rpms/selinux-policy/F-8 policy-20070703.patch, 1.133, 1.134 selinux-policy.spec, 1.576, 1.577
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Wed Nov 14 17:16:08 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3348
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Mon Nov 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-54
- Allow cyrus to authenticate via sasl
- Allow sshd to work in tunnel mode
- Allow sshd to use -R
- Allow ssh to read user homedirs
- Add /var/lib/tftp to tftp.fc
- Add labels for /dev/dmmidi and /dev/admmidi
- Allow postmap to be run by unconfined_t
- Allow dictd to write pid file
- Allow bluetooth to connectto unix_stream_sockets
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.133
retrieving revision 1.134
diff -u -r1.133 -r1.134
--- policy-20070703.patch 12 Nov 2007 22:46:23 -0000 1.133
+++ policy-20070703.patch 14 Nov 2007 17:16:05 -0000 1.134
@@ -1160,7 +1160,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.0.8/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/brctl.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/brctl.te 2007-11-12 18:12:41.000000000 -0500
@@ -25,6 +25,7 @@
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
@@ -1169,6 +1169,12 @@
dev_rw_sysfs(brctl_t)
# Init script handling
+@@ -44,4 +45,5 @@
+
+ optional_policy(`
+ xen_append_log(brctl_t)
++ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-10-22 13:21:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-11-02 13:11:15.000000000 -0400
@@ -2016,7 +2022,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.8/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-11-08 11:42:23.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-11-14 12:11:53.000000000 -0500
@@ -139,6 +139,7 @@
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
@@ -3737,7 +3743,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-11-14 10:48:41.000000000 -0500
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -3763,15 +3769,19 @@
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
-@@ -164,6 +169,7 @@
+@@ -163,7 +168,10 @@
+ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -180,6 +186,7 @@
+@@ -180,6 +188,7 @@
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
@@ -3779,7 +3789,7 @@
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +266,18 @@
+@@ -259,3 +268,18 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -3800,7 +3810,7 @@
+/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-11-13 15:03:55.000000000 -0500
@@ -903,9 +903,11 @@
interface(`corenet_udp_bind_generic_port',`
gen_require(`
@@ -3952,8 +3962,16 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-10 07:47:13.000000000 -0500
-@@ -20,6 +20,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-14 09:49:45.000000000 -0500
+@@ -4,6 +4,7 @@
+
+ /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0)
+ /dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -20,6 +21,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
@@ -3961,7 +3979,7 @@
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
-@@ -30,6 +31,7 @@
+@@ -30,6 +32,7 @@
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -3969,7 +3987,7 @@
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-@@ -49,6 +51,7 @@
+@@ -49,6 +52,7 @@
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -3977,7 +3995,7 @@
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -98,6 +101,7 @@
+@@ -98,6 +102,7 @@
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -3987,7 +4005,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-12 16:36:39.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-12 23:22:11.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -4295,7 +4313,7 @@
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-11-09 14:39:30.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-11-13 21:17:02.000000000 -0500
@@ -343,8 +343,7 @@
########################################
@@ -4970,7 +4988,7 @@
files_mountpoint(vxfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-11-12 23:22:11.000000000 -0500
@@ -352,6 +352,24 @@
########################################
@@ -6652,7 +6670,16 @@
+/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.8/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2007-11-14 11:40:47.000000000 -0500
+@@ -44,7 +44,7 @@
+ allow bluetooth_t self:shm create_shm_perms;
+ allow bluetooth_t self:socket create_stream_socket_perms;
+ allow bluetooth_t self:unix_dgram_socket create_socket_perms;
+-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
++allow bluetooth_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow bluetooth_t self:tcp_socket create_stream_socket_perms;
+ allow bluetooth_t self:udp_socket create_socket_perms;
+
@@ -128,6 +128,8 @@
dbus_system_bus_client_template(bluetooth,bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
@@ -6662,6 +6689,19 @@
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.8/policy/modules/services/clamav.fc
+--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/clamav.fc 2007-11-14 10:32:54.000000000 -0500
+@@ -13,8 +13,7 @@
+
+ /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+
+-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
+-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
++/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0)
+ /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+
+ /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2007-11-08 09:58:52.000000000 -0500
@@ -7252,7 +7292,7 @@
ifdef(`TODO',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-11-14 10:50:26.000000000 -0500
@@ -8,17 +8,14 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -7293,12 +7333,13 @@
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -51,4 +53,4 @@
+@@ -51,4 +53,5 @@
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.0.8/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cups.if 2007-10-29 23:59:29.000000000 -0400
@@ -7623,7 +7664,14 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.0.8/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cyrus.te 2007-11-08 13:33:33.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/cyrus.te 2007-11-13 14:08:08.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(cyrus,1.4.0)
++policy_module(cyrus,1.4.1)
+
+ ########################################
+ #
@@ -41,7 +41,6 @@
allow cyrus_t self:unix_stream_socket connectto;
allow cyrus_t self:tcp_socket create_stream_socket_perms;
@@ -7641,28 +7689,19 @@
libs_use_ld_so(cyrus_t)
libs_use_shared_libs(cyrus_t)
libs_exec_lib_files(cyrus_t)
-@@ -104,8 +105,6 @@
- miscfiles_read_localization(cyrus_t)
- miscfiles_read_certs(cyrus_t)
-
--sysnet_read_config(cyrus_t)
--
- userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
- userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
- userdom_use_unpriv_users_fds(cyrus_t)
-@@ -126,14 +125,6 @@
+@@ -122,14 +123,6 @@
')
optional_policy(`
-- nis_use_ypbind(cyrus_t)
+- ldap_stream_connect(cyrus_t)
-')
-
-optional_policy(`
-- sasl_connect(cyrus_t)
+- nis_use_ypbind(cyrus_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(cyrus_t)
+ sasl_connect(cyrus_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbskk.te serefpolicy-3.0.8/policy/modules/services/dbskk.te
@@ -7916,6 +7955,37 @@
+ unconfined_use_terminals(system_dbusd_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.0.8/policy/modules/services/dictd.fc
+--- nsaserefpolicy/policy/modules/services/dictd.fc 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dictd.fc 2007-11-14 11:37:22.000000000 -0500
+@@ -4,3 +4,4 @@
+ /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
+
+ /var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
++/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.0.8/policy/modules/services/dictd.te
+--- nsaserefpolicy/policy/modules/services/dictd.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dictd.te 2007-11-14 11:32:53.000000000 -0500
+@@ -16,6 +16,9 @@
+ type dictd_var_lib_t alias var_lib_dictd_t;
+ files_type(dictd_var_lib_t)
+
++type dictd_var_run_t;
++files_pid_file(dictd_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -34,6 +37,9 @@
+ allow dictd_t dictd_var_lib_t:dir list_dir_perms;
+ allow dictd_t dictd_var_lib_t:file read_file_perms;
+
++manage_files_pattern(dictd_t,dictd_var_run_t,dictd_var_run_t)
++files_pid_filetrans(dictd_t,dictd_var_run_t,file)
++
+ kernel_read_system_state(dictd_t)
+ kernel_read_kernel_sysctls(dictd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2007-10-29 23:59:29.000000000 -0400
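Review bot: The new file context `/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_exec_t,s0)` in the dictd.fc part of this hunk labels the pid file with the daemon's executable type, while the dictd.te part of the same hunk declares `dictd_var_run_t` with `files_pid_file` and has `files_pid_filetrans(dictd_t,dictd_var_run_t,file)` create the file as that type. After a relabel the pid file would carry `dictd_exec_t`, on which dictd_t has no manage rights (those are granted on `dictd_var_run_t` only), so the daemon could not rewrite it, and an entrypoint type on a writable runtime file is a labeling that should never be reachable. The line should read `/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)`.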
@@ -8004,7 +8074,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-11-06 10:58:42.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-11-13 16:44:59.000000000 -0500
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -8151,7 +8221,7 @@
')
+
+optional_policy(`
-+ postfix_create_pivate_sockets(dovecot_auth_t)
++ postfix_manage_pivate_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t)
+')
+
@@ -10330,6 +10400,17 @@
+ unconfined_use_terminals(openvpn_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.0.8/policy/modules/services/pcscd.te
+--- nsaserefpolicy/policy/modules/services/pcscd.te 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/pcscd.te 2007-11-13 17:01:41.000000000 -0500
+@@ -45,6 +45,7 @@
+ files_read_etc_files(pcscd_t)
+ files_read_etc_runtime_files(pcscd_t)
+
++term_use_unallocated_ttys(pcscd_t)
+ term_dontaudit_getattr_pty_dirs(pcscd_t)
+
+ libs_use_ld_so(pcscd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-3.0.8/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/pegasus.if 2007-10-29 23:59:29.000000000 -0400
@@ -10446,7 +10527,7 @@
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.8/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-11-13 16:45:23.000000000 -0500
@@ -41,6 +41,8 @@
allow postfix_$1_t self:unix_stream_socket connectto;
@@ -10554,7 +10635,7 @@
## Execute postfix user mail programs
## in their respective domains.
## </summary>
-@@ -450,3 +505,22 @@
+@@ -450,3 +505,41 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -10577,9 +10658,28 @@
+ allow $1 postfix_private_t:dir list_dir_perms;
+ create_sock_files_pattern($1,postfix_private_t,postfix_private_t)
+')
++
++########################################
++## <summary>
++## Manage named socket in a postfix private directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_manage_pivate_sockets',`
++ gen_require(`
++ type postfix_private_t;
++ ')
++
++ allow $1 postfix_private_t:dir list_dir_perms;
++ manage_sock_files_pattern($1,postfix_private_t,postfix_private_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-11-13 14:37:30.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
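Review bot: The new interface is named `postfix_manage_pivate_sockets`, carrying over the `pivate` misspelling of the existing `postfix_create_pivate_sockets` rather than fixing it; since this is the first caller of the new name, the `@@ -8151` dovecot.te hunk that switches to `postfix_manage_pivate_sockets(dovecot_auth_t)` is the only place that would need to follow a rename to `postfix_manage_private_sockets`. If the old name is kept for consistency, a short comment above the interface noting that the spelling is intentional for compatibility would save the next reader from re-raising it.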
@@ -10606,7 +10706,15 @@
type postfix_local_tmp_t;
files_tmp_file(postfix_local_tmp_t)
-@@ -83,6 +95,12 @@
+@@ -34,6 +46,7 @@
+ type postfix_map_t;
+ type postfix_map_exec_t;
+ application_domain(postfix_map_t,postfix_map_exec_t)
++role system_r types postfix_map_t;
+
+ type postfix_map_tmp_t;
+ files_tmp_file(postfix_map_tmp_t)
+@@ -83,6 +96,12 @@
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
@@ -10619,7 +10727,7 @@
########################################
#
# Postfix master process local policy
-@@ -93,6 +111,7 @@
+@@ -93,6 +112,7 @@
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
@@ -10627,7 +10735,7 @@
allow postfix_master_t postfix_etc_t:file rw_file_perms;
-@@ -164,10 +183,11 @@
+@@ -164,10 +184,11 @@
# postfix does a "find" on startup for some reason - keep it quiet
seutil_dontaudit_search_config(postfix_master_t)
@@ -10641,7 +10749,7 @@
optional_policy(`
cyrus_stream_connect(postfix_master_t)
-@@ -179,7 +199,11 @@
+@@ -179,7 +200,11 @@
')
optional_policy(`
@@ -10654,7 +10762,7 @@
')
###########################################################
-@@ -263,6 +287,8 @@
+@@ -263,6 +288,8 @@
files_read_etc_files(postfix_local_t)
@@ -10663,7 +10771,7 @@
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
-@@ -275,6 +301,7 @@
+@@ -275,6 +302,7 @@
optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
@@ -10671,16 +10779,38 @@
')
optional_policy(`
-@@ -336,8 +363,6 @@
+@@ -327,6 +355,8 @@
+ files_read_etc_runtime_files(postfix_map_t)
+ files_dontaudit_search_var(postfix_map_t)
+
++auth_use_nsswitch(postfix_map_t)
++
+ libs_use_ld_so(postfix_map_t)
+ libs_use_shared_libs(postfix_map_t)
- seutil_read_config(postfix_map_t)
+@@ -334,10 +364,6 @@
+ miscfiles_read_localization(postfix_map_t)
+
+-seutil_read_config(postfix_map_t)
+-
-sysnet_read_config(postfix_map_t)
-
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
-@@ -377,7 +402,7 @@
+@@ -350,10 +376,6 @@
+ locallogin_dontaudit_use_fds(postfix_map_t)
+ ')
+
+-optional_policy(`
+- nscd_socket_use(postfix_map_t)
+-')
+-
+ ########################################
+ #
+ # Postfix pickup local policy
+@@ -377,7 +399,7 @@
# Postfix pipe local policy
#
@@ -10689,7 +10819,7 @@
write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
-@@ -386,6 +411,10 @@
+@@ -386,6 +408,10 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
@@ -10700,7 +10830,7 @@
procmail_domtrans(postfix_pipe_t)
')
-@@ -394,6 +423,10 @@
+@@ -394,6 +420,10 @@
')
optional_policy(`
@@ -10711,7 +10841,7 @@
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -418,14 +451,17 @@
+@@ -418,14 +448,17 @@
term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
@@ -10731,7 +10861,7 @@
optional_policy(`
ppp_use_fds(postfix_postqueue_t)
ppp_sigchld(postfix_postqueue_t)
-@@ -454,8 +490,6 @@
+@@ -454,8 +487,6 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -10740,7 +10870,7 @@
########################################
#
# Postfix qmgr local policy
-@@ -498,15 +532,11 @@
+@@ -498,15 +529,11 @@
term_use_all_user_ptys(postfix_showq_t)
term_use_all_user_ttys(postfix_showq_t)
@@ -10756,7 +10886,7 @@
# connect to master process
stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-@@ -514,6 +544,8 @@
+@@ -514,6 +541,8 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -10765,7 +10895,7 @@
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
-@@ -538,9 +570,45 @@
+@@ -538,9 +567,45 @@
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
@@ -12164,7 +12294,14 @@
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.8/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sasl.te 2007-11-10 07:53:45.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/sasl.te 2007-11-13 14:08:33.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(sasl,1.6.0)
++policy_module(sasl,1.6.1)
+
+ ########################################
+ #
@@ -64,6 +64,7 @@
selinux_compute_access_vector(saslauthd_t)
@@ -12173,7 +12310,7 @@
auth_use_nsswitch(saslauthd_t)
domain_use_interactive_fds(saslauthd_t)
-@@ -98,6 +99,10 @@
+@@ -107,6 +108,10 @@
')
optional_policy(`
@@ -12181,7 +12318,7 @@
+')
+
+optional_policy(`
- kerberos_read_keytab(saslauthd_t)
+ seutil_sigchld_newrole(saslauthd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.0.8/policy/modules/services/sendmail.if
@@ -12725,7 +12862,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.8/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-11-14 09:59:47.000000000 -0500
@@ -202,6 +202,7 @@
#
template(`ssh_per_role_template',`
@@ -12734,7 +12871,15 @@
type ssh_agent_exec_t, ssh_keysign_exec_t;
')
-@@ -450,6 +451,7 @@
+@@ -443,13 +444,14 @@
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
++ allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:process { signal setsched setrlimit setexec };
+ allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
allow $1_t self:unix_stream_socket create_stream_socket_perms;
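Review bot: The `net_admin` capability added to the `allow $1_t self:capability { ... }` line is granted to every domain instantiated from this template, and CAP_NET_ADMIN covers far more than tunnel setup (interface, routing and firewall configuration). The only justification is the `# tunnel feature and -w (net_admin capability also)` comment that sits in the following hunk next to `corenet_rw_tun_tap_dev`; a comment on the capability line itself, e.g. `# net_admin: only needed for ssh tunnel mode (-w, tun/tap devices)`, keeps the reason with the rule. If tunnel mode is not wanted on every sshd instance, the capability and the tun/tap rule could be gated together behind a boolean declared with `gen_tunable` in ssh.te instead of being unconditional. The enclosing template starts and ends outside the hunk.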
@@ -12742,7 +12887,35 @@
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
-@@ -512,6 +514,7 @@
+@@ -478,7 +480,11 @@
+ corenet_udp_bind_all_nodes($1_t)
+ corenet_tcp_bind_ssh_port($1_t)
+ corenet_tcp_connect_all_ports($1_t)
++ corenet_tcp_bind_all_unreserved_ports($1_t)
++ # -R qualifier
+ corenet_sendrecv_ssh_server_packets($1_t)
++ # tunnel feature and -w (net_admin capability also)
++ corenet_rw_tun_tap_dev($1_t)
+
+ fs_dontaudit_getattr_all_fs($1_t)
+
+@@ -494,6 +500,8 @@
+
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
++ # Required for FreeNX
++ files_read_var_lib_symlinks($1_t)
+
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+@@ -506,12 +514,14 @@
+
+ userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
+ userdom_search_all_users_home_dirs($1_t)
++ userdom_read_all_users_home_content_files($1_t)
+
+ # Allow checking users mail at login
+ mta_getattr_spool($1_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
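Review bot: `userdom_read_all_users_home_content_files($1_t)` near the end of the hunk gives every domain built from this template read access to all user home content, far wider than the `~/.ssh` files sshd needs for key authentication, and it is granted unconditionally even though the adjacent ``tunable_policy(`use_nfs_home_dirs'`` block shows how home-directory access is normally kept opt-in. Consider wrapping it as ``tunable_policy(`<boolean_name>',` userdom_read_all_users_home_content_files($1_t) ')`` with the boolean declared by `gen_tunable` in ssh.te, and add a comment naming the feature that needs it, since the changelog only says "Allow ssh to read user homedirs". The enclosing template starts and ends outside the hunk.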
@@ -12750,7 +12923,7 @@
')
tunable_policy(`use_samba_home_dirs',`
-@@ -520,6 +523,7 @@
+@@ -520,6 +530,7 @@
optional_policy(`
kerberos_use($1_t)
@@ -12758,7 +12931,7 @@
')
optional_policy(`
-@@ -708,3 +712,42 @@
+@@ -708,3 +719,42 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -13013,6 +13186,14 @@
-# Allow krb5 telnetd to use fork and open /dev/tty for use
-allow telnetd_t userpty_type:chr_file setattr;
-')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.0.8/policy/modules/services/tftp.fc
+--- nsaserefpolicy/policy/modules/services/tftp.fc 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/tftp.fc 2007-11-14 10:08:35.000000000 -0500
+@@ -4,3 +4,4 @@
+
+ /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+ /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
++/var/lib/tftp(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.8/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2007-10-29 23:59:29.000000000 -0400
@@ -13682,7 +13863,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-11-12 11:58:08.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-11-14 11:22:16.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@@ -13726,7 +13907,15 @@
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
-@@ -132,15 +145,20 @@
+@@ -110,6 +123,7 @@
+ allow xdm_t self:key { search link write };
+
+ allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++read_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+
+ # Allow gdm to run gdm-binary
+ can_exec(xdm_t, xdm_exec_t)
+@@ -132,15 +146,20 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -13748,7 +13937,7 @@
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -185,6 +203,7 @@
+@@ -185,6 +204,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@@ -13756,7 +13945,7 @@
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
-@@ -197,6 +216,7 @@
+@@ -197,6 +217,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -13764,7 +13953,18 @@
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -246,6 +266,7 @@
+@@ -209,8 +230,8 @@
+ dev_setattr_video_dev(xdm_t)
+ dev_getattr_scanner_dev(xdm_t)
+ dev_setattr_scanner_dev(xdm_t)
+-dev_getattr_sound_dev(xdm_t)
+-dev_setattr_sound_dev(xdm_t)
++dev_read_sound(xdm_t)
++dev_write_sound(xdm_t)
+ dev_getattr_power_mgmt_dev(xdm_t)
+ dev_setattr_power_mgmt_dev(xdm_t)
+
+@@ -246,6 +267,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -13772,7 +13972,7 @@
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -257,6 +278,7 @@
+@@ -257,6 +279,7 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -13780,7 +13980,7 @@
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-@@ -268,9 +290,14 @@
+@@ -268,9 +291,14 @@
userdom_create_all_users_keys(xdm_t)
# for .dmrc
userdom_read_unpriv_users_home_content_files(xdm_t)
@@ -13795,7 +13995,7 @@
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -306,6 +333,11 @@
+@@ -306,6 +334,11 @@
optional_policy(`
consolekit_dbus_chat(xdm_t)
@@ -13807,7 +14007,7 @@
')
optional_policy(`
-@@ -348,12 +380,8 @@
+@@ -348,12 +381,8 @@
')
optional_policy(`
@@ -13821,7 +14021,7 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
-@@ -385,7 +413,7 @@
+@@ -385,7 +414,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -13830,7 +14030,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -397,6 +425,15 @@
+@@ -397,6 +426,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -13846,7 +14046,7 @@
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -425,6 +462,14 @@
+@@ -425,6 +463,14 @@
')
optional_policy(`
@@ -13861,7 +14061,7 @@
resmgr_stream_connect(xdm_t)
')
-@@ -434,47 +479,26 @@
+@@ -434,47 +480,26 @@
')
optional_policy(`
@@ -14378,7 +14578,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-11-13 17:09:13.000000000 -0500
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -14429,7 +14629,15 @@
term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)
-@@ -149,6 +167,8 @@
+@@ -111,6 +129,7 @@
+ logging_send_syslog_msg(pam_t)
+
+ userdom_use_unpriv_users_fds(pam_t)
++userdom_write_unpriv_users_tmp_files(pam_t)
+
+ optional_policy(`
+ locallogin_use_fds(pam_t)
+@@ -149,6 +168,8 @@
dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
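Review bot: `userdom_write_unpriv_users_tmp_files(pam_t)` lets the privileged pam_t domain write into files in unprivileged users' tmp directories, and the hunk gives no reason for it. Because those files are created and controlled by the user, this is the kind of rule that deserves a comment naming the module or denial behind it, e.g. `# <PAM module> writes to the user's tmp files (see <AVC denial reference>)`, and if appending is all that is needed a narrower permission would limit what user-controlled content pam_t can overwrite. The pam_t rule block continues outside the hunk.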
@@ -14438,7 +14646,7 @@
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t)
-@@ -159,6 +179,8 @@
+@@ -159,6 +180,8 @@
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
@@ -14447,7 +14655,7 @@
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
-@@ -200,6 +222,7 @@
+@@ -200,6 +223,7 @@
fs_list_auto_mountpoints(pam_console_t)
fs_list_noxattr_fs(pam_console_t)
@@ -14455,7 +14663,7 @@
init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)
-@@ -236,7 +259,7 @@
+@@ -236,7 +260,7 @@
optional_policy(`
xserver_read_xdm_pid(pam_console_t)
@@ -14464,7 +14672,7 @@
')
########################################
-@@ -302,3 +325,28 @@
+@@ -302,3 +326,28 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
@@ -15301,7 +15509,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-08 16:05:08.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-14 10:14:51.000000000 -0500
@@ -65,11 +65,13 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -15317,15 +15525,29 @@
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-@@ -112,6 +114,7 @@
+@@ -95,8 +97,8 @@
+ #
+ # /usr
+ #
+-/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(.*/)?HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(.*/)?RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+@@ -111,7 +113,10 @@
+
/usr/lib/vlc/codec/libdmo_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/virtualbox/components/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/VBox[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -135,6 +138,8 @@
+@@ -135,6 +140,8 @@
/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
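Review bot: The two new VirtualBox entries, `/usr/lib/virtualbox/components/.*\.so` and `/usr/lib/VBox[^/]*\.so`, hard-code `/usr/lib/` while the neighbouring entries in this hunk (`/usr/lib(64)?/codecs/...`, `/usr/lib(64)?/libsipphoneapi...`) use `/usr/lib(64)?/`. If VirtualBox installs under /usr/lib64 on 64-bit systems, those libraries would keep the default lib_t label there and the textrel_shlib_t exemption this entry is meant to grant would not apply; `/usr/lib(64)?/virtualbox/components/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and `/usr/lib(64)?/VBox[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` would cover both layouts. Since textrel_shlib_t relaxes the execmod restriction, keeping the pattern as narrow as the real install path is still preferable to a broad `(/.*)?` form.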
@@ -15334,7 +15556,7 @@
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -236,6 +241,8 @@
+@@ -236,6 +243,8 @@
/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -15343,7 +15565,7 @@
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
-@@ -284,3 +291,9 @@
+@@ -284,3 +293,10 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -15353,6 +15575,7 @@
+/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
+/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-10-29 23:59:29.000000000 -0400
@@ -17425,7 +17648,7 @@
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-12 17:22:08.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-14 09:50:10.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -17498,7 +17721,7 @@
########################################
## <summary>
## Connect to the unconfined domain using
-@@ -437,6 +441,26 @@
+@@ -437,6 +441,25 @@
########################################
## <summary>
@@ -17519,13 +17742,12 @@
+ allow $1 unconfined_t:unix_stream_socket { read write };
+')
+
-+
+########################################
+## <summary>
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
## </summary>
-@@ -558,7 +582,7 @@
+@@ -558,7 +581,7 @@
')
files_search_home($1)
@@ -17534,7 +17756,7 @@
read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
')
-@@ -601,3 +625,216 @@
+@@ -601,3 +624,216 @@
allow $1 unconfined_tmp_t:file { getattr write append };
')
@@ -17753,7 +17975,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-11-12 10:02:10.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-11-13 14:37:46.000000000 -0500
@@ -5,36 +5,52 @@
#
# Declarations
@@ -17897,23 +18119,24 @@
optional_policy(`
- modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
--')
--
--optional_policy(`
-- mono_domtrans(unconfined_t)
+ mono_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
-
optional_policy(`
+- mono_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
- mta_per_role_template(unconfined,unconfined_t,unconfined_r)
+ modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-@@ -155,32 +168,23 @@
+@@ -154,33 +167,20 @@
+ ')
optional_policy(`
- postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+- postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
-')
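Review bot: The new side now deletes ` postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })` from unconfined.te, so unconfined_t no longer transitions into the postfix map domain when it runs postmap; this is presumably the "Allow postmap to be run by unconfined_t" changelog item, meaning postmap now runs unconfined instead of in its own domain. That is a confinement reduction worth recording beside the rule rather than leaving only a bare deletion, e.g. `# unconfined_t runs postmap directly; no domain transition to the postfix map domain`. Please confirm the removal is intended, since on its own the hunk reads as a lost rule; the optional_policy block it was in merges with the rpm_run block in the hunk that follows.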
@@ -17926,9 +18149,9 @@
-optional_policy(`
- # cjp: this should probably be removed:
- rpc_domtrans_nfsd(unconfined_t)
- ')
-
- optional_policy(`
+-')
+-
+-optional_policy(`
rpm_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
@@ -17947,22 +18170,22 @@
')
optional_policy(`
-@@ -205,11 +209,22 @@
+@@ -205,11 +205,22 @@
')
optional_policy(`
- wine_domtrans(unconfined_t)
+ wine_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++')
++
++optional_policy(`
++ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
++ unconfined_domain(unconfined_mozilla_t)
++ allow unconfined_mozilla_t self:process { execstack execmem };
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
-+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
-+ unconfined_domain(unconfined_mozilla_t)
-+ allow unconfined_mozilla_t self:process { execstack execmem };
-+')
-+
-+optional_policy(`
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+')
+
@@ -17972,7 +18195,7 @@
')
########################################
-@@ -219,14 +234,28 @@
+@@ -219,14 +230,28 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -19718,7 +19941,7 @@
+files_type(virt_var_lib_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.8/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/xen.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/xen.if 2007-11-12 23:22:11.000000000 -0500
@@ -191,3 +191,24 @@
domtrans_pattern($1,xm_exec_t,xm_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.576
retrieving revision 1.577
diff -u -r1.576 -r1.577
--- selinux-policy.spec 12 Nov 2007 21:51:05 -0000 1.576
+++ selinux-policy.spec 14 Nov 2007 17:16:05 -0000 1.577
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 53%{?dist}
+Release: 54%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -70,7 +70,7 @@
%{_usr}/share/selinux/devel/Makefile
%{_usr}/share/selinux/devel/policygentool
%{_usr}/share/selinux/devel/example.*
-%{_usr}/share/selinux/devel/policy.*
+%{_usr}/share/selinux/devel/*.xml
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
%post devel
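Review bot: The `%files devel` glob here is `%{_usr}/share/selinux/devel/*.xml`, but the matching `%install` line in the next hunk copies `doc/*xml` without the dot, so the two patterns do not describe the same set of files: `doc/*xml` would also pick up any file merely ending in `xml`. Use `install -m 644 doc/*.xml %{buildroot}%{_usr}/share/selinux/devel/` so the installed and packaged sets agree. As with the old `doc/policy.*`, an empty match leaves the literal glob for install and fails the build, which is acceptable as a guard.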
@@ -216,7 +216,7 @@
install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/
install -m 644 $RPM_SOURCE_DIR/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
-install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
+install -m 644 doc/*xml %{buildroot}%{_usr}/share/selinux/devel/
echo "htmlview file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
@@ -380,6 +380,17 @@
%endif
%changelog
+* Mon Nov 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-54
+- Allow cyrus to authenticate via sasl
+- Allow sshd to work in tunnel mode
+- Allow sshd to use -R
+- Allow ssh to read user homedirs
+- Add /var/lib/tftp to tftp.fc
+- Add labels for /dev/dmmdi and /dev/admmdi
+- Allow postmap to be run by unconfined_t
+- Allow dictd to write pid file
+- Allow bluetooth to connectto unix_stream_sockets
+
* Mon Nov 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-53
- Allow bugzilla policy to connect to postgresql and mysql on other machines