[selinux-policy/f18] * Mon Jan 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-73 - Allow gnome keyring to create keyri
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jan 21 22:56:02 UTC 2013
commit f2175b6e0a914b90280992c0ab27f3194bd476f5
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Jan 21 23:54:35 2013 +0100
* Mon Jan 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-73
- Allow gnome keyring to create keyrings dir in ~/.local/share
- Dontaudit the thumb_t domain trying to bind UDP sockets if nis_enabled is turned on
- Allow colord_t to read cupsd_t state
- Add interface to colord_t dbus_chat to allow it to read remote process state
policy-f18-base.patch | 120 ++++++++++++++++++++++++++++------------------
policy-f18-contrib.patch | 91 ++++++++++++++++++++++------------
selinux-policy.spec | 8 +++-
3 files changed, 139 insertions(+), 80 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 4bf1f98..1de0bf5 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -112953,7 +112953,7 @@ index f9b25c1..9af1f7a 100644
+/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..7ac4630 100644
+index 07126bd..4aecd37 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
@@ -113022,7 +113022,33 @@ index 07126bd..7ac4630 100644
## Bind TCP sockets to generic nodes.
## </summary>
## <desc>
-@@ -928,6 +966,24 @@ interface(`corenet_inout_generic_node',`
+@@ -855,6 +893,25 @@ interface(`corenet_udp_bind_generic_node',`
+
+ ########################################
+ ## <summary>
++## Dontaudit attempts to bind UDP sockets to generic nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++## <infoflow type="read" weight="1"/>
++#
++interface(`corenet_dontaudit_udp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ dontaudit $1 node_t:udp_socket node_bind;
++')
++
++########################################
++## <summary>
+ ## Bind raw sockets to genric nodes.
+ ## </summary>
+ ## <param name="domain">
+@@ -928,6 +985,24 @@ interface(`corenet_inout_generic_node',`
########################################
## <summary>
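Review bot: The new `corenet_dontaudit_udp_bind_generic_node` interface is annotated `## <infoflow type="read" weight="1"/>`, but a dontaudit rule grants no access and therefore no information flow; refpolicy marks dontaudit interfaces with `## <infoflow type="none"/>`, and the read/weight-1 tag looks copied from an allow interface. Tools that consume these XML annotations for information-flow analysis would otherwise treat every caller as gaining a read path to `node_t` that the policy does not actually grant. Change the line to `## <infoflow type="none"/>`. The rest of this nested hunk only re-anchors the insertion point after `corenet_udp_bind_generic_node`, so nothing else here changes behaviour.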
@@ -113047,7 +113073,7 @@ index 07126bd..7ac4630 100644
## Send and receive TCP network traffic on all nodes.
## </summary>
## <param name="domain">
-@@ -1102,6 +1158,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
+@@ -1102,6 +1177,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
########################################
## <summary>
@@ -113072,7 +113098,7 @@ index 07126bd..7ac4630 100644
## Bind TCP sockets to all nodes.
## </summary>
## <param name="domain">
-@@ -1157,6 +1231,24 @@ interface(`corenet_raw_bind_all_nodes',`
+@@ -1157,6 +1250,24 @@ interface(`corenet_raw_bind_all_nodes',`
########################################
## <summary>
@@ -113097,15 +113123,14 @@ index 07126bd..7ac4630 100644
## Send and receive TCP network traffic on generic ports.
## </summary>
## <param name="domain">
-@@ -1167,10 +1259,30 @@ interface(`corenet_raw_bind_all_nodes',`
+@@ -1167,10 +1278,30 @@ interface(`corenet_raw_bind_all_nodes',`
#
interface(`corenet_tcp_sendrecv_generic_port',`
gen_require(`
- type port_t;
+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- allow $1 port_t:tcp_socket { send_msg recv_msg };
++ ')
++
+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
+')
+
@@ -113124,13 +113149,14 @@ index 07126bd..7ac4630 100644
+interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
+ gen_require(`
+ type port_t, unreserved_port_t, ephemeral_port_t;
-+ ')
-+
+ ')
+
+- allow $1 port_t:tcp_socket { send_msg recv_msg };
+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
')
########################################
-@@ -1185,10 +1297,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
+@@ -1185,10 +1316,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
#
interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
gen_require(`
@@ -113143,7 +113169,7 @@ index 07126bd..7ac4630 100644
')
########################################
-@@ -1203,10 +1315,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+@@ -1203,10 +1334,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
#
interface(`corenet_udp_send_generic_port',`
gen_require(`
@@ -113156,7 +113182,7 @@ index 07126bd..7ac4630 100644
')
########################################
-@@ -1221,10 +1333,10 @@ interface(`corenet_udp_send_generic_port',`
+@@ -1221,10 +1352,10 @@ interface(`corenet_udp_send_generic_port',`
#
interface(`corenet_udp_receive_generic_port',`
gen_require(`
@@ -113169,7 +113195,7 @@ index 07126bd..7ac4630 100644
')
########################################
-@@ -1244,6 +1356,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1244,6 +1375,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
########################################
## <summary>
@@ -113196,7 +113222,7 @@ index 07126bd..7ac4630 100644
## Bind TCP sockets to generic ports.
## </summary>
## <param name="domain">
-@@ -1254,16 +1386,35 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1254,16 +1405,35 @@ interface(`corenet_udp_sendrecv_generic_port',`
#
interface(`corenet_tcp_bind_generic_port',`
gen_require(`
@@ -113234,7 +113260,7 @@ index 07126bd..7ac4630 100644
## Do not audit bind TCP sockets to generic ports.
## </summary>
## <param name="domain">
-@@ -1274,10 +1425,10 @@ interface(`corenet_tcp_bind_generic_port',`
+@@ -1274,10 +1444,10 @@ interface(`corenet_tcp_bind_generic_port',`
#
interface(`corenet_dontaudit_tcp_bind_generic_port',`
gen_require(`
@@ -113247,7 +113273,7 @@ index 07126bd..7ac4630 100644
')
########################################
-@@ -1292,16 +1443,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+@@ -1292,16 +1462,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
#
interface(`corenet_udp_bind_generic_port',`
gen_require(`
@@ -113284,7 +113310,7 @@ index 07126bd..7ac4630 100644
## Connect TCP sockets to generic ports.
## </summary>
## <param name="domain">
-@@ -1312,10 +1481,28 @@ interface(`corenet_udp_bind_generic_port',`
+@@ -1312,10 +1500,28 @@ interface(`corenet_udp_bind_generic_port',`
#
interface(`corenet_tcp_connect_generic_port',`
gen_require(`
@@ -113315,7 +113341,7 @@ index 07126bd..7ac4630 100644
')
########################################
-@@ -1439,6 +1626,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
+@@ -1439,6 +1645,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
########################################
## <summary>
@@ -113341,7 +113367,7 @@ index 07126bd..7ac4630 100644
## Bind TCP sockets to all ports.
## </summary>
## <param name="domain">
-@@ -1458,6 +1664,24 @@ interface(`corenet_tcp_bind_all_ports',`
+@@ -1458,6 +1683,24 @@ interface(`corenet_tcp_bind_all_ports',`
########################################
## <summary>
@@ -113366,7 +113392,7 @@ index 07126bd..7ac4630 100644
## Do not audit attepts to bind TCP sockets to any ports.
## </summary>
## <param name="domain">
-@@ -1513,6 +1737,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
+@@ -1513,6 +1756,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
########################################
## <summary>
@@ -113391,7 +113417,7 @@ index 07126bd..7ac4630 100644
## Connect TCP sockets to all ports.
## </summary>
## <desc>
-@@ -1559,6 +1801,25 @@ interface(`corenet_tcp_connect_all_ports',`
+@@ -1559,6 +1820,25 @@ interface(`corenet_tcp_connect_all_ports',`
########################################
## <summary>
@@ -113417,7 +113443,7 @@ index 07126bd..7ac4630 100644
## Do not audit attempts to connect TCP sockets
## to all ports.
## </summary>
-@@ -1578,6 +1839,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
+@@ -1578,6 +1858,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
########################################
## <summary>
@@ -113442,7 +113468,7 @@ index 07126bd..7ac4630 100644
## Send and receive TCP network traffic on generic reserved ports.
## </summary>
## <param name="domain">
-@@ -1647,6 +1926,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+@@ -1647,6 +1945,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
########################################
## <summary>
@@ -113468,7 +113494,7 @@ index 07126bd..7ac4630 100644
## Bind TCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
-@@ -1685,6 +1983,24 @@ interface(`corenet_udp_bind_reserved_port',`
+@@ -1685,6 +2002,24 @@ interface(`corenet_udp_bind_reserved_port',`
########################################
## <summary>
@@ -113493,7 +113519,7 @@ index 07126bd..7ac4630 100644
## Connect TCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
-@@ -1703,6 +2019,24 @@ interface(`corenet_tcp_connect_reserved_port',`
+@@ -1703,6 +2038,24 @@ interface(`corenet_tcp_connect_reserved_port',`
########################################
## <summary>
@@ -113518,7 +113544,7 @@ index 07126bd..7ac4630 100644
## Send and receive TCP network traffic on all reserved ports.
## </summary>
## <param name="domain">
-@@ -1752,12 +2086,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+@@ -1752,12 +2105,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
attribute reserved_port_type;
')
@@ -113731,7 +113757,7 @@ index 07126bd..7ac4630 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1765,14 +2297,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+@@ -1765,14 +2316,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
## </summary>
## </param>
#
@@ -113753,7 +113779,7 @@ index 07126bd..7ac4630 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1780,36 +2315,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
+@@ -1780,36 +2334,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
## </summary>
## </param>
#
@@ -113797,7 +113823,7 @@ index 07126bd..7ac4630 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1817,36 +2351,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+@@ -1817,36 +2370,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
## </summary>
## </param>
#
@@ -113848,7 +113874,7 @@ index 07126bd..7ac4630 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1854,17 +2387,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+@@ -1854,17 +2406,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
## </summary>
## </param>
#
@@ -113869,7 +113895,7 @@ index 07126bd..7ac4630 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1872,67 +2405,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+@@ -1872,67 +2424,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
## </summary>
## </param>
#
@@ -113956,7 +113982,7 @@ index 07126bd..7ac4630 100644
')
########################################
-@@ -1955,6 +2489,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
+@@ -1955,6 +2508,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
########################################
## <summary>
@@ -113982,7 +114008,7 @@ index 07126bd..7ac4630 100644
## Do not audit attempts to connect TCP sockets
## all rpc ports.
## </summary>
-@@ -1993,6 +2546,24 @@ interface(`corenet_rw_tun_tap_dev',`
+@@ -1993,6 +2565,24 @@ interface(`corenet_rw_tun_tap_dev',`
########################################
## <summary>
@@ -114007,7 +114033,7 @@ index 07126bd..7ac4630 100644
## Do not audit attempts to read or write the TUN/TAP
## virtual network device.
## </summary>
-@@ -2049,6 +2620,25 @@ interface(`corenet_rw_ppp_dev',`
+@@ -2049,6 +2639,25 @@ interface(`corenet_rw_ppp_dev',`
########################################
## <summary>
@@ -114033,7 +114059,7 @@ index 07126bd..7ac4630 100644
## Bind TCP sockets to all RPC ports.
## </summary>
## <param name="domain">
-@@ -2068,6 +2658,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2677,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
########################################
## <summary>
@@ -114058,7 +114084,7 @@ index 07126bd..7ac4630 100644
## Do not audit attempts to bind TCP sockets to all RPC ports.
## </summary>
## <param name="domain">
-@@ -2194,6 +2802,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2821,25 @@ interface(`corenet_tcp_recv_netlabel',`
########################################
## <summary>
@@ -114084,7 +114110,7 @@ index 07126bd..7ac4630 100644
## Receive TCP packets from a NetLabel connection.
## </summary>
## <param name="domain">
-@@ -2213,7 +2840,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,7 +2859,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
########################################
## <summary>
@@ -114093,7 +114119,7 @@ index 07126bd..7ac4630 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2221,10 +2848,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2221,10 +2867,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
## </summary>
## </param>
#
@@ -114111,7 +114137,7 @@ index 07126bd..7ac4630 100644
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
-@@ -2249,6 +2881,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2900,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
########################################
## <summary>
@@ -114138,7 +114164,7 @@ index 07126bd..7ac4630 100644
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
## </summary>
-@@ -2269,6 +2921,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2940,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
########################################
## <summary>
@@ -114166,7 +114192,7 @@ index 07126bd..7ac4630 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2533,15 +3206,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,15 +3225,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
## <infoflow type="read" weight="10"/>
#
interface(`corenet_all_recvfrom_unlabeled',`
@@ -114186,7 +114212,7 @@ index 07126bd..7ac4630 100644
')
########################################
-@@ -2567,11 +3235,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
+@@ -2567,11 +3254,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
#
interface(`corenet_all_recvfrom_netlabel',`
gen_require(`
@@ -114224,7 +114250,7 @@ index 07126bd..7ac4630 100644
')
########################################
-@@ -2585,6 +3276,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3295,7 @@ interface(`corenet_all_recvfrom_netlabel',`
## </param>
#
interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -114232,7 +114258,7 @@ index 07126bd..7ac4630 100644
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
kernel_dontaudit_udp_recvfrom_unlabeled($1)
kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3305,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3324,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
')
dontaudit $1 netlabel_peer_t:peer recv;
@@ -114269,7 +114295,7 @@ index 07126bd..7ac4630 100644
')
########################################
-@@ -2727,6 +3447,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3466,7 @@ interface(`corenet_raw_recvfrom_labeled',`
## </param>
#
interface(`corenet_all_recvfrom_labeled',`
@@ -114277,7 +114303,7 @@ index 07126bd..7ac4630 100644
corenet_tcp_recvfrom_labeled($1, $2)
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3855,53 @@ interface(`corenet_unconfined',`
+@@ -3134,3 +3874,53 @@ interface(`corenet_unconfined',`
typeattribute $1 corenet_unconfined_type;
')
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 2c2a4c5..0cf57d6 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -11104,10 +11104,18 @@ index 78b2fea..ef975ac 100644
/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/colord.if b/colord.if
-index 733e4e6..fa2c3cb 100644
+index 733e4e6..825f537 100644
--- a/colord.if
+++ b/colord.if
-@@ -57,3 +57,26 @@ interface(`colord_read_lib_files',`
+@@ -37,6 +37,7 @@ interface(`colord_dbus_chat',`
+
+ allow $1 colord_t:dbus send_msg;
+ allow colord_t $1:dbus send_msg;
++ ps_process_pattern(colord_t, $1)
+ ')
+
+ ######################################
+@@ -57,3 +58,26 @@ interface(`colord_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
')
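Review bot: `ps_process_pattern(colord_t, $1)` inserted into `colord_dbus_chat` silently widens every existing caller of that interface: any domain that merely exchanges D-Bus messages with colord now also has its `/proc/<pid>` entries readable by `colord_t` (directory, file and symlink reads plus process getattr, per the refpolicy macro, which is outside this diff). The interface's name and doc block, which start before this hunk, still describe only the D-Bus exchange, so at minimum the summary should gain `## Also grants colord_t read access to the caller's process state (/proc/<pid>).`, with the reason (presumably caller identification during authorization — confirm) stated alongside. If only some callers need this, the cleaner pattern is the dedicated interface this same commit adds for cups (`cups_read_state`), called explicitly from the domains that require it rather than folded into the chat interface.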
@@ -11135,7 +11143,7 @@ index 733e4e6..fa2c3cb 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 74505cc..69bf8c7 100644
+index 74505cc..e21138f 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
@@ -11232,20 +11240,21 @@ index 74505cc..69bf8c7 100644
fs_read_cifs_files(colord_t)
')
-@@ -89,6 +117,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_read_home_icc_data_content(colord_t)
-+ # Fixes lots of breakage in F16 on upgrade
-+ gnome_read_generic_data_home_files(colord_t)
+@@ -86,6 +114,13 @@ optional_policy(`
+ cups_read_rw_config(colord_t)
+ cups_stream_connect(colord_t)
+ cups_dbus_chat(colord_t)
++ cups_read_state(colord_t)
+')
+
+optional_policy(`
- policykit_dbus_chat(colord_t)
- policykit_domtrans_auth(colord_t)
- policykit_read_lib(colord_t)
-@@ -96,5 +130,20 @@ optional_policy(`
++ gnome_read_home_icc_data_content(colord_t)
++ # Fixes lots of breakage in F16 on upgrade
++ gnome_read_generic_data_home_files(colord_t)
+ ')
+
+ optional_policy(`
+@@ -96,5 +131,20 @@ optional_policy(`
')
optional_policy(`
@@ -14768,7 +14777,7 @@ index 848bb92..600efa5 100644
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
-index 305ddf4..f3cd95f 100644
+index 305ddf4..a682e21 100644
--- a/cups.if
+++ b/cups.if
@@ -9,6 +9,11 @@
@@ -14853,7 +14862,7 @@ index 305ddf4..f3cd95f 100644
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -341,18 +375,53 @@ interface(`cups_admin',`
+@@ -341,18 +375,72 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_lpd_var_run_t)
@@ -14909,6 +14918,25 @@ index 305ddf4..f3cd95f 100644
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++')
++
++########################################
++## <summary>
++## Allow the domain to read cups state files in /proc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cups_read_state',`
++ gen_require(`
++ type cupsd_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
index e5a8924..e12c890 100644
@@ -25301,7 +25329,7 @@ index f5afe78..f73c152 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/gnome.te b/gnome.te
-index 783c5fb..3a0a272 100644
+index 783c5fb..92214c3 100644
--- a/gnome.te
+++ b/gnome.te
@@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)
@@ -25380,7 +25408,7 @@ index 783c5fb..3a0a272 100644
logging_send_syslog_msg(gconfd_t)
-@@ -73,3 +113,167 @@ optional_policy(`
+@@ -73,3 +113,168 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -25502,6 +25530,7 @@ index 783c5fb..3a0a272 100644
+allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
+filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
++filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
+
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
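Review bot: The new `filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")` is the fix the changelog describes, but it lands between two pre-existing rules that both transition a `"keyrings"` directory created under `gnome_home_t`: to `gkeyringd_gnome_home_t` on the line above and to `data_home_t` on the line below. Two name-based type_transitions with the same source, target, class and filename but different result types are normally rejected as conflicting by the policy compiler, so unless one of them is guarded by a block outside this hunk the `gnome_home_t → data_home_t "keyrings"` line looks like a leftover from an earlier attempt at this fix and should be removed rather than kept next to the new rule. Worth confirming against the built module before dropping it; the enclosing gkeyringd rule run continues on both sides of this hunk.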
@@ -43913,14 +43942,16 @@ index 66a52ee..6db0311 100644
+')
diff --git a/openvswitch.fc b/openvswitch.fc
new file mode 100644
-index 0000000..baf8d21
+index 0000000..8c906ee
--- /dev/null
+++ b/openvswitch.fc
-@@ -0,0 +1,15 @@
+@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
+
+/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/bin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/sbin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
@@ -62120,7 +62151,7 @@ index 1ed6870..3f1dac5 100644
-/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
+/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --git a/sectoolm.te b/sectoolm.te
-index c8ef84b..ffa81dd 100644
+index c8ef84b..b6a0bbd 100644
--- a/sectoolm.te
+++ b/sectoolm.te
@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.0)
@@ -62132,15 +62163,6 @@ index c8ef84b..ffa81dd 100644
type sectool_var_lib_t;
files_type(sectool_var_lib_t)
-@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
- # sectool local policy
- #
-
--allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
-+allow sectoolm_t self:capability { dac_override net_admin sys_nice };
- allow sectoolm_t self:process { getcap getsched signull setsched };
- dontaudit sectoolm_t self:process { execstack execmem };
- allow sectoolm_t self:fifo_file rw_fifo_file_perms;
@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
auth_use_nsswitch(sectoolm_t)
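Review bot: If I read the nested patch right, this hunk deletes the downstream change that removed `sys_ptrace` from `sectoolm_t`'s self capability set, so after this commit `sectoolm_t` is back to upstream's `{ dac_override net_admin sys_nice sys_ptrace }` — a capability restoration that appears nowhere in the commit's changelog and reads as an unrelated revert riding along with the colord/gnome/thumb fixes. `CAP_SYS_PTRACE` lets a domain bypass ptrace-scope restrictions and read other processes' memory and `/proc/<pid>` internals, so its return should be deliberate and recorded, e.g. `- Restore sys_ptrace capability for sectoolm_t (needed for <reason>)`. If the deletion is accidental (for instance the nested hunk no longer applied cleanly), the sys_ptrace removal should be re-done against the current context instead. The sectoolm_t rule run this touches starts before the hunk.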
@@ -68140,10 +68162,10 @@ index 0000000..9127cec
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..0f9dcc7
+index 0000000..57708c1
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,135 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -68274,6 +68296,11 @@ index 0000000..0f9dcc7
+optional_policy(`
+ nscd_dontaudit_write_sock_file(thumb_t)
+')
++
++tunable_policy(`nis_enabled',`
++ corenet_dontaudit_udp_bind_all_ports(thumb_t)
++ corenet_dontaudit_udp_bind_generic_node(thumb_t)
++')
diff --git a/thunderbird.te b/thunderbird.te
index bf37d98..0d863fc 100644
--- a/thunderbird.te
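Review bot: The `tunable_policy(`nis_enabled', ...)` block appended to thumb.te silences every UDP bind attempt by `thumb_t` (`corenet_dontaudit_udp_bind_all_ports` covers all port types, not just RPC/NIS ones) without saying why a thumbnailer would bind a UDP socket at all, which is exactly the kind of rule the next maintainer will stare at during an audit2allow session. A one-line comment above the block would fix that: `# presumably NIS lookups via nsswitch try to bind an RPC UDP socket; thumb_t does not need it, so hide the denial instead of allowing it — confirm`. Note also that the changelog calls these "thumb drives", which does not match this module — thumb.te defines the `thumb_t` domain, not removable media. `corenet_dontaudit_udp_bind_generic_node` is introduced in this same commit's base policy, so the contrib module must be built against that base for this to compile.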
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3c23cc1..67523ed 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 72%{?dist}
+Release: 73%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jan 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-73
+- Allow gnome keyring to create keyrings dir in ~/.local/share
+- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
+- Allow colord_t to read cupsd_t state
+- Add interface to colord_t dbus_chat to allow it to read remote process state
+
* Mon Jan 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-72
- Dontaudit net_admin capability for sendmail
- Logwatch does access check on mdadm binary