rpms/selinux-policy/F-8 policy-20070703.patch, 1.141, 1.142 selinux-policy.spec, 1.582, 1.583
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Nov 20 22:25:58 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29931
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Tue Nov 20 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-59
- Allow logwatch to search all directories
- Allow sendmail to use sasl
- Allow system_mail_t to write to exim_log_t
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.141
retrieving revision 1.142
diff -u -r1.141 -r1.142
--- policy-20070703.patch 19 Nov 2007 22:05:03 -0000 1.141
+++ policy-20070703.patch 20 Nov 2007 22:25:54 -0000 1.142
@@ -1691,7 +1691,7 @@
files_manage_generic_spool_dirs(logrotate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.0.8/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/logwatch.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/logwatch.te 2007-11-20 06:41:53.000000000 -0500
@@ -48,7 +48,7 @@
corecmd_exec_shell(logwatch_t)
@@ -1701,7 +1701,29 @@
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logwatch_t)
-@@ -132,4 +132,5 @@
+@@ -59,10 +59,8 @@
+ files_read_usr_files(logwatch_t)
+ files_search_spool(logwatch_t)
+ files_search_mnt(logwatch_t)
+-files_dontaudit_search_home(logwatch_t)
+-files_dontaudit_search_boot(logwatch_t)
+ # Execs df and if file system mounted with a context avc raised
+-files_dontaudit_search_all_dirs(logwatch_t)
++files_search_all(logwatch_t)
+
+ fs_getattr_all_fs(logwatch_t)
+ fs_dontaudit_list_auto_mountpoints(logwatch_t)
+@@ -88,9 +86,6 @@
+
+ sysnet_dns_name_resolve(logwatch_t)
+
+-userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
+-userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
+-
+ mta_send_mail(logwatch_t)
+
+ optional_policy(`
+@@ -132,4 +127,5 @@
optional_policy(`
samba_read_log(logwatch_t)
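Review bot: The comment kept above the new `files_search_all(logwatch_t)` line (`# Execs df and if file system mounted with a context avc raised`) explains why a denial was being silenced, not why search access is now granted on every directory type. The same hunk drops `files_dontaudit_search_home`, `files_dontaudit_search_boot` and the two `userdom_dontaudit_*_sysadm_home_dirs` lines, so the change is from "deny quietly" to "allow", and nothing visible says what failed under the old rules. I would replace the stale comment with one that states the requirement, for example `# Needs search (not read) on all directory types: <what fails without it>`. If the df case is the only trigger, the dontaudit form may have been enough.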
@@ -1839,8 +1861,16 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.0.8/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/rpm.fc 2007-10-29 23:59:29.000000000 -0400
-@@ -21,6 +21,9 @@
++++ serefpolicy-3.0.8/policy/modules/admin/rpm.fc 2007-11-20 13:03:25.000000000 -0500
+@@ -11,6 +11,7 @@
+
+ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+@@ -21,6 +22,9 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
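Review bot: The new `/usr/sbin/packagekitd` entry gives a long-running daemon the `rpm_exec_t` label shared with the rpm and yum front ends, and neither the log message nor the spec changelog mentions it. Presumably that label makes packagekitd run in the same domain as those tools, which deserves an explicit note or a dedicated type if the daemon accepts requests from user sessions. At minimum add a changelog line such as `- Label packagekitd as rpm_exec_t`. The same omission applies to `usermanage_domtrans_passwd(sshd_t)` in the ssh.te hunk and `userdom_read_all_users_home_content_files(sendmail_t)` in the sendmail.te hunk, neither of which is covered by the three listed changes.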
@@ -2284,7 +2314,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.0.8/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.if 2007-11-20 09:18:26.000000000 -0500
@@ -265,6 +265,24 @@
########################################
@@ -3186,7 +3216,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-11-20 15:16:53.000000000 -0500
@@ -36,6 +36,8 @@
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
@@ -3995,7 +4025,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-19 14:58:40.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-20 08:26:02.000000000 -0500
@@ -4,6 +4,7 @@
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4093,7 +4123,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-16 13:36:12.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-20 15:50:48.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -4876,7 +4906,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-11-02 11:06:28.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-11-20 07:03:01.000000000 -0500
@@ -271,45 +271,6 @@
########################################
@@ -8323,8 +8353,8 @@
+/var/spool/exim(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-11-08 09:52:12.000000000 -0500
-@@ -0,0 +1,156 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-11-20 17:00:52.000000000 -0500
+@@ -0,0 +1,177 @@
+## <summary>Exim mail transfer agent</summary>
+
+########################################
@@ -8481,6 +8511,27 @@
+ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
++
++########################################
++## <summary>
++## Allow the specified domain to read exim's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`exim_manage_log',`
++ gen_require(`
++ type exim_log_t;
++ ')
++
++ manage_files_pattern($1, exim_log_t, exim_log_t)
++ logging_search_logs($1)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-11-08 09:52:12.000000000 -0500
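Review bot: The summary for the new `exim_manage_log` interface says it lets the domain "read exim's log files", but the body uses `manage_files_pattern($1, exim_log_t, exim_log_t)`, which by refpolicy convention is the create/read/write/delete set. The doc line should match the grant, e.g. `## Allow the specified domain to create, read, write, and delete exim's log files.` The changelog describes the need as "write to exim_log_t" and the only caller visible here is `exim_manage_log(system_mail_t)` in the mta.te hunk, so it is worth confirming that system_mail_t needs more than append, since a mail helper able to unlink or rewrite the MTA's log weakens that log as an audit source.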
@@ -9597,7 +9648,7 @@
## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-11-02 09:53:17.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-11-20 17:00:29.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@@ -9662,11 +9713,12 @@
cron_dontaudit_write_pipes(system_mail_t)
')
-@@ -81,6 +96,10 @@
+@@ -81,6 +96,11 @@
')
optional_policy(`
+ exim_domtrans(system_mail_t)
++ exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
@@ -11411,7 +11463,7 @@
# Only permit unprivileged user domains to be entered via rlogin,
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.8/policy/modules/services/rhgb.te
--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rhgb.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rhgb.te 2007-11-20 07:03:32.000000000 -0500
@@ -59,6 +59,7 @@
corenet_sendrecv_all_client_packets(rhgb_t)
@@ -11428,7 +11480,15 @@
files_dontaudit_read_default_files(rhgb_t)
files_dontaudit_search_pids(rhgb_t)
# for nscd
-@@ -100,6 +102,7 @@
+@@ -76,6 +78,7 @@
+ fs_search_auto_mountpoints(rhgb_t)
+ fs_mount_ramfs(rhgb_t)
+ fs_unmount_ramfs(rhgb_t)
++fs_getattr_xattr_fs(rhgb_t)
+ fs_getattr_tmpfs(rhgb_t)
+ # for ramfs file systems
+ fs_manage_ramfs_dirs(rhgb_t)
+@@ -100,6 +103,7 @@
miscfiles_read_localization(rhgb_t)
miscfiles_read_fonts(rhgb_t)
@@ -11436,7 +11496,7 @@
seutil_search_default_contexts(rhgb_t)
seutil_read_config(rhgb_t)
-@@ -109,6 +112,7 @@
+@@ -109,6 +113,7 @@
userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
@@ -11444,7 +11504,7 @@
xserver_read_xdm_xserver_tmp_files(rhgb_t)
xserver_kill_xdm_xserver(rhgb_t)
-@@ -117,6 +121,7 @@
+@@ -117,6 +122,7 @@
xserver_domtrans_xdm_xserver(rhgb_t)
xserver_signal_xdm_xserver(rhgb_t)
xserver_read_xdm_tmp_files(rhgb_t)
@@ -12565,7 +12625,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-11-10 07:37:22.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-11-20 10:14:34.000000000 -0500
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -12600,7 +12660,7 @@
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -94,30 +99,32 @@
+@@ -94,30 +99,33 @@
miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
@@ -12609,6 +12669,7 @@
-
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
++userdom_read_all_users_home_content_files(sendmail_t)
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
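Review bot: `userdom_read_all_users_home_content_files(sendmail_t)` gives a network-facing mail daemon read access to the home-directory content of every user, with no comment saying why and no entry in the changelog. It also sits directly under `userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)`, so the two lines now pull in opposite directions for the admin home. If the need is per-user forwarding files (an assumption; the hunk gives no reason), say so in a comment such as `# sendmail reads per-user forward files during local delivery` and check whether a grant limited to those files is available instead of all home content.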
@@ -12639,7 +12700,7 @@
')
optional_policy(`
-@@ -131,6 +138,10 @@
+@@ -131,28 +139,29 @@
')
optional_policy(`
@@ -12650,22 +12711,41 @@
seutil_sigchld_newrole(sendmail_t)
')
-@@ -156,3 +167,15 @@
-
- dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
- ') dnl end TODO
+ optional_policy(`
++ sasl_connect(sendmail_t)
++')
+
++optional_policy(`
+ udev_read_db(sendmail_t)
+ ')
+
+-ifdef(`TODO',`
+-allow sendmail_t etc_mail_t:dir rw_dir_perms;
+-allow sendmail_t etc_mail_t:file manage_file_perms;
+-# for the start script to run make -C /etc/mail
+-allow initrc_t etc_mail_t:dir rw_dir_perms;
+-allow initrc_t etc_mail_t:file manage_file_perms;
+-allow system_mail_t initrc_t:fd use;
+-allow system_mail_t initrc_t:fifo_file write;
+-
+-# When sendmail runs as user_mail_domain, it needs some extra permissions
+-# to update /etc/mail/statistics.
+-allow user_mail_domain etc_mail_t:file rw_file_perms;
+########################################
+#
+# Unconfined sendmail local policy
+# Allow unconfined domain to run newalias and have transitions work
+#
-+
+
+-# Silently deny attempts to access /root.
+-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+optional_policy(`
+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
+ unconfined_domain(unconfined_sendmail_t)
+')
-+
+
+-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-10-29 23:59:29.000000000 -0400
@@ -13182,7 +13262,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.8/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-11-12 11:17:12.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-11-20 09:24:13.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -13213,11 +13293,12 @@
optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
-@@ -119,7 +126,12 @@
+@@ -119,7 +126,13 @@
')
optional_policy(`
- unconfined_domain(sshd_t)
++ usermanage_domtrans_passwd(sshd_t)
+ usermanage_read_crack_db(sshd_t)
+')
+
@@ -13227,7 +13308,7 @@
')
ifdef(`TODO',`
-@@ -231,9 +243,15 @@
+@@ -231,9 +244,15 @@
')
optional_policy(`
@@ -13619,7 +13700,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-11-12 16:36:52.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-11-20 13:22:13.000000000 -0500
@@ -116,8 +116,7 @@
dev_rw_agp($1_xserver_t)
dev_rw_framebuffer($1_xserver_t)
@@ -13767,7 +13848,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +550,54 @@
+@@ -555,25 +550,51 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -13799,9 +13880,6 @@
- allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+ xserver_xdm_stream_connect($2)
+
-+ # Handling of pam_keyring
-+ gnome_manage_user_gnome_config($1, xdm_t)
-+
+ read_files_pattern(xdm_xserver_t, $2, $2)
+ optional_policy(`
+ userdom_read_all_users_home_content_files(xdm_t)
@@ -13830,7 +13908,7 @@
')
')
-@@ -626,6 +650,24 @@
+@@ -626,6 +647,24 @@
########################################
## <summary>
@@ -13855,7 +13933,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +701,73 @@
+@@ -659,6 +698,73 @@
########################################
## <summary>
@@ -13929,7 +14007,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -927,6 +1036,7 @@
+@@ -927,6 +1033,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -13937,7 +14015,7 @@
')
########################################
-@@ -987,6 +1097,37 @@
+@@ -987,6 +1094,37 @@
########################################
## <summary>
@@ -13975,7 +14053,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1136,7 +1277,7 @@
+@@ -1136,7 +1274,7 @@
type xdm_xserver_tmp_t;
')
@@ -13984,7 +14062,7 @@
')
########################################
-@@ -1325,3 +1466,82 @@
+@@ -1325,3 +1463,82 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -14383,7 +14461,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-16 10:15:21.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-20 09:22:33.000000000 -0500
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -15723,8 +15801,8 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-15 16:02:47.000000000 -0500
-@@ -65,11 +65,13 @@
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-20 10:00:18.000000000 -0500
+@@ -65,11 +65,15 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
@@ -15736,10 +15814,12 @@
/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/firefox-[^/]/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-@@ -95,8 +97,8 @@
+@@ -95,8 +99,8 @@
#
# /usr
#
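Review bot: The added pattern `/usr/lib/firefox-[^/]/plugins/nppdf\.so` matches exactly one character after `firefox-`, so a versioned directory with a multi-character suffix is not covered and the plugin would keep its default label there. The character class needs a quantifier: `/usr/lib/firefox-[^/]*/plugins/nppdf\.so`. Both new entries also hard-code `/usr/lib`, while the neighbouring entries in this file use `/usr/lib(64)?`; if the plugin can be installed under lib64 the same form should be used here.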
@@ -15750,7 +15830,7 @@
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -111,7 +113,10 @@
+@@ -111,7 +115,10 @@
/usr/lib/vlc/codec/libdmo_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -15761,7 +15841,7 @@
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -135,6 +140,8 @@
+@@ -135,6 +142,8 @@
/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -15770,7 +15850,7 @@
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -223,6 +230,7 @@
+@@ -223,6 +232,7 @@
/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Flash plugin, Macromedia
@@ -15778,7 +15858,7 @@
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -236,6 +244,8 @@
+@@ -236,6 +246,8 @@
/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -15787,7 +15867,7 @@
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
-@@ -284,3 +294,10 @@
+@@ -284,3 +296,10 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -18364,7 +18444,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-19 16:54:02.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-20 17:17:41.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -19472,7 +19552,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5559,3 +5756,402 @@
+@@ -5559,3 +5756,403 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -19662,8 +19742,8 @@
+# Should be optional but policy will not build because of compiler problems
+# Must be before xwindows calls
+#optional_policy(`
-+ gnome_per_role_template($1, $1_usertype, $1_r)
-+ gnome_exec_gconf($1_usertype)
++ gnome_per_role_template(xguest, xguest_t, xguest_r)
++ gnome_exec_gconf(xguest_t)
+#')
+
+userdom_xwindows_client_template($1)
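Review bot: Replacing `gnome_per_role_template($1, $1_usertype, $1_r)` and `gnome_exec_gconf($1_usertype)` with hard-coded `xguest`, `xguest_t` and `xguest_r` makes this template body depend on one specific caller, while the surrounding lines (`userdom_xwindows_client_template($1)`, `alsa_read_rw_config($1_usertype)`, `authlogin_per_role_template($1, $1_t, $1_r)`) still use the `$1` parameter. Any instantiation with a prefix other than xguest would then apply the gnome rules to xguest's types instead of its own, or fail on duplicate declarations. If the literal names are a workaround for the compiler problem mentioned in the comment above, note that there, e.g. `# Hard-coded to xguest: template is currently only instantiated for xguest`. The enclosing template starts outside this hunk, so its name and other callers are not visible here.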
@@ -19685,6 +19765,7 @@
+ alsa_read_rw_config($1_usertype)
+')
+
++
+authlogin_per_role_template($1, $1_t, $1_r)
+
+auth_search_pam_console_data($1_usertype)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.582
retrieving revision 1.583
diff -u -r1.582 -r1.583
--- selinux-policy.spec 19 Nov 2007 21:54:53 -0000 1.582
+++ selinux-policy.spec 20 Nov 2007 22:25:54 -0000 1.583
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 58%{?dist}
+Release: 59%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -380,6 +380,11 @@
%endif
%changelog
+* Tue Nov 20 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-59
+- Allow logwatch to search all directories
+- Allow sendmail to use sasl
+- Allow system_mail_t to write to exim_log_t
+
* Fri Nov 16 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-58
- Allow nmbd to list inotifyfs_t
- Dontaudit consolekit access to user homedir