rpms/selinux-policy/FC-6 policy-20061106.patch, 1.52, 1.53 selinux-policy.spec, 1.372, 1.373
fedora-cvs-commits at redhat.com
Tue Jul 17 20:21:07 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv20380
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Tue Jul 17 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-80
- Allow ntp to create shm
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/default_contexts | 6
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
man/man8/kerberos_selinux.8 | 2
policy/flask/access_vectors | 21
policy/flask/security_classes | 8
policy/global_tunables | 94 +++-
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17
policy/modules/admin/amanda.te | 11
policy/modules/admin/amtu.fc | 3
policy/modules/admin/amtu.if | 57 ++
policy/modules/admin/amtu.te | 56 ++
policy/modules/admin/backup.te | 5
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 14
policy/modules/admin/consoletype.te | 21
policy/modules/admin/ddcprobe.te | 10
policy/modules/admin/dmesg.te | 7
policy/modules/admin/dmidecode.te | 5
policy/modules/admin/firstboot.if | 24 -
policy/modules/admin/kudzu.te | 14
policy/modules/admin/logrotate.te | 5
policy/modules/admin/logwatch.te | 22
policy/modules/admin/netutils.te | 19
policy/modules/admin/portage.te | 5
policy/modules/admin/prelink.te | 23
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 24 -
policy/modules/admin/readahead.te | 2
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 104 ++++
policy/modules/admin/rpm.te | 49 --
policy/modules/admin/su.if | 38 +
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 13
policy/modules/admin/tripwire.te | 11
policy/modules/admin/usbmodules.te | 5
policy/modules/admin/usermanage.if | 2
policy/modules/admin/usermanage.te | 58 ++
policy/modules/admin/vpn.te | 1
policy/modules/apps/ethereal.te | 5
policy/modules/apps/evolution.if | 107 ++++
policy/modules/apps/evolution.te | 1
policy/modules/apps/games.fc | 1
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 108 ++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 70 +++
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 39 -
policy/modules/apps/mozilla.if | 208 +++++++--
policy/modules/apps/mplayer.if | 84 +++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.te | 7
policy/modules/apps/thunderbird.if | 81 +++
policy/modules/apps/userhelper.if | 20
policy/modules/apps/webalizer.te | 6
policy/modules/apps/wine.fc | 1
policy/modules/apps/yam.te | 5
policy/modules/kernel/corecommands.fc | 30 +
policy/modules/kernel/corecommands.if | 77 +++
policy/modules/kernel/corenetwork.if.in | 140 ++++++
policy/modules/kernel/corenetwork.te.in | 16
policy/modules/kernel/devices.fc | 11
policy/modules/kernel/devices.if | 56 ++
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.if | 80 +++
policy/modules/kernel/domain.te | 26 +
policy/modules/kernel/files.fc | 2
policy/modules/kernel/files.if | 224 +++++++++
policy/modules/kernel/filesystem.if | 62 ++
policy/modules/kernel/filesystem.te | 30 +
policy/modules/kernel/kernel.if | 84 +++
policy/modules/kernel/kernel.te | 22
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/storage.fc | 4
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.fc | 2
policy/modules/kernel/terminal.if | 21
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 3
policy/modules/services/aide.te | 11
policy/modules/services/amavis.if | 19
policy/modules/services/amavis.te | 4
policy/modules/services/apache.fc | 17
policy/modules/services/apache.if | 157 ++++++
policy/modules/services/apache.te | 47 +-
policy/modules/services/apm.te | 3
policy/modules/services/arpwatch.te | 5
policy/modules/services/audioentropy.te | 4
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 10
policy/modules/services/avahi.if | 40 +
policy/modules/services/avahi.te | 10
policy/modules/services/bind.fc | 1
policy/modules/services/bind.te | 6
policy/modules/services/bluetooth.te | 10
policy/modules/services/ccs.fc | 1
policy/modules/services/ccs.te | 25 -
policy/modules/services/clamav.te | 3
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 105 ++--
policy/modules/services/cron.te | 58 ++
policy/modules/services/cups.fc | 5
policy/modules/services/cups.te | 19
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 5
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 66 ++
policy/modules/services/dbus.te | 4
policy/modules/services/dcc.te | 9
policy/modules/services/dhcp.te | 3
policy/modules/services/dovecot.fc | 1
policy/modules/services/dovecot.if | 44 +
policy/modules/services/dovecot.te | 64 ++
policy/modules/services/fail2ban.fc | 3
policy/modules/services/fail2ban.if | 80 +++
policy/modules/services/fail2ban.te | 74 +++
policy/modules/services/ftp.te | 21
policy/modules/services/hal.fc | 14
policy/modules/services/hal.if | 160 ++++++
policy/modules/services/hal.te | 176 ++++++-
policy/modules/services/inetd.te | 34 +
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 25 +
policy/modules/services/kerberos.te | 21
policy/modules/services/ktalk.fc | 3
policy/modules/services/ktalk.te | 5
policy/modules/services/lpd.if | 75 ++-
policy/modules/services/lpd.te | 5
policy/modules/services/mailman.if | 20
policy/modules/services/mailman.te | 1
policy/modules/services/mta.fc | 1
policy/modules/services/mta.if | 20
policy/modules/services/mta.te | 3
policy/modules/services/munin.te | 5
policy/modules/services/nagios.fc | 3
policy/modules/services/nagios.te | 8
policy/modules/services/networkmanager.fc | 2
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 7
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 39 +
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 31 -
policy/modules/services/ntp.te | 3
policy/modules/services/oav.te | 5
policy/modules/services/oddjob.te | 5
policy/modules/services/openca.if | 4
policy/modules/services/openca.te | 2
policy/modules/services/openct.te | 2
policy/modules/services/openvpn.te | 20
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 62 ++
policy/modules/services/pcscd.te | 79 +++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 11
policy/modules/services/portmap.te | 5
policy/modules/services/portslave.te | 1
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 45 +
policy/modules/services/postfix.te | 94 ++++
policy/modules/services/ppp.te | 2
policy/modules/services/procmail.te | 32 +
policy/modules/services/pyzor.if | 18
policy/modules/services/pyzor.te | 13
policy/modules/services/radius.te | 2
policy/modules/services/radvd.te | 2
policy/modules/services/rhgb.if | 76 +++
policy/modules/services/rhgb.te | 3
policy/modules/services/ricci.te | 26 +
policy/modules/services/rlogin.te | 11
policy/modules/services/rpc.fc | 1
policy/modules/services/rpc.if | 3
policy/modules/services/rpc.te | 27 -
policy/modules/services/rshd.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.fc | 6
policy/modules/services/samba.if | 101 ++++
policy/modules/services/samba.te | 96 +++-
policy/modules/services/sasl.te | 14
policy/modules/services/sendmail.if | 22
policy/modules/services/sendmail.te | 8
policy/modules/services/setroubleshoot.if | 20
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.if | 17
policy/modules/services/snmp.te | 17
policy/modules/services/spamassassin.fc | 5
policy/modules/services/spamassassin.if | 42 +
policy/modules/services/spamassassin.te | 26 -
policy/modules/services/squid.fc | 2
policy/modules/services/squid.if | 21
policy/modules/services/squid.te | 16
policy/modules/services/ssh.if | 83 +++
policy/modules/services/ssh.te | 14
policy/modules/services/telnet.te | 3
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++
policy/modules/services/uucp.te | 44 +
policy/modules/services/uwimap.te | 1
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 211 +++++++++
policy/modules/services/xserver.te | 12
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 180 +++++++
policy/modules/system/authlogin.te | 43 +
policy/modules/system/clock.te | 18
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.if | 19
policy/modules/system/fstools.te | 11
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 19
policy/modules/system/init.if | 66 ++
policy/modules/system/init.te | 51 ++
policy/modules/system/ipsec.fc | 5
policy/modules/system/ipsec.if | 99 ++++
policy/modules/system/ipsec.te | 121 +++++
policy/modules/system/iptables.te | 27 -
policy/modules/system/libraries.fc | 43 +
policy/modules/system/libraries.te | 11
policy/modules/system/locallogin.if | 37 +
policy/modules/system/locallogin.te | 11
policy/modules/system/logging.fc | 5
policy/modules/system/logging.if | 61 ++
policy/modules/system/logging.te | 33 +
policy/modules/system/lvm.fc | 2
policy/modules/system/lvm.if | 44 +
policy/modules/system/lvm.te | 95 +++-
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 79 +++
policy/modules/system/modutils.te | 26 -
policy/modules/system/mount.te | 31 -
policy/modules/system/netlabel.te | 10
policy/modules/system/pcmcia.te | 5
policy/modules/system/raid.te | 16
policy/modules/system/selinuxutil.fc | 10
policy/modules/system/selinuxutil.if | 124 +++++
policy/modules/system/selinuxutil.te | 138 ++---
policy/modules/system/sysnetwork.if | 2
policy/modules/system/sysnetwork.te | 13
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23
policy/modules/system/tzdata.te | 51 ++
policy/modules/system/udev.te | 22
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 22
policy/modules/system/unconfined.te | 23
policy/modules/system/userdomain.if | 622 +++++++++++++++++++++++----
policy/modules/system/userdomain.te | 117 ++---
policy/modules/system/xen.fc | 1
policy/modules/system/xen.if | 44 +
policy/modules/system/xen.te | 61 ++
policy/support/*Warnings* | 189 ++++++++
policy/support/file_patterns.spt | 534 +++++++++++++++++++++++
policy/support/misc_macros.spt | 8
policy/support/obj_perm_sets.spt | 144 ++++++
266 files changed, 8132 insertions(+), 810 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- policy-20061106.patch 6 Jul 2007 15:35:02 -0000 1.52
+++ policy-20061106.patch 17 Jul 2007 20:21:05 -0000 1.53
@@ -3440,7 +3440,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.4.6/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/devices.fc 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/kernel/devices.fc 2007-07-11 16:42:35.000000000 -0400
@@ -20,15 +20,19 @@
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
@@ -3461,13 +3461,14 @@
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -47,14 +51,16 @@
+@@ -47,17 +51,20 @@
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
-/dev/raw1394. -c gen_context(system_u:object_r:v4l_device_t,s0)
+-/dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
++/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
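Review bot: `[0-9]*` admits zero digits, so the replacement `/dev/(misc/)?rtc[0-9]*` still covers the plain `/dev/rtc` (and `/dev/misc/rtc`) that the removed `/dev/(misc/)?rtc` line labelled, while also giving `/dev/rtc0` and higher-numbered nodes `clock_device_t`; because file_contexts regexes are anchored, nothing other than a digit suffix can match. The commit log mentions only ntp, so add a line saying this is what lets clock users reach the numbered rtc device.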
@@ -3479,9 +3480,13 @@
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ ifdef(`distro_suse', `
+ /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.4.6/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/devices.if 2007-07-03 12:59:04.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/kernel/devices.if 2007-07-11 14:08:49.000000000 -0400
@@ -2717,6 +2717,24 @@
########################################
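Review bot: the only substantive line in this hunk is `++/dev/usb[0-9]+` labelled `usb_device_t`; it does not overlap `/dev/usbdev.*` or `/dev/usblp.*` (a digit must directly follow `usb`), so the printer nodes keep `printer_device_t` and no ordering problem arises, but the log should say which domain was being denied on these nodes so the entry stays traceable. The rest of the hunk is the regenerated devices.if timestamp.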
@@ -3507,7 +3512,33 @@
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -3248,3 +3266,21 @@
+@@ -2981,6 +2999,25 @@
+ allow $1 v4l_device_t:chr_file r_file_perms;
+ ')
+
++
++########################################
++## <summary>
++## Write the video4linux devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_write_video_dev',`
++ gen_require(`
++ type device_t, v4l_device_t;
++ ')
++
++ write_chr_files_pattern($1,device_t,v4l_device_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write VMWare devices.
+@@ -3248,3 +3285,22 @@
typeattribute $1 devices_unconfined_type;
')
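Review bot: `dev_write_video_dev` is write-only, while the interface ending just above it (`allow $1 v4l_device_t:chr_file r_file_perms;`) is read-only, so a caller that needs both must invoke both; if the consumer that motivated this needs read and write on the same node, a `dev_rw_video_dev` built on `rw_chr_files_pattern` is the conventional single interface. Cosmetic: the block opens with two blank lines (the lone `++` before `++########`), one more than the neighbouring interfaces use.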
@@ -3529,6 +3560,7 @@
+
+ allow $1 device_t:dir { getattr rmdir };
+')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-2.4.6/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2006-11-29 12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/devices.te 2007-05-22 12:40:26.000000000 -0400
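Review bot: the only content change in this hunk is the `++` that appends a blank line after the final `')` of devices.if; drop it, since a trailing empty line at end of file is noise that will reappear in every regenerated version of this patch.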
@@ -4511,8 +4543,12 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-2.4.6/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/terminal.fc 2007-05-22 12:40:26.000000000 -0400
-@@ -11,6 +11,7 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/terminal.fc 2007-07-11 16:42:58.000000000 -0400
+@@ -8,9 +8,11 @@
+ /dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
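Review bot: labelling `/dev/i2c[^/]*` as `tty_device_t` puts I2C bus adapters in the same type as unallocated serial terminals, so any domain using `term_use_unallocated_ttys` or `term_use_all_terms` also gains read/write on the hardware bus; a dedicated device type declared in devices.te with its own read/write interface would keep that access limited to the one domain that needs it. At minimum, record in the log which domain was being denied on these nodes.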
@@ -5470,7 +5506,7 @@
+/var/lib/misc(/.*)? gen_context(system_u:object_r:crond_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.6/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.if 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/cron.if 2007-07-11 15:53:32.000000000 -0400
@@ -35,6 +35,7 @@
#
template(`cron_per_role_template',`
@@ -5621,36 +5657,85 @@
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -472,29 +499,6 @@
+@@ -435,7 +462,7 @@
+
+ ########################################
+ ## <summary>
+-## Read, and write cron daemon TCP sockets.
++## Read temporary files from cron.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -443,54 +470,50 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_rw_tcp_sockets',`
++interface(`cron_read_tmp_files',`
+ gen_require(`
+- type crond_t;
++ type crond_tmp_t;
+ ')
+
+- allow $1 crond_t:tcp_socket { read write };
++ files_search_tmp($1)
++ allow $1 crond_tmp_t:file read_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the directory containing user cron tables.
++## Read, and write cron daemon TCP sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## The type of the process to performing this action.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_search_spool',`
++interface(`cron_rw_tcp_sockets',`
+ gen_require(`
+- type cron_spool_t;
++ type crond_t;
+ ')
+
+- files_search_spool($1)
+- allow $1 cron_spool_t:dir search;
++ allow $1 crond_t:tcp_socket { read write };
+ ')
########################################
## <summary>
-## Execute APM in the apm domain.
--## </summary>
--## <param name="domain">
--## <summary>
++## Search the directory containing user cron tables.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
-## Domain allowed access.
--## </summary>
--## </param>
--#
++## The type of the process to performing this action.
+ ## </summary>
+ ## </param>
+ #
-interface(`cron_anacron_domtrans_system_job',`
-- gen_require(`
++interface(`cron_search_spool',`
+ gen_require(`
- type system_crond_t, anacron_exec_t;
-- ')
--
++ type cron_spool_t;
+ ')
+
- domain_auto_trans($1,anacron_exec_t,system_crond_t)
-
- allow $1 system_crond_t:fd use;
- allow system_crond_t $1:fd use;
- allow system_crond_t $1:fifo_file rw_file_perms;
- allow system_crond_t $1:process sigchld;
--')
--
--########################################
--## <summary>
- ## Inherit and use a file descriptor
- ## from system cron jobs.
- ## </summary>
++ files_search_spool($1)
++ allow $1 cron_spool_t:dir search;
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.6/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/cron.te 2007-05-30 13:14:32.000000000 -0400
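Review bot: the new `cron_read_tmp_files` interface is inserted by rewriting the existing `cron_rw_tcp_sockets` and `cron_search_spool` blocks in place, so the hunk reads as a rewrite of three interfaces (plus the `cron_anacron_domtrans_system_job` removal) when only one was added; inserting the new block without displacing the others would make the intent reviewable at a glance. While the `cron_search_spool` doc is being moved, fix its parameter text `The type of the process to performing this action.` to `Domain allowed access.`, as was done for `cron_rw_tcp_sockets`. The interface body itself looks right: `files_search_tmp($1)` plus `read_file_perms` on `crond_tmp_t:file` is all that reading a crond file under /tmp needs.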
@@ -7589,7 +7674,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.6/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/mta.te 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/mta.te 2007-07-11 15:53:52.000000000 -0400
@@ -27,6 +27,7 @@
type sendmail_exec_t;
@@ -7606,6 +7691,14 @@
ifdef(`targeted_policy',`
typealias system_mail_t alias sysadm_mail_t;
+@@ -113,6 +115,7 @@
+
+ optional_policy(`
+ cron_read_system_job_tmp_files(system_mail_t)
++ cron_read_tmp_files(system_mail_t)
+ cron_dontaudit_write_pipes(system_mail_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-2.4.6/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/munin.te 2007-05-22 12:40:26.000000000 -0400
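Review bot: `cron_read_tmp_files(system_mail_t)` is placed next to `cron_read_system_job_tmp_files(system_mail_t)` inside the existing `optional_policy` block, which is correct since it depends on the cron module, but neither the log message nor a comment says why the mailer now needs crond's own temp files in addition to the system job's; a one-line comment above the call (if crond hands job output to sendmail as a file under /tmp, say so) keeps the rule from being removed later as redundant.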
@@ -7943,8 +8036,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.4.6/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ntp.te 2007-06-11 08:11:46.000000000 -0400
-@@ -36,6 +36,7 @@
++++ serefpolicy-2.4.6/policy/modules/services/ntp.te 2007-07-17 16:18:58.000000000 -0400
+@@ -36,10 +36,12 @@
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
@@ -7952,7 +8045,12 @@
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
-@@ -137,6 +138,7 @@
+ allow ntpd_t self:udp_socket create_socket_perms;
++allow ntpd_t self:shm create_shm_perms;
+
+ allow ntpd_t ntp_drift_t:dir rw_dir_perms;
+ allow ntpd_t ntp_drift_t:file create_file_perms;
+@@ -137,6 +139,7 @@
optional_policy(`
firstboot_dontaudit_use_fds(ntpd_t)
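Review bot: `allow ntpd_t self:shm create_shm_perms;` is the single rule behind the `Allow ntp to create shm` log entry; presumably this serves ntpd's SHM reference-clock driver (the one used with gpsd), which most deployments never enable, so consider gating it behind a boolean the way this same patch gates openvpn's home-directory access with `openvpn_enable_homedirs`. If it stays unconditional, note in the log that it is `self:shm` only, so no other domain's segments become reachable. The embedded hunk headers move from `@@ -36,6 +36,7 @@` to `@@ -36,10 +36,12 @@` and from `+138,7` to `+139,7`, consistent with the one added line.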
@@ -8032,13 +8130,27 @@
files_pid_filetrans(openct_t,openct_var_run_t,file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-2.4.6/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/openvpn.te 2007-06-11 14:45:50.000000000 -0400
-@@ -28,11 +28,11 @@
++++ serefpolicy-2.4.6/policy/modules/services/openvpn.te 2007-07-13 07:03:12.000000000 -0400
+@@ -6,6 +6,13 @@
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow openvpn to read home directories
++## </p>
++## </desc>
++gen_tunable(openvpn_enable_homedirs,false)
++
+ # main openvpn domain
+ type openvpn_t;
+ type openvpn_exec_t;
+@@ -28,11 +35,11 @@
# openvpn local policy
#
-allow openvpn_t self:capability { net_admin setgid setuid sys_tty_config };
-+allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
++allow openvpn_t self:capability { dac_read_search net_bind_service net_admin setgid setuid sys_tty_config };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
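Review bot: `dac_read_search` is added to the unconditional capability set (`allow openvpn_t self:capability { dac_read_search net_bind_service ... }`) while the home-directory read it presumably supports is gated by the new `openvpn_enable_homedirs` boolean in the hunk at `@@ -92,6 +100,10 @@`; move the capability into that `tunable_policy` block so that with the default `false` openvpn cannot bypass DAC read/search checks at all. The tunable's `<desc>` text should also mention that it implies this capability.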
@@ -8047,7 +8159,7 @@
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
allow openvpn_t openvpn_etc_t:dir r_dir_perms;
-@@ -42,8 +42,8 @@
+@@ -42,8 +49,8 @@
allow openvpn_t openvpn_var_log_t:file create_file_perms;
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
@@ -8058,7 +8170,7 @@
kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
-@@ -67,6 +67,7 @@
+@@ -67,6 +74,7 @@
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
@@ -8066,6 +8178,17 @@
dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
+@@ -92,6 +100,10 @@
+ term_use_generic_ptys(openvpn_t)
+ ')
+
++tunable_policy(`openvpn_enable_homedirs',`
++ userdom_read_unpriv_users_home_content_files(openvpn_t)
++')
++
+ optional_policy(`
+ daemontools_service_domain(openvpn_t,openvpn_exec_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-2.4.6/policy/modules/services/pcscd.fc
--- nsaserefpolicy/policy/modules/services/pcscd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/pcscd.fc 2007-05-22 12:40:26.000000000 -0400
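Review bot: `userdom_read_unpriv_users_home_content_files(openvpn_t)` is correctly wrapped in `tunable_policy(`openvpn_enable_homedirs',...)` with the boolean defaulting to false; if the use case is certificates and keys kept under a user's home, the `<desc>` should say so, since enabling it means the daemon reads key material from a location writable by that unprivileged user, which is what an administrator needs to weigh before turning it on.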
@@ -12568,7 +12691,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.4.6/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/lvm.te 2007-06-11 09:18:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/lvm.te 2007-07-10 08:42:03.000000000 -0400
@@ -13,6 +13,9 @@
type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t)
@@ -12694,7 +12817,7 @@
allow lvm_t lvm_tmp_t:dir create_dir_perms;
allow lvm_t lvm_tmp_t:file create_file_perms;
-@@ -147,6 +190,10 @@
+@@ -147,10 +190,15 @@
allow lvm_t lvm_lock_t:file create_file_perms;
files_lock_filetrans(lvm_t,lvm_lock_t,file)
@@ -12704,8 +12827,14 @@
+
allow lvm_t lvm_var_run_t:file manage_file_perms;
allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
++allow lvm_t lvm_var_run_t:fifo_file manage_file_perms;
allow lvm_t lvm_var_run_t:dir manage_dir_perms;
-@@ -176,6 +223,7 @@
+-files_pid_filetrans(lvm_t,lvm_var_run_t,{ file sock_file })
++files_pid_filetrans(lvm_t,lvm_var_run_t,{ file sock_file fifo_file })
+
+ allow lvm_t lvm_etc_t:file r_file_perms;
+ allow lvm_t lvm_etc_t:lnk_file r_file_perms;
+@@ -176,6 +224,7 @@
selinux_compute_user_contexts(lvm_t)
dev_create_generic_chr_files(lvm_t)
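Review bot: `manage_file_perms` on `lvm_var_run_t:fifo_file` works (the classes share those permissions) but the refpolicy idiom for that class is `manage_fifo_file_perms`; the existing `sock_file` line has the same quirk, so keep the three consistent or fix both. Extending `files_pid_filetrans(lvm_t,lvm_var_run_t,{ file sock_file fifo_file })` is the necessary companion: without the transition the fifo would be created with the directory's default type and the new allow rule would never apply.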
@@ -12713,7 +12842,7 @@
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
-@@ -195,12 +243,15 @@
+@@ -195,12 +244,15 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -12729,7 +12858,7 @@
storage_relabel_fixed_disk(lvm_t)
storage_dontaudit_read_removable_device(lvm_t)
-@@ -212,15 +263,17 @@
+@@ -212,15 +264,17 @@
storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -12751,7 +12880,7 @@
files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
-@@ -248,8 +301,8 @@
+@@ -248,8 +302,8 @@
')
ifdef(`targeted_policy', `
@@ -12762,7 +12891,7 @@
files_dontaudit_read_root_files(lvm_t)
')
-@@ -259,9 +312,28 @@
+@@ -259,9 +313,28 @@
')
optional_policy(`
@@ -12903,7 +13032,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.4.6/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/modutils.te 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/modutils.te 2007-07-10 12:27:12.000000000 -0400
@@ -54,6 +54,8 @@
can_exec(insmod_t, insmod_exec_t)
@@ -15853,6 +15982,21 @@
+ allow $1 $2:dir rw_dir_perms;
+ type_transition $1 $2:$4 $3;
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_macros.spt serefpolicy-2.4.6/policy/support/misc_macros.spt
+--- nsaserefpolicy/policy/support/misc_macros.spt 2006-11-29 12:04:51.000000000 -0500
++++ serefpolicy-2.4.6/policy/support/misc_macros.spt 2007-07-11 13:55:12.000000000 -0400
+@@ -76,3 +76,11 @@
+ define(`gen_bool',`
+ bool $1 dflt_or_overr(`$1'_conf,$2);
+ ')
++
++define(`domtrans_pattern',`
++ domain_auto_trans($1,$2,$3)
++
++ allow $3 $1:fd use;
++ allow $3 $1:fifo_file rw_file_perms;
++ allow $3 $1:process sigchld;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-2.4.6/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2006-11-29 12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/support/obj_perm_sets.spt 2007-05-22 12:40:26.000000000 -0400
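Review bot: the new `domtrans_pattern` macro has no comment, unlike `gen_bool` directly above it; add a line saying it performs `domain_auto_trans($1,$2,$3)` and grants the target domain fd use, fifo read/write and sigchld back to the caller. It uses `rw_file_perms` on `$1:fifo_file`, where `rw_fifo_file_perms` is the matching perm set. This is the same trio of rules that the removed `cron_anacron_domtrans_system_job` wrote by hand in cron.if (`allow system_crond_t $1:fd use;` and the two lines after it), so remaining hand-written transitions can be converted to the macro.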
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.372
retrieving revision 1.373
diff -u -r1.372 -r1.373
--- selinux-policy.spec 6 Jul 2007 15:38:40 -0000 1.372
+++ selinux-policy.spec 17 Jul 2007 20:21:05 -0000 1.373
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 79%{?dist}
+Release: 80%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -358,6 +358,9 @@
%endif
%changelog
+* Tue Jul 17 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-80
+- Allow ntp to create shm
+
* Fri Jul 7 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-79
- Allow hal to write to pm-suspend
Resolves:#245926
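Review bot: the 2.4.6-80 changelog entry lists only `Allow ntp to create shm`, but the accompanying policy-20061106.patch revision also relabels `/dev/(misc/)?rtc[0-9]*`, `/dev/usb[0-9]+` and `/dev/i2c[^/]*`, adds `dev_write_video_dev` and `cron_read_tmp_files`, lets system_mail_t read crond temp files, introduces the `openvpn_enable_homedirs` boolean together with `dac_read_search`, gives lvm_t fifo handling under /var/run and adds a `domtrans_pattern` macro; list those so the RPM changelog matches what ships. Adjacent but pre-existing: the previous entry's `Fri Jul 7 2007` is not a valid weekday/date pair (7 July 2007 was a Saturday, and the CVS timestamp says 6 Jul), and rpmbuild warns about bogus changelog dates.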