rpms/selinux-policy/devel policy-20070703.patch, 1.66, 1.67 selinux-policy.spec, 1.528, 1.529

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Sep 21 20:21:41 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3446

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Fri Sep 21 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-7
- Allow cupsd_config_t to read/write usb_device_t
- Support for fingerprint reader
- Many fixes for clvmd
- dbus starting networkmanager


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.66
retrieving revision 1.67
diff -u -r1.66 -r1.67
--- policy-20070703.patch	20 Sep 2007 22:30:51 -0000	1.66
+++ policy-20070703.patch	21 Sep 2007 20:21:36 -0000	1.67
@@ -1462,7 +1462,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-08-02 08:17:26.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.if	2007-09-20 17:57:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.if	2007-09-20 18:26:14.000000000 -0400
 @@ -32,7 +32,7 @@
  ##	</summary>
  ## </param>
@@ -1482,7 +1482,7 @@
  	allow $1_javaplugin_t $2:fd use;
  	# Unrestricted inheritance from the caller.
  	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-@@ -166,6 +165,60 @@
+@@ -166,6 +165,62 @@
  	optional_policy(`
  		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
  	')
@@ -1537,13 +1537,15 @@
 +	dev_read_urand($1_java_t)
 +	dev_read_rand($1_java_t)
 +
++	fs_dontaudit_rw_tmpfs_files($1_java_t)
++
 +	optional_policy(`
 +		xserver_xdm_rw_shm($1_java_t)
 +	')
  ')
  
  ########################################
-@@ -219,3 +272,66 @@
+@@ -219,3 +274,66 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, java_exec_t, java_t)
  ')
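Review bot: The added `fs_dontaudit_rw_tmpfs_files($1_java_t)` suppresses denials rather than granting or refusing access, and nothing in the hunk records why read/write attempts on tmpfs files from `$1_java_t` are expected to be harmless, so a later reader cannot tell whether the dontaudit is masking a real requirement. A one-line comment above it, along the lines of `# <reason the tmpfs rw attempts are benign> ; suppress the noise`, would keep that reasoning next to the rule — fill in the reason from the AVC that prompted the change. The enclosing template body starts and ends outside the hunk.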
@@ -1612,7 +1614,16 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.0.8/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.te	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.te	2007-09-20 18:14:17.000000000 -0400
+@@ -23,7 +23,7 @@
+ #
+ 
+ # execheap is needed for itanium/BEA jrocket
+-allow java_t self:process { execstack execmem execheap };
++allow java_t self:process { getsched sigkill execheap execmem execstack };
+ 
+ init_dbus_chat_script(java_t)
+ 
 @@ -31,3 +31,7 @@
  	unconfined_domain_noaudit(java_t)
  	unconfined_dbus_chat(java_t)
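Review bot: The comment above the changed `allow java_t self:process { getsched sigkill execheap execmem execstack };` line still explains only execheap, while the new line additionally grants getsched and sigkill with no stated reason. Extending it to something like `# execheap is needed for itanium/BEA jrocket; getsched/sigkill for <operation that needed them>` keeps the rule self-explaining; the operation should be taken from the denial that motivated the change rather than guessed. The rest of the java_t block lies outside the hunk.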
@@ -1623,8 +1634,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mono.if	2007-09-20 11:42:05.000000000 -0400
-@@ -18,3 +18,102 @@
++++ serefpolicy-3.0.8/policy/modules/apps/mono.if	2007-09-20 18:25:48.000000000 -0400
+@@ -18,3 +18,103 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, mono_exec_t, mono_t)
  ')
@@ -1720,6 +1731,7 @@
 +	userdom_unpriv_usertype($1, $1_mono_t)
 +
 +	allow $1_mono_t self:process { signal getsched execheap execmem };
++	allow $2 $1_mono_t:process noatsecure;
 +
 +	domtrans_pattern($2, mono_exec_t, $1_mono_t)
 +
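Review bot: The added `allow $2 $1_mono_t:process noatsecure;` carries no comment, unlike the equivalent grant in java.if earlier in this patch, which is annotated `# Unrestricted inheritance from the caller.`. Granting noatsecure means AT_SECURE is not set when `$2` transitions into `$1_mono_t`, so the dynamic loader does not apply its secure-execution handling of the caller's environment on entry; that is a deliberate relaxation and worth recording in place. Suggest `# Unrestricted inheritance from the caller (AT_SECURE not set on transition).` above the line. The mono template body continues outside the hunk.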
@@ -2250,7 +2262,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-09-21 14:41:45.000000000 -0400
 @@ -36,6 +36,11 @@
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -2284,7 +2296,7 @@
  
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
-@@ -259,3 +265,7 @@
+@@ -259,3 +265,8 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -2292,6 +2304,7 @@
 +/etc/gdm/XKeepsCrashing[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
 +/etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
 +/etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
++/lib(64)?/dbus-1/dbus-daemon-launch-helper --    gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in	2007-09-17 16:20:18.000000000 -0400
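Review bot: The new `/lib(64)?/dbus-1/dbus-daemon-launch-helper` entry is aligned with spaces and leaves trailing spaces after `--`, where the `/etc/gdm` lines directly above it use tabs; matching their layout keeps corecommands.fc consistent. Labelling the helper plain `bin_t` means it runs in whatever domain executes it with no transition, and since this is the privileged activation helper of the system bus a short comment stating that this is intended — rather than a dedicated exec type — would save the next reviewer the same question. Whether the dbus module expects a transition here cannot be seen from this hunk and should be checked there.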
@@ -2415,7 +2428,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-09-21 14:29:01.000000000 -0400
 @@ -20,6 +20,7 @@
  /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -2424,6 +2437,14 @@
  /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
+@@ -98,6 +99,7 @@
+ /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
+ /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/input/uimput	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ 
+ /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-06-19 16:23:34.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2007-09-17 16:20:18.000000000 -0400
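Review bot: The path in the added `/dev/input/uimput` line looks like a typo for `uinput` — the kernel's user-level input device node is `/dev/input/uinput` (or `/dev/uinput`), so as written the entry would never match and the node would keep its default label. The spelling fix is `/dev/input/uinput	-c	gen_context(system_u:object_r:scanner_device_t,s0)`, but the label also deserves a second look: uinput lets its opener inject input events into the system, so the type it gets should be one that only the domain that needs it (presumably the fingerprint-reader daemon named in the changelog) can open, and `scanner_device_t` is shared with other scanner users. Confirm the intended type before relabelling.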
@@ -4904,7 +4925,7 @@
  ifdef(`TODO',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2007-09-18 12:31:53.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2007-09-21 15:23:17.000000000 -0400
 @@ -8,17 +8,14 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -4924,24 +4945,26 @@
  /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
  
  /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -26,6 +23,9 @@
+@@ -26,6 +23,11 @@
  /usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
  /usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
  /usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
 +/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/lib(64)?/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
++# keep as separate lines to ensure proper sorting
++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
 +
  /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
  /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
  /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -52,3 +52,4 @@
+@@ -52,3 +54,4 @@
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  
  /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-09-18 12:15:12.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-09-21 09:12:45.000000000 -0400
 @@ -49,9 +49,6 @@
  type hplip_exec_t;
  init_daemon_domain(hplip_t,hplip_exec_t)
@@ -5103,7 +5126,15 @@
  	seutil_sigchld_newrole(cupsd_t)
  ')
  
-@@ -377,6 +400,14 @@
+@@ -331,6 +354,7 @@
+ dev_read_sysfs(cupsd_config_t)
+ dev_read_urand(cupsd_config_t)
+ dev_read_rand(cupsd_config_t)
++dev_rw_generic_usb_dev(cupsd_config_t)
+ 
+ fs_getattr_all_fs(cupsd_config_t)
+ fs_search_auto_mountpoints(cupsd_config_t)
+@@ -377,6 +401,14 @@
  ')
  
  optional_policy(`
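Review bot: `dev_rw_generic_usb_dev(cupsd_config_t)` grants read/write on every `usb_device_t` node to the configuration domain, but the hunk gives no comment on which program needs raw USB access; hal_lpadmin and printconf-backend are both labelled cupsd_config_exec_t in the cups.fc hunk earlier in this patch, and the changelog only says what was allowed. A why-comment such as `# <tool> probes USB printers directly` with the actual tool filled in would document the scope of the grant. The same interface is already used for hplip_t further down, so the style is consistent; it is the rationale that is missing.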
@@ -5118,7 +5149,7 @@
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -526,11 +557,6 @@
+@@ -526,11 +558,6 @@
  
  cups_stream_connect(hplip_t)
  
@@ -5130,7 +5161,7 @@
  manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
  files_pid_filetrans(hplip_t,hplip_var_run_t,file)
  
-@@ -560,7 +586,7 @@
+@@ -560,7 +587,7 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -5139,7 +5170,7 @@
  
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
-@@ -587,8 +613,6 @@
+@@ -587,8 +614,6 @@
  userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
  userdom_dontaudit_search_all_users_home_content(hplip_t)
  
@@ -5189,7 +5220,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2007-09-20 15:31:09.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2007-09-21 06:44:48.000000000 -0400
 @@ -50,6 +50,12 @@
  ## </param>
  #
@@ -5330,7 +5361,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.te	2007-09-20 12:01:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dbus.te	2007-09-21 14:44:08.000000000 -0400
 @@ -23,6 +23,9 @@
  type system_dbusd_var_run_t;
  files_pid_file(system_dbusd_var_run_t)
@@ -5350,7 +5381,7 @@
  manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
  manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
  files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
-@@ -116,9 +121,18 @@
+@@ -116,9 +121,22 @@
  ')
  
  optional_policy(`
@@ -5358,6 +5389,10 @@
 +')
 +
 +optional_policy(`
++	networkmanager_domtrans(system_dbusd_t)
++')
++
++optional_policy(`
  	sysnet_domtrans_dhcpc(system_dbusd_t)
  ')
  
@@ -6134,7 +6169,7 @@
  /var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-09-19 13:28:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-09-21 14:55:44.000000000 -0400
 @@ -155,6 +155,8 @@
  selinux_compute_relabel_context(hald_t)
  selinux_compute_user_contexts(hald_t)
@@ -6152,6 +6187,15 @@
  allow hald_acl_t self:fifo_file read_fifo_file_perms;
  
  domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
+@@ -344,6 +347,8 @@
+ 
+ files_read_usr_files(hald_mac_t)
+ 
++kernel_read_system_state(hald_mac_t)
++
+ libs_use_ld_so(hald_mac_t)
+ libs_use_shared_libs(hald_mac_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2007-09-12 10:34:50.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/inetd.te	2007-09-17 16:20:18.000000000 -0400
@@ -7921,7 +7965,7 @@
  	consoletype_exec(rhgb_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.0.8/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ricci.te	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ricci.te	2007-09-21 10:21:12.000000000 -0400
 @@ -138,6 +138,7 @@
  files_create_boot_flag(ricci_t)
  
@@ -7930,6 +7974,15 @@
  auth_append_login_records(ricci_t)
  
  init_dontaudit_stream_connect_script(ricci_t)
+@@ -260,7 +261,7 @@
+ # ricci_modclusterd local policy
+ #
+ 
+-allow ricci_modclusterd_t self:capability sys_nice;
++allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
+ allow ricci_modclusterd_t self:process { signal sigkill setsched };
+ allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
+ allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
 @@ -321,6 +322,10 @@
  ')
  
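Review bot: The widened `allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };` grants sys_tty_config outright, whereas elsewhere in this same patch the capability is only dontaudited for comparable daemons (`dontaudit clvmd_t self:capability sys_tty_config;` in the lvm.te hunk, and the same for lvm_t). sys_tty_config is usually requested as a side effect of a daemon touching its controlling terminal at startup rather than a real need, so unless modclusterd actually reconfigures a tty the consistent change is `dontaudit ricci_modclusterd_t self:capability sys_tty_config;` while leaving the allow at `sys_nice`. If it is genuinely needed, a comment saying why should accompany the grant.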
@@ -7941,6 +7994,24 @@
  	unconfined_use_fds(ricci_modclusterd_t)
  ')
  
+@@ -468,9 +473,6 @@
+ 
+ logging_send_syslog_msg(ricci_modstorage_t)
+ 
+-lvm_domtrans(ricci_modstorage_t)
+-lvm_manage_config(ricci_modstorage_t)
+-
+ miscfiles_read_localization(ricci_modstorage_t)
+ 
+ modutils_read_module_deps(ricci_modstorage_t)
+@@ -482,6 +484,7 @@
+ 
+ optional_policy(`
+ 	lvm_domtrans(ricci_modstorage_t)
++	lvm_manage_config(ricci_modstorage_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/rlogin.te	2007-09-17 16:20:18.000000000 -0400
@@ -11141,6 +11212,18 @@
  	seutil_sigchld_newrole(iptables_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.0.8/policy/modules/system/iscsi.te
+--- nsaserefpolicy/policy/modules/system/iscsi.te	2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/iscsi.te	2007-09-21 14:55:01.000000000 -0400
+@@ -68,6 +68,8 @@
+ 
+ files_read_etc_files(iscsid_t)
+ 
++kernel_read_system_state(iscsid_t)
++
+ libs_use_ld_so(iscsid_t)
+ libs_use_shared_libs(iscsid_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-08-02 08:17:28.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/libraries.fc	2007-09-18 10:51:20.000000000 -0400
@@ -11862,7 +11945,7 @@
  files_dontaudit_search_isid_type_dirs(syslogd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.8/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/lvm.fc	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/lvm.fc	2007-09-21 09:54:46.000000000 -0400
 @@ -15,6 +15,7 @@
  #
  /etc/lvm(/.*)?			gen_context(system_u:object_r:lvm_etc_t,s0)
@@ -11873,19 +11956,66 @@
  /etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/lvm.te	2007-09-17 16:20:18.000000000 -0400
-@@ -150,7 +150,9 @@
++++ serefpolicy-3.0.8/policy/modules/system/lvm.te	2007-09-21 15:33:57.000000000 -0400
+@@ -44,9 +44,9 @@
+ # Cluster LVM daemon local policy
+ #
+ 
+-allow clvmd_t self:capability { sys_admin mknod };
++allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
+ dontaudit clvmd_t self:capability sys_tty_config;
+-allow clvmd_t self:process signal_perms;
++allow clvmd_t self:process { signal_perms  setsched };
+ dontaudit clvmd_t self:process ptrace;
+ allow clvmd_t self:socket create_socket_perms;
+ allow clvmd_t self:fifo_file rw_fifo_file_perms;
+@@ -85,6 +85,9 @@
+ corenet_sendrecv_generic_server_packets(clvmd_t)
+ 
+ dev_read_sysfs(clvmd_t)
++dev_manage_generic_symlinks(clvmd_t)
++dev_relabel_generic_dev_dirs(clvmd_t)
++dev_manage_generic_blk_files(clvmd_t)
+ dev_manage_generic_chr_files(clvmd_t)
+ dev_rw_lvm_control(clvmd_t)
+ dev_dontaudit_getattr_all_blk_files(clvmd_t)
+@@ -102,6 +105,7 @@
+ 
+ domain_use_interactive_fds(clvmd_t)
+ 
++storage_relabel_fixed_disk(clvmd_t)
+ storage_raw_read_fixed_disk(clvmd_t)
+ 
+ libs_use_ld_so(clvmd_t)
+@@ -113,6 +117,9 @@
+ 
+ seutil_dontaudit_search_config(clvmd_t)
+ seutil_sigchld_newrole(clvmd_t)
++seutil_read_config(clvmd_t)
++seutil_read_file_contexts(clvmd_t)
++seutil_search_default_contexts(clvmd_t)
+ 
+ sysnet_read_config(clvmd_t)
+ 
+@@ -150,7 +157,8 @@
  
  # DAC overrides and mknod for modifying /dev entries (vgmknodes)
  # rawio needed for dmraid
 -allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
 +allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
 +# lvm needs net_admin for multipath
-+
  dontaudit lvm_t self:capability sys_tty_config;
  allow lvm_t self:process { sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
-@@ -228,6 +230,8 @@
+@@ -208,7 +216,6 @@
+ selinux_compute_user_contexts(lvm_t)
+ 
+ dev_create_generic_chr_files(lvm_t)
+-dev_delete_generic_dirs(lvm_t)
+ dev_read_rand(lvm_t)
+ dev_read_urand(lvm_t)
+ dev_rw_lvm_control(lvm_t)
+@@ -228,6 +235,8 @@
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
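Review bot: The changed `allow clvmd_t self:process { signal_perms  setsched };` line has a double space, and none of the new clvmd_t grants (the chown, ipc_lock and sys_nice capabilities; `dev_manage_generic_blk_files`, `dev_relabel_generic_dev_dirs`, `storage_relabel_fixed_disk`; the three `seutil_read_*`/`seutil_search_*` interfaces) carry the why-comments that the lvm_t section of the same file uses, e.g. `# DAC overrides and mknod for modifying /dev entries (vgmknodes)`. Relabel permissions on fixed disks and /dev directories are a notable widening for a cluster daemon, so a comment naming the clvmd operation that requires them would help future review. Also, the new `# lvm needs net_admin for multipath` comment sits below the allow it explains; the file's convention is to place the comment above the rule.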
@@ -11894,7 +12024,7 @@
  
  fs_getattr_xattr_fs(lvm_t)
  fs_search_auto_mountpoints(lvm_t)
-@@ -246,6 +250,7 @@
+@@ -246,6 +255,7 @@
  storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
@@ -11902,7 +12032,7 @@
  
  term_getattr_all_user_ttys(lvm_t)
  term_list_ptys(lvm_t)
-@@ -275,6 +280,8 @@
+@@ -275,6 +285,8 @@
  seutil_search_default_contexts(lvm_t)
  seutil_sigchld_newrole(lvm_t)
  
@@ -11911,7 +12041,7 @@
  ifdef(`distro_redhat',`
  	# this is from the initrd:
  	files_rw_isid_type_dirs(lvm_t)
-@@ -293,5 +300,15 @@
+@@ -293,5 +305,14 @@
  ')
  
  optional_policy(`
@@ -11926,7 +12056,6 @@
 +	xen_append_log(lvm_t)
 +	xen_dontaudit_rw_unix_stream_sockets(lvm_t)
 +')
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-08-22 07:14:12.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/modutils.te	2007-09-17 16:20:18.000000000 -0400
@@ -12838,6 +12967,14 @@
  term_dontaudit_use_all_user_ttys(ifconfig_t)
  term_dontaudit_use_all_user_ptys(ifconfig_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
+--- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-05-29 14:10:58.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc	2007-09-21 06:46:14.000000000 -0400
+@@ -10,3 +10,4 @@
+ /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+ 
+ /usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/rhythmbox		    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-06-15 14:54:34.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-09-17 16:20:18.000000000 -0400
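Review bot: The added `/usr/bin/rhythmbox` entry is appended after the /usr/local line and mixes spaces with a tab before `--`, where the neighbouring entries are sorted by path and tab-aligned; the cups.fc hunk in this same patch explicitly keeps entries sorted, so placing this line before the openoffice entry and aligning it with tabs would be consistent. Labelling a media player `unconfined_execmem_exec_t` is a broad grant, and a short comment on what in rhythmbox needs executable memory would document why it belongs in this list.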
@@ -13047,7 +13184,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-09-21 06:44:58.000000000 -0400
 @@ -5,28 +5,36 @@
  #
  # Declarations
@@ -13231,14 +13368,17 @@
  ')
  
  ########################################
-@@ -227,6 +223,17 @@
- 	unconfined_dbus_chat(unconfined_execmem_t)
+@@ -225,8 +221,20 @@
  
- 	optional_policy(`
-+		avahi_dbus_chat(unconfined_t)
-+	')
+ 	init_dbus_chat_script(unconfined_execmem_t)
+ 	unconfined_dbus_chat(unconfined_execmem_t)
++	dbus_connect_system_bus(unconfined_execmem_t)
 +
 +	optional_policy(`
++		avahi_dbus_chat(unconfined_execmem_t)
++	')
+ 
+ 	optional_policy(`
  		hal_dbus_chat(unconfined_execmem_t)
  	')
 +


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.528
retrieving revision 1.529
diff -u -r1.528 -r1.529
--- selinux-policy.spec	20 Sep 2007 22:30:51 -0000	1.528
+++ selinux-policy.spec	21 Sep 2007 20:21:36 -0000	1.529
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,12 @@
 %endif
 
 %changelog
+* Fri Sep 21 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-7
+- Allow cupsd_config_t to read/write usb_device_t
+- Support for finger print reader,
+- Many fixes for clvmd
+- dbus starting networkmanager
+
 * Thu Sep 20 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-5
 - Fix java and mono to run in xguest account
 



