[selinux-policy/f14] - Backport dirsrv-admin changes
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Aug 4 13:23:15 UTC 2011
commit 21f06207feead483fc97020c531a2d45bed2b037
Author: Miroslav <mgrepl at redhat.com>
Date: Thu Aug 4 15:22:54 2011 +0200
- Backport dirsrv-admin changes
policy-F14.patch | 448 +++++++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 5 +-
2 files changed, 332 insertions(+), 121 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 47a40af..703e544 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -972,8 +972,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.9.7/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/admin/logrotate.te 2011-02-25 17:40:38.963548919 +0000
-@@ -119,14 +119,20 @@
++++ serefpolicy-3.9.7/policy/modules/admin/logrotate.te 2011-07-19 13:09:53.384523004 +0000
+@@ -102,6 +102,7 @@
+ files_manage_generic_spool(logrotate_t)
+ files_manage_generic_spool_dirs(logrotate_t)
+ files_getattr_generic_locks(logrotate_t)
++files_dontaudit_list_mnt(logrotate_t)
+
+ # cjp: why is this needed?
+ init_domtrans_script(logrotate_t)
+@@ -119,14 +120,20 @@
userdom_use_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
@@ -1073,6 +1081,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
files_getattr_all_file_type_fs(logwatch_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.9.7/policy/modules/admin/mcelog.fc
+--- nsaserefpolicy/policy/modules/admin/mcelog.fc 2010-10-12 20:42:51.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/admin/mcelog.fc 2011-07-12 12:14:12.787029998 +0000
+@@ -1 +1,5 @@
+ /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
++
++/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
++
++/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.9.7/policy/modules/admin/mcelog.te
+--- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-10-12 20:42:51.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/admin/mcelog.te 2011-07-12 12:14:56.852030000 +0000
+@@ -10,6 +10,12 @@
+ application_domain(mcelog_t, mcelog_exec_t)
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+
++type mcelog_var_run_t;
++files_pid_file(mcelog_var_run_t)
++
++type mcelog_log_t;
++logging_log_file(mcelog_log_t)
++
+ ########################################
+ #
+ # mcelog local policy
+@@ -17,6 +23,14 @@
+
+ allow mcelog_t self:capability sys_admin;
+
++manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
++manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
++logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })
++
++manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
++manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
++manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
++
+ kernel_read_system_state(mcelog_t)
+
+ dev_read_raw_memory(mcelog_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.9.7/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2010-10-12 20:42:51.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/admin/mrtg.te 2011-02-25 17:40:38.978548549 +0000
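Review bot: mcelog_t is given manage_sock_files_pattern on mcelog_var_run_t to match the new `/var/run/mcelog-client -s` context in mcelog.fc, but while the log type gets logging_log_filetrans, no filetrans rule for the pid type is visible, so a socket the daemon creates in /var/run would keep the directory's default label unless a rule outside this hunk adds it. The usual pairing is `files_pid_filetrans(mcelog_t, mcelog_var_run_t, sock_file)` next to the manage rules. The cron.fc hunk further down drops the cron_log_t context for the same /var/log/mcelog.* path, so on already-installed systems those files keep cron_log_t until a relabel; that is worth a line in the package changelog. Both mcelog.te hunks end in context, so the rest of that file is outside this view.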
@@ -8681,7 +8729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-05-27 13:54:04.734208002 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-08-04 10:04:15.709523005 +0000
@@ -24,6 +24,7 @@
#
type tun_tap_device_t;
@@ -8794,7 +8842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
+network_port(piranha, tcp,3636,s0)
-+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9446, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
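Review bot: The rewritten pki_ca line labels tcp/9446 as pki_ca_port_t, a port the enumerated list it replaces did not contain, so this is a widening rather than a pure rewrite to a range. The sibling pki_kra, pki_ocsp and pki_tks declarations directly below keep explicit lists ending at x445, which makes the extra port look accidental; if it is intended, a comment such as `# pki_ca: 9443-9446 (9446 added)` would stop the next reader from narrowing it back.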
@@ -8933,7 +8981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.9.7/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/devices.if 2011-05-27 09:53:49.237196995 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/devices.if 2011-07-26 13:18:06.208523005 +0000
@@ -336,6 +336,24 @@
########################################
@@ -9260,7 +9308,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Read from pseudo random number generator devices (e.g., /dev/urandom).
## </summary>
## <desc>
-@@ -3924,6 +4123,24 @@
+@@ -3832,6 +4031,25 @@
+ write_chr_files_pattern($1, device_t, urandom_device_t)
+ ')
+
++#######################################
++## <summary>
++## Do not audit attempts to write to pseudo
++## random devices (e.g., /dev/urandom)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_write_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file write;
++')
++
+ ########################################
+ ## <summary>
+ ## Getattr generic the USB devices.
+@@ -3924,6 +4142,24 @@
########################################
## <summary>
@@ -9285,7 +9359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -4234,11 +4451,10 @@
+@@ -4234,11 +4470,10 @@
#
interface(`dev_rw_vhost',`
gen_require(`
@@ -15043,7 +15117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.9.7/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/apache.if 2011-02-25 17:40:39.622532697 +0000
++++ serefpolicy-3.9.7/policy/modules/services/apache.if 2011-08-04 10:20:52.386523004 +0000
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -15572,7 +15646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1200,14 +1369,43 @@
+@@ -1200,14 +1369,61 @@
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -15620,6 +15694,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
++######################################
++## <summary>
++## Get the attributes of httpd unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`httpd_getattr_stream_socket',`
++ gen_require(`
++ type httpd_t;
++ ')
++
++ allow $1 httpd_t:unix_stream_socket { getattr ioctl };
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.9.7/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-10-12 20:42:49.000000000 +0000
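Review bot: httpd_getattr_stream_socket grants `{ getattr ioctl }` on httpd_t:unix_stream_socket, but its summary says only "Get the attributes", and ioctl is a broader permission than the name announces. Either reduce it to `allow $1 httpd_t:unix_stream_socket getattr;` or state in the summary that ioctl is included and why the caller (httpd_dirsrvadmin_script_t in the dirsrv-admin hunk) needs it, so the grant is reviewable from the interface alone.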
@@ -19681,7 +19773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.9.7/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/cron.fc 2011-02-25 17:40:39.780528808 +0000
++++ serefpolicy-3.9.7/policy/modules/services/cron.fc 2011-07-12 12:15:07.756029999 +0000
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -19691,14 +19783,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-@@ -45,3 +45,7 @@
+@@ -45,3 +45,5 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
-+
-+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.9.7/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2010-10-12 20:42:48.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/cron.if 2011-02-25 17:40:39.795528438 +0000
@@ -21386,8 +21476,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.fc serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.fc
--- nsaserefpolicy/policy/modules/services/dirsrv-admin.fc 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.fc 2011-02-25 17:40:39.846527184 +0000
-@@ -0,0 +1,11 @@
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.fc 2011-08-04 10:19:57.134523004 +0000
+@@ -0,0 +1,13 @@
+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
@@ -21399,10 +21489,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+/usr/lib64/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+
++/usr/lib64/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
++/usr/lib64/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.if serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.if
--- nsaserefpolicy/policy/modules/services/dirsrv-admin.if 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.if 2011-02-25 17:40:39.848527135 +0000
-@@ -0,0 +1,95 @@
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.if 2011-08-04 10:20:01.179523004 +0000
+@@ -0,0 +1,134 @@
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
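Review bot: The new ds_create/ds_remove contexts are added only under /usr/lib64/dirsrv/cgi-bin, and the generic cgi-bin patterns just above them are lib64-specific as well; if the earlier part of this .fc (outside the hunk) carries a /usr/lib/dirsrv/cgi-bin entry for 32-bit installs, the two scripts there would still be labeled httpd_dirsrvadmin_script_exec_t and run confined, presumably not what is intended. Mirroring the two lines for /usr/lib would keep behaviour identical across architectures. The start of the .fc section is outside this hunk, so this is a check to make rather than a confirmed gap.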
@@ -21480,6 +21572,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
++#######################################
++## <summary>
++## Read dirsrv-adminserver tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_read_tmp',`
++ gen_require(`
++ type dirsrvadmin_tmp_t;
++ ')
++
++ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++')
++
+########################################
+## <summary>
+## Manage dirsrv-adminserver tmp files.
@@ -21498,10 +21608,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
++
++#######################################
++## <summary>
++## Execute admin cgi programs in caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_domtrans_unconfined_script_t',`
++ gen_require(`
++ type dirsrvadmin_unconfined_script_t;
++ type dirsrvadmin_unconfined_script_exec_t;
++ ')
++
++ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
++ allow httpd_t dirsrvadmin_unconfined_script_t:process signal_perms;
++
++')
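Review bot: dirsrvadmin_domtrans_unconfined_script_t hardcodes httpd_t in `allow httpd_t dirsrvadmin_unconfined_script_t:process signal_perms;` without listing it in gen_require, so the interface is tied to apache regardless of caller and will not compile where httpd_t is not in scope. The caller is `$1` everywhere else in the interface; `allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;` keeps the signal rule with the domain that actually transitions. The summary "Execute admin cgi programs in caller domain" describes the opposite of what domtrans_pattern does; "Execute admin CGI programs with a transition to the unconfined script domain" matches the body, and the `_t` suffix on the interface name is unusual compared with dirsrvadmin_read_tmp above.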
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.te serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.te
--- nsaserefpolicy/policy/modules/services/dirsrv-admin.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.te 2011-02-25 17:40:39.848527135 +0000
-@@ -0,0 +1,94 @@
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.te 2011-08-04 10:24:27.244523005 +0000
+@@ -0,0 +1,133 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
@@ -21520,6 +21651,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
++type dirsrvadmin_unconfined_script_t;
++type dirsrvadmin_unconfined_script_exec_t;
++domain_type(dirsrvadmin_unconfined_script_t)
++domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
++corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
++role system_r types dirsrvadmin_unconfined_script_t;
++
+########################################
+#
+# Local policy for the daemon
@@ -21540,8 +21678,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+
+files_exec_etc_files(dirsrvadmin_t)
+
-+libs_exec_ld_so(dirsrvadmin_t)
-+
+logging_search_logs(dirsrvadmin_t)
+
+miscfiles_read_localization(dirsrvadmin_t)
@@ -21559,43 +21695,77 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+#
+#
+# Create a domain for the CGI scripts
-+apache_content_template(dirsrvadmin)
-+
-+allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
-+allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
-+allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
-+
-+kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
-+
-+corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t)
-+corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
-+corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
-+corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
-+
-+files_search_var_lib(httpd_dirsrvadmin_script_t)
-+
-+sysnet_read_config(httpd_dirsrvadmin_script_t)
-+
-+manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
-+
-+# The CGI scripts must be able to manage dirsrv-admin
-+dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
-+dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
-+dirsrv_domtrans(httpd_dirsrvadmin_script_t)
-+dirsrv_signal(httpd_dirsrvadmin_script_t)
-+dirsrv_signull(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_log(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
-+dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_config(httpd_dirsrvadmin_script_t)
-+dirsrv_read_share(httpd_dirsrvadmin_script_t)
++
++optional_policy(`
++ apache_content_template(dirsrvadmin)
++
++ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
++ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
++
++ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
++
++ corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
++
++ files_search_var_lib(httpd_dirsrvadmin_script_t)
++
++ sysnet_read_config(httpd_dirsrvadmin_script_t)
++
++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
++
++ # The CGI scripts must be able to manage dirsrv-admin
++ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
++ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
++ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
++ dirsrv_signal(httpd_dirsrvadmin_script_t)
++ dirsrv_signull(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
++ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
++ dirsrv_read_share(httpd_dirsrvadmin_script_t)
++
++ optional_policy(`
++ httpd_getattr_stream_socket(httpd_dirsrvadmin_script_t)
++ ')
++')
++
++######################################
++#
++# Local policy for the admin CGIs
++#
++#
++
++manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
++
++# needed because of filetrans rules
++dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
++dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
++dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
++dirsrv_signal(dirsrvadmin_unconfined_script_t)
++dirsrv_signull(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
++dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
++dirsrv_read_share(dirsrvadmin_unconfined_script_t)
++
++optional_policy(`
++ unconfined_domain(dirsrvadmin_unconfined_script_t)
++')
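Review bot: The optional_policy block around httpd_getattr_stream_socket is nested inside the block that already depends on apache_content_template, so it is redundant; the outer block cannot be enabled without the apache module and the inner call can sit directly after dirsrv_read_share. The comment `# needed because of filetrans rules` over the dirsrvadmin_unconfined_script_t section is accurate only for files_tmp_filetrans and dirsrv_pid_filetrans — the allow-only calls below it (dirsrv_signal, dirsrv_manage_log, ...) are effectively subsumed by unconfined_domain when the unconfined module is loaded and are the domain's entire policy when it is not; a comment stating which case the list is meant for, e.g. `# type_transition rules are not provided by unconfined_domain; the allow rules below are the fallback when the unconfined module is absent`, would make the intent reviewable. No rule transitioning into dirsrvadmin_unconfined_script_t appears in this hunk; presumably apache.te calls dirsrvadmin_domtrans_unconfined_script_t, which is outside this view.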
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.fc serefpolicy-3.9.7/policy/modules/services/dirsrv.fc
--- nsaserefpolicy/policy/modules/services/dirsrv.fc 1970-01-01 00:00:00.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/dirsrv.fc 2011-02-25 17:40:39.862526790 +0000
@@ -22559,8 +22729,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/drbd
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/drbd.te serefpolicy-3.9.7/policy/modules/services/drbd.te
--- nsaserefpolicy/policy/modules/services/drbd.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/drbd.te 2011-02-25 17:40:39.906525706 +0000
-@@ -0,0 +1,57 @@
++++ serefpolicy-3.9.7/policy/modules/services/drbd.te 2011-08-04 11:34:46.874523005 +0000
+@@ -0,0 +1,55 @@
+
+policy_module(drbd,1.0.0)
+
@@ -22586,10 +22756,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/drbd
+# drbd local policy
+#
+
-+allow drbd_t self:capability net_admin;
-+
-+allow drbd_t self:capability { kill };
-+allow drbd_t self:process { fork };
++allow drbd_t self:capability { kill net_admin };
++dontaudit drbd_t self:capability sys_tty_config;
+
+allow drbd_t self:fifo_file rw_fifo_file_perms;
+allow drbd_t self:unix_stream_socket create_stream_socket_perms;
@@ -23046,7 +23214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
## Allow domain dyntransition to sftpd_anon domain.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.9.7/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/ftp.te 2011-02-25 17:40:39.956524475 +0000
++++ serefpolicy-3.9.7/policy/modules/services/ftp.te 2011-08-04 11:31:53.122523005 +0000
@@ -40,6 +40,13 @@
## <desc>
@@ -23087,7 +23255,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
########################################
#
# anon-sftp local policy
-@@ -133,7 +152,7 @@
+@@ -124,6 +143,8 @@
+
+ miscfiles_read_public_files(anon_sftpd_t)
+
++miscfiles_read_localization(sftpd_t)
++
+ tunable_policy(`sftpd_anon_write',`
+ miscfiles_manage_public_files(anon_sftpd_t)
+ ')
+@@ -133,7 +154,7 @@
# ftpd local policy
#
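Review bot: `miscfiles_read_localization(sftpd_t)` is inserted in the anon-sftp section, between rules for anon_sftpd_t, although it targets sftpd_t; the sftpd local policy section (the `@@ -368,15 +409,28 @@` hunk further down, near userdom_read_user_home_content_files(sftpd_t)) is where a reader would look for it. Moving the line there keeps the per-domain grouping the file otherwise follows. The enclosing sections begin and end outside this hunk.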
@@ -23096,7 +23273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +170,6 @@
+@@ -151,7 +172,6 @@
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -23104,7 +23281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +181,13 @@
+@@ -163,13 +183,13 @@
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -23120,7 +23297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -270,10 +288,13 @@
+@@ -270,10 +290,13 @@
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
@@ -23138,7 +23315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -316,6 +337,23 @@
+@@ -316,6 +339,23 @@
')
optional_policy(`
@@ -23162,7 +23339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
-@@ -347,10 +385,11 @@
+@@ -347,10 +387,11 @@
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -23175,7 +23352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
# Allow ftpdctl to read config files
-@@ -368,15 +407,28 @@
+@@ -368,15 +409,28 @@
# allow read access to /home by default
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
@@ -24000,8 +24177,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.9.7/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/gnomeclock.te 2011-03-18 16:32:35.811630000 +0000
-@@ -22,8 +22,11 @@
++++ serefpolicy-3.9.7/policy/modules/services/gnomeclock.te 2011-07-11 10:31:41.281030000 +0000
+@@ -19,11 +19,16 @@
+ allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+ allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+
++kernel_read_system_state(gnomeclock_t)
++
corecmd_exec_bin(gnomeclock_t)
files_read_etc_files(gnomeclock_t)
@@ -24013,7 +24195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
auth_use_nsswitch(gnomeclock_t)
clock_domtrans(gnomeclock_t)
-@@ -39,6 +42,14 @@
+@@ -39,6 +44,14 @@
')
optional_policy(`
@@ -24911,7 +25093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
+sysnet_read_config(jabberd_domain)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.9.7/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/kerberos.fc 2011-03-25 08:27:37.937630001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/kerberos.fc 2011-07-26 12:55:49.455523005 +0000
@@ -8,7 +8,7 @@
/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@@ -24921,6 +25103,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+@@ -21,6 +21,7 @@
+ /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+ /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+ /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+ /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+ /var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.9.7/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-10-12 20:42:48.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/kerberos.if 2011-03-25 11:18:07.215630001 +0000
@@ -25678,7 +25868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.9.7/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/lircd.te 2011-02-25 17:40:40.108520734 +0000
++++ serefpolicy-3.9.7/policy/modules/services/lircd.te 2011-08-04 10:32:24.780523004 +0000
@@ -24,6 +24,9 @@
#
@@ -25698,7 +25888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
# /dev/lircd socket
dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
-@@ -44,13 +47,13 @@
+@@ -44,13 +47,14 @@
corenet_tcp_sendrecv_all_ports(lircd_t)
corenet_tcp_connect_lirc_port(lircd_t)
@@ -25708,6 +25898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
dev_rw_input_dev(lircd_t)
++dev_read_sysfs(lircd_t)
-files_read_etc_files(lircd_t)
+files_read_config_files(lircd_t)
@@ -33283,8 +33474,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.9.7/policy/modules/services/psad.te
--- nsaserefpolicy/policy/modules/services/psad.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/psad.te 2011-02-25 17:40:40.402513497 +0000
-@@ -53,9 +53,10 @@
++++ serefpolicy-3.9.7/policy/modules/services/psad.te 2011-07-25 13:29:33.310523004 +0000
+@@ -39,6 +39,7 @@
+
+ allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+ dontaudit psad_t self:capability sys_tty_config;
++allow psad_t self:process signal_perms;
+ allow psad_t self:process signull;
+ allow psad_t self:fifo_file rw_fifo_file_perms;
+ allow psad_t self:rawip_socket create_socket_perms;
+@@ -53,9 +54,10 @@
logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
# pid file
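Review bot: The added `allow psad_t self:process signal_perms;` already covers signull (signal_perms is the sigchld/sigkill/sigstop/signull/signal set in refpolicy's permission sets), so the existing `allow psad_t self:process signull;` on the next line becomes redundant; replace the pair with the single signal_perms rule rather than stacking them. psad_t's declaration block starts before this hunk.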
@@ -33296,7 +33495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
# tmp files
manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
-@@ -85,6 +86,7 @@
+@@ -85,6 +87,7 @@
dev_read_urand(psad_t)
files_read_etc_runtime_files(psad_t)
@@ -33318,7 +33517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.9.7/policy/modules/services/puppet.te
--- nsaserefpolicy/policy/modules/services/puppet.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/puppet.te 2011-02-25 17:40:40.403513472 +0000
++++ serefpolicy-3.9.7/policy/modules/services/puppet.te 2011-06-27 12:42:58.153029998 +0000
@@ -6,12 +6,19 @@
#
@@ -33383,19 +33582,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -209,18 +221,39 @@
+@@ -209,18 +221,38 @@
dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
+domain_obj_id_change_exemption(puppetmaster_t)
domain_read_all_domains_state(puppetmaster_t)
- files_read_etc_files(puppetmaster_t)
+-files_read_etc_files(puppetmaster_t)
+-files_search_var_lib(puppetmaster_t)
+files_read_usr_files(puppetmaster_t)
- files_search_var_lib(puppetmaster_t)
-
++
+selinux_validate_context(puppetmaster_t)
+
++auth_use_nsswitch(puppetmaster_t)
+
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_localization(puppetmaster_t)
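Review bot: files_read_etc_files(puppetmaster_t) and files_search_var_lib(puppetmaster_t) are dropped in the same hunk that adds auth_use_nsswitch(puppetmaster_t), and sysnet_dns_name_resolve goes in the following hunk, which reads as relying on auth_use_nsswitch to supply those accesses. If that is the reasoning it should be stated, e.g. `# etc, var_lib and dns access come via auth_use_nsswitch`, because any /etc reads the master does outside the nsswitch set would otherwise lose coverage without a trace in this file. Please confirm against the auth_use_nsswitch body in this policy version, which is not in view.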
@@ -33403,7 +33604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
+
+seutil_read_file_contexts(puppetmaster_t)
- sysnet_dns_name_resolve(puppetmaster_t)
+-sysnet_dns_name_resolve(puppetmaster_t)
sysnet_run_ifconfig(puppetmaster_t, system_r)
+mta_send_mail(puppetmaster_t)
@@ -33423,7 +33624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +264,8 @@
+@@ -231,3 +263,8 @@
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -40370,7 +40571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.9.7/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/virt.te 2011-05-17 15:07:13.256889000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/virt.te 2011-07-01 10:26:26.303030000 +0000
@@ -5,80 +5,97 @@
# Declarations
#
@@ -40693,9 +40894,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
++selinux_validate_context(virtd_t)
++
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -40802,7 +41003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +576,117 @@
+@@ -457,8 +576,119 @@
')
optional_policy(`
@@ -40874,6 +41075,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+init_rw_script_stream_sockets(virsh_t)
+init_use_fds(virsh_t)
+
++logging_send_syslog_msg(virsh_t)
++
+miscfiles_read_localization(virsh_t)
+
+sysnet_dns_name_resolve(virsh_t)
@@ -41325,7 +41528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.9.7/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/xserver.if 2011-02-25 17:40:40.725505546 +0000
++++ serefpolicy-3.9.7/policy/modules/services/xserver.if 2011-08-04 11:15:24.963523005 +0000
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -41568,7 +41771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +507,25 @@
+@@ -472,20 +507,26 @@
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -41578,6 +41781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_read_xdm_tmp_files($2)
+ xserver_read_xdm_pid($2)
++ xserver_xdm_append_log($2)
# X object manager
xserver_object_types_template($1)
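Review bot: `xserver_xdm_append_log($2)` is added without the why-comment its neighbour `# for .xsession-errors` carries, so a later reader cannot tell which session write this is meant to allow, and it is granted to every role that calls this interface. Presumably the session's stderr ends up in the display manager's log, but that is a guess from context; a short note such as `# NOTE(review): session output appears to be appended to the xdm log — confirm before widening` would record the trigger and keep the grant at append only. The enclosing interface begins before this hunk.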
@@ -41596,7 +41800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -517,6 +557,7 @@
+@@ -517,6 +558,7 @@
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -41604,7 +41808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +586,28 @@
+@@ -545,6 +587,28 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -41633,7 +41837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -598,6 +661,7 @@
+@@ -598,6 +662,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -41641,7 +41845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -615,7 +679,7 @@
+@@ -615,7 +680,7 @@
type xconsole_device_t;
')
@@ -41650,7 +41854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -651,7 +715,7 @@
+@@ -651,7 +716,7 @@
type xdm_t;
')
@@ -41659,7 +41863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -670,7 +734,7 @@
+@@ -670,7 +735,7 @@
type xdm_t;
')
@@ -41668,7 +41872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -688,7 +752,7 @@
+@@ -688,7 +753,7 @@
type xdm_t;
')
@@ -41677,7 +41881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -703,12 +767,11 @@
+@@ -703,12 +768,11 @@
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -41691,7 +41895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -724,11 +787,12 @@
+@@ -724,11 +788,12 @@
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -41706,7 +41910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -765,7 +829,7 @@
+@@ -765,7 +830,7 @@
type xdm_tmp_t;
')
@@ -41715,7 +41919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -805,7 +869,26 @@
+@@ -805,7 +870,26 @@
')
files_search_pids($1)
@@ -41743,7 +41947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -897,7 +980,7 @@
+@@ -897,7 +981,7 @@
')
logging_search_logs($1)
@@ -41752,7 +41956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -916,7 +999,7 @@
+@@ -916,7 +1000,7 @@
type xserver_log_t;
')
@@ -41761,7 +41965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -963,6 +1046,45 @@
+@@ -963,6 +1047,45 @@
########################################
## <summary>
@@ -41807,7 +42011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1098,7 @@
+@@ -976,7 +1099,7 @@
type xdm_tmp_t;
')
@@ -41816,7 +42020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1160,24 @@
+@@ -1038,6 +1161,24 @@
########################################
## <summary>
@@ -41841,7 +42045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1192,7 @@
+@@ -1052,7 +1193,7 @@
type xdm_tmp_t;
')
@@ -41850,7 +42054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1070,8 +1210,10 @@
+@@ -1070,8 +1211,10 @@
type xserver_t, xserver_exec_t;
')
@@ -41862,7 +42066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1185,6 +1327,26 @@
+@@ -1185,6 +1328,26 @@
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -41889,7 +42093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1210,7 +1372,7 @@
+@@ -1210,7 +1373,7 @@
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -41898,7 +42102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1382,23 @@
+@@ -1220,13 +1383,23 @@
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -41923,7 +42127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1243,10 +1415,355 @@
+@@ -1243,10 +1416,355 @@
#
interface(`xserver_unconfined',`
gen_require(`
@@ -49657,7 +49861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.9.7/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/sysnetwork.te 2011-02-25 17:40:40.947500082 +0000
++++ serefpolicy-3.9.7/policy/modules/system/sysnetwork.te 2011-07-25 12:41:16.185523004 +0000
@@ -5,6 +5,13 @@
# Declarations
#
@@ -49793,7 +49997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -314,6 +353,10 @@
+@@ -314,7 +353,14 @@
')
')
@@ -49802,9 +50006,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+')
+
ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit ifconfig_t self:capability sys_module;
++
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -327,13 +370,24 @@
+ ')
+@@ -327,13 +373,24 @@
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
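Review bot: The new `dontaudit ifconfig_t self:capability sys_module;` suppresses a CAP_SYS_MODULE check with only `# caused by some bogus kernel code` as justification, which leaves no way to tell later whether the rule is still needed or what triggered it. Silencing a module-loading capability is the kind of dontaudit that should carry context, because a genuine attempt by a compromised ifconfig_t to load a module would now leave no AVC record either. Placement under `hide_broken_symptoms` is right; I would expand the comment to `# dontaudit only, the capability is still denied; seen when ifconfig apparently triggers a kernel module autoload — confirm and drop once the kernel is fixed`. The ifdef block continues past the end of this hunk.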
@@ -49829,7 +50037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
nis_use_ypbind(ifconfig_t)
')
-@@ -355,3 +409,9 @@
+@@ -355,3 +412,9 @@
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8bcc678..ebe1e8c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 43%{?dist}
+Release: 44%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,9 @@ exit 0
%endif
%changelog
+* Thu Aug 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-44
+- Backport dirsrv-admin changes
+
* Mon Jun 20 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-43
- Fixes for fail2ban and iptables
- Fixes for dovecot