[selinux-policy/f13/master] - Allow system_mail_t to append ~/dead.letter - Allow mount to communicate with gfs_controld - Donta
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Oct 13 08:18:38 UTC 2010
commit a4f71b48025a206f304753a9d70ebef01941b719
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Oct 13 10:18:34 2010 +0200
- Allow system_mail_t to append ~/dead.letter
- Allow mount to communicate with gfs_controld
- Dontaudit hal leaks in setfiles
- gpm needs to use the user terminal
policy-F13.patch | 277 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 8 ++-
2 files changed, 193 insertions(+), 92 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 6a63f66..e040fd7 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -403,8 +403,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.7.19/policy/modules/admin/brctl.if
--- nsaserefpolicy/policy/modules/admin/brctl.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/brctl.if 2010-08-04 14:41:54.102084891 +0200
-@@ -17,3 +17,23 @@
++++ serefpolicy-3.7.19/policy/modules/admin/brctl.if 2010-10-13 09:27:42.212650392 +0200
+@@ -17,3 +17,29 @@
domtrans_pattern($1, brctl_exec_t, brctl_t)
')
@@ -415,9 +415,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.i
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
+interface(`brctl_run',`
+ gen_require(`
@@ -6638,7 +6644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.19/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/qemu.if 2010-09-09 13:11:47.340085075 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/qemu.if 2010-10-13 09:36:16.697649887 +0200
@@ -127,12 +127,14 @@
template(`qemu_role',`
gen_require(`
@@ -6654,7 +6660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
')
########################################
-@@ -153,6 +155,24 @@
+@@ -153,13 +155,31 @@
domtrans_pattern($1, qemu_exec_t, qemu_t)
')
@@ -6679,7 +6685,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
########################################
## <summary>
## Execute qemu in the qemu domain.
-@@ -273,6 +293,67 @@
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed to transition.
+ ## </summary>
+ ## </param>
+ ## <param name="role">
+@@ -167,6 +187,7 @@
+ ## The role to allow the qemu domain.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+ interface(`qemu_run',`
+ gen_require(`
+@@ -175,10 +196,6 @@
+
+ qemu_domtrans($1)
+ role $2 types qemu_t;
+-
+- optional_policy(`
+- samba_run_smb(qemu_t, $2, $3)
+- ')
+ ')
+
+ ########################################
+@@ -273,6 +290,67 @@
########################################
## <summary>
@@ -6747,7 +6780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
## Manage qemu temporary dirs.
## </summary>
## <param name="domain">
-@@ -306,3 +387,24 @@
+@@ -306,3 +384,24 @@
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
@@ -18359,7 +18392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.19/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/clogd.if 2010-05-28 09:42:00.079610731 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clogd.if 2010-10-13 09:52:30.479899693 +0200
@@ -0,0 +1,82 @@
+## <summary>clogd - clustered mirror log server</summary>
+
@@ -18433,7 +18466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+#
+interface(`clogd_rw_shm',`
+ gen_require(`
-+ type clogd_t;
++ type clogd_t, clogd_tmpfs_t;
+ ')
+
+ allow $1 clogd_t:shm { rw_shm_perms destroy };
@@ -19991,7 +20024,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.7.19/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cups.if 2010-06-28 18:43:30.174401225 +0200
++++ serefpolicy-3.7.19/policy/modules/services/cups.if 2010-10-13 09:46:06.858649491 +0200
+@@ -6,7 +6,7 @@
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## The type of the process performing this action.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
@@ -314,7 +314,7 @@
interface(`cups_admin',`
gen_require(`
@@ -21220,7 +21262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.19/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.te 2010-06-16 21:56:20.245859614 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.te 2010-10-13 08:36:11.278650255 +0200
@@ -19,6 +19,9 @@
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
@@ -21257,7 +21299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
-@@ -87,6 +93,18 @@
+@@ -87,6 +93,22 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
optional_policy(`
@@ -21273,6 +21315,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
+')
+
+optional_policy(`
++ ppp_read_pid_files(dnsmasq_t)
++')
++
++optional_policy(`
seutil_sigchld_newrole(dnsmasq_t)
')
@@ -22832,6 +22878,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
+ dontaudit $1 gnomeclock_t:dbus send_msg;
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.7.19/policy/modules/services/gpm.te
+--- nsaserefpolicy/policy/modules/services/gpm.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/gpm.te 2010-10-13 08:34:38.732649366 +0200
+@@ -70,6 +70,7 @@
+
+ userdom_dontaudit_use_unpriv_user_fds(gpm_t)
+ userdom_dontaudit_search_user_home_dirs(gpm_t)
++userdom_use_user_terminals(gpm_t)
+
+ optional_policy(`
+ seutil_sigchld_newrole(gpm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.19/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/gpsd.te 2010-05-28 09:42:00.114610776 +0200
@@ -24698,7 +24755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-08-24 13:50:13.396084105 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-10-13 08:30:08.233650680 +0200
@@ -21,8 +21,8 @@
type etc_mail_t;
files_config_file(etc_mail_t)
@@ -24710,11 +24767,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
-@@ -57,15 +57,14 @@
+@@ -57,15 +57,16 @@
