[selinux-policy/f13/master] - Move c2s to run in jabber_router_t domain - Allow domains with different mcs levels to send each o
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Sep 24 13:02:00 UTC 2010
commit 096557a9591de3f2fc81ac10ce2e307b171178d8
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Sep 24 15:01:46 2010 +0200
- Move c2s to run in jabber_router_t domain
- Allow domains with different MCS levels to send each other signals as long as they are not marked with the mcsuntrustedproc attribute (via mcs_untrusted_proc())
- Allow nrpe to send signal and sigkill to the plugins
- Fix up xguest to allow it to read hwdata and gconf_etc_t
policy-F13.patch | 443 ++++++++++++++++++++++++++++++++-------------------
selinux-policy.spec | 8 +-
2 files changed, 283 insertions(+), 168 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index e1eee2c..a95636a 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -71,7 +71,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs
--- nsaserefpolicy/policy/mcs 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/mcs 2010-09-01 12:09:30.921083663 +0200
++++ serefpolicy-3.7.19/policy/mcs 2010-09-23 12:57:46.199386949 +0200
@@ -86,10 +86,10 @@
(( h1 dom h2 ) and ( l2 eq h2 ));
@@ -85,14 +85,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
(( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain process { transition dyntransition }
-@@ -98,7 +98,7 @@
- mlsconstrain process { ptrace }
- (( h1 dom h2) or ( t1 == mcsptraceall ));
-
--mlsconstrain process { sigkill sigstop }
-+mlsconstrain process { signal sigkill sigstop }
+@@ -101,6 +101,9 @@
+ mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
++mlsconstrain process { signal }
++ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
++
+ #
+ # MCS policy for SELinux-enabled databases
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls
--- nsaserefpolicy/policy/mls 2010-04-13 20:44:37.000000000 +0200
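Review bot: The added `mlsconstrain process { signal }` with `( t1 != mcsuntrustedproc )` turns MCS signal control into an opt-out: every domain that does not carry the attribute may signal processes at any category set, and a future domain that should be isolated is silently exempt until someone calls `mcs_untrusted_proc` on it. The constraint also keys on the sender only, so marked domains remain valid targets of signals from unmarked senders at other levels; that is enough to keep sandboxes/guests from signalling each other but is weaker than the changelog's "send each other" wording suggests. Since this is a deliberate relaxation, put the rationale beside the constraint, e.g. `# signal is MCS-constrained only for domains marked mcs_untrusted_proc(); sigkill/sigstop remain under mcskillall above`. Note the changelog names the attribute `mcsconstrainproc` while the policy defines `mcsuntrustedproc`.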
@@ -2463,8 +2464,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-08-24 15:45:05.100083585 +0200
-@@ -0,0 +1,66 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-09-24 14:23:58.850635407 +0200
+@@ -0,0 +1,67 @@
+policy_module(shutdown,1.0.0)
+
+########################################
@@ -2510,10 +2511,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+auth_use_nsswitch(shutdown_t)
+auth_write_login_records(shutdown_t)
+
-+init_dontaudit_write_utmp(shutdown_t)
+init_read_utmp(shutdown_t)
++init_rw_utmp(shutdown_t)
+init_telinit(shutdown_t)
+
++logging_search_logs(shutdown_t)
+logging_send_audit_msgs(shutdown_t)
+
+miscfiles_read_localization(shutdown_t)
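Review bot: `init_read_utmp(shutdown_t)` on the kept line is now subsumed by the added `init_rw_utmp(shutdown_t)`; drop the narrower call so the grant is stated once. Turning the former `init_dontaudit_write_utmp` into a real write is a widening that is coherent with the existing `auth_write_login_records`, but it deserves a why-comment on the new line, e.g. `# shutdown updates the utmp entry (was dontaudit) -- presumably needed for the runlevel record, confirm against the AVC`. The shutdown_t block continues outside the hunk.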
@@ -3530,7 +3532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.19/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/gnome.if 2010-05-28 09:41:59.977610927 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/gnome.if 2010-09-23 13:21:33.431386911 +0200
@@ -74,6 +74,24 @@
########################################
@@ -6764,8 +6766,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-09-01 12:14:39.094335217 +0200
-@@ -0,0 +1,335 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-09-23 13:00:53.092386606 +0200
+@@ -0,0 +1,338 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -6857,6 +6859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
++ mcs_untrusted_proc($1_t)
+
+ type $1_file_t, sandbox_file_type;
+ files_type($1_file_t)
@@ -6890,6 +6893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+ type $1_t, sandbox_x_domain;
+ application_type($1_t)
++ mcs_untrusted_proc($1_t)
+
+ type $1_file_t, sandbox_file_type;
+ files_type($1_file_t)
@@ -6912,6 +6916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+ type $1_client_t, sandbox_x_domain;
+ application_type($1_client_t)
++ mcs_untrusted_proc($1_t)
+
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
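Review bot: The added `mcs_untrusted_proc($1_t)` sits in the `$1_client_t` declaration block (see `type $1_client_t, sandbox_x_domain;` and `application_type($1_client_t)` two lines above) but marks `$1_t`, which the earlier hunk in this file already marks; the client domain itself never gets the attribute, so under the new `mlsconstrain process { signal }` a sandbox client process remains free to signal processes at other MCS category sets. Change it to `mcs_untrusted_proc($1_client_t)`. The template continues outside the hunk.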
@@ -11693,6 +11698,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
########################################
#
# Unlabeled process local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.if serefpolicy-3.7.19/policy/modules/kernel/mcs.if
+--- nsaserefpolicy/policy/modules/kernel/mcs.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/mcs.if 2010-09-23 12:59:03.197386946 +0200
+@@ -102,3 +102,29 @@
+
+ typeattribute $1 mcssetcats;
+ ')
++
++#######################################
++## <summary>
++## Make specified process type MCS untrusted.
++## </summary>
++## <desc>
++## <p>
++## Make specified process type MCS untrusted. This
++## prevents this process from sending signals to other processes
++## with different mcs labels
++## object.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## The type of the process.
++## </summary>
++## </param>
++#
++interface(`mcs_untrusted_proc',`
++ gen_require(`
++ attribute mcsuntrustedproc;
++ ')
++
++ typeattribute $1 mcsuntrustedproc;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-3.7.19/policy/modules/kernel/mcs.te
+--- nsaserefpolicy/policy/modules/kernel/mcs.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/mcs.te 2010-09-23 12:58:14.301386891 +0200
+@@ -11,3 +11,4 @@
+ attribute mcssetcats;
+ attribute mcswriteall;
+ attribute mcsreadall;
++attribute mcsuntrustedproc;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.19/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/kernel/selinux.if 2010-05-28 09:42:00.040610567 +0200
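Review bot: The `<desc>` of the new `mcs_untrusted_proc` interface ends with a stray word (`with different mcs labels object.`) and overstates the effect: given the constraint in policy/mcs, the attribute only restricts the `signal` permission toward processes whose MCS range the sender does not dominate, while `sigkill`/`sigstop` stay governed by `mcskillall` and `signull`/`sigchld` are not MCS-constrained at all. Suggest `Mark the domain as MCS untrusted: it may only send signal (not sigkill/sigstop, which mcskillall governs) to processes whose MCS range it dominates.` Since exemption is the default, also state in the summary that domains not marked here are not MCS-restricted for signal, so module authors know they must opt in.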
@@ -13232,8 +13278,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-09-09 16:58:48.150084581 +0200
-@@ -0,0 +1,455 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-09-23 13:17:47.400386803 +0200
+@@ -0,0 +1,457 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -13598,8 +13644,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
+
+optional_policy(`
++ optional_policy(`
++ samba_run_unconfined_net(unconfined_t, unconfined_r)
++ ')
+ samba_role_notrans(unconfined_r)
-+ samba_run_unconfined_net(unconfined_t, unconfined_r)
+# samba_run_winbind_helper(unconfined_t, unconfined_r)
+ samba_run_smbcontrol(unconfined_t, unconfined_r)
+')
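Review bot: The new `optional_policy(` wrapped around `samba_run_unconfined_net(unconfined_t, unconfined_r)` is nested inside a block that is already `optional_policy` for samba interfaces, so it reads as a no-op unless the inner interface's `gen_require` is expected to fail independently (for instance if the type it requires is absent from some samba module builds). If that is the reason, record it: `# separate optional: the unconfined_net type may be missing from older samba modules`; otherwise drop the extra nesting. The enclosing unconfined_t policy continues outside the hunk.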
@@ -16685,7 +16733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-09-21 15:44:46.945387235 +0200
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-09-23 15:00:44.162636936 +0200
@@ -0,0 +1,176 @@
+
+policy_module(boinc,1.0.0)
@@ -16718,7 +16766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+role system_r types boinc_project_t;
+
+type boinc_project_tmp_t;
-+files_tmp_file(boinc_tmp_t)
++files_tmp_file(boinc_project_tmp_t)
+
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
@@ -21001,7 +21049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-13 12:37:55.230085213 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-23 15:00:20.316636690 +0200
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -21146,7 +21194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
postfix_search_spool(dovecot_auth_t)
')
-@@ -234,18 +263,34 @@
+@@ -234,18 +263,35 @@
#
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
@@ -21177,11 +21225,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
auth_use_nsswitch(dovecot_deliver_t)
logging_send_syslog_msg(dovecot_deliver_t)
++logging_append_all_logs(dovecot_deliver_t)
+logging_search_logs(dovecot_deliver_t)
miscfiles_read_localization(dovecot_deliver_t)
-@@ -263,15 +308,24 @@
+@@ -263,15 +309,24 @@
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`use_nfs_home_dirs',`
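Review bot: `logging_append_all_logs(dovecot_deliver_t)` grants append on every `logfile`-typed file on the system to the local delivery agent, which handles untrusted inbound mail; if the denial being fixed was for dovecot's own log type, a type-specific append rule is the narrower fix, and if it was for an admin-configured log path a comment naming that case would keep the broad grant reviewable. Suggest at minimum `# deliver appends to the log_path set in dovecot.conf; TODO narrow to dovecot's own log type if that is the only case`. The dovecot_deliver_t section continues outside the hunk.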
@@ -22783,16 +22832,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.fc serefpolicy-3.7.19/policy/modules/services/jabber.fc
--- nsaserefpolicy/policy/modules/services/jabber.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/jabber.fc 2010-09-01 11:58:19.516083496 +0200
++++ serefpolicy-3.7.19/policy/modules/services/jabber.fc 2010-09-24 14:38:41.409386147 +0200
@@ -2,5 +2,14 @@
/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+# for new version of jabberd
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
++/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
++/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+
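Review bot: Relabeling `/usr/bin/c2s` as `jabberd_router_exec_t` puts the network-facing client listener in the same domain as the router, so the TE rules on `jabberd_router_t` now describe the union of both programs and a compromised c2s inherits whatever the router alone needed (router-port bind, Kerberos, certificate access). The changelog says this is intentional, but the fc file is where the next reader will look for it: `# c2s shares the router domain (jabberd_router_t); see jabber.te`. If the merge is only a convenience, a dedicated c2s domain would keep the two components separable.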
@@ -22801,7 +22850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.7.19/policy/modules/services/jabber.if
--- nsaserefpolicy/policy/modules/services/jabber.if 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/jabber.if 2010-09-16 15:09:16.987637037 +0200
++++ serefpolicy-3.7.19/policy/modules/services/jabber.if 2010-09-24 14:58:50.065385991 +0200
@@ -1,17 +1,96 @@
## <summary>Jabber instant messaging server</summary>
@@ -22838,7 +22887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
+## </summary>
+## </param>
+#
-+interface(`jabber_domtrans_jabberd_router',`
++interface(`jabber_domtrans_router',`
+ gen_require(`
+ type jabberd_router_t, jabberd_router_exec_t;
+ ')
@@ -22917,14 +22966,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
ps_process_pattern($1, jabberd_t)
+ allow $1 jabberd_router_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, jabberd_router_t)
++ ps_process_pattern($1, jabberd_router_t)
+
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 jabberd_initrc_exec_t system_r;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.te serefpolicy-3.7.19/policy/modules/services/jabber.te
--- nsaserefpolicy/policy/modules/services/jabber.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/jabber.te 2010-09-01 11:58:19.543083755 +0200
++++ serefpolicy-3.7.19/policy/modules/services/jabber.te 2010-09-24 14:39:25.654636939 +0200
@@ -6,13 +6,19 @@
# Declarations
#
@@ -22946,18 +22995,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
type jabberd_log_t;
logging_log_file(jabberd_log_t)
-@@ -22,40 +28,78 @@
+@@ -22,74 +28,97 @@
type jabberd_var_run_t;
files_pid_file(jabberd_var_run_t)
-########################################
++
+permissive jabberd_router_t;
+permissive jabberd_t;
+
-+#######################################
++######################################
#
-# Local policy
-+# Local policy for jabberd domains
++# Local policy for jabberd router and c2s components
#
-allow jabberd_t self:capability dac_override;
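Review bot: `permissive jabberd_router_t;` and `permissive jabberd_t;` (context in this hunk) now also cover c2s, the component that accepts unauthenticated client connections from the network, so none of the jabberd policy is enforced at present. If the domains are permissive only because the policy is new, put a tracked TODO on them rather than leaving bare declarations: `# TODO: drop permissive once c2s/router/sm/s2s have run in enforcing mode`. The jabberd module continues in the following hunks.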
@@ -22966,6 +23016,95 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
-allow jabberd_t self:fifo_file read_fifo_file_perms;
-allow jabberd_t self:tcp_socket create_stream_socket_perms;
-allow jabberd_t self:udp_socket create_socket_perms;
+-
+-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
+-
+-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+-
+-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+-
+-kernel_read_kernel_sysctls(jabberd_t)
+-kernel_list_proc(jabberd_t)
+-kernel_read_proc_symlinks(jabberd_t)
+-
+-corenet_all_recvfrom_unlabeled(jabberd_t)
+-corenet_all_recvfrom_netlabel(jabberd_t)
+-corenet_tcp_sendrecv_generic_if(jabberd_t)
+-corenet_udp_sendrecv_generic_if(jabberd_t)
+-corenet_tcp_sendrecv_generic_node(jabberd_t)
+-corenet_udp_sendrecv_generic_node(jabberd_t)
+-corenet_tcp_sendrecv_all_ports(jabberd_t)
+-corenet_udp_sendrecv_all_ports(jabberd_t)
+-corenet_tcp_bind_generic_node(jabberd_t)
+-corenet_tcp_bind_jabber_client_port(jabberd_t)
+-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
++allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
+
+-dev_read_sysfs(jabberd_t)
+-# For SSL
+-dev_read_rand(jabberd_t)
++corenet_tcp_bind_jabber_client_port(jabberd_router_t)
++corenet_tcp_bind_jabber_router_port(jabberd_router_t)
++corenet_tcp_connect_jabber_router_port(jabberd_router_t)
++corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
++corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+
+-domain_use_interactive_fds(jabberd_t)
++fs_getattr_all_fs(jabberd_router_t)
+
+-files_read_etc_files(jabberd_t)
+-files_read_etc_runtime_files(jabberd_t)
++miscfiles_read_certs(jabberd_router_t)
+
+-fs_getattr_all_fs(jabberd_t)
+-fs_search_auto_mountpoints(jabberd_t)
++optional_policy(`
++ kerberos_use(jabberd_router_t)
++')
++
++optional_policy(`
++ nis_use_ypbind(jabberd_router_t)
++')
+
+-logging_send_syslog_msg(jabberd_t)
++#####################################
++#
++# Local policy for other jabberd components
++#
+
+-miscfiles_read_localization(jabberd_t)
++kernel_read_system_state(jabberd_t)
+
+-sysnet_read_config(jabberd_t)
++corenet_tcp_bind_jabber_interserver_port(jabberd_t)
++corenet_tcp_connect_jabber_router_port(jabberd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+ userdom_dontaudit_search_user_home_dirs(jabberd_t)
+
+ optional_policy(`
+- nis_use_ypbind(jabberd_t)
++ seutil_sigchld_newrole(jabberd_t)
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(jabberd_t)
++ udev_read_db(jabberd_t)
+ ')
+
+-optional_policy(`
+- udev_read_db(jabberd_t)
+-')
++#######################################
++#
++# Local policy for jabberd domains
++#
++
+allow jabberd_domain self:process signal_perms;
+allow jabberd_domain self:fifo_file read_fifo_file_perms;
+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
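Review bot: On the new side `jabberd_t` keeps `corenet_tcp_bind_jabber_interserver_port` under the `# Local policy for other jabberd components` heading, but the removed `corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)` is not re-added here, and the `jabberd_domain` rules shown cover socket ports rather than the `packet` class, so s2s would lose the SECMARK packet permission for its own port unless it is restored in lines outside the visible hunks; if not, add it back next to the bind rule. The router block would also benefit from a comment explaining why it binds the client port, reads certs and uses Kerberos, e.g. `# c2s is labeled jabberd_router_exec_t and runs here too; the client-port, cert and Kerberos rules are presumably for it -- confirm`. The jabberd_domain section continues into the next hunk.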
@@ -22977,14 +23116,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
+# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd
+manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t)
+logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir })
-
--manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
--files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
++
+manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t)
+files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file)
-
--manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
--logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
++
+corenet_all_recvfrom_unlabeled(jabberd_domain)
+corenet_all_recvfrom_netlabel(jabberd_domain)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
@@ -22995,8 +23130,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
+corenet_udp_sendrecv_all_ports(jabberd_domain)
+corenet_tcp_bind_generic_node(jabberd_domain)
+
++# For SSL
++dev_read_rand(jabberd_domain)
+dev_read_urand(jabberd_domain)
-+dev_read_urand(jabberd_domain)
++dev_read_sysfs(jabberd_domain)
+
+files_read_etc_files(jabberd_domain)
+files_read_etc_runtime_files(jabberd_domain)
@@ -23007,67 +23144,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
+
+sysnet_read_config(jabberd_domain)
+
-+######################################
-+#
-+# Local policy for jabberd-router
-+#
-
--manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
--files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
-+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-+
-+optional_policy(`
-+ kerberos_use(jabberd_router_t)
-+')
-+
-+########################################
-+#
-+# Local policy for jabberd
-+#
-+
-+allow jabberd_t self:capability dac_override;
-+dontaudit jabberd_t self:capability sys_tty_config;
-
- kernel_read_kernel_sysctls(jabberd_t)
--kernel_list_proc(jabberd_t)
- kernel_read_proc_symlinks(jabberd_t)
-+kernel_read_system_state(jabberd_t)
-
--corenet_all_recvfrom_unlabeled(jabberd_t)
--corenet_all_recvfrom_netlabel(jabberd_t)
--corenet_tcp_sendrecv_generic_if(jabberd_t)
--corenet_udp_sendrecv_generic_if(jabberd_t)
--corenet_tcp_sendrecv_generic_node(jabberd_t)
--corenet_udp_sendrecv_generic_node(jabberd_t)
--corenet_tcp_sendrecv_all_ports(jabberd_t)
--corenet_udp_sendrecv_all_ports(jabberd_t)
--corenet_tcp_bind_generic_node(jabberd_t)
-+corenet_tcp_connect_jabber_router_port(jabberd_t)
- corenet_tcp_bind_jabber_client_port(jabberd_t)
- corenet_tcp_bind_jabber_interserver_port(jabberd_t)
- corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-@@ -67,18 +111,9 @@
-
- domain_use_interactive_fds(jabberd_t)
-
--files_read_etc_files(jabberd_t)
--files_read_etc_runtime_files(jabberd_t)
--
- fs_getattr_all_fs(jabberd_t)
- fs_search_auto_mountpoints(jabberd_t)
-
--logging_send_syslog_msg(jabberd_t)
--
--miscfiles_read_localization(jabberd_t)
--
--sysnet_read_config(jabberd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
- userdom_dontaudit_search_user_home_dirs(jabberd_t)
-
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.7.19/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/kerberos.fc 2010-07-23 13:43:56.367388499 +0200
@@ -25048,7 +25124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.19/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/nagios.if 2010-05-28 09:42:00.132610905 +0200
++++ serefpolicy-3.7.19/policy/modules/services/nagios.if 2010-09-23 15:05:10.602684332 +0200
@@ -64,8 +64,8 @@
########################################
@@ -25077,7 +25153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
')
########################################
-@@ -99,3 +100,152 @@
+@@ -99,3 +100,155 @@
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')
@@ -25153,15 +25229,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+
+ gen_require(`
+ type nagios_t, nrpe_t;
-+ type nagios_log_t;
++ type nagios_log_t;
+ ')
+
-+ type nagios_$1_plugin_t;
-+ type nagios_$1_plugin_exec_t;
-+ application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
-+ role system_r types nagios_$1_plugin_t;
++ type nagios_$1_plugin_t;
++ type nagios_$1_plugin_exec_t;
++ application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
++ role system_r types nagios_$1_plugin_t;
++
++ allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
++
++ allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };
+
-+ allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ # automatic transition rules from nrpe domain
+ # to specific nagios plugin domain
@@ -25174,7 +25253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+
+ # cjp: leaked file descriptor
+ dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
-+ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
++ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+
+ miscfiles_read_localization(nagios_$1_plugin_t)
+')
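Review bot: The new `allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };` is followed by two consecutive blank lines (the added `+` line plus the retained blank), and several unchanged lines (`type nagios_log_t;`, the `type nagios_$1_plugin_t;` group, the `nagios_log_t` dontaudit) are re-emitted with whitespace-only differences; collapse to one blank line and keep a single indent style so the template stays consistent. A why-comment on the new rule would help, since nrpe is the parent of these plugin domains: `# nrpe terminates plugins that overrun their timeout (signal, then sigkill)` -- presumably the use case, confirm against the denial. The template continues past the hunk.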
@@ -31906,7 +31985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.19/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/rpc.te 2010-07-13 09:40:21.467753409 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rpc.te 2010-09-24 12:39:25.042386720 +0200
@@ -80,6 +80,7 @@
corecmd_exec_bin(rpcd_t)
@@ -31915,7 +31994,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
files_manage_mounttab(rpcd_t)
files_getattr_all_dirs(rpcd_t)
-@@ -98,15 +99,26 @@
+@@ -89,6 +90,7 @@
+ fs_rw_rpc_sockets(rpcd_t)
+ fs_get_all_fs_quotas(rpcd_t)
+ fs_getattr_all_fs(rpcd_t)
++fs_set_xattr_fs_quotas(rpcd_t)
+
+ storage_getattr_fixed_disk_dev(rpcd_t)
+
+@@ -98,15 +100,26 @@
seutil_dontaudit_search_config(rpcd_t)
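Review bot: `fs_set_xattr_fs_quotas(rpcd_t)` lets everything in the rpcd_t domain, which is shared by several rpc daemons, modify filesystem quotas, whereas the existing `fs_get_all_fs_quotas(rpcd_t)` only reads them; if the need is rpc.rquotad's optional set-quota mode, which an administrator has to turn on, this is a candidate for a tunable, or at least a comment so the write capability is not silently part of the default grant: `# rquotad with remote quota setting enabled needs quotamod on xattr filesystems`. The rpcd_t section continues outside the hunk.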
@@ -31942,7 +32029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
########################################
#
# NFSD local policy
-@@ -120,6 +132,7 @@
+@@ -120,6 +133,7 @@
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
@@ -31950,7 +32037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
kernel_dontaudit_getattr_core_if(nfsd_t)
corenet_tcp_bind_all_rpc_ports(nfsd_t)
-@@ -161,6 +174,7 @@
+@@ -161,6 +175,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
@@ -31958,7 +32045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
-@@ -219,6 +233,8 @@
+@@ -219,6 +234,8 @@
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
userdom_read_user_tmp_symlinks(gssd_t)
@@ -32397,7 +32484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-08-30 19:22:59.872334445 +0200
++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-09-23 13:18:50.383386842 +0200
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -32584,15 +32671,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
-@@ -525,6 +562,7 @@
+@@ -518,13 +555,13 @@
+ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow smbcontrol_t nmbd_t:process { signal signull };
++read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
+-allow smbcontrol_t nmbd_var_run_t:file { read lock };
+-
+-allow smbcontrol_t smbd_t:process signal;
+-
++allow smbcontrol_t smbd_t:process { signal signull };
++read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
allow smbcontrol_t winbind_t:process { signal signull };
+files_search_var_lib(smbcontrol_t)
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -536,6 +574,8 @@
+@@ -536,6 +573,8 @@
miscfiles_read_localization(smbcontrol_t)
@@ -32601,7 +32698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# smbmount Local policy
-@@ -618,7 +658,7 @@
+@@ -618,7 +657,7 @@
# SWAT Local policy
#
@@ -32610,7 +32707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -626,23 +666,25 @@
+@@ -626,23 +665,25 @@
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
@@ -32644,7 +32741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_exec_t:file mmap_file_perms ;
allow swat_t smbd_t:process signull;
-@@ -657,11 +699,14 @@
+@@ -657,11 +698,14 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -32660,7 +32757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
kernel_read_network_state(swat_t)
-@@ -700,6 +745,8 @@
+@@ -700,6 +744,8 @@
miscfiles_read_localization(swat_t)
@@ -32669,7 +32766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -713,12 +760,23 @@
+@@ -713,12 +759,23 @@
kerberos_use(swat_t)
')
@@ -32694,6 +32791,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
+@@ -763,6 +820,7 @@
+
+ kernel_read_kernel_sysctls(winbind_t)
+ kernel_read_system_state(winbind_t)
++kernel_read_network_state(winbind_t)
+
+ corecmd_exec_bin(winbind_t)
+
@@ -779,6 +837,9 @@
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
@@ -35111,16 +35216,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-09-16 16:52:58.485636847 +0200
-@@ -21,6 +21,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-09-23 12:59:31.493386880 +0200
+@@ -21,6 +21,8 @@
type $1_t, virt_domain;
domain_type($1_t)
domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
++ mcs_untrusted_proc($1_t)
role system_r types $1_t;
type $1_devpts_t;
-@@ -35,16 +36,16 @@
+@@ -35,16 +37,16 @@
type $1_image_t, virt_image_type;
files_type($1_image_t)
dev_node($1_image_t)
@@ -35141,7 +35247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +58,6 @@
+@@ -57,18 +59,6 @@
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
@@ -35160,7 +35266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -171,6 +160,7 @@
+@@ -171,6 +161,7 @@
files_search_etc($1)
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
@@ -35168,7 +35274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -192,6 +182,7 @@
+@@ -192,6 +183,7 @@
files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
@@ -35176,7 +35282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -229,6 +220,24 @@
+@@ -229,6 +221,24 @@
')
')
@@ -35201,7 +35307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
########################################
## <summary>
## Read virt PID files.
-@@ -306,6 +315,24 @@
+@@ -306,6 +316,24 @@
read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')
@@ -35226,7 +35332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
########################################
## <summary>
## Create, read, write, and delete
-@@ -386,6 +413,24 @@
+@@ -386,6 +414,24 @@
manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
')
@@ -35251,7 +35357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
########################################
## <summary>
## Allow domain to read virt image files
-@@ -433,15 +478,15 @@
+@@ -433,15 +479,15 @@
## </summary>
## </param>
#
@@ -35272,7 +35378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -516,3 +561,50 @@
+@@ -516,3 +562,50 @@
virt_manage_log($1)
')
@@ -35825,7 +35931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-09-16 16:53:59.645636878 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-09-23 13:20:56.798386762 +0200
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -35881,7 +35987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_rw_xserver_misc($2)
dev_rw_power_management($2)
-@@ -89,14 +95,14 @@
+@@ -89,14 +95,15 @@
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
@@ -35891,6 +35997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_rw_usbfs($2)
miscfiles_read_fonts($2)
++ miscfiles_read_hwdata($2)
+ miscfiles_setattr_fonts_cache_dirs($2)
xserver_common_x_domain_template(user, $2)
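Review bot: The added `miscfiles_read_hwdata($2)` lands in what the surrounding hunks suggest is xserver_restricted_role, so every role that calls this interface gains read access to hwdata_t, not only xguest as the changelog entry describes; the same applies to the `gnome_read_gconf_config($2)` block added in the hunk at @@ -35917,13 +36024,14 @@. Both types hold read-only configuration data, so the extra exposure is small, but the commit message should state that the grant is role-wide, or the rules should move into the xguest module if only that user is meant to receive them. A short why-comment would help the next reader, e.g. `# needed by xguest sessions; granted to every xserver_restricted_role user`. The interface's opening and closing lines lie outside both hunks.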
@@ -35898,7 +36005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -107,13 +113,24 @@
+@@ -107,11 +114,25 @@
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
@@ -35917,13 +36024,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ ',`
+ dev_dontaudit_rw_dri($2)
+ ')
++
++ optional_policy(`
++ gnome_read_gconf_config($2)
++ ')
')
-+
########################################
- ## <summary>
- ## Rules required for using the X Windows server
-@@ -143,11 +160,12 @@
+@@ -143,11 +164,12 @@
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
@@ -35938,7 +36046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
manage_files_pattern($2, user_fonts_t, user_fonts_t)
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
-@@ -197,7 +215,7 @@
+@@ -197,7 +219,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -35947,7 +36055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -227,7 +245,7 @@
+@@ -227,7 +249,7 @@
type xserver_t, xserver_tmpfs_t;
')
@@ -35956,7 +36064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
-@@ -291,12 +309,12 @@
+@@ -291,12 +313,12 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -35972,7 +36080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -310,7 +328,7 @@
+@@ -310,7 +332,7 @@
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($1)
@@ -35981,7 +36089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_use_user_fonts($1)
xserver_read_xdm_tmp_files($1)
-@@ -355,6 +373,12 @@
+@@ -355,6 +377,12 @@
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -35994,7 +36102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
##############################
-@@ -386,6 +410,15 @@
+@@ -386,6 +414,15 @@
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -36010,7 +36118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
#######################################
-@@ -458,9 +491,9 @@
+@@ -458,9 +495,9 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -36022,7 +36130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,10 +505,11 @@
+@@ -472,10 +509,11 @@
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -36035,7 +36143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# X object manager
xserver_object_types_template($1)
-@@ -545,6 +579,27 @@
+@@ -545,6 +583,27 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -36063,7 +36171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -598,6 +653,7 @@
+@@ -598,6 +657,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -36071,7 +36179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -615,7 +671,7 @@
+@@ -615,7 +675,7 @@
type xconsole_device_t;
')
@@ -36080,7 +36188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -724,11 +780,13 @@
+@@ -724,11 +784,13 @@
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -36096,7 +36204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -765,7 +823,7 @@
+@@ -765,7 +827,7 @@
type xdm_tmp_t;
')
@@ -36105,7 +36213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -805,7 +863,7 @@
+@@ -805,7 +867,7 @@
')
files_search_pids($1)
@@ -36114,7 +36222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -897,7 +955,7 @@
+@@ -897,7 +959,7 @@
')
logging_search_logs($1)
@@ -36123,7 +36231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -916,7 +974,7 @@
+@@ -916,7 +978,7 @@
type xserver_log_t;
')
@@ -36132,7 +36240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -964,6 +1022,44 @@
+@@ -964,6 +1026,44 @@
########################################
## <summary>
@@ -36177,7 +36285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -1052,7 +1148,7 @@
+@@ -1052,7 +1152,7 @@
type xdm_tmp_t;
')
@@ -36186,7 +36294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1210,7 +1306,7 @@
+@@ -1210,7 +1310,7 @@
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -36195,7 +36303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## </summary>
## <param name="domain">
## <summary>
-@@ -1224,9 +1320,20 @@
+@@ -1224,9 +1324,20 @@
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
@@ -36216,7 +36324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1250,3 +1357,330 @@
+@@ -1250,3 +1361,330 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -39309,8 +39417,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
dev_read_sysfs(kdump_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-09-01 11:39:53.971335059 +0200
-@@ -127,17 +127,22 @@
++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-09-24 12:55:11.845386098 +0200
+@@ -127,17 +127,23 @@
/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -39318,14 +39426,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib/vlc/plugins/mmx/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/plugins/codec//mmx/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vlc/plugins/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/plugins/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/plugins/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/plugins/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
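Review bot: The new entry for `/usr/lib/vlc/plugins/codec/librealvideo_plugin\.so` labels one more library textrel_shlib_t, which permits execmod on its mappings and so loosens the memory-protection guarantee the default lib_t label enforces; it belongs here only if the binary really carries the TEXTREL dynamic flag (readelf -d shows it), otherwise it is an unnecessary exception. The re-added `/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so` (moved from two lines up) looks like a transposition of the `plugins/codec` path used by its neighbours; if that directory does not exist on the target layout the entry is dead and can be dropped. A comment on the block such as `# VLC codec plugins with text relocations (execmod required)` would record why these libraries are exempted.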
@@ -39337,7 +39446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,6 +156,7 @@
+@@ -151,6 +157,7 @@
/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -39345,7 +39454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +214,7 @@
+@@ -208,6 +215,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -39353,7 +39462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -302,13 +309,8 @@
+@@ -302,13 +310,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -39369,7 +39478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
-@@ -319,14 +321,153 @@
+@@ -319,14 +322,153 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index edd6db2..96801d2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 60%{?dist}
+Release: 61%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
%endif
%changelog
+* Fri Sep 24 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-61
+- Move c2s to run in jabber_router_t domain
+- Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc
+- Allow nrpe to send signal and sigkill to the plugins
+- Fix up xguest to allow it to read hwdata and gconf_etc_t
+
* Tue Sep 21 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-60
- Allow boinc projects to execute java