rpms/selinux-policy/devel .cvsignore, 1.89, 1.90 policy-20060915.patch, 1.21, 1.22 selinux-policy.spec, 1.301, 1.302 sources, 1.93, 1.94
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Sep 29 19:19:20 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv23361
Modified Files:
.cvsignore policy-20060915.patch selinux-policy.spec sources
Log Message:
* Fri Sep 28 2006 Dan Walsh <dwalsh at redhat.com> 2.3.17-1
- Update to upstream
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- .cvsignore 26 Sep 2006 14:59:58 -0000 1.89
+++ .cvsignore 29 Sep 2006 19:19:18 -0000 1.90
@@ -91,3 +91,4 @@
serefpolicy-2.3.14.tgz
serefpolicy-2.3.15.tgz
serefpolicy-2.3.16.tgz
+serefpolicy-2.3.17.tgz
policy-20060915.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 3
config/appconfig-strict-mls/initrc_context | 2
config/appconfig-strict-mls/seusers | 3
config/appconfig-strict/seusers | 1
config/appconfig-targeted-mcs/seusers | 3
config/appconfig-targeted-mls/initrc_context | 2
config/appconfig-targeted-mls/seusers | 3
config/appconfig-targeted/seusers | 1
policy/global_tunables | 15 +
policy/mcs | 6
policy/mls | 36 +-
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.te | 2
policy/modules/admin/bootloader.fc | 1
policy/modules/admin/bootloader.te | 7
policy/modules/admin/consoletype.te | 8
policy/modules/admin/dmesg.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/rpm.fc | 2
policy/modules/admin/rpm.if | 21 +
policy/modules/admin/rpm.te | 5
policy/modules/admin/su.if | 2
policy/modules/admin/usermanage.te | 5
policy/modules/apps/java.fc | 2
policy/modules/apps/java.te | 2
policy/modules/apps/mono.te | 3
policy/modules/kernel/corecommands.fc | 1
policy/modules/kernel/corecommands.if | 15 -
policy/modules/kernel/corenetwork.te.in | 17 -
policy/modules/kernel/devices.fc | 8
policy/modules/kernel/files.fc | 27 -
policy/modules/kernel/filesystem.if | 22 +
policy/modules/kernel/filesystem.te | 1
policy/modules/kernel/kernel.te | 25 -
policy/modules/kernel/mcs.te | 18 -
policy/modules/kernel/mls.te | 10
policy/modules/kernel/selinux.te | 2
policy/modules/kernel/storage.fc | 49 +--
policy/modules/kernel/storage.if | 1
policy/modules/kernel/terminal.fc | 2
policy/modules/kernel/terminal.if | 20 +
policy/modules/services/apache.fc | 9
policy/modules/services/automount.te | 4
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.if | 65 ++++
policy/modules/services/ccs.te | 87 ++++++
policy/modules/services/cups.te | 3
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.if | 1
policy/modules/services/dovecot.te | 2
policy/modules/services/hal.te | 1
policy/modules/services/lpd.fc | 18 -
policy/modules/services/mta.te | 1
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 3
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/procmail.te | 1
policy/modules/services/rhgb.te | 24 +
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 388 +++++++++++++++++++++++++++
policy/modules/services/rsync.te | 1
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/spamassassin.te | 4
policy/modules/services/ssh.te | 2
policy/modules/services/xserver.if | 2
policy/modules/services/xserver.te | 2
policy/modules/system/authlogin.if | 2
policy/modules/system/fstools.te | 3
policy/modules/system/hostname.te | 6
policy/modules/system/init.fc | 3
policy/modules/system/init.te | 4
policy/modules/system/iscsi.fc | 7
policy/modules/system/iscsi.if | 24 +
policy/modules/system/iscsi.te | 74 +++++
policy/modules/system/libraries.fc | 1
policy/modules/system/logging.fc | 8
policy/modules/system/logging.te | 4
policy/modules/system/mount.fc | 1
policy/modules/system/mount.te | 1
policy/modules/system/raid.te | 3
policy/modules/system/selinuxutil.fc | 6
policy/modules/system/selinuxutil.te | 2
policy/modules/system/setrans.fc | 2
policy/modules/system/setrans.te | 1
policy/modules/system/unconfined.if | 1
policy/modules/system/unconfined.te | 10
policy/modules/system/userdomain.fc | 2
policy/modules/system/userdomain.if | 86 +++++
policy/modules/system/userdomain.te | 6
policy/modules/system/xen.te | 1
policy/users | 14
94 files changed, 1367 insertions(+), 161 deletions(-)
Index: policy-20060915.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060915.patch,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- policy-20060915.patch 29 Sep 2006 18:12:18 -0000 1.21
+++ policy-20060915.patch 29 Sep 2006 19:19:18 -0000 1.22
@@ -251,29 +251,6 @@
role system_r types traceroute_t;
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-2.3.16/policy/modules/admin/prelink.if
---- nsaserefpolicy/policy/modules/admin/prelink.if 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/admin/prelink.if 2006-09-26 09:53:18.000000000 -0400
-@@ -76,7 +76,7 @@
- gen_require(`
- type prelink_cache_t;
- ')
--
-+ files_rw_etc_dir($1)
- allow $1 prelink_cache_t:file unlink;
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.3.16/policy/modules/admin/readahead.te
---- nsaserefpolicy/policy/modules/admin/readahead.te 2006-09-25 15:11:11.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/admin/readahead.te 2006-09-26 09:54:33.000000000 -0400
-@@ -36,6 +36,7 @@
- dev_getattr_all_blk_files(readahead_t)
- dev_dontaudit_read_all_blk_files(readahead_t)
- dev_dontaudit_getattr_memory_dev(readahead_t)
-+storage_dontaudit_getattr_fixed_disk_dev(readahead_t)
-
- domain_use_interactive_fds(readahead_t)
-
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.16/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-09-22 14:07:08.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/admin/rpm.fc 2006-09-26 09:53:18.000000000 -0400
@@ -419,17 +396,6 @@
+ rpm_dbus_chat(mono_t)
+ ')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.3.16/policy/modules/apps/slocate.te
---- nsaserefpolicy/policy/modules/apps/slocate.te 2006-07-14 17:04:31.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/apps/slocate.te 2006-09-26 09:53:18.000000000 -0400
-@@ -45,6 +45,7 @@
- files_dontaudit_getattr_all_dirs(locate_t)
-
- fs_getattr_xattr_fs(locate_t)
-+fs_getattr_rpc_pipefs(locate_t)
-
- libs_use_shared_libs(locate_t)
- libs_use_ld_so(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.3.16/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-09-22 14:07:03.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/corecommands.fc 2006-09-28 19:35:55.000000000 -0400
@@ -474,8 +440,8 @@
allow $1 { bin_t sbin_t }:dir rw_dir_perms;
allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.16/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-09-25 15:11:10.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/kernel/corenetwork.te.in 2006-09-26 09:53:18.000000000 -0400
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-09-29 14:28:01.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/corenetwork.te.in 2006-09-29 14:26:26.000000000 -0400
@@ -67,6 +67,7 @@
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
@@ -519,12 +485,19 @@
-sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
+sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c1023)
- ifdef(`enable_mls',`
+-build_option(`enable_mls',`
-network_interface(lo, lo,s0 - s15:c0.c255)
++ifdef(`enable_mls',`
+network_interface(lo, lo,s0 - s15:c0.c1023)
')
########################################
+@@ -205,4 +208,4 @@
+
+ # Bind to any network address.
+ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
+-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
++allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.3.16/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-09-22 14:07:03.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/devices.fc 2006-09-26 09:53:18.000000000 -0400
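Review bot: The nested hunk added at the end of the corenetwork.te.in section extends `node_bind` for `corenet_unconfined_type` to `rawip_socket`, but the comment above it still reads only "Bind to any network address." and the log message for this revision says just "Update to upstream", so the widened permission is not recorded anywhere a policy auditor would look. I would extend the comment to something like `# Bind to any network address, including raw IP sockets.` and add a matching changelog line. Every domain carrying the `corenet_unconfined_type` attribute picks this permission up, so it is worth confirming that the attribute is still assigned only to domains meant to be unconfined. The same section also swaps upstream's build_option test on enable_mls back to ifdef with no comment explaining why the local patch diverges from upstream here.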
@@ -555,33 +528,6 @@
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.3.16/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if 2006-09-22 09:35:44.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/kernel/devices.if 2006-09-26 09:53:18.000000000 -0400
-@@ -3211,3 +3211,23 @@
-
- typeattribute $1 devices_unconfined_type;
- ')
-+
-+########################################
-+## <summary>
-+## dontaudit getattr generic files in /dev.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_dontaudit_getattr_generic_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ allow $1 device_t:dir search;
-+ dontaudit $1 device_t:file getattr;
-+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.16/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-09-25 15:11:10.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/files.fc 2006-09-26 09:53:18.000000000 -0400
@@ -679,44 +625,6 @@
+/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.3.16/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if 2006-09-22 14:07:03.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/kernel/files.if 2006-09-29 13:48:53.000000000 -0400
-@@ -896,8 +896,8 @@
- allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
- allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
- allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
-- allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
-- allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
-+ allow $1 { file_type $2 }:blk_file { getattr relabelfrom relabelto };
-+ allow $1 { file_type $2 }:chr_file { getattr relabelfrom relabelto };
-
- # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
-@@ -4541,3 +4541,23 @@
-
- typealias etc_runtime_t alias $1;
- ')
-+
-+########################################
-+## <summary>
-+## Read and write files in /etc.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_rw_etc_dir',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ allow $1 etc_t:dir rw_dir_perms;
-+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.16/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-09-25 15:11:10.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/filesystem.if 2006-09-26 10:02:05.000000000 -0400
@@ -1004,14 +912,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.3.16/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2006-09-22 14:07:03.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/terminal.if 2006-09-29 10:05:27.000000000 -0400
-@@ -447,7 +447,6 @@
- ## </summary>
- ## </param>
- #
--# dwalsh: added for rhgb
- interface(`term_dontaudit_setattr_generic_ptys',`
- gen_require(`
- type devpts_t;
@@ -458,6 +457,26 @@
########################################
@@ -1255,42 +1155,6 @@
+
+allow ccs_t cluster_conf_t:dir r_dir_perms;
+allow ccs_t cluster_conf_t:file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.16/policy/modules/services/cron.te
---- nsaserefpolicy/policy/modules/services/cron.te 2006-09-25 15:11:11.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/services/cron.te 2006-09-26 09:53:18.000000000 -0400
-@@ -17,6 +17,14 @@
- type cron_spool_t;
- files_type(cron_spool_t)
-
-+# var/lib files
-+type cron_var_lib_t;
-+files_type(cron_var_lib_t)
-+
-+# var/log files
-+type cron_log_t;
-+logging_log_file(cron_log_t)
-+
- type crond_t;
- # real declaration moved to mls until
- # range_transition works in loadable modules
-@@ -184,6 +192,17 @@
- files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
- ')
-
-+# This is to handle /var/lib/misc directory. Used currently by prelink
-+# var/lib files for cron
-+allow system_crond_t cron_var_lib_t:file create_file_perms;
-+files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
-+
-+# This is to handle creation of files in /var/log directory. Used currently by rpm script
-+# log files
-+allow system_crond_t cron_log_t:file create_file_perms;
-+logging_log_filetrans(system_crond_t,cron_log_t,{ file })
-+
-+
- tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file create_file_perms;
- ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.3.16/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-09-22 14:07:06.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/cups.te 2006-09-27 15:05:01.000000000 -0400
@@ -1350,22 +1214,31 @@
files_read_usr_files(hald_t)
# hal is now execing pm-suspend
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-2.3.16/policy/modules/services/lpd.fc
---- nsaserefpolicy/policy/modules/services/lpd.fc 2006-09-22 14:07:06.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/lpd.fc 2006-09-29 14:28:02.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/lpd.fc 2006-09-26 09:53:18.000000000 -0400
-@@ -8,14 +8,23 @@
+@@ -6,21 +6,25 @@
#
+ # /usr
+ #
+-/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+-/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+-/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+-/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+-/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+-
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
-+/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
-+/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+ /usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
+ /usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+-
+/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
- /usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
- /usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
- /usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
- /usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
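Review bot: The rewritten lpd.fc section deletes upstream's five `/usr/bin/lp*` entries and re-adds the same lines further down, so most of the nested hunk is a reorder rather than a labeling change. Carrying only the entries that differ from upstream (`/usr/sbin/accept`, `/usr/sbin/lpinfo`, `/usr/sbin/lpmove`, `/usr/bin/cancel(\.cups)?`, `/usr/bin/lpoptions`) would keep the local delta small and make the next rebase easier to audit. Those entries also place what look like queue-administration commands under `lpr_exec_t`, the same type as the user print clients; a short comment such as `# CUPS admin tools intentionally share lpr_exec_t` would record that this is deliberate, if it is. The nested hunk appears to continue past the end of this outer hunk.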
@@ -1427,211 +1300,6 @@
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.16/policy/modules/services/oddjob.fc
---- nsaserefpolicy/policy/modules/services/oddjob.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.16/policy/modules/services/oddjob.fc 2006-09-26 09:53:18.000000000 -0400
-@@ -0,0 +1,8 @@
-+# oddjob executable will have:
-+# label: system_u:object_r:oddjob_exec_t
-+# MLS sensitivity: s0
-+# MCS categories: <none>
-+
-+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-+/var/run/oddjobd.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
-+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-2.3.16/policy/modules/services/oddjob.if
---- nsaserefpolicy/policy/modules/services/oddjob.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.16/policy/modules/services/oddjob.if 2006-09-26 09:53:18.000000000 -0400
-@@ -0,0 +1,99 @@
-+## <summary>policy for oddjob</summary>
-+
-+########################################
-+## <summary>
-+## Execute a domain transition to run oddjob.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`oddjob_domtrans',`
-+ gen_require(`
-+ type oddjob_t, oddjob_exec_t;
-+ ')
-+
-+ domain_auto_trans($1,oddjob_exec_t,oddjob_t)
-+
-+ allow $1 oddjob_t:fd use;
-+ allow oddjob_t $1:fd use;
-+ allow oddjob_t $1:fifo_file rw_file_perms;
-+ allow oddjob_t $1:process sigchld;
-+')
-+
-+########################################
-+## <summary>
-+## Make the specified program domain accessable
-+## from the oddjob.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process to transition to.
-+## </summary>
-+## </param>
-+## <param name="entrypoint">
-+## <summary>
-+## The type of the file used as an entrypoint to this domain.
-+## </summary>
-+## </param>
-+#
-+interface(`oddjob_system_entry',`
-+ gen_require(`
-+ type oddjob_t;
-+ ')
-+
-+ domain_auto_trans(oddjob_t, $2, $1)
-+
-+ allow oddjob_t $1:fd use;
-+ allow $1 oddjob_t:fd use;
-+ allow $1 oddjob_t:fifo_file rw_file_perms;
-+ allow $1 oddjob_t:process sigchld;
-+
-+')
-+
-+
-+########################################
-+## <summary>
-+## Send and receive messages from
-+## oddjob over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`oddjob_dbus_chat',`
-+ gen_require(`
-+ type oddjob_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 oddjob_t:dbus send_msg;
-+ allow oddjob_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
-+## Execute a domain transition to run oddjob_mkhomedir.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`oddjob_mkhomedir_domtrans',`
-+ gen_require(`
-+ type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
-+ ')
-+
-+ domain_auto_trans($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
-+
-+ allow $1 oddjob_mkhomedir_t:fd use;
-+ allow oddjob_mkhomedir_t $1:fd use;
-+ allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
-+ allow oddjob_mkhomedir_t $1:process sigchld;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.3.16/policy/modules/services/oddjob.te
---- nsaserefpolicy/policy/modules/services/oddjob.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.16/policy/modules/services/oddjob.te 2006-09-27 10:06:18.000000000 -0400
-@@ -0,0 +1,86 @@
-+policy_module(oddjob,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type oddjob_t;
-+type oddjob_exec_t;
-+domain_type(oddjob_t)
-+init_daemon_domain(oddjob_t, oddjob_exec_t)
-+
-+# pid files
-+type oddjob_var_run_t;
-+files_pid_file(oddjob_var_run_t)
-+
-+type oddjob_mkhomedir_t;
-+type oddjob_mkhomedir_exec_t;
-+domain_type(oddjob_mkhomedir_t)
-+init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-+
-+########################################
-+#
-+# oddjob local policy
-+#
-+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
-+
-+# Some common macros (you might be able to remove some)
-+files_read_etc_files(oddjob_t)
-+libs_use_ld_so(oddjob_t)
-+libs_use_shared_libs(oddjob_t)
-+miscfiles_read_localization(oddjob_t)
-+## internal communication is often done using fifo and unix sockets.
-+allow oddjob_t self:fifo_file { read write };
-+allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
-+
-+# pid file
-+allow oddjob_t oddjob_var_run_t:file manage_file_perms;
-+allow oddjob_t oddjob_var_run_t:sock_file manage_file_perms;
-+allow oddjob_t oddjob_var_run_t:dir rw_dir_perms;
-+files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
-+
-+init_dontaudit_use_fds(oddjob_t)
-+allow oddjob_t self:capability { audit_write setgid } ;
-+allow oddjob_t self:process setexec;
-+
-+locallogin_dontaudit_use_fds(oddjob_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client_template(oddjob,oddjob_t)
-+ dbus_send_system_bus(oddjob_t)
-+ dbus_connect_system_bus(oddjob_t)
-+')
-+
-+corecmd_search_sbin(oddjob_t)
-+corecmd_exec_shell(oddjob_t)
-+
-+selinux_compute_create_context(oddjob_t)
-+
-+kernel_read_system_state(oddjob_t)
-+
-+unconfined_domtrans(oddjob_t)
-+
-+ifdef(`targeted_policy', `
-+ term_dontaudit_use_console(oddjob_t)
-+ term_dontaudit_use_generic_ptys(oddjob_t)
-+ term_dontaudit_use_unallocated_ttys(oddjob_t)
-+')
-+
-+########################################
-+#
-+# oddjob_mkhomedir local policy
-+#
-+
-+# Some common macros (you might be able to remove some)
-+files_read_etc_files(oddjob_mkhomedir_t)
-+libs_use_ld_so(oddjob_mkhomedir_t)
-+libs_use_shared_libs(oddjob_mkhomedir_t)
-+miscfiles_read_localization(oddjob_mkhomedir_t)
-+## internal communication is often done using fifo and unix sockets.
-+allow oddjob_mkhomedir_t self:fifo_file { read write };
-+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
-+
-+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-+domain_auto_trans(unconfined_t,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.16/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/pegasus.if 2006-09-26 09:53:18.000000000 -0400
@@ -2377,17 +2045,6 @@
role system_r types rsync_t;
type rsync_data_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.3.16/policy/modules/services/sendmail.te
---- nsaserefpolicy/policy/modules/services/sendmail.te 2006-09-22 14:07:06.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/services/sendmail.te 2006-09-26 09:53:18.000000000 -0400
-@@ -32,6 +32,7 @@
- allow sendmail_t self:unix_dgram_socket create_socket_perms;
- allow sendmail_t self:tcp_socket create_stream_socket_perms;
- allow sendmail_t self:udp_socket create_socket_perms;
-+allow sendmail_t self:netlink_route_socket r_netlink_socket_perms;
-
- allow sendmail_t sendmail_log_t:file create_file_perms;
- allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.16/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2006-09-22 14:07:05.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/setroubleshoot.te 2006-09-26 09:53:18.000000000 -0400
@@ -2400,21 +2057,6 @@
allow setroubleshootd_t self:fifo_file rw_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-2.3.16/policy/modules/services/smartmon.te
---- nsaserefpolicy/policy/modules/services/smartmon.te 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/services/smartmon.te 2006-09-26 09:53:18.000000000 -0400
-@@ -60,8 +60,11 @@
- fs_getattr_all_fs(fsdaemon_t)
- fs_search_auto_mountpoints(fsdaemon_t)
-
-+mls_file_read_up(fsdaemon_t)
-+
- storage_raw_read_fixed_disk(fsdaemon_t)
- storage_raw_write_fixed_disk(fsdaemon_t)
-+storage_raw_read_removable_device(fsdaemon_t)
-
- term_dontaudit_use_console(fsdaemon_t)
- term_dontaudit_search_ptys(fsdaemon_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.3.16/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/spamassassin.te 2006-09-27 16:26:15.000000000 -0400
@@ -2464,11 +2106,6 @@
')
########################################
-@@ -1152,3 +1154,4 @@
- allow $1 xdm_xserver_tmp_t:sock_file write;
- allow $1 xdm_xserver_t:unix_stream_socket connectto;
- ')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.3.16/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2006-09-06 13:04:51.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/xserver.te 2006-09-27 10:14:32.000000000 -0400
@@ -2541,7 +2178,7 @@
+/var/run/pcscd\.pub -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/pcscd\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.16/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te 2006-09-25 15:11:11.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/init.te 2006-09-29 14:28:02.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/init.te 2006-09-27 15:58:36.000000000 -0400
@@ -151,6 +151,7 @@
mcs_process_set_categories(init_t)
@@ -2561,15 +2198,6 @@
# slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t)
-@@ -579,6 +581,8 @@
- dev_getattr_printer_dev(initrc_t)
-
- cups_read_log(initrc_t)
-+#cups init script clears error log
-+ cups_write_log(initrc_t)
- cups_read_rw_config(initrc_t)
- ')
-
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-2.3.16/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.16/policy/modules/system/iscsi.fc 2006-09-26 10:04:37.000000000 -0400
@@ -2726,17 +2354,9 @@
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.3.16/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te 2006-09-25 15:11:11.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/logging.te 2006-09-29 14:28:02.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/logging.te 2006-09-29 11:18:36.000000000 -0400
-@@ -18,6 +18,7 @@
-
- type auditd_log_t;
- files_security_file(auditd_log_t)
-+files_mountpoint(auditd_log_t)
-
- type auditd_t;
- # real declaration moved to mls until
-@@ -74,6 +75,7 @@
+@@ -75,6 +75,7 @@
allow auditctl_t auditd_etc_t:file r_file_perms;
# Needed for adding watches
@@ -2744,7 +2364,7 @@
files_getattr_all_dirs(auditctl_t)
files_read_etc_files(auditctl_t)
-@@ -94,6 +96,8 @@
+@@ -95,6 +96,8 @@
logging_send_syslog_msg(auditctl_t)
@@ -2753,7 +2373,7 @@
ifdef(`targeted_policy',`
term_use_generic_ptys(auditctl_t)
term_use_unallocated_ttys(auditctl_t)
-@@ -163,6 +167,7 @@
+@@ -164,6 +167,7 @@
mls_file_read_up(auditd_t)
mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
mls_rangetrans_target(auditd_t)
@@ -2770,17 +2390,6 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-2.3.16/policy/modules/system/mount.if
---- nsaserefpolicy/policy/modules/system/mount.if 2006-09-15 13:14:26.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/system/mount.if 2006-09-27 16:28:49.000000000 -0400
-@@ -74,7 +74,6 @@
- allow $1 mount_exec_t:dir r_dir_perms;
- allow $1 mount_exec_t:lnk_file r_file_perms;
- can_exec($1,mount_exec_t)
--
- ')
-
- ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.3.16/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-09-15 13:14:27.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/mount.te 2006-09-27 16:29:01.000000000 -0400
@@ -2793,9 +2402,9 @@
type mount_loopback_t; # customizable
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.3.16/policy/modules/system/raid.te
---- nsaserefpolicy/policy/modules/system/raid.te 2006-07-14 17:04:44.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/raid.te 2006-09-29 14:28:02.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/raid.te 2006-09-28 12:22:13.000000000 -0400
-@@ -23,17 +23,22 @@
+@@ -23,6 +23,7 @@
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
@@ -2803,16 +2412,10 @@
allow mdadm_t mdadm_var_run_t:file create_file_perms;
files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
- kernel_read_system_state(mdadm_t)
- kernel_read_kernel_sysctls(mdadm_t)
- kernel_rw_software_raid_state(mdadm_t)
-+kernel_getattr_core_if(mdadm_t)
-
- dev_read_sysfs(mdadm_t)
- # Ignore attempts to read every device file
+@@ -36,6 +37,8 @@
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
-+dev_dontaudit_getattr_generic_files(mdadm_t)
+ dev_dontaudit_getattr_generic_files(mdadm_t)
+dev_dontaudit_getattr_generic_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_blk_files(mdadm_t)
@@ -2887,7 +2490,7 @@
kernel_unconfined($1)
corenet_unconfined($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.3.16/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te 2006-08-29 09:00:29.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-09-29 14:28:02.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/unconfined.te 2006-09-29 12:11:13.000000000 -0400
@@ -64,10 +64,6 @@
')
@@ -2900,7 +2503,7 @@
bootloader_domtrans(unconfined_t)
')
-@@ -185,6 +181,8 @@
+@@ -189,6 +181,8 @@
optional_policy(`
xserver_domtrans_xdm_xserver(unconfined_t)
')
@@ -2909,7 +2512,7 @@
')
########################################
-@@ -193,6 +191,10 @@
+@@ -197,6 +191,10 @@
#
ifdef(`targeted_policy',`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.301
retrieving revision 1.302
diff -u -r1.301 -r1.302
--- selinux-policy.spec 29 Sep 2006 18:12:18 -0000 1.301
+++ selinux-policy.spec 29 Sep 2006 19:19:18 -0000 1.302
@@ -16,8 +16,8 @@
%define CHECKPOLICYVER 1.30.11-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.3.16
-Release: 9
+Version: 2.3.17
+Release: 1
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -349,6 +349,9 @@
%endif
%changelog
+* Fri Sep 28 2006 Dan Walsh <dwalsh at redhat.com> 2.3.17-1
+- Update to upstream
+
* Fri Sep 28 2006 Dan Walsh <dwalsh at redhat.com> 2.3.16-9
- Remove bluetooth-helper transition
- Add selinux_validate for semanage
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.93
retrieving revision 1.94
diff -u -r1.93 -r1.94
--- sources 26 Sep 2006 14:59:58 -0000 1.93
+++ sources 29 Sep 2006 19:19:18 -0000 1.94
@@ -1 +1 @@
-549a42b9073f1aae693dd3481a11c9ff serefpolicy-2.3.16.tgz
+94105148f17665d8eeaf45ad6f9fa631 serefpolicy-2.3.17.tgz