[selinux-policy/f16] +- Allow pwupdate to send mail +- Fix execmem_execmod() interface +- Allow pwupdate to send mail +-

Miroslav Grepl mgrepl at fedoraproject.org
Wed Sep 21 14:12:55 UTC 2011


commit 379dc13cd5c2b24ecfa274194227d8bd3460c2e8
Author: Miroslav <mgrepl at redhat.com>
Date:   Wed Sep 21 16:12:36 2011 +0200

    +- Allow pwupdate to send mail
    +- Fix execmem_execmod() interface
    +- Allow pwupdate to send mail
    +- nfsd is binding to the nfs port 2049
    +- Add additional gitweb file context labeling
    +- Allow logrotate to set its own keys

 policy-F16.patch    |  139 ++++++++++++++++++++++++++++++++------------------
 selinux-policy.spec |   12 ++++-
 2 files changed, 99 insertions(+), 52 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 4ff9a1d..45d7e6a 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1048,10 +1048,18 @@ index 4f7bd3c..a29af21 100644
 -	unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..6eac7b9 100644
+index 7090dae..c4bbe69 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
-@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+@@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
+ allow logrotate_t self:process setfscreate;
+ 
+ allow logrotate_t self:fd use;
++allow logrotate_t self:key manage_key_perms;
+ allow logrotate_t self:fifo_file rw_fifo_file_perms;
+ allow logrotate_t self:unix_dgram_socket create_socket_perms;
+ allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
+@@ -61,6 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
  # for /var/lib/logrotate.status and /var/lib/logcheck
  create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
  manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
@@ -1059,7 +1067,7 @@ index 7090dae..6eac7b9 100644
  files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
  
  kernel_read_system_state(logrotate_t)
-@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t)
+@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t)
  files_manage_generic_spool(logrotate_t)
  files_manage_generic_spool_dirs(logrotate_t)
  files_getattr_generic_locks(logrotate_t)
@@ -1067,7 +1075,7 @@ index 7090dae..6eac7b9 100644
  
  # cjp: why is this needed?
  init_domtrans_script(logrotate_t)
-@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +119,15 @@ miscfiles_read_localization(logrotate_t)
  
  seutil_dontaudit_read_config(logrotate_t)
  
@@ -1090,7 +1098,7 @@ index 7090dae..6eac7b9 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -162,10 +162,20 @@ optional_policy(`
+@@ -162,10 +163,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1111,7 +1119,7 @@ index 7090dae..6eac7b9 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -203,7 +213,6 @@ optional_policy(`
+@@ -203,7 +214,6 @@ optional_policy(`
  	psad_domtrans(logrotate_t)
  ')
  
@@ -1119,7 +1127,7 @@ index 7090dae..6eac7b9 100644
  optional_policy(`
  	samba_exec_log(logrotate_t)
  ')
-@@ -228,3 +237,14 @@ optional_policy(`
+@@ -228,3 +238,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -12389,7 +12397,7 @@ index 4f3b542..5a41e58 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..9a30b71 100644
+index 99b71cb..5287f7a 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,14 @@ attribute netif_type;
@@ -12506,13 +12514,11 @@ index 99b71cb..9a30b71 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -114,12 +148,13 @@ network_port(hadoop_namenode, tcp,8020,s0)
- network_port(hddtemp, tcp,7634,s0)
+@@ -115,11 +149,12 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
--network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+ network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 -network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
-+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,  tcp,18001,s0) #8443 is mod_nss default port #18001 is used for jboss
 +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
@@ -12530,7 +12536,7 @@ index 99b71cb..9a30b71 100644
 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 +network_port(jabber_router, tcp,5347,s0)
-+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0)
++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 18001, s0)
 +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
 +network_port(kerberos_admin, tcp,749,s0)
 +network_port(kerberos_password, tcp,464,s0, udp,464,s0)
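Review bot: The new `tcp, 18001, s0` tuple appended to the jboss_management line is written with spaces after the commas, unlike every other tuple on that line and on the neighbouring lines (`tcp,9123,s0`); write it as `tcp,18001,s0` so the line follows the file's convention. Because the preceding hunk drops 18001 from the http port definition, any domain that previously reached 18001 through the http port interfaces now needs the jboss_management ones — presumably the intent, but worth confirming against the jboss domain rules, which are outside this diff.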
@@ -12551,7 +12557,11 @@ index 99b71cb..9a30b71 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -155,13 +195,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+@@ -152,16 +192,25 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+ network_port(nessus, tcp,1241,s0)
+ network_port(netport, tcp,3129,s0, udp,3129,s0)
+ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
++network_port(nfs, tcp,2049,s0, udp,2049,s0)
  network_port(nmbd, udp,137,s0, udp,138,s0)
  network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
  network_port(ntp, udp,123,s0)
@@ -12574,7 +12584,7 @@ index 99b71cb..9a30b71 100644
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
-@@ -179,30 +227,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,30 +228,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
@@ -12614,7 +12624,7 @@ index 99b71cb..9a30b71 100644
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -215,7 +268,7 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,7 +269,7 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -12623,7 +12633,7 @@ index 99b71cb..9a30b71 100644
  network_port(wccp, udp,2048,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
-@@ -229,6 +282,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +283,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -12631,7 +12641,7 @@ index 99b71cb..9a30b71 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +292,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +293,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -12640,7 +12650,7 @@ index 99b71cb..9a30b71 100644
  
  ########################################
  #
-@@ -282,9 +338,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +339,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -21416,7 +21426,7 @@ index 0b827c5..bfb68b2 100644
 +	dontaudit $1 abrt_t:sock_file write;
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..ee2d7f1 100644
+index 30861ec..bd5ff95 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -21513,15 +21523,17 @@ index 30861ec..ee2d7f1 100644
  rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
  
  # log file
-@@ -69,6 +119,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +118,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+ # abrt tmp files
  manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
++manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
 +can_exec(abrt_t, abrt_tmp_t)
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
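Review bot: `manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)` lets abrt_t create, rename and unlink symlinks in a tmp type that the `can_exec(abrt_t, abrt_tmp_t)` line two lines below (already in the patch) also lets it execute, so write and exec now both apply to symlinked content under one label; if abrt only follows existing links, `read_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)` would be the narrower rule. The `# abrt tmp files` header above does not say why symlinks are needed, so add a short why-comment on the new line — hedged, since nothing on the page shows the triggering denial.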
-@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +134,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -21533,7 +21545,7 @@ index 30861ec..ee2d7f1 100644
  kernel_rw_kernel_sysctl(abrt_t)
  
  corecmd_exec_bin(abrt_t)
-@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +155,7 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
@@ -21541,7 +21553,7 @@ index 30861ec..ee2d7f1 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -21551,7 +21563,7 @@ index 30861ec..ee2d7f1 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -21560,7 +21572,7 @@ index 30861ec..ee2d7f1 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,15 +185,23 @@ fs_read_nfs_files(abrt_t)
+@@ -131,15 +186,23 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -21587,7 +21599,7 @@ index 30861ec..ee2d7f1 100644
  
  optional_policy(`
  	dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +212,11 @@ optional_policy(`
+@@ -150,6 +213,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21599,7 +21611,7 @@ index 30861ec..ee2d7f1 100644
  	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
-@@ -167,6 +234,7 @@ optional_policy(`
+@@ -167,6 +235,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -21607,7 +21619,7 @@ index 30861ec..ee2d7f1 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +246,35 @@ optional_policy(`
+@@ -178,12 +247,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21644,7 +21656,7 @@ index 30861ec..ee2d7f1 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +291,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +292,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -21673,7 +21685,7 @@ index 30861ec..ee2d7f1 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +314,126 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +315,126 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -30227,7 +30239,7 @@ index 25546bc..4def4f7 100644
  /var/imap(/.*)?					gen_context(system_u:object_r:cyrus_var_lib_t,s0)
  /var/lib/imap(/.*)?				gen_context(system_u:object_r:cyrus_var_lib_t,s0)
 diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
-index a01be9d..f82c32f 100644
+index a01be9d..01f2f23 100644
 --- a/policy/modules/services/cyrus.te
 +++ b/policy/modules/services/cyrus.te
 @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -30239,7 +30251,15 @@ index a01be9d..f82c32f 100644
  dontaudit cyrus_t self:capability sys_tty_config;
  allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow cyrus_t self:process setrlimit;
-@@ -119,6 +119,10 @@ optional_policy(`
+@@ -73,6 +73,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t)
+ corenet_tcp_bind_generic_node(cyrus_t)
+ corenet_tcp_bind_mail_port(cyrus_t)
+ corenet_tcp_bind_lmtp_port(cyrus_t)
++corenet_tcp_bind_innd_port(cyrus_t)
+ corenet_tcp_bind_pop_port(cyrus_t)
+ corenet_tcp_bind_sieve_port(cyrus_t)
+ corenet_tcp_connect_all_ports(cyrus_t)
+@@ -119,6 +120,10 @@ optional_policy(`
  ')
  
  optional_policy(`
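Review bot: `corenet_tcp_bind_innd_port(cyrus_t)` binds cyrus to a port named after a different daemon with no comment, which a later reader can easily mistake for a typo; the likely reason is the nntpd shipped with cyrus-imapd listening on the NNTP port, but nothing on the page confirms it. Add a comment above the line such as `# cyrus nntpd serves NNTP on the innd port` once that is confirmed against the denial that motivated the change.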
@@ -30250,7 +30270,7 @@ index a01be9d..f82c32f 100644
  	kerberos_keytab_template(cyrus, cyrus_t)
  ')
  
-@@ -135,6 +139,7 @@ optional_policy(`
+@@ -135,6 +140,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34674,10 +34694,10 @@ index 99a94de..6dbc203 100644
  files_search_etc(gatekeeper_t)
  
 diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
-index 54f0737..2b552c5 100644
+index 54f0737..44a9663 100644
 --- a/policy/modules/services/git.fc
 +++ b/policy/modules/services/git.fc
-@@ -1,3 +1,13 @@
+@@ -1,3 +1,17 @@
 +HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_session_content_t,s0)
 +HOME_DIR/\.gitaliases	--	gen_context(system_u:object_r:git_session_content_t,s0)
 +HOME_DIR/\.gitconfig	--	gen_context(system_u:object_r:git_session_content_t,s0)
@@ -34688,10 +34708,14 @@ index 54f0737..2b552c5 100644
 +
  /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
 -/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
++/var/cache/gitweb-caching(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
++
 +/var/lib/git(/.*)?		gen_context(system_u:object_r:git_system_content_t,s0)
++
  /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
 +/var/www/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
-+/var/www/git/gitweb.cgi		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/git/gitweb\.cgi		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/gitweb-caching/gitweb\.cgi		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
 diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
 index 458aac6..8e83609 100644
 --- a/policy/modules/services/git.if
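Review bot: `/var/www/gitweb-caching/gitweb\.cgi` is labelled as a script, but nothing labels the rest of `/var/www/gitweb-caching`, so its other files presumably fall back to the generic /var/www rule rather than to httpd_git_content_t as `/var/www/git(/.*)?` provides for the plain gitweb tree; if gitweb-caching is installed as a full tree, add `/var/www/gitweb-caching(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)` beside the cgi line. Both gitweb.cgi entries also omit the `--` file-class specifier that the `/var/www/cgi-bin/cgit` line uses; adding it restricts the exec label to regular files.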
@@ -42732,7 +42756,7 @@ index abe3f7f..2de87de 100644
 +	nis_systemctl($1)
  ')
 diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..5f29ad9 100644
+index 4876cae..dccdc78 100644
 --- a/policy/modules/services/nis.te
 +++ b/policy/modules/services/nis.te
 @@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t)
@@ -42783,7 +42807,18 @@ index 4876cae..5f29ad9 100644
  allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
  allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
  allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -224,8 +231,8 @@ optional_policy(`
+@@ -211,6 +218,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    mta_send_mail(yppasswdd_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(yppasswdd_t)
+ ')
+ 
+@@ -224,8 +235,8 @@ optional_policy(`
  #
  
  dontaudit ypserv_t self:capability sys_tty_config;
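Review bot: The new `optional_policy` body `mta_send_mail(yppasswdd_t)` is indented with four spaces, while the surrounding blocks such as `seutil_sigchld_newrole(yppasswdd_t)` use a tab; use a tab so the file stays consistent. The commit message lists "Allow pwupdate to send mail" twice, and this hunk appears to be the only change for it.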
@@ -50680,7 +50715,7 @@ index cda37bb..484e552 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..fb0f852 100644
+index b1468ed..66a585d 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -50758,7 +50793,7 @@ index b1468ed..fb0f852 100644
  ########################################
  #
  # NFSD local policy
-@@ -120,6 +133,9 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,9 +133,13 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  kernel_read_system_state(nfsd_t)
  kernel_read_network_state(nfsd_t)
  kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -50768,7 +50803,11 @@ index b1468ed..fb0f852 100644
  
  corenet_tcp_bind_all_rpc_ports(nfsd_t)
  corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -148,6 +164,8 @@ storage_raw_read_removable_device(nfsd_t)
++corenet_tcp_bind_nfs_port(nfsd_t)
+ 
+ dev_dontaudit_getattr_all_blk_files(nfsd_t)
+ dev_dontaudit_getattr_all_chr_files(nfsd_t)
+@@ -148,6 +165,8 @@ storage_raw_read_removable_device(nfsd_t)
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
  
@@ -50777,7 +50816,7 @@ index b1468ed..fb0f852 100644
  # Write access to public_content_t and public_content_rw_t
  tunable_policy(`allow_nfsd_anon_write',`
  	miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +176,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +177,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -50785,7 +50824,7 @@ index b1468ed..fb0f852 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +187,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +188,7 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -50795,7 +50834,7 @@ index b1468ed..fb0f852 100644
  ')
  
  ########################################
-@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +198,7 @@ tunable_policy(`nfs_export_all_ro',`
  
  allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
  allow gssd_t self:process { getsched setsched };
@@ -50804,7 +50843,7 @@ index b1468ed..fb0f852 100644
  
  manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +215,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +216,7 @@ corecmd_exec_bin(gssd_t)
  fs_list_rpc(gssd_t)
  fs_rw_rpc_sockets(gssd_t)
  fs_read_rpc_files(gssd_t)
@@ -50812,7 +50851,7 @@ index b1468ed..fb0f852 100644
  
  fs_list_inotifyfs(gssd_t)
  files_list_tmp(gssd_t)
-@@ -210,14 +227,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +228,14 @@ auth_manage_cache(gssd_t)
  
  miscfiles_read_generic_certs(gssd_t)
  
@@ -50829,7 +50868,7 @@ index b1468ed..fb0f852 100644
  ')
  
  optional_policy(`
-@@ -229,6 +246,10 @@ optional_policy(`
+@@ -229,6 +247,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53773,7 +53812,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..d9c1d90 100644
+index 22adaca..0d987fd 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,10 @@
@@ -53870,7 +53909,7 @@ index 22adaca..d9c1d90 100644
  
  	kernel_read_kernel_sysctls($1_t)
  	kernel_read_network_state($1_t)
-+	kernel_request_load_module(ssh_t)
++	kernel_request_load_module($1_t)
  
  	corenet_all_recvfrom_unlabeled($1_t)
  	corenet_all_recvfrom_netlabel($1_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6dfe590..f1c7240 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -13,11 +13,11 @@
 %define POLICYVER 26
 %define libsepolver 2.0.44-2
 %define POLICYCOREUTILSVER 2.0.86-12
-%define CHECKPOLICYVER 2.1.3-1.1
+%define CHECKPOLICYVER 2.1.3-1.2
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 31%{?dist}
+Release: 32%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -468,6 +468,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Sep 21 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-32
+- Allow pwupdate to send mail
+- Fix execmem_execmod() interface
+- Allow pwupdate to send mail
+- nfsd is binding to the nfs port 2049
+- Add additional gitweb file context labeling
+- Allow logrotate to set its own keys
+
 * Tue Sep 20 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-31
 - Needs to require a new version of checkpolicy
 - Interface fixes

