rpms/selinux-policy/devel policy-20070703.patch, 1.6, 1.7 selinux-policy.spec, 1.472, 1.473
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Jul 12 21:38:03 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30356
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Thu Jul 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.2-7
- Begin adding policy to separate setsebool from semanage
- Fix xserver.if definition to not break sepolgen.if
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20070703.patch 12 Jul 2007 14:44:32 -0000 1.6
+++ policy-20070703.patch 12 Jul 2007 21:37:30 -0000 1.7
@@ -6685,18 +6685,21 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.2/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/services/xserver.if 2007-07-12 09:36:57.000000000 -0400
-@@ -353,9 +353,6 @@
++++ serefpolicy-3.0.2/policy/modules/services/xserver.if 2007-07-12 17:01:56.000000000 -0400
+@@ -353,12 +353,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
- allow $2 $1_xauth_home_t:file manage_file_perms;
- allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
-
- allow xdm_t $1_xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
+- allow xdm_t $1_xauth_home_t:file manage_file_perms;
+- userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
+-
+ domain_use_interactive_fds($1_xauth_t)
-@@ -387,6 +384,14 @@
+ files_read_etc_files($1_xauth_t)
+@@ -387,6 +381,14 @@
')
optional_policy(`
@@ -6711,7 +6714,7 @@
nis_use_ypbind($1_xauth_t)
')
-@@ -537,16 +542,14 @@
+@@ -537,16 +539,14 @@
gen_require(`
type xdm_t, xdm_tmp_t;
@@ -6730,7 +6733,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,6 +558,8 @@
+@@ -555,25 +555,40 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -6739,8 +6742,14 @@
# Allow connections to X server.
files_search_tmp($2)
-@@ -565,15 +570,26 @@
- userdom_dontaudit_write_user_home_content_files($1,$2)
+ miscfiles_read_fonts($2)
+
+ userdom_search_user_home_dirs($1,$2)
+- # for .xsession-errors
+- userdom_dontaudit_write_user_home_content_files($1,$2)
++ userdom_manage_user_home_content_dirs($1, xdm_t)
++ userdom_manage_user_home_content_files($1, xdm_t)
++ userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
xserver_ro_session_template(xdm,$2,$3)
- xserver_rw_session_template($1,$2,$3)
@@ -6754,6 +6763,7 @@
- allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+ xserver_xdm_stream_connect($2)
+
++
+ # Read .Xauthority file
+ optional_policy(`
+ xserver_read_user_xauth($1, $2)
@@ -6772,7 +6782,7 @@
')
')
-@@ -626,6 +642,24 @@
+@@ -626,6 +641,24 @@
########################################
## <summary>
@@ -6797,7 +6807,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +693,73 @@
+@@ -659,6 +692,73 @@
########################################
## <summary>
@@ -6871,7 +6881,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -1136,7 +1237,7 @@
+@@ -1136,7 +1236,7 @@
type xdm_xserver_tmp_t;
')
@@ -6880,7 +6890,7 @@
')
########################################
-@@ -1325,3 +1426,24 @@
+@@ -1325,3 +1425,23 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -6904,7 +6914,6 @@
+ allow $1 xdm_var_run_t:sock_file write;
+ allow $1 xdm_t:unix_stream_socket connectto;
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.2/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-07-03 07:06:27.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/services/xserver.te 2007-07-11 10:06:28.000000000 -0400
@@ -7563,8 +7572,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.2/policy/modules/system/brctl.te
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.2/policy/modules/system/brctl.te 2007-07-11 10:06:28.000000000 -0400
-@@ -0,0 +1,38 @@
++++ serefpolicy-3.0.2/policy/modules/system/brctl.te 2007-07-12 15:49:33.000000000 -0400
+@@ -0,0 +1,41 @@
+policy_module(brctl,1.0.0)
+
+########################################
@@ -7582,10 +7591,14 @@
+# brctl local policy
+#
+
++allow brctl_t self:tcp_socket create_socket_perms;
++allow brctl_t self:unix_dgram_socket create_socket_perms;
++
+# Init script handling
+domain_use_interactive_fds(brctl_t)
+
+kernel_load_module(brctl_t)
++kernel_read_network_state(brctl_t)
+
+## internal communication is often done using fifo and unix sockets.
