rpms/selinux-policy/FC-6 modules-mls.conf, 1.21, 1.22 modules-strict.conf, 1.14, 1.15 modules-targeted.conf, 1.39, 1.40 policy-20061106.patch, 1.4, 1.5 selinux-policy.spec, 1.329, 1.330
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Dec 6 21:33:44 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv29797
Modified Files:
modules-mls.conf modules-strict.conf modules-targeted.conf
policy-20061106.patch selinux-policy.spec
Log Message:
* Wed Dec 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-7
- More fixes for polyinstantiation
- Fix handling of keyrings
Index: modules-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/modules-mls.conf,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- modules-mls.conf 29 Nov 2006 20:31:17 -0000 1.21
+++ modules-mls.conf 6 Dec 2006 21:33:42 -0000 1.22
@@ -1016,3 +1016,9 @@
#
aide = base
+# Layer: service
+# Module: pcscd
+#
+# PC/SC Smart Card Daemon
+#
+pcscd = module
Index: modules-strict.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/modules-strict.conf,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- modules-strict.conf 28 Jul 2006 17:44:17 -0000 1.14
+++ modules-strict.conf 6 Dec 2006 21:33:42 -0000 1.15
@@ -1290,3 +1290,10 @@
# policy for nagios Host/service/network monitoring program
#
nagios = module
+
+# Layer: service
+# Module: pcscd
+#
+# PC/SC Smart Card Daemon
+#
+pcscd = module
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/modules-targeted.conf,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- modules-targeted.conf 29 Nov 2006 20:31:17 -0000 1.39
+++ modules-targeted.conf 6 Dec 2006 21:33:42 -0000 1.40
@@ -1165,3 +1165,10 @@
#
iscsi = module
+# Layer: service
+# Module: pcscd
+#
+# PC/SC Smart Card Daemon
+#
+pcscd = module
+
policy-20061106.patch:
Rules.modular | 10
policy/flask/access_vectors | 2
policy/global_tunables | 40 ++
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17 +
policy/modules/admin/amanda.te | 1
policy/modules/admin/bootloader.te | 4
policy/modules/admin/consoletype.te | 10
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 9
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 41 --
policy/modules/admin/usermanage.te | 3
policy/modules/apps/java.fc | 2
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17 -
policy/modules/apps/slocate.te | 2
policy/modules/kernel/corecommands.fc | 3
policy/modules/kernel/corecommands.if | 17 +
policy/modules/kernel/corenetwork.if.in | 49 +++
policy/modules/kernel/corenetwork.te.in | 15
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 114 +++++++
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/kernel.te | 2
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 16 -
policy/modules/services/apm.te | 1
policy/modules/services/automount.te | 1
policy/modules/services/avahi.if | 21 +
policy/modules/services/bind.fc | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 2
policy/modules/services/cron.if | 49 ---
policy/modules/services/cron.te | 13
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/ftp.te | 12
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 20 +
policy/modules/services/hal.te | 8
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nis.fc | 1
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 10
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15
policy/modules/services/oddjob.te | 3
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 23 +
policy/modules/services/pcscd.te | 69 ++++
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13
policy/modules/services/procmail.te | 16 +
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 5
policy/modules/services/ssh.te | 7
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++++
policy/modules/services/uucp.te | 44 ++
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 34 ++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 10
policy/modules/system/init.te | 22 +
policy/modules/system/iptables.te | 6
policy/modules/system/libraries.fc | 28 -
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 1
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 ++-
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 38 ++
policy/modules/system/modutils.te | 5
policy/modules/system/mount.te | 20 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.fc | 1
policy/modules/system/selinuxutil.if | 109 +++++++
policy/modules/system/selinuxutil.te | 105 +-----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 15
policy/modules/system/userdomain.if | 483 ++++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 52 ---
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 ++
121 files changed, 1803 insertions(+), 422 deletions(-)
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.4 -r 1.5 policy-20061106.patch
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20061106.patch 29 Nov 2006 20:31:17 -0000 1.4
+++ policy-20061106.patch 6 Dec 2006 21:33:42 -0000 1.5
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.5/policy/flask/access_vectors
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.6/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2006-11-16 17:15:00.000000000 -0500
-+++ serefpolicy-2.4.5/policy/flask/access_vectors 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/flask/access_vectors 2006-12-05 13:19:41.000000000 -0500
@@ -619,6 +619,8 @@
send
recv
@@ -10,11 +10,29 @@
}
class key
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.5/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.6/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/global_tunables 2006-11-28 15:33:57.000000000 -0500
-@@ -574,6 +574,13 @@
++++ serefpolicy-2.4.6/policy/global_tunables 2006-12-05 13:19:41.000000000 -0500
+@@ -82,6 +82,14 @@
+
+ ## <desc>
+ ## <p>
++## Allow ftp servers to login to local users and
++## read/write all files on the system, governed by DAC.
++## </p>
++## </desc>
++gen_tunable(allow_ftpd_full_access,false)
++
++## <desc>
++## <p>
+ ## Allow gssd to read temp directory.
+ ## </p>
+ ## </desc>
+@@ -572,8 +580,16 @@
+ ## </p>
+ ## </desc>
gen_tunable(xdm_sysadm_login,false)
++
')
+## <desc>
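Review bot: The description added for the `allow_ftpd_full_access` tunable in global_tunables understates what enabling it does: "governed by DAC" means SELinux no longer limits which files ftpd can read or write, so a compromised FTP server is held back only by Unix permissions. I would say so in the text, for example `## Allow ftp servers to log in local users and read/write all files on the system. SELinux does not confine ftpd file access when this is on; only DAC applies.` The default of `false` is the right one and should stay. The ftp.te rules that consume the tunable are not in the visible part of this patch, so the exact scope is inferred from the description alone.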
@@ -27,7 +45,7 @@
########################################
#
# Targeted policy specific
-@@ -589,6 +596,13 @@
+@@ -589,6 +605,13 @@
## <desc>
## <p>
@@ -41,7 +59,7 @@
## Allow mount to mount any file
## </p>
## </desc>
-@@ -596,8 +610,30 @@
+@@ -596,8 +619,23 @@
## <desc>
## <p>
@@ -51,13 +69,6 @@
## </desc>
gen_tunable(spamd_enable_home_dirs,true)
+
-+## <desc>
-+## <p>
-+## Allow xen to read/write physical disk devices
-+## </p>
-+## </desc>
-+gen_tunable(xen_use_raw_disk,true)
-+
')
+
+## <desc>
@@ -73,9 +84,9 @@
+## </p>
+## </desc>
+gen_tunable(use_lpd_server,false)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.5/policy/modules/admin/acct.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.6/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/admin/acct.te 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/acct.te 2006-12-05 13:19:41.000000000 -0500
@@ -9,6 +9,7 @@
type acct_t;
type acct_exec_t;
@@ -84,9 +95,9 @@
type acct_data_t;
logging_log_file(acct_data_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-2.4.5/policy/modules/admin/amanda.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-2.4.6/policy/modules/admin/amanda.if
--- nsaserefpolicy/policy/modules/admin/amanda.if 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/admin/amanda.if 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.if 2006-12-05 13:19:41.000000000 -0500
@@ -127,4 +127,21 @@
allow $1 amanda_log_t:file ra_file_perms;
')
@@ -109,9 +120,9 @@
+ allow $1 amanda_usr_lib_t:dir manage_dir_perms;
+ files_search_usr($1)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.5/policy/modules/admin/amanda.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.6/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/admin/amanda.te 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2006-12-05 13:19:41.000000000 -0500
@@ -75,6 +75,7 @@
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -120,9 +131,9 @@
# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file { getattr lock read write };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.4.5/policy/modules/admin/bootloader.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.4.6/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/admin/bootloader.te 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2006-12-05 13:19:41.000000000 -0500
@@ -218,3 +218,7 @@
userdom_dontaudit_search_staff_home_dirs(bootloader_t)
userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
@@ -131,9 +142,9 @@
+optional_policy(`
+ hal_dontaudit_append_var_lib_files(bootloader_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.5/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.6/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/admin/consoletype.te 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/consoletype.te 2006-12-05 13:19:41.000000000 -0500
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -165,9 +176,9 @@
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.4.5/policy/modules/admin/dmesg.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.4.6/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/admin/dmesg.te 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/dmesg.te 2006-12-05 13:19:41.000000000 -0500
@@ -10,6 +10,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -176,9 +187,9 @@
role system_r types dmesg_t;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-2.4.5/policy/modules/admin/firstboot.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-2.4.6/policy/modules/admin/firstboot.if
--- nsaserefpolicy/policy/modules/admin/firstboot.if 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/admin/firstboot.if 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/firstboot.if 2006-12-05 13:19:41.000000000 -0500
@@ -96,7 +96,7 @@
########################################
@@ -201,9 +212,9 @@
- allow $1 firstboot_t:fifo_file write;
+ allow $1 firstboot_t:fifo_file { read write };
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.4.5/policy/modules/admin/logwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.4.6/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/admin/logwatch.te 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/logwatch.te 2006-12-05 13:19:41.000000000 -0500
@@ -53,6 +53,7 @@
corecmd_exec_ls(logwatch_t)
@@ -212,9 +223,9 @@
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.5/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.6/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/admin/netutils.te 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/netutils.te 2006-12-05 13:19:41.000000000 -0500
@@ -18,10 +18,12 @@
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
@@ -228,9 +239,9 @@
role system_r types traceroute_t;
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.5/policy/modules/admin/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.6/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/admin/prelink.te 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/prelink.te 2006-12-05 13:19:41.000000000 -0500
@@ -57,6 +57,7 @@
[...2198 lines suppressed...]
++ seutil_run_semanage($1,$2,$3)
++ seutil_run_setfiles($1, $2, $3)
++ seutil_run_restorecon($1,$2,$3)
++
++ corecmd_exec_shell($1)
++ consoletype_exec($1)
++
++ dmesg_exec($1)
++
++ domain_obj_id_change_exemption($1)
++
++ files_create_boot_flag($1)
++
++ mls_process_read_up($1)
++ mls_file_read_up($1)
++ mls_file_upgrade($1)
++ mls_file_downgrade($1)
++
++ auth_relabel_all_files_except_shadow($1)
++ auth_relabel_shadow($1)
++
++ dev_relabel_all_dev_nodes($1)
++
++ init_exec($1)
++
++ logging_send_syslog_msg($1)
++ logging_read_audit_log($1)
++ logging_read_generic_logs($1)
++ logging_read_audit_config($1)
++
++ userdom_dontaudit_append_staff_home_content_files($1)
++ userdom_dontaudit_read_sysadm_home_content_files($1)
++
++ optional_policy(`
++ netlabel_run_mgmt($1,$2, $3)
++ ')
++ optional_policy(`
++ aide_run($1,$2, $3)
++ ')
++')
++
++########################################
++## <summary>
++## allow relabel of home type directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_relabel_user_home_content_dirs',`
++ gen_require(`
++ type user_home_dir_t;
++ ')
++
++ files_search_home($1)
++ allow $1 home_type:dir { relabelfrom relabelto };
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.6/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/system/userdomain.te 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.te 2006-12-05 13:19:42.000000000 -0500
@@ -24,6 +24,9 @@
# users home directory contents
attribute home_type;
@@ -3623,23 +4437,82 @@
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
-@@ -155,11 +158,15 @@
- init_exec(secadm_t)
- logging_read_audit_log(secadm_t)
- logging_read_generic_logs(secadm_t)
-+ logging_read_audit_config(secadm_t)
- userdom_dontaudit_append_staff_home_content_files(secadm_t)
- userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
- optional_policy(`
- netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
- ')
-+ optional_policy(`
-+ aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
-+ ')
+@@ -141,25 +144,6 @@
+ logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+ userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
+
+- allow secadm_t self:capability { dac_read_search dac_override };
+- corecmd_exec_shell(secadm_t)
+- domain_obj_id_change_exemption(secadm_t)
+- mls_process_read_up(secadm_t)
+- mls_file_read_up(secadm_t)
+- mls_file_write_down(secadm_t)
+- mls_file_upgrade(secadm_t)
+- mls_file_downgrade(secadm_t)
+- auth_relabel_all_files_except_shadow(secadm_t)
+- dev_relabel_all_dev_nodes(secadm_t)
+- auth_relabel_shadow(secadm_t)
+- init_exec(secadm_t)
+- logging_read_audit_log(secadm_t)
+- logging_read_generic_logs(secadm_t)
+- userdom_dontaudit_append_staff_home_content_files(secadm_t)
+- userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+- optional_policy(`
+- netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+- ')
',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
-@@ -428,6 +435,9 @@
+@@ -229,7 +213,6 @@
+ consoletype_exec(sysadm_t)
+
+ ifdef(`enable_mls',`
+- consoletype_exec(secadm_t)
+ consoletype_exec(auditadm_t)
+ ')
+ ')
+@@ -248,7 +231,6 @@
+ dmesg_exec(sysadm_t)
+
+ ifdef(`enable_mls',`
+- dmesg_exec(secadm_t)
+ dmesg_exec(auditadm_t)
+ ')
+ ')
+@@ -383,27 +365,12 @@
+ seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+
+ ifdef(`enable_mls',`
+- selinux_set_enforce_mode(secadm_t)
+- selinux_set_boolean(secadm_t)
+- selinux_set_parameters(secadm_t)
+-
+- seutil_manage_bin_policy(secadm_t)
+- seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- logging_send_syslog_msg(secadm_t)
++ userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
++# tunable_policy(`allow_sysadm_manage_security',`
++ userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
++# ')
+ ', `
+- selinux_set_enforce_mode(sysadm_t)
+- selinux_set_boolean(sysadm_t)
+- selinux_set_parameters(sysadm_t)
+-
+- seutil_manage_bin_policy(sysadm_t)
+- seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal)
+- seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal)
+- seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal)
+- seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
++ userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
+ ')
+ ')
+
+@@ -428,6 +395,9 @@
')
optional_policy(`
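Review bot: In the `enable_mls` branch of userdomain.te, `userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)` is granted unconditionally, because the `tunable_policy` wrapper for `allow_sysadm_manage_security` around it is commented out. Judging from the visible tail of the interface, this gives sysadm_t the semanage/setfiles/restorecon runs, MLS read-up and file upgrade/downgrade, and shadow relabeling, which removes the sysadm/secadm separation an MLS build is expected to keep. Either restore the conditional or, if the interface cannot sit inside a tunable (not determinable from this page), replace the commented-out lines with a comment stating that the grant is deliberate and why. Separately, the secadm_t call passes `{ secadm_tty_device_t sysadm_devpts_t }` while the removed `netlabel_run_mgmt` line used `secadm_devpts_t`; since `$3` is now forwarded to `netlabel_run_mgmt` and `aide_run`, `secadm_devpts_t` looks like the intended type.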
@@ -3649,9 +4522,9 @@
usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.5/policy/modules/system/xen.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.6/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/system/xen.fc 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/xen.fc 2006-12-05 13:19:42.000000000 -0500
@@ -8,6 +8,7 @@
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
@@ -3660,9 +4533,9 @@
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.5/policy/modules/system/xen.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.6/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.5/policy/modules/system/xen.te 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/xen.te 2006-12-05 13:19:42.000000000 -0500
@@ -86,8 +86,8 @@
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
@@ -3752,9 +4625,9 @@
+fs_write_nfs_files(xend_t)
+fs_read_nfs_files(xend_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.5/Rules.modular
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.6/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-11-16 17:15:29.000000000 -0500
-+++ serefpolicy-2.4.5/Rules.modular 2006-11-28 15:28:35.000000000 -0500
++++ serefpolicy-2.4.6/Rules.modular 2006-12-05 13:19:42.000000000 -0500
@@ -219,6 +219,16 @@
########################################
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.329
retrieving revision 1.330
diff -u -r1.329 -r1.330
--- selinux-policy.spec 29 Nov 2006 20:31:17 -0000 1.329
+++ selinux-policy.spec 6 Dec 2006 21:33:42 -0000 1.330
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 1%{?dist}
+Release: 7%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -180,7 +180,7 @@
# Install devel
make clean
-make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
+make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 755 ${RPM_SOURCE_DIR}/policygentool %{buildroot}%{_usr}/share/selinux/devel/
@@ -351,6 +351,32 @@
%endif
%changelog
+* Wed Dec 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-7
+- More Fixes polyinstatiation
+- Fix handling of keyrings
+
+Resolves: #216184
+* Mon Dec 4 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-6
+- Fix polyinstatiation
+- Fix pcscd handling of terminal
+Resolves: #218149
+Resolves: #218350
+
+* Fri Dec 1 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-5
+- More fixes for quota
+Resolves: #212957
+
+* Fri Dec 1 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-4
+- ncsd needs to use avahi sockets
+Resolves: #217640
+Resolves: #218014
+
+* Thu Nov 28 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-3
+- Allow login programs to polyinstatiate homedirs
+Resolves: #216184
+- Allow quotacheck to create database files
+Resolves: #212957
+
* Tue Nov 28 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-1
- Dontaudit appending hal_var_lib files
Resolves: #217452