[selinux-policy/f15] * Tue Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-52 - Fix livecd_run() interface - Add la
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Mar 13 08:14:18 UTC 2012
commit 32e16aa9f4a99a6d0d9f6bfa859f359563c0424f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Mar 13 09:14:03 2012 +0100
* Tue Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-52
- Fix livecd_run() interface
- Add labeling for /var/spool/postfix/dev/log
* support postfix chroot
- Allow sandbox_xserver_t to send signals
- These are needed when CRL fetching is enabled
- Razor labeling is no longer used
- Add label for /sbin/xtables-multi
- Add support for winshadow port and allow iscsid to connect to this port
- Allow chrome_sandbox_t to send all signals to sandbox_nacl_t
- Allow sandbox_nacl to setsched on its process
- Dontaudit fail2ban looking at gnome content
- fix label for /usr/lib(64)/iscan/network
policy-F15.patch | 144 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 16 +++++-
2 files changed, 111 insertions(+), 49 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 8f00f18..7220002 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -3134,7 +3134,7 @@ index 0000000..1553356
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..48c0b3c
+index 0000000..59d3561
--- /dev/null
+++ b/policy/modules/apps/chrome.te
@@ -0,0 +1,180 @@
@@ -3281,7 +3281,7 @@ index 0000000..48c0b3c
+# chrome_sandbox_nacl local policy
+#
+
-+allow chrome_sandbox_nacl_t self:process execmem;
++allow chrome_sandbox_nacl_t self:process { execmem setsched };
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
@@ -3291,7 +3291,7 @@ index 0000000..48c0b3c
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
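Review bot: The new rule spells the signal set out by hand as `{ sigkill sigstop signull signal share }`, while the rest of this policy uses the `signal_perms` set for the same thing (see the `allow $1 radvd_t:process { ptrace signal_perms };` line further down in the same patch); `allow chrome_sandbox_t chrome_sandbox_nacl_t:process { signal_perms share };` is the conventional form and, if it matches the refpolicy definition, also includes sigchld, which the hand-written list omits although the changelog says "all signals". The changelog line "Allow sandbox_xserver_t to send signals" may be describing this rule; the domain it actually grants is chrome_sandbox_t, so one of the two should be corrected. The chrome_sandbox_nacl local policy section continues outside the hunk.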
@@ -5749,19 +5749,20 @@ index f63c4c2..bf59895 100644
policykit_dbus_chat(kdumpgui_t)
')
diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
-index 12b772f..b67cf26 100644
+index 12b772f..1088fe0 100644
--- a/policy/modules/apps/livecd.if
+++ b/policy/modules/apps/livecd.if
-@@ -41,6 +41,8 @@ interface(`livecd_run',`
+@@ -41,6 +41,9 @@ interface(`livecd_run',`
livecd_domtrans($1)
role $2 types livecd_t;
-+
++ role_transition $2 livecd_exec_t system_r;
++
+ seutil_run_setfiles_mac(livecd_t, $2)
optional_policy(`
mount_run(livecd_t, $2)
-@@ -49,6 +51,24 @@ interface(`livecd_run',`
+@@ -49,6 +52,24 @@ interface(`livecd_run',`
########################################
## <summary>
@@ -5786,7 +5787,7 @@ index 12b772f..b67cf26 100644
## Read livecd temporary files.
## </summary>
## <param name="domain">
-@@ -82,7 +102,7 @@ interface(`livecd_rw_tmp_files',`
+@@ -82,7 +103,7 @@ interface(`livecd_rw_tmp_files',`
')
files_search_tmp($1)
@@ -8626,11 +8627,12 @@ index 0000000..6efdeca
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..1bc545e
+index 0000000..96ad58e
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,483 @@
+@@ -0,0 +1,484 @@
+policy_module(sandbox,1.0.0)
++
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
@@ -10404,7 +10406,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..94d031b 100644
+index 34c9d01..de77a15 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -10532,7 +10534,7 @@ index 34c9d01..94d031b 100644
+# /usr/lib
+#
+
-+/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/iscan/network -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
@@ -11606,7 +11608,7 @@ index 5a07a43..096bc60 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..d0b509a 100644
+index 0757523..79f6f19 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -11814,7 +11816,7 @@ index 0757523..d0b509a 100644
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -205,20 +253,23 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,20 +253,25 @@ network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -11827,6 +11829,8 @@ index 0757523..d0b509a 100644
network_port(wccp, udp,2048,s0)
+network_port(websm, tcp,9090,s0, udp,9090,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
++network_port(winshadow, tcp, 3261, s0, udp, 3261,s0)
++network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
@@ -11841,7 +11845,7 @@ index 0757523..d0b509a 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
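Review bot: The `wsicopy` port (tcp/udp 3378) added next to winshadow is mentioned neither in the commit message nor in the spec changelog, which only cite winshadow; either drop it or list it so the new port type can be traced to a reason. Neither service name is self-explanatory, so a short comment above the two lines, `# 3261 winshadow, 3378 wsicopy (IANA registered names)`, would help the next reader. Note that `network_port()` generates interfaces named `corenet_*_winshadow_port`, so callers must use the `_port`-suffixed form.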
-@@ -272,9 +323,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -272,9 +325,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -29307,7 +29311,7 @@ index f590a1f..26a6299 100644
+ admin_pattern($1, fail2ban_tmp_t)
')
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..284cdfd 100644
+index 2a69e5e..04ca6a0 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t)
@@ -29364,7 +29368,7 @@ index 2a69e5e..284cdfd 100644
files_read_etc_files(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +110,40 @@ optional_policy(`
+@@ -94,5 +110,45 @@ optional_policy(`
')
optional_policy(`
@@ -29405,6 +29409,11 @@ index 2a69e5e..284cdfd 100644
+files_search_pids(fail2ban_client_t)
+
+miscfiles_read_localization(fail2ban_client_t)
++
++optional_policy(`
++ gnome_dontaudit_search_config(fail2ban_client_t)
++')
++
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
index 6537214..7d64c0a 100644
--- a/policy/modules/services/fetchmail.if
@@ -41719,14 +41728,24 @@ index be05bff..2bd662a 100644
allow $1 radvd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
-index 1efba0c..71d657c 100644
+index 1efba0c..bfda924 100644
--- a/policy/modules/services/razor.fc
+++ b/policy/modules/services/razor.fc
-@@ -1,3 +1,4 @@
-+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
- HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+@@ -1,8 +1,9 @@
+-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
++#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
++#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+
+-/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
++#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+
+-/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
++#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
- /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+-/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+-/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0)
++#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
++#/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index f04a595..3203212 100644
--- a/policy/modules/services/razor.if
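Review bot: Commenting out every entry of razor.fc leaves dead text in the file; if the razor labels are being retired in favour of the spamassassin ones, delete the lines (the history is in git) rather than keeping them as comments. With no file context left, the razor_* types that razor.te and razor.if still declare (razor.if is visible at the end of the hunk) can never be assigned to a file, so either retire those declarations too or note why they are kept. The actual effect of the change — `/usr/bin/razor.*` now carries a spamassassin type, so razor no longer runs in razor_t — is worth stating in the changelog instead of "not used no longer".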
@@ -45257,10 +45276,10 @@ index 93fe7bf..4a15633 100644
allow $1 soundd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
-index 6b3abf9..a785741 100644
+index 6b3abf9..21f3e07 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
-@@ -1,15 +1,28 @@
+@@ -1,15 +1,38 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -45291,6 +45310,16 @@ index 6b3abf9..a785741 100644
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
++
++/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++
++/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0)
++
++/usr/bin/razor.* -- gen_context(system_u:object_r:spamc_exec_t,s0)
++
++/var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
++/var/log/razor-agent\.log -- gen_context(system_u:object_r:spamd_log_t,s0)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index c954f31..7f57f22 100644
--- a/policy/modules/services/spamassassin.if
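Review bot: The new razor entries are appended after the `/var/spool` group instead of being placed with the `/root`, `/etc`, `/usr/bin` and `/var` groups the file is already ordered by (the `HOME_DIR`/`/root` lines at the top of the hunk show the convention), which makes duplicate or conflicting specs harder to spot later. `/usr/bin/razor.*` is unanchored and will also match any future binary whose name merely starts with `razor`; `/usr/bin/razor(-[a-z]+)? --` would be tighter if only the razor-admin/check/report/revoke tools are meant — confirm against the package file list. Labeling `/etc/razor` and `/var/lib/razor` with spamd_* types while the binaries get spamc_exec_t presumably relies on the spamc domain being able to read and write those spamd types; a one-line comment recording that intent would save the next reader the guess.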
@@ -55230,7 +55259,7 @@ index 8232f91..8897e32 100644
+ allow ipsec_mgmt_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 98d6081..dc6114a 100644
+index 98d6081..a68d175 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -73,7 +73,7 @@ role system_r types setkey_t;
@@ -55265,7 +55294,7 @@ index 98d6081..dc6114a 100644
kernel_read_kernel_sysctls(ipsec_t)
kernel_list_proc(ipsec_t)
-@@ -127,13 +128,13 @@ corecmd_exec_bin(ipsec_t)
+@@ -127,19 +128,21 @@ corecmd_exec_bin(ipsec_t)
# Pluto needs network access
corenet_all_recvfrom_unlabeled(ipsec_t)
@@ -55285,7 +55314,15 @@ index 98d6081..dc6114a 100644
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_isakmp_port(ipsec_t)
-@@ -150,6 +151,7 @@ domain_use_interactive_fds(ipsec_t)
+ corenet_udp_bind_ipsecnat_port(ipsec_t)
+ corenet_sendrecv_generic_server_packets(ipsec_t)
+ corenet_sendrecv_isakmp_server_packets(ipsec_t)
++corenet_tcp_connect_http_port(ipsec_t)
++corenet_tcp_connect_ldap_port(ipsec_t)
+
+ dev_read_sysfs(ipsec_t)
+ dev_read_rand(ipsec_t)
+@@ -150,6 +153,7 @@ domain_use_interactive_fds(ipsec_t)
files_list_tmp(ipsec_t)
files_read_etc_files(ipsec_t)
files_read_usr_files(ipsec_t)
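Review bot: `corenet_tcp_connect_http_port(ipsec_t)` and `corenet_tcp_connect_ldap_port(ipsec_t)` grant pluto unconditional outbound HTTP and LDAP, yet the commit message says they are only needed when CRL fetching is enabled; this file already gates optional behaviour behind a boolean (`tunable_policy(`racoon_read_shadow', ...)` further down), so wrapping these two lines in an `ipsec_fetch_crl`-style tunable would keep the IKE daemon's default attack surface unchanged. At minimum the two lines need a purpose comment, `# CRL fetching over HTTP and LDAP`, since nothing else in ipsec.te explains why an IKE daemon talks to web and directory servers. The ipsec_t network block continues outside the hunk.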
@@ -55293,7 +55330,7 @@ index 98d6081..dc6114a 100644
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
-@@ -167,6 +169,8 @@ logging_send_syslog_msg(ipsec_t)
+@@ -167,6 +171,8 @@ logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
@@ -55302,7 +55339,7 @@ index 98d6081..dc6114a 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -185,8 +189,8 @@ optional_policy(`
+@@ -185,8 +191,8 @@ optional_policy(`
#
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
@@ -55313,7 +55350,7 @@ index 98d6081..dc6114a 100644
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -225,7 +229,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
+@@ -225,7 +231,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -55321,7 +55358,7 @@ index 98d6081..dc6114a 100644
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -244,6 +247,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -244,6 +249,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -55339,7 +55376,7 @@ index 98d6081..dc6114a 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -258,7 +272,7 @@ dev_read_urand(ipsec_mgmt_t)
+@@ -258,7 +274,7 @@ dev_read_urand(ipsec_mgmt_t)
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@@ -55348,7 +55385,7 @@ index 98d6081..dc6114a 100644
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -276,8 +290,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -276,8 +292,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -55361,7 +55398,7 @@ index 98d6081..dc6114a 100644
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
-@@ -287,11 +304,11 @@ logging_send_syslog_msg(ipsec_mgmt_t)
+@@ -287,11 +306,11 @@ logging_send_syslog_msg(ipsec_mgmt_t)
miscfiles_read_localization(ipsec_mgmt_t)
@@ -55375,7 +55412,7 @@ index 98d6081..dc6114a 100644
userdom_use_user_terminals(ipsec_mgmt_t)
-@@ -300,6 +317,27 @@ optional_policy(`
+@@ -300,6 +319,27 @@ optional_policy(`
')
optional_policy(`
@@ -55403,7 +55440,7 @@ index 98d6081..dc6114a 100644
nscd_socket_use(ipsec_mgmt_t)
')
-@@ -352,12 +390,12 @@ corecmd_exec_shell(racoon_t)
+@@ -352,12 +392,12 @@ corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
@@ -55422,7 +55459,7 @@ index 98d6081..dc6114a 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -386,6 +424,8 @@ miscfiles_read_localization(racoon_t)
+@@ -386,6 +426,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
@@ -55431,7 +55468,7 @@ index 98d6081..dc6114a 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +452,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
+@@ -412,6 +454,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -55439,17 +55476,17 @@ index 98d6081..dc6114a 100644
# allow setkey to set the context for ipsec SAs and policy.
corenet_setcontext_all_spds(setkey_t)
-@@ -423,4 +464,5 @@ miscfiles_read_localization(setkey_t)
+@@ -423,4 +466,5 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 13f62a6..fd99a6e 100644
+index 13f62a6..99a492e 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,12 +1,19 @@
+@@ -1,13 +1,22 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -55459,7 +55496,8 @@ index 13f62a6..fd99a6e 100644
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
++/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
++
+/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
@@ -55467,10 +55505,12 @@ index 13f62a6..fd99a6e 100644
+/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
-+
+
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 5c94dfe..59bfb17 100644
--- a/policy/modules/system/iptables.if
@@ -55609,7 +55649,7 @@ index 663a47b..ad0b864 100644
+ allow $1 iscsid_t:sem create_sem_perms;
+')
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
-index 1d1c399..b8f623a 100644
+index 1d1c399..57df496 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -31,6 +31,7 @@ files_pid_file(iscsi_var_run_t)
@@ -55639,7 +55679,11 @@ index 1d1c399..b8f623a 100644
corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -76,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
+@@ -73,9 +76,12 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
+ corenet_tcp_connect_http_port(iscsid_t)
+ corenet_tcp_connect_iscsi_port(iscsid_t)
+ corenet_tcp_connect_isns_port(iscsid_t)
++corenet_tcp_connect_winshadow(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
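Review bot: `corenet_tcp_connect_winshadow(iscsid_t)` does not name an existing interface: the interfaces `network_port()` generates end in `_port`, as the three lines directly above it (`corenet_tcp_connect_http_port`, `_iscsi_port`, `_isns_port`) show, so the line should read `corenet_tcp_connect_winshadow_port(iscsid_t)`; as written it will not expand to any rule and the policy build should fail on it. A comment saying why iscsid needs port 3261 would also help, since nothing in the commit explains the connection between winshadow and iSCSI. The iscsid_t network block continues outside the hunk.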
@@ -55648,7 +55692,7 @@ index 1d1c399..b8f623a 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
-@@ -91,5 +96,5 @@ logging_send_syslog_msg(iscsid_t)
+@@ -91,5 +97,5 @@ logging_send_syslog_msg(iscsid_t)
miscfiles_read_localization(iscsid_t)
optional_policy(`
@@ -56167,7 +56211,7 @@ index 2b7e5f3..76b4ce1 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 571599b..ddaf246 100644
+index 571599b..60f4899 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,13 @@
@@ -56208,8 +56252,12 @@ index 571599b..ddaf246 100644
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -54,18 +63,25 @@ ifdef(`distro_redhat',`
+@@ -52,20 +61,29 @@ ifndef(`distro_gentoo',`
+ ifdef(`distro_redhat',`
+ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
++/var/spool/postfix/dev -d gen_context(system_u:object_r:var_log_t,s0)
++/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
-/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
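Review bot: `/var/spool/postfix/dev -d` is labeled var_log_t, the type for log directories, although it is the `dev` directory of the postfix chroot; this mirrors the named-chroot entry above it, where the directory really is `var/log`. If the choice is deliberate — presumably so that syslogd's existing file transition inside var_log_t directories creates the socket as devlog_t — say so with a comment, `# var_log_t so syslogd can create the devlog_t socket inside the postfix chroot`; otherwise a device-directory type would be the less surprising label, because every domain that manages logs also gets directory permissions on var_log_t. Whatever type is kept, postfix itself must be able to create and search that directory under it — confirm against postfix.te.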
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f304304..ea276e2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 51%{?dist}
+Release: 52%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,20 @@ exit 0
%endif
%changelog
+* Tue Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-52
+- Fix livecd_run() interface
+- Add labeling for /var/spool/postfix/dev/log
+ * support postfix chroot
+- Allow sandbox_xserver_t to send signals
+- These are needed with CRL fetching is enabled
+- Razor labeling is not used no longer
+- Add label for /sbin/xtables-multi
+- Add support for winshadow port and allow iscsid to connect to this port
+- Allow chrome_sandbox_t to send all signals to sandbox_nacl_t
+- Allow sandbox_nacl to setsched on its process
+- Dontaudit fail2ban looking at gnome content
+- fix label for /usr/lib(64)/iscan/network
+
* Thu Jan 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-51
- Fix BOINC bug