+allow brctl_t self:fifo_file rw_file_perms;
@@ -7602,7 +7615,6 @@
+ term_dontaudit_use_unallocated_ttys(brctl_t)
+ term_dontaudit_use_generic_ptys(brctl_t)
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.0.2/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2007-06-11 16:05:30.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/system/fstools.fc 2007-07-11 10:06:28.000000000 -0400
@@ -8931,7 +8943,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.2/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.if 2007-07-11 10:06:29.000000000 -0400
++++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.if 2007-07-12 10:58:12.000000000 -0400
@@ -432,6 +432,7 @@
role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms;
@@ -8940,6 +8952,82 @@
')
########################################
+@@ -968,6 +969,26 @@
+
+ ########################################
+ ## <summary>
++## Execute a domain transition to run setsebool.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`seutil_domtrans_setsebool',`
++ gen_require(`
++ type semanage_t, setsebool_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ domtrans_pattern($1,setsebool_exec_t,semanage_t)
++')
++
++########################################
++## <summary>
+ ## Execute semanage in the semanage domain, and
+ ## allow the specified role the semanage domain,
+ ## and use the caller's terminal.
+@@ -979,7 +1000,7 @@
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## The role to be allowed the checkpolicy domain.
++## The role to be allowed the semanage domain.
+ ## </summary>
+ ## </param>
+ ## <param name="terminal">
+@@ -1001,6 +1022,39 @@
+
+ ########################################
+ ## <summary>
++## Execute setsebool in the semanage domain, and
++## allow the specified role the semanage domain,
++## and use the caller's terminal.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the semanage domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the terminal allow the semanage domain to use.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`seutil_run_setsebool',`
++ gen_require(`
++ type semanage_t;
++ ')
++
++ seutil_domtrans_setsebool($1)
++ role $2 types semanage_t;
++ allow semanage_t $3:chr_file rw_term_perms;
++')
++
++########################################
++## <summary>
+ ## Full management of the semanage
+ ## module store.
+ ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.2/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-30 11:47:29.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.te 2007-07-12 09:43:18.000000000 -0400
@@ -9488,7 +9576,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.2/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/system/unconfined.te 2007-07-11 10:06:29.000000000 -0400
++++ serefpolicy-3.0.2/policy/modules/system/unconfined.te 2007-07-12 10:58:38.000000000 -0400
@@ -5,30 +5,36 @@
#
# Declarations
@@ -9542,13 +9630,14 @@
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -44,23 +51,21 @@
+@@ -44,23 +51,22 @@
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+# Unconfined running as system_r
+mount_domtrans_unconfined(unconfined_t)
++seutil_run_setsebool(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
seutil_run_setfiles(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
seutil_run_semanage(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -9570,7 +9659,7 @@
')
optional_policy(`
-@@ -68,16 +73,6 @@
+@@ -68,16 +74,6 @@
')
optional_policy(`
@@ -9587,7 +9676,7 @@
init_dbus_chat_script(unconfined_t)
dbus_stub(unconfined_t)
-@@ -120,11 +115,7 @@
+@@ -120,11 +116,7 @@
')
optional_policy(`
@@ -9600,7 +9689,7 @@
')
optional_policy(`
-@@ -136,11 +127,7 @@
+@@ -136,11 +128,7 @@
')
optional_policy(`
@@ -9613,7 +9702,7 @@
')
optional_policy(`
-@@ -157,18 +144,6 @@
+@@ -157,18 +145,6 @@
optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -9632,7 +9721,7 @@
')
optional_policy(`
-@@ -182,10 +157,6 @@
+@@ -182,10 +158,6 @@
')
optional_policy(`
@@ -9643,7 +9732,7 @@
sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
sysnet_dbus_chat_dhcpc(unconfined_t)
')
-@@ -207,7 +178,7 @@
+@@ -207,7 +179,7 @@
')
optional_policy(`
@@ -9652,7 +9741,7 @@
')
optional_policy(`
-@@ -229,6 +200,12 @@
+@@ -229,6 +201,12 @@
unconfined_dbus_chat(unconfined_execmem_t)
optional_policy(`
@@ -9667,7 +9756,7 @@
+corecmd_exec_all_executables(unconfined_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.2/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/system/userdomain.if 2007-07-11 10:06:29.000000000 -0400
++++ serefpolicy-3.0.2/policy/modules/system/userdomain.if 2007-07-12 17:08:16.000000000 -0400
@@ -62,6 +62,10 @@
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -9996,7 +10085,7 @@
samba_stream_connect_winbind($1_t)
')
-@@ -962,21 +876,122 @@
+@@ -962,21 +876,158 @@
## </summary>
## </param>
#
@@ -10017,6 +10106,24 @@
+ filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
+')
+
++#######################################
++## <summary>
++## The template for creating a login user.
++## </summary>
++## <desc>
++## <p>
++## This template creates a user domain, types, and
++## rules for the user's tty, pty, home directories,
++## tmp, and tmpfs files.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++#
+template(`userdom_login_user_template', `
+ userdom_base_user_template($1)
+
@@ -10112,6 +10219,24 @@
+ ')
+')
+
++#######################################
++## <summary>
++## The template for creating a unprivileged login user.
