[selinux-policy/f16] - Use fs_use_xattr for squashf - Fix procs_type interface - Dovecot has a new fifo_file /var/run/do
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Dec 2 11:57:18 UTC 2011
commit efa1438b312e66e0fc6583d5af07ed5aba526a75
Author: Miroslav <mgrepl at redhat.com>
Date: Fri Dec 2 12:57:04 2011 +0100
- Use fs_use_xattr for squashfs
- Fix procs_type interface
- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
- Dovecot has a new fifo_file /var/run/stats-mail
- Colord does not need to connect to network
- Allow system_cronjob to dbus chat with NetworkManager
- Puppet manages content, want to make sure it labels everything correctly
policy-F16.patch | 182 +++++++++++++++++++++++++++++++--------------------
selinux-policy.spec | 11 +++-
2 files changed, 122 insertions(+), 71 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 90d2dcb..d880889 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -19233,10 +19233,18 @@ index 97fcdac..630ff53 100644
+')
+
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index f125dc2..3c6e827 100644
+index f125dc2..f5e522e 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
-@@ -52,6 +52,7 @@ type anon_inodefs_t;
+@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
+
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
+@@ -52,6 +53,7 @@ type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
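Review bot: Switching squashfs to `fs_use_xattr` makes the labels embedded in the image authoritative, so a squashfs image built without SELinux xattrs (or labeled under a different policy) will surface its files as unlabeled_t or as foreign types instead of one predictable type, which changes what confined domains can read from it. A one-line comment above the new statement recording that assumption would help the next maintainer, e.g. `# squashfs images carry their own xattr labels; files without one typically show up as unlabeled_t`. The `squash_t`/`genfscon squash` rules this replaces are removed in the later filesystem.te hunk below.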
@@ -19244,7 +19252,7 @@ index f125dc2..3c6e827 100644
type bdev_t;
fs_type(bdev_t)
-@@ -67,7 +68,7 @@ fs_type(capifs_t)
+@@ -67,7 +69,7 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
@@ -19253,7 +19261,7 @@ index f125dc2..3c6e827 100644
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
-@@ -96,6 +97,7 @@ type hugetlbfs_t;
+@@ -96,6 +98,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -19261,7 +19269,19 @@ index f125dc2..3c6e827 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -175,6 +177,7 @@ fs_type(tmpfs_t)
+@@ -144,11 +147,6 @@ fs_type(spufs_t)
+ genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+ files_mountpoint(spufs_t)
+
+-type squash_t;
+-fs_type(squash_t)
+-genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+-files_mountpoint(squash_t)
+-
+ type sysv_t;
+ fs_noxattr_type(sysv_t)
+ files_mountpoint(sysv_t)
+@@ -175,6 +173,7 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
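Review bot: Dropping `type squash_t` removes a declared type, and any remaining reference to it elsewhere in the policy (an interface in filesystem.if, a file context, or a module that names it) will now fail at build time; the hunk does not show whether such references exist, so that should be checked before merging. It also looks like the old `genfscon squash /` used a filesystem name that does not match the kernel's registered name `squashfs`, in which case the removed rule may never have taken effect and squashfs mounts were already being labeled by the default path; a line in the commit message noting that would explain why the change is safe. The replacement `fs_use_xattr squashfs` statement is in the first filesystem.te hunk above.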
@@ -19269,7 +19289,7 @@ index f125dc2..3c6e827 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -254,6 +257,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -254,6 +253,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -19278,7 +19298,7 @@ index f125dc2..3c6e827 100644
files_mountpoint(removable_t)
#
-@@ -273,6 +278,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -273,6 +274,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -32034,7 +32054,7 @@ index 35241ed..445ced4 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..1d71121 100644
+index f7583ab..9b5a52f 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -32437,7 +32457,18 @@ index f7583ab..1d71121 100644
')
optional_policy(`
-@@ -480,7 +591,7 @@ optional_policy(`
+@@ -472,6 +583,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_dbus_chat(system_cronjob_t)
++')
++
++optional_policy(`
+ postfix_read_config(system_cronjob_t)
+ ')
+
+@@ -480,7 +595,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
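Review bot: `networkmanager_dbus_chat(system_cronjob_t)` follows the refpolicy dbus_chat convention and is two-way — it also lets NetworkManager_t send D-Bus messages to system_cronjob_t — which is broader than a cron job querying NetworkManager needs; if only the outbound direction is required, a one-way send_msg rule (or a comment stating why both directions are wanted) would be tighter. A short why-comment above the call would also record the motivating job, e.g. `# system cron jobs talk to NetworkManager over the system bus -- TODO: note which job needs this`. The enclosing optional_policy blocks continue outside the hunk.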
@@ -32446,7 +32477,7 @@ index f7583ab..1d71121 100644
')
optional_policy(`
-@@ -495,6 +606,7 @@ optional_policy(`
+@@ -495,6 +610,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -32454,7 +32485,7 @@ index f7583ab..1d71121 100644
')
optional_policy(`
-@@ -502,7 +614,13 @@ optional_policy(`
+@@ -502,7 +618,13 @@ optional_policy(`
')
optional_policy(`
@@ -32468,7 +32499,7 @@ index f7583ab..1d71121 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +713,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +717,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -35990,10 +36021,10 @@ index fdaeeba..b1ea136 100644
+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
-index bfc880b..9a1dcba 100644
+index bfc880b..9089c1a 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
-@@ -25,7 +25,7 @@ ifdef(`distro_debian', `
+@@ -25,13 +25,14 @@ ifdef(`distro_debian', `
ifdef(`distro_redhat', `
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
@@ -36002,6 +36033,13 @@ index bfc880b..9a1dcba 100644
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
')
+ #
+ # /var
+ #
++/var/run/stats-mail gen_context(system_u:object_r:dovecot_var_run_t,s0)
+ /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+ /var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
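Review bot: The new `/var/run/stats-mail` context entry has no file-type field, so it matches any object at that path (a regular file or symlink placed there would also be relabeled dovecot_var_run_t), while the changelog says this object is a fifo_file. Since the entry is for a fifo, `/var/run/stats-mail -p gen_context(system_u:object_r:dovecot_var_run_t,s0)` pins it to that object type. The changelog's other path, /var/run/dovecot/stats-mail, is already covered by the existing `/var/run/dovecot(-login)?(/.*)?` pattern, so no separate entry is needed for it.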
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index e1d7dc5..673f185 100644
--- a/policy/modules/services/dovecot.if
@@ -36096,7 +36134,7 @@ index e1d7dc5..673f185 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..2fbb869 100644
+index acf6d4f..aa446e9 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -36150,7 +36188,7 @@ index acf6d4f..2fbb869 100644
files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,10 +99,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -94,10 +99,12 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -36159,11 +36197,12 @@ index acf6d4f..2fbb869 100644
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
-+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
++manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
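Review bot: Adding `fifo_file` to `files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })` labels every fifo dovecot_t creates directly in /var/run as dovecot_var_run_t, not only stats-mail; if the toolchain for this branch supports the optional name argument on filetrans rules, a named transition for `"stats-mail"` would scope it to the one object the changelog describes. The accompanying `manage_fifo_files_pattern` is consistent with that label and with the new dovecot.fc entry. A one-line comment above these two lines, `# /var/run/stats-mail fifo`, would tie the rules to their motivating path.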
-@@ -110,6 +116,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+@@ -110,6 +117,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
@@ -36171,7 +36210,7 @@ index acf6d4f..2fbb869 100644
corenet_tcp_bind_sieve_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
-@@ -160,6 +167,15 @@ optional_policy(`
+@@ -160,6 +168,15 @@ optional_policy(`
')
optional_policy(`
@@ -36187,7 +36226,7 @@ index acf6d4f..2fbb869 100644
postgresql_stream_connect(dovecot_t)
')
-@@ -180,8 +196,8 @@ optional_policy(`
+@@ -180,8 +197,8 @@ optional_policy(`
# dovecot auth local policy
#
@@ -36198,7 +36237,7 @@ index acf6d4f..2fbb869 100644
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +207,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
@@ -36208,7 +36247,7 @@ index acf6d4f..2fbb869 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +220,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +221,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
@@ -36221,7 +36260,7 @@ index acf6d4f..2fbb869 100644
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -218,6 +240,8 @@ files_read_var_lib_files(dovecot_auth_t)
+@@ -218,6 +241,8 @@ files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
@@ -36230,7 +36269,7 @@ index acf6d4f..2fbb869 100644
init_rw_utmp(dovecot_auth_t)
miscfiles_read_localization(dovecot_auth_t)
-@@ -236,6 +260,8 @@ optional_policy(`
+@@ -236,6 +261,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -36239,7 +36278,7 @@ index acf6d4f..2fbb869 100644
')
optional_policy(`
-@@ -243,6 +269,8 @@ optional_policy(`
+@@ -243,6 +270,8 @@ optional_policy(`
')
optional_policy(`
@@ -36248,7 +36287,7 @@ index acf6d4f..2fbb869 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,23 +278,42 @@ optional_policy(`
+@@ -250,23 +279,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -36293,7 +36332,7 @@ index acf6d4f..2fbb869 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -302,5 +349,19 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -302,5 +350,19 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -39438,10 +39477,10 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..4978f18 100644
+index 4fde46b..9f468a5 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -15,18 +15,27 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
#
allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -39463,15 +39502,16 @@ index 4fde46b..4978f18 100644
+files_read_etc_runtime_files(gnomeclock_t)
files_read_usr_files(gnomeclock_t)
--auth_use_nsswitch(gnomeclock_t)
+fs_getattr_xattr_fs(gnomeclock_t)
++
+ auth_use_nsswitch(gnomeclock_t)
-clock_domtrans(gnomeclock_t)
-+auth_use_nsswitch(gnomeclock_t)
++logging_send_syslog_msg(gnomeclock_t)
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +44,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
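Review bot: The net change to gnomeclock.te here is a new `logging_send_syslog_msg(gnomeclock_t)` (the `auth_use_nsswitch` lines are only being moved back into place), but neither the commit message nor the spec changelog mentions gnomeclock, so the added syslog access is undocumented. A changelog line such as `- Allow gnomeclock to send syslog messages` would keep the record complete. The rest of the gnomeclock_t rules continue outside the hunk.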
@@ -63689,7 +63729,7 @@ index 4966c94..cb2e1a3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..b6fb17a 100644
+index 130ced9..351ed06 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -63774,13 +63814,15 @@ index 130ced9..b6fb17a 100644
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -106,12 +116,24 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,26 @@ interface(`xserver_restricted_role',`
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
+ xserver_read_xdm_etc_files($2)
+ xserver_xdm_append_log($2)
+
++ term_use_virtio_console($2)
++
+ modutils_run_insmod(xserver_t, $1)
# Client write xserver shm
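Review bot: `term_use_virtio_console($2)` inside `xserver_restricted_role` grants the user domain use of the virtio console device for every role that includes this interface, and the change is mentioned in neither the commit message nor the changelog; the virtio console is a hypervisor-facing channel, so it is worth recording which guest setup needs it and why it belongs in the restricted role rather than in a tunable or in the caller. A comment above the call, e.g. `# X sessions in virtual guests use the virtio console -- TODO: confirm which caller needs this`, plus a changelog entry would cover that. The interface body continues outside the hunk.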
@@ -63799,7 +63841,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -143,13 +165,15 @@ interface(`xserver_role',`
+@@ -143,13 +167,15 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
@@ -63817,7 +63859,7 @@ index 130ced9..b6fb17a 100644
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-@@ -162,7 +186,6 @@ interface(`xserver_role',`
+@@ -162,7 +188,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -63825,7 +63867,7 @@ index 130ced9..b6fb17a 100644
')
#######################################
-@@ -197,7 +220,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +222,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -63834,7 +63876,7 @@ index 130ced9..b6fb17a 100644
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -227,7 +250,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +252,7 @@ interface(`xserver_rw_session',`
type xserver_t, xserver_tmpfs_t;
')
@@ -63843,7 +63885,7 @@ index 130ced9..b6fb17a 100644
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
-@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +280,7 @@ interface(`xserver_non_drawing_client',`
allow $1 self:x_gc { create setattr };
@@ -63852,7 +63894,7 @@ index 130ced9..b6fb17a 100644
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +314,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +316,13 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -63870,7 +63912,7 @@ index 130ced9..b6fb17a 100644
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -342,19 +365,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +367,23 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -63897,7 +63939,7 @@ index 130ced9..b6fb17a 100644
')
##############################
-@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +415,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -63913,7 +63955,7 @@ index 130ced9..b6fb17a 100644
')
#######################################
-@@ -444,8 +480,9 @@ template(`xserver_object_types_template',`
+@@ -444,8 +482,9 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -63925,7 +63967,7 @@ index 130ced9..b6fb17a 100644
')
allow $2 self:shm create_shm_perms;
-@@ -456,11 +493,18 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,18 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
@@ -63946,7 +63988,7 @@ index 130ced9..b6fb17a 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +516,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +518,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -63975,7 +64017,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -63983,7 +64025,7 @@ index 130ced9..b6fb17a 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -549,6 +600,24 @@ interface(`xserver_domtrans_xauth',`
+@@ -549,6 +602,24 @@ interface(`xserver_domtrans_xauth',`
########################################
## <summary>
@@ -64008,7 +64050,7 @@ index 130ced9..b6fb17a 100644
## Create a Xauthority file in the user home directory.
## </summary>
## <param name="domain">
-@@ -598,6 +667,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +669,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -64016,7 +64058,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -615,7 +685,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +687,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -64025,7 +64067,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -638,6 +708,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +710,25 @@ interface(`xserver_rw_console',`
########################################
## <summary>
@@ -64051,7 +64093,7 @@ index 130ced9..b6fb17a 100644
## Use file descriptors for xdm.
## </summary>
## <param name="domain">
-@@ -651,7 +740,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +742,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -64060,7 +64102,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -670,7 +759,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +761,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -64069,7 +64111,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -688,7 +777,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +779,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -64078,7 +64120,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -703,12 +792,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +794,11 @@ interface(`xserver_rw_xdm_pipes',`
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -64092,7 +64134,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -724,11 +812,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +814,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -64126,7 +64168,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -752,6 +860,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +862,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
## <summary>
@@ -64152,7 +64194,7 @@ index 130ced9..b6fb17a 100644
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
-@@ -765,7 +892,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +894,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -64161,7 +64203,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -805,7 +932,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +934,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -64189,7 +64231,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -828,6 +974,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +976,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
## <summary>
@@ -64214,7 +64256,7 @@ index 130ced9..b6fb17a 100644
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -897,7 +1061,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1063,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -64223,7 +64265,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -916,7 +1080,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1082,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -64232,7 +64274,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -963,6 +1127,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1129,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -64278,7 +64320,7 @@ index 130ced9..b6fb17a 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1179,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1181,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -64287,7 +64329,7 @@ index 130ced9..b6fb17a 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1241,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1243,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -64330,7 +64372,7 @@ index 130ced9..b6fb17a 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1291,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1293,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -64339,7 +64381,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -1070,8 +1309,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1311,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -64351,7 +64393,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -1185,6 +1426,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1428,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -64378,7 +64420,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -1210,7 +1471,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1473,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -64387,7 +64429,7 @@ index 130ced9..b6fb17a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1481,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1483,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -64412,7 +64454,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -1243,10 +1514,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1516,458 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0fee544..7a72978 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 63%{?dist}
+Release: 64%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Dec 2 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-64
+- Use fs_use_xattr for squashf
+- Fix procs_type interface
+- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
+- Dovecot has a new fifo_file /var/run/stats-mail
+- Colord does not need to connect to network
+- Allow system_cronjob to dbus chat with NetworkManager
+- Puppet manages content, want to make sure it labels everything correctly
+
* Tue Nov 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-63
- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
- Allow all postfix domains to use the fifo_file