rpms/selinux-policy/F-8 policy-20070703.patch, 1.146, 1.147 selinux-policy.spec, 1.586, 1.587
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Dec 3 01:29:48 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18738
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Wed Nov 28 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-63
- Change labeling on hpijs
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.146
retrieving revision 1.147
diff -u -r1.146 -r1.147
--- policy-20070703.patch 27 Nov 2007 02:49:56 -0000 1.146
+++ policy-20070703.patch 3 Dec 2007 01:29:11 -0000 1.147
@@ -2080,7 +2080,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.8/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-11-14 12:11:53.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-11-28 10:57:25.000000000 -0500
@@ -139,6 +139,7 @@
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
@@ -2112,7 +2112,15 @@
')
optional_policy(`
-@@ -321,6 +329,7 @@
+@@ -195,6 +203,7 @@
+ unconfined_domain(rpm_t)
+ # yum-updatesd requires this
+ unconfined_dbus_chat(rpm_t)
++ unconfined_dbus_chat(rpm_script_t)
+ ')
+
+ ifdef(`TODO',`
+@@ -321,6 +330,7 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -2344,7 +2352,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.8/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-11-30 13:59:38.000000000 -0500
@@ -92,6 +92,7 @@
dev_read_urand(chfn_t)
@@ -2365,7 +2373,15 @@
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
-@@ -520,6 +523,10 @@
+@@ -315,6 +318,7 @@
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(passwd_t)
++init_use_fds(passwd_t)
+
+ libs_use_ld_so(passwd_t)
+ libs_use_shared_libs(passwd_t)
+@@ -520,6 +524,10 @@
mta_manage_spool(useradd_t)
optional_policy(`
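Review bot: The new `init_use_fds(passwd_t)` line in the `@@ -315,6 +318,7 @@` usermanage.te hunk has no comment and sits directly under the existing comment about utmp write denials, so a reader could take that comment as its justification. Unlike the `init_dontaudit_rw_utmp(passwd_t)` line above it, this is an actual grant, on the domain that changes passwords. I would separate it from the utmp block with a blank line and give it its own comment, e.g. `# passwd is started with descriptors inherited from init (TODO: name the caller)`.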
@@ -2376,7 +2392,7 @@
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
-@@ -529,6 +536,12 @@
+@@ -529,6 +537,12 @@
')
optional_policy(`
@@ -2672,7 +2688,7 @@
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.8/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/gnome.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/gnome.if 2007-11-30 09:20:22.000000000 -0500
@@ -33,6 +33,51 @@
## </param>
#
@@ -3077,8 +3093,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.0.8/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/loadkeys.te 2007-11-07 17:15:22.000000000 -0500
-@@ -41,6 +41,8 @@
++++ serefpolicy-3.0.8/policy/modules/apps/loadkeys.te 2007-12-01 08:16:23.000000000 -0500
+@@ -41,6 +41,10 @@
miscfiles_read_localization(loadkeys_t)
@@ -3087,6 +3103,8 @@
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
++
++userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-10-22 13:21:41.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-10-29 23:59:29.000000000 -0400
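Review bot: `userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)` is appended to loadkeys.te without a comment, and a dontaudit rule suppresses the AVC denial record for that access, so anyone reading the audit log or revisiting the policy loses the signal with no stated reason. The same applies to `userdom_dontaudit_search_sysadm_home_dirs(daemon)` added to init.te later in this revision, which silences the denial for every domain carrying the `daemon` attribute. Each should carry a one-line comment naming the benign access being hidden, e.g. `# loadkeys inherits a descriptor to a file in the user's home directory; the denial is harmless (confirm)`.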
@@ -4372,7 +4390,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-16 09:41:59.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-28 11:00:38.000000000 -0500
@@ -6,6 +6,22 @@
# Declarations
#
@@ -4410,10 +4428,11 @@
# Use trusted objects in /dev
dev_rw_null(domain)
-@@ -134,3 +154,31 @@
+@@ -134,3 +154,32 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
++allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+
+# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
+optional_policy(`
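Review bot: The added `allow unconfined_domain_type unconfined_domain_type:dbus send_msg;` in domain.te lands directly under the existing comment `# act on all domains keys`, which describes the rule above it, so the new rule is effectively undocumented. It permits D-Bus message sending between every pair of domains that carry the unconfined_domain_type attribute. The same revision also adds `unconfined_dbus_chat(rpm_script_t)` in rpm.te, which may be redundant if rpm_script_t carries that attribute (not visible here). A comment such as `# unconfined domains may exchange dbus messages with each other` above the rule, with a blank line separating it from the key rule, would make the scope explicit.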
@@ -5085,7 +5104,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-12-01 07:21:24.000000000 -0500
@@ -21,6 +21,7 @@
# Use xattrs for the following filesystem types.
@@ -5118,7 +5137,7 @@
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
type romfs_t;
-@@ -133,6 +137,11 @@
+@@ -133,6 +137,16 @@
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -5127,12 +5146,17 @@
+genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+files_mountpoint(squash_t)
+
++type vmblock_t;
++fs_noxattr_type(vmblock_t)
++files_mountpoint(vmblock_t)
++genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
++
type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-11-26 11:48:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-11-29 19:53:41.000000000 -0500
@@ -352,6 +352,24 @@
########################################
@@ -5191,6 +5215,15 @@
')
########################################
+@@ -1336,7 +1373,7 @@
+
+ read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
++ list_dirs_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
+ ')
+
+ ########################################
@@ -1707,6 +1744,7 @@
')
@@ -5229,7 +5262,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.8/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2007-12-01 07:55:27.000000000 -0500
@@ -138,6 +138,7 @@
type security_t;
')
@@ -6809,8 +6842,18 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.8/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/clamav.fc 2007-11-14 10:32:54.000000000 -0500
-@@ -13,8 +13,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/clamav.fc 2007-12-01 07:48:56.000000000 -0500
+@@ -5,16 +5,18 @@
+ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+
+ /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
++/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+ /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
+ /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
+ /var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+ /var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
++/var/run/clamav-milter(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
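Review bot: Labelling `/usr/sbin/clamav-milter` as `clamd_exec_t` presumably makes the milter run in the same domain as the scanning daemon, so every permission either program needs ends up held by both. The clamav.te part of this revision already shows the effect: `mta_read_config(clamd_t)` is added, apparently for the milter, and clamd itself gains read access to the mail configuration too. If a separate milter domain is out of scope for this update, a comment in clamav.fc and one next to `mta_read_config(clamd_t)` saying the rule exists for clamav-milter would keep the shared domain from collecting unexplained grants.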
@@ -6818,11 +6861,12 @@
-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
++/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2007-11-08 09:58:52.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2007-12-01 07:46:17.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(clamav,1.4.1)
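Review bot: The new file-context entry `/var/log/clamav.milter` leaves the `.` unescaped, so as a regular expression it matches any character in that position, unlike the neighbouring `/var/run/clamd\..*` and `/var/run/clamav\..*` entries. `/var/log/rsync.log`, added in the new rsync.fc, has the same problem. Writing them as `/var/log/clamav\.milter` and `/var/log/rsync\.log` keeps the log types off unintended file names. It is also worth confirming that the milter log name really uses a dot, since the other two new clamav entries are spelled `clamav-milter`.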
@@ -6838,7 +6882,16 @@
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
-@@ -127,6 +128,10 @@
+@@ -120,6 +121,8 @@
+ cron_use_system_job_fds(clamd_t)
+ cron_rw_pipes(clamd_t)
+
++mta_read_config(clamd_t)
++
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+@@ -127,6 +130,10 @@
amavis_create_pid_files(clamd_t)
')
@@ -6849,7 +6902,7 @@
########################################
#
# Freshclam local policy
-@@ -233,3 +238,7 @@
+@@ -233,3 +240,7 @@
optional_policy(`
apache_read_sys_content(clamscan_t)
')
@@ -6919,7 +6972,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.8/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-11-19 15:22:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-11-26 22:41:45.000000000 -0500
@@ -10,7 +10,6 @@
type consolekit_exec_t;
init_daemon_domain(consolekit_t, consolekit_exec_t)
@@ -6963,7 +7016,7 @@
optional_policy(`
dbus_system_bus_client_template(consolekit, consolekit_t)
dbus_send_system_bus(consolekit_t)
-@@ -62,9 +71,16 @@
+@@ -62,9 +71,17 @@
optional_policy(`
unconfined_dbus_chat(consolekit_t)
')
@@ -6973,6 +7026,7 @@
optional_policy(`
xserver_read_all_users_xauth(consolekit_t)
xserver_stream_connect_xdm_xserver(consolekit_t)
++ xserver_stream_connect_xdm(consolekit_t)
')
+
+optional_policy(`
@@ -7418,8 +7472,8 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-11-14 10:50:26.000000000 -0500
-@@ -8,17 +8,14 @@
++++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-11-28 07:16:49.000000000 -0500
+@@ -8,17 +8,15 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -7432,13 +7486,14 @@
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -26,6 +23,11 @@
+@@ -26,6 +24,11 @@
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
@@ -7450,7 +7505,7 @@
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -33,7 +35,7 @@
+@@ -33,7 +36,7 @@
/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -7459,7 +7514,7 @@
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -51,4 +53,5 @@
+@@ -51,4 +54,5 @@
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
@@ -7476,7 +7531,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-11-26 13:00:40.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-12-02 19:06:03.000000000 -0500
@@ -48,9 +48,8 @@
type hplip_t;
type hplip_exec_t;
@@ -7712,8 +7767,12 @@
########################################
#
# HPLIP local policy
-@@ -525,11 +551,9 @@
- allow hplip_t cupsd_etc_t:dir search;
+@@ -522,14 +548,12 @@
+ allow hplip_t self:udp_socket create_socket_perms;
+ allow hplip_t self:rawip_socket create_socket_perms;
+
+-allow hplip_t cupsd_etc_t:dir search;
++allow hplip_t cupsd_etc_t:dir search_dir_perms;
cups_stream_connect(hplip_t)
-
@@ -7727,26 +7786,24 @@
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -560,7 +584,9 @@
+@@ -560,7 +584,7 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
-dev_read_usbfs(hplip_t)
+dev_rw_usbfs(hplip_t)
-+
-+lpd_read_spool(hplip_t)
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -587,8 +613,6 @@
+@@ -587,7 +611,7 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
-lpd_read_config(cupsd_t)
--
++lpd_manage_spool(hplip_t)
+
optional_policy(`
seutil_sigchld_newrole(hplip_t)
- ')
@@ -668,3 +692,15 @@
optional_policy(`
udev_read_db(ptal_t)
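Review bot: In the HPLIP section of cups.te this revision drops `lpd_read_spool(hplip_t)` and adds `lpd_manage_spool(hplip_t)`, moving hplip_t from reading the print spool to managing it, with no comment saying which program needs that. The same revision labels `/usr/bin/hpijs` as `hplip_exec_t` in cups.fc, so the domain now covers another binary as well as holding more access. If only hpijs needs to create or remove spool files, say so above the line, e.g. `# hpijs writes job files into the lpd spool (confirm)`, and check whether read access plus a narrower write rule would be enough.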
@@ -9525,7 +9582,7 @@
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-11-08 09:56:54.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-12-01 07:39:05.000000000 -0500
@@ -87,6 +87,8 @@
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
@@ -9688,7 +9745,7 @@
## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-11-20 17:00:29.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-12-01 07:56:00.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@@ -9706,7 +9763,7 @@
mta_base_mail_template(system)
role system_r types system_mail_t;
-@@ -40,27 +43,38 @@
+@@ -40,27 +43,40 @@
allow system_mail_t self:capability { dac_override };
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
@@ -9721,6 +9778,8 @@
+fs_rw_anon_inodefs_files(system_mail_t)
+
++selinux_getattr_fs(system_mail_t)
++
init_use_script_ptys(system_mail_t)
userdom_use_sysadm_terms(system_mail_t)
@@ -9745,7 +9804,7 @@
')
optional_policy(`
-@@ -73,6 +87,7 @@
+@@ -73,6 +89,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@@ -9753,7 +9812,7 @@
cron_dontaudit_write_pipes(system_mail_t)
')
-@@ -81,6 +96,11 @@
+@@ -81,6 +98,11 @@
')
optional_policy(`
@@ -9765,6 +9824,21 @@
logrotate_read_tmp_files(system_mail_t)
')
+@@ -136,6 +158,14 @@
+ ')
+
+ optional_policy(`
++ clamav_stream_connect(sendmail_t)
++')
++
++optional_policy(`
++ spamd_stream_connect(system_mail_t)
++')
++
++optional_policy(`
+ smartmon_read_tmp_files(system_mail_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.0.8/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/munin.if 2007-10-29 23:59:29.000000000 -0400
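Review bot: The new mta.te block calls `clamav_stream_connect(sendmail_t)`, but every other rule visible in this part of mta.te is written for system_mail_t, including the `spamd_stream_connect(system_mail_t)` added right after it. The identical call `clamav_stream_connect(sendmail_t)` is also added to sendmail.te in this revision, so the mta.te copy is either a duplicate or was meant to be `clamav_stream_connect(system_mail_t)`. If sendmail_t is really intended, the grant belongs only in sendmail.te, since mta.te does not visibly declare or require that type.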
@@ -11882,9 +11956,17 @@
- unconfined_domain(rshd_t)
- unconfined_shell_domtrans(rshd_t)
-')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.0.8/policy/modules/services/rsync.fc
+--- nsaserefpolicy/policy/modules/services/rsync.fc 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rsync.fc 2007-12-01 08:07:49.000000000 -0500
+@@ -1,2 +1,4 @@
+
+ /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
++
++/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-11-19 14:03:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-12-01 08:07:35.000000000 -0500
@@ -8,6 +8,13 @@
## <desc>
@@ -11907,7 +11989,17 @@
role system_r types rsync_t;
type rsync_data_t;
-@@ -33,7 +41,7 @@
+@@ -25,6 +33,9 @@
+ type rsync_tmp_t;
+ files_tmp_file(rsync_tmp_t)
+
++type rsync_log_t;
++logging_log_file(rsync_log_t)
++
+ type rsync_var_run_t;
+ files_pid_file(rsync_var_run_t)
+
+@@ -33,7 +44,7 @@
# Local policy
#
@@ -11916,7 +12008,7 @@
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket create_stream_socket_perms;
-@@ -43,7 +51,6 @@
+@@ -43,7 +54,6 @@
# cjp: this should probably only be inetd_child_t rules?
# search home and kerberos also.
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -11924,7 +12016,7 @@
#end for identd
allow rsync_t rsync_data_t:dir list_dir_perms;
-@@ -57,6 +64,8 @@
+@@ -57,6 +67,8 @@
manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
files_pid_filetrans(rsync_t,rsync_var_run_t,file)
@@ -11933,7 +12025,7 @@
kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
-@@ -80,6 +89,8 @@
+@@ -80,17 +92,18 @@
files_read_etc_files(rsync_t)
files_search_home(rsync_t)
@@ -11942,7 +12034,11 @@
libs_use_ld_so(rsync_t)
libs_use_shared_libs(rsync_t)
-@@ -89,8 +100,6 @@
+ logging_send_syslog_msg(rsync_t)
+-logging_dontaudit_search_logs(rsync_t)
++manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
++logging_log_filetrans(rsync_t,rsync_log_t,file)
+
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
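Review bot: `manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)` gives the rsync daemon full management of its own log file, which normally includes rewriting and unlinking it, so a compromised rsync_t process could alter or remove the record of what it did. Logging only needs the file to be created and appended to. Something like `append_files_pattern(rsync_t,rsync_log_t,rsync_log_t)` plus create permission for the `logging_log_filetrans(rsync_t,rsync_log_t,file)` transition would be tighter, assuming those patterns are available in this policy version.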
@@ -11951,7 +12047,7 @@
tunable_policy(`allow_rsync_anon_write',`
miscfiles_manage_public_files(rsync_t)
')
-@@ -107,10 +116,7 @@
+@@ -107,10 +120,7 @@
inetd_service_domain(rsync_t,rsync_exec_t)
')
@@ -12666,7 +12762,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-11-20 10:14:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-12-01 07:53:30.000000000 -0500
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -12701,7 +12797,16 @@
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -94,30 +99,33 @@
+@@ -66,6 +71,8 @@
+ fs_getattr_all_fs(sendmail_t)
+ fs_search_auto_mountpoints(sendmail_t)
+
++selinux_getattr_fs(sendmail_t)
++
+ term_dontaudit_use_console(sendmail_t)
+
+ # for piping mail to a command
+@@ -94,30 +101,34 @@
miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
@@ -12728,6 +12833,7 @@
optional_policy(`
clamav_search_lib(sendmail_t)
++ clamav_stream_connect(sendmail_t)
')
optional_policy(`
@@ -12741,7 +12847,7 @@
')
optional_policy(`
-@@ -131,28 +139,29 @@
+@@ -131,28 +142,33 @@
')
optional_policy(`
@@ -12757,6 +12863,10 @@
+')
+
+optional_policy(`
++ spamd_stream_connect(sendmail_t)
++')
++
++optional_policy(`
udev_read_db(sendmail_t)
')
@@ -12789,16 +12899,28 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-11-26 09:31:09.000000000 -0500
-@@ -53,6 +53,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-12-01 06:50:19.000000000 -0500
+@@ -27,8 +27,8 @@
+ # setroubleshootd local policy
+ #
+
+-allow setroubleshootd_t self:capability { dac_override sys_tty_config };
+-allow setroubleshootd_t self:process { signull signal getattr getsched };
++allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
++allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+ allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
+ allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+ allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -53,6 +53,8 @@
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
kernel_read_network_state(setroubleshootd_t)
++kernel_read_net_sysctls(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-@@ -67,6 +68,7 @@
+@@ -67,12 +69,13 @@
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
dev_read_urand(setroubleshootd_t)
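Review bot: The rewritten `allow setroubleshootd_t self:capability` and `self:process` lines add `sys_nice`, `setsched` and `sigkill` with no comment saying what setroubleshootd does that needs them. A later hunk in the same file also replaces `files_getattr_all_dirs(setroubleshootd_t)` with `files_list_all(setroubleshootd_t)`, which, judging by the name, widens a daemon that already holds `dac_override` from stat-ing directories to listing them. A short comment above each line naming the triggering behaviour, e.g. `# setroubleshootd changes its own scheduling priority (confirm)`, would let a later reviewer judge whether the grants can be dropped.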
@@ -12806,7 +12928,14 @@
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
-@@ -111,3 +113,11 @@
+ files_read_usr_files(setroubleshootd_t)
+ files_read_etc_files(setroubleshootd_t)
+-files_getattr_all_dirs(setroubleshootd_t)
++files_list_all(setroubleshootd_t)
+ files_getattr_all_files(setroubleshootd_t)
+
+ fs_getattr_all_dirs(setroubleshootd_t)
+@@ -111,3 +114,11 @@
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
')
@@ -12993,7 +13122,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2007-11-14 14:47:36.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2007-12-01 07:44:43.000000000 -0500
@@ -286,6 +286,12 @@
userdom_manage_user_home_content_symlinks($1,spamd_t)
')
@@ -13007,10 +13136,32 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_spamassassin_t)
fs_manage_nfs_files($1_spamassassin_t)
+@@ -531,3 +537,21 @@
+
+ dontaudit $1 spamd_tmp_t:sock_file getattr;
+ ')
++
++########################################
++## <summary>
++## Connect to run spamd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to connect.
++## </summary>
++## </param>
++#
++interface(`spamd_stream_connect',`
++ gen_require(`
++ type spamd_t, spamd_var_run_t;
++ ')
++
++ stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-11-14 14:09:01.000000000 -0500
-@@ -81,7 +81,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-12-01 07:28:12.000000000 -0500
+@@ -81,11 +81,12 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -13019,7 +13170,13 @@
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-@@ -150,10 +150,12 @@
+-files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
++manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
++files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file sock_file })
+
+ kernel_read_all_sysctls(spamd_t)
+ kernel_read_system_state(spamd_t)
+@@ -150,10 +151,12 @@
userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
tunable_policy(`use_nfs_home_dirs',`
@@ -14196,7 +14353,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-11-15 16:23:05.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-11-30 09:20:54.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@@ -14341,7 +14498,18 @@
')
optional_policy(`
-@@ -348,12 +382,8 @@
+@@ -313,6 +347,10 @@
+ ')
+
+ optional_policy(`
++ gnome_exec_gconf(xdm_t)
++')
++
++optional_policy(`
+ # Talk to the console mouse server.
+ gpm_stream_connect(xdm_t)
+ gpm_setattr_gpmctl(xdm_t)
+@@ -348,12 +386,8 @@
')
optional_policy(`
@@ -14355,7 +14523,7 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
-@@ -385,7 +415,7 @@
+@@ -385,7 +419,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -14364,7 +14532,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -397,6 +427,15 @@
+@@ -397,6 +431,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -14380,7 +14548,7 @@
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -425,6 +464,14 @@
+@@ -425,6 +468,14 @@
')
optional_policy(`
@@ -14395,7 +14563,7 @@
resmgr_stream_connect(xdm_t)
')
-@@ -434,47 +481,26 @@
+@@ -434,47 +485,26 @@
')
optional_policy(`
@@ -14492,7 +14660,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-11-15 10:15:01.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-11-29 07:52:28.000000000 -0500
@@ -14,6 +14,7 @@
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -14510,7 +14678,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-26 16:38:01.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-29 19:40:16.000000000 -0500
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -14922,7 +15090,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-11-13 17:09:13.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-11-29 07:59:30.000000000 -0500
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -15040,8 +15208,8 @@
+auth_use_nsswitch(updpwd_t)
+
+term_dontaudit_use_console(updpwd_t)
-+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_unallocated_ttys(updpwd_t)
++
+files_manage_etc_files(updpwd_t)
+kernel_read_system_state(updpwd_t)
+logging_send_syslog_msg(updpwd_t)
@@ -15486,7 +15654,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-10-30 21:08:32.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-11-30 14:03:04.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@@ -15696,17 +15864,19 @@
')
optional_policy(`
-@@ -750,6 +797,10 @@
+@@ -749,6 +796,12 @@
+ ')
')
- optional_policy(`
++userdom_dontaudit_search_sysadm_home_dirs(daemon)
++
++optional_policy(`
+ rpm_dontaudit_rw_pipes(daemon)
+')
+
-+optional_policy(`
+ optional_policy(`
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
- ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-11-16 09:54:16.000000000 -0500
@@ -17660,16 +17830,17 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc 2007-10-29 23:59:29.000000000 -0400
-@@ -54,7 +54,7 @@
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc 2007-11-28 11:07:20.000000000 -0500
+@@ -52,8 +52,7 @@
+ /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+ /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+
+-/var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+-/var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
++/var/run/dhclient[^/]* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
- /var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
- /var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
--
-+/var/run/dhclient-[^/]*\.lease -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
- ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-10-22 13:21:40.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2007-11-06 15:55:57.000000000 -0500
@@ -17931,7 +18102,7 @@
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-26 21:45:36.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-28 10:59:10.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -18508,7 +18679,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-26 13:59:06.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-30 17:25:54.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -19103,7 +19274,7 @@
samba_stream_connect_winbind($1_t)
')
-@@ -954,21 +886,166 @@
+@@ -954,21 +886,164 @@
## </summary>
## </param>
#
@@ -19146,6 +19317,9 @@
+ userdom_base_user_template($1)
+
+ userdom_manage_home_template($1)
++ userdom_poly_home_template($1)
++ userdom_poly_tmp_template($1)
++
+ userdom_manage_tmp_template($1)
+ userdom_manage_tmpfs_template($1)
+
@@ -19189,12 +19363,13 @@
+
+ # Stat lost+found.
+ files_getattr_lost_found_dirs($1_usertype)
++ files_dontaudit_list_default($1_usertype)
++ files_dontaudit_read_default_files($1_usertype)
+
+ fs_get_all_fs_quotas($1_usertype)
+ fs_getattr_all_fs($1_usertype)
+ fs_search_all($1_usertype)
+ fs_list_inotifyfs($1_usertype)
-+
+ fs_rw_anon_inodefs_files($1_usertype)
+
+ # Stop warnings about access to /dev/console
@@ -19213,12 +19388,6 @@
+
+ seutil_read_config($1_usertype)
+
-+ files_dontaudit_list_default($1_usertype)
-+ files_dontaudit_read_default_files($1_usertype)
-+
-+ userdom_poly_home_template($1)
-+ userdom_poly_tmp_template($1)
-+
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -19276,7 +19445,7 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1054,51 @@
+@@ -977,23 +1052,51 @@
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
@@ -19339,7 +19508,7 @@
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,23 +1134,14 @@
+@@ -1029,42 +1132,22 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -19352,24 +19521,27 @@
+ hal_dbus_chat($1_t)
')
-- optional_policy(`
++ # Run pppd in pppd_t by default for user
+ optional_policy(`
- loadkeys_run($1_t,$1_r,$1_tty_device_t)
++ ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++ setroubleshoot_stream_connect($1_t)
+ ')
+
+- # Run pppd in pppd_t by default for user
+- optional_policy(`
+- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+- setroubleshoot_stream_connect($1_t)
- ')
-
-- # Run pppd in pppd_t by default for user
-+ # Run pppd in pppd_t by default for user
- optional_policy(`
- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- ')
-@@ -1054,17 +1150,6 @@
- setroubleshoot_stream_connect($1_t)
- ')
-
- ifdef(`TODO',`
- ifdef(`xdm.te', `
- # this should cause the .xsession-errors file to be written to /tmp
@@ -19384,7 +19556,7 @@
')
#######################################
-@@ -1102,6 +1187,8 @@
+@@ -1102,6 +1185,8 @@
class passwd { passwd chfn chsh rootok crontab };
')
@@ -19393,7 +19565,7 @@
##############################
#
# Declarations
-@@ -1127,7 +1214,7 @@
+@@ -1127,7 +1212,7 @@
# $1_t local policy
#
@@ -19402,7 +19574,7 @@
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
-@@ -1139,7 +1226,11 @@
+@@ -1139,7 +1224,11 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -19415,7 +19587,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1277,6 +1368,7 @@
+@@ -1277,6 +1366,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -19423,7 +19595,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1642,9 +1734,13 @@
+@@ -1642,9 +1732,13 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -19437,7 +19609,7 @@
files_type($2)
')
-@@ -1894,10 +1990,46 @@
+@@ -1894,10 +1988,46 @@
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
type $1_home_dir_t, $1_home_t;
@@ -19485,7 +19657,7 @@
')
########################################
-@@ -2994,6 +3126,25 @@
+@@ -2994,6 +3124,25 @@
########################################
## <summary>
@@ -19511,7 +19683,7 @@
## Create objects in a user temporary directory
## with an automatic type transition to
## a specified private type.
-@@ -3078,7 +3229,7 @@
+@@ -3078,7 +3227,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -19520,7 +19692,7 @@
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4410,6 +4561,7 @@
+@@ -4410,6 +4559,7 @@
')
dontaudit $1 sysadm_home_dir_t:dir getattr;
@@ -19528,6 +19700,18 @@
')
########################################
+@@ -4444,9 +4594,11 @@
+ interface(`userdom_dontaudit_search_sysadm_home_dirs',`
+ gen_require(`
+ type sysadm_home_dir_t;
++ type admin_home_t;
+ ')
+
+ dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
++ dontaudit $1 admindif_home_dir_t:dir search_dir_perms;
+ ')
+
+ ########################################
@@ -4574,6 +4726,7 @@
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
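Review bot: In the new `userdom_dontaudit_search_sysadm_home_dirs` hunk, the added `gen_require` declares `admin_home_t`, but the added rule names `admindif_home_dir_t`. That type is not required anywhere in the visible lines and looks like a typo. As written, the rule refers to a type the interface never imports, so it would either fail to compile or leave the intended dontaudit for the admin home directory missing. The line should presumably read `dontaudit $1 admin_home_t:dir search_dir_perms;`. The interface's summary block lies outside the hunk, so confirm that its description still matches once both types are covered.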
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.586
retrieving revision 1.587
diff -u -r1.586 -r1.587
--- selinux-policy.spec 26 Nov 2007 21:25:47 -0000 1.586
+++ selinux-policy.spec 3 Dec 2007 01:29:11 -0000 1.587
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 62%{?dist}
+Release: 63%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -303,8 +303,8 @@
exit 0
-%triggerpostun targeted -- selinux-policy-targeted =< 3.0.8-59-1
-semanage user -m -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-63-1
+semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
semanage login -m -r s0-s0:c0.c1023 __default__ 2> /dev/null
exit 0
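Review bot: The rewritten `%triggerpostun targeted` body switches `semanage user` from `-m` to `-a`, still sends stderr to /dev/null and still ends in `exit 0`. On a system where `unconfined_u` already exists the add should fail, and the roles and MLS range would be left as they were with no trace in the transaction output. A fallback keeps both cases covered: `semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null || semanage user -m -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null`. The bound `3.0.8-63-1` also carries two hyphens, which is not a plain version-release string, so it is worth confirming how rpm compares it.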
@@ -381,6 +381,9 @@
%endif
%changelog
+* Wed Nov 28 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-63
+- Change labeling on hpijs
+
* Mon Nov 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-62
- Allow xend to create xend_var_log_t directories
- dontaudit setfiles relabel of /proc /sys caused by named-chroot