[selinux-policy/f15] - Allow spamd and clamd to steam connect to each other - Allow colord to execute ifconfig - Allow sm
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Nov 16 14:45:28 UTC 2011
commit f8860b48b302e992d77a10a48e1d750269e638d1
Author: Miroslav <mgrepl at redhat.com>
Date: Wed Nov 16 15:45:15 2011 +0100
- Allow spamd and clamd to stream connect to each other
- Allow colord to execute ifconfig
- Allow smbcontrol to signal themselves
- Make faillog MLS trusted to make sudo_$1_t working
policy-F15.patch | 214 ++++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 8 ++-
2 files changed, 167 insertions(+), 55 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 32d3d4e..23a501e 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -11582,7 +11582,7 @@ index 5a07a43..096bc60 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..794a39b 100644
+index 0757523..d0b509a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -11687,7 +11687,7 @@ index 0757523..794a39b 100644
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -126,43 +152,59 @@ network_port(iscsi, tcp,3260,s0)
+@@ -126,43 +152,60 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -11711,6 +11711,7 @@ index 0757523..794a39b 100644
+network_port(matahari, tcp,49000,s0, udp,49000,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
++network_port(mongod, tcp,27017,s0)
network_port(monopd, tcp,1234,s0)
+network_port(movaz_ssc, tcp,5252,s0)
+network_port(mpd, tcp,6600,s0)
@@ -11753,7 +11754,7 @@ index 0757523..794a39b 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -177,25 +219,30 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -177,25 +220,30 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -11789,7 +11790,7 @@ index 0757523..794a39b 100644
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -205,20 +252,23 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,20 +253,23 @@ network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -11816,7 +11817,7 @@ index 0757523..794a39b 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -272,9 +322,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -272,9 +323,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -23164,7 +23165,7 @@ index 1f11572..7f6a7ab 100644
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..a2e2d35 100644
+index f758323..73fd6d3 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,9 @@
@@ -23217,30 +23218,42 @@ index f758323..a2e2d35 100644
corenet_sendrecv_clamd_server_packets(clamd_t)
dev_read_rand(clamd_t)
-@@ -127,12 +132,16 @@ logging_send_syslog_msg(clamd_t)
+@@ -127,13 +132,6 @@ logging_send_syslog_msg(clamd_t)
miscfiles_read_localization(clamd_t)
-cron_use_fds(clamd_t)
-cron_use_system_job_fds(clamd_t)
-cron_rw_pipes(clamd_t)
-+optional_policy(`
+-
+-mta_read_config(clamd_t)
+-mta_send_mail(clamd_t)
+-
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+@@ -142,13 +140,30 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+ cron_use_fds(clamd_t)
+ cron_use_system_job_fds(clamd_t)
+ cron_rw_pipes(clamd_t)
+')
++
++optional_policy(`
+ exim_read_spool_files(clamd_t)
+ ')
--mta_read_config(clamd_t)
--mta_send_mail(clamd_t)
+optional_policy(`
+ mta_read_config(clamd_t)
+ mta_send_mail(clamd_t)
+')
-
- optional_policy(`
- amavis_read_lib_files(clamd_t)
-@@ -147,8 +156,10 @@ optional_policy(`
-
++
++optional_policy(`
++ spamd_stream_connect(clamd_t)
++')
++
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
-', `
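Review bot: The new `optional_policy(` block calls `spamd_stream_connect(clamd_t)`, but nothing on this page shows that interface being declared in spamassassin.if (the only spamassassin.if hunk visible is the admin_pattern context), so please confirm it already exists there or is added in the same series, otherwise the clamav module will fail to link. Wrapping the `cron_*` and `mta_*` calls in their own `optional_policy(` blocks is consistent with the `amavis_*` and `exim_*` blocks that follow, so that part of the rework reads fine. The clamd_t section continues past this hunk.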
@@ -23251,7 +23264,7 @@ index f758323..a2e2d35 100644
')
########################################
-@@ -178,10 +189,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +193,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -23270,7 +23283,7 @@ index f758323..a2e2d35 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +206,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +210,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -23278,7 +23291,7 @@ index f758323..a2e2d35 100644
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +225,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +229,18 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
@@ -23301,7 +23314,7 @@ index f758323..a2e2d35 100644
########################################
#
# clamscam local policy
-@@ -248,9 +268,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
+@@ -248,9 +272,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
@@ -23313,7 +23326,7 @@ index f758323..a2e2d35 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +286,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +290,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
@@ -23399,10 +23412,10 @@ index 0000000..b5058ac
+
diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
new file mode 100644
-index 0000000..917f8d4
+index 0000000..6451167
--- /dev/null
+++ b/policy/modules/services/cloudform.if
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,40 @@
+## <summary>cloudform policy</summary>
+
+#######################################
@@ -23424,11 +23437,28 @@ index 0000000..917f8d4
+ type $1_t, cloudform_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
++')
++
++######################################
++## <summary>
++## Execute mongod in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`cloudform_exec_mongod',`
++ gen_require(`
++ type mogod_exec_t;
++ ')
+
++ can_exec($1, mogod_exec_t)
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..51accbe
+index 0000000..b1f481a
--- /dev/null
+++ b/policy/modules/services/cloudform.te
@@ -0,0 +1,212 @@
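Review bot: The `gen_require` in the new `cloudform_exec_mongod` block names `type mogod_exec_t;` and the `can_exec($1, mogod_exec_t)` line repeats that spelling; no `mogod_*` type is declared anywhere on this page, while the cloudform.te hunk below uses `mongod_t` and `mongod_var_run_t`, so this looks like a typo for `mongod_exec_t`, the `$1_exec_t` that `cloudform_domain_template` declares. A require of an undeclared type should fail when the module is linked, so as written the block grants nothing. Suggested lines: `type mongod_exec_t;` and `can_exec($1, mongod_exec_t)`. It is also written as `template(` although it declares no types; an exec-in-caller-domain helper of this shape is conventionally an `interface(`, with `template(` reserved for `cloudform_domain_template` above.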
@@ -23595,7 +23625,7 @@ index 0000000..51accbe
+files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
+
+corenet_tcp_bind_generic_node(mongod_t)
-+corenet_tcp_bind_generic_port(mongod_t)
++corenet_tcp_bind_mongod_port(mongod_t)
+
+files_read_usr_files(mongod_t)
+
@@ -24642,10 +24672,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..76bf893
+index 0000000..2d54d11
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,135 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -24738,8 +24768,6 @@ index 0000000..76bf893
+
+miscfiles_read_localization(colord_t)
+
-+sysnet_dns_name_resolve(colord_t)
-+
+userdom_read_inherited_user_home_content_files(colord_t)
+userdom_rw_user_tmpfs_files(colord_t)
+
@@ -24770,6 +24798,11 @@ index 0000000..76bf893
+')
+
+optional_policy(`
++ sysnet_exec_ifconfig(colord_t)
++ sysnet_dns_name_resolve(colord_t)
++')
++
++optional_policy(`
+ udev_read_db(colord_t)
+')
+
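Review bot: The new `optional_policy` block grants `sysnet_exec_ifconfig(colord_t)` with no comment on what colord needs ifconfig for; the commit message only restates the rule. Running ifconfig inside colord_t (no domain transition) keeps it to colord's own permissions, which is the tighter choice, so a one-line note such as `# ifconfig runs in colord_t, no transition -- TODO: record why it is needed` would let a later reviewer judge whether the access is still required. Also, `sysnet_dns_name_resolve(colord_t)` was unconditional before (removed in the hunk just above) and is now inside `optional_policy`; that only preserves behaviour if sysnetwork is built as a loadable module in this tree, which the hunk does not show.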
@@ -44091,7 +44124,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..e27fb71 100644
+index e30bb63..d2dac53 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -44210,7 +44243,14 @@ index e30bb63..e27fb71 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +558,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -555,18 +553,20 @@ optional_policy(`
+ # smbcontrol local policy
+ #
+
++
++allow smbcontrol_t self:process signal;
+ # internal communication is often done using fifo and unix sockets.
+ allow smbcontrol_t self:fifo_file rw_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t nmbd_t:process { signal signull };
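Review bot: The added `allow smbcontrol_t self:process signal;` is introduced by a second blank line (the `++` right after the section banner) and sits above the `# internal communication is often done using fifo and unix sockets.` comment that opens the self rules; one blank line, with the rule placed after `allow smbcontrol_t self:fifo_file rw_file_perms;`, would match the layout of the other local-policy sections in samba.te. If the stray blank line is dropped, the inner header `@@ -555,18 +553,20 @@` needs its new-side count reduced by one. The smbcontrol section continues past this hunk.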
@@ -44228,7 +44268,7 @@ index e30bb63..e27fb71 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -644,8 +642,6 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,8 +644,6 @@ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
@@ -44237,7 +44277,7 @@ index e30bb63..e27fb71 100644
locallogin_use_fds(smbmount_t)
logging_search_logs(smbmount_t)
-@@ -657,6 +653,10 @@ optional_policy(`
+@@ -657,6 +655,10 @@ optional_policy(`
cups_read_rw_config(smbmount_t)
')
@@ -44248,7 +44288,7 @@ index e30bb63..e27fb71 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +677,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -44257,7 +44297,7 @@ index e30bb63..e27fb71 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +692,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -44272,7 +44312,7 @@ index e30bb63..e27fb71 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +712,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -44280,7 +44320,7 @@ index e30bb63..e27fb71 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +757,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +759,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -44289,7 +44329,7 @@ index e30bb63..e27fb71 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,15 +811,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -44311,7 +44351,7 @@ index e30bb63..e27fb71 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +839,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -44319,7 +44359,7 @@ index e30bb63..e27fb71 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -922,6 +929,18 @@ optional_policy(`
+@@ -922,6 +931,18 @@ optional_policy(`
#
optional_policy(`
@@ -44338,7 +44378,7 @@ index e30bb63..e27fb71 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +951,12 @@ optional_policy(`
+@@ -932,9 +953,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -45306,7 +45346,7 @@ index c954f31..7f57f22 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..b4c21bd 100644
+index ec1eb1e..29f86b2 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -6,54 +6,101 @@ policy_module(spamassassin, 2.4.0)
@@ -45624,7 +45664,7 @@ index ec1eb1e..b4c21bd 100644
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,22 +468,27 @@ files_read_var_lib_files(spamd_t)
+@@ -367,22 +468,31 @@ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
@@ -45642,6 +45682,10 @@ index ec1eb1e..b4c21bd 100644
userdom_search_user_home_dirs(spamd_t)
+optional_policy(`
++ clamav_stream_connect(spamd_t)
++')
++
++optional_policy(`
+ exim_manage_spool_dirs(spamd_t)
+ exim_manage_spool_files(spamd_t)
+')
@@ -45656,7 +45700,7 @@ index ec1eb1e..b4c21bd 100644
fs_manage_cifs_files(spamd_t)
')
-@@ -399,24 +505,24 @@ optional_policy(`
+@@ -399,24 +509,24 @@ optional_policy(`
')
optional_policy(`
@@ -45688,7 +45732,7 @@ index ec1eb1e..b4c21bd 100644
')
optional_policy(`
-@@ -424,9 +530,7 @@ optional_policy(`
+@@ -424,9 +534,7 @@ optional_policy(`
')
optional_policy(`
@@ -45699,7 +45743,7 @@ index ec1eb1e..b4c21bd 100644
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +541,10 @@ optional_policy(`
+@@ -437,6 +545,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -45710,7 +45754,7 @@ index ec1eb1e..b4c21bd 100644
')
optional_policy(`
-@@ -451,3 +559,51 @@ optional_policy(`
+@@ -451,3 +563,51 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
@@ -45881,7 +45925,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..7cf2180 100644
+index 22adaca..485666a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -46149,7 +46193,51 @@ index 22adaca..7cf2180 100644
files_search_pids($1)
')
-@@ -680,6 +713,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -643,6 +676,43 @@ interface(`ssh_agent_exec',`
+
+ ########################################
+ ## <summary>
++## Getattr ssh home directory
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_getattr_user_home_dir',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ allow $1 ssh_home_t:dir getattr;
++')
++
++########################################
++## <summary>
++## Dontaudit search ssh home directory
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_dontaudit_search_user_home_dir',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ dontaudit $1 ssh_home_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++>>>>>>> 6e8a117... Add ssh_dontaudit_search_home_dir
+ ## Read ssh home directory content
+ ## </summary>
+ ## <param name="domain">
+@@ -680,6 +750,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
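Review bot: The line `++>>>>>>> 6e8a117... Add ssh_dontaudit_search_home_dir` is a git conflict marker committed into the patch; it has no `##` prefix, so after the patch is applied it lands as literal text in ssh.if between the `## <summary>` opener and `## Read ssh home directory content`, which will most likely break the module build or at least the interface documentation. Remove that line; the matching `<<<<<<<` and `=======` halves are not visible in this hunk, so the applied file should be checked for the rest of the conflict as well, and the inner header `@@ -643,6 +676,43 @@` recounted. The two added interfaces `ssh_getattr_user_home_dir` and `ssh_dontaudit_search_user_home_dir` themselves follow the same `gen_require` shape as the existing `ssh_dontaudit_read_server_keys`.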
@@ -46182,7 +46270,7 @@ index 22adaca..7cf2180 100644
########################################
## <summary>
## Read ssh server keys
-@@ -695,7 +754,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +791,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -46191,7 +46279,7 @@ index 22adaca..7cf2180 100644
')
######################################
-@@ -735,3 +794,21 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +831,21 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -60917,10 +61005,10 @@ index eae5001..71e46b2 100644
-')
+attribute unconfined_services;
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..392d1ee 100644
+index db75976..1b82cb5 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,17 @@
+@@ -1,4 +1,18 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -60936,11 +61024,12 @@ index db75976..392d1ee 100644
+HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
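Review bot: The added context line `HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)?` leaves the dot in `.kde` unescaped, unlike the neighbouring `\.cert`, `\.pki`, `\.gvfs` and `\.debug` entries; in a file-contexts regex an unescaped `.` matches any character, so the pattern is wider than intended and inconsistent with the file's style. Change it to `HOME_DIR/\.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0)`. Labelling that directory `home_cert_t` is in line with the `\.cert` and `\.pki` entries around it.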
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..1ff8612 100644
+index 28b88de..1e62428 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -62861,7 +62950,7 @@ index 28b88de..1ff8612 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3139,3 +3729,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3729,1093 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -63938,6 +64027,23 @@ index 28b88de..1ff8612 100644
+ dontaudit $1 user_tmp_type:file read_file_perms;
+')
+
++#######################################
++## <summary>
++## Read and write unpriviledged user SysV sempaphores.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_rw_unpriv_user_semaphores',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:sem rw_sem_perms;
++')
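Review bot: The summary of the new `userdom_rw_unpriv_user_semaphores` interface misspells two words: `## Read and write unpriviledged user SysV sempaphores.` should read `## Read and write unprivileged user SysV semaphores.`. Since the rule is `allow $1 unpriv_userdomain:sem rw_sem_perms;`, i.e. read/write on the semaphores of every unprivileged user domain rather than of a single user, the summary would serve callers better if it said so, e.g. `## Read and write SysV semaphores owned by any unprivileged user domain.`.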
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index df29ca1..2a5c03d 100644
--- a/policy/modules/system/userdomain.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e875335..719a190 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 46%{?dist}
+Release: 47%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,12 @@ exit 0
%endif
%changelog
+* Wed Nov 16 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-47
+- Allow spamd and clamd to steam connect to each other
+- Allow colord to execute ifconfig
+- Allow smbcontrol to signal themselves
+- Make faillog MLS trusted to make sudo_$1_t working
+
* Mon Nov 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-46
- Backport MCS fixes from F16
- Other chrome fixes from F16