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-allow system_mail_t mail_forward_t:file read_file_perms;
++append_files_pattern(system_mail_t, mail_home_t, mail_home_t)
++
+allow system_mail_t mail_home_t:file read_file_perms;
allow system_mail_t mta_exec_type:file entrypoint;
@@ -24729,7 +24788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
-@@ -75,10 +74,15 @@
+@@ -75,10 +76,15 @@
selinux_getattr_fs(system_mail_t)
@@ -24745,7 +24804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -89,6 +93,7 @@
+@@ -89,6 +95,7 @@
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -24753,7 +24812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -100,6 +105,11 @@
+@@ -100,6 +107,11 @@
')
optional_policy(`
@@ -24765,7 +24824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -107,6 +117,9 @@
+@@ -107,6 +119,9 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
@@ -24775,7 +24834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -120,12 +133,8 @@
+@@ -120,12 +135,8 @@
')
optional_policy(`
@@ -24789,7 +24848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -142,6 +151,10 @@
+@@ -142,6 +153,10 @@
')
optional_policy(`
@@ -24800,7 +24859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
nagios_read_tmp_files(system_mail_t)
')
-@@ -154,18 +167,6 @@
+@@ -154,18 +169,6 @@
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -24819,7 +24878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -185,6 +186,10 @@
+@@ -185,6 +188,10 @@
')
optional_policy(`
@@ -24830,7 +24889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -216,7 +221,8 @@
+@@ -216,7 +223,8 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -24840,7 +24899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -245,6 +251,10 @@
+@@ -245,6 +253,10 @@
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -24851,7 +24910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
########################################
#
# User send mail local policy
-@@ -288,3 +298,33 @@
+@@ -288,3 +300,33 @@
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -28927,7 +28986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-09-16 15:22:04.119636970 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-10-13 09:17:37.947649885 +0200
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -29100,21 +29159,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_search_spool($1)
')
-@@ -437,15 +522,34 @@
+@@ -437,11 +522,30 @@
#
interface(`postfix_list_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
- ')
-
-- allow $1 postfix_spool_t:dir list_dir_perms;
++ ')
++
+ allow $1 postfix_spool_type:dir list_dir_perms;
- files_search_spool($1)
- ')
-
- ########################################
- ## <summary>
++ files_search_spool($1)
++')
++
++########################################
++## <summary>
+## Getattr postfix mail spool files.
+## </summary>
+## <param name="domain">
@@ -29126,17 +29184,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+interface(`postfix_getattr_spool_files',`
+ gen_require(`
+ attribute postfix_spool_type;
-+ ')
-+
-+ files_search_spool($1)
+ ')
+
+- allow $1 postfix_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
-+')
-+
-+########################################
-+## <summary>
- ## Read postfix mail spool files.
- ## </summary>
- ## <param name="domain">
+ ')
+
+ ########################################
@@ -456,16 +560,16 @@
#
interface(`postfix_read_spool_files',`
@@ -29171,7 +29226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
-@@ -500,3 +604,158 @@
+@@ -500,3 +604,164 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -29242,6 +29297,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+## Domain allowed access.
+## </summary>
+## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the iptables domain.
++## </summary>
++## </param>
++## <rolecap/>
+#
+interface(`postfix_run_postdrop',`
+ gen_require(`
@@ -29807,8 +29868,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_read_usr_files(postgresql_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.19/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ppp.if 2010-09-16 15:24:30.000387099 +0200
-@@ -360,7 +360,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/ppp.if 2010-10-13 09:40:56.718900943 +0200
+@@ -281,7 +281,7 @@
+ type pppd_var_run_t;
+ ')
+
+- allow $1 pppd_var_run_t:file read_file_perms;
++ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
+ ')
+
+ ########################################
+@@ -348,6 +348,11 @@
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
+ ## <rolecap/>
+ #
+ interface(`ppp_admin',`
+@@ -360,7 +365,7 @@
type pppd_initrc_exec_t;
')
@@ -29817,7 +29899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
ps_process_pattern($1, pppd_t)
ppp_initrc_domtrans($1)
-@@ -386,7 +386,7 @@
+@@ -386,7 +391,7 @@
files_list_pids($1)
admin_pattern($1, pppd_var_run_t)
@@ -31117,7 +31199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.19/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-09-16 17:00:39.817386962 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-10-13 08:11:31.778899963 +0200
@@ -0,0 +1,458 @@
+## <summary>RHCS - Red Hat Cluster Suite</summary>
+
@@ -32246,8 +32328,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.19/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/rpc.if 2010-09-16 15:41:11.666398045 +0200
-@@ -246,6 +246,26 @@
++++ serefpolicy-3.7.19/policy/modules/services/rpc.if 2010-10-13 09:43:18.320901313 +0200
+@@ -246,6 +246,32 @@
allow rpcd_t $1:process signal;
')
@@ -32258,9 +32340,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
+## </summary>
+## <param name="domain">
+## <summary>
-+## The role to be allowed the rpcd domain.
