[selinux-policy/f15/master] - Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch - aisexec will execute cor
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Apr 27 08:53:35 UTC 2011
commit c6642e13c94497ccd6a7baad5e092c5abdf5715f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Apr 27 10:54:32 2011 +0000
- Allow init_t getcap and setcap
- Allow namespace_init_t to use nsswitch
- aisexec will execute corosync
- colord tries to read files off noxattr file systems
policy-F15.patch | 155 +++++++++++++++++++++++++++++++--------------------
selinux-policy.spec | 8 ++-
2 files changed, 101 insertions(+), 62 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index c3d81f9..de55537 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -5566,7 +5566,7 @@ index 93ac529..aafece7 100644
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..d88c02c 100644
+index 9a6d67d..19de023 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -5677,7 +5677,7 @@ index 9a6d67d..d88c02c 100644
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1 mozilla_plugin_t:process { signal sigkill };
+
-+
++ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
+')
+
+########################################
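Review bot: The rule added at the former blank line, `allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;`, makes the socket relationship bidirectional — the plugin domain can now read and write unix stream sockets owned by the caller domain `$1`, the reverse of the `allow $1 mozilla_plugin_t:unix_stream_socket ...` line above it — and nothing in the hunk says why. If this is for sockets the browser hands to plugin-container (inherited descriptors), a why-comment such as `# plugin-container answers on sockets inherited from the browser` would record which direction is essential; confirm against the denial that motivated it. The enclosing interface starts and ends outside the hunk, so its `<summary>` should also be checked to say that the plugin domain gains access to the caller's sockets, not only the other way round.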
@@ -5703,7 +5703,7 @@ index 9a6d67d..d88c02c 100644
## Send and receive messages from
## mozilla over dbus.
## </summary>
-@@ -204,3 +301,40 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -204,3 +301,39 @@ interface(`mozilla_rw_tcp_sockets',`
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
@@ -5743,9 +5743,8 @@ index 9a6d67d..d88c02c 100644
+
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
+')
-+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..3188ebc 100644
+index 2a91fa8..584c255 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -5827,7 +5826,7 @@ index 2a91fa8..3188ebc 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,192 @@ optional_policy(`
+@@ -266,3 +291,194 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -5991,6 +5990,7 @@ index 2a91fa8..3188ebc 100644
+ nsplugin_manage_home_files(mozilla_plugin_t)
+ nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
+ nsplugin_user_home_filetrans(mozilla_plugin_t, file)
++ nsplugin_read_rw_files(mozilla_plugin_t);
+ nsplugin_signal(mozilla_plugin_t)
+')
+
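Review bot: The new call `nsplugin_read_rw_files(mozilla_plugin_t);` carries a trailing semicolon that none of the neighbouring interface calls in this optional_policy block have; refpolicy style writes interface calls without one, since they are m4 macros expanding to already-terminated rules. As far as I know the policy compiler tolerates a bare `;` as an empty statement, so this is a style point rather than a build break, but it should read `nsplugin_read_rw_files(mozilla_plugin_t)` to match the block. The enclosing optional_policy block begins before the hunk.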
@@ -6007,6 +6007,7 @@ index 2a91fa8..3188ebc 100644
+ xserver_use_user_fonts(mozilla_plugin_t)
+ xserver_read_user_iceauth(mozilla_plugin_t)
+ xserver_read_user_xauth(mozilla_plugin_t)
++ xserver_append_xdm_home_files(mozilla_plugin_t);
+')
+
+tunable_policy(`use_nfs_home_dirs',`
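Review bot: `xserver_append_xdm_home_files(mozilla_plugin_t);` grants the plugin domain append access to xdm-owned files in users' home directories with no comment saying which file it is after; it also has the trailing `;` the surrounding calls do not use. Presumably plugin-container inherits the session's stderr, which xdm points at a file in the home directory, so a line like `# plugin-container inherits the session's stderr (xdm home file), append only` would tell the next reader why append (and not read or write) is the right permission — confirm against the denial. The enclosing optional_policy block begins before the hunk.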
@@ -6169,10 +6170,10 @@ index 0000000..8d7c751
+')
diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
new file mode 100644
-index 0000000..ce7dbac
+index 0000000..625dc1e
--- /dev/null
+++ b/policy/modules/apps/namespace.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,40 @@
+policy_module(namespace,1.0.0)
+
+########################################
@@ -6204,6 +6205,8 @@ index 0000000..ce7dbac
+files_read_etc_files(namespace_init_t)
+files_polyinstantiate_all(namespace_init_t)
+
++auth_use_nsswitch(namespace_init_t)
++
+miscfiles_read_localization(namespace_init_t)
+
+userdom_manage_user_home_content_dirs(namespace_init_t)
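Review bot: `auth_use_nsswitch(namespace_init_t)` is a broad grant — in refpolicy it typically lets the domain talk to whatever NSS backends the host configures, including network sockets for LDAP/NIS and the nscd/sssd client paths — and the hunk gives no reason for it. Given that this domain also manages user home content (`userdom_manage_user_home_content_dirs` just below), user and group resolution for ownership of polyinstantiated directories is the plausible need; a comment such as `# namespace.init resolves users/groups via NSS when setting up polyinstantiated dirs` would record it, confirm which lookup triggered the denial.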
@@ -10943,7 +10946,7 @@ index bc534c1..b70ea07 100644
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 16108f6..7307872 100644
+index 16108f6..a02d2cc 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -11028,7 +11031,7 @@ index 16108f6..7307872 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -227,6 +242,8 @@ ifndef(`distro_redhat',`
+@@ -227,23 +242,27 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -11037,7 +11040,11 @@ index 16108f6..7307872 100644
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
-@@ -237,13 +254,14 @@ ifndef(`distro_redhat',`
+
+ /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
+
+ /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
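Review bot: The new entry `/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)` appears redundant: the line above it, `/var/lock(/.*)? ...var_lock_t...`, has no file-type flag and so already matches a symlink at /var/lock with the same label. It only earns its place if it is meant to outrank a conflicting entry in another module's .fc (a literal path beats a regex in file_contexts matching); if that is the case, say which with a comment, e.g. `# /var/lock is a symlink under systemd; keep it var_lock_t over <other module>'s entry`, otherwise drop the line. I cannot see other modules' .fc files from here, so this is an inference.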
@@ -11053,7 +11060,7 @@ index 16108f6..7307872 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -252,3 +270,7 @@ ifndef(`distro_redhat',`
+@@ -252,3 +271,7 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -16761,7 +16768,7 @@ index 0370dba..af5d229 100644
#
interface(`aisexec_domtrans',`
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
-index 97c9cae..c24bd66 100644
+index 97c9cae..568e37d 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
@@ -16773,7 +16780,7 @@ index 97c9cae..c24bd66 100644
allow aisexec_t self:process { setrlimit setsched signal };
allow aisexec_t self:fifo_file rw_fifo_file_perms;
allow aisexec_t self:sem create_sem_perms;
-@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t)
+@@ -81,11 +81,18 @@ logging_send_syslog_msg(aisexec_t)
miscfiles_read_localization(aisexec_t)
@@ -16783,6 +16790,15 @@ index 97c9cae..c24bd66 100644
optional_policy(`
ccs_stream_connect(aisexec_t)
')
+
+ optional_policy(`
++ corosync_domtrans(aisexec_t)
++')
++
++optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_dlm_controld_semaphores(aisexec_t)
+
diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc
new file mode 100644
index 0000000..aeb1888
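Review bot: The new `optional_policy` block holding `corosync_domtrans(aisexec_t)` has no comment, while the neighbouring block in the same hunk shows the file's habit of saying why (`# to communication with RHCS`); the commit message's "aisexec will execute corosync" belongs in the policy, e.g. `# aisexec is a wrapper that execs corosync`. Since this is a domain transition, whether corosync_t then needs to inherit descriptors or signal back to aisexec_t cannot be judged from this hunk — worth checking against the denials. The aisexec_t rule set continues outside the hunk.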
@@ -20118,6 +20134,16 @@ index 0000000..e7d2a5b
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
+diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc
+index 5432d0e..f77df02 100644
+--- a/policy/modules/services/canna.fc
++++ b/policy/modules/services/canna.fc
+@@ -20,4 +20,4 @@
+
+ /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
+ /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
+-/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
++/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0)
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 1d25efe..1b16191 100644
--- a/policy/modules/services/canna.te
@@ -21664,10 +21690,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..5187146
+index 0000000..32289dc
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,98 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -21734,16 +21760,15 @@ index 0000000..5187146
+
+sysnet_dns_name_resolve(colord_t)
+
-+userdom_search_user_home_dirs(colord_t)
++fs_search_all(colord_t)
++fs_read_noxattr_fs_files(colord_t)
+
+tunable_policy(`use_nfs_home_dirs',`
-+ fs_getattr_nfs(colord_t)
-+ fs_search_nfs(colord_t)
++ fs_read_nfs_files(colord_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
-+ fs_getattr_cifs(colord_t)
-+ fs_search_cifs(colord_t)
++ fs_read_cifs_files(colord_t)
+')
+
+optional_policy(`
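Review bot: Replacing `userdom_search_user_home_dirs(colord_t)` with `fs_search_all(colord_t)` and `fs_read_noxattr_fs_files(colord_t)` is a large widening: colord_t may now read every file on any filesystem that carries no xattr labels (removable vfat or iso9660 media, for instance), and under the two tunables every NFS and CIFS file rather than the getattr/search the removed lines allowed. If the goal is the ICC profiles in home directories that happen to live on such mounts, record it with a comment, e.g. `# colord reads user ICC profiles, which may live on noxattr, NFS or CIFS mounts`, and consider guarding the noxattr read with a tunable the way the NFS and CIFS reads already are. Note also that the search of user home directories the removed line granted is no longer provided by this block unless another call supplies it. The colord_t rule set continues outside the hunk.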
@@ -21754,6 +21779,10 @@ index 0000000..5187146
+')
+
+optional_policy(`
++ gnome_read_gconf_home_files(colord_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
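Review bot: `gnome_read_gconf_home_files(colord_t)` lets a system daemon read every user's gconf tree and carries no comment saying which setting it needs; the surrounding optional_policy blocks do not explain themselves either, but this one crosses into user data. A one-line comment such as `# colord reads per-user gconf settings (presumably device profile assignments) — confirm` would make the intent reviewable. The colord_t rule set continues outside the hunk.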
@@ -49113,7 +49142,7 @@ index cc83689..e83c909 100644
+')
+
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..890810e 100644
+index ea29513..f00a023 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -49272,7 +49301,7 @@ index ea29513..890810e 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +234,118 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +234,119 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -49285,6 +49314,7 @@ index ea29513..890810e 100644
+tunable_policy(`init_systemd',`
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow init_t self:process { setsockcreate setfscreate };
++ allow init_t self:process { getcap setcap };
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ # Until systemd is fixed
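Review bot: The added `allow init_t self:process { getcap setcap };` duplicates the `allow init_t self:process` rule on the line directly above it; fold them into one, `allow init_t self:process { setsockcreate setfscreate getcap setcap };`, as the surrounding rules do for each class. A why-comment is also worth adding, since `setcap` lets init alter its own capability sets — presumably systemd applying its capability bounding set to itself before exec, but confirm against the denial that prompted it. The `tunable_policy(`init_systemd'` block runs past the end of the hunk.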
@@ -49391,7 +49421,7 @@ index ea29513..890810e 100644
')
optional_policy(`
-@@ -199,10 +353,25 @@ optional_policy(`
+@@ -199,10 +354,25 @@ optional_policy(`
')
optional_policy(`
@@ -49417,7 +49447,7 @@ index ea29513..890810e 100644
unconfined_domain(init_t)
')
-@@ -212,7 +381,7 @@ optional_policy(`
+@@ -212,7 +382,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -49426,7 +49456,7 @@ index ea29513..890810e 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +410,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +411,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -49442,7 +49472,7 @@ index ea29513..890810e 100644
init_write_initctl(initrc_t)
-@@ -258,20 +430,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +431,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -49479,7 +49509,7 @@ index ea29513..890810e 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +463,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +464,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -49487,7 +49517,7 @@ index ea29513..890810e 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -291,6 +476,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +477,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -49495,7 +49525,7 @@ index ea29513..890810e 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +484,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +485,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -49511,7 +49541,7 @@ index ea29513..890810e 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +502,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +503,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -49519,7 +49549,7 @@ index ea29513..890810e 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +510,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +511,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -49531,7 +49561,7 @@ index ea29513..890810e 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +529,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +530,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -49545,7 +49575,7 @@ index ea29513..890810e 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +544,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +545,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -49554,7 +49584,7 @@ index ea29513..890810e 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +558,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +559,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -49562,7 +49592,7 @@ index ea29513..890810e 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +570,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +571,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -49570,7 +49600,7 @@ index ea29513..890810e 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,13 +591,12 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +592,12 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -49586,7 +49616,7 @@ index ea29513..890810e 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -458,6 +654,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +655,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -49597,7 +49627,7 @@ index ea29513..890810e 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +678,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +679,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -49606,7 +49636,7 @@ index ea29513..890810e 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +693,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +694,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -49614,7 +49644,7 @@ index ea29513..890810e 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -522,8 +723,29 @@ ifdef(`distro_redhat',`
+@@ -522,8 +724,29 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -49644,7 +49674,7 @@ index ea29513..890810e 100644
')
optional_policy(`
-@@ -531,10 +753,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +754,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -49662,7 +49692,7 @@ index ea29513..890810e 100644
')
optional_policy(`
-@@ -549,6 +778,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +779,39 @@ ifdef(`distro_suse',`
')
')
@@ -49702,7 +49732,7 @@ index ea29513..890810e 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +823,8 @@ optional_policy(`
+@@ -561,6 +824,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -49711,7 +49741,7 @@ index ea29513..890810e 100644
')
optional_policy(`
-@@ -577,6 +841,7 @@ optional_policy(`
+@@ -577,6 +842,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -49719,7 +49749,7 @@ index ea29513..890810e 100644
')
optional_policy(`
-@@ -589,6 +854,11 @@ optional_policy(`
+@@ -589,6 +855,11 @@ optional_policy(`
')
optional_policy(`
@@ -49731,7 +49761,7 @@ index ea29513..890810e 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +875,13 @@ optional_policy(`
+@@ -605,9 +876,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -49745,7 +49775,7 @@ index ea29513..890810e 100644
')
optional_policy(`
-@@ -649,6 +923,11 @@ optional_policy(`
+@@ -649,6 +924,11 @@ optional_policy(`
')
optional_policy(`
@@ -49757,7 +49787,7 @@ index ea29513..890810e 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +985,13 @@ optional_policy(`
+@@ -706,7 +986,13 @@ optional_policy(`
')
optional_policy(`
@@ -49771,7 +49801,7 @@ index ea29513..890810e 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1014,10 @@ optional_policy(`
+@@ -729,6 +1015,10 @@ optional_policy(`
')
optional_policy(`
@@ -49782,7 +49812,7 @@ index ea29513..890810e 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1027,20 @@ optional_policy(`
+@@ -738,10 +1028,20 @@ optional_policy(`
')
optional_policy(`
@@ -49803,7 +49833,7 @@ index ea29513..890810e 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1049,10 @@ optional_policy(`
+@@ -750,6 +1050,10 @@ optional_policy(`
')
optional_policy(`
@@ -49814,7 +49844,7 @@ index ea29513..890810e 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1074,6 @@ optional_policy(`
+@@ -771,8 +1075,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -49823,7 +49853,7 @@ index ea29513..890810e 100644
')
optional_policy(`
-@@ -781,14 +1082,21 @@ optional_policy(`
+@@ -781,14 +1083,21 @@ optional_policy(`
')
optional_policy(`
@@ -49845,7 +49875,7 @@ index ea29513..890810e 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1108,6 @@ optional_policy(`
+@@ -800,7 +1109,6 @@ optional_policy(`
')
optional_policy(`
@@ -49853,7 +49883,7 @@ index ea29513..890810e 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -810,11 +1117,24 @@ optional_policy(`
+@@ -810,11 +1118,24 @@ optional_policy(`
')
optional_policy(`
@@ -49879,7 +49909,7 @@ index ea29513..890810e 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1144,25 @@ optional_policy(`
+@@ -824,6 +1145,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -49905,7 +49935,7 @@ index ea29513..890810e 100644
')
optional_policy(`
-@@ -849,3 +1188,42 @@ optional_policy(`
+@@ -849,3 +1189,42 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -54850,7 +54880,7 @@ index 025348a..4e2ca03 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..5f34c11 100644
+index d88f7c3..1a72d12 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -54950,14 +54980,17 @@ index d88f7c3..5f34c11 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -186,6 +197,7 @@ ifdef(`distro_redhat',`
+@@ -186,8 +197,9 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
+ fs_manage_hugetlbfs_dirs(udev_t)
- term_search_ptys(udev_t)
+- term_search_ptys(udev_t)
++ term_use_generic_ptys(udev_t)
+ # for arping used for static IP addresses on PCMCIA ethernet
+ netutils_domtrans(udev_t)
@@ -216,11 +228,16 @@ optional_policy(`
')
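Review bot: Replacing `term_search_ptys(udev_t)` with `term_use_generic_ptys(udev_t)` turns a search-only grant into read/write on every generic pty, so udev_t may now write to any user's terminal, and nothing says which udev helper needs that. If the denial came from a pty inherited when udev or `udevadm trigger` is started from a terminal, the usual fix is `term_dontaudit_use_generic_ptys(udev_t)` rather than an allow; if a RUN= program genuinely writes to the pty, keep the allow but name it, e.g. `# <helper> run from udev rules writes to the inherited pty`. The `ifdef(`distro_redhat'` block this sits in begins before the hunk.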
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fc200a5..c066533 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 17%{?dist}
+Release: 18%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,12 @@ exit 0
%endif
%changelog
+* Wed Apr 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-18
+- Allow init_t getcap and setcap
+- Allow namespace_init_t to use nsswitch
+- aisexec will execute corosync
+- colord tries to read files off noxattr file systems
+
* Tue Apr 26 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-17
- Add back transition from unconfined to telepathy domains