen_append_log(fsadm_t)
+')
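Review bot: `xen_append_log(fsadm_t)` gives the filesystem administration domain append access to Xen's logs with no comment explaining the need. If this only covers fsadm tools inheriting a log descriptor from a Xen script, say so in a comment above the block, e.g. `# fs tools started by xen scripts inherit the xen log as stdout/stderr`, after confirming that is the case. Append access to another service's log lets the domain add entries to it, so the justification should be on record.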
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index c5decd8..d665bd1 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
 
-policy_module(iptables,1.4.0)
+policy_module(iptables,1.4.1)
 
 ########################################
 #
@@ -58,6 +58,8 @@ domain_use_interactive_fds(iptables_t)
 files_read_etc_files(iptables_t)
 files_read_etc_runtime_files(iptables_t)
 
+auth_use_nsswitch(iptables_t)
+
 init_use_fds(iptables_t)
 init_use_script_ptys(iptables_t)
 # to allow rules to be saved on reboot:
@@ -103,10 +105,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nscd_socket_use(iptables_t)
-')
-
-optional_policy(`
 	ppp_dontaudit_use_fds(iptables_t)
 ')
 
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 0c142e4..e17dd1e 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
 
 /var/lib/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 
+/var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 /var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
 
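Review bot: Labeling `/var/cache/fontconfig(/.*)?` as `fonts_t` puts a cache that is rewritten at runtime under the same type as the installed font files. Any domain that has to update the cache would then need write access to `fonts_t`, and that access would extend to every font on the system, assuming `fonts_t` also labels the static font directories (not visible in this hunk). A separate type for the cache would keep font data read-only for the domains that only render text.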
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 6db54ff..b51fec1 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,5 +1,5 @@
 
-policy_module(miscfiles,1.3.0)
+policy_module(miscfiles,1.3.1)
 
 ########################################
 #

