[selinux-policy/f14/master] - Update to upstream

Daniel J Walsh dwalsh at fedoraproject.org
Wed Oct 13 15:56:50 UTC 2010


commit 0ba469963d4da01c6f7a6934f7f7031e3d08e4ca
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Oct 13 11:56:29 2010 -0400

    - Update to upstream

 policy-F14.patch    |  211 ++++++++++++++++++++++++++++++++-------------------
 selinux-policy.spec |    7 +-
 sources             |    2 +-
 3 files changed, 139 insertions(+), 81 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index c9db2fc..5e583d2 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -344,10 +344,10 @@ index a2e9cb5..cec5c56 100644
  optional_policy(`
  	apache_exec_modules(certwatch_t)
 diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index a768511..c07eff8 100644
+index 66fee7d..6ddebdb 100644
 --- a/policy/modules/admin/consoletype.te
 +++ b/policy/modules/admin/consoletype.te
-@@ -82,10 +82,7 @@ optional_policy(`
+@@ -85,10 +85,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1447,10 +1447,10 @@ index 3863241..5280124 100644
  	xserver_dontaudit_write_log(shutdown_t)
  ')
 diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index a0aa8c5..1b60ad8 100644
+index 8c5fa3c..1a46f56 100644
 --- a/policy/modules/admin/su.if
 +++ b/policy/modules/admin/su.if
-@@ -212,7 +212,7 @@ template(`su_role_template',`
+@@ -210,7 +210,7 @@ template(`su_role_template',`
  
  	auth_domtrans_chk_passwd($1_su_t)
  	auth_dontaudit_read_shadow($1_su_t)
@@ -1459,7 +1459,7 @@ index a0aa8c5..1b60ad8 100644
  	auth_rw_faillog($1_su_t)
  
  	corecmd_search_bin($1_su_t)
-@@ -236,6 +236,7 @@ template(`su_role_template',`
+@@ -234,6 +234,7 @@ template(`su_role_template',`
  
  	userdom_use_user_terminals($1_su_t)
  	userdom_search_user_home_dirs($1_su_t)
@@ -1477,7 +1477,7 @@ index 7bddc02..2b59ed0 100644
 +
 +/var/db/sudo(/.*)?		gen_context(system_u:object_r:sudo_db_t,s0)
 diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 5f44f1b..bb95e79 100644
+index 975af1a..30a7f38 100644
 --- a/policy/modules/admin/sudo.if
 +++ b/policy/modules/admin/sudo.if
 @@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -1505,10 +1505,10 @@ index 5f44f1b..bb95e79 100644
 +	userdom_domtrans_user_home($1_sudo_t, $3)
 +	userdom_domtrans_user_tmp($1_sudo_t, $3)
  	allow $3 $1_sudo_t:fd use;
- 	allow $3 $1_sudo_t:fifo_file rw_file_perms;
+ 	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
  	allow $3 $1_sudo_t:process signal_perms;
-@@ -111,12 +117,15 @@ template(`sudo_role_template',`
- 
+@@ -113,12 +119,15 @@ template(`sudo_role_template',`
+ 	term_getattr_pty_fs($1_sudo_t)
  	term_relabel_all_ttys($1_sudo_t)
  	term_relabel_all_ptys($1_sudo_t)
 +	term_getattr_pty_fs($1_sudo_t)
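Review bot: `term_getattr_pty_fs($1_sudo_t)` ends up in the resulting sudo.if twice: the new upstream context line shows it already present directly before `term_relabel_all_ttys($1_sudo_t)`, yet the F14 patch still inserts its own `+	term_getattr_pty_fs($1_sudo_t)` three lines further down. checkpolicy merges duplicate allow rules, so this compiles, but the F14 line is now dead weight and should be dropped from the patch since upstream carries the rule. The `sudo_role_template` body starts and ends outside this hunk.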
@@ -1523,7 +1523,7 @@ index 5f44f1b..bb95e79 100644
  	init_rw_utmp($1_sudo_t)
  
  	logging_send_audit_msgs($1_sudo_t)
-@@ -133,13 +142,18 @@ template(`sudo_role_template',`
+@@ -135,13 +144,18 @@ template(`sudo_role_template',`
  	userdom_manage_user_tmp_files($1_sudo_t)
  	userdom_manage_user_tmp_symlinks($1_sudo_t)
  	userdom_use_user_terminals($1_sudo_t)
@@ -1544,7 +1544,7 @@ index 5f44f1b..bb95e79 100644
  		fs_manage_nfs_files($1_sudo_t)
  	')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index c368bdc..c927b85 100644
+index 91944a8..d1c11b9 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
 @@ -7,3 +7,7 @@ attribute sudodomain;
@@ -1555,14 +1555,6 @@ index c368bdc..c927b85 100644
 +type sudo_db_t;
 +files_type(sudo_db_t)
 +
-diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc
-index 81077db..8208e86 100644
---- a/policy/modules/admin/tmpreaper.fc
-+++ b/policy/modules/admin/tmpreaper.fc
-@@ -1,2 +1,3 @@
- /usr/sbin/tmpreaper		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
- /usr/sbin/tmpwatch		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
-+/lib/systemd/systemd-tmpfiles	--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
 index 6a5004b..c59c3cd 100644
 --- a/policy/modules/admin/tmpreaper.te
@@ -7636,10 +7628,10 @@ index 3b2da10..7c29e17 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 8b09281..3fb8756 100644
+index 99482ca..8d34173 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
-@@ -318,6 +318,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
+@@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
  
  ########################################
  ## <summary>
@@ -7664,7 +7656,7 @@ index 8b09281..3fb8756 100644
  ##	Read and write generic files in /dev.
  ## </summary>
  ## <param name="domain">
-@@ -498,6 +516,24 @@ interface(`dev_getattr_generic_chr_files',`
+@@ -516,6 +534,24 @@ interface(`dev_getattr_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7689,7 +7681,7 @@ index 8b09281..3fb8756 100644
  ##	Dontaudit getattr for generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -534,6 +570,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+@@ -552,6 +588,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7714,7 +7706,7 @@ index 8b09281..3fb8756 100644
  ##	Read and write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -552,6 +606,24 @@ interface(`dev_rw_generic_chr_files',`
+@@ -570,6 +624,24 @@ interface(`dev_rw_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7739,7 +7731,7 @@ index 8b09281..3fb8756 100644
  ##	Dontaudit attempts to read/write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -661,6 +733,24 @@ interface(`dev_delete_generic_symlinks',`
+@@ -679,6 +751,24 @@ interface(`dev_delete_generic_symlinks',`
  
  ########################################
  ## <summary>
@@ -7764,7 +7756,7 @@ index 8b09281..3fb8756 100644
  ##	Create, delete, read, and write symbolic links in device directories.
  ## </summary>
  ## <param name="domain">
-@@ -1070,6 +1160,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1088,6 +1178,42 @@ interface(`dev_create_all_chr_files',`
  
  ########################################
  ## <summary>
@@ -7807,7 +7799,7 @@ index 8b09281..3fb8756 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1332,6 +1458,24 @@ interface(`dev_getattr_autofs_dev',`
+@@ -1350,6 +1476,24 @@ interface(`dev_getattr_autofs_dev',`
  
  ########################################
  ## <summary>
@@ -7832,7 +7824,7 @@ index 8b09281..3fb8756 100644
  ##	Do not audit attempts to get the attributes of
  ##	the autofs device node.
  ## </summary>
-@@ -3595,6 +3739,24 @@ interface(`dev_manage_smartcard',`
+@@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',`
  
  ########################################
  ## <summary>
@@ -7857,7 +7849,7 @@ index 8b09281..3fb8756 100644
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3737,6 +3899,24 @@ interface(`dev_rw_sysfs',`
+@@ -3755,6 +3917,24 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -7882,7 +7874,7 @@ index 8b09281..3fb8756 100644
  ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
  ## </summary>
  ## <desc>
-@@ -3906,6 +4086,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3924,6 +4104,24 @@ interface(`dev_read_usbmon_dev',`
  
  ########################################
  ## <summary>
@@ -7907,7 +7899,7 @@ index 8b09281..3fb8756 100644
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4216,11 +4414,10 @@ interface(`dev_write_video_dev',`
+@@ -4234,11 +4432,10 @@ interface(`dev_write_video_dev',`
  #
  interface(`dev_rw_vhost',`
  	gen_require(`
@@ -7922,7 +7914,7 @@ index 8b09281..3fb8756 100644
  
  ########################################
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index eb9c360..20c2d34 100644
+index 7047f2f..ef76289 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
 @@ -102,6 +102,7 @@ dev_node(ksm_device_t)
@@ -8291,7 +8283,7 @@ index 3517db2..bd4c23d 100644
 +/nsr(/.*)?						gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..c0b844e 100644
+index 5302dac..c73febc 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8725,10 +8717,28 @@ index 5302dac..c0b844e 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5524,6 +5832,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5524,6 +5832,44 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
++##	Relable all pid directories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	relabel_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
 +##	manage all pidfile directories
 +##	in the /var/run directory.
 +## </summary>
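Review bot: The summary of the new `files_relabel_all_pid_dirs` interface reads `Relable all pid directories`; it should be `Relabel all pid directories`, since these summaries are extracted into the generated interface documentation. The interface is not called by any other hunk in this commit — the init.te hunk calls `files_relabel_all_pid_files` twice — so if the second call there was meant to be the dirs variant, this is the interface it should name. The relabel is confined to types carrying the `pidfile` attribute, which is the right scope; stating that in the summary, e.g. `## Relabel directories between all pidfile types.`, would make the bound explicit to callers.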
@@ -8752,15 +8762,52 @@ index 5302dac..c0b844e 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5541,6 +5869,7 @@ interface(`files_read_all_pids',`
+@@ -5541,6 +5887,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
 +	read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	Relable all pid files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_pid_files',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	relabel_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	manage all pidfiles 
++##	in the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	manage_files_pattern($1,pidfile,pidfile)
  ')
  
  ########################################
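Review bot: `manage_files_pattern($1,pidfile,pidfile)` in the new `files_manage_all_pids` drops the spaces after commas that every neighbouring call in this file uses (`relabel_files_pattern($1, pidfile, pidfile)`); write it as `manage_files_pattern($1, pidfile, pidfile)`. The summary of `files_relabel_all_pid_files` repeats the `Relable` typo, and the `manage all pidfiles ` summary line carries trailing whitespace. Because the interface grants create, write and unlink on every file carrying the `pidfile` attribute wherever it lives, not only under `/var/run` as the summary says, the summary should say so, e.g. `## Create, read, write, and delete all pid files (every type with the pidfile attribute).`, so a caller understands it hands out write access to every daemon's pid file.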
-@@ -5826,3 +6155,247 @@ interface(`files_unconfined',`
+@@ -5826,3 +6210,247 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -18206,7 +18253,7 @@ index e182bf4..f80e725 100644
  	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
  	snmp_stream_connect(cyrus_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 39e901a..74fa3d6 100644
+index 0d5711c..ea74262 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -18328,7 +18375,7 @@ index 39e901a..74fa3d6 100644
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
  ')
-@@ -479,3 +503,22 @@ interface(`dbus_unconfined',`
+@@ -497,3 +521,22 @@ interface(`dbus_unconfined',`
  
  	typeattribute $1 dbusd_unconfined;
  ')
@@ -18352,7 +18399,7 @@ index 39e901a..74fa3d6 100644
 +	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
 +')
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index b354128..d9416fc 100644
+index 9ce6713..ea78dc1 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
 @@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
@@ -38418,7 +38465,7 @@ index 9775375..b338481 100644
  #
  # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 8419a01..5865dba 100644
+index df3fa64..73dc579 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -38669,7 +38716,7 @@ index 8419a01..5865dba 100644
  ')
  
  ########################################
-@@ -1356,6 +1447,27 @@ interface(`init_dbus_send_script',`
+@@ -1374,6 +1465,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -38697,7 +38744,7 @@ index 8419a01..5865dba 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1442,6 +1554,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1460,6 +1572,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -38723,7 +38770,7 @@ index 8419a01..5865dba 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1655,7 +1786,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1673,7 +1804,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -38732,7 +38779,7 @@ index 8419a01..5865dba 100644
  ')
  
  ########################################
-@@ -1730,3 +1861,74 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1748,3 +1879,74 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -38808,7 +38855,7 @@ index 8419a01..5865dba 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 698c11e..63030ba 100644
+index 8a105fd..2b0a437 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -38937,7 +38984,7 @@ index 698c11e..63030ba 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +220,81 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +220,89 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -38994,6 +39041,14 @@ index 698c11e..63030ba 100644
 +	init_read_script_state(init_t)
 +
 +	seutil_read_file_contexts(init_t)
++	
++	# Permissions for systemd-tmpfiles, needs its own policy.
++	files_relabel_all_pid_files(init_t)
++	files_relabel_all_pid_files(init_t)
++	files_manage_all_pids(init_t)
++	files_manage_generic_locks(init_t)
++	files_manage_generic_tmp_dirs(init_t)
++	files_manage_generic_tmp_files(init_t)
 +')
 +
  optional_policy(`
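Review bot: `files_relabel_all_pid_files(init_t)` appears twice in the new systemd-tmpfiles block; the duplicate is harmless to the compiler, but the same commit adds a `files_relabel_all_pid_dirs` interface that nothing calls, so the second line was presumably meant to be `files_relabel_all_pid_dirs(init_t)`. The block's own comment, `needs its own policy`, deserves weight: these lines give PID 1 manage rights over every pidfile-typed file plus generic lock and tmp files and directories, and with the `/lib/systemd/systemd-tmpfiles` → `tmpreaper_exec_t` labeling removed from this patch earlier in the diff, tmpfiles appears to run in `init_t` rather than in a transitioned domain. A dedicated domain reached by a domtrans from init_t would keep these rights off init_t; at minimum the comment should record the intent, e.g. `# TODO: systemd-tmpfiles currently runs in init_t; move these rules to a dedicated tmpfiles domain`. The `+	` line preceding the comment carries trailing whitespace. The enclosing block that the closing `')` terminates opens outside this hunk.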
@@ -39019,7 +39074,7 @@ index 698c11e..63030ba 100644
  ')
  
  optional_policy(`
-@@ -199,10 +302,19 @@ optional_policy(`
+@@ -199,10 +310,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39039,7 +39094,7 @@ index 698c11e..63030ba 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +324,7 @@ optional_policy(`
+@@ -212,7 +332,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -39048,7 +39103,7 @@ index 698c11e..63030ba 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,6 +353,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +361,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -39056,7 +39111,7 @@ index 698c11e..63030ba 100644
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -258,11 +371,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +379,23 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -39080,7 +39135,7 @@ index 698c11e..63030ba 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -291,6 +416,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +424,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -39088,7 +39143,7 @@ index 698c11e..63030ba 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +424,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +432,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -39104,7 +39159,7 @@ index 698c11e..63030ba 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -323,8 +449,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +457,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -39116,7 +39171,7 @@ index 698c11e..63030ba 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +468,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +476,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -39130,7 +39185,7 @@ index 698c11e..63030ba 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +483,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +491,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -39139,7 +39194,7 @@ index 698c11e..63030ba 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +497,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +505,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -39147,7 +39202,7 @@ index 698c11e..63030ba 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -380,6 +515,7 @@ auth_read_pam_pid(initrc_t)
+@@ -380,6 +523,7 @@ auth_read_pam_pid(initrc_t)
  auth_delete_pam_pid(initrc_t)
  auth_delete_pam_console_data(initrc_t)
  auth_use_nsswitch(initrc_t)
@@ -39155,7 +39210,7 @@ index 698c11e..63030ba 100644
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
-@@ -394,13 +530,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +538,14 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -39171,7 +39226,7 @@ index 698c11e..63030ba 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +610,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +618,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -39180,7 +39235,7 @@ index 698c11e..63030ba 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -519,6 +656,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +664,19 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -39200,7 +39255,7 @@ index 698c11e..63030ba 100644
  	')
  
  	optional_policy(`
-@@ -526,10 +676,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +684,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -39218,7 +39273,7 @@ index 698c11e..63030ba 100644
  	')
  
  	optional_policy(`
-@@ -544,6 +701,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +709,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -39254,7 +39309,7 @@ index 698c11e..63030ba 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +742,8 @@ optional_policy(`
+@@ -556,6 +750,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -39263,7 +39318,7 @@ index 698c11e..63030ba 100644
  ')
  
  optional_policy(`
-@@ -572,6 +760,7 @@ optional_policy(`
+@@ -572,6 +768,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -39271,7 +39326,7 @@ index 698c11e..63030ba 100644
  ')
  
  optional_policy(`
-@@ -584,6 +773,11 @@ optional_policy(`
+@@ -584,6 +781,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39283,7 +39338,7 @@ index 698c11e..63030ba 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -600,6 +794,9 @@ optional_policy(`
+@@ -600,6 +802,9 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -39293,7 +39348,7 @@ index 698c11e..63030ba 100644
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -701,7 +898,13 @@ optional_policy(`
+@@ -701,7 +906,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39307,7 +39362,7 @@ index 698c11e..63030ba 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -724,6 +927,10 @@ optional_policy(`
+@@ -724,6 +935,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39318,7 +39373,7 @@ index 698c11e..63030ba 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -745,6 +952,10 @@ optional_policy(`
+@@ -745,6 +960,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39329,7 +39384,7 @@ index 698c11e..63030ba 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -766,8 +977,6 @@ optional_policy(`
+@@ -766,8 +985,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -39338,7 +39393,7 @@ index 698c11e..63030ba 100644
  ')
  
  optional_policy(`
-@@ -776,14 +985,21 @@ optional_policy(`
+@@ -776,14 +993,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39360,7 +39415,7 @@ index 698c11e..63030ba 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1021,19 @@ optional_policy(`
+@@ -805,11 +1029,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39381,7 +39436,7 @@ index 698c11e..63030ba 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1043,25 @@ optional_policy(`
+@@ -819,6 +1051,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -39407,7 +39462,7 @@ index 698c11e..63030ba 100644
  ')
  
  optional_policy(`
-@@ -844,3 +1087,55 @@ optional_policy(`
+@@ -844,3 +1095,55 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -46909,7 +46964,7 @@ index 22ca011..df6b5de 100644
  
  #
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index b785e35..d9b0868 100644
+index effb6c5..cabc009 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -47000,9 +47055,9 @@ index b785e35..d9b0868 100644
  #
  # Use (read and write) terminals
  #
--define(`rw_term_perms', `{ getattr open read write ioctl }')
-+define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
-+define(`rw_term_perms', `{ open rw_inherited_term_perms }')
+-define(`rw_term_perms', `{ getattr open read write append ioctl }')
++define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
++define(`rw_term_perms', `{ rw_inherited_term_perms open }')
  
  #
  # Sockets
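Review bot: The new `rw_inherited_term_perms` / `rw_term_perms` split has no comment explaining the distinction, unlike the `# Use (read and write) terminals` header above it, and the intent — the inherited set deliberately lacks `open` so a domain can use a terminal fd handed to it without being able to open terminals itself — is exactly what a later editor is likely to "fix" by adding `open` back, as the previous F14 version of this hunk did. Suggest a comment above the two defines: `# rw_inherited_term_perms: use an already-open terminal fd; rw_term_perms adds open for domains allowed to open the terminal themselves.` Since callers of `rw_inherited_term_perms` previously received `open` implicitly under the F14 patch, any domain that depended on that will now surface as an `open` denial on the tty/pty classes after this update; worth a pass over the audit log before shipping.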
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dffc0de..0a118da 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,8 +20,8 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.9.6
-Release: 3%{?dist}
+Version: 3.9.7
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Oct 13 2010 Dan Walsh <dwalsh at redhat.com> 3.9.7-1
+- Update to upstream
+
 * Tue Oct 12 2010 Dan Walsh <dwalsh at redhat.com> 3.9.6-3
 -Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
 - dovecot-auth_t needs ipc_lock
diff --git a/sources b/sources
index d834e79..6d66d22 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-21e517616738920ab9db791eec691b00  serefpolicy-3.9.6.tgz
+04730b4c56ff60274b246bcf4576355c  serefpolicy-3.9.7.tgz

