[selinux-policy/f12/master] - Allow logwatch to use zz-disk_space logwatch script - Allow radius setrlimit

Miroslav Grepl mgrepl at fedoraproject.org
Tue Oct 26 12:20:32 UTC 2010


commit be062150238db22b883b9e2491d8dc8665723a66
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Oct 26 14:20:16 2010 +0200

    - Allow logwatch to use zz-disk_space logwatch script
    - Allow radius setrlimit

 policy-20100106.patch |   19 +++++++++++++++++--
 selinux-policy.spec   |    6 +++++-
 2 files changed, 22 insertions(+), 3 deletions(-)
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index 6ad11b0..4369cea 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -704,7 +704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/run/epylog\.pid  gen_context(system_u:object_r:logwatch_var_run_t,s0)    
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.32/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2010-01-18 18:24:22.550542523 +0100
-+++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te	2010-06-23 09:48:20.982863188 +0200
++++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te	2010-10-26 13:37:29.640651252 +0200
 @@ -20,6 +20,9 @@
  type logwatch_tmp_t;
  files_tmp_file(logwatch_tmp_t)
@@ -725,7 +725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_read_fs_sysctls(logwatch_t)
  kernel_read_kernel_sysctls(logwatch_t)
  kernel_read_system_state(logwatch_t)
-@@ -103,6 +109,11 @@
+@@ -103,8 +109,14 @@
  
  mta_send_mail(logwatch_t)
  
@@ -736,7 +736,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + 
  ifdef(`distro_redhat',`
  	files_search_all(logwatch_t)
++	files_getattr_all_files(logwatch_t)
  	files_getattr_all_file_type_fs(logwatch_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.6.32/policy/modules/admin/mcelog.fc
 --- nsaserefpolicy/policy/modules/admin/mcelog.fc	1970-01-01 01:00:00.000000000 +0100
 +++ serefpolicy-3.6.32/policy/modules/admin/mcelog.fc	2010-02-03 17:54:52.841394806 +0100
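Review bot: The added `files_getattr_all_files(logwatch_t)` inside the `distro_redhat` block lets logwatch stat files of every type, and nothing in the policy records why a disk-space report needs that breadth. It exposes metadata only (size, ownership, timestamps, label), not contents, but `logwatch_t` also has `mta_send_mail` a few lines up, so that metadata can now leave the host in a report. I would put a comment directly above the rule, for example `# zz-disk_space logwatch script stats files system-wide; getattr only (see <bug/AVC reference>)`, so a later audit can tell the grant is deliberate. If the denials that prompted this involve only a few file types, a narrower interface would be preferable to the all-files form; the commit message does not say which it was.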
@@ -13473,6 +13476,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +miscfiles_read_localization(qpidd_t)
 +
 +sysnet_dns_name_resolve(qpidd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.6.32/policy/modules/services/radius.te
+--- nsaserefpolicy/policy/modules/services/radius.te	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/radius.te	2010-10-26 13:42:30.532650859 +0200
+@@ -37,7 +37,7 @@
+ # gzip also needs chown access to preserve GID for radwtmp files
+ allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+ dontaudit radiusd_t self:capability sys_tty_config;
+-allow radiusd_t self:process { getsched setsched sigkill signal };
++allow radiusd_t self:process { getsched setsched setrlimit sigkill signal };
+ allow radiusd_t self:fifo_file rw_fifo_file_perms;
+ allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
+ allow radiusd_t self:tcp_socket create_stream_socket_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if
 --- nsaserefpolicy/policy/modules/services/rgmanager.if	2010-01-18 18:24:22.870539995 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if	2010-02-23 19:35:04.211525807 +0100
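Review bot: Adding `setrlimit` to `radiusd_t self:process` is worth a comment because the capability rule two lines above already grants `sys_resource`; together they should let the daemon raise its own hard limits, not just lower them. The commit message gives only "Allow radius setrlimit", with no indication of which limit radiusd adjusts or which denial was seen. A comment above the rule, such as `# radiusd adjusts its own rlimits at startup (see <bug/AVC reference>)`, would match the existing gzip/chown comment and make the grant auditable.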
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cecf514..8797b74 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 123%{?dist}
+Release: 124%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
 %endif
 
 %changelog
+* Tue Oct 26 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-124
+- Allow logwatch to use zz-disk_space logwatch script
+- Allow radius setrlimit
+
 * Fri Oct 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-123
 - Add label for '/usr/share/sampler/tray/tray'
 - Fixes for abrt policy

