[selinux-policy/f13/master] - Fixes for jabberd policy - Fixes for sandbox policy
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Sep 1 14:34:19 UTC 2010
commit 5e25d306ca2e2c7dafa1770c00834c0817b2d976
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Sep 1 16:34:12 2010 +0200
- Fixes for jabberd policy
- Fixes for sandbox policy
policy-F13.patch | 513 +++++++++++++++++++++++++++++++++++++++++++++------
selinux-policy.spec | 6 +-
2 files changed, 462 insertions(+), 57 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 180b020..34dd0cc 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -48,6 +48,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs
+--- nsaserefpolicy/policy/mcs 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/mcs 2010-09-01 12:09:30.921083663 +0200
+@@ -86,10 +86,10 @@
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+ # new file labels must be dominated by the relabeling subject clearance
+-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
++mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom }
+ ( h1 dom h2 );
+
+-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
++mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+ mlsconstrain process { transition dyntransition }
+@@ -98,7 +98,7 @@
+ mlsconstrain process { ptrace }
+ (( h1 dom h2) or ( t1 == mcsptraceall ));
+
+-mlsconstrain process { sigkill sigstop }
++mlsconstrain process { signal sigkill sigstop }
+ (( h1 dom h2 ) or ( t1 == mcskillall ));
+
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls
--- nsaserefpolicy/policy/mls 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/mls 2010-05-28 09:41:59.943612109 +0200
@@ -452,7 +477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.19/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/firstboot.te 2010-05-28 09:41:59.950610882 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/firstboot.te 2010-09-01 16:15:20.344336196 +0200
@@ -77,6 +77,7 @@
miscfiles_read_localization(firstboot_t)
@@ -461,7 +486,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
modutils_read_module_config(firstboot_t)
modutils_read_module_deps(firstboot_t)
-@@ -121,6 +122,12 @@
+@@ -99,6 +100,10 @@
+ ')
+
+ optional_policy(`
++ iptables_domtrans(firstboot_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(firstboot_t)
+ ')
+
+@@ -121,6 +126,12 @@
')
optional_policy(`
@@ -6587,8 +6623,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-08-25 16:02:58.406085258 +0200
-@@ -0,0 +1,315 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-09-01 12:14:39.094335217 +0200
+@@ -0,0 +1,335 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -6640,6 +6676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
++ dontaudit sandbox_x_domain $1:process signal;
+
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
@@ -6676,7 +6713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ ')
+
+ type $1_t, sandbox_domain, sandbox_x_type;
-+ domain_type($1_t)
++ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
+
@@ -6711,7 +6748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ ')
+
+ type $1_t, sandbox_x_domain;
-+ domain_type($1_t)
++ application_type($1_t)
+
+ type $1_file_t, sandbox_file_type;
+ files_type($1_file_t)
@@ -6733,7 +6770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ allow $1_t self:capability setuid;
+
+ type $1_client_t, sandbox_x_domain;
-+ domain_type($1_client_t)
++ application_type($1_client_t)
+
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
@@ -6795,7 +6832,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
+
-+########################################
++#######################################
++## <summary>
++## allow domain to read
++## sandbox tmpfs files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`sandbox_read_tmpfs_files',`
++ gen_require(`
++ attribute sandbox_tmpfs_type;
++ ')
++
++ allow $1 sandbox_tmpfs_type:file read_file_perms;
++')
++
++#########################################
+## <summary>
+## allow domain to manage
+## sandbox tmpfs files
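Review bot: The separator above the new `sandbox_read_tmpfs_files` interface is shortened to 39 `#` characters and the one above the following manage interface lengthened to 41, whereas the surrounding file uses a 40-character rule; keep `########################################` on both lines so the headers line up. The interface body itself (gen_require of `sandbox_tmpfs_type`, then `read_file_perms`) mirrors the manage interface that follows it and looks correct.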
@@ -6906,7 +6962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-08-25 16:17:36.953085328 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-09-01 12:20:15.387083633 +0200
@@ -0,0 +1,402 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
@@ -6955,6 +7011,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
++kernel_dontaudit_request_load_module(sandbox_xserver_t)
++
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
+
@@ -6973,7 +7031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+dev_rwx_zero(sandbox_xserver_t)
+
-+files_read_etc_files(sandbox_xserver_t)
++files_read_config_files(sandbox_xserver_t)
+files_read_usr_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
@@ -7032,7 +7090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
+files_entrypoint_all_files(sandbox_domain)
+
-+files_read_etc_files(sandbox_domain)
++files_read_config_files(sandbox_domain)
+files_read_usr_files(sandbox_domain)
+files_read_var_files(sandbox_domain)
+files_dontaudit_search_all_dirs(sandbox_domain)
@@ -7080,7 +7138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+dev_read_sysfs(sandbox_x_domain)
+
+files_entrypoint_all_files(sandbox_x_domain)
-+files_read_etc_files(sandbox_x_domain)
++files_read_config_files(sandbox_x_domain)
+files_read_usr_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
@@ -7146,7 +7204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+#
+# sandbox_x_client_t local policy
+#
-+allow sandbox_x_client_t self:tcp_socket create_socket_perms;
++allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
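Review bot: `allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;` widens the previous `create_socket_perms` grant to include `listen` and `accept`, so a sandboxed X client may now accept inbound TCP connections rather than only initiate them; the same widening is applied to `sandbox_web_type` in the next hunk. If only outbound connects are intended the earlier set was sufficient, and if a listening socket is genuinely required a comment naming the consumer, e.g. `# listen/accept needed by <consumer>`, would keep the wider grant from being trimmed later. The `corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)` line that remains further down suggests binds to generic ports are still denied silently, which would limit the practical exposure, but that is inferred rather than visible in this hunk.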
@@ -7180,7 +7238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+allow sandbox_web_type self:process setsched;
+dontaudit sandbox_web_type self:process setrlimit;
+
-+allow sandbox_web_type self:tcp_socket create_socket_perms;
++allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
+allow sandbox_web_type self:udp_socket create_socket_perms;
+allow sandbox_web_type self:dbus { acquire_svc send_msg };
+allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
@@ -7201,10 +7259,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+corenet_raw_sendrecv_all_nodes(sandbox_web_type)
+corenet_tcp_sendrecv_http_port(sandbox_web_type)
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
++corenet_tcp_sendrecv_squid_port(sandbox_web_type)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
+corenet_tcp_connect_http_port(sandbox_web_type)
+corenet_tcp_connect_http_cache_port(sandbox_web_type)
++corenet_tcp_connect_squid_port(sandbox_web_type)
+corenet_tcp_connect_flash_port(sandbox_web_type)
+corenet_tcp_connect_ftp_port(sandbox_web_type)
+corenet_tcp_connect_ipp_port(sandbox_web_type)
@@ -7216,12 +7276,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+corenet_tcp_connect_speech_port(sandbox_web_type)
+corenet_sendrecv_http_client_packets(sandbox_web_type)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
++corenet_sendrecv_squid_client_packets(sandbox_web_type)
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
-+corenet_tcp_sendrecv_squid_port(sandbox_web_type)
-+corenet_sendrecv_squid_client_packets(sandbox_web_type)
-+corenet_tcp_connect_squid_port(sandbox_web_type)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
@@ -7233,7 +7291,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+fs_rw_anon_inodefs_files(sandbox_web_type)
+fs_dontaudit_getattr_all_fs(sandbox_web_type)
+
-+storage_dontaudit_rw_fuse(sandbox_web_type)
+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
+
+auth_use_nsswitch(sandbox_web_type)
@@ -7265,8 +7322,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+optional_policy(`
+ nsplugin_read_rw_files(sandbox_web_type)
-+ nsplugin_manage_rw(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
++ nsplugin_manage_rw(sandbox_web_type)
+')
+
+optional_policy(`
@@ -7284,7 +7341,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+optional_policy(`
+ udev_read_state(sandbox_web_type)
-+ udev_read_db(sandbox_web_type)
+')
+
+########################################
@@ -8543,7 +8599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-08-05 11:50:26.359085282 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-09-01 11:58:19.510084657 +0200
@@ -25,6 +25,7 @@
#
type tun_tap_device_t;
@@ -8612,9 +8668,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
-@@ -125,39 +133,53 @@
+@@ -124,40 +132,55 @@
+ network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
++network_port(jabber_router, tcp,5347,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
+network_port(kerberos_admin, tcp,749,s0)
@@ -8668,7 +8726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -177,18 +199,22 @@
+@@ -177,18 +200,22 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -8692,7 +8750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -201,23 +227,23 @@
+@@ -201,23 +228,23 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -14966,7 +15024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-08-24 14:39:54.754083905 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-09-01 12:22:03.915084400 +0200
@@ -19,11 +19,13 @@
# Declarations
#
@@ -15277,19 +15335,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -500,8 +621,11 @@
+@@ -500,8 +621,13 @@
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_user_terminals(httpd_t)
+ userdom_use_user_terminals(httpd_suexec_t)
++ userdom_use_user_terminals(httpd_user_script_t)
+
',`
userdom_dontaudit_use_user_terminals(httpd_t)
+ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
++ userdom_dontaudit_use_user_terminals(httpd_user_script_t)
')
optional_policy(`
-@@ -514,6 +638,9 @@
+@@ -514,6 +640,9 @@
optional_policy(`
cobbler_search_lib(httpd_t)
@@ -15299,7 +15359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -528,7 +655,7 @@
+@@ -528,7 +657,7 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -15308,7 +15368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +664,12 @@
+@@ -537,8 +666,12 @@
')
optional_policy(`
@@ -15322,7 +15382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -557,6 +688,7 @@
+@@ -557,6 +690,7 @@
optional_policy(`
# Allow httpd to work with mysql
@@ -15330,7 +15390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +699,7 @@
+@@ -567,6 +701,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -15338,7 +15398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,12 +710,23 @@
+@@ -577,12 +712,23 @@
')
optional_policy(`
@@ -15362,7 +15422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -591,6 +735,11 @@
+@@ -591,6 +737,11 @@
')
optional_policy(`
@@ -15374,7 +15434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -618,6 +767,10 @@
+@@ -618,6 +769,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -15385,7 +15445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -699,17 +852,18 @@
+@@ -699,17 +854,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -15407,7 +15467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +894,21 @@
+@@ -740,10 +896,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -15430,7 +15490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +934,12 @@
+@@ -769,6 +936,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -15443,7 +15503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +963,13 @@
+@@ -792,9 +965,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -15457,7 +15517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +978,28 @@
+@@ -803,6 +980,28 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -15486,7 +15546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1027,16 @@
+@@ -830,6 +1029,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -15503,7 +15563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1049,7 @@
+@@ -842,6 +1051,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -15511,7 +15571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1099,33 @@
+@@ -891,11 +1101,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -21845,7 +21905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.19/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-06-09 13:12:04.850507212 +0200
++++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-09-01 12:01:45.692083773 +0200
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -21932,7 +21992,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
gpm_dontaudit_getattr_gpmctl(hald_t)
')
-@@ -295,6 +309,7 @@
+@@ -282,6 +296,10 @@
+ ')
+
+ optional_policy(`
++ netutils_domtrans(hald_t)
++')
++
++optional_policy(`
+ ntp_domtrans(hald_t)
+ ')
+
+@@ -295,6 +313,7 @@
')
optional_policy(`
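Review bot: `netutils_domtrans(hald_t)` is added without a comment saying which hal addon or helper needs to run in the netutils domain, and the existing neighbouring blocks (`ntp_domtrans`, `ppp_read_rw_config`) are equally terse. Since netutils_t appears to be the domain for raw-socket network tools, a one-line why-comment such as `# hal addon invokes <tool> via netutils_t` (with the actual caller filled in) would justify the transition for the next reviewer.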
@@ -21940,7 +22011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
ppp_read_rw_config(hald_t)
')
-@@ -315,11 +330,19 @@
+@@ -315,11 +334,19 @@
')
optional_policy(`
@@ -21960,7 +22031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
updfstab_domtrans(hald_t)
')
-@@ -331,6 +354,10 @@
+@@ -331,6 +358,10 @@
virt_manage_images(hald_t)
')
@@ -21971,7 +22042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Hal acl local policy
-@@ -351,6 +378,7 @@
+@@ -351,6 +382,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -21979,7 +22050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
corecmd_exec_bin(hald_acl_t)
-@@ -463,6 +491,10 @@
+@@ -463,6 +495,10 @@
miscfiles_read_localization(hald_keymap_t)
@@ -22025,6 +22096,293 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.
mta_send_mail(innd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.fc serefpolicy-3.7.19/policy/modules/services/jabber.fc
+--- nsaserefpolicy/policy/modules/services/jabber.fc 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/jabber.fc 2010-09-01 11:58:19.516083496 +0200
+@@ -2,5 +2,14 @@
+
+ /usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+
++# for new version of jabberd
++/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
++/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
++/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
++/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
++
++/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
++
++
+ /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+ /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.7.19/policy/modules/services/jabber.if
+--- nsaserefpolicy/policy/modules/services/jabber.if 2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/jabber.if 2010-09-01 11:58:19.536083725 +0200
+@@ -1,17 +1,96 @@
+ ## <summary>Jabber instant messaging server</summary>
+
+-########################################
++#######################################
+ ## <summary>
+-## Connect to jabber over a TCP socket (Deprecated)
++## Execute a domain transition to run jabberd services
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`jabber_domtrans_jabberd',`
++ gen_require(`
++ type jabberd_t, jabberd_exec_t;
++ ')
++
++ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
++')
++
++######################################
++## <summary>
++## Execute a domain transition to run jabberd router service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`jabber_domtrans_jabberd_router',`
++ gen_require(`
++ type jabberd_router_t, jabberd_router_exec_t;
++ ')
++
++ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
++')
++
++#######################################
++## <summary>
++## Read jabberd lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
+ #
+-interface(`jabber_tcp_connect',`
+- refpolicywarn(`$0($*) has been deprecated.')
++interface(`jabberd_read_lib_files',`
++ gen_require(`
++ type jabberd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
++')
++
++#######################################
++## <summary>
++## Dontaudit inherited read jabberd lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`jabberd_dontaudit_read_lib_files',`
++ gen_require(`
++ type jabberd_var_lib_t;
++ ')
++
++ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
++')
++
++#######################################
++## <summary>
++## Create, read, write, and delete
++## jabberd lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`jabberd_manage_lib_files',`
++ gen_require(`
++ type jabberd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+ ')
+
+ ########################################
+@@ -35,11 +114,15 @@
+ gen_require(`
+ type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
+ type jabberd_var_run_t, jabberd_initrc_exec_t;
++ type jabberd_router_t;
+ ')
+
+ allow $1 jabberd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, jabberd_t)
+
++ allow $1 jabberd_router_t:process { ptrace signal_perms };
++ ps_process_pattern($1, jabberd_router_t)
++
+ init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 jabberd_initrc_exec_t system_r;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.te serefpolicy-3.7.19/policy/modules/services/jabber.te
+--- nsaserefpolicy/policy/modules/services/jabber.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/jabber.te 2010-09-01 11:58:19.543083755 +0200
+@@ -6,13 +6,19 @@
+ # Declarations
+ #
+
+-type jabberd_t;
++attribute jabberd_domain;
++
++type jabberd_t, jabberd_domain;
+ type jabberd_exec_t;
+ init_daemon_domain(jabberd_t, jabberd_exec_t)
+
+ type jabberd_initrc_exec_t;
+ init_script_file(jabberd_initrc_exec_t)
+
++type jabberd_router_t, jabberd_domain;
++type jabberd_router_exec_t;
++init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
++
+ type jabberd_log_t;
+ logging_log_file(jabberd_log_t)
+
+@@ -22,40 +28,78 @@
+ type jabberd_var_run_t;
+ files_pid_file(jabberd_var_run_t)
+
+-########################################
++permissive jabberd_router_t;
++permissive jabberd_t;
++
++#######################################
+ #
+-# Local policy
++# Local policy for jabberd domains
+ #
+
+-allow jabberd_t self:capability dac_override;
+-dontaudit jabberd_t self:capability sys_tty_config;
+-allow jabberd_t self:process signal_perms;
+-allow jabberd_t self:fifo_file read_fifo_file_perms;
+-allow jabberd_t self:tcp_socket create_stream_socket_perms;
+-allow jabberd_t self:udp_socket create_socket_perms;
++allow jabberd_domain self:process signal_perms;
++allow jabberd_domain self:fifo_file read_fifo_file_perms;
++allow jabberd_domain self:tcp_socket create_stream_socket_perms;
++allow jabberd_domain self:udp_socket create_socket_perms;
++
++manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
++manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
++
++# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd
++manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t)
++logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir })
+
+-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
++manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t)
++files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file)
+
+-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
++corenet_all_recvfrom_unlabeled(jabberd_domain)
++corenet_all_recvfrom_netlabel(jabberd_domain)
++corenet_tcp_sendrecv_generic_if(jabberd_domain)
++corenet_udp_sendrecv_generic_if(jabberd_domain)
++corenet_tcp_sendrecv_generic_node(jabberd_domain)
++corenet_udp_sendrecv_generic_node(jabberd_domain)
++corenet_tcp_sendrecv_all_ports(jabberd_domain)
++corenet_udp_sendrecv_all_ports(jabberd_domain)
++corenet_tcp_bind_generic_node(jabberd_domain)
++
++dev_read_urand(jabberd_domain)
++dev_read_urand(jabberd_domain)
++
++files_read_etc_files(jabberd_domain)
++files_read_etc_runtime_files(jabberd_domain)
++
++logging_send_syslog_msg(jabberd_domain)
++
++miscfiles_read_localization(jabberd_domain)
++
++sysnet_read_config(jabberd_domain)
++
++######################################
++#
++# Local policy for jabberd-router
++#
+
+-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
++allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
++
++corenet_tcp_bind_jabber_router_port(jabberd_router_t)
++corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
++
++optional_policy(`
++ kerberos_use(jabberd_router_t)
++')
++
++########################################
++#
++# Local policy for jabberd
++#
++
++allow jabberd_t self:capability dac_override;
++dontaudit jabberd_t self:capability sys_tty_config;
+
+ kernel_read_kernel_sysctls(jabberd_t)
+-kernel_list_proc(jabberd_t)
+ kernel_read_proc_symlinks(jabberd_t)
++kernel_read_system_state(jabberd_t)
+
+-corenet_all_recvfrom_unlabeled(jabberd_t)
+-corenet_all_recvfrom_netlabel(jabberd_t)
+-corenet_tcp_sendrecv_generic_if(jabberd_t)
+-corenet_udp_sendrecv_generic_if(jabberd_t)
+-corenet_tcp_sendrecv_generic_node(jabberd_t)
+-corenet_udp_sendrecv_generic_node(jabberd_t)
+-corenet_tcp_sendrecv_all_ports(jabberd_t)
+-corenet_udp_sendrecv_all_ports(jabberd_t)
+-corenet_tcp_bind_generic_node(jabberd_t)
++corenet_tcp_connect_jabber_router_port(jabberd_t)
+ corenet_tcp_bind_jabber_client_port(jabberd_t)
+ corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+ corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+@@ -67,18 +111,9 @@
+
+ domain_use_interactive_fds(jabberd_t)
+
+-files_read_etc_files(jabberd_t)
+-files_read_etc_runtime_files(jabberd_t)
+-
+ fs_getattr_all_fs(jabberd_t)
+ fs_search_auto_mountpoints(jabberd_t)
+
+-logging_send_syslog_msg(jabberd_t)
+-
+-miscfiles_read_localization(jabberd_t)
+-
+-sysnet_read_config(jabberd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+ userdom_dontaudit_search_user_home_dirs(jabberd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.7.19/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/kerberos.fc 2010-07-23 13:43:56.367388499 +0200
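Review bot: `permissive jabberd_router_t;` and `permissive jabberd_t;` in jabber.te put both daemon domains into permissive mode, so every denial for them is audited but never enforced; if this is a bring-up aid it deserves a marker such as `# TODO: remove permissive once the jabberd_domain rules are complete` so it is not shipped indefinitely. `dev_read_urand(jabberd_domain)` appears twice in a row in the same block and one copy should be dropped. In jabber.fc the bare paths `/usr/bin/router`, `/usr/bin/sm`, `/usr/bin/c2s` and `/usr/bin/s2s` are generic enough to match unrelated binaries on a host without jabberd, so the `# for new version of jabberd` comment could state which package installs them there. The new interfaces `jabberd_read_lib_files`, `jabberd_dontaudit_read_lib_files` and `jabberd_manage_lib_files` use a `jabberd_` prefix while the module's other interfaces use `jabber_`, and the deprecated `jabber_tcp_connect` stub is removed outright rather than kept as a `refpolicywarn` shim, which would break any policy module still calling it.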
@@ -28467,6 +28825,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.7.19/policy/modules/services/qmail.te
+--- nsaserefpolicy/policy/modules/services/qmail.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/qmail.te 2010-09-01 12:03:11.253344636 +0200
+@@ -125,6 +125,10 @@
+ spamassassin_domtrans_client(qmail_local_t)
+ ')
+
++optional_policy(`
++ uucp_domtrans(qmail_local_t)
++')
++
+ ########################################
+ #
+ # qmail-lspawn local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.7.19/policy/modules/services/qpidd.fc
--- nsaserefpolicy/policy/modules/services/qpidd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.7.19/policy/modules/services/qpidd.fc 2010-05-28 09:42:00.163610797 +0200
@@ -29330,7 +29702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.19/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-07-09 10:11:12.956385549 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-09-01 11:22:33.060333720 +0200
@@ -0,0 +1,439 @@
+## <summary>RHCS - Red Hat Cluster Suite</summary>
+
@@ -29708,7 +30080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+#
+interface(`rhcs_rw_cluster_semaphores',`
+ gen_require(`
-+ type cluster_domain;
++ attribute cluster_domain;
+ ')
+
+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
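Review bot: The `allow $1 cluster_domain:sem { rw_sem_perms destroy };` rule grants `destroy` on the semaphores of every domain carrying the cluster_domain attribute, which goes beyond what the interface name `rhcs_rw_cluster_semaphores` suggests; either drop `destroy` or state it in the interface's `<summary>`, which begins outside this hunk. If other interfaces in rhcs.if require `cluster_domain` with `type` rather than `attribute` they presumably need the same correction as this hunk makes; only this one is visible here.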
@@ -33082,6 +33454,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
-/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.7.19/policy/modules/services/uucp.if
+--- nsaserefpolicy/policy/modules/services/uucp.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/uucp.if 2010-09-01 12:03:39.662084414 +0200
+@@ -1,5 +1,24 @@
+ ## <summary>Unix to Unix Copy</summary>
+
++#######################################
++## <summary>
++## Execute the uucico program in the
++## uucpd_t domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`uucp_domtrans',`
++ gen_require(`
++ type uucpd_t, uucpd_exec_t;
++ ')
++
++ domtrans_pattern($1, uucpd_exec_t, uucpd_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Allow the specified domain to append
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.19/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/uucp.te 2010-08-04 15:04:00.352085562 +0200
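Review bot: The new interface's `<summary>` says it executes "the uucico program", but the body only transitions on files labeled uucpd_exec_t, and which binaries carry that label is decided by uucp.fc, not visible here; the conventional wording `## Execute a domain transition to run uucpd_t.` states exactly what the rule grants. The `#` separator line opening the new block appears one character shorter than the existing separator directly below the added interface; match the existing width. The interface grants execute on uucpd_exec_t plus the transition and nothing else (no role assignment), which fits the daemon-to-daemon caller this commit adds in qmail.te.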
@@ -37145,13 +37545,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
dev_read_sysfs(kdump_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-08-30 10:11:52.522085110 +0200
-@@ -127,17 +127,21 @@
++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-09-01 11:39:53.971335059 +0200
+@@ -127,17 +127,22 @@
/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/plugins/mmx/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vlc/plugins/codec//mmx/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/plugins/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
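Review bot: The added entry `/usr/lib/vlc/plugins/codec//mmx/libi420_rgb_mmx_plugin\.so` contains a doubled slash (`codec//mmx`); the paths setfiles/restorecon match file-context regexes against are normalized and never contain consecutive slashes, so this line can never match and the plugin would keep the label of its directory instead of textrel_shlib_t. It should read `/usr/lib/vlc/plugins/codec/mmx/libi420_rgb_mmx_plugin\.so`; using `/usr/lib(64)?/vlc/...` like the neighbouring librealvideo entry would also cover 64-bit installs if the plugin ships there — confirm. The hunk-count change in the rewritten `@@ -127,17 +127,22 @@` header is consistent with the one added line.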
@@ -37172,7 +37573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,6 +155,7 @@
+@@ -151,6 +156,7 @@
/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -37180,7 +37581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +213,7 @@
+@@ -208,6 +214,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -37188,7 +37589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -302,13 +308,8 @@
+@@ -302,13 +309,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -37204,7 +37605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
-@@ -319,14 +320,153 @@
+@@ -319,14 +321,153 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 528de8e..7a93695 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 52%{?dist}
+Release: 53%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Wed Sep 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-53
+- Fixes for jabberd policy
+- Fixes for sandbox policy
+
* Mon Aug 30 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-52
- Fix label for /bin/mountpoint
- Allow fsadm to read virt blk image files