rpms/selinux-policy/devel booleans-targeted.conf, 1.10, 1.11 policy-20060505.patch, 1.18, 1.19 policy-20060608.patch, 1.1, 1.2 selinux-policy.spec, 1.203, 1.204
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Jun 9 02:55:46 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv16459
Modified Files:
booleans-targeted.conf policy-20060505.patch
policy-20060608.patch selinux-policy.spec
Log Message:
* Tue Jun 6 2006 Dan Walsh <dwalsh at redhat.com> 2.2.44-1
- Update from upstream
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- booleans-targeted.conf 28 May 2006 10:52:17 -0000 1.10
+++ booleans-targeted.conf 9 Jun 2006 02:55:43 -0000 1.11
@@ -10,10 +10,26 @@
#
allow_execstack = false
+# Allow ftpd to read cifs directories.
+#
+allow_ftpd_use_cifs = false
+
+# Allow ftpd to read nfs directories.
+#
+allow_ftpd_use_nfs = false
+
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
+# Allow ftpd to read cifs directories.
+#
+allow_ftpd_use_cifs = false
+
+# Allow ftpd to read nfs directories.
+#
+allow_ftpd_use_nfs = false
+
# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = true
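Review bot: `allow_ftpd_use_cifs` and `allow_ftpd_use_nfs` are each added twice in this hunk, once before `allow_ftpd_anon_write` and again immediately after it, with identical comments and values. Drop the second pair so each boolean has a single definition; if the spec's build step tolerates a duplicate key the copy is merely confusing, and if it rejects one the package build fails, so neither outcome should be left to chance. The surviving entries should read `allow_ftpd_use_cifs = false` and `allow_ftpd_use_nfs = false` exactly once, with their comments.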
@@ -162,10 +178,6 @@
#
allow_user_mysql_connect = false
-# Allow system cron jobs to relabel filesystemfor restoring file contexts.
-#
-cron_can_relabel = false
-
# Allow pppd to be run for a regular user
#
pppd_for_user = false
policy-20060505.patch:
config/appconfig-strict-mls/default_type | 1
policy/modules/admin/consoletype.te | 7 ++++-
policy/modules/admin/prelink.fc | 2 -
policy/modules/admin/rpm.te | 8 ++++-
policy/modules/apps/webalizer.te | 1
policy/modules/kernel/files.if | 35 +++++++++++++++++++++++++
policy/modules/kernel/filesystem.te | 3 +-
policy/modules/kernel/kernel.te | 1
policy/modules/services/automount.te | 8 +++++
policy/modules/services/cron.te | 1
policy/modules/services/cups.te | 4 ++
policy/modules/services/ftp.te | 1
policy/modules/services/hal.te | 2 +
policy/modules/services/mysql.te | 2 -
policy/modules/services/ntp.te | 2 +
policy/modules/services/pegasus.if | 31 ++++++++++++++++++++++
policy/modules/services/pegasus.te | 5 +--
policy/modules/services/procmail.te | 5 +++
policy/modules/services/pyzor.te | 4 ++
policy/modules/services/xfs.te | 2 +
policy/modules/system/authlogin.if | 1
policy/modules/system/hostname.te | 5 ++-
policy/modules/system/init.te | 1
policy/modules/system/logging.fc | 6 ++--
policy/modules/system/logging.te | 10 ++++---
policy/modules/system/unconfined.fc | 8 +++--
policy/modules/system/unconfined.if | 28 ++++++++++++++++++++
policy/modules/system/unconfined.te | 13 +++++++--
policy/modules/system/userdomain.if | 28 --------------------
policy/modules/system/userdomain.te | 43 +++++++++++++++++++++++++++----
policy/rolemap | 1
policy/support/misc_macros.spt | 2 -
policy/users | 6 ++--
33 files changed, 216 insertions(+), 61 deletions(-)
Index: policy-20060505.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060505.patch,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- policy-20060505.patch 8 Jun 2006 14:03:38 -0000 1.18
+++ policy-20060505.patch 9 Jun 2006 02:55:43 -0000 1.19
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.44/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type 2006-01-06 17:55:17.000000000 -0500
-+++ serefpolicy-2.2.44/config/appconfig-strict-mls/default_type 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/config/appconfig-strict-mls/default_type 2006-06-08 16:10:33.000000000 -0400
@@ -2,3 +2,4 @@
secadm_r:secadm_t
staff_r:staff_t
@@ -8,7 +8,7 @@
+auditadm_r:auditadm_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.44/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/admin/consoletype.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/admin/consoletype.te 2006-06-08 16:10:33.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -23,9 +23,20 @@
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-2.2.44/policy/modules/admin/prelink.fc
+--- nsaserefpolicy/policy/modules/admin/prelink.fc 2006-01-25 12:52:21.000000000 -0500
++++ serefpolicy-2.2.44/policy/modules/admin/prelink.fc 2006-06-08 16:10:33.000000000 -0400
+@@ -3,6 +3,6 @@
+
+ /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
+-/var/lib/misc/prelink\.* -- gen_context(system_u:object_r:prelink_cache_t,s0)
++/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0)
+
+ /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.44/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-06-08 08:45:57.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/admin/rpm.te 2006-06-08 09:49:46.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/admin/rpm.te 2006-06-08 16:10:33.000000000 -0400
@@ -341,12 +341,16 @@
optional_policy(`
mono_domtrans(rpm_script_t)
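Review bot: The corrected context `/var/lib/misc/prelink\..*` only applies to files created after the new policy is loaded; files already on disk keep the label the old pattern gave them, and since `prelink\.*` matched only `prelink` followed by literal dots, those files were never `prelink_cache_t`. selinux-policy.spec is listed as modified but its diff is not shown, so confirm its post-install step relabels `/var/lib/misc` (a `restorecon -R` or fixfiles pass), otherwise prelink's cache stays mislabeled across the upgrade. A comment above the entry, `# any prelink.* file under /var/lib/misc (the old prelink\.* matched only literal dots)`, would explain the change to the next reader.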
@@ -47,7 +58,7 @@
mta_send_mail(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.2.44/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2006-06-08 08:45:57.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/apps/webalizer.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/apps/webalizer.te 2006-06-08 16:10:33.000000000 -0400
@@ -44,6 +44,7 @@
allow webalizer_t self:unix_dgram_socket sendto;
allow webalizer_t self:unix_stream_socket connectto;
@@ -58,7 +69,7 @@
allow webalizer_t webalizer_etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.44/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-06-06 22:21:53.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/kernel/files.if 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/files.if 2006-06-08 20:41:26.000000000 -0400
@@ -1913,6 +1913,21 @@
')
@@ -81,9 +92,33 @@
## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
+@@ -4360,3 +4375,23 @@
+
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## Mount a filesystem on all files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_mounton_all_files',`
++ gen_require(`
++ attribute file_type, security_file_type;
++ ')
++
++ allow $1 { file_type -security_file_type }:dir mounton;
++ allow $1 { file_type -security_file_type }:file mounton;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.44/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-06-08 08:45:57.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/kernel/filesystem.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/filesystem.te 2006-06-08 16:10:33.000000000 -0400
@@ -23,7 +23,7 @@
# Requires that a security xattr handler exist for the filesystem.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
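Review bot: `files_mounton_all_files` grants `mounton` on every `file_type` other than `security_file_type`, which lets the caller mount over arbitrary configuration files and executables and so replace what every other domain sees at those paths; the summary `Mount a filesystem on all files.` understates that. No caller is visible in this diff, so state the intended audience in the interface doc, e.g. `## Mount a filesystem on top of any non-security file or directory. The domain can thereby shadow configuration files and executables, so grant this only to trusted mount/init-like domains.` If the eventual user only needs to cover unlabeled mount points, the existing `files_mounton_isid_type_dirs` (used for initrc_t elsewhere in this patch) is the narrower choice.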
@@ -103,7 +138,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.44/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-06-06 22:21:53.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/kernel/kernel.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/kernel.te 2006-06-08 16:10:33.000000000 -0400
@@ -28,6 +28,7 @@
ifdef(`enable_mls',`
@@ -112,30 +147,92 @@
')
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.44/policy/modules/services/automount.te
+--- nsaserefpolicy/policy/modules/services/automount.te 2006-06-06 22:21:53.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/automount.te 2006-06-08 16:10:33.000000000 -0400
+@@ -30,7 +30,7 @@
+
+ allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
+ dontaudit automount_t self:capability sys_tty_config;
+-allow automount_t self:process { signal_perms getpgid setpgid setsched };
++allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+ allow automount_t self:fifo_file rw_file_perms;
+ allow automount_t self:unix_stream_socket create_socket_perms;
+ allow automount_t self:unix_dgram_socket create_socket_perms;
+@@ -58,9 +58,11 @@
+ files_pid_filetrans(automount_t,automount_var_run_t,file)
+
+ kernel_read_kernel_sysctls(automount_t)
++kernel_read_irq_sysctls(automount_t)
+ kernel_read_fs_sysctls(automount_t)
+ kernel_read_proc_symlinks(automount_t)
+ kernel_read_system_state(automount_t)
++kernel_read_network_state(automount_t)
+ kernel_list_proc(automount_t)
+
+ files_search_boot(automount_t)
+@@ -92,6 +94,7 @@
+ dev_read_urand(automount_t)
+
+ domain_use_interactive_fds(automount_t)
++domain_dontaudit_read_all_domains_state(automount_t)
+
+ files_dontaudit_write_var_dirs(automount_t)
+ files_getattr_all_dirs(automount_t)
+@@ -104,11 +107,14 @@
+ files_getattr_default_dirs(automount_t)
+ # because config files can be shell scripts
+ files_exec_etc_files(automount_t)
++files_mounton_mnt(automount_t)
+
+ fs_getattr_all_fs(automount_t)
+ fs_getattr_all_dirs(automount_t)
+ fs_search_auto_mountpoints(automount_t)
+ fs_manage_auto_mountpoints(automount_t)
++fs_unmount_autofs(automount_t)
++fs_mount_autofs(automount_t)
+
+ term_dontaudit_use_console(automount_t)
+ term_dontaudit_getattr_pty_dirs(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.44/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2006-06-06 22:21:53.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/cron.te 2006-06-08 16:10:33.000000000 -0400
+@@ -353,6 +353,7 @@
+
+ tunable_policy(`cron_can_relabel',`
+ seutil_domtrans_setfiles(system_crond_t)
++ seutil_domtrans_restorecon(system_crond_t)
+ ',`
+ selinux_get_fs_mount(system_crond_t)
+ selinux_validate_context(system_crond_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.44/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/cups.te 2006-06-08 09:43:08.000000000 -0400
-@@ -647,11 +647,15 @@
++++ serefpolicy-2.2.44/policy/modules/services/cups.te 2006-06-08 16:10:33.000000000 -0400
+@@ -655,6 +655,10 @@
')
optional_policy(`
-- seutil_sigchld_newrole(hplip_t)
-+ snmp_read_snmp_var_lib_files(hplip_t)
- ')
-
- optional_policy(`
-- snmp_read_snmp_var_lib_files(hplip_t)
+ mount_send_nfs_client_request(hplip_t)
+')
+
+optional_policy(`
-+ seutil_sigchld_newrole(hplip_t)
+ udev_read_db(hplip_t)
')
- optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.44/policy/modules/services/ftp.te
+--- nsaserefpolicy/policy/modules/services/ftp.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/ftp.te 2006-06-08 16:10:33.000000000 -0400
+@@ -59,6 +59,7 @@
+
+ allow ftpd_t ftpd_var_run_t:file create_file_perms;
+ allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
++allow ftpd_t ftpd_var_run_t:sock_file create_file_perms;
+ files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
+
+ # Create and modify /var/log/xferlog.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.44/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-06-06 22:21:54.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/hal.te 2006-06-08 09:47:42.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/hal.te 2006-06-08 16:10:33.000000000 -0400
@@ -140,6 +140,8 @@
sysnet_read_config(hald_t)
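Review bot: `seutil_domtrans_restorecon(system_crond_t)` widens what `cron_can_relabel` unlocks (restorecon as well as setfiles), while the booleans-targeted.conf change in this same commit deletes the explicit `cron_can_relabel = false`, so the targeted default now rests solely on the tunable's declaration in cron.te, which is outside this hunk. Confirm that declaration still defaults to false; with the boolean on, any system cron job can relabel the filesystem through restorecon_t. A comment on the new line, `# restorecon as well as setfiles, both gated by cron_can_relabel`, would make the pairing explicit.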
@@ -147,7 +244,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.2.44/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/mysql.te 2006-06-08 09:48:34.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/mysql.te 2006-06-08 16:10:33.000000000 -0400
@@ -101,7 +101,7 @@
miscfiles_read_localization(mysqld_t)
@@ -159,7 +256,7 @@
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.44/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2006-06-06 22:21:55.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/ntp.te 2006-06-08 09:48:01.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/ntp.te 2006-06-08 16:10:33.000000000 -0400
@@ -112,6 +112,8 @@
sysnet_read_config(ntpd_t)
@@ -171,7 +268,7 @@
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.44/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2005-10-25 13:40:18.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/pegasus.if 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pegasus.if 2006-06-08 16:10:33.000000000 -0400
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -207,7 +304,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.44/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/pegasus.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pegasus.te 2006-06-08 16:10:33.000000000 -0400
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
@@ -226,7 +323,7 @@
hostname_exec(pegasus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.44/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2006-06-06 22:21:55.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/procmail.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/procmail.te 2006-06-08 16:10:33.000000000 -0400
@@ -109,3 +109,8 @@
spamassassin_exec(procmail_t)
spamassassin_exec_client(procmail_t)
@@ -238,7 +335,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.44/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/pyzor.te 2006-06-08 09:46:23.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pyzor.te 2006-06-08 16:10:33.000000000 -0400
@@ -126,3 +126,7 @@
optional_policy(`
nscd_socket_use(pyzord_t)
@@ -249,7 +346,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.44/policy/modules/services/xfs.te
--- nsaserefpolicy/policy/modules/services/xfs.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/xfs.te 2006-06-08 09:47:04.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/xfs.te 2006-06-08 16:10:33.000000000 -0400
@@ -69,6 +69,8 @@
miscfiles_read_localization(xfs_t)
miscfiles_read_fonts(xfs_t)
@@ -259,9 +356,20 @@
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.2.44/policy/modules/system/authlogin.if
+--- nsaserefpolicy/policy/modules/system/authlogin.if 2006-05-12 09:22:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/authlogin.if 2006-06-08 16:10:33.000000000 -0400
+@@ -1287,6 +1287,7 @@
+ allow $1 var_auth_t:dir r_dir_perms;
+ allow $1 var_auth_t:file create_file_perms;
+ files_list_var_lib($1)
++ allow $1 self:netlink_route_socket r_netlink_socket_perms;
+
+ sysnet_dns_name_resolve($1)
+ sysnet_use_ldap($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.44/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.2.44/policy/modules/system/hostname.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/hostname.te 2006-06-08 16:10:33.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
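Review bot: The new `allow $1 self:netlink_route_socket r_netlink_socket_perms;` in authlogin.if is a raw self rule dropped between the var_auth_t file rules and `sysnet_dns_name_resolve($1)`, with no indication of which lookup needs it; the enclosing interface's name and opening are outside the hunk. Group it with the interface's other self rules, or, if the name-service lookup is the real consumer, move the permission into the sysnetwork interface so every resolver gets it consistently, and record the reason, e.g. `# presumably NSS/LDAP lookups enumerate interfaces over rtnetlink -- confirm against the denial`.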
@@ -276,7 +384,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.44/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-06-06 22:21:56.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/init.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/init.te 2006-06-08 16:10:33.000000000 -0400
@@ -345,6 +345,7 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
@@ -285,38 +393,46 @@
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.44/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/libraries.fc 2006-06-08 09:43:08.000000000 -0400
-@@ -48,6 +48,9 @@
- /lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
- ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.2.44/policy/modules/system/logging.fc
+--- nsaserefpolicy/policy/modules/system/logging.fc 2006-02-02 16:12:27.000000000 -0500
++++ serefpolicy-2.2.44/policy/modules/system/logging.fc 2006-06-08 16:10:33.000000000 -0400
+@@ -1,9 +1,6 @@
-+/lib/security/pam_poldi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/lib64/security/pam_poldi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+
+-/etc/auditd.conf -- gen_context(system_u:object_r:auditd_etc_t,s0)
+-/etc/audit.rules -- gen_context(system_u:object_r:auditd_etc_t,s0)
+-
+ /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+ /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+@@ -39,3 +36,6 @@
+ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+
+ /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
++
+
- #
- # /opt
- #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.44/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/logging.te 2006-06-08 09:43:08.000000000 -0400
-@@ -14,10 +14,14 @@
- role system_r types auditctl_t;
-
- type auditd_etc_t;
-+ifdef(`enable_mls',`', `
- files_security_file(auditd_etc_t)
-+')
++++ serefpolicy-2.2.44/policy/modules/system/logging.te 2006-06-08 18:04:43.000000000 -0400
+@@ -70,6 +70,7 @@
- type auditd_log_t;
-+ifdef(`enable_mls',`', `
- files_security_file(auditd_log_t)
-+')
+ allow auditctl_t etc_t:file { getattr read };
+
++allow auditctl_t auditd_etc_t:dir r_dir_perms;
+ allow auditctl_t auditd_etc_t:file r_file_perms;
+
+ # Needed for adding watches
+@@ -111,6 +112,7 @@
+ allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+ allow auditd_t self:fifo_file rw_file_perms;
+
++allow auditd_t auditd_etc_t:dir r_dir_perms;
+ allow auditd_t auditd_etc_t:file r_file_perms;
- type auditd_t;
- # real declaration moved to mls until
-@@ -123,9 +127,8 @@
+ allow auditd_t auditd_log_t:dir rw_dir_perms;
+@@ -123,9 +125,8 @@
files_pid_filetrans(auditd_t,auditd_var_run_t,file)
kernel_read_kernel_sysctls(auditd_t)
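Review bot: Removing the `/etc/auditd.conf` and `/etc/audit.rules` entries means a host that still keeps audit's configuration at those top-level paths falls back to `etc_t`, losing the `auditd_etc_t` label that kept the audit rules out of reach of ordinary domains; the only replacement is the new `/etc/audit(/.*)?` line. Unless every supported audit package has already moved under `/etc/audit`, keep the two old lines next to the new one, `/etc/auditd.conf -- gen_context(system_u:object_r:auditd_etc_t,s0)` and `/etc/audit.rules -- gen_context(system_u:object_r:auditd_etc_t,s0)`, and put all three in the /etc section of logging.fc rather than after `/var/tinydns`, since the file is otherwise ordered by path. The directory entry is at `s15:c0.c255` while the old file entries were `s0`; if SystemHigh is deliberate for the rules, a one-line comment saying so would stop the next edit from "fixing" it back.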
@@ -328,7 +444,7 @@
dev_read_sysfs(auditd_t)
-@@ -134,11 +137,12 @@
+@@ -134,11 +135,12 @@
term_dontaudit_use_console(auditd_t)
@@ -344,21 +460,23 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.44/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/unconfined.fc 2006-06-08 09:43:08.000000000 -0400
-@@ -4,7 +4,6 @@
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.fc 2006-06-08 20:27:36.000000000 -0400
+@@ -4,7 +4,9 @@
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-ifdef(`targeted_policy',`
-/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--')
+/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++ifdef(`targeted_policy', `
+/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.44/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-05-19 13:46:37.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/unconfined.if 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.if 2006-06-08 16:10:33.000000000 -0400
@@ -449,3 +449,31 @@
allow $1 unconfined_t:dbus acquire_svc;
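Review bot: Moving `/usr/lib/openoffice.org.*/program/.*\.bin` and `/usr/bin/valgrind` out of the `ifdef(`targeted_policy',` block labels them `unconfined_execmem_exec_t` in strict and MLS builds as well, where they were deliberately excluded before; only mplayer remains targeted-only. Confirm that `unconfined_execmem_exec_t` is declared outside any targeted_policy ifdef in unconfined.te (the unconfined.te hunk later in this patch does not show the declaration), otherwise file_contexts will fail to validate on those builds, and if it is declared but unused there the label is simply dead. Either keep all three entries inside the ifdef or add a comment stating why the two are now unconditional.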
@@ -393,7 +511,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.44/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/unconfined.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.te 2006-06-08 16:10:33.000000000 -0400
@@ -33,8 +33,6 @@
allow unconfined_t self:system syslog_read;
dontaudit unconfined_t self:capability sys_module;
@@ -432,9 +550,47 @@
#
ifdef(`targeted_policy',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.44/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-06-06 22:21:56.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/userdomain.if 2006-06-08 16:10:33.000000000 -0400
+@@ -474,34 +474,6 @@
+ xserver_create_xdm_tmp_sockets($1_t)
+ ')
+
+- ifdef(`TODO',`
+- #
+- # Cups daemon running as user tries to write /etc/printcap
+- #
+- dontaudit $1_t usr_t:file setattr;
+-
+- # /initrd is left mounted, various programs try to look at it
+- dontaudit $1_t ramfs_t:dir getattr;
+-
+- #
+- # Running ifconfig as a user generates the following
+- #
+- dontaudit $1_t sysctl_net_t:dir search;
+-
+- r_dir_file($1_t, usercanread)
+-
+- # old browser_domain():
+- dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
+- dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
+- dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
+-
+- allow $1_t usbtty_device_t:chr_file read;
+-
+- ifdef(`xdm.te', `
+- allow $1_t xdm_var_lib_t:file r_file_perms;
+- ')
+- ') dnl endif TODO
+-
+ ')
+
+ #######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.44/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/userdomain.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/userdomain.te 2006-06-08 16:10:33.000000000 -0400
@@ -1,11 +1,12 @@
-policy_module(userdomain,1.3.27)
@@ -554,7 +710,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.44/policy/rolemap
--- nsaserefpolicy/policy/rolemap 2006-01-26 15:38:41.000000000 -0500
-+++ serefpolicy-2.2.44/policy/rolemap 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/rolemap 2006-06-08 16:10:33.000000000 -0400
@@ -15,5 +15,6 @@
ifdef(`enable_mls',`
@@ -564,7 +720,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_macros.spt serefpolicy-2.2.44/policy/support/misc_macros.spt
--- nsaserefpolicy/policy/support/misc_macros.spt 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.44/policy/support/misc_macros.spt 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/support/misc_macros.spt 2006-06-08 16:10:33.000000000 -0400
@@ -37,7 +37,7 @@
#
# gen_context(context,mls_sensitivity,[mcs_categories])
@@ -576,7 +732,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.44/policy/users
--- nsaserefpolicy/policy/users 2006-02-15 17:02:30.000000000 -0500
-+++ serefpolicy-2.2.44/policy/users 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/users 2006-06-08 16:10:33.000000000 -0400
@@ -29,7 +29,7 @@
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
policy-20060608.patch:
config/appconfig-strict-mls/default_type | 1
policy/modules/admin/consoletype.te | 7 ++++-
policy/modules/admin/prelink.fc | 2 -
policy/modules/admin/rpm.te | 8 ++++-
policy/modules/apps/webalizer.te | 1
policy/modules/kernel/files.if | 35 +++++++++++++++++++++++++
policy/modules/kernel/filesystem.te | 3 +-
policy/modules/kernel/kernel.te | 1
policy/modules/services/automount.te | 8 +++++
policy/modules/services/cron.te | 1
policy/modules/services/cups.te | 4 ++
policy/modules/services/ftp.te | 1
policy/modules/services/hal.te | 2 +
policy/modules/services/mysql.te | 2 -
policy/modules/services/ntp.te | 2 +
policy/modules/services/pegasus.if | 31 ++++++++++++++++++++++
policy/modules/services/pegasus.te | 5 +--
policy/modules/services/procmail.te | 5 +++
policy/modules/services/pyzor.te | 4 ++
policy/modules/services/xfs.te | 2 +
policy/modules/system/authlogin.if | 1
policy/modules/system/hostname.te | 5 ++-
policy/modules/system/init.te | 1
policy/modules/system/logging.fc | 6 ++--
policy/modules/system/logging.te | 10 ++++---
policy/modules/system/mount.te | 1
policy/modules/system/unconfined.fc | 8 +++--
policy/modules/system/unconfined.if | 28 ++++++++++++++++++++
policy/modules/system/unconfined.te | 13 +++++++--
policy/modules/system/userdomain.if | 28 --------------------
policy/modules/system/userdomain.te | 43 +++++++++++++++++++++++++++----
policy/rolemap | 1
policy/support/misc_macros.spt | 2 -
policy/users | 6 ++--
34 files changed, 217 insertions(+), 61 deletions(-)
Index: policy-20060608.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060608.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20060608.patch 8 Jun 2006 14:03:38 -0000 1.1
+++ policy-20060608.patch 9 Jun 2006 02:55:43 -0000 1.2
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.44/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type 2006-01-06 17:55:17.000000000 -0500
-+++ serefpolicy-2.2.44/config/appconfig-strict-mls/default_type 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/config/appconfig-strict-mls/default_type 2006-06-08 16:10:33.000000000 -0400
@@ -2,3 +2,4 @@
secadm_r:secadm_t
staff_r:staff_t
@@ -8,7 +8,7 @@
+auditadm_r:auditadm_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.44/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/admin/consoletype.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/admin/consoletype.te 2006-06-08 16:10:33.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -23,9 +23,20 @@
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-2.2.44/policy/modules/admin/prelink.fc
+--- nsaserefpolicy/policy/modules/admin/prelink.fc 2006-01-25 12:52:21.000000000 -0500
++++ serefpolicy-2.2.44/policy/modules/admin/prelink.fc 2006-06-08 16:10:33.000000000 -0400
+@@ -3,6 +3,6 @@
+
+ /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
+-/var/lib/misc/prelink\.* -- gen_context(system_u:object_r:prelink_cache_t,s0)
++/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0)
+
+ /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.44/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-06-08 08:45:57.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/admin/rpm.te 2006-06-08 09:49:46.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/admin/rpm.te 2006-06-08 16:10:33.000000000 -0400
@@ -341,12 +341,16 @@
optional_policy(`
mono_domtrans(rpm_script_t)
@@ -47,7 +58,7 @@
mta_send_mail(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.2.44/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2006-06-08 08:45:57.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/apps/webalizer.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/apps/webalizer.te 2006-06-08 16:10:33.000000000 -0400
@@ -44,6 +44,7 @@
allow webalizer_t self:unix_dgram_socket sendto;
allow webalizer_t self:unix_stream_socket connectto;
@@ -58,7 +69,7 @@
allow webalizer_t webalizer_etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.44/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-06-06 22:21:53.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/kernel/files.if 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/files.if 2006-06-08 20:41:26.000000000 -0400
@@ -1913,6 +1913,21 @@
')
@@ -81,9 +92,33 @@
## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
+@@ -4360,3 +4375,23 @@
+
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## Mount a filesystem on all files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_mounton_all_files',`
++ gen_require(`
++ attribute file_type, security_file_type;
++ ')
++
++ allow $1 { file_type -security_file_type }:dir mounton;
++ allow $1 { file_type -security_file_type }:file mounton;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.44/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-06-08 08:45:57.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/kernel/filesystem.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/filesystem.te 2006-06-08 16:10:33.000000000 -0400
@@ -23,7 +23,7 @@
# Requires that a security xattr handler exist for the filesystem.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
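Review bot: The `<summary>` of the new `files_mounton_all_files` interface reads "Mount a filesystem on all files", but the two allow rules exclude `security_file_type` and cover the `dir` class as well, so the generated interface documentation would misstate the grant; suggest `## Mount a filesystem on any directory or file whose type is not a security_file_type.` in place of the current summary line. Because `mounton` over nearly every `file_type` is a broad permission, a sentence in the interface comment block noting that callers are expected to wrap it in a tunable would help future readers judge its use. The interface itself is complete within this hunk (its `@@ -4360,3 +4375,23 @@` header and closing `')` are both visible).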
@@ -103,7 +138,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.44/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-06-06 22:21:53.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/kernel/kernel.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/kernel.te 2006-06-08 16:10:33.000000000 -0400
@@ -28,6 +28,7 @@
ifdef(`enable_mls',`
@@ -112,9 +147,67 @@
')
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.44/policy/modules/services/automount.te
+--- nsaserefpolicy/policy/modules/services/automount.te 2006-06-06 22:21:53.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/automount.te 2006-06-08 16:10:33.000000000 -0400
+@@ -30,7 +30,7 @@
+
+ allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
+ dontaudit automount_t self:capability sys_tty_config;
+-allow automount_t self:process { signal_perms getpgid setpgid setsched };
++allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+ allow automount_t self:fifo_file rw_file_perms;
+ allow automount_t self:unix_stream_socket create_socket_perms;
+ allow automount_t self:unix_dgram_socket create_socket_perms;
+@@ -58,9 +58,11 @@
+ files_pid_filetrans(automount_t,automount_var_run_t,file)
+
+ kernel_read_kernel_sysctls(automount_t)
++kernel_read_irq_sysctls(automount_t)
+ kernel_read_fs_sysctls(automount_t)
+ kernel_read_proc_symlinks(automount_t)
+ kernel_read_system_state(automount_t)
++kernel_read_network_state(automount_t)
+ kernel_list_proc(automount_t)
+
+ files_search_boot(automount_t)
+@@ -92,6 +94,7 @@
+ dev_read_urand(automount_t)
+
+ domain_use_interactive_fds(automount_t)
++domain_dontaudit_read_all_domains_state(automount_t)
+
+ files_dontaudit_write_var_dirs(automount_t)
+ files_getattr_all_dirs(automount_t)
+@@ -104,11 +107,14 @@
+ files_getattr_default_dirs(automount_t)
+ # because config files can be shell scripts
+ files_exec_etc_files(automount_t)
++files_mounton_mnt(automount_t)
+
+ fs_getattr_all_fs(automount_t)
+ fs_getattr_all_dirs(automount_t)
+ fs_search_auto_mountpoints(automount_t)
+ fs_manage_auto_mountpoints(automount_t)
++fs_unmount_autofs(automount_t)
++fs_mount_autofs(automount_t)
+
+ term_dontaudit_use_console(automount_t)
+ term_dontaudit_getattr_pty_dirs(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.44/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2006-06-06 22:21:53.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/cron.te 2006-06-08 16:10:33.000000000 -0400
+@@ -353,6 +353,7 @@
+
+ tunable_policy(`cron_can_relabel',`
+ seutil_domtrans_setfiles(system_crond_t)
++ seutil_domtrans_restorecon(system_crond_t)
+ ',`
+ selinux_get_fs_mount(system_crond_t)
+ selinux_validate_context(system_crond_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.44/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/cups.te 2006-06-08 09:50:22.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/cups.te 2006-06-08 16:10:33.000000000 -0400
@@ -655,6 +655,10 @@
')
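Review bot: The automount.te hunk calls `files_mounton_mnt`, `fs_mount_autofs` and `fs_unmount_autofs`, and nothing in this chunk shows those interfaces being defined, so if the base refpolicy at this level does not already provide them the module build will fail; confirm they exist in files.if/filesystem.if before merging. The new `setrlimit`, `kernel_read_irq_sysctls` and `kernel_read_network_state` grants carry no explanation, whereas the surrounding file documents intent (`# because config files can be shell scripts`); a one-line why-comment above each, e.g. `# <reason taken from the observed denial — fill in>`, would keep that convention. The cron.te part only adds `seutil_domtrans_restorecon` inside the existing `cron_can_relabel` branch, which is consistent with the `setfiles` transition already there; the rest of both modules lies outside the hunk.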
@@ -126,9 +219,20 @@
udev_read_db(hplip_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.44/policy/modules/services/ftp.te
+--- nsaserefpolicy/policy/modules/services/ftp.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/ftp.te 2006-06-08 16:10:33.000000000 -0400
+@@ -59,6 +59,7 @@
+
+ allow ftpd_t ftpd_var_run_t:file create_file_perms;
+ allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
++allow ftpd_t ftpd_var_run_t:sock_file create_file_perms;
+ files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
+
+ # Create and modify /var/log/xferlog.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.44/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-06-06 22:21:54.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/hal.te 2006-06-08 09:47:42.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/hal.te 2006-06-08 16:10:33.000000000 -0400
@@ -140,6 +140,8 @@
sysnet_read_config(hald_t)
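Review bot: The new `allow ftpd_t ftpd_var_run_t:sock_file create_file_perms;` only takes effect for sockets that actually carry the ftpd_var_run_t label, but the only transition visible two lines below it is `files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)`, which names the `file` class alone; a socket created directly under the pid directory would inherit that directory's type instead and this rule would never match. Unless the socket is created inside a subdirectory already labeled ftpd_var_run_t, extend the transition to the socket class, e.g. `files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file sock_file })` (or a second call naming `sock_file` if the macro at this level accepts a single class). The remainder of ftpd_t's declarations is outside the hunk.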
@@ -140,7 +244,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.2.44/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/mysql.te 2006-06-08 09:48:34.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/mysql.te 2006-06-08 16:10:33.000000000 -0400
@@ -101,7 +101,7 @@
miscfiles_read_localization(mysqld_t)
@@ -152,7 +256,7 @@
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.44/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2006-06-06 22:21:55.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/ntp.te 2006-06-08 09:48:01.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/ntp.te 2006-06-08 16:10:33.000000000 -0400
@@ -112,6 +112,8 @@
sysnet_read_config(ntpd_t)
@@ -164,7 +268,7 @@
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.44/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2005-10-25 13:40:18.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/pegasus.if 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pegasus.if 2006-06-08 16:10:33.000000000 -0400
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -200,7 +304,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.44/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/pegasus.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pegasus.te 2006-06-08 16:10:33.000000000 -0400
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
@@ -219,7 +323,7 @@
hostname_exec(pegasus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.44/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2006-06-06 22:21:55.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/procmail.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/procmail.te 2006-06-08 16:10:33.000000000 -0400
@@ -109,3 +109,8 @@
spamassassin_exec(procmail_t)
spamassassin_exec_client(procmail_t)
@@ -231,7 +335,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.44/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/pyzor.te 2006-06-08 09:46:23.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pyzor.te 2006-06-08 16:10:33.000000000 -0400
@@ -126,3 +126,7 @@
optional_policy(`
nscd_socket_use(pyzord_t)
@@ -242,7 +346,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.44/policy/modules/services/xfs.te
--- nsaserefpolicy/policy/modules/services/xfs.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/services/xfs.te 2006-06-08 09:47:04.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/xfs.te 2006-06-08 16:10:33.000000000 -0400
@@ -69,6 +69,8 @@
miscfiles_read_localization(xfs_t)
miscfiles_read_fonts(xfs_t)
@@ -252,9 +356,20 @@
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.2.44/policy/modules/system/authlogin.if
+--- nsaserefpolicy/policy/modules/system/authlogin.if 2006-05-12 09:22:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/authlogin.if 2006-06-08 16:10:33.000000000 -0400
+@@ -1287,6 +1287,7 @@
+ allow $1 var_auth_t:dir r_dir_perms;
+ allow $1 var_auth_t:file create_file_perms;
+ files_list_var_lib($1)
++ allow $1 self:netlink_route_socket r_netlink_socket_perms;
+
+ sysnet_dns_name_resolve($1)
+ sysnet_use_ldap($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.44/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.2.44/policy/modules/system/hostname.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/hostname.te 2006-06-08 16:10:33.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
@@ -269,7 +384,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.44/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-06-06 22:21:56.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/init.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/init.te 2006-06-08 16:10:33.000000000 -0400
@@ -345,6 +345,7 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
@@ -278,22 +393,9 @@
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.44/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/libraries.fc 2006-06-08 09:43:08.000000000 -0400
-@@ -48,6 +48,9 @@
- /lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
- ')
-
-+/lib/security/pam_poldi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/lib64/security/pam_poldi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
- #
- # /opt
- #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.2.44/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2006-02-02 16:12:27.000000000 -0500
-+++ serefpolicy-2.2.44/policy/modules/system/logging.fc 2006-06-08 09:56:16.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/logging.fc 2006-06-08 16:10:33.000000000 -0400
@@ -1,9 +1,6 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -313,17 +415,24 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.44/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/logging.te 2006-06-08 09:58:43.000000000 -0400
-@@ -17,7 +17,7 @@
- files_security_file(auditd_etc_t)
-
- type auditd_log_t;
--files_security_file(auditd_log_t)
-+fies_security_file(auditd_log_t)
-
- type auditd_t;
- # real declaration moved to mls until
-@@ -123,9 +123,8 @@
++++ serefpolicy-2.2.44/policy/modules/system/logging.te 2006-06-08 18:04:43.000000000 -0400
+@@ -70,6 +70,7 @@
+
+ allow auditctl_t etc_t:file { getattr read };
+
++allow auditctl_t auditd_etc_t:dir r_dir_perms;
+ allow auditctl_t auditd_etc_t:file r_file_perms;
+
+ # Needed for adding watches
+@@ -111,6 +112,7 @@
+ allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+ allow auditd_t self:fifo_file rw_file_perms;
+
++allow auditd_t auditd_etc_t:dir r_dir_perms;
+ allow auditd_t auditd_etc_t:file r_file_perms;
+
+ allow auditd_t auditd_log_t:dir rw_dir_perms;
+@@ -123,9 +125,8 @@
files_pid_filetrans(auditd_t,auditd_var_run_t,file)
kernel_read_kernel_sysctls(auditd_t)
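Review bot: The two new `allow ... auditd_etc_t:dir r_dir_perms;` rules grant read/list on the directory, where `search_dir_perms` may be all that is needed to reach the config file already covered by the adjacent `file r_file_perms` rule; if auditctl and auditd open a known path rather than enumerating the directory, the narrower set keeps the grant minimal. Either way, a short comment such as `# look up audit config/rules under the auditd_etc_t directory` above each rule would match the `# Needed for adding watches` style two lines down. Dropping the previous revision's `fies_security_file(auditd_log_t)` hunk is the right call, since that misspelled name is presumably not a defined interface and would have broken the build.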
@@ -335,7 +444,7 @@
dev_read_sysfs(auditd_t)
-@@ -134,11 +133,12 @@
+@@ -134,11 +135,12 @@
term_dontaudit_use_console(auditd_t)
@@ -349,23 +458,36 @@
domain_use_interactive_fds(auditd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.44/policy/modules/system/mount.te
+--- nsaserefpolicy/policy/modules/system/mount.te 2006-06-06 22:21:56.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/mount.te 2006-06-08 20:42:32.000000000 -0400
+@@ -111,6 +111,7 @@
+ tunable_policy(`allow_mount_anyfile',`
+ auth_read_all_dirs_except_shadow(mount_t)
+ auth_read_all_files_except_shadow(mount_t)
++ files_mounton_all_files(mount_t)
+ ')
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.44/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/unconfined.fc 2006-06-08 09:43:08.000000000 -0400
-@@ -4,7 +4,6 @@
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.fc 2006-06-08 20:27:36.000000000 -0400
+@@ -4,7 +4,9 @@
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-ifdef(`targeted_policy',`
-/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--')
+/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++ifdef(`targeted_policy', `
+/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.44/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-05-19 13:46:37.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/unconfined.if 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.if 2006-06-08 16:10:33.000000000 -0400
@@ -449,3 +449,31 @@
allow $1 unconfined_t:dbus acquire_svc;
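Review bot: In the unconfined.fc hunk the reinstated conditional is written `ifdef(`targeted_policy', `` with a space after the comma, whereas every other occurrence in this patch uses `ifdef(`targeted_policy',`` (the removed line just above it and the unconfined.te and rolemap hunks below); m4 drops leading whitespace in the argument so it is harmless, but write it as `ifdef(`targeted_policy',`` for consistency. The `/usr/bin/mplayer` entry newly labels that binary `unconfined_execmem_exec_t` in the targeted build, and since execmem labels are the kind of grant people later audit, a one-line comment above it stating why mplayer needs it would be worth adding; the diff markers in this rendering are partly lost, so which of the openoffice/valgrind lines are new here is inferred rather than certain. The mount.te addition places `files_mounton_all_files(mount_t)` inside the existing `allow_mount_anyfile` tunable, which is appropriate scoping for a grant that broad.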
@@ -400,7 +522,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.44/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/unconfined.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.te 2006-06-08 16:10:33.000000000 -0400
@@ -33,8 +33,6 @@
allow unconfined_t self:system syslog_read;
dontaudit unconfined_t self:capability sys_module;
@@ -441,7 +563,7 @@
ifdef(`targeted_policy',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.44/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-06-06 22:21:56.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/userdomain.if 2006-06-08 10:02:36.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/userdomain.if 2006-06-08 16:10:33.000000000 -0400
@@ -474,34 +474,6 @@
xserver_create_xdm_tmp_sockets($1_t)
')
@@ -479,7 +601,7 @@
#######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.44/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.44/policy/modules/system/userdomain.te 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/userdomain.te 2006-06-08 16:10:33.000000000 -0400
@@ -1,11 +1,12 @@
-policy_module(userdomain,1.3.27)
@@ -599,7 +721,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.44/policy/rolemap
--- nsaserefpolicy/policy/rolemap 2006-01-26 15:38:41.000000000 -0500
-+++ serefpolicy-2.2.44/policy/rolemap 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/rolemap 2006-06-08 16:10:33.000000000 -0400
@@ -15,5 +15,6 @@
ifdef(`enable_mls',`
@@ -609,7 +731,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_macros.spt serefpolicy-2.2.44/policy/support/misc_macros.spt
--- nsaserefpolicy/policy/support/misc_macros.spt 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.44/policy/support/misc_macros.spt 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/support/misc_macros.spt 2006-06-08 16:10:33.000000000 -0400
@@ -37,7 +37,7 @@
#
# gen_context(context,mls_sensitivity,[mcs_categories])
@@ -621,7 +743,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.44/policy/users
--- nsaserefpolicy/policy/users 2006-02-15 17:02:30.000000000 -0500
-+++ serefpolicy-2.2.44/policy/users 2006-06-08 09:43:08.000000000 -0400
++++ serefpolicy-2.2.44/policy/users 2006-06-08 16:10:33.000000000 -0400
@@ -29,7 +29,7 @@
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.203
retrieving revision 1.204
diff -u -r1.203 -r1.204
--- selinux-policy.spec 8 Jun 2006 14:03:38 -0000 1.203
+++ selinux-policy.spec 9 Jun 2006 02:55:43 -0000 1.204
@@ -49,10 +49,11 @@
%doc %{_usr}/share/doc/%{name}-%{version}
%dir %{_usr}/share/selinux
%dir %{_sysconfdir}/selinux
-%dir %{_usr}/share/selinux/devel
-%dir %{_usr}/share/selinux/devel/include
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%ghost %{_sysconfdir}/sysconfig/selinux
+
+%dir %{_usr}/share/selinux/devel
+%dir %{_usr}/share/selinux/devel/include
%{_usr}/share/selinux/devel/include/*
%{_usr}/share/selinux/devel/Makefile
%{_usr}/share/selinux/devel/policygentool