rpms/selinux-policy/devel policy-20071130.patch, 1.22, 1.23 selinux-policy.spec, 1.578, 1.579

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Dec 31 21:06:11 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31792

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Mon Dec 31 2007 Dan Walsh <dwalsh at redhat.com> 3.2.5-7
- Fix munin log
- Eliminate duplicate mozilla file context
- fix wpa_supplicant spec


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- policy-20071130.patch	30 Dec 2007 15:12:11 -0000	1.22
+++ policy-20071130.patch	31 Dec 2007 21:06:02 -0000	1.23
@@ -3463,8 +3463,25 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc	2007-12-19 05:38:08.000000000 -0500
-@@ -127,6 +127,8 @@
++++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc	2007-12-31 11:50:26.000000000 -0500
+@@ -7,6 +7,7 @@
+ /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -58,6 +59,8 @@
+ 
+ /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/NetworkManager/dispatcher.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
+@@ -127,6 +130,8 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3473,7 +3490,7 @@
  #
  # /usr
  #
-@@ -147,7 +149,7 @@
+@@ -147,7 +152,7 @@
  /usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
@@ -3482,7 +3499,7 @@
  
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -186,6 +188,8 @@
+@@ -186,6 +191,8 @@
  /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
  
@@ -3504,16 +3521,17 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in	2007-12-19 05:38:08.000000000 -0500
-@@ -122,6 +122,7 @@
++++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in	2007-12-31 07:12:10.000000000 -0500
+@@ -122,6 +122,8 @@
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
 +network_port(munin, tcp,4949,s0, udp,4949,s0)
++network_port(mythtv, tcp,6543,s0, udp,6543,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
  network_port(nessus, tcp,1241,s0)
-@@ -133,6 +134,7 @@
+@@ -133,6 +135,7 @@
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(postfix_policyd, tcp,10031,s0)
@@ -3523,7 +3541,7 @@
  network_port(postgresql, tcp,5432,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.5/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc	2007-12-19 05:38:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc	2007-12-31 08:18:04.000000000 -0500
 @@ -22,6 +22,7 @@
  /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -3532,7 +3550,13 @@
  /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hidraw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
-@@ -33,6 +34,7 @@
+@@ -29,10 +30,13 @@
+ /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
+ /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
+ /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
++/dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
++/dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
+ /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -3702,8 +3726,20 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.5/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/devices.te	2007-12-19 05:38:08.000000000 -0500
-@@ -72,6 +72,13 @@
++++ serefpolicy-3.2.5/policy/modules/kernel/devices.te	2007-12-31 08:18:37.000000000 -0500
+@@ -66,12 +66,25 @@
+ dev_node(framebuf_device_t)
+ 
+ #
++# Type for /dev/ipmi/0
++#
++type ipmi_device_t;
++dev_node(ipmi_device_t)
++
++#
+ # Type for /dev/kmsg
+ #
+ type kmsg_device_t;
  dev_node(kmsg_device_t)
  
  #
@@ -4137,7 +4173,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.5/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/apache.if	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/apache.if	2007-12-31 07:06:22.000000000 -0500
 @@ -18,10 +18,6 @@
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -4166,7 +4202,15 @@
  
  	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
  	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -120,10 +115,6 @@
+@@ -96,6 +91,7 @@
+ 	dev_read_urand(httpd_$1_script_t)
+ 
+ 	corecmd_exec_all_executables(httpd_$1_script_t)
++	application_exec_all(httpd_$1_script_t)
+ 
+ 	files_exec_etc_files(httpd_$1_script_t)
+ 	files_read_etc_files(httpd_$1_script_t)
+@@ -120,10 +116,6 @@
  		can_exec(httpd_$1_script_t, httpdcontent)
  	')
  
@@ -4177,7 +4221,7 @@
  	# Allow the web server to run scripts and serve pages
  	tunable_policy(`httpd_builtin_scripting',`
  		manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
-@@ -177,48 +168,6 @@
+@@ -177,48 +169,6 @@
  		miscfiles_read_localization(httpd_$1_script_t)
  	')
  
@@ -4226,7 +4270,7 @@
  	optional_policy(`
  		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
  			nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -267,7 +216,7 @@
+@@ -267,7 +217,7 @@
  		attribute httpdcontent, httpd_script_domains;
  		attribute httpd_exec_scripts, httpd_user_content_type;
  		attribute httpd_user_script_exec_type;
@@ -4235,7 +4279,7 @@
  	')
  
  	apache_content_template($1)
-@@ -331,6 +280,7 @@
+@@ -331,6 +281,7 @@
  		userdom_search_user_home_dirs($1,httpd_t)
  		userdom_search_user_home_dirs($1,httpd_suexec_t)
  		userdom_search_user_home_dirs($1,httpd_$1_script_t)
@@ -4243,7 +4287,7 @@
  	')
  ')
  
-@@ -352,12 +302,11 @@
+@@ -352,12 +303,11 @@
  #
  template(`apache_read_user_scripts',`
  	gen_require(`
@@ -4260,7 +4304,7 @@
  ')
  
  ########################################
-@@ -378,12 +327,12 @@
+@@ -378,12 +328,12 @@
  #
  template(`apache_read_user_content',`
  	gen_require(`
@@ -4277,7 +4321,7 @@
  ')
  
  ########################################
-@@ -761,6 +710,7 @@
+@@ -761,6 +711,7 @@
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -4285,7 +4329,7 @@
  ')
  
  ########################################
-@@ -845,6 +795,10 @@
+@@ -845,6 +796,10 @@
  		type httpd_sys_script_t;
  	')
  
@@ -4296,7 +4340,7 @@
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
  		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
  	')
-@@ -932,7 +886,7 @@
+@@ -932,7 +887,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -4305,7 +4349,7 @@
  ')
  
  ########################################
-@@ -1088,3 +1042,138 @@
+@@ -1088,3 +1043,138 @@
  
  	allow httpd_t $1:process signal;
  ')
@@ -4446,7 +4490,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/apache.te	2007-12-26 19:16:19.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/apache.te	2007-12-31 07:20:25.000000000 -0500
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -4559,7 +4603,18 @@
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -335,6 +370,10 @@
+@@ -315,9 +350,7 @@
+ 
+ auth_use_nsswitch(httpd_t)
+ 
+-# execute perl
+-corecmd_exec_bin(httpd_t)
+-corecmd_exec_shell(httpd_t)
++application_exec_all(httpd_t)
+ 
+ domain_use_interactive_fds(httpd_t)
+ 
+@@ -335,6 +368,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
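Review bot: Replacing `corecmd_exec_bin(httpd_t)` and `corecmd_exec_shell(httpd_t)` with an unconditional `application_exec_all(httpd_t)` changes what the web server may execute inside its own domain, with no transition. The definition of `application_exec_all` is not in this hunk, so it cannot be confirmed from here whether bin_t and shell_exec_t are still covered, or how many additional executable types httpd_t gains. The same swap is made for httpd_suexec_t in the `@@ -593,9 +676,7 @@` hunk, and the call is also added to the `httpd_$1_script_t` template in apache.if, while the `optional_policy` wrapper the previous revision used is dropped. I would keep the two corecmd lines beside the new call until the expansion is checked, and add a comment above it such as `# exec of application executables in the caller's domain; see application.if for the types covered`. The httpd_t section continues outside the hunk.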
@@ -4570,7 +4625,7 @@
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -351,8 +390,6 @@
+@@ -351,8 +388,6 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -4579,7 +4634,7 @@
  tunable_policy(`allow_httpd_anon_write',`
  	miscfiles_manage_public_files(httpd_t)
  ') 
-@@ -361,6 +398,13 @@
+@@ -361,6 +396,13 @@
  #
  # We need optionals to be able to be within booleans to make this work
  #
@@ -4593,7 +4648,7 @@
  tunable_policy(`allow_httpd_mod_auth_pam',`
  	auth_domtrans_chk_passwd(httpd_t)
  ')
-@@ -370,6 +414,16 @@
+@@ -370,6 +412,16 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -4610,7 +4665,7 @@
  tunable_policy(`httpd_can_network_relay',`
  	# allow httpd to work as a relay
  	corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,6 +436,10 @@
+@@ -382,6 +434,10 @@
  	corenet_sendrecv_http_cache_client_packets(httpd_t)
  ')
  
@@ -4621,7 +4676,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
  
-@@ -399,11 +457,21 @@
+@@ -399,11 +455,21 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -4643,18 +4698,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -425,6 +493,10 @@
- ')
- 
- optional_policy(`
-+	application_exec(httpd_t)
-+')
-+
-+optional_policy(`
- 	calamaris_read_www_files(httpd_t)
- ')
- 
-@@ -437,8 +509,14 @@
+@@ -437,8 +503,14 @@
  ')
  
  optional_policy(`
@@ -4670,7 +4714,7 @@
  ')
  
  optional_policy(`
-@@ -450,19 +528,13 @@
+@@ -450,19 +522,13 @@
  ')
  
  optional_policy(`
@@ -4691,7 +4735,7 @@
  ')
  
  optional_policy(`
-@@ -472,13 +544,14 @@
+@@ -472,13 +538,14 @@
  	openca_kill(httpd_t)
  ')
  
@@ -4710,7 +4754,7 @@
  ')
  
  optional_policy(`
-@@ -486,6 +559,7 @@
+@@ -486,6 +553,7 @@
  ')
  
  optional_policy(`
@@ -4718,7 +4762,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -521,6 +595,13 @@
+@@ -521,6 +589,13 @@
  	userdom_use_sysadm_terms(httpd_helper_t)
  ')
  
@@ -4732,7 +4776,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -550,18 +631,24 @@
+@@ -550,18 +625,24 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -4760,7 +4804,7 @@
  ')
  
  ########################################
-@@ -585,6 +672,8 @@
+@@ -585,6 +666,8 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -4769,7 +4813,18 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -638,6 +727,12 @@
+@@ -593,9 +676,7 @@
+ 
+ fs_search_auto_mountpoints(httpd_suexec_t)
+ 
+-# for shell scripts
+-corecmd_exec_bin(httpd_suexec_t)
+-corecmd_exec_shell(httpd_suexec_t)
++application_exec_all(httpd_suexec_t)
+ 
+ files_read_etc_files(httpd_suexec_t)
+ files_read_usr_files(httpd_suexec_t)
+@@ -638,6 +719,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -4782,7 +4837,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +750,6 @@
+@@ -655,10 +742,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -4793,7 +4848,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -668,7 +759,8 @@
+@@ -668,7 +751,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -4803,7 +4858,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +774,44 @@
+@@ -682,15 +766,44 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -4815,15 +4870,15 @@
  
 -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 +tunable_policy(`httpd_use_nfs', `
- 	fs_read_nfs_files(httpd_sys_script_t)
- 	fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
- 
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
 +	fs_read_nfs_files(httpd_sys_script_t)
 +	fs_read_nfs_symlinks(httpd_sys_script_t)
 +')
 +
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ 	fs_read_nfs_files(httpd_sys_script_t)
+ 	fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+ 
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 +	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
 +	allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -4849,7 +4904,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +821,15 @@
+@@ -700,9 +813,15 @@
  	clamav_domtrans_clamscan(httpd_sys_script_t)
  ')
  
@@ -4865,7 +4920,7 @@
  ')
  
  ########################################
-@@ -724,3 +851,46 @@
+@@ -724,3 +843,46 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -5091,7 +5146,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.5/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2007-09-05 15:24:44.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/clamav.fc	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/clamav.fc	2007-12-31 09:05:46.000000000 -0500
 @@ -5,16 +5,18 @@
  /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
  
@@ -5108,9 +5163,9 @@
  
 -/var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
 -/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
-+/var/log/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_log_t,s0)
++/var/log/clamav.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
  /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
-+/var/log/clamav.milter		--	gen_context(system_u:object_r:clamd_var_log_t,s0)
++/var/log/clamd.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
  
  /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.5/policy/modules/services/clamav.te
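Review bot: `/var/log/clamav.*` and `/var/log/clamd.*` are prefix matches with no file-type field, so any object under /var/log whose path merely begins with clamav or clamd is labelled clamd_var_log_t, whatever its class. The entry this replaces, `/var/log/clamav(/.*)?`, confined the match to the clamav directory tree. If the aim is to pick up rotated or per-instance logs, a narrower pair such as `/var/log/clamav(/.*)?` and `/var/log/clamd[^/]*` would label those without catching unrelated siblings. If directories named clamd.* are intended, a comment saying so would make the breadth deliberate. The dot in the removed `clamav.milter` entry was also unescaped, so the old line was not exact either.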
@@ -5208,7 +5263,7 @@
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/cron.if	2007-12-20 14:02:12.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/cron.if	2007-12-31 15:17:06.000000000 -0500
 @@ -35,38 +35,23 @@
  #
  template(`cron_per_role_template',`
@@ -7254,9 +7309,24 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.5/policy/modules/services/lpd.if
+--- nsaserefpolicy/policy/modules/services/lpd.if	2007-11-16 13:45:14.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/lpd.if	2007-12-31 06:40:50.000000000 -0500
+@@ -336,10 +336,8 @@
+ 	')
+ 
+ 	files_search_spool($1)
++	manage_dirs_pattern($1,print_spool_t,print_spool_t)
+ 	manage_files_pattern($1,print_spool_t,print_spool_t)
+-
+-	# cjp: cups wants setattr
+-	allow $1 print_spool_t:dir setattr;
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.5/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mailman.if	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/mailman.if	2007-12-31 14:18:13.000000000 -0500
 @@ -211,6 +211,7 @@
  		type mailman_data_t;
  	')
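Review bot: The lpd.if interface body shown here goes from `allow $1 print_spool_t:dir setattr;` to `manage_dirs_pattern($1,print_spool_t,print_spool_t)`, so every caller now gets full directory management on the print spool, where the removed comment said cups only wanted setattr. The interface header and its callers are outside the hunk, so it is not visible how many domains inherit the wider grant. If only one domain needs to create spool sub-directories, granting that in its own .te file or through a separate interface keeps the remaining callers at the previous level. At minimum, replace the dropped `# cjp: cups wants setattr` line with a comment recording which daemon needs directory management and why.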
@@ -7265,6 +7335,32 @@
  	manage_files_pattern($1,mailman_data_t,mailman_data_t)
  ')
  
+@@ -252,6 +253,25 @@
+ 
+ #######################################
+ ## <summary>
++##	read
++##	mailman logs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mailman_read_log',`
++	gen_require(`
++		type mailman_log_t;
++	')
++
++	read_files_pattern($1,mailman_log_t,mailman_log_t)
++')
++
++#######################################
++## <summary>
+ ##	Append to mailman logs.
+ ## </summary>
+ ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/mailman.te	2007-12-19 05:38:09.000000000 -0500
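Review bot: The summary of the new `mailman_read_log` interface is split across two lines as `##	read` and `##	mailman logs.`, which leaves a lower-case fragment in the generated interface documentation. Write it on one line as `##	Read mailman logs.` to match the "Append to mailman logs." block that follows. The body grants only `read_files_pattern($1,mailman_log_t,mailman_log_t)`. If these logs sit under the generic log directory, callers presumably also need `logging_search_logs($1)` to reach them; the sibling append interface's body is not in this hunk, so confirm the two agree.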
@@ -7644,18 +7740,21 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2007-04-30 10:41:38.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/munin.fc	2007-12-19 05:38:09.000000000 -0500
-@@ -8,4 +8,5 @@
++++ serefpolicy-3.2.5/policy/modules/services/munin.fc	2007-12-31 05:55:51.000000000 -0500
+@@ -6,6 +6,7 @@
+ /usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
+ 
  /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
- /var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
+-/var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
++/var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
  /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
 -/var/www/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
 +/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
 +/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/munin.te	2007-12-19 05:38:09.000000000 -0500
-@@ -37,6 +37,9 @@
++++ serefpolicy-3.2.5/policy/modules/services/munin.te	2007-12-31 06:15:20.000000000 -0500
+@@ -37,14 +37,18 @@
  allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
  allow munin_t self:tcp_socket create_stream_socket_perms;
  allow munin_t self:udp_socket create_socket_perms;
@@ -7665,7 +7764,18 @@
  
  allow munin_t munin_etc_t:dir list_dir_perms;
  read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
-@@ -73,6 +76,7 @@
+ read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t)
+ files_search_etc(munin_t)
+ 
+-allow munin_t munin_log_t:file manage_file_perms;
+-logging_log_filetrans(munin_t,munin_log_t,file)
++manage_dirs_pattern(munin_t, munin_log_t,  munin_log_t)
++manage_files_pattern(munin_t, munin_log_t,  munin_log_t)
++logging_log_filetrans(munin_t,munin_log_t,{ file dir })
+ 
+ manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
+ manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
+@@ -73,6 +77,7 @@
  corenet_udp_sendrecv_all_nodes(munin_t)
  corenet_tcp_sendrecv_all_ports(munin_t)
  corenet_udp_sendrecv_all_ports(munin_t)
@@ -7673,7 +7783,7 @@
  
  dev_read_sysfs(munin_t)
  dev_read_urand(munin_t)
-@@ -91,6 +95,7 @@
+@@ -91,6 +96,7 @@
  
  logging_send_syslog_msg(munin_t)
  
@@ -7681,7 +7791,7 @@
  miscfiles_read_localization(munin_t)
  
  sysnet_read_config(munin_t)
-@@ -118,3 +123,9 @@
+@@ -118,3 +124,9 @@
  optional_policy(`
  	udev_read_db(munin_t)
  ')
@@ -7785,8 +7895,13 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mysql.te	2007-12-19 05:38:09.000000000 -0500
-@@ -25,6 +25,9 @@
++++ serefpolicy-3.2.5/policy/modules/services/mysql.te	2007-12-31 06:59:38.000000000 -0500
+@@ -1,4 +1,3 @@
+-
+ policy_module(mysql,1.6.0)
+ 
+ ########################################
+@@ -25,6 +24,9 @@
  type mysqld_tmp_t;
  files_tmp_file(mysqld_tmp_t)
  
@@ -7796,6 +7911,16 @@
  ########################################
  #
  # Local policy
+@@ -33,7 +35,8 @@
+ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
+ dontaudit mysqld_t self:capability sys_tty_config;
+ allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+-allow mysqld_t self:fifo_file { read write };
++allow mysqld_t self:fifo_file rw_fifo_file_perms;
++allow mysqld_t self:shm create_shm_file_perms;
+ allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+ allow mysqld_t self:tcp_socket create_stream_socket_perms;
+ allow mysqld_t self:udp_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/nagios.fc	2007-12-19 05:38:09.000000000 -0500
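Review bot: `allow mysqld_t self:shm create_shm_file_perms;` uses a permission-set name that is not defined anywhere in the visible part of this patch; the set normally paired with the shm class is `create_shm_perms`. m4 leaves an undefined macro as a bare word, so a wrong name would only surface as an unknown-permission error when the policy is compiled. Please confirm the set exists, or change the line to `allow mysqld_t self:shm create_shm_perms;`.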
@@ -7948,12 +8073,42 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.5/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc	2007-12-19 05:38:09.000000000 -0500
-@@ -5,3 +5,4 @@
++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc	2007-12-31 08:48:44.000000000 -0500
+@@ -1,7 +1,9 @@
+ /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ 
+ /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/log/wpa_supplicant\.log	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
++/var/log/wpa_supplicant\.log.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.5/policy/modules/services/networkmanager.if
+--- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-06-12 10:15:45.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.if	2007-12-31 08:55:52.000000000 -0500
+@@ -97,3 +97,21 @@
+ 	allow $1 NetworkManager_t:dbus send_msg;
+ 	allow NetworkManager_t $1:dbus send_msg;
+ ')
++
++########################################
++## <summary>
++##	Send a generic signal to NetworkManager
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`networkmanager_signal',`
++	gen_require(`
++		type NetworkManager_t;
++	')
++
++	allow $1 NetworkManager_t:process signal;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te	2007-12-26 20:31:36.000000000 -0500
@@ -8687,7 +8842,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.te	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/postfix.te	2007-12-31 14:18:01.000000000 -0500
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -8758,15 +8913,16 @@
  mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
-@@ -285,6 +306,7 @@
+@@ -285,6 +306,8 @@
  optional_policy(`
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
 +	mailman_append_log(postfix_local_t)
++	mailman_read_log(postfix_local_t)
  ')
  
  optional_policy(`
-@@ -295,8 +317,7 @@
+@@ -295,8 +318,7 @@
  #
  # Postfix map local policy
  #
@@ -8776,7 +8932,7 @@
  allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
  allow postfix_map_t self:unix_dgram_socket create_socket_perms;
  allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -346,8 +367,6 @@
+@@ -346,8 +368,6 @@
  
  miscfiles_read_localization(postfix_map_t)
  
@@ -8785,7 +8941,7 @@
  tunable_policy(`read_default_t',`
  	files_list_default(postfix_map_t)
  	files_read_default_files(postfix_map_t)
-@@ -360,6 +379,11 @@
+@@ -360,6 +380,11 @@
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
  
@@ -8797,7 +8953,7 @@
  ########################################
  #
  # Postfix pickup local policy
-@@ -392,6 +416,10 @@
+@@ -392,6 +417,10 @@
  rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
  
  optional_policy(`
@@ -8808,7 +8964,7 @@
  	procmail_domtrans(postfix_pipe_t)
  ')
  
-@@ -400,6 +428,10 @@
+@@ -400,6 +429,10 @@
  ')
  
  optional_policy(`
@@ -8819,7 +8975,7 @@
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -532,9 +564,6 @@
+@@ -532,9 +565,6 @@
  # connect to master process
  stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
  
@@ -8829,7 +8985,7 @@
  # for prng_exch
  allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
  allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -557,6 +586,10 @@
+@@ -557,6 +587,10 @@
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -8957,8 +9113,17 @@
  # Fix pptp sockets
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.5/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/ppp.te	2007-12-19 05:38:09.000000000 -0500
-@@ -194,6 +194,8 @@
++++ serefpolicy-3.2.5/policy/modules/services/ppp.te	2007-12-31 08:54:45.000000000 -0500
+@@ -162,6 +162,8 @@
+ init_read_utmp(pppd_t)
+ init_dontaudit_write_utmp(pppd_t)
+ 
++auth_use_nsswitch(pppd_t)
++
+ libs_use_ld_so(pppd_t)
+ libs_use_shared_libs(pppd_t)
+ 
+@@ -194,14 +196,12 @@
  
  optional_policy(`
  	mta_send_mail(pppd_t)
@@ -8967,6 +9132,41 @@
  ')
  
  optional_policy(`
+-	nis_use_ypbind(pppd_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(pppd_t)
++	NetworkManager_signal(pppd_t)
+ ')
+ 
+ optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if
+--- nsaserefpolicy/policy/modules/services/procmail.if	2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/procmail.if	2007-12-31 15:18:55.000000000 -0500
+@@ -39,3 +39,22 @@
+ 	corecmd_search_bin($1)
+ 	can_exec($1,procmail_exec_t)
+ ')
++
++########################################
++## <summary>
++##	Read procmail tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`procmail_read_tmp_files',`
++	gen_require(`
++		type procmail_tmp_t;
++	')
++
++	files_search_tmp($1)
++	allow $1 procmail_tmp_t:file read_file_perms;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/procmail.te	2007-12-26 18:16:54.000000000 -0500
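Review bot: ppp.te calls `NetworkManager_signal(pppd_t)`, but the interface added to networkmanager.if in this same revision is declared as `networkmanager_signal`. m4 macro names are case-sensitive, so the call will not expand to `allow $1 NetworkManager_t:process signal;`. Depending on how the build treats the unexpanded text, either the module fails to compile or pppd_t ends up without the signal permission this change was meant to add. Change the call to `networkmanager_signal(pppd_t)`.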
@@ -9025,7 +9225,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te	2007-12-27 11:44:33.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/pyzor.te	2007-12-31 15:19:10.000000000 -0500
 @@ -28,6 +28,9 @@
  type pyzor_var_lib_t;
  files_type(pyzor_var_lib_t)
@@ -9045,6 +9245,20 @@
  userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
  
  optional_policy(`
+@@ -76,8 +81,13 @@
+ ')
+ 
+ optional_policy(`
++	procmail_read_tmp_files(pyzor_t)
++')
++
++optional_policy(`
+ 	spamassassin_signal_spamd(pyzor_t)
+ 	spamassassin_read_spamd_tmp_files(pyzor_t)
++	userdom_read_user_home_content_files(unconfined,pyzor_t)
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
 --- nsaserefpolicy/policy/modules/services/razor.fc	2007-10-12 08:56:07.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/razor.fc	2007-12-19 05:38:09.000000000 -0500
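Review bot: `userdom_read_user_home_content_files(unconfined,pyzor_t)` lets pyzor_t read the unconfined user's home content in general, and it sits inside the `optional_policy` block keyed on the spamassassin interfaces, so the grant comes and goes with an unrelated module. If pyzor only needs its own per-user configuration, labelling those files with a dedicated type and allowing read on that type would be the narrower grant. Otherwise, move the call into its own `optional_policy` and add a comment naming the files pyzor reads from the home directory. The surrounding pyzor.te section continues outside the hunk.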
@@ -9991,8 +10205,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te	2007-12-19 05:38:09.000000000 -0500
-@@ -20,12 +20,16 @@
++++ serefpolicy-3.2.5/policy/modules/services/sendmail.te	2007-12-31 15:42:11.000000000 -0500
+@@ -20,13 +20,17 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
  
@@ -10006,10 +10220,12 @@
  #
  
 -allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
+-allow sendmail_t self:process signal;
 +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
- allow sendmail_t self:process signal;
++allow sendmail_t self:process { signal signull };
  allow sendmail_t self:fifo_file rw_fifo_file_perms;
  allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+ allow sendmail_t self:unix_dgram_socket create_socket_perms;
 @@ -47,6 +51,7 @@
  kernel_read_kernel_sysctls(sendmail_t)
  # for piping mail to a command
@@ -12611,7 +12827,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc	2007-12-27 11:40:35.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/libraries.fc	2007-12-31 05:53:37.000000000 -0500
 @@ -183,6 +183,7 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -12620,17 +12836,16 @@
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -242,7 +243,8 @@
+@@ -242,7 +243,7 @@
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +HOME_DIR/.*/plugins/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -292,6 +294,8 @@
+@@ -292,6 +293,8 @@
  #
  # /var
  #
@@ -12639,7 +12854,7 @@
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
-@@ -304,3 +308,4 @@
+@@ -304,3 +307,4 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.578
retrieving revision 1.579
diff -u -r1.578 -r1.579
--- selinux-policy.spec	30 Dec 2007 14:55:39 -0000	1.578
+++ selinux-policy.spec	31 Dec 2007 21:06:02 -0000	1.579
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -295,8 +295,8 @@
 
 if [ $1 = 1 ]; then
 semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 
-semanage login -m -s "unconfined_u" __default__ 2> /dev/null
-semanage login -m -s "system_u" root 2> /dev/null
+semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
+semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
 semanage user -a -P guest -R guest_r guest_u
 semanage user -a -P xguest -R xguest_r xguest_u 
 restorecon -R /root /var/log /var/run 2> /dev/null
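Review bot: The rewritten `semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root` line moves root from `system_u` to `unconfined_u`, but the 3.2.5-7 changelog entry added in the last hunk lists only the munin, mozilla and wpa_supplicant items. A change to root's login mapping deserves its own line there, for example `- Map root login to unconfined_u with range s0-s0:c0.c1023`. Both modified lines keep `2> /dev/null`, so a failed `-m` (for instance when there is no existing record to modify) would leave the previous mapping in place with nothing in the install log; dropping the redirect or echoing a warning on a non-zero exit would make that visible. The `if` block opened in this hunk closes outside it.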
@@ -386,6 +386,11 @@
 %endif
 
 %changelog
+* Mon Dec 31 2007 Dan Walsh <dwalsh at redhat.com> 3.2.5-7
+- Fix munin log,
+- Eliminate duplicate mozilla file context
+- fix wpa_supplicant spec
+
 * Mon Dec 24 2007 Dan Walsh <dwalsh at redhat.com> 3.2.5-6
 - Fix role transition from unconfined_r to system_r when running rpm
 - Allow unconfined_domains to communicate with user dbus instances



