[selinux-policy/f17] * Mon Mar 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-103 - Add a new type for /etc/firewalld

Miroslav Grepl mgrepl at fedoraproject.org
Mon Mar 19 16:26:05 UTC 2012


commit ffb9a931f2e4ffae9bd419c0db064cccf0c7ba78
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Mar 19 17:25:49 2012 +0100

    * Mon Mar 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-103
    - Add a new type for /etc/firewalld and allow firewalld to write to this directory
    - Add definition for ~/Maildir, and allow mail deliver domains to write there
    - Allow polipo to run from a cron job
    - Allow rtkit to schedule wine processes
    - Allow mozilla_plugin_t to acquire a bus, and allow it to transition gnome content in the home dir to the proper label
    - Allow user domains to send signals to consolehelper domains

 policy-F16.patch    |  159 +++++++++++++++++++++++++++++++++++---------------
 selinux-policy.spec |   10 +++-
 2 files changed, 120 insertions(+), 49 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 9e1d2c3..4dc5ccb 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -56151,10 +56151,10 @@ index 1308871..c994c93 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index bf24160..adfca50 100644
+index bf24160..4c5554c 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
-@@ -862,3 +862,17 @@ inherits database
+@@ -862,3 +862,26 @@ inherits database
  	implement
  	execute
  }
@@ -56166,6 +56166,15 @@ index bf24160..adfca50 100644
 +	status
 +	reload
 +	kill
++	load
++	enable
++	disable
++}
++
++class systemd
++{
++	halt
++	reboot
 +}
 +
 +class proxy
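Review bot: The new `systemd` security class (`halt`, `reboot`) and the `load`/`enable`/`disable` permissions added to the `service` class are not mentioned in the commit message or in the spec changelog, which lists only the six bullet items. A new class in access_vectors must also be declared in security_classes, which the later security_classes hunk does, so the two are consistent; what is missing is a record of the change itself. A changelog line such as `- Add systemd security class and load/enable/disable service permissions` would let anyone auditing which policy versions know these object classes find it. The nested access_vectors diff begins before this hunk.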
@@ -56173,16 +56182,19 @@ index bf24160..adfca50 100644
 +	read
 +}
 diff --git a/policy/flask/security_classes b/policy/flask/security_classes
-index 14a4799..db2e4a0 100644
+index 14a4799..4582f92 100644
 --- a/policy/flask/security_classes
 +++ b/policy/flask/security_classes
-@@ -131,4 +131,11 @@ class db_view			# userspace
+@@ -131,4 +131,14 @@ class db_view			# userspace
  class db_sequence		# userspace
  class db_language		# userspace
  
 +# systemd services 
 +class service 
 +
++# systemd commands
++class systemd
++
 +# gssd services 
 +class proxy
 +
@@ -64612,7 +64624,7 @@ index fbb5c5a..094d03b 100644
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..ac078ba 100644
+index 2e9318b..15a4200 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -64846,7 +64858,12 @@ index 2e9318b..ac078ba 100644
  
  optional_policy(`
  	alsa_read_rw_config(mozilla_plugin_t)
-@@ -425,7 +443,13 @@ optional_policy(`
+@@ -421,11 +439,19 @@ optional_policy(`
+ optional_policy(`
+ 	dbus_system_bus_client(mozilla_plugin_t)
+ 	dbus_session_bus_client(mozilla_plugin_t)
++	dbus_connect_session_bus(mozilla_plugin_t)
+ 	dbus_read_lib_files(mozilla_plugin_t)
  ')
  
  optional_policy(`
@@ -64857,10 +64874,11 @@ index 2e9318b..ac078ba 100644
 +optional_policy(`
  	gnome_manage_config(mozilla_plugin_t)
 +	gnome_read_usr_config(mozilla_plugin_t)
++	gnome_filetrans_home_content(mozilla_plugin_t)
  ')
  
  optional_policy(`
-@@ -438,18 +462,98 @@ optional_policy(`
+@@ -438,18 +464,98 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -68691,7 +68709,7 @@ index e70b0e8..cd83b89 100644
  /usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
-index ced285a..bdfe8dd 100644
+index ced285a..d2e2ce8 100644
 --- a/policy/modules/apps/userhelper.if
 +++ b/policy/modules/apps/userhelper.if
 @@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -68731,7 +68749,7 @@ index ced285a..bdfe8dd 100644
  		tunable_policy(`! secure_mode',`
  			#if we are not in secure mode then we can transition to sysadm_t
  			sysadm_bin_spec_domtrans($1_userhelper_t)
-@@ -256,3 +248,87 @@ interface(`userhelper_exec',`
+@@ -256,3 +248,88 @@ interface(`userhelper_exec',`
  
  	can_exec($1, userhelper_exec_t)
  ')
@@ -68776,6 +68794,7 @@ index ced285a..bdfe8dd 100644
 +
 +	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
 +
++	allow $3 $1_consolehelper_t:process signal;
 +	allow $3 $1_consolehelper_t:dbus send_msg;
 +	allow $1_consolehelper_t $3:dbus send_msg;
 +
@@ -69167,7 +69186,7 @@ index f9a73d0..00a98f1 100644
  		xserver_role($1_r, $1_wine_t)
  	')
 diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
-index be9246b..e3de8fa 100644
+index be9246b..90848c7 100644
 --- a/policy/modules/apps/wine.te
 +++ b/policy/modules/apps/wine.te
 @@ -40,7 +40,7 @@ domain_mmap_low(wine_t)
@@ -69179,6 +69198,17 @@ index be9246b..e3de8fa 100644
  
  tunable_policy(`wine_mmap_zero_ignore',`
  	dontaudit wine_t self:memprotect mmap_zero;
+@@ -55,6 +55,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	rtkit_scheduled(wine_t)
++')
++
++optional_policy(`
+ 	unconfined_domain(wine_t)
+ ')
+ 
 diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
 index 8bfe97d..356e2a1 100644
 --- a/policy/modules/apps/wireshark.te
@@ -92787,7 +92817,7 @@ index 1a1becd..115133d 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..4327f89 100644
+index 1bff6ee..eac8b72 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -92877,7 +92907,7 @@ index 1bff6ee..4327f89 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -151,12 +174,156 @@ optional_policy(`
+@@ -151,12 +174,160 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92898,7 +92928,7 @@ index 1bff6ee..4327f89 100644
  #
 -# Unconfined access to this module
 +# system_bus_type rules
-+#
+ #
 +role system_r types system_bus_type;
 +
 +fs_search_all(system_bus_type)
@@ -92912,7 +92942,7 @@ index 1bff6ee..4327f89 100644
 +init_rw_stream_sockets(system_bus_type)
 +
 +ps_process_pattern(system_dbusd_t, system_bus_type)
-+
+ 
 +userdom_dontaudit_search_admin_dir(system_bus_type)
 +userdom_read_all_users_state(system_bus_type)
 +
@@ -92935,7 +92965,7 @@ index 1bff6ee..4327f89 100644
 +########################################
 +#
 +# session_bus_type rules
- #
++#
 +dontaudit session_bus_type self:capability sys_resource;
 +allow session_bus_type self:process { getattr sigkill signal };
 +dontaudit session_bus_type self:process setrlimit;
@@ -93010,7 +93040,7 @@ index 1bff6ee..4327f89 100644
 +userdom_manage_user_home_content_dirs(session_bus_type)
 +userdom_manage_user_home_content_files(session_bus_type)
 +userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
- 
++
 +optional_policy(`
 +	gnome_read_gconf_home_files(session_bus_type)
 +')
@@ -93020,6 +93050,10 @@ index 1bff6ee..4327f89 100644
 +')
 +
 +optional_policy(`
++	thumb_domtrans(session_bus_type)
++')
++
++optional_policy(`
 +	xserver_search_xdm_lib(session_bus_type)
 +	xserver_use_xdm_fds(session_bus_type)
 +	xserver_rw_xdm_pipes(session_bus_type)
@@ -97159,13 +97193,14 @@ index 9b7036a..4770f61 100644
  
 diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
 new file mode 100644
-index 0000000..ba9a7a9
+index 0000000..9e82406
 --- /dev/null
 +++ b/policy/modules/services/firewalld.fc
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,11 @@
 +
 +/etc/rc\.d/init\.d/firewalld	--	gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
 +
++/etc/firewalld(/.*)?		gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 +
 +/usr/sbin/firewalld		--	gen_context(system_u:object_r:firewalld_exec_t,s0)
 +
@@ -97257,10 +97292,10 @@ index 0000000..06462d4
 +')
 diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
 new file mode 100644
-index 0000000..2cce24c
+index 0000000..1a5d643
 --- /dev/null
 +++ b/policy/modules/services/firewalld.te
-@@ -0,0 +1,76 @@
+@@ -0,0 +1,81 @@
 +
 +policy_module(firewalld,1.0.0)
 +
@@ -97276,6 +97311,9 @@ index 0000000..2cce24c
 +type firewalld_initrc_exec_t;
 +init_script_file(firewalld_initrc_exec_t)
 +
++type firewalld_etc_rw_t;
++files_config_file(firewalld_etc_rw_t)
++
 +type firewalld_var_log_t;
 +logging_log_file(firewalld_var_log_t)
 +
@@ -97290,6 +97328,8 @@ index 0000000..2cce24c
 +allow firewalld_t self:fifo_file rw_fifo_file_perms;
 +allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
 +
++rw_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
++
 +append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
 +create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
 +read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
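Review bot: `rw_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)` grants read/write on files that already exist under /etc/firewalld but not creating, unlinking or renaming them, nor writing the directory itself, so the changelog's "allow firewalld to write to this directory" is only partly covered if firewalld creates new files there (this hunk does not show whether it does). If that access turns out to be needed, the usual form is `manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)` and `manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)`; otherwise the narrower rule is the better least-privilege choice and deserves a comment such as `# firewalld only rewrites existing config files under /etc/firewalld` so it is not widened later by reflex. The firewalld.te module continues outside this hunk.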
@@ -104506,18 +104546,19 @@ index 7f68872..36ff69d 100644
 +    xserver_dontaudit_read_xdm_pid(mpd_t)
 +')
 diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
-index 256166a..71e7a36 100644
+index 256166a..a8fe27a 100644
 --- a/policy/modules/services/mta.fc
 +++ b/policy/modules/services/mta.fc
-@@ -1,4 +1,6 @@
+@@ -1,4 +1,7 @@
 -HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
 +HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
 +HOME_DIR/dead.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 +HOME_DIR/.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
  
  /bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  
-@@ -11,20 +13,26 @@ ifdef(`distro_redhat',`
+@@ -11,20 +14,27 @@ ifdef(`distro_redhat',`
  /etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
  ')
  
@@ -104525,6 +104566,7 @@ index 256166a..71e7a36 100644
 +/root/\.forward		--	gen_context(system_u:object_r:mail_home_t,s0)
 +/root/dead.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 +/root/.mailrc		--	gen_context(system_u:object_r:mail_home_t,s0)
++/root/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
  
 -/usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 +/usr/bin/esmtp		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -104552,7 +104594,7 @@ index 256166a..71e7a36 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..62edb77 100644
+index 343cee3..b37f19e 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -104968,7 +105010,7 @@ index 343cee3..62edb77 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -899,3 +939,114 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +939,118 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -105034,11 +105076,13 @@ index 343cee3..62edb77 100644
 +interface(`mta_filetrans_admin_home_content',`
 +	gen_require(`
 +		type mail_home_t;
++		type mail_home_rw_t;
 +	')
 +
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
++	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
 +')
 +
 +########################################
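Review bot: `userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")` names the object class `file`, but Maildir is a directory: the mta.fc hunk labels it as `HOME_DIR/Maildir(/.*)?` and the mta.te hunks grant `manage_dirs_pattern` on it. With class `file` the named transition never fires when ~/Maildir is created, so the new directory would keep the generic home-content label and the `mail_home_rw_t` rules would not apply to it. The line should read `userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")`, and the same fix applies to the `userdom_user_home_dir_filetrans` line added in the `mta_filetrans_home_content` hunk that follows.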
@@ -105054,11 +105098,13 @@ index 343cee3..62edb77 100644
 +interface(`mta_filetrans_home_content',`
 +	gen_require(`
 +		type mail_home_t;
++		type mail_home_rw_t;
 +	')
 +
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
++	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
 +')
 +
 +########################################
@@ -105084,10 +105130,10 @@ index 343cee3..62edb77 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..642d538 100644
+index 64268e4..8733cb5 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
-@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
+@@ -20,14 +20,19 @@ files_type(etc_aliases_t)
  type etc_mail_t;
  files_config_file(etc_mail_t)
  
@@ -105095,6 +105141,9 @@ index 64268e4..642d538 100644
 -files_type(mail_forward_t)
 +type mail_home_t alias mail_forward_t;
 +userdom_user_home_content(mail_home_t)
++
++type mail_home_rw_t;
++userdom_user_home_content(mail_home_rw_t)
  
  type mqueue_spool_t;
  files_mountpoint(mqueue_spool_t)
@@ -105106,7 +105155,7 @@ index 64268e4..642d538 100644
  
  type sendmail_exec_t;
  mta_agent_executable(sendmail_exec_t)
-@@ -42,6 +44,7 @@ typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
+@@ -42,6 +47,7 @@ typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
  typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
  ubac_constrained(user_mail_t)
  ubac_constrained(user_mail_tmp_t)
@@ -105114,7 +105163,7 @@ index 64268e4..642d538 100644
  
  ########################################
  #
-@@ -50,22 +53,11 @@ ubac_constrained(user_mail_tmp_t)
+@@ -50,22 +56,11 @@ ubac_constrained(user_mail_tmp_t)
  
  # newalias required this, not sure if it is needed in 'if' file
  allow system_mail_t self:capability { dac_override fowner };
@@ -105138,7 +105187,7 @@ index 64268e4..642d538 100644
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
  dev_read_urand(system_mail_t)
-@@ -79,9 +71,18 @@ selinux_getattr_fs(system_mail_t)
+@@ -79,9 +74,22 @@ selinux_getattr_fs(system_mail_t)
  term_dontaudit_use_unallocated_ttys(system_mail_t)
  
  init_use_script_ptys(system_mail_t)
@@ -105149,16 +105198,20 @@ index 64268e4..642d538 100644
  userdom_dontaudit_search_user_home_dirs(system_mail_t)
 +userdom_dontaudit_list_admin_dir(system_mail_t)
 +
++manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
++
 +allow system_mail_t mail_home_t:file manage_file_perms;
 +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
 +
++
 +logging_append_all_logs(system_mail_t)
 +
 +logging_send_syslog_msg(system_mail_t)
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,14 +93,21 @@ optional_policy(`
+@@ -92,14 +100,21 @@ optional_policy(`
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -105183,7 +105236,7 @@ index 64268e4..642d538 100644
  ')
  
  optional_policy(`
-@@ -108,9 +116,15 @@ optional_policy(`
+@@ -108,9 +123,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -105199,7 +105252,7 @@ index 64268e4..642d538 100644
  ')
  
  optional_policy(`
-@@ -124,12 +138,9 @@ optional_policy(`
+@@ -124,12 +145,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -105214,7 +105267,7 @@ index 64268e4..642d538 100644
  ')
  
  optional_policy(`
-@@ -146,6 +157,10 @@ optional_policy(`
+@@ -146,6 +164,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -105225,7 +105278,7 @@ index 64268e4..642d538 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,22 +173,13 @@ optional_policy(`
+@@ -158,22 +180,13 @@ optional_policy(`
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -105251,7 +105304,7 @@ index 64268e4..642d538 100644
  ')
  
  optional_policy(`
-@@ -189,6 +195,10 @@ optional_policy(`
+@@ -189,6 +202,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -105262,7 +105315,7 @@ index 64268e4..642d538 100644
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,15 +209,16 @@ optional_policy(`
+@@ -199,15 +216,16 @@ optional_policy(`
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
@@ -105283,31 +105336,34 @@ index 64268e4..642d538 100644
  ########################################
  #
  # Mailserver delivery local policy
-@@ -220,28 +231,21 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,21 +238,13 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
 -read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+-
+-read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
 +userdom_search_admin_dir(mailserver_delivery)
 +read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
  
- read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
- 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(mailserver_delivery)
 -	fs_manage_cifs_files(mailserver_delivery)
 -	fs_manage_cifs_symlinks(mailserver_delivery)
 -')
--
++manage_dirs_pattern(mailserver_deliver, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(mailserver_deliver, mail_home_rw_t, mail_home_rw_t)
+ 
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(mailserver_delivery)
 -	fs_manage_nfs_files(mailserver_delivery)
 -	fs_manage_nfs_symlinks(mailserver_delivery)
 -')
--
++read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+ 
  optional_policy(`
  	dovecot_manage_spool(mailserver_delivery)
- 	dovecot_domtrans_deliver(mailserver_delivery)
+@@ -242,6 +252,10 @@ optional_policy(`
  ')
  
  optional_policy(`
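Review bot: `manage_dirs_pattern(mailserver_deliver, mail_home_rw_t, mail_home_rw_t)` and the `manage_files_pattern` line after it use `mailserver_deliver`, whereas every other rule in this hunk uses the attribute `mailserver_delivery`. Unless a `mailserver_deliver` attribute is declared somewhere this page does not show, the module will fail to build on the unknown identifier, or at best the rule will not apply to the delivery agents, so the Maildir write access the changelog promises would be missing. Change both lines to `manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)` and `manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)`. The mailserver delivery section of mta.te continues outside this hunk.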
@@ -105318,7 +105374,7 @@ index 64268e4..642d538 100644
  	# so MTA can access /var/lib/mailman/mail/wrapper
  	files_search_var_lib(mailserver_delivery)
  
-@@ -249,16 +253,25 @@ optional_policy(`
+@@ -249,16 +263,25 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -105346,7 +105402,7 @@ index 64268e4..642d538 100644
  # Create dead.letter in user home directories.
  userdom_manage_user_home_content_files(user_mail_t)
  userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -277,14 +290,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,14 +300,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
  # files in an appropriate place for mta_user_agent
  userdom_read_user_tmp_files(mta_user_agent)
  
@@ -105363,7 +105419,7 @@ index 64268e4..642d538 100644
  	# Read user temporary files.
  	# postfix seems to need write access if the file handle is opened read/write
  	userdom_rw_user_tmp_files(user_mail_t)
-@@ -292,3 +305,114 @@ optional_policy(`
+@@ -292,3 +315,117 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -105382,6 +105438,9 @@ index 64268e4..642d538 100644
 +append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
 +read_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
 +
++manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
++
 +read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
 +
 +can_exec(user_mail_domain, mta_exec_type)
@@ -111372,10 +111431,10 @@ index 0000000..64a6d26
 +')
 diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
 new file mode 100644
-index 0000000..a18621f
+index 0000000..a22fe1b
 --- /dev/null
 +++ b/policy/modules/services/polipo.te
-@@ -0,0 +1,166 @@
+@@ -0,0 +1,170 @@
 +policy_module(polipo, 1.0.0)
 +
 +########################################
@@ -111508,6 +111567,10 @@ index 0000000..a18621f
 +
 +logging_send_syslog_msg(polipo_t)
 +
++optional_policy(`
++	cron_system_entry(polipo_t, polipo_exec_t)
++')
++
 +tunable_policy(`polipo_connect_all_unreserved',`
 +    corenet_tcp_connect_all_unreserved_ports(polipo_t)
 +')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4a437ea..bfc1ed8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 102%{?dist}
+Release: 103%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -483,6 +483,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Mar 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-103
+- Add a new type for /etc/firewalld and allow firewalld to write to this directory
+- Add definition for ~/Maildir, and allow mail deliver domains to write there
+- Allow polipo to run from a cron job
+- Allow rtkit to schedule wine processes
+- Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label
+- Allow users domains to send signals to consolehelper domains
+
 * Fri Mar 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-102
 - More fixes for boinc policy
 - Allow polipo domain to create its own cache dir and pid file

