rpms/selinux-policy/F-8 policy-20070703.patch, 1.144, 1.145 selinux-policy.spec, 1.585, 1.586
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Nov 26 21:25:52 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19343
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Mon Nov 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-62
- Allow xend to create xend_var_log_t directories
- dontaudit setfiles relabel of /proc /sys caused by named-chroot
- Add rules for pam_keyinit (setkeycreate, ipc_lock)
- Allow mount to read unlabeled directories for reiserfs
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.144
retrieving revision 1.145
diff -u -r1.144 -r1.145
--- policy-20070703.patch 21 Nov 2007 23:35:44 -0000 1.144
+++ policy-20070703.patch 26 Nov 2007 21:25:47 -0000 1.145
@@ -1553,7 +1553,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.0.8/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/admin/kismet.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/kismet.te 2007-11-26 10:59:54.000000000 -0500
@@ -0,0 +1,58 @@
+policy_module(kismet,1.0.0)
+
@@ -1584,7 +1584,7 @@
+
+## internal communication is often done using fifo and unix sockets.
+#============= kismet_t ==============
-+allow kismet_t self:capability { setuid setgid };
++allow kismet_t self:capability { net_admin setuid setgid };
+
+corecmd_exec_bin(kismet_t)
+
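Review bot: The `net_admin` capability added to `allow kismet_t self:capability { net_admin setuid setgid };` is one of the broadest capabilities a confined daemon can hold, and the rule carries no justification, unlike the commented rules elsewhere in this module. It is presumably needed to switch the capture interface into monitor mode, but that is an inference; a one-line comment naming the actual denial it resolves, e.g. `# net_admin: needed to put the capture interface into monitor mode`, would let a later reviewer judge whether the grant can be narrowed. The kismet_t local policy continues outside this hunk.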
@@ -3218,7 +3218,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-11-20 15:16:53.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-11-23 07:59:18.000000000 -0500
@@ -36,6 +36,8 @@
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
@@ -3228,7 +3228,7 @@
########################################
#
-@@ -52,6 +54,14 @@
+@@ -52,13 +54,21 @@
type $1_mozilla_tmpfs_t;
files_tmpfs_file($1_mozilla_tmpfs_t)
@@ -3243,6 +3243,14 @@
########################################
#
# Local policy
+ #
+
+ allow $1_mozilla_t self:capability { sys_nice setgid setuid };
+- allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
++ allow $1_mozilla_t self:process { ptrace sigkill signal setsched getsched setrlimit };
+ allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
+ allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
+ allow $1_mozilla_t self:sem create_sem_perms;
@@ -96,15 +106,37 @@
relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
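Review bot: `ptrace` is added to the `self:process` permissions of `$1_mozilla_t` without a comment, in a template that is instantiated once per user role. Self-ptrace only lets a mozilla process trace other processes in its own domain, so the exposure is contained, but neither this hunk nor the changelog records why it is needed; a comment above the line such as `# ptrace: <reason — TODO confirm>` would make the grant reviewable. The enclosing template body starts and ends outside this hunk.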
@@ -4027,7 +4035,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-20 08:26:02.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-26 15:53:19.000000000 -0500
@@ -4,6 +4,7 @@
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4036,7 +4044,7 @@
/dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0)
/dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -14,22 +15,30 @@
+@@ -14,22 +15,31 @@
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -4051,6 +4059,7 @@
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
@@ -4067,7 +4076,7 @@
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-@@ -41,6 +50,11 @@
+@@ -41,6 +51,11 @@
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
@@ -4079,7 +4088,7 @@
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-@@ -49,6 +63,9 @@
+@@ -49,6 +64,9 @@
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4089,7 +4098,7 @@
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -65,9 +82,11 @@
+@@ -65,9 +83,11 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
@@ -4101,7 +4110,7 @@
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -95,11 +114,21 @@
+@@ -95,11 +115,21 @@
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4125,7 +4134,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-20 15:50:48.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-26 11:21:36.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -5123,7 +5132,7 @@
files_mountpoint(vxfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-11-12 23:22:11.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-11-26 11:48:34.000000000 -0500
@@ -352,6 +352,24 @@
########################################
@@ -5174,7 +5183,23 @@
## Allows caller to read the ring buffer.
## </summary>
## <param name="domain">
-@@ -1867,6 +1903,27 @@
+@@ -1137,6 +1173,7 @@
+ ')
+
+ dontaudit $1 proc_type:dir list_dir_perms;
++ dontaudit $1 proc_type:file getattr;
+ ')
+
+ ########################################
+@@ -1707,6 +1744,7 @@
+ ')
+
+ dontaudit $1 sysctl_type:dir list_dir_perms;
++ dontaudit $1 sysctl_type:file getattr;
+ ')
+
+ ########################################
+@@ -1867,6 +1905,27 @@
########################################
## <summary>
@@ -7451,7 +7476,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-11-21 09:29:27.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-11-26 13:00:40.000000000 -0500
@@ -48,9 +48,8 @@
type hplip_t;
type hplip_exec_t;
@@ -7464,7 +7489,7 @@
type hplip_var_run_t;
files_pid_file(hplip_var_run_t)
-@@ -81,12 +80,11 @@
+@@ -81,12 +80,12 @@
# /usr/lib/cups/backend/serial needs sys_admin(?!)
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
@@ -7475,10 +7500,11 @@
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
-allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
++allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -105,7 +103,7 @@
+@@ -105,7 +104,7 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
@@ -7487,7 +7513,7 @@
allow cupsd_t cupsd_exec_t:lnk_file read;
manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -122,13 +120,14 @@
+@@ -122,13 +121,14 @@
manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
@@ -7504,7 +7530,7 @@
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
-@@ -150,21 +149,26 @@
+@@ -150,21 +150,26 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -7532,7 +7558,7 @@
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
mls_file_read_all_levels(cupsd_t)
-@@ -174,6 +178,7 @@
+@@ -174,6 +179,7 @@
term_search_ptys(cupsd_t)
auth_domtrans_chk_passwd(cupsd_t)
@@ -7540,7 +7566,7 @@
auth_dontaudit_read_pam_pid(cupsd_t)
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-@@ -187,7 +192,7 @@
+@@ -187,7 +193,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
@@ -7549,7 +7575,7 @@
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -196,12 +201,9 @@
+@@ -196,12 +202,9 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -7563,7 +7589,7 @@
init_exec_script_files(cupsd_t)
-@@ -221,17 +223,38 @@
+@@ -221,17 +224,38 @@
sysnet_read_config(cupsd_t)
@@ -7602,7 +7628,7 @@
apm_domtrans_client(cupsd_t)
')
-@@ -263,16 +286,16 @@
+@@ -263,16 +287,16 @@
')
optional_policy(`
@@ -7623,7 +7649,7 @@
seutil_sigchld_newrole(cupsd_t)
')
-@@ -331,6 +354,7 @@
+@@ -331,6 +355,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -7631,7 +7657,7 @@
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -377,6 +401,14 @@
+@@ -377,6 +402,14 @@
')
optional_policy(`
@@ -7646,7 +7672,7 @@
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -393,6 +425,7 @@
+@@ -393,6 +426,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -7654,7 +7680,7 @@
')
optional_policy(`
-@@ -482,6 +515,8 @@
+@@ -482,6 +516,8 @@
files_read_etc_files(cupsd_lpd_t)
@@ -7663,7 +7689,7 @@
libs_use_ld_so(cupsd_lpd_t)
libs_use_shared_libs(cupsd_lpd_t)
-@@ -489,22 +524,12 @@
+@@ -489,22 +525,12 @@
miscfiles_read_localization(cupsd_lpd_t)
@@ -7686,7 +7712,7 @@
########################################
#
# HPLIP local policy
-@@ -525,11 +550,9 @@
+@@ -525,11 +551,9 @@
allow hplip_t cupsd_etc_t:dir search;
cups_stream_connect(hplip_t)
@@ -7701,7 +7727,7 @@
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -560,7 +583,9 @@
+@@ -560,7 +584,9 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -7712,7 +7738,7 @@
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -587,8 +612,6 @@
+@@ -587,8 +613,6 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@@ -7721,7 +7747,7 @@
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
-@@ -668,3 +691,15 @@
+@@ -668,3 +692,15 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -11686,7 +11712,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-11-08 09:14:47.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-11-26 10:30:42.000000000 -0500
@@ -59,10 +59,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -11694,7 +11720,8 @@
+corecmd_exec_bin(rpcd_t)
+
kernel_read_system_state(rpcd_t)
- kernel_search_network_state(rpcd_t)
+-kernel_search_network_state(rpcd_t)
++kernel_read_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
+kernel_rw_fs_sysctls(rpcd_t)
@@ -12762,8 +12789,16 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-10-29 23:59:29.000000000 -0400
-@@ -67,6 +67,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-11-26 09:31:09.000000000 -0500
+@@ -53,6 +53,7 @@
+ kernel_read_kernel_sysctls(setroubleshootd_t)
+ kernel_read_system_state(setroubleshootd_t)
+ kernel_read_network_state(setroubleshootd_t)
++kernel_dontaudit_list_all_proc(setroubleshootd_t)
+
+ corecmd_exec_bin(setroubleshootd_t)
+ corecmd_exec_shell(setroubleshootd_t)
+@@ -67,6 +68,7 @@
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
dev_read_urand(setroubleshootd_t)
@@ -12771,7 +12806,7 @@
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
-@@ -111,3 +112,11 @@
+@@ -111,3 +113,11 @@
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
')
@@ -14475,7 +14510,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-20 09:22:33.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-26 13:41:19.000000000 -0500
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -14507,13 +14542,16 @@
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -176,11 +178,31 @@
+@@ -176,11 +178,34 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ kernel_write_proc_files($1)
+
++ # pam_keyring
++ allow $1 self:capability ipc_lock;
++ allow $1 self:process setkeycreate;
+ allow $1 self:key manage_key_perms;
+ userdom_manage_all_users_keys($1)
+
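Review bot: The comment introducing the two new rules reads `# pam_keyring`, while the commit's changelog attributes the same `setkeycreate` and `ipc_lock` additions to pam_keyinit; since this comment is the only justification attached to a capability granted to every domain built from this template, it should name the module correctly. If pam_keyinit is indeed the consumer, `# pam_keyinit: session keyring setup at login needs setkeycreate and ipc_lock` records both the caller and the reason. The enclosing template starts and ends outside this hunk.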
@@ -14539,7 +14577,7 @@
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,20 +218,47 @@
+@@ -196,20 +221,48 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -14567,6 +14605,7 @@
+ userdom_set_rlimitnh($1)
+ userdom_unlink_unpriv_users_tmp_files($1)
++ userdom_write_unpriv_users_tmp_sockets($1)
+
+ optional_policy(`
+ mount_domtrans($1)
@@ -14588,7 +14627,7 @@
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
-@@ -309,9 +358,6 @@
+@@ -309,9 +362,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -14598,7 +14637,7 @@
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +375,8 @@
+@@ -329,6 +379,8 @@
optional_policy(`
kerberos_use($1)
@@ -14607,7 +14646,7 @@
')
optional_policy(`
-@@ -347,6 +395,37 @@
+@@ -347,6 +399,37 @@
########################################
## <summary>
@@ -14645,7 +14684,7 @@
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
-@@ -695,6 +774,24 @@
+@@ -695,6 +778,24 @@
########################################
## <summary>
@@ -14670,7 +14709,7 @@
## Execute pam programs in the PAM domain.
## </summary>
## <param name="domain">
-@@ -1318,16 +1415,14 @@
+@@ -1318,16 +1419,14 @@
## </param>
#
interface(`auth_use_nsswitch',`
@@ -14690,7 +14729,7 @@
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
-@@ -1347,6 +1442,8 @@
+@@ -1347,6 +1446,8 @@
optional_policy(`
samba_stream_connect_winbind($1)
@@ -14699,7 +14738,7 @@
')
')
-@@ -1381,3 +1478,181 @@
+@@ -1381,3 +1482,181 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -15815,7 +15854,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-20 10:00:18.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-23 05:57:38.000000000 -0500
@@ -65,11 +65,15 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -15881,7 +15920,7 @@
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
-@@ -284,3 +296,10 @@
+@@ -284,3 +296,11 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -15892,6 +15931,7 @@
+/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-10-29 23:59:29.000000000 -0400
@@ -16850,7 +16890,7 @@
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/mount.te 2007-10-30 16:29:07.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/mount.te 2007-11-26 11:49:02.000000000 -0500
@@ -8,6 +8,13 @@
## <desc>
@@ -16887,7 +16927,7 @@
########################################
#
-@@ -36,21 +44,22 @@
+@@ -36,21 +44,24 @@
#
# setuid/setgid needed to mount cifs
@@ -16911,10 +16951,12 @@
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
+kernel_search_debugfs(mount_t)
++# In order to mount reiserfs_t
++kernel_list_unlabeled(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
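Review bot: The new comment `# In order to mount reiserfs_t` names a filesystem type, but `kernel_list_unlabeled(mount_t)` grants listing of every `unlabeled_t` directory, not only ones on reiserfs, so the comment understates the scope of the rule. It would be more useful to record why reiserfs mounts surface unlabeled directories at all (presumably the filesystem lacks usable xattr labels at mount time — worth confirming), e.g. `# reiserfs mounts expose unlabeled_t directories; mount must be able to list them`, so the grant can be revisited if that cause goes away. The mount_t local policy continues outside this hunk.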
-@@ -63,6 +72,7 @@
+@@ -63,6 +74,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -16922,7 +16964,7 @@
fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
-@@ -101,6 +111,8 @@
+@@ -101,6 +113,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -16931,7 +16973,7 @@
libs_use_ld_so(mount_t)
libs_use_shared_libs(mount_t)
-@@ -127,10 +139,15 @@
+@@ -127,10 +141,15 @@
')
')
@@ -16948,7 +16990,7 @@
')
optional_policy(`
-@@ -159,13 +176,9 @@
+@@ -159,13 +178,9 @@
fs_search_rpc(mount_t)
@@ -16963,7 +17005,7 @@
')
optional_policy(`
-@@ -189,10 +202,6 @@
+@@ -189,10 +204,6 @@
samba_domtrans_smbmount(mount_t)
')
@@ -16974,7 +17016,7 @@
########################################
#
# Unconfined mount local policy
-@@ -201,4 +210,29 @@
+@@ -201,4 +212,29 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -17325,7 +17367,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-11-12 11:41:10.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-11-26 09:32:21.000000000 -0500
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -17571,7 +17613,15 @@
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -521,6 +504,11 @@
+@@ -516,11 +499,19 @@
+ allow setfiles_t self:capability { dac_override dac_read_search fowner };
+ dontaudit setfiles_t self:capability sys_tty_config;
+ allow setfiles_t self:fifo_file rw_file_perms;
++dontaudit setfiles_t self:dir relabelfrom;
++dontaudit setfiles_t self:file relabelfrom;
++dontaudit setfiles_t self:lnk_file relabelfrom;
+
+ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
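Review bot: The three `dontaudit setfiles_t self:{dir,file,lnk_file} relabelfrom;` rules are added without a comment, and `self` here means objects labeled `setfiles_t`, which a reader is unlikely to connect to the changelog's "relabel of /proc /sys caused by named-chroot" on their own. A comment above them such as `# named-chroot relabels /proc and /sys; setfiles' own /proc/<pid> entries carry setfiles_t, so silence (rather than allow) the relabelfrom attempts` records both the trigger and the deliberate choice of dontaudit over allow. That /proc/<pid> entries are the source of the denials is my inference from the changelog and should be confirmed against the audit log that prompted the change.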
@@ -17583,7 +17633,7 @@
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -537,6 +525,7 @@
+@@ -537,6 +528,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@@ -17591,7 +17641,7 @@
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -590,8 +579,16 @@
+@@ -590,8 +582,16 @@
fs_relabel_tmpfs_chr_file(setfiles_t)
')
@@ -18458,7 +18508,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-20 17:23:44.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-26 13:59:06.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -19435,7 +19485,33 @@
')
########################################
-@@ -3078,7 +3210,7 @@
+@@ -2994,6 +3126,25 @@
+
+ ########################################
+ ## <summary>
++## Connect to unpriviledged users over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_unpriv_users_stream_connect',`
++ gen_require(`
++ attribute user_tmpfile;
++ attribute userdomain;
++ ')
++
++ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)
++')
++
++########################################
++## <summary>
+ ## Create objects in a user temporary directory
+ ## with an automatic type transition to
+ ## a specified private type.
+@@ -3078,7 +3229,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
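Review bot: The new `userdom_unpriv_users_stream_connect` interface is named and documented for unprivileged users, but its `stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)` targets the `userdomain` attribute, which as far as I recall also carries privileged user domains such as sysadm; if that breadth is intended the `<summary>` should say so, otherwise the narrower attribute this module uses for the unprivileged set (`unpriv_userdomain`, if still declared) is the one to name here. The summary also misspells "unprivileged" as `unpriviledged`, and `an unix` should read `a unix`.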
@@ -19444,7 +19520,7 @@
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4410,6 +4542,7 @@
+@@ -4410,6 +4561,7 @@
')
dontaudit $1 sysadm_home_dir_t:dir getattr;
@@ -19452,7 +19528,7 @@
')
########################################
-@@ -4574,6 +4707,7 @@
+@@ -4574,6 +4726,7 @@
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
@@ -19460,7 +19536,7 @@
')
########################################
-@@ -4609,11 +4743,29 @@
+@@ -4609,11 +4762,29 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -19491,7 +19567,7 @@
')
########################################
-@@ -4633,6 +4785,14 @@
+@@ -4633,6 +4804,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -19506,7 +19582,7 @@
')
########################################
-@@ -5323,7 +5483,7 @@
+@@ -5323,7 +5502,7 @@
attribute user_tmpfile;
')
@@ -19515,7 +19591,7 @@
')
########################################
-@@ -5346,6 +5506,25 @@
+@@ -5346,6 +5525,25 @@
########################################
## <summary>
@@ -19541,7 +19617,7 @@
## Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
-@@ -5529,6 +5708,24 @@
+@@ -5529,6 +5727,24 @@
########################################
## <summary>
@@ -19566,7 +19642,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5559,3 +5756,403 @@
+@@ -5559,3 +5775,403 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -20232,7 +20308,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.8/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/xen.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/xen.te 2007-11-26 09:56:09.000000000 -0500
@@ -45,9 +45,7 @@
type xenstored_t;
@@ -20263,6 +20339,24 @@
dev_filetrans(xend_t, xenctl_t, fifo_file)
manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
+@@ -103,14 +100,14 @@
+ files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
+
+ # pid file
+-allow xend_t xend_var_run_t:dir setattr;
++manage_dirs_pattern(xend_t,xend_var_run_t,xend_var_run_t)
+ manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
+ manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
+ manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
+-files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file })
++files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file dir })
+
+ # log files
+-allow xend_t xend_var_log_t:dir setattr;
++manage_dirs_pattern(xend_t,xend_var_log_t,xend_var_log_t)
+ manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
+ manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
+ logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
@@ -122,15 +119,13 @@
manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
@@ -20364,7 +20458,7 @@
init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t)
-@@ -363,6 +368,19 @@
+@@ -363,6 +368,23 @@
sysnet_read_config(xm_t)
@@ -20384,6 +20478,10 @@
+ fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t)
+')
++
++optional_policy(`
++ unconfined_domain(xend_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.0.8/policy/modules/users/guest.fc
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/guest.fc 2007-11-08 09:00:09.000000000 -0500
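Review bot: `unconfined_domain(xend_t)` inside the new `optional_policy` block is not mentioned in the changelog and makes xend_t effectively unconfined whenever the unconfined module is loaded, so the targeted rules this same commit refines for xend_t (the `manage_dirs_pattern` and `files_pid_filetrans` lines in the earlier xen.te hunk) stop restricting anything on those systems. If this is meant as a stopgap while xend's remaining denials are worked out, a comment stating that, e.g. `# TODO: xend runs unconfined until the remaining denials are resolved; remove once its confined policy is complete`, keeps the decision visible and reversible; if it is meant to be permanent, the changelog should say so, since it changes xend's security posture far more than the other entries listed.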
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.585
retrieving revision 1.586
diff -u -r1.585 -r1.586
--- selinux-policy.spec 21 Nov 2007 23:35:44 -0000 1.585
+++ selinux-policy.spec 26 Nov 2007 21:25:47 -0000 1.586
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 61%{?dist}
+Release: 62%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -305,6 +305,7 @@
%triggerpostun targeted -- selinux-policy-targeted =< 3.0.8-59-1
semanage user -m -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+semanage login -m -r s0-s0:c0.c1023 __default__ 2> /dev/null
exit 0
%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-14-1
@@ -380,6 +381,12 @@
%endif
%changelog
+* Mon Nov 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-62
+- Allow xend to create xend_var_log_t directories
+- dontaudit setfiles relabel of /proc /sys caused by named-chroot
+- Add rules for pam_keyinit (setkeycreate, ipc_lock)
+- Allow mount to read unlabeled directorys for reiserfs
+
* Wed Nov 20 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-61
- Allow xguest to mount hal devices and read/write file systems
- that do not support extended attributes. Allows kiosk users to