rpms/selinux-policy/devel policy-20061106.patch, 1.53, 1.54 selinux-policy.spec, 1.375, 1.376
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Dec 29 20:01:13 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv9113
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Fri Dec 29 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-20
- Fix mplayer to work under strict policy
- Allow iptables to use nscd
Resolves: #220794
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
policy/flask/access_vectors | 2
policy/global_tunables | 48 ++
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17
policy/modules/admin/amanda.te | 1
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 9
policy/modules/admin/consoletype.te | 15
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 2
policy/modules/admin/netutils.te | 1
policy/modules/admin/prelink.te | 9
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 46 --
policy/modules/admin/su.if | 28 +
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 10
policy/modules/admin/usermanage.te | 21 -
policy/modules/apps/evolution.if | 100 +++++
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 108 +++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 38 ++
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17
policy/modules/apps/mozilla.if | 209 +++++++++--
policy/modules/apps/mplayer.if | 84 ++++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.te | 2
policy/modules/apps/thunderbird.if | 80 +++-
policy/modules/apps/userhelper.if | 19 -
policy/modules/kernel/corecommands.fc | 10
policy/modules/kernel/corecommands.if | 58 +++
policy/modules/kernel/corenetwork.if.in | 97 +++++
policy/modules/kernel/corenetwork.te.in | 15
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.if | 21 +
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 180 +++++++++
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/kernel.if | 61 +++
policy/modules/kernel/kernel.te | 4
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 16
policy/modules/services/apm.te | 3
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 9
policy/modules/services/avahi.if | 21 +
policy/modules/services/bind.fc | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 5
policy/modules/services/cron.if | 92 ++--
policy/modules/services/cron.te | 39 +-
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 41 ++
policy/modules/services/ftp.te | 14
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 57 +++
policy/modules/services/hal.te | 8
policy/modules/services/inetd.te | 9
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11
policy/modules/services/lpd.if | 56 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nis.fc | 1
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 15
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15
policy/modules/services/oddjob.te | 3
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 62 +++
policy/modules/services/pcscd.te | 74 +++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13
policy/modules/services/procmail.te | 16
policy/modules/services/radvd.te | 2
policy/modules/services/rhgb.if | 76 ++++
policy/modules/services/rhgb.te | 3
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/sendmail.te | 4
policy/modules/services/setroubleshoot.if | 20 +
policy/modules/services/setroubleshoot.te | 1
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 8
policy/modules/services/ssh.if | 40 ++
policy/modules/services/ssh.te | 7
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 +++
policy/modules/services/uucp.te | 44 ++
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 186 +++++++++
policy/modules/services/xserver.te | 12
policy/modules/system/authlogin.if | 74 +++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 10
policy/modules/system/init.if | 3
policy/modules/system/init.te | 31 +
policy/modules/system/iptables.te | 11
policy/modules/system/libraries.fc | 29 -
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 +
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.te | 9
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 ++
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 79 ++++
policy/modules/system/modutils.te | 14
policy/modules/system/mount.te | 20 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 113 +++++-
policy/modules/system/selinuxutil.te | 107 +----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23 +
policy/modules/system/tzdata.te | 34 +
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 19 +
policy/modules/system/userdomain.if | 560 ++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 61 +--
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 +
161 files changed, 3567 insertions(+), 534 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.53
retrieving revision 1.54
diff -u -r1.53 -r1.54
--- policy-20061106.patch 28 Dec 2006 17:39:12 -0000 1.53
+++ policy-20061106.patch 29 Dec 2006 20:01:11 -0000 1.54
@@ -281,7 +281,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.6/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/consoletype.te 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/consoletype.te 2006-12-28 17:45:55.000000000 -0500
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -304,7 +304,19 @@
########################################
#
-@@ -84,7 +90,7 @@
+@@ -71,7 +77,10 @@
+ apm_use_fds(consoletype_t)
+ apm_write_pipes(consoletype_t)
+ ')
+-
++optional_policy(`
++ hal_dontaudit_use_fds(consoletype_t)
++ hal_dontaudit_rw_pipes(consoletype_t)
++')
+ optional_policy(`
+ auth_read_pam_pid(consoletype_t)
+ ')
+@@ -84,7 +93,7 @@
optional_policy(`
files_read_etc_files(consoletype_t)
firstboot_use_fds(consoletype_t)
@@ -1002,9 +1014,18 @@
+ allow $1_evolution_alarm_t $2:dbus send_msg;
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-2.4.6/policy/modules/apps/gnome.fc
+--- nsaserefpolicy/policy/modules/apps/gnome.fc 2006-11-16 17:15:07.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/gnome.fc 2006-12-29 11:30:43.000000000 -0500
+@@ -7,3 +7,5 @@
+
+ /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
+ ')
++
++HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-2.4.6/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/gnome.if 2006-12-28 12:01:14.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/gnome.if 2006-12-29 11:33:22.000000000 -0500
@@ -35,13 +35,15 @@
template(`gnome_per_role_template',`
gen_require(`
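Review bot: The new file context `HOME_DIR/\.config/gtk-.*` takes effect only when the home directory is relabelled and it covers only gtk-* paths, so `HOME_DIR/\.config` itself keeps the generic home type and any gtk-* content created at runtime inherits that parent type rather than ROLE_gnome_home_t unless a file transition exists elsewhere (none is visible on this page). A short comment above the entry would save the next reader from assuming the label is applied on creation, e.g. `# GTK per-user config; ROLE_gnome_home_t is applied on relabel, not on creation`. The entry also has no file-type field, so it matches directories, files and symlinks alike — presumably intended, but worth stating in that comment.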
@@ -1022,7 +1043,17 @@
domain_type($1_gconfd_t)
domain_entry_file($1_gconfd_t, gconfd_exec_t)
role $3 types $1_gconfd_t;
-@@ -58,15 +60,25 @@
+@@ -49,6 +51,9 @@
+ type $1_gconf_home_t;
+ files_type($1_gconf_home_t)
+
++ type $1_gnome_home_t;
++ files_type($1_gnome_home_t)
++
+ type $1_gconf_tmp_t;
+ files_tmp_file($1_gconf_tmp_t)
+
+@@ -58,15 +63,25 @@
#
allow $1_gconfd_t self:process getsched;
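Review bot: `$1_gnome_home_t` is declared with `files_type` only, the same as the existing `$1_gconf_home_t` above it, so it will not carry the user home-content attribute that the generic `userdom_*_user_home_content_*` interfaces key on; if this tree's userdomain.if provides `userdom_user_home_content`, declaring the type through it (`userdom_user_home_content($1, $1_gnome_home_t)`) keeps ~/.config/gtk-* reachable by the interfaces other per-role templates already use for home content. If it does not, a comment stating that gnome_home_t is deliberately kept outside the home-content set would make the choice explicit.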
@@ -1048,7 +1079,18 @@
domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
allow $1_gconfd_t $2:fd use;
allow $1_gconfd_t $2:fifo_file write;
-@@ -124,6 +136,66 @@
+@@ -97,6 +112,10 @@
+ ')
+
+ optional_policy(`
++ ssh_dontaudit_use_user_ssh_agent_fds($1,$1_gconfd_t)
++ ')
++
++ optional_policy(`
+ xserver_use_xdm_fds($1_gconfd_t)
+ xserver_rw_xdm_pipes($1_gconfd_t)
+ ')
+@@ -124,6 +143,91 @@
type $1_gconf_tmp_t;
')
@@ -1057,7 +1099,7 @@
allow $2 $1_gconf_tmp_t:file r_file_perms;
+ allow $2 $1_gconfd_t:unix_stream_socket connectto;
+ allow $1_gconfd_t $2:unix_stream_socket connectto;
- ')
++')
+
+
+########################################
@@ -1116,10 +1158,35 @@
+ allow $1_gconfd_t $2:process sigchld;
+')
+
++########################################
++## <summary>
++## manage gnome homedir content (.config)
++## </summary>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++#
++template(`gnome_manage_user_gnome_config',`
++ gen_require(`
++ type $1_gnome_home_t;
++ ')
++
++ allow $2 $1_gnome_home_t:dir manage_dir_perms;
++ allow $2 $1_gnome_home_t:file manage_file_perms;
++
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-2.4.6/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/gnome.te 2006-12-23 23:41:40.000000000 -0500
-@@ -6,8 +6,11 @@
++++ serefpolicy-2.4.6/policy/modules/apps/gnome.te 2006-12-29 11:27:58.000000000 -0500
+@@ -6,8 +6,13 @@
# Declarations
#
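Review bot: The `<param name="user_domain">` block of `gnome_manage_user_gnome_config` documents `$2` as "The type of the user domain", but `$2` is the domain being granted access (the thunderbird hunk later in this diff passes `$1_thunderbird_t`), so the parameter should be `<param name="domain">` with summary `Domain allowed access.`, matching the other templates added in this diff. The `<desc>` paragraph noting that this is a templated interface to be called only from a per-userdomain template, present on the new mozilla templates, is missing here. The template grants manage permissions on `$1_gnome_home_t` dirs and files but no `lnk_file` permission and no search on the enclosing home directory, so callers must already hold `userdom_search_user_home_dirs`; a comment saying so would help. The stray blank line before the closing `')` can go.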
@@ -1131,6 +1198,8 @@
type gconfd_exec_t;
corecmd_executable_file(gconfd_exec_t)
+
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-2.4.6/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2006-11-16 17:15:07.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/apps/gpg.if 2006-12-23 22:41:19.000000000 -0500
@@ -1156,7 +1225,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.4.6/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/java.if 2006-12-26 10:57:01.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/java.if 2006-12-28 13:03:08.000000000 -0500
@@ -199,3 +199,41 @@
refpolicywarn(`$0($1) has no effect in strict policy.')
')
@@ -1239,7 +1308,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.4.6/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2006-11-29 09:27:46.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/mozilla.if 2006-12-26 11:39:47.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/mozilla.if 2006-12-29 12:50:16.000000000 -0500
@@ -59,7 +59,7 @@
#
allow $1_mozilla_t self:capability { sys_nice setgid setuid };
@@ -1249,7 +1318,15 @@
allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
allow $1_mozilla_t self:sem create_sem_perms;
allow $1_mozilla_t self:socket create_socket_perms;
-@@ -154,6 +154,7 @@
+@@ -94,6 +94,7 @@
+ allow $2 $1_mozilla_home_t:lnk_file create_lnk_perms;
+ allow $2 $1_mozilla_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ userdom_search_user_home_dirs($1,$1_mozilla_t)
++ userdom_dontaudit_list_user_files($1, $1_mozilla_t)
+
+ allow $1_mozilla_t $1_mozilla_tmpfs_t:dir rw_dir_perms;
+ allow $1_mozilla_t $1_mozilla_tmpfs_t:file manage_file_perms;
+@@ -154,6 +155,7 @@
dev_write_sound($1_mozilla_t)
dev_read_sound($1_mozilla_t)
dev_dontaudit_rw_dri($1_mozilla_t)
@@ -1257,7 +1334,7 @@
files_read_etc_runtime_files($1_mozilla_t)
files_read_usr_files($1_mozilla_t)
-@@ -163,8 +164,9 @@
+@@ -163,8 +165,9 @@
# interacting with gstreamer
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
@@ -1268,7 +1345,7 @@
fs_rw_tmpfs_files($1_mozilla_t)
libs_use_ld_so($1_mozilla_t)
-@@ -180,6 +182,8 @@
+@@ -180,6 +183,8 @@
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
@@ -1277,7 +1354,7 @@
userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
userdom_manage_user_home_content_files($1,$1_mozilla_t)
userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
-@@ -188,7 +192,9 @@
+@@ -188,7 +193,9 @@
userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
@@ -1288,7 +1365,7 @@
tunable_policy(`allow_execmem',`
allow $1_mozilla_t self:process { execmem execstack };
')
-@@ -336,6 +342,14 @@
+@@ -336,6 +343,14 @@
')
optional_policy(`
@@ -1303,7 +1380,16 @@
apache_read_user_scripts($1,$1_mozilla_t)
apache_read_user_content($1,$1_mozilla_t)
')
-@@ -359,34 +373,24 @@
+@@ -347,6 +362,8 @@
+ optional_policy(`
+ dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
+ dbus_send_system_bus($1_mozilla_t)
++ dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
++ dbus_send_user_bus($1,$1_mozilla_t)
+ ifdef(`TODO',`
+ optional_policy(`
+ allow cupsd_t $1_mozilla_t:dbus send_msg;
+@@ -359,44 +376,34 @@
')
optional_policy(`
@@ -1337,7 +1423,7 @@
- java_per_role_template($1_mozilla,$2,$3)
- ')
+ optional_policy(`
-+ java_domtrans_user_javaplugin($1, $1_mozilla_t)
++ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
+ ')
- ######### Launch mplayer
@@ -1347,11 +1433,25 @@
- dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
- dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
- ')
++ optional_policy(`
++ java_domtrans_user_javaplugin($1, $1_mozilla_t)
++ ')
++
+ ifdef(`TODO',`
#NOTE commented out in strict.
######### Launch email client, and make webcal links work
#ifdef(`evolution.te', `
-@@ -406,7 +410,41 @@
+ #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
+ #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
+ #')
+- #NOTE commented out in strict
+- #ifdef(`thunderbird.te', `
+- #domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
+- #')
+
+ # Macros for mozilla/mozilla (or other browser) domains.
+ # FIXME: Rules were removed to centralize policy in a gnome_app macro
+@@ -406,7 +413,147 @@
# GNOME integration
optional_policy(`
gnome_application($1_mozilla, $1)
@@ -1394,10 +1494,155 @@
+ allow $2 $1_mozilla_home_t:dir list_dir_perms;
+ allow $2 $1_mozilla_home_t:file r_file_perms;
+')
++
++########################################
++## <summary>
++## write mozilla per user homedir
++## </summary>
++## <desc>
++## <p>
++## Read mozilla per user homedir
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`mozilla_write_user_home_files',`
++ gen_require(`
++ type $1_mozilla_home_t;
++ ')
++
++ allow $2 $1_mozilla_home_t:dir list_dir_perms;
++ allow $2 $1_mozilla_home_t:file write;
++')
++
++########################################
++## <summary>
++## Run mozilla in user mozilla domain.
++## </summary>
++## <desc>
++## <p>
++## Run mozilla in mozilla domain.
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`mozilla_domtrans_user_mozilla',`
++ gen_require(`
++ type $1_mozilla_t, mozilla_exec_t;
++ ')
++
++ domain_auto_trans($2,mozilla_exec_t,$1_mozilla_t)
++
++ allow $2 $1_mozilla_t:fd use;
++ allow $1_mozilla_t $2:fd use;
++ allow $1_mozilla_t $2:fifo_file rw_file_perms;
++ allow $1_mozilla_t $2:process sigchld;
++')
++
++########################################
++## <summary>
++## read/write mozilla per user tcp_socket
++## </summary>
++## <desc>
++## <p>
++## read/write mozilla per user tcp_socket
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`mozilla_rw_user_tcp_sockets',`
++ gen_require(`
++ type $1_mozilla_t;
++ ')
++
++ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-2.4.6/policy/modules/apps/mplayer.if
--- nsaserefpolicy/policy/modules/apps/mplayer.if 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/mplayer.if 2006-12-26 07:25:26.000000000 -0500
-@@ -446,3 +446,76 @@
++++ serefpolicy-2.4.6/policy/modules/apps/mplayer.if 2006-12-29 08:10:38.000000000 -0500
+@@ -184,6 +184,10 @@
+ files_dontaudit_list_default($1_mencoder_t)
+ ')
+
++ tunable_policy(`write_untrusted_content',`
++ userdom_manage_user_untrusted_content_files($1, $1_mplayer_t)
++ ')
++
+ tunable_policy(`read_untrusted_content',`
+ files_list_tmp($1_mencoder_t)
+ files_list_home($1_mencoder_t)
+@@ -255,6 +259,7 @@
+
+ allow $1_mplayer_t self:process { signal_perms getsched };
+ allow $1_mplayer_t self:fifo_file rw_file_perms;
++ allow $1_mplayer_t self:sem create_sem_perms;
+
+ allow $1_mplayer_t $1_mplayer_home_t:dir manage_dir_perms;
+ allow $1_mplayer_t $1_mplayer_home_t:file manage_file_perms;
+@@ -331,6 +336,7 @@
+
+ fs_dontaudit_getattr_all_fs($1_mplayer_t)
+ fs_search_auto_mountpoints($1_mplayer_t)
++ fs_list_inotifyfs($1_mplayer_t)
+
+ libs_use_ld_so($1_mplayer_t)
+ libs_use_shared_libs($1_mplayer_t)
+@@ -439,6 +445,11 @@
+ ')
+
+ optional_policy(`
++ mozilla_write_user_home_files($1, $1_mplayer_t)
++ mozilla_rw_user_tcp_sockets($1, $1_mplayer_t)
++ ')
++
++ optional_policy(`
+ alsa_read_rw_config($1_mplayer_t)
+ ')
+
+@@ -446,3 +457,76 @@
nscd_socket_use($1_mplayer_t)
')
')
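Review bot: `mozilla_rw_user_tcp_sockets`, which the mplayer hunk calls as `mozilla_rw_user_tcp_sockets($1, $1_mplayer_t)`, grants `$2 $1_mozilla_t:tcp_socket rw_socket_perms` on every TCP socket the browser domain owns, not only the stream handed to the plugin, because SELinux cannot distinguish one of the browser's sockets from another; the risk is that the plugin domain can read or write any of the browser's connections. That is probably the intended trade-off for in-browser streaming, but it deserves a comment next to the call, e.g. `# mplayer plugin streams over sockets inherited from the browser; this covers all of $1_mozilla_t's tcp_sockets`. Separately, the `<desc>` of `mozilla_write_user_home_files` still says `Read mozilla per user homedir` while the summary and the rule grant `file write`; the description should say write. The `write_untrusted_content` block added at `@@ -184` references `$1_mplayer_t` while every surrounding rule is for `$1_mencoder_t`; it belongs beside the other `$1_mplayer_t` rules (the `@@ -255` region) and would fail to resolve if the mencoder rules ever move to a separate template.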
@@ -1474,6 +1719,14 @@
+ allow $2 $1_mplayer_home_t:file r_file_perms;
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-2.4.6/policy/modules/apps/mplayer.te
+--- nsaserefpolicy/policy/modules/apps/mplayer.te 2006-11-16 17:15:07.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/mplayer.te 2006-12-29 08:04:53.000000000 -0500
+@@ -21,3 +21,4 @@
+ unconfined_execmem_alias_program(mencoder_exec_t)
+ unconfined_execmem_alias_program(mplayer_exec_t)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.4.6/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2006-11-16 17:15:07.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/apps/slocate.te 2006-12-23 22:41:19.000000000 -0500
@@ -1488,8 +1741,8 @@
# mls Higher level directories will be refused, so dontaudit
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-2.4.6/policy/modules/apps/thunderbird.if
--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/thunderbird.if 2006-12-28 12:04:29.000000000 -0500
-@@ -62,6 +62,9 @@
++++ serefpolicy-2.4.6/policy/modules/apps/thunderbird.if 2006-12-29 12:50:08.000000000 -0500
+@@ -62,12 +62,16 @@
allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
allow $1_thunderbird_t self:tcp_socket create_socket_perms;
allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
@@ -1499,7 +1752,14 @@
# Access ~/.thunderbird
allow $1_thunderbird_t $1_thunderbird_home_t:dir manage_dir_perms;
-@@ -96,10 +99,13 @@
+ allow $1_thunderbird_t $1_thunderbird_home_t:file manage_file_perms;
+ allow $1_thunderbird_t $1_thunderbird_home_t:lnk_file create_lnk_perms;
+ userdom_search_user_home_dirs($1,$1_thunderbird_t)
++ userdom_dontaudit_list_user_files($1, $1_thunderbird_t)
+
+ allow $1_thunderbird_t $1_thunderbird_tmpfs_t:dir rw_dir_perms;
+ allow $1_thunderbird_t $1_thunderbird_tmpfs_t:file manage_file_perms;
+@@ -96,10 +100,13 @@
# Allow netstat
kernel_read_network_state($1_thunderbird_t)
@@ -1513,7 +1773,7 @@
corenet_non_ipsec_sendrecv($1_thunderbird_t)
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
-@@ -126,15 +132,20 @@
+@@ -126,15 +133,20 @@
files_list_tmp($1_thunderbird_t)
files_read_usr_files($1_thunderbird_t)
files_read_etc_files($1_thunderbird_t)
@@ -1534,7 +1794,7 @@
sysnet_read_config($1_thunderbird_t)
# Allow DNS
-@@ -148,7 +159,8 @@
+@@ -148,7 +160,8 @@
userdom_read_user_home_content_files($1,$1_thunderbird_t)
xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t)
@@ -1544,7 +1804,7 @@
# Transition from user type
tunable_policy(`! disable_thunderbird_trans',`
domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
-@@ -299,6 +311,10 @@
+@@ -299,6 +312,10 @@
')
optional_policy(`
@@ -1555,7 +1815,7 @@
dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t)
dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t)
dbus_send_system_bus($1_thunderbird_t)
-@@ -321,6 +337,19 @@
+@@ -321,17 +338,26 @@
nis_use_ypbind($1_thunderbird_t)
')
@@ -1566,15 +1826,72 @@
+ optional_policy(`
+ gnome_stream_connect_gconf_template($1,$1_thunderbird_t)
+ gnome_domtrans_user_gconf($1, $1_thunderbird_t)
++ gnome_manage_user_gnome_config($1, $1_thunderbird_t)
+ ')
+
+ optional_policy(`
+ mozilla_read_user_home_files($1, $1_thunderbird_t)
++ mozilla_domtrans_user_mozilla($1, $1_thunderbird_t)
+ ')
+
ifdef(`TODO',`
# FIXME: Rules were removed to centralize policy in a gnome_app macro
# A similar thing might be necessary for mozilla compiled without GNOME
+ # support (is this possible?).
+
+- # Start links in web browser
+- ifdef(`mozilla.te', `
+- can_exec($1_thunderbird_t, shell_exec_t)
+- domain_auto_trans($1_thunderbird_t, mozilla_exec_t, $1_mozilla_t)
+- ')
+-
+ # GNOME support
+ optional_policy(`
+ gnome_application($1_thunderbird, $1)
+@@ -347,3 +373,43 @@
+
+ ')
+ ')
++
++########################################
++## <summary>
++## Run thunderbird in user thunderbird domain.
++## </summary>
++## <desc>
++## <p>
++## Run thunderbird in thunderbird domain.
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`thunderbird_domtrans_user_thunderbird',`
++ gen_require(`
++ type $1_thunderbird_t, thunderbird_exec_t;
++ ')
++
++ domain_auto_trans($2,thunderbird_exec_t,$1_thunderbird_t)
++
++ allow $2 $1_thunderbird_t:fd use;
++ allow $1_thunderbird_t $2:fd use;
++ allow $1_thunderbird_t $2:fifo_file rw_file_perms;
++ allow $1_thunderbird_t $2:process sigchld;
++')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-2.4.6/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2006-11-16 17:15:07.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/apps/userhelper.if 2006-12-23 22:41:19.000000000 -0500
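Review bot: With `mozilla_domtrans_user_mozilla($1, $1_thunderbird_t)` added here and `thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)` added in the mozilla.if hunk earlier in this diff, the browser and mail domains can each start the other, and each domtrans template passes fds and a rw fifo across in both directions; nothing at either call site records why. A one-line comment at each call stating the hand-off it supports (presumably link handling between the two clients) would keep the pair from being pruned independently later. The two extra blank lines after the new template's closing `')` should be reduced to the single blank line used between the other templates.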
@@ -1610,7 +1927,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc 2006-12-28 09:38:30.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc 2006-12-28 22:54:35.000000000 -0500
@@ -1,4 +1,3 @@
-
#
@@ -1624,18 +1941,20 @@
')
#
-@@ -188,7 +188,10 @@
+@@ -188,7 +188,12 @@
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -247,3 +250,6 @@
+@@ -247,3 +252,6 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -2774,8 +3093,8 @@
corenet_tcp_sendrecv_all_nodes(clamd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-2.4.6/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.fc 2006-12-23 22:41:19.000000000 -0500
-@@ -5,7 +5,7 @@
++++ serefpolicy-2.4.6/policy/modules/services/cron.fc 2006-12-28 14:25:37.000000000 -0500
+@@ -5,11 +5,11 @@
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
@@ -2784,6 +3103,19 @@
/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+-
++/var/lock/subsys/anacron -- gen_context(system_u:object_r:cron_lock_t,s0)
+ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+@@ -17,6 +17,7 @@
+ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
++/var/spool/anacron -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/at/[^/]* -- <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.6/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/cron.if 2006-12-23 22:41:19.000000000 -0500
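Review bot: `/var/spool/anacron -d gen_context(system_u:object_r:cron_spool_t,s0)` labels only the directory, so whatever anacron keeps inside it (its per-job timestamp files, if this layout matches the usual one) has no matching entry and will be relabelled to the generic /var/spool type by restorecon, undoing the label crond_t gives them at creation; `/var/spool/anacron(/.*)? gen_context(system_u:object_r:cron_spool_t,s0)` covers both. The `/var/lock/subsys/anacron` entry only makes sense together with the `files_lock_filetrans` rule added to cron.te later in this diff, so a one-line comment above it naming that dependency, `# created by crond_t via files_lock_filetrans in cron.te`, keeps the two in sync.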
@@ -2969,7 +3301,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.6/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.te 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cron.te 2006-12-28 14:32:57.000000000 -0500
@@ -11,9 +11,6 @@
#
attribute cron_spool_type;
@@ -2980,7 +3312,17 @@
type cron_spool_t;
files_type(cron_spool_t)
-@@ -33,6 +30,7 @@
+@@ -25,6 +22,9 @@
+ type cron_log_t;
+ logging_log_file(cron_log_t)
+
++type cron_lock_t;
++files_lock_file(cron_lock_t)
++
+ type crond_t;
+ type crond_exec_t;
+ init_daemon_domain(crond_t,crond_exec_t)
+@@ -33,6 +33,7 @@
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
@@ -2988,7 +3330,7 @@
type crond_var_run_t;
files_pid_file(crond_var_run_t)
-@@ -47,8 +45,8 @@
+@@ -47,8 +48,8 @@
typealias crond_t alias system_crond_t;
',`
type system_crond_t;
@@ -2998,7 +3340,7 @@
corecmd_shell_entry_type(system_crond_t)
role system_r types system_crond_t;
-@@ -86,7 +84,7 @@
+@@ -86,18 +87,19 @@
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
@@ -3007,7 +3349,12 @@
allow crond_t crond_var_run_t:file create_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
-@@ -98,6 +96,7 @@
+
+ allow crond_t cron_spool_t:dir rw_dir_perms;
+-allow crond_t cron_spool_t:file r_file_perms;
++allow crond_t cron_spool_t:file create_file_perms;
+ allow crond_t system_cron_spool_t:dir r_dir_perms;
+ allow crond_t system_cron_spool_t:file r_file_perms;
kernel_read_kernel_sysctls(crond_t)
kernel_search_key(crond_t)
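Review bot: Widening `allow crond_t cron_spool_t:file` from `r_file_perms` to `create_file_perms` lets the cron daemon create, write and unlink files in every `cron_spool_t`-labelled location, not just the anacron spool this commit is about, while `system_cron_spool_t` on the next line stays read-only; a dedicated type for the anacron spool (declared like the new `cron_lock_t` above) would keep the daemon read-only on the rest of the spool. If the wider grant is deliberate, a comment should say which spool content crond_t is expected to write, e.g. `# anacron timestamps live under cron_spool_t; crond_t must be able to create them`. The enclosing rule block continues outside the hunk.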
@@ -3015,7 +3362,7 @@
dev_read_sysfs(crond_t)
selinux_get_fs_mount(crond_t)
-@@ -121,6 +120,16 @@
+@@ -121,6 +123,16 @@
corecmd_list_sbin(crond_t)
corecmd_read_sbin_symlinks(crond_t)
@@ -3032,7 +3379,7 @@
domain_use_interactive_fds(crond_t)
files_read_etc_files(crond_t)
-@@ -151,6 +160,12 @@
+@@ -151,6 +163,12 @@
mta_send_mail(crond_t)
@@ -3045,7 +3392,7 @@
ifdef(`distro_debian',`
optional_policy(`
# Debian logcheck has the home dir set to its cache
-@@ -166,6 +181,11 @@
+@@ -166,6 +184,11 @@
')
')
@@ -3057,6 +3404,17 @@
ifdef(`targeted_policy',`
allow crond_t system_crond_tmp_t:dir create_dir_perms;
allow crond_t system_crond_tmp_t:file create_file_perms;
+@@ -239,6 +262,10 @@
+ # System cron process domain
+ #
+
++# This is to handle creation of files in /var/lock directory. (anacron)
++allow crond_t cron_lock_t:file create_file_perms;
++files_lock_filetrans(crond_t,cron_lock_t,file)
++
+ # This is to handle creation of files in /var/log directory.
+ # Used currently by rpm script log files
+ allow system_crond_t cron_log_t:file manage_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.4.6/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/cups.fc 2006-12-23 22:41:19.000000000 -0500
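Review bot: The two new `crond_t` rules for `cron_lock_t` are placed directly under the `# System cron process domain` header, alongside `system_crond_t` rules, so a reader scanning by section will look for them in the crond_t block; moving them up next to the other `crond_t` file rules (the `cron_spool_t` allows earlier in this diff) keeps the file's section ordering honest. `files_lock_filetrans(crond_t,cron_lock_t,file)` makes every file crond_t creates in the lock directory `cron_lock_t`, not only anacron's, so the comment should say so: `# anacron (run as crond_t) creates its lock under /var/lock; every file crond_t creates there becomes cron_lock_t`. files.if is not in this chunk, so the existence of `files_lock_filetrans` in this tree is assumed.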
@@ -3128,7 +3486,7 @@
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.4.6/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/dbus.if 2006-12-23 23:55:11.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/dbus.if 2006-12-29 11:49:03.000000000 -0500
@@ -70,7 +70,7 @@
#
@@ -3180,6 +3538,38 @@
auth_read_pam_console_data($1_dbusd_t)
libs_use_ld_so($1_dbusd_t)
+@@ -279,6 +293,31 @@
+
+ ########################################
+ ## <summary>
++## connectto a message on user/application specific DBUS.
++## </summary>
++## <param name="domain_prefix">
++## <summary>
++## The prefix of the domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`dbus_connectto_user_bus',`
++ gen_require(`
++ type $1_dbusd_t;
++ ')
++
++ allow $2 $1_dbusd_t:unix_stream_socket connectto;
++')
++
++
++########################################
++## <summary>
+ ## Read dbus configuration.
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.4.6/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/ftp.te 2006-12-23 22:41:19.000000000 -0500
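Review bot: The summary of the new dbus_connectto_user_bus template, `## connectto a message on user/application specific DBUS.`, describes the wrong object: the rule grants connectto on the $1_dbusd_t unix_stream_socket, not on a message. Reword it to `## Connect to the user/application specific DBUS socket.` so the generated documentation matches the permission granted. One of the two blank lines added before the next interface's banner is also surplus.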
@@ -3245,8 +3635,8 @@
+/var/run/haldaemon.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.4.6/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.if 2006-12-24 01:00:22.000000000 -0500
-@@ -157,3 +157,23 @@
++++ serefpolicy-2.4.6/policy/modules/services/hal.if 2006-12-28 17:46:18.000000000 -0500
+@@ -157,3 +157,60 @@
files_search_pids($1)
allow $1 hald_var_run_t:file rw_file_perms;
')
@@ -3270,6 +3660,43 @@
+ files_search_pids($1)
+ dontaudit $1 hald_var_lib_t:file ra_file_perms;
+')
++
++########################################
++## <summary>
++## Use file descriptors for hal
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`hal_dontaudit_use_fds',`
++ gen_require(`
++ type hald_t;
++ ')
++
++ dontaudit $1 hald_t:fd use;
++')
++
++########################################
++## <summary>
++## Read/Write to hald unnamed pipes.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`hal_dontaudit_rw_pipes',`
++ gen_require(`
++ type hald_t;
++ ')
++
++ dontaudit $1 hald_t:fifo_file rw_file_perms;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.4.6/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/hal.te 2006-12-23 22:41:19.000000000 -0500
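Review bot: Both new interfaces are dontaudit rules but their summaries read as grants, `## Use file descriptors for hal` and `## Read/Write to hald unnamed pipes.`, so a reader of the generated docs would assume they allow the access. Reword them to `## Do not audit attempts to use hald file descriptors.` and `## Do not audit attempts to read and write hald unnamed pipes.`, matching the _dontaudit_ names. The trailing added blank line before the hal.te header is surplus.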
@@ -3469,7 +3896,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.6/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/mta.te 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/mta.te 2006-12-28 19:27:41.000000000 -0500
@@ -27,6 +27,7 @@
type sendmail_exec_t;
@@ -4183,6 +4610,20 @@
term_dontaudit_use_console(saslauthd_t)
auth_domtrans_chk_passwd(saslauthd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.4.6/policy/modules/services/sendmail.te
+--- nsaserefpolicy/policy/modules/services/sendmail.te 2006-11-16 17:15:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/sendmail.te 2006-12-28 19:27:59.000000000 -0500
+@@ -140,6 +140,10 @@
+ udev_read_db(sendmail_t)
+ ')
+
++optional_policy(`
++ clamav_search_lib(sendmail_t)
++')
++
+ ifdef(`TODO',`
+ allow sendmail_t etc_mail_t:dir rw_dir_perms;
+ allow sendmail_t etc_mail_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-2.4.6/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/setroubleshoot.if 2006-12-26 07:30:53.000000000 -0500
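Review bot: The new optional_policy block granting clamav_search_lib(sendmail_t) carries no comment recording what sendmail looks up under clamav's lib directory, and the commit's changelog entry lists only the mplayer and iptables changes, so this grant is otherwise unrecorded. Add a line above it such as `# sendmail needs to search the clamav lib dir (presumably to reach a milter socket; record the trigger)` and mention the change in the changelog. The surrounding sendmail.te context is only partly visible in this hunk.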
@@ -4556,7 +4997,7 @@
+logging_search_logs(uux_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-2.4.6/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/xserver.fc 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/xserver.fc 2006-12-29 11:26:36.000000000 -0500
@@ -44,7 +44,7 @@
# /tmp
#
@@ -5001,7 +5442,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.4.6/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.te 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.te 2006-12-29 10:21:11.000000000 -0500
@@ -9,6 +9,7 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -5267,12 +5708,16 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.4.6/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/iptables.te 2006-12-23 22:41:19.000000000 -0500
-@@ -81,11 +81,12 @@
++++ serefpolicy-2.4.6/policy/modules/system/iptables.te 2006-12-29 10:21:24.000000000 -0500
+@@ -81,11 +81,16 @@
term_dontaudit_use_unallocated_ttys(iptables_t)
term_dontaudit_use_generic_ptys(iptables_t)
files_dontaudit_read_root_files(iptables_t)
+ unconfined_rw_pipes(iptables_t)
++')
++
++optional_policy(`
++ nscd_socket_use(iptables_t)
')
optional_policy(`
@@ -5282,7 +5727,7 @@
')
optional_policy(`
-@@ -104,3 +105,7 @@
+@@ -104,3 +109,7 @@
optional_policy(`
udev_read_db(iptables_t)
')
@@ -6403,7 +6848,7 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-28 09:59:50.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-29 12:49:27.000000000 -0500
@@ -22,9 +22,9 @@
## <rolebase/>
#
@@ -6747,7 +7192,7 @@
+ type sysadm_home_dir_t, sysadm_home_t;
')
-')
--
+
-########################################
-## <summary>
-## Read files in the sysadm users home directory.
@@ -6763,7 +7208,7 @@
- gen_require(`
- type sysadm_tmp_t;
- ')
-
+-
- files_search_tmp($1)
- allow $1 sysadm_tmp_t:dir list_dir_perms;
- allow $1 sysadm_tmp_t:{ file lnk_file } r_file_perms;
@@ -6814,7 +7259,7 @@
## Read files in generic user home directories.
## </summary>
## <param name="domain">
-@@ -5497,3 +5541,383 @@
+@@ -5497,3 +5541,405 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
@@ -7198,6 +7643,28 @@
+ allow $1 user_exec_type:file getattr;
+')
+
++########################################
++## <summary>
++## dontaudit getattr all user file type
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_dontaudit_list_user_files',`
++ gen_require(`
++ attribute $1_file_type;
++ ')
++
++ dontaudit $2 $1_file_type:dir search_dir_perms;
++ dontaudit $2 $1_file_type:file getattr;
++')
++
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.6/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/system/userdomain.te 2006-12-24 00:10:55.000000000 -0500
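Review bot: The new userdom_dontaudit_list_user_files takes two arguments ($1 as a prefix for `$1_file_type`, $2 as the domain) but its XML doc describes a single `domain` parameter, and it is declared with interface() rather than template() even though it instantiates a prefix-derived attribute; compare the dbus_connectto_user_bus template earlier in this same patch, which documents `domain_prefix` and `domain` separately. Its summary, `dontaudit getattr all user file type`, also omits the dir rule, and the name says list while the rule uses search_dir_perms, so either rename it to userdom_dontaudit_search_user_files or use list_dir_perms, whichever is intended, and document both parameters. The three trailing added blank lines before the userdomain.te header should be reduced to one.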
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.375
retrieving revision 1.376
diff -u -r1.375 -r1.376
--- selinux-policy.spec 28 Dec 2006 17:39:12 -0000 1.375
+++ selinux-policy.spec 29 Dec 2006 20:01:11 -0000 1.376
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 19%{?dist}
+Release: 20%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,6 +351,11 @@
%endif
%changelog
+* Fri Dec 29 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-20
+- fix mplayer to work under strict policy
+- Allow iptables to use nscd
+Resolves: #220794
+
* Thu Dec 28 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-19
- Add gconf policy and make it work with strict