++## </summary>
++## <desc>
++## <p>
++## This template creates a user domain, types, and
++## rules for the user's tty, pty, home directories,
++## tmp, and tmpfs files.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++#
+template(`userdom_unpriv_login_user', `
+ gen_require(`
+ attribute unpriv_userdomain;
@@ -10125,7 +10250,7 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
-@@ -985,15 +1000,45 @@
+@@ -985,15 +1036,45 @@
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
@@ -10175,7 +10300,7 @@
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1033,14 +1078,6 @@
+@@ -1033,14 +1114,6 @@
')
optional_policy(`
@@ -10190,7 +10315,7 @@
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
-@@ -1054,12 +1091,8 @@
+@@ -1054,12 +1127,8 @@
setroubleshoot_stream_connect($1_t)
')
@@ -10204,7 +10329,7 @@
# Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write;
-@@ -1102,6 +1135,8 @@
+@@ -1102,6 +1171,8 @@
class passwd { passwd chfn chsh rootok crontab };
')
@@ -10213,7 +10338,7 @@
##############################
#
# Declarations
-@@ -1127,7 +1162,7 @@
+@@ -1127,7 +1198,7 @@
# $1_t local policy
#
@@ -10222,7 +10347,7 @@
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
-@@ -1139,8 +1174,6 @@
+@@ -1139,8 +1210,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -10231,7 +10356,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -3078,7 +3111,7 @@
+@@ -3078,7 +3147,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -10240,7 +10365,7 @@
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5356,7 @@
+@@ -5323,7 +5392,7 @@
attribute user_tmpfile;
')
@@ -10249,7 +10374,7 @@
')
########################################
-@@ -5548,6 +5581,26 @@
+@@ -5548,6 +5617,26 @@
########################################
## <summary>
@@ -10276,7 +10401,7 @@
## Unconfined access to user domains. (Deprecated)
## </summary>
## <param name="domain">
-@@ -5559,3 +5612,124 @@
+@@ -5559,3 +5648,173 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -10401,9 +10526,58 @@
+ allow $1 user_home_type:file unlink;
+')
+
++#######################################
++## <summary>
++## The template for creating a unprivileged login user.
++## </summary>
++## <desc>
++## <p>
++## This template creates a user domain, types, and
++## rules for the user's tty, pty, home directories,
++## tmp, and tmpfs files.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++#
++template(`userdom_unpriv_xwindows_login_user', `
++
++userdom_unpriv_login_user($1)
++userdom_xwindows_client_template($1)
++
++auth_exec_pam($1_t)
++logging_send_syslog_msg($1_t)
++
++optional_policy(`
++ alsa_read_rw_config($1_t)
++')
++authlogin_per_role_template($1, $1_t, $1_r)
++
++optional_policy(`
++ dbus_per_role_template($1, $1_t, $1_r)
++ dbus_system_bus_client_template($1, $1_t)
++ allow $1_t self:dbus send_msg;
++')
++
++optional_policy(`
++ ssh_per_role_template($1, $1_t, $1_r)
++')
++
++optional_policy(`
++ setroubleshoot_dontaudit_stream_connect($1_t)
++')
++
++#dev_read_rand($1_t)
++
++')
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.2/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/system/userdomain.te 2007-07-11 10:06:29.000000000 -0400
++++ serefpolicy-3.0.2/policy/modules/system/userdomain.te 2007-07-12 10:51:56.000000000 -0400
@@ -74,6 +74,9 @@
# users home directory contents
attribute home_type;
@@ -10477,7 +10651,13 @@
netutils_run(sysadm_t,sysadm_r,admin_terminal)
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
-@@ -456,6 +457,9 @@
+@@ -451,11 +452,15 @@
+ ')
+
+ optional_policy(`
++ seutil_run_setsebool(sysadm_t,sysadm_r,admin_terminal)
+ seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
+ seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
ifdef(`enable_mls',`
userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
@@ -10487,7 +10667,7 @@
', `
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
')
-@@ -498,3 +502,7 @@
+@@ -498,3 +503,7 @@
optional_policy(`
yam_run(sysadm_t,sysadm_r,admin_terminal)
')
@@ -10541,135 +10721,13 @@
+## <summary>Policy for guest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.2/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.2/policy/modules/users/guest.te 2007-07-11 10:06:29.000000000 -0400
-@@ -0,0 +1,127 @@
++++ serefpolicy-3.0.2/policy/modules/users/guest.te 2007-07-12 17:31:09.000000000 -0400
+@@ -0,0 +1,5 @@
+policy_module(guest,1.0.0)
-+
-+define(`userdom_login_user', `
-+ userdom_base_user_template($1)
-+
-+ userdom_manage_home_template($1)
-+ userdom_exec_home_template($1)
-+ userdom_manage_tmp_template($1)
-+ userdom_exec_tmp_template($1)
-+ userdom_manage_tmpfs_template($1)
-+
-+ userdom_change_password_template($1)
-+
-+ role $1_r types $1_t;
-+ allow system_r $1_r;
-+
-+ application_exec_all($1_t)
-+
-+ allow $1_t self:capability { setgid chown fowner };
-+ dontaudit $1_t self:capability { sys_nice fsetid };
-+ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
-+
-+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-+
-+ ##############################
-+ #
-+ # User domain Local policy
-+ #
-+
-+ kernel_read_system_state($1_t)
-+
-+ dev_read_sysfs($1_t)
-+ dev_read_urand($1_t)
-+
-+ domain_use_interactive_fds($1_t)
-+ # Command completion can fire hundreds of denials
-+ domain_dontaudit_exec_all_entry_files($1_t)
-+
-+ # Stat lost+found.