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
+interface(`rpc_run_rpcd',`
+ gen_require(`
@@ -32274,7 +32362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
#######################################
## <summary>
## Execute domain in rpcd domain.
-@@ -414,4 +434,5 @@
+@@ -414,4 +440,5 @@
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
@@ -37990,7 +38078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-09-16 15:42:52.233637126 +0200
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-10-13 08:41:54.579650714 +0200
@@ -41,7 +41,6 @@
## </param>
#
@@ -38024,11 +38112,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
auth_use_pam($1)
init_rw_utmp($1)
-@@ -151,6 +154,40 @@
+@@ -151,6 +154,41 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
+ userdom_set_rlimitnh($1)
++ userdom_stream_connect($1)
+ userdom_read_user_home_content_symlinks($1)
+ userdom_delete_user_tmp_files($1)
+ userdom_search_admin_dir($1)
@@ -38065,7 +38154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
-@@ -365,13 +402,15 @@
+@@ -365,13 +403,15 @@
')
optional_policy(`
@@ -38082,7 +38171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -418,6 +457,7 @@
+@@ -418,6 +458,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -38090,7 +38179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -694,7 +734,7 @@
+@@ -694,7 +735,7 @@
')
files_search_etc($1)
@@ -38099,7 +38188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -1500,6 +1540,8 @@
+@@ -1500,6 +1541,8 @@
#
interface(`auth_use_nsswitch',`
@@ -38108,7 +38197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1573,15 @@
+@@ -1531,7 +1574,15 @@
')
optional_policy(`
@@ -40975,7 +41064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-08-24 15:45:51.837083741 +0200
++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-10-13 08:11:09.866910335 +0200
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -41184,7 +41273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +264,11 @@
+@@ -179,6 +264,15 @@
')
')
@@ -41193,10 +41282,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+ lvm_domtrans(mount_t)
+')
+
++optional_policy(`
++ rhcs_stream_connect_gfs_controld(mount_t)
++')
++
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +276,19 @@
+@@ -186,6 +280,19 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -41216,7 +41309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -194,6 +297,42 @@
+@@ -194,6 +301,42 @@
#
optional_policy(`
@@ -41705,7 +41798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-05-28 09:42:00.514610688 +0200
++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-10-13 09:09:23.135649707 +0200
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -41968,20 +42061,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -499,112 +483,50 @@
+@@ -499,112 +483,54 @@
userdom_read_user_tmp_files(semanage_t)
')
--########################################
+userdom_search_admin_dir(semanage_t)
+
+####################################n####
- #
--# Setfiles local policy
++#
+# setsebool local policy
- #
++#
+seutil_semanage_policy(setsebool_t)
+selinux_set_all_booleans(setsebool_t)
++
++init_dontaudit_use_fds(setsebool_t)
++
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
++
+ ########################################
+ #
+ # Setfiles local policy
+ #
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-dontaudit setfiles_t self:capability sys_tty_config;
@@ -42051,7 +42155,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
++seutil_setfiles(setfiles_t)
++# During boot in Rawhide
++term_use_generic_ptys(setfiles_t)
++
++seutil_setfiles(setfiles_mac_t)
++allow setfiles_mac_t self:capability2 mac_admin;
++kernel_relabelto_unlabeled(setfiles_mac_t)
-ifdef(`distro_debian',`
- # udev tmpfs is populated with static device nodes
@@ -42059,35 +42169,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
- # /dev/console has the tmpfs type
- fs_rw_tmpfs_chr_files(setfiles_t)
-')
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
-
+-
-ifdef(`distro_redhat', `
- fs_rw_tmpfs_chr_files(setfiles_t)
- fs_rw_tmpfs_blk_files(setfiles_t)
- fs_relabel_tmpfs_blk_file(setfiles_t)
- fs_relabel_tmpfs_chr_file(setfiles_t)
--')
-+########################################
-+#
-+# Setfiles local policy
-+#
++optional_policy(`
++ hal_dontaudit_read_pid_files(setfiles_t)
+ ')
-ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(setfiles_t)
- ')
-+seutil_setfiles(setfiles_t)
-+# During boot in Rawhide
-+term_use_generic_ptys(setfiles_t)
-+
-+seutil_setfiles(setfiles_mac_t)
-+allow setfiles_mac_t self:capability2 mac_admin;
-+kernel_relabelto_unlabeled(setfiles_mac_t)
-+
+optional_policy(`
+ files_dontaudit_write_isid_chr_files(setfiles_mac_t)
+ livecd_dontaudit_leaks(setfiles_mac_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0102f2e..7ab531e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 65%{?dist}
+Release: 66%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
%endif
%changelog
+* Wed Oct 13 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-66
+- Allow system_mail_t to append ~/dead.letter
+- Allow mount to communicate with gfs_controld
+- Dontaudit hal leaks in setfiles
+- gpm needs to use the user terminal
+
* Fri Oct 8 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-65
- Allow smbd sys_admin capability
- Allow certmonger to search through directories that contain certs
More information about the scm-commits
mailing list