[selinux-policy/f15] * Tue Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-52 - Fix livecd_run() interface - Add la

Miroslav Grepl mgrepl at fedoraproject.org
Tue Mar 13 08:14:18 UTC 2012


commit 32e16aa9f4a99a6d0d9f6bfa859f359563c0424f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Mar 13 09:14:03 2012 +0100

    * Tue Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-52
    - Fix livecd_run() interface
    - Add labeling for /var/spool/postfix/dev/log
     * support postfix chroot
    - Allow sandbox_xserver_t to send signals
    - These are needed when CRL fetching is enabled
    - Razor labeling is no longer used
    - Add label for /sbin/xtables-multi
    - Add support for winshadow port and allow iscsid to connect to this port
    - Allow chrome_sandbox_t to send all signals to sandbox_nacl_t
    - Allow sandbox_nacl to setsched on its process
    - Dontaudit fail2ban looking at gnome content
    - fix label for /usr/lib(64)/iscan/network

 policy-F15.patch    |  144 ++++++++++++++++++++++++++++++++++-----------------
 selinux-policy.spec |   16 +++++-
 2 files changed, 111 insertions(+), 49 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 8f00f18..7220002 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -3134,7 +3134,7 @@ index 0000000..1553356
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..48c0b3c
+index 0000000..59d3561
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
 @@ -0,0 +1,180 @@
@@ -3281,7 +3281,7 @@ index 0000000..48c0b3c
 +# chrome_sandbox_nacl local policy
 +#
 +
-+allow chrome_sandbox_nacl_t self:process execmem;
++allow chrome_sandbox_nacl_t self:process { execmem setsched };
 +allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
 +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
 +allow chrome_sandbox_nacl_t self:shm create_shm_perms;
@@ -3291,7 +3291,7 @@ index 0000000..48c0b3c
 +
 +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
 +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
 +
 +manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
 +fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
@@ -5749,19 +5749,20 @@ index f63c4c2..bf59895 100644
  	policykit_dbus_chat(kdumpgui_t)
  ')
 diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
-index 12b772f..b67cf26 100644
+index 12b772f..1088fe0 100644
 --- a/policy/modules/apps/livecd.if
 +++ b/policy/modules/apps/livecd.if
-@@ -41,6 +41,8 @@ interface(`livecd_run',`
+@@ -41,6 +41,9 @@ interface(`livecd_run',`
  
  	livecd_domtrans($1)
  	role $2 types livecd_t;
-+	
++	role_transition $2 livecd_exec_t system_r;	
++
 +	seutil_run_setfiles_mac(livecd_t, $2)
  
  	optional_policy(`
  		mount_run(livecd_t, $2)
-@@ -49,6 +51,24 @@ interface(`livecd_run',`
+@@ -49,6 +52,24 @@ interface(`livecd_run',`
  
  ########################################
  ## <summary>
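Review bot: The added `role_transition $2 livecd_exec_t system_r;` carries a trailing tab after the semicolon, which this very hunk otherwise removes from the blank line it replaces; the line should end at `system_r;`. A role transition into system_r only succeeds if the caller's role is additionally allowed to change to system_r via a role allow rule (`allow $2 system_r;`), and neither this hunk nor the visible interface text shows one, so confirm the caller side provides it or the exec is likely to be denied. With the transition in place it is also worth confirming whether `role $2 types livecd_t;` on the line above is still needed, and a one-line comment explaining why both are kept would help the next reader. The enclosing `livecd_run` interface starts and ends outside this hunk.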
@@ -5786,7 +5787,7 @@ index 12b772f..b67cf26 100644
  ##	Read livecd temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -82,7 +102,7 @@ interface(`livecd_rw_tmp_files',`
+@@ -82,7 +103,7 @@ interface(`livecd_rw_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -8626,11 +8627,12 @@ index 0000000..6efdeca
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..1bc545e
+index 0000000..96ad58e
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,483 @@
+@@ -0,0 +1,484 @@
 +policy_module(sandbox,1.0.0)
++
 +dbus_stub()
 +attribute sandbox_domain;
 +attribute sandbox_x_domain;
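Review bot: The only change to sandbox.te in this commit is the blank line added after `policy_module(sandbox,1.0.0)`, yet the changelog claims "Allow sandbox_xserver_t to send signals". No rule granting signal permissions to sandbox_xserver_t appears anywhere in this diff, so either that rule was not committed or the changelog entry belongs to a different commit; please confirm before the build is tagged. Either way the stray blank line could be dropped rather than bumping the embedded hunk count from 483 to 484 lines.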
@@ -10404,7 +10406,7 @@ index 82842a0..4111a1d 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..94d031b 100644
+index 34c9d01..de77a15 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -10532,7 +10534,7 @@ index 34c9d01..94d031b 100644
 +# /usr/lib
 +#
 +
-+/usr/lib/iscan/network				--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/iscan/network				--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems/.*/agents(/.*)?				gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/virtualbox/VBoxManage				--	gen_context(system_u:object_r:bin_t,s0)
@@ -11606,7 +11608,7 @@ index 5a07a43..096bc60 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..d0b509a 100644
+index 0757523..79f6f19 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -11814,7 +11816,7 @@ index 0757523..d0b509a 100644
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -205,20 +253,23 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,20 +253,25 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -11827,6 +11829,8 @@ index 0757523..d0b509a 100644
  network_port(wccp, udp,2048,s0)
 +network_port(websm, tcp,9090,s0, udp,9090,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
++network_port(winshadow, tcp, 3261, s0, udp, 3261,s0)
++network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
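Review bot: The second added declaration, `network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)`, is not mentioned in the changelog, which only cites winshadow; either document it alongside winshadow or move it to its own change. Both new lines also mix `tcp, 3261, s0` with `udp, 3261,s0` spacing on the same line; `network_port(winshadow, tcp, 3261, s0, udp, 3261, s0)` keeps them consistent. These declarations presumably generate the `corenet_tcp_connect_winshadow_port`-style interfaces that the iscsi.te hunk later in this commit calls, so the caller's spelling should be checked against them.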
@@ -11841,7 +11845,7 @@ index 0757523..d0b509a 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -272,9 +323,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -272,9 +325,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -29307,7 +29311,7 @@ index f590a1f..26a6299 100644
 +	admin_pattern($1, fail2ban_tmp_t)
  ')
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..284cdfd 100644
+index 2a69e5e..04ca6a0 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
 @@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t)
@@ -29364,7 +29368,7 @@ index 2a69e5e..284cdfd 100644
  
  files_read_etc_files(fail2ban_t)
  files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +110,40 @@ optional_policy(`
+@@ -94,5 +110,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29405,6 +29409,11 @@ index 2a69e5e..284cdfd 100644
 +files_search_pids(fail2ban_client_t)
 +
 +miscfiles_read_localization(fail2ban_client_t)
++
++optional_policy(`
++	gnome_dontaudit_search_config(fail2ban_client_t)
++')
++
 diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
 index 6537214..7d64c0a 100644
 --- a/policy/modules/services/fetchmail.if
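Review bot: The final `+` line of this hunk appends an empty line at the end of fail2ban.te, leaving the file with a trailing blank line that the rest of the module does not have; drop that last added line so the file ends after the `')` closing the new `optional_policy` block. The dontaudit itself matches the "Dontaudit fail2ban looking at gnome content" changelog entry.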
@@ -41719,14 +41728,24 @@ index be05bff..2bd662a 100644
  
  	allow $1 radvd_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
-index 1efba0c..71d657c 100644
+index 1efba0c..bfda924 100644
 --- a/policy/modules/services/razor.fc
 +++ b/policy/modules/services/razor.fc
-@@ -1,3 +1,4 @@
-+/root/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
- HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
+@@ -1,8 +1,9 @@
+-HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
++#/root/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
++#HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
+ 
+-/etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
++#/etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
+ 
+-/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)
++#/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)
  
- /etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
+-/var/lib/razor(/.*)?		gen_context(system_u:object_r:razor_var_lib_t,s0)
+-/var/log/razor-agent\.log --	gen_context(system_u:object_r:razor_log_t,s0)
++#/var/lib/razor(/.*)?		gen_context(system_u:object_r:razor_var_lib_t,s0)
++#/var/log/razor-agent\.log --	gen_context(system_u:object_r:razor_log_t,s0)
 diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
 index f04a595..3203212 100644
 --- a/policy/modules/services/razor.if
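Review bot: The razor.fc entries are commented out rather than deleted, which leaves the file as nothing but dead `#`-prefixed specs. Since the same paths are relabelled to spamassassin types in the spamassassin.fc hunk that follows, the razor.fc lines can simply be removed; commented-out specs are easily mistaken for active ones and drift away from the live labelling. If the razor_home_t, razor_etc_t, razor_exec_t, razor_var_lib_t and razor_log_t types are now unreferenced by any file context, a short note in razor.te saying so would save the next maintainer the search.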
@@ -45257,10 +45276,10 @@ index 93fe7bf..4a15633 100644
  
  	allow $1 soundd_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
-index 6b3abf9..a785741 100644
+index 6b3abf9..21f3e07 100644
 --- a/policy/modules/services/spamassassin.fc
 +++ b/policy/modules/services/spamassassin.fc
-@@ -1,15 +1,28 @@
+@@ -1,15 +1,38 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 +/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -45291,6 +45310,16 @@ index 6b3abf9..a785741 100644
  /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
 +/var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 +/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
++
++/root/\.razor(/.*)?     gen_context(system_u:object_r:spamc_home_t,s0)
++HOME_DIR/\.razor(/.*)?      gen_context(system_u:object_r:spamc_home_t,s0)
++
++/etc/razor(/.*)?        gen_context(system_u:object_r:spamd_etc_t,s0)
++
++/usr/bin/razor.*    --  gen_context(system_u:object_r:spamc_exec_t,s0)
++
++/var/lib/razor(/.*)?        gen_context(system_u:object_r:spamd_var_lib_t,s0)
++/var/log/razor-agent\.log --    gen_context(system_u:object_r:spamd_log_t,s0)
 diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
 index c954f31..7f57f22 100644
 --- a/policy/modules/services/spamassassin.if
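Review bot: The new razor entries align the `gen_context()` column with runs of spaces while the surrounding spamassassin.fc lines, including `/var/spool/spamd(/.*)?` just above, align with tabs, so the block renders misaligned at any other tab width. Realign the five new lines with tabs, e.g. `/etc/razor(/.*)?		gen_context(system_u:object_r:spamd_etc_t,s0)`. Labelling `/usr/bin/razor.*` as spamc_exec_t presumably means the razor tools now run under whatever domain transitions exist for spamc_exec_t instead of the former razor_exec_t; a one-line comment above the block stating that razor is folded into the spamassassin domains would record that intent.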
@@ -55230,7 +55259,7 @@ index 8232f91..8897e32 100644
 +        allow ipsec_mgmt_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 98d6081..dc6114a 100644
+index 98d6081..a68d175 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -73,7 +73,7 @@ role system_r types setkey_t;
@@ -55265,7 +55294,7 @@ index 98d6081..dc6114a 100644
  
  kernel_read_kernel_sysctls(ipsec_t)
  kernel_list_proc(ipsec_t)
-@@ -127,13 +128,13 @@ corecmd_exec_bin(ipsec_t)
+@@ -127,19 +128,21 @@ corecmd_exec_bin(ipsec_t)
  
  # Pluto needs network access
  corenet_all_recvfrom_unlabeled(ipsec_t)
@@ -55285,7 +55314,15 @@ index 98d6081..dc6114a 100644
  corenet_tcp_bind_reserved_port(ipsec_t)
  corenet_tcp_bind_isakmp_port(ipsec_t)
  corenet_udp_bind_isakmp_port(ipsec_t)
-@@ -150,6 +151,7 @@ domain_use_interactive_fds(ipsec_t)
+ corenet_udp_bind_ipsecnat_port(ipsec_t)
+ corenet_sendrecv_generic_server_packets(ipsec_t)
+ corenet_sendrecv_isakmp_server_packets(ipsec_t)
++corenet_tcp_connect_http_port(ipsec_t)
++corenet_tcp_connect_ldap_port(ipsec_t)
+ 
+ dev_read_sysfs(ipsec_t)
+ dev_read_rand(ipsec_t)
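Review bot: `corenet_tcp_connect_http_port(ipsec_t)` and `corenet_tcp_connect_ldap_port(ipsec_t)` let pluto open outbound connections to any HTTP or LDAP server, but nothing in the hunk says why; the only explanation is the changelog's CRL remark. Add a comment above the two lines, e.g. `# CRL fetching: pluto retrieves CRLs over HTTP and LDAP`, so the grant is not later mistaken for leftover debugging. Since CRL fetching is optional, consider wrapping the two calls in a `tunable_policy()` block so installations that do not fetch CRLs keep ipsec_t off those ports; the `racoon_read_shadow` tunable later in this file shows the pattern already used in the module.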
+@@ -150,6 +153,7 @@ domain_use_interactive_fds(ipsec_t)
  files_list_tmp(ipsec_t)
  files_read_etc_files(ipsec_t)
  files_read_usr_files(ipsec_t)
@@ -55293,7 +55330,7 @@ index 98d6081..dc6114a 100644
  
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
-@@ -167,6 +169,8 @@ logging_send_syslog_msg(ipsec_t)
+@@ -167,6 +171,8 @@ logging_send_syslog_msg(ipsec_t)
  miscfiles_read_localization(ipsec_t)
  
  sysnet_domtrans_ifconfig(ipsec_t)
@@ -55302,7 +55339,7 @@ index 98d6081..dc6114a 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -185,8 +189,8 @@ optional_policy(`
+@@ -185,8 +191,8 @@ optional_policy(`
  #
  
  allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
@@ -55313,7 +55350,7 @@ index 98d6081..dc6114a 100644
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -225,7 +229,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
+@@ -225,7 +231,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
  manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -55321,7 +55358,7 @@ index 98d6081..dc6114a 100644
  
  # whack needs to connect to pluto
  stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -244,6 +247,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -244,6 +249,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -55339,7 +55376,7 @@ index 98d6081..dc6114a 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -258,7 +272,7 @@ dev_read_urand(ipsec_mgmt_t)
+@@ -258,7 +274,7 @@ dev_read_urand(ipsec_mgmt_t)
  
  domain_use_interactive_fds(ipsec_mgmt_t)
  # denials when ps tries to search /proc. Do not audit these denials.
@@ -55348,7 +55385,7 @@ index 98d6081..dc6114a 100644
  # suppress audit messages about unnecessary socket access
  # cjp: this seems excessive
  domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -276,8 +290,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -276,8 +292,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -55361,7 +55398,7 @@ index 98d6081..dc6114a 100644
  init_use_script_ptys(ipsec_mgmt_t)
  init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
-@@ -287,11 +304,11 @@ logging_send_syslog_msg(ipsec_mgmt_t)
+@@ -287,11 +306,11 @@ logging_send_syslog_msg(ipsec_mgmt_t)
  
  miscfiles_read_localization(ipsec_mgmt_t)
  
@@ -55375,7 +55412,7 @@ index 98d6081..dc6114a 100644
  
  userdom_use_user_terminals(ipsec_mgmt_t)
  
-@@ -300,6 +317,27 @@ optional_policy(`
+@@ -300,6 +319,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55403,7 +55440,7 @@ index 98d6081..dc6114a 100644
  	nscd_socket_use(ipsec_mgmt_t)
  ')
  
-@@ -352,12 +390,12 @@ corecmd_exec_shell(racoon_t)
+@@ -352,12 +392,12 @@ corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
  corenet_all_recvfrom_unlabeled(racoon_t)
@@ -55422,7 +55459,7 @@ index 98d6081..dc6114a 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -386,6 +424,8 @@ miscfiles_read_localization(racoon_t)
+@@ -386,6 +426,8 @@ miscfiles_read_localization(racoon_t)
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -55431,7 +55468,7 @@ index 98d6081..dc6114a 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +452,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
+@@ -412,6 +454,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
  files_read_etc_files(setkey_t)
  
  init_dontaudit_use_fds(setkey_t)
@@ -55439,17 +55476,17 @@ index 98d6081..dc6114a 100644
  
  # allow setkey to set the context for ipsec SAs and policy.
  corenet_setcontext_all_spds(setkey_t)
-@@ -423,4 +464,5 @@ miscfiles_read_localization(setkey_t)
+@@ -423,4 +466,5 @@ miscfiles_read_localization(setkey_t)
  seutil_read_config(setkey_t)
  
  userdom_use_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
  
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 13f62a6..fd99a6e 100644
+index 13f62a6..99a492e 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -1,12 +1,19 @@
+@@ -1,13 +1,22 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
 -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -55459,7 +55496,8 @@ index 13f62a6..fd99a6e 100644
  /sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ip6?tables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ip6?tables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- 
++/sbin/xtables-multi --  gen_context(system_u:object_r:iptables_exec_t,s0)
++
 +/sbin/ebtables			--  gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ebtables-restore	--  gen_context(system_u:object_r:iptables_exec_t,s0)
 +
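Review bot: Both new `xtables-multi` entries (`/sbin/xtables-multi` here and `/usr/sbin/xtables-multi` in the next hunk) align their `--` and `gen_context()` with spaces while the `ip6?tables-multi` and `iptables-multi` lines they sit next to use tabs; the Fedora ebtables/ipvsadm additions already mix spaces in, and these lines add to the drift. Use the same tabs as the upstream line above: `/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)`, and likewise for the /usr/sbin entry. The `iptables-multi` line above shows that `-multi` binaries are deliberately labelled iptables_exec_t, so a comment is not needed, but the changelog mentions only the /sbin path and should name both.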
@@ -55467,10 +55505,12 @@ index 13f62a6..fd99a6e 100644
 +/sbin/ipvsadm-restore   --  gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ipvsadm-save      --  gen_context(system_u:object_r:iptables_exec_t,s0)
 +
-+
+ 
  /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+ /usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/xtables-multi --  gen_context(system_u:object_r:iptables_exec_t,s0)
 diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
 index 5c94dfe..59bfb17 100644
 --- a/policy/modules/system/iptables.if
@@ -55609,7 +55649,7 @@ index 663a47b..ad0b864 100644
 +	allow $1 iscsid_t:sem create_sem_perms;
 +')
 diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
-index 1d1c399..b8f623a 100644
+index 1d1c399..57df496 100644
 --- a/policy/modules/system/iscsi.te
 +++ b/policy/modules/system/iscsi.te
 @@ -31,6 +31,7 @@ files_pid_file(iscsi_var_run_t)
@@ -55639,7 +55679,11 @@ index 1d1c399..b8f623a 100644
  
  corenet_all_recvfrom_unlabeled(iscsid_t)
  corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -76,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
+@@ -73,9 +76,12 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
+ corenet_tcp_connect_http_port(iscsid_t)
+ corenet_tcp_connect_iscsi_port(iscsid_t)
+ corenet_tcp_connect_isns_port(iscsid_t)
++corenet_tcp_connect_winshadow(iscsid_t)
  
  dev_rw_sysfs(iscsid_t)
  dev_rw_userio_dev(iscsid_t)
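Review bot: `corenet_tcp_connect_winshadow(iscsid_t)` does not follow the naming of the three calls directly above it, which all end in `_port` (`corenet_tcp_connect_isns_port` and so on). Interfaces for `network_port()` declarations are generated with that suffix, so unless corenetwork.if.in separately defines a bare `corenet_tcp_connect_winshadow`, this call will not expand and the module build is likely to fail; the line should read `corenet_tcp_connect_winshadow_port(iscsid_t)`. The winshadow port itself is declared in the corenetwork.te.in hunk earlier in this commit, so the two should be kept in step.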
@@ -55648,7 +55692,7 @@ index 1d1c399..b8f623a 100644
  
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
-@@ -91,5 +96,5 @@ logging_send_syslog_msg(iscsid_t)
+@@ -91,5 +97,5 @@ logging_send_syslog_msg(iscsid_t)
  miscfiles_read_localization(iscsid_t)
  
  optional_policy(`
@@ -56167,7 +56211,7 @@ index 2b7e5f3..76b4ce1 100644
 -	nscd_socket_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 571599b..ddaf246 100644
+index 571599b..60f4899 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
 @@ -17,6 +17,13 @@
@@ -56208,8 +56252,12 @@ index 571599b..ddaf246 100644
  
  ifndef(`distro_gentoo',`
  /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -54,18 +63,25 @@ ifdef(`distro_redhat',`
+@@ -52,20 +61,29 @@ ifndef(`distro_gentoo',`
+ ifdef(`distro_redhat',`
+ /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
  /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
++/var/spool/postfix/dev	  -d	gen_context(system_u:object_r:var_log_t,s0)	
++/var/spool/postfix/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
  ')
  
 -/var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
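Review bot: The added `/var/spool/postfix/dev	  -d	gen_context(system_u:object_r:var_log_t,s0)` line ends with a trailing tab after `s0)`; remove it so the line ends at the closing parenthesis, and tighten the `	  -d	` spacing to match the `-s` line below it. Labelling the postfix chroot's `dev` directory as var_log_t mirrors the named-chroot entry above, presumably so the syslog daemon can create the `dev/log` socket inside the chroot, but the directory is not a log directory, so a comment such as `# postfix chroot: syslogd creates the dev/log socket here` would keep the next reader from "correcting" the type.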
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f304304..ea276e2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 51%{?dist}
+Release: 52%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,20 @@ exit 0
 %endif
 
 %changelog
+* Tue Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-52
+- Fix livecd_run() interface
+- Add labeling for /var/spool/postfix/dev/log
+ * support postfix chroot
+- Allow sandbox_xserver_t to send signals
+- These are needed with CRL fetching is enabled
+- Razor labeling is not used no longer
+- Add label for /sbin/xtables-multi
+- Add support for winshadow port and allow iscsid to connect to this port
+- Allow chrome_sandbox_t to send all signals to sandbox_nacl_t
+- Allow sandbox_nacl to setsched on its process
+- Dontaudit fail2ban looking at gnome content
+- fix label for /usr/lib(64)/iscan/network
+
 * Thu Jan 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-51
 - Fix BOINC bug
 