-+ files_getattr_lost_found_dirs($1_t)
-+
-+ fs_get_all_fs_quotas($1_t)
-+ fs_getattr_all_fs($1_t)
-+ fs_getattr_all_dirs($1_t)
-+ fs_search_auto_mountpoints($1_t)
-+ fs_list_inotifyfs($1_t)
-+
-+ # Stop warnings about access to /dev/console
-+ init_dontaudit_rw_utmp($1_t)
-+ init_dontaudit_use_fds($1_t)
-+ init_dontaudit_use_script_fds($1_t)
-+
-+ libs_exec_lib_files($1_t)
-+
-+ logging_dontaudit_getattr_all_logs($1_t)
-+
-+ miscfiles_read_man_pages($1_t)
-+ # for running TeX programs
-+ miscfiles_read_tetex_data($1_t)
-+ miscfiles_exec_tetex_data($1_t)
-+
-+ seutil_read_config($1_t)
-+
-+ files_dontaudit_list_default($1_t)
-+ files_dontaudit_read_default_files($1_t)
-+
-+ tunable_policy(`user_ttyfile_stat',`
-+ term_getattr_all_user_ttys($1_t)
-+ ')
-+
-+ # for running depmod as part of the kernel packaging process
-+ optional_policy(`
-+ modutils_read_module_config($1_t)
-+ ')
-+
-+ optional_policy(`
-+ mta_rw_spool($1_t)
-+ ')
-+
-+ optional_policy(`
-+ nis_use_ypbind($1_t)
-+ ')
-+
-+ optional_policy(`
-+ nscd_socket_use($1_t)
-+ ')
-+
-+ optional_policy(`
-+ quota_dontaudit_getattr_db($1_t)
-+ ')
-+
-+ optional_policy(`
-+ rpm_read_db($1_t)
-+ rpm_dontaudit_manage_db($1_t)
-+ ')
-+')
-+
-+define(`userdom_unpriv_login_user', `
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
-+ ')
-+ userdom_login_user($1)
-+ userdom_privhome_user_template($1)
-+
-+ typeattribute $1_t unpriv_userdomain;
-+
-+ typeattribute $1_t unpriv_userdomain;
-+ domain_interactive_fd($1_t)
-+
-+ typeattribute $1_devpts_t user_ptynode;
-+ typeattribute $1_home_dir_t user_home_dir_type;
-+ typeattribute $1_home_t user_home_type;
-+ typeattribute $1_tmp_t user_tmpfile;
-+ typeattribute $1_tty_device_t user_ttynode;
-+
-+')
+userdom_unpriv_login_user(guest)
+userdom_unpriv_login_user(gadmin)
-+#userdom_basic_networking_template(guest)
-+#kernel_read_network_state($1_t)
-+#kernel_read_net_sysctls($1_t)
-+#corenet_udp_bind_all_nodes($1_t)
-+#corenet_udp_bind_generic_port($1_t)
-+
-+
-+
++userdom_unpriv_xwindows_login_user(xguest)
++mozilla_per_role_template(xguest, xguest_t, xguest_r)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.2/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.2/policy/modules/users/logadm.fc 2007-07-11 10:06:29.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.472
retrieving revision 1.473
diff -u -r1.472 -r1.473
--- selinux-policy.spec 12 Jul 2007 14:44:32 -0000 1.472
+++ selinux-policy.spec 12 Jul 2007 21:37:30 -0000 1.473
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.2
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -356,7 +356,8 @@
%endif
%changelog
-* Thu Jul 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.2-6
+* Thu Jul 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.2-7
+- Begin adding policy to separate setsebool from semanage
- Fix xserver.if definition to not break sepolgen.if
* Wed Jul 11 2007 Dan Walsh <dwalsh at redhat.com> 3.0.2-5
More information about the fedora-extras-commits
mailing list