rpms/selinux-policy/F-7 policy-20070501.patch, 1.37, 1.38 selinux-policy.spec, 1.479, 1.480
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Jul 23 20:07:22 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6602
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Mon Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-29
-
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- policy-20070501.patch 14 Jul 2007 12:01:58 -0000 1.37
+++ policy-20070501.patch 23 Jul 2007 20:07:20 -0000 1.38
@@ -1459,7 +1459,7 @@
+/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.6.4/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.if 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.if 2007-07-17 08:14:36.000000000 -0400
@@ -988,3 +988,23 @@
mmap_files_pattern($1,bin_t,exec_type)
@@ -2161,8 +2161,20 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-07-13 13:11:46.000000000 -0400
-@@ -54,17 +54,29 @@
++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-07-23 10:45:02.000000000 -0400
+@@ -43,6 +43,11 @@
+ #
+ # Non-persistent/pseudo filesystems
+ #
++type anon_inodefs_t;
++fs_type(anon_inodefs_t)
++files_mountpoint(anon_inodefs_t)
++genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
++
+ type bdev_t;
+ fs_type(bdev_t)
+ genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
+@@ -54,17 +59,29 @@
type capifs_t;
fs_type(capifs_t)
@@ -2192,7 +2204,7 @@
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -83,6 +95,11 @@
+@@ -83,6 +100,11 @@
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
@@ -2204,7 +2216,7 @@
type nfsd_fs_t;
fs_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
-@@ -105,6 +122,16 @@
+@@ -105,6 +127,16 @@
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
files_mountpoint(rpc_pipefs_t)
@@ -2518,7 +2530,16 @@
manage_files_pattern(aide_t,aide_db_t,aide_db_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-2.6.4/policy/modules/services/amavis.if
--- nsaserefpolicy/policy/modules/services/amavis.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/amavis.if 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/amavis.if 2007-07-18 09:59:37.000000000 -0400
+@@ -37,7 +37,7 @@
+ ')
+
+ files_search_spool($1)
+- allow $1 amavis_spool_t:file { getattr read };
++ read_files_pattern($1,amavis_spool_t, amavis_spool_t)
+ ')
+
+ ########################################
@@ -167,3 +167,22 @@
allow $1 amavis_var_run_t:file setattr;
files_search_pids($1)
@@ -2539,7 +2560,7 @@
+ type amavis_var_run_t;
+ ')
+
-+ allow $1 amavis_var_run_t:file create_file_perms;
++ manage_files_pattern($1,amavis_var_run_t,amavis_var_run_t)
+ files_search_pids($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.6.4/policy/modules/services/amavis.te
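Review bot: Replacing `allow $1 amavis_var_run_t:file create_file_perms;` with `manage_files_pattern($1,amavis_var_run_t,amavis_var_run_t)` widens the grant: the pattern also gives `rw_dir_perms` on the amavis_var_run_t directory and full `manage_file_perms` (unlink and rename included) on its files, not just creation. If this interface is meant as a "create pid file" helper, its summary (the interface header sits above this hunk and is not in the diff) should now say it manages the pid files so callers know they receive delete rights. The preceding amavis.if hunk makes the same kind of change with `read_files_pattern($1,amavis_spool_t, amavis_spool_t)`, which adds directory search on amavis_spool_t and uses a space after the comma that the rest of the file does not.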
@@ -2829,8 +2850,22 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-07-13 13:11:46.000000000 -0400
-@@ -47,6 +47,13 @@
++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-07-23 10:49:04.000000000 -0400
+@@ -30,6 +30,13 @@
+
+ ## <desc>
+ ## <p>
++## Allow Apache to communicate with avahi via dbus
++## </p>
++## </desc>
++gen_tunable(allow_httpd_dbus_avahi,false)
++
++## <desc>
++## <p>
+ ## Allow Apache to use mod_auth_pam
+ ## </p>
+ ## </desc>
+@@ -47,6 +54,13 @@
## Allow http daemon to tcp connect
## </p>
## </desc>
@@ -2844,7 +2879,7 @@
gen_tunable(httpd_can_network_connect,false)
## <desc>
-@@ -106,6 +113,27 @@
+@@ -106,6 +120,27 @@
## </desc>
gen_tunable(httpd_unified,false)
@@ -2872,7 +2907,7 @@
attribute httpdcontent;
# domains that can exec all users scripts
-@@ -215,7 +243,7 @@
+@@ -215,7 +250,7 @@
# Apache server local policy
#
@@ -2881,7 +2916,7 @@
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -257,6 +285,7 @@
+@@ -257,6 +292,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -2889,7 +2924,7 @@
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -297,6 +326,7 @@
+@@ -297,6 +333,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -2897,7 +2932,7 @@
corenet_non_ipsec_sendrecv(httpd_t)
corenet_tcp_sendrecv_all_if(httpd_t)
-@@ -342,6 +372,9 @@
+@@ -342,6 +379,9 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -2907,7 +2942,7 @@
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -362,6 +395,10 @@
+@@ -362,6 +402,10 @@
mta_send_mail(httpd_t)
@@ -2918,7 +2953,7 @@
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(httpd_t)
term_dontaudit_use_generic_ptys(httpd_t)
-@@ -382,6 +419,7 @@
+@@ -382,6 +426,7 @@
#
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
@@ -2926,7 +2961,7 @@
')
')
-@@ -389,6 +427,14 @@
+@@ -389,6 +434,14 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -2941,7 +2976,7 @@
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -416,6 +462,10 @@
+@@ -416,6 +469,10 @@
allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
')
@@ -2952,7 +2987,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -433,11 +483,21 @@
+@@ -433,11 +490,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -2974,7 +3009,19 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -668,6 +728,12 @@
+@@ -445,6 +512,11 @@
+ allow httpd_sys_script_t httpd_t:process sigchld;
+ ')
+
++tunable_policy(`allow_httpd_dbus_avahi',`
++ avahi_dbus_chat(httpd_t)
++ dbus_system_bus_client_template(httpd,httpd_t)
++')
++
+ # When the admin starts the server, the server wants to access
+ # the TTY or PTY associated with the session. The httpd appears
+ # to run correctly without this permission, so the permission
+@@ -668,6 +740,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -2987,7 +3034,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -706,7 +772,8 @@
+@@ -706,7 +784,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -2997,7 +3044,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,6 +787,8 @@
+@@ -720,6 +799,8 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -3006,7 +3053,7 @@
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file { getattr append };
')
-@@ -730,11 +799,21 @@
+@@ -730,11 +811,21 @@
')
')
@@ -3028,7 +3075,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -788,3 +867,19 @@
+@@ -788,3 +879,19 @@
term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
')
@@ -3336,7 +3383,7 @@
fs_getattr_xattr_fs(ndc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.6.4/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/clamav.te 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/clamav.te 2007-07-18 09:57:41.000000000 -0400
@@ -126,6 +126,7 @@
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
@@ -3355,8 +3402,14 @@
kernel_read_kernel_sysctls(clamscan_t)
files_read_etc_files(clamscan_t)
-@@ -230,3 +234,7 @@
+@@ -228,5 +232,13 @@
+ clamav_stream_connect(clamscan_t)
+
optional_policy(`
++ amavis_read_spool_files(clamscan_t)
++')
++
++optional_policy(`
apache_read_sys_content(clamscan_t)
')
+
@@ -3805,7 +3858,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-07-19 10:33:19.000000000 -0400
@@ -93,8 +93,6 @@
# generic socket here until appletalk socket is available in kernels
allow cupsd_t self:socket create_socket_perms;
@@ -3865,7 +3918,18 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_all_users_home_content(cupsd_t)
-@@ -284,6 +288,10 @@
+@@ -233,6 +237,10 @@
+ lpd_relabel_spool(cupsd_t)
+ ')
+
++optional_policy(`
++ avahi_dbus_chat(cupsd_t)
++')
++
+ ifdef(`targeted_policy',`
+ files_dontaudit_read_root_files(cupsd_t)
+
+@@ -284,6 +292,10 @@
')
optional_policy(`
@@ -3876,7 +3940,7 @@
nscd_socket_use(cupsd_t)
')
-@@ -294,6 +302,10 @@
+@@ -294,6 +306,10 @@
')
optional_policy(`
@@ -3887,7 +3951,7 @@
seutil_sigchld_newrole(cupsd_t)
')
-@@ -587,7 +599,7 @@
+@@ -587,7 +603,7 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -4121,8 +4185,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-2.6.4/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dovecot.fc 2007-07-13 13:11:46.000000000 -0400
-@@ -17,10 +17,12 @@
++++ serefpolicy-2.6.4/policy/modules/services/dovecot.fc 2007-07-23 09:12:37.000000000 -0400
+@@ -17,16 +17,19 @@
ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
@@ -4135,6 +4199,13 @@
')
#
+ # /var
+ #
+ /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
+ /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
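Review bot: The new entry `/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)` only takes effect when the path is relabeled by setfiles/restorecon; a file dovecot creates at runtime under /var/run takes its label from type_transition rules, and /var/run content is usually recreated at boot. Unless dovecot.te carries a matching filetrans rule (dovecot.te is not touched in this diff, so this is inferred), the file will be created as dovecot_var_run_t and the entry changes nothing. Labeling a /var/run path with the var_lib type also means every domain granted dovecot_var_lib_t access can reach this runtime file; a comment such as `# same data as /var/lib/dovecot, placed in the login chroot` would record why the lib type is intended, if that is the reason.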
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-2.6.4/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/dovecot.if 2007-07-13 13:11:46.000000000 -0400
@@ -5283,16 +5354,34 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.6.4/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ntp.te 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ntp.te 2007-07-19 10:44:29.000000000 -0400
@@ -36,6 +36,7 @@
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
-+allow ntpd_t self:shm rw_shm_perms;
++allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
-@@ -137,6 +138,10 @@
+@@ -81,6 +82,8 @@
+
+ fs_getattr_all_fs(ntpd_t)
+ fs_search_auto_mountpoints(ntpd_t)
++# Necessary to communicate with gpsd devices
++fs_rw_tmpfs_files(ntpd_t)
+
+ auth_use_nsswitch(ntpd_t)
+
+@@ -106,6 +109,8 @@
+
+ sysnet_read_config(ntpd_t)
+
++term_use_ptmx(ntpd_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
+ userdom_list_sysadm_home_dirs(ntpd_t)
+ userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
+@@ -137,6 +142,10 @@
')
optional_policy(`
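Review bot: `fs_rw_tmpfs_files(ntpd_t)` grants read/write on every tmpfs_t file on the system, which is broader than the gpsd shared-memory use the comment above it describes. SysV shared-memory segments are backed by tmpfs inodes, so the usual refpolicy shape is a dedicated per-domain tmpfs type with `fs_tmpfs_filetrans`, or an interface exported by the gpsd module, rather than the generic type (gpsd's policy is not in this diff, so whether such an interface exists is inferred). The change from `rw_shm_perms` to `create_shm_perms` on self:shm only covers segments ntpd creates itself, not ones gpsd creates. `term_use_ptmx(ntpd_t)` is added with no comment; suggest one line above it naming the device or refclock driver that opens /dev/ptmx.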
@@ -5728,15 +5817,15 @@
/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-2.6.4/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.if 2007-07-13 13:11:46.000000000 -0400
-@@ -124,6 +124,7 @@
- allow postfix_$1_t self:udp_socket create_socket_perms;
++++ serefpolicy-2.6.4/policy/modules/services/postfix.if 2007-07-16 09:36:11.000000000 -0400
+@@ -41,6 +41,7 @@
+ allow postfix_$1_t self:unix_stream_socket connectto;
- domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+ allow postfix_master_t postfix_$1_t:process signal;
+ allow postfix_$1_t postfix_master_t:file read;
- corenet_non_ipsec_sendrecv(postfix_$1_t)
- corenet_tcp_sendrecv_all_if(postfix_$1_t)
+ allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
+ read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t)
@@ -137,10 +138,8 @@
corenet_tcp_connect_all_ports(postfix_$1_t)
corenet_sendrecv_all_client_packets(postfix_$1_t)
@@ -5843,7 +5932,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-07-18 10:00:24.000000000 -0400
@@ -84,6 +84,12 @@
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
@@ -5943,7 +6032,15 @@
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
-@@ -552,9 +580,45 @@
+@@ -536,6 +564,7 @@
+ #
+ # Postfix smtpd local policy
+ #
++allow postfix_smtpd_t self:capability sys_chroot;
+ allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+
+ # connect to master process
+@@ -552,9 +581,45 @@
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
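Review bot: `allow postfix_smtpd_t self:capability sys_chroot;` is added without a why-comment, and sys_chroot is worth justifying in policy because it lets the daemon change its filesystem root. Presumably this serves master.cf's chroot option, under which smtpd chroots into the queue directory; suggest `# smtpd chroots into the queue directory when chroot=y in master.cf` above the rule, to be confirmed. The postfix_smtpd_t local policy section continues beyond this hunk.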
@@ -6085,7 +6182,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-2.6.4/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/radius.te 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/radius.te 2007-07-23 10:49:13.000000000 -0400
@@ -81,6 +81,7 @@
auth_read_shadow(radiusd_t)
@@ -6094,7 +6191,15 @@
corecmd_exec_bin(radiusd_t)
corecmd_exec_shell(radiusd_t)
-@@ -130,3 +131,7 @@
+@@ -98,6 +99,7 @@
+ logging_send_syslog_msg(radiusd_t)
+
+ miscfiles_read_localization(radiusd_t)
++miscfiles_read_certs(radiusd_t)
+
+ sysnet_read_config(radiusd_t)
+
+@@ -130,3 +132,7 @@
optional_policy(`
udev_read_db(radiusd_t)
')
@@ -6381,8 +6486,17 @@
fs_search_auto_mountpoints($1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-07-13 13:11:46.000000000 -0400
-@@ -79,6 +79,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-07-16 16:14:39.000000000 -0400
+@@ -59,6 +59,8 @@
+ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
+ files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
+
++corecmd_exec_bin(rpcd_t)
++
+ kernel_read_system_state(rpcd_t)
+ kernel_search_network_state(rpcd_t)
+ # for rpc.rquotad
+@@ -79,6 +81,7 @@
optional_policy(`
nis_read_ypserv_config(rpcd_t)
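Review bot: `corecmd_exec_bin(rpcd_t)` lets rpcd_t execute any bin_t program, and the hunk gives no hint which helper needs it; the neighbouring `# for rpc.rquotad` comment shows the file's convention of naming the consumer. Suggest a comment naming the program (e.g. `# <rpc helper> execs <program>` with the real names filled in), or, if a single program with its own type is needed, a narrower exec or domtrans rule instead of the whole bin_t class.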
@@ -6390,7 +6504,7 @@
')
########################################
-@@ -91,6 +92,9 @@
+@@ -91,6 +94,9 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -6400,7 +6514,7 @@
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
-@@ -123,6 +127,7 @@
+@@ -123,6 +129,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@@ -8074,8 +8188,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-2.6.4/policy/modules/system/brctl.te
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-07-13 13:11:47.000000000 -0400
-@@ -0,0 +1,44 @@
++++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-07-19 09:02:47.000000000 -0400
+@@ -0,0 +1,50 @@
+policy_module(brctl,1.0.0)
+
+########################################
@@ -8098,6 +8212,8 @@
+allow brctl_t self:tcp_socket create_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+
++dev_search_sysfs(brctl_t)
++
+# Init script handling
+domain_use_interactive_fds(brctl_t)
+
@@ -8120,6 +8236,10 @@
+ term_dontaudit_use_unallocated_ttys(brctl_t)
+ term_dontaudit_use_generic_ptys(brctl_t)
+')
++
++optional_policy(`
++ xen_append_log(brctl_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.6.4/policy/modules/system/clock.te
--- nsaserefpolicy/policy/modules/system/clock.te 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/clock.te 2007-07-13 13:11:47.000000000 -0400
@@ -8185,7 +8305,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.4/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-07-14 08:55:01.000000000 -0400
@@ -9,6 +9,7 @@
type fsadm_t;
type fsadm_exec_t;
@@ -8194,6 +8314,15 @@
role system_r types fsadm_t;
type fsadm_log_t;
+@@ -184,3 +185,8 @@
+ fs_dontaudit_write_ramfs_pipes(fsadm_t)
+ rhgb_stub(fsadm_t)
+ ')
++
++optional_policy(`
++ xen_append_log(fsadm_t)
++ xen_rw_image_files(udev_t)
++')
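Review bot: `xen_rw_image_files(udev_t)` in the new fstools.te optional_policy block names udev_t, a domain fstools.te does not declare, while the block's other line and the rest of the file are about fsadm_t; this looks like a copy/paste slip and should read `xen_rw_image_files(fsadm_t)`. As written it either fails the module build (udev_t is not required in fstools.te) or, if udev_t resolves, grants the udev domain read/write access to every xen image file from a module unrelated to udev; the udev.te section in this diff changes only the timestamp and adds no such rule. If udev genuinely needs the grant it belongs in udev.te with its own justification.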
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-2.6.4/policy/modules/system/fusermount.fc
--- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/system/fusermount.fc 2007-07-13 13:11:47.000000000 -0400
@@ -8570,8 +8699,17 @@
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.6.4/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/iptables.te 2007-07-13 13:11:47.000000000 -0400
-@@ -56,11 +56,13 @@
++++ serefpolicy-2.6.4/policy/modules/system/iptables.te 2007-07-19 09:15:31.000000000 -0400
+@@ -36,6 +36,8 @@
+ allow iptables_t iptables_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
+
++auth_use_nsswitch(iptables_t)
++
+ kernel_read_system_state(iptables_t)
+ kernel_read_network_state(iptables_t)
+ kernel_read_kernel_sysctls(iptables_t)
+@@ -56,11 +58,13 @@
domain_use_interactive_fds(iptables_t)
files_read_etc_files(iptables_t)
@@ -8585,7 +8723,23 @@
libs_use_ld_so(iptables_t)
libs_use_shared_libs(iptables_t)
-@@ -112,3 +114,7 @@
+@@ -93,15 +97,6 @@
+ ')
+
+ optional_policy(`
+- # for iptables -L
+- nis_use_ypbind(iptables_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(iptables_t)
+-')
+-
+-optional_policy(`
+ ppp_dontaudit_use_fds(iptables_t)
+ ')
+
+@@ -112,3 +107,7 @@
optional_policy(`
udev_read_db(iptables_t)
')
@@ -8644,7 +8798,7 @@
# vmware
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-07-18 09:35:12.000000000 -0400
@@ -62,7 +62,8 @@
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -8655,17 +8809,18 @@
manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
-@@ -99,8 +100,7 @@
+@@ -99,8 +100,9 @@
ifdef(`targeted_policy',`
allow ldconfig_t lib_t:file read_file_perms;
files_read_generic_tmp_symlinks(ldconfig_t)
- term_dontaudit_use_generic_ptys(ldconfig_t)
-- term_dontaudit_use_unallocated_ttys(ldconfig_t)
+ files_read_generic_tmp_files(ldconfig_t)
+ term_dontaudit_use_unallocated_ttys(ldconfig_t)
++ term_dontaudit_use_generic_ptys(ldconfig_t)
')
optional_policy(`
-@@ -113,4 +113,6 @@
+@@ -113,4 +115,6 @@
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
@@ -9722,7 +9877,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-07-14 08:51:16.000000000 -0400
@@ -18,11 +18,6 @@
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@@ -9937,7 +10092,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-07-16 13:04:12.000000000 -0400
@@ -6,6 +6,15 @@
# Declarations
#
@@ -10772,7 +10927,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.6.4/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/xen.if 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/xen.if 2007-07-14 08:55:51.000000000 -0400
@@ -72,12 +72,34 @@
')
@@ -10808,7 +10963,7 @@
## Do not audit attempts to read and write
## Xen unix domain stream sockets. These
## are leaked file descriptors.
-@@ -151,3 +173,25 @@
+@@ -151,3 +173,46 @@
domtrans_pattern($1,xm_exec_t,xm_t)
')
@@ -10834,9 +10989,30 @@
+ read_files_pattern($1,xen_image_t,xen_image_t)
+')
+
++########################################
++## <summary>
++## Allow the specified domain to read/write
++## xend image files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`xen_rw_image_files',`
++ gen_require(`
++ type xen_image_t, xend_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ allow $1 xend_var_lib_t:dir search_dir_perms;
++ rw_files_pattern($1,xen_image_t,xen_image_t)
++')
++
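Review bot: The param summary of the new `xen_rw_image_files` interface says `Domain allowed to transition.`, but the interface performs no domain transition — it grants `rw_files_pattern($1,xen_image_t,xen_image_t)` plus var_lib search; the wording was evidently copied from a domtrans interface. Change it to `## Domain allowed access.`. Since this interface hands out write access to guest disk images, the summary could also say so, e.g. `## Allow the specified domain to read and write xend image files (guest disks).`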
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.6.4/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/xen.te 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/xen.te 2007-07-18 16:21:40.000000000 -0400
@@ -25,6 +25,10 @@
domain_type(xend_t)
init_daemon_domain(xend_t, xend_exec_t)
@@ -10952,7 +11128,15 @@
kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
-@@ -352,3 +373,17 @@
+@@ -324,6 +345,7 @@
+ kernel_write_xen_state(xm_t)
+
+ corecmd_exec_bin(xm_t)
++corecmd_exec_shell(xm_t)
+
+ corenet_tcp_sendrecv_generic_if(xm_t)
+ corenet_tcp_sendrecv_all_nodes(xm_t)
+@@ -352,3 +374,17 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.479
retrieving revision 1.480
diff -u -r1.479 -r1.480
--- selinux-policy.spec 14 Jul 2007 11:42:46 -0000 1.479
+++ selinux-policy.spec 23 Jul 2007 20:07:20 -0000 1.480
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 28%{?dist}
+Release: 29%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@
%endif
%changelog
+* Mon Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-29
+-
+
* Fri Jul 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-28
- Additional rules for openvpn reading homedirs