rpms/selinux-policy/devel policy-20070703.patch, 1.22, 1.23 selinux-policy.spec, 1.484, 1.485

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jul 31 17:53:31 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3790

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Mon Jul 30 2007 Dan Walsh <dwalsh at redhat.com> 3.0.4-4
- Eliminate mount_ntfs_t policy, merge into mount_t


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- policy-20070703.patch	30 Jul 2007 14:37:54 -0000	1.22
+++ policy-20070703.patch	31 Jul 2007 17:53:29 -0000	1.23
@@ -2233,7 +2233,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.4/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/kernel/corecommands.fc	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/kernel/corecommands.fc	2007-07-31 13:41:19.000000000 -0400
 @@ -36,6 +36,11 @@
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -2246,7 +2246,27 @@
  /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
  /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
-@@ -217,6 +222,7 @@
+@@ -127,7 +132,10 @@
+ /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
++
+ /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
+@@ -160,6 +168,7 @@
+ /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ 
+@@ -217,6 +226,7 @@
  /usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
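Review bot: The three cups entries added to corecommands.fc drop the `--` qualifier, so `filter(/.*)?`, `backend(/.*)?` and `daemon(/.*)?` label directories and every other file type as `bin_t`. The `daemon(/.*)?` pattern also overlaps the `/usr/lib(64)?/cups/daemon/cups-lpd` entry in cups.fc, which must keep `cupsd_lpd_exec_t`. That entry presumably still wins because it is more specific, but the outcome depends on file-context ordering, so it is worth confirming with `matchpathcon` after the build. A comment above the daemon line such as `# cups-lpd keeps cupsd_lpd_exec_t via cups.fc` would record the dependency. The matching removal of the `cupsd_exec_t` labels is in the cups.fc hunk further down.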
@@ -2317,8 +2337,16 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.4/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-06-15 14:54:30.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/kernel/devices.fc	2007-07-25 13:27:51.000000000 -0400
-@@ -53,7 +53,7 @@
++++ serefpolicy-3.0.4/policy/modules/kernel/devices.fc	2007-07-31 13:38:24.000000000 -0400
+@@ -19,6 +19,7 @@
+ /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
+ /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
+ /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
++/dev/[0-9].*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
+@@ -53,7 +54,7 @@
  /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
  /dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
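Review bot: The added `/dev/[0-9].*` pattern labels every character device in /dev whose name begins with a digit as `usb_device_t`, which is much broader than the neighbouring `fw.*` and `hiddev.*` entries. Any domain granted generic USB device access (for example through `dev_rw_generic_usb_dev(apcupsd_t)`, visible elsewhere in this patch) would then reach all such nodes. If the rule targets one naming scheme, tighten the expression to that scheme and add a comment above it naming the device nodes it is meant to match. The rest of devices.fc lies outside this hunk.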
@@ -2327,7 +2355,7 @@
  /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -65,6 +65,7 @@
+@@ -65,6 +66,7 @@
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
  /dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
@@ -2335,7 +2363,7 @@
  /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -127,3 +128,7 @@
+@@ -127,3 +129,7 @@
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
  ')
@@ -2656,6 +2684,17 @@
 +	allow $1 root_t:dir rw_dir_perms;
 +	allow $1 root_t:file { create getattr write };
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.0.4/policy/modules/kernel/files.te
+--- nsaserefpolicy/policy/modules/kernel/files.te	2007-07-25 10:37:36.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/kernel/files.te	2007-07-31 13:52:33.000000000 -0400
+@@ -55,6 +55,7 @@
+ # compatibility aliases for removed types:
+ typealias etc_t alias automount_etc_t;
+ typealias etc_t alias snmpd_etc_t;
++typealias etc_t alias gconf_etc_t;
+ 
+ #
+ # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if	2007-07-30 10:20:15.000000000 -0400
@@ -3708,8 +3747,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.4/policy/modules/services/apcupsd.fc
 --- nsaserefpolicy/policy/modules/services/apcupsd.fc	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.fc	2007-07-25 13:27:51.000000000 -0400
-@@ -1,9 +1,10 @@
++++ serefpolicy-3.0.4/policy/modules/services/apcupsd.fc	2007-07-30 11:44:31.000000000 -0400
+@@ -1,9 +1,11 @@
 -ifdef(`distro_debian',`
 -/sbin/apcupsd			--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 -')
@@ -3717,6 +3756,7 @@
  /usr/sbin/apcupsd		--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
  
  /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
++/var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
  
  /var/run/apcupsd\.pid		--	gen_context(system_u:object_r:apcupsd_var_run_t,s0)
 +
@@ -3755,7 +3795,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.4/policy/modules/services/apcupsd.te
 --- nsaserefpolicy/policy/modules/services/apcupsd.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te	2007-07-30 11:42:36.000000000 -0400
 @@ -16,6 +16,9 @@
  type apcupsd_log_t;
  logging_log_file(apcupsd_log_t)
@@ -3798,19 +3838,23 @@
  
  dev_rw_generic_usb_dev(apcupsd_t)
  
-@@ -56,9 +67,53 @@
+@@ -55,6 +66,15 @@
+ 
  files_read_etc_files(apcupsd_t)
  files_search_locks(apcupsd_t)
- 
++# Creates /etc/nologin
++files_manage_etc_runtime_files(apcupsd_t)
++files_etc_filetrans_etc_runtime(apcuspd_t,file)
++
 +#apcupsd runs shutdown, probably need a shutdown domain
 +init_rw_utmp(apcupsd_t)
 +init_telinit(apcupsd_t)
 +
 +kernel_read_system_state(apcupsd_t)
-+
+ 
  libs_use_ld_so(apcupsd_t)
  libs_use_shared_libs(apcupsd_t)
- 
+@@ -62,3 +82,41 @@
  logging_send_syslog_msg(apcupsd_t)
  
  miscfiles_read_localization(apcupsd_t)
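Review bot: The domain name is misspelled in the added line `files_etc_filetrans_etc_runtime(apcuspd_t,file)`: it says `apcuspd_t` where the rest of the module uses `apcupsd_t`. As written, the type transition for /etc/nologin is not granted to the daemon's domain, and the build may reject the undeclared type. The line should read `files_etc_filetrans_etc_runtime(apcupsd_t,file)`. Without the transition, a file the daemon creates in /etc would likely not receive the `etc_runtime_t` label that the preceding `files_manage_etc_runtime_files(apcupsd_t)` rule covers.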
@@ -4503,7 +4547,7 @@
  ifdef(`TODO',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.4/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/cups.fc	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/cups.fc	2007-07-31 13:36:05.000000000 -0400
 @@ -8,6 +8,7 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -4512,14 +4556,23 @@
  /etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
-@@ -52,3 +53,4 @@
+@@ -17,8 +18,6 @@
+ 
+ /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ 
+-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+-/usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
+ /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+ 
+ /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+@@ -52,3 +51,4 @@
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  
  /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
-+/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
++/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.4/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/cups.te	2007-07-25 14:08:39.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/cups.te	2007-07-31 12:58:26.000000000 -0400
 @@ -81,12 +81,11 @@
  # /usr/lib/cups/backend/serial needs sys_admin(?!)
  allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
@@ -4534,6 +4587,15 @@
  allow cupsd_t self:tcp_socket create_stream_socket_perms;
  allow cupsd_t self:udp_socket create_socket_perms;
  allow cupsd_t self:appletalk_socket create_socket_perms;
+@@ -105,7 +104,7 @@
+ 
+ # allow cups to execute its backend scripts
+ can_exec(cupsd_t, cupsd_exec_t)
+-allow cupsd_t cupsd_exec_t:dir search;
++allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+ allow cupsd_t cupsd_exec_t:lnk_file read;
+ 
+ manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
 @@ -150,14 +149,17 @@
  corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
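Review bot: The comment `# allow cups to execute its backend scripts` above `can_exec(cupsd_t, cupsd_exec_t)` no longer matches the policy, because this revision relabels /usr/lib(64)?/cups/backend from `cupsd_exec_t` to `bin_t`. Backend execution now depends on a `bin_t` execute rule for `cupsd_t` that is not visible in this hunk; confirm one is present (for example `corecmd_exec_bin(cupsd_t)`). The comment could be reworded to something like `# cupsd re-executes binaries labelled cupsd_exec_t; backends are bin_t`. The surrounding cups.te section continues outside the hunk.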
@@ -7605,7 +7667,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.4/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/xserver.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/xserver.te	2007-07-31 10:08:15.000000000 -0400
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -7702,16 +7764,19 @@
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -434,47 +453,15 @@
+@@ -434,47 +453,19 @@
  ')
  
  optional_policy(`
 -	unconfined_domain_noaudit(xdm_xserver_t)
 -	unconfined_domtrans(xdm_xserver_t)
--
++	rpm_dontaudit_rw_shm(xdm_xserver_t)
++')
+ 
 -	ifndef(`distro_redhat',`
 -		allow xdm_xserver_t self:process { execheap execmem };
 -	')
++optional_policy(`
 +	unconfined_rw_shm(xdm_xserver_t)
 +	unconfined_execmem_rw_shm(xdm_xserver_t)
 +')
@@ -8238,7 +8303,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.4/policy/modules/system/brctl.te
 --- nsaserefpolicy/policy/modules/system/brctl.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.4/policy/modules/system/brctl.te	2007-07-27 13:35:00.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/brctl.te	2007-07-30 11:23:32.000000000 -0400
 @@ -0,0 +1,50 @@
 +policy_module(brctl,1.0.0)
 +
@@ -8262,7 +8327,7 @@
 +allow brctl_t self:tcp_socket create_socket_perms;
 +allow brctl_t self:unix_dgram_socket create_socket_perms;
 +
-+dev_read_sysfs(brctl_t)
++dev_rw_sysfs(brctl_t)
 +
 +# Init script handling
 +domain_use_interactive_fds(brctl_t)
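Review bot: `dev_rw_sysfs(brctl_t)` replaces the read-only interface with no comment explaining why brctl needs to write to sysfs. Write access to `sysfs_t` is a broad grant, so record the reason next to the rule, e.g. `# brctl changes bridge settings through sysfs` (assumed purpose; confirm against the denial that prompted the change). The brctl.te section starts and ends outside this hunk.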
@@ -9438,13 +9503,12 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.4/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/mount.fc	2007-07-25 13:27:51.000000000 -0400
-@@ -1,4 +1,3 @@
++++ serefpolicy-3.0.4/policy/modules/system/mount.fc	2007-07-30 11:34:24.000000000 -0400
+@@ -1,4 +1,2 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 -
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
-+/sbin/mount.ntfs-3g		--	gen_context(system_u:object_r:mount_ntfs_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.0.4/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2007-06-11 16:05:30.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/system/mount.if	2007-07-25 13:27:51.000000000 -0400
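Review bot: With the `/sbin/mount.ntfs-3g` entry dropped, the resulting mount.fc labels only `/bin/mount.*` and `/bin/umount.*`, so nothing visible here gives the ntfs-3g helper `mount_exec_t`. The `typealias mount_exec_t alias mount_ntfs_exec_t` in mount.te keeps old labels valid but does not label the file on a fresh install or relabel. If the helper is ever started directly rather than by /bin/mount, it would presumably not enter `mount_t`. Keeping the entry with the merged type would avoid that: `/sbin/mount\.ntfs-3g	--	gen_context(system_u:object_r:mount_exec_t,s0)`.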
@@ -9491,7 +9555,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.4/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/mount.te	2007-07-26 13:15:01.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/mount.te	2007-07-30 11:32:20.000000000 -0400
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -9506,16 +9570,15 @@
  ## Allow mount to mount any file
  ## </p>
  ## </desc>
-@@ -16,19 +23,22 @@
+@@ -16,19 +23,21 @@
  type mount_t;
  type mount_exec_t;
  init_system_domain(mount_t,mount_exec_t)
 +application_executable_file(mount_exec_t)
  role system_r types mount_t;
  
-+type mount_ntfs_t;
-+type mount_ntfs_exec_t;
-+init_system_domain(mount_ntfs_t, mount_ntfs_exec_t)
++typealias mount_t alias mount_ntfs_t;
++typealias mount_exec_t alias mount_ntfs_exec_t;
 +
  type mount_loopback_t; # customizable
  files_type(mount_loopback_t)
@@ -9532,7 +9595,7 @@
  
  ########################################
  #
-@@ -36,7 +46,7 @@
+@@ -36,7 +45,7 @@
  #
  
  # setuid/setgid needed to mount cifs 
@@ -9541,7 +9604,7 @@
  
  allow mount_t mount_loopback_t:file read_file_perms;
  allow mount_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -51,6 +61,7 @@
+@@ -51,6 +60,7 @@
  kernel_read_system_state(mount_t)
  kernel_read_kernel_sysctls(mount_t)
  kernel_dontaudit_getattr_core_if(mount_t)
@@ -9549,7 +9612,7 @@
  
  dev_getattr_all_blk_files(mount_t)
  dev_list_all_dev_nodes(mount_t)
-@@ -101,6 +112,8 @@
+@@ -101,6 +111,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -9558,7 +9621,7 @@
  
  libs_use_ld_so(mount_t)
  libs_use_shared_libs(mount_t)
-@@ -127,10 +140,15 @@
+@@ -127,10 +139,15 @@
  	')
  ')
  
@@ -9575,7 +9638,7 @@
  ')
  
  optional_policy(`
-@@ -201,4 +219,54 @@
+@@ -201,4 +218,29 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -9586,48 +9649,23 @@
 +
 +########################################
 +#
-+# mount_ntfs local policy
++# ntfs local policy
 +#
-+allow mount_ntfs_t self:capability { setuid sys_admin };
-+allow mount_ntfs_t self:fifo_file { read write };
-+allow mount_ntfs_t self:unix_stream_socket create_stream_socket_perms;
-+allow mount_ntfs_t self:unix_dgram_socket { connect create };
-+
-+corecmd_read_bin_symlinks(mount_ntfs_t)
-+corecmd_exec_shell(mount_ntfs_t)
-+
-+files_read_etc_files(mount_ntfs_t)
-+files_search_all(mount_ntfs_t)
-+
-+libs_use_ld_so(mount_ntfs_t)
-+libs_use_shared_libs(mount_ntfs_t)
-+
-+fusermount_domtrans(mount_ntfs_t)
-+fusermount_use_fds(mount_ntfs_t)
-+
-+init_dontaudit_use_fds(mount_ntfs_t)
-+
-+kernel_read_system_state(mount_ntfs_t)
++allow mount_t self:fifo_file { read write };
++allow mount_t self:unix_stream_socket create_stream_socket_perms;
++allow mount_t self:unix_dgram_socket { connect create };
 +
-+logging_send_syslog_msg(mount_ntfs_t)
++corecmd_exec_shell(mount_t)
 +
-+miscfiles_read_localization(mount_ntfs_t)
++fusermount_domtrans(mount_t)
++fusermount_use_fds(mount_t)
 +
-+modutils_domtrans_insmod(mount_ntfs_t)
-+
-+mount_ntfs_domtrans(mount_t)
-+
-+storage_raw_read_fixed_disk(mount_ntfs_t)
-+storage_raw_write_fixed_disk(mount_ntfs_t)
-+
-+optional_policy(`
-+	nscd_socket_use(mount_ntfs_t)
-+')
++# modutils_domtrans_insmod(mount_t)
 +
 +optional_policy(`
-+	hal_write_log(mount_ntfs_t)
-+	hal_use_fds(mount_ntfs_t)
-+	hal_rw_pipes(mount_ntfs_t)
++	hal_write_log(mount_t)
++	hal_use_fds(mount_t)
++	hal_rw_pipes(mount_t)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.0.4/policy/modules/system/netlabel.te
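Review bot: Folding the NTFS rules into `mount_t` gives every mount invocation `corecmd_exec_shell`, the fusermount transition and the hal log/pipe access that previously belonged only to the ntfs-3g helper domain. The section comment `# ntfs local policy` should say so, e.g. `# rules needed by mount.ntfs-3g, now granted to all of mount_t`. The commented-out `# modutils_domtrans_insmod(mount_t)` should either be deleted or carry a short reason why the transition was dropped. The removed `setuid sys_admin` capability line is presumably covered by the existing `mount_t` capability rule, which is outside this hunk.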
@@ -9644,7 +9682,7 @@
  libs_use_ld_so(netlabel_mgmt_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.0.4/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/raid.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/raid.te	2007-07-31 09:56:48.000000000 -0400
 @@ -19,7 +19,7 @@
  # Local policy
  #
@@ -9654,6 +9692,14 @@
  dontaudit mdadm_t self:capability sys_tty_config;
  allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
  allow mdadm_t self:fifo_file rw_fifo_file_perms;
+@@ -70,6 +70,7 @@
+ 
+ userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
+ userdom_dontaudit_use_sysadm_ttys(mdadm_t)
++userdom_dontaudit_search_all_users_home_content(mdadm_t)
+ 
+ mta_send_mail(mdadm_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.0.4/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2007-05-30 11:47:29.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/system/selinuxutil.fc	2007-07-25 13:27:51.000000000 -0400
@@ -10591,7 +10637,7 @@
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if	2007-07-28 11:09:17.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/userdomain.if	2007-07-31 09:56:28.000000000 -0400
 @@ -62,6 +62,10 @@
  
  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.484
retrieving revision 1.485
diff -u -r1.484 -r1.485
--- selinux-policy.spec	30 Jul 2007 14:37:54 -0000	1.484
+++ selinux-policy.spec	31 Jul 2007 17:53:29 -0000	1.485
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,6 +359,9 @@
 %endif
 
 %changelog
+* Mon Jul 30 2007 Dan Walsh <dwalsh at redhat.com> 3.0.4-4
+- Eliminate mount_ntfs_t policy, merge into mount_t
+
 * Mon Jul 30 2007 Dan Walsh <dwalsh at redhat.com> 3.0.4-3
 - Allow xserver to write to ramfs mounted by rhgb
 



