rpms/selinux-policy/devel policy-20071130.patch, 1.117, 1.118 selinux-policy.spec, 1.645, 1.646

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Sun Apr 6 12:06:56 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10959

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Sat Apr 5 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-29
- 


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.117
retrieving revision 1.118
diff -u -r1.117 -r1.118
--- policy-20071130.patch	5 Apr 2008 12:01:36 -0000	1.117
+++ policy-20071130.patch	6 Apr 2008 12:06:47 -0000	1.118
@@ -2662,16 +2662,19 @@
  #######################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te	2008-04-04 12:06:55.000000000 -0400
-@@ -28,6 +28,7 @@
++++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te	2008-04-06 07:10:39.000000000 -0400
+@@ -26,8 +26,10 @@
+ files_read_etc_files(tmpreaper_t)
+ files_read_var_lib_files(tmpreaper_t)
  files_purge_tmp(tmpreaper_t)
++
  # why does it need setattr?
  files_setattr_all_tmp_dirs(tmpreaper_t)
 +files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)
  
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
-@@ -42,6 +43,22 @@
+@@ -42,6 +44,22 @@
  
  cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
  
@@ -3644,8 +3647,8 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.3.1/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/gpg.te	2008-04-04 12:06:55.000000000 -0400
-@@ -7,15 +7,229 @@
++++ serefpolicy-3.3.1/policy/modules/apps/gpg.te	2008-04-05 08:04:41.000000000 -0400
+@@ -7,15 +7,230 @@
  #
  
  # Type for gpg or pgp executables.
@@ -3693,6 +3696,7 @@
 +manage_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t)
 +manage_lnk_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t)
 +allow gpg_t user_gpg_secret_t:dir create_dir_perms;
++userdom_user_home_dir_filetrans_user_home_content(user, gpg_t, file)
 +userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir)
 +userdom_manage_user_home_content_files(user,gpg_t)
 +userdom_manage_user_tmp_files(user,gpg_t)
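Review bot: The new `userdom_user_home_dir_filetrans_user_home_content(user, gpg_t, file)` makes every file gpg_t creates directly in the home directory land in the generic user home content type, while only the directory transition on the following line yields user_gpg_secret_t, so a secret keyring exported with `--export-secret-keys` into `$HOME` is labeled like any other home file rather than as gpg secret material. If that is the intent (output such as `foo.gpg` should be ordinary user content), state it, because the line sits among the secret-type rules and reads as if it belonged to them; I would add `# files gpg writes straight into $HOME (output, exported keys) are plain user home content; only the ~/.gnupg dir gets user_gpg_secret_t`. The gpg_t rule block continues outside the hunk.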
@@ -5464,8 +5468,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-04-05 07:52:00.000000000 -0400
-@@ -0,0 +1,186 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-04-06 06:06:06.000000000 -0400
+@@ -0,0 +1,187 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5577,6 +5581,7 @@
 +userdom_tmp_filetrans_user_tmp(user,nsplugin_t, { file dir sock_file })
 +userdom_read_user_tmpfs_files(user,nsplugin_t)
 +
++userdom_read_user_home_content_symlinks(user, nsplugin_t)
 +userdom_read_user_home_content_files(user, nsplugin_t)
 +userdom_read_user_tmp_files(user, nsplugin_t)
 +userdom_write_user_tmp_sockets(user, nsplugin_t)
@@ -6632,8 +6637,16 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in	2008-04-04 12:06:55.000000000 -0400
-@@ -82,6 +82,7 @@
++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in	2008-04-05 15:02:25.000000000 -0400
+@@ -75,6 +75,7 @@
+ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) 
+ network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+ network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
++network_port(audit, tcp,60,s0)
+ network_port(auth, tcp,113,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+ type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
+@@ -82,6 +83,7 @@
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
  network_port(comsat, udp,512,s0)
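Review bot: `network_port(audit, tcp,60,s0)` declares a port type with no note on what uses it, and nothing else in this commit's visible hunks binds or connects to it; the only plausible consumer is the audisp_remote_t domain declared in logging.te, which carries no corenet rules in this diff. A one-line comment beside the declaration would save the next reader a trip to audisp-remote.conf, e.g. `# audit: audisp-remote -> remote auditd (audisp-remote.conf default port)`. Port 60 is below 1024, so a listener binding it presumably also needs reserved-port treatment; confirm that network_port() in this tree tags such ports with reserved_port_type automatically.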
@@ -6641,7 +6654,7 @@
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(dcc, udp,6276,s0, udp,6277,s0)
  network_port(dbskkd, tcp,1178,s0)
-@@ -91,6 +92,7 @@
+@@ -91,6 +93,7 @@
  network_port(distccd, tcp,3632,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
  network_port(fingerd, tcp,79,s0)
@@ -6649,7 +6662,7 @@
  network_port(ftp_data, tcp,20,s0)
  network_port(ftp, tcp,21,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -109,6 +111,7 @@
+@@ -109,6 +112,7 @@
  network_port(ircd, tcp,6667,s0)
  network_port(isakmp, udp,500,s0)
  network_port(iscsi, tcp,3260,s0)
@@ -6657,7 +6670,7 @@
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
  network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-@@ -122,6 +125,8 @@
+@@ -122,6 +126,8 @@
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
@@ -6666,7 +6679,7 @@
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
  network_port(nessus, tcp,1241,s0)
-@@ -133,10 +138,12 @@
+@@ -133,10 +139,12 @@
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(postfix_policyd, tcp,10031,s0)
@@ -6679,7 +6692,7 @@
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pxe, udp,4011,s0)
-@@ -148,11 +155,11 @@
+@@ -148,11 +156,11 @@
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -6693,7 +6706,7 @@
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
  network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
  network_port(spamd, tcp,783,s0)
-@@ -170,7 +177,12 @@
+@@ -170,7 +178,12 @@
  network_port(transproxy, tcp,8081,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -7217,7 +7230,7 @@
  type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-04-05 06:32:29.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-04-05 15:31:46.000000000 -0400
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -7240,15 +7253,7 @@
  
  # create child processes in the domain
  allow domain self:process { fork sigchld };
-@@ -96,6 +104,7 @@
- 
- # list the root directory
- files_list_root(domain)
-+files_getattr_all_dirs(domain)
- 
- tunable_policy(`global_ssp',`
- 	# enable reading of urandom for all domains:
-@@ -140,7 +149,7 @@
+@@ -140,7 +148,7 @@
  
  # For /proc/pid
  allow unconfined_domain_type domain:dir list_dir_perms;
@@ -7257,7 +7262,7 @@
  allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  
  # act on all domains keys
-@@ -148,3 +157,30 @@
+@@ -148,3 +156,31 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -7265,6 +7270,7 @@
 +tunable_policy(`allow_domain_fd_use',`
 +	# Allow all domains to use fds past to them
 +	allow domain domain:fd use;
++	files_getattr_all_dirs(domain)
 +')
 +
 +optional_policy(`
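Review bot: `files_getattr_all_dirs(domain)` is now gated by `allow_domain_fd_use`, but the comment on that tunable (`# Allow all domains to use fds past to them`) describes only fd passing, so an administrator who turns the boolean off to restrict fd use will also silently revoke getattr on every directory for every domain and chase unrelated denials. Either give the getattr its own tunable or at least document the coupling, e.g. `# also grants getattr on all dirs: an fd passed in usually arrives with a path the receiver must stat`, and fix "past" to "passed" while there. The earlier hunk in this file removes the unconditional copy of the line, so no domain keeps it when the boolean is off. The `tunable_policy` block opens on the first line of this hunk and closes before the `optional_policy` that follows.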
@@ -7290,7 +7296,7 @@
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-04-06 06:52:30.000000000 -0400
 @@ -1266,6 +1266,24 @@
  
  ########################################
@@ -7391,7 +7397,16 @@
  ##	Create, read, write, and delete symbolic links in /mnt.
  ## </summary>
  ## <param name="domain">
-@@ -4712,12 +4791,14 @@
+@@ -3357,6 +3436,8 @@
+ 	delete_lnk_files_pattern($1,tmpfile,tmpfile)
+ 	delete_fifo_files_pattern($1,tmpfile,tmpfile)
+ 	delete_sock_files_pattern($1,tmpfile,tmpfile)
++	files_delete_isid_type_dirs($1)
++	files_delete_isid_type_files($1)
+ ')
+ 
+ ########################################
+@@ -4712,12 +4793,14 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -7407,7 +7422,7 @@
  	')
  ')
  
-@@ -4756,3 +4837,54 @@
+@@ -4756,3 +4839,54 @@
  
  	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
  ')
@@ -7488,7 +7503,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if	2008-04-06 07:10:46.000000000 -0400
 @@ -310,6 +310,25 @@
  
  ########################################
@@ -7515,7 +7530,15 @@
  ##	Mount an automount pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1171,6 +1190,25 @@
+@@ -737,6 +756,7 @@
+ 		attribute noxattrfs;
+ 	')
+ 
++	list_dirs_pattern($1,noxattrfs,noxattrfs)
+ 	read_files_pattern($1,noxattrfs,noxattrfs)
+ ')
+ 
+@@ -1171,6 +1191,25 @@
  
  ########################################
  ## <summary>
@@ -7541,7 +7564,7 @@
  ##	Create, read, write, and delete files
  ##	on a DOS filesystem.
  ## </summary>
-@@ -1625,7 +1663,7 @@
+@@ -1625,7 +1664,7 @@
  		type nfs_t;
  	')
  
@@ -7550,7 +7573,7 @@
  ')
  
  ########################################
-@@ -2903,6 +2941,7 @@
+@@ -2903,6 +2942,7 @@
  		type tmpfs_t;
  	')
  
@@ -7558,7 +7581,7 @@
  	dontaudit $1 tmpfs_t:file rw_file_perms;
  ')
  
-@@ -3039,6 +3078,25 @@
+@@ -3039,6 +3079,25 @@
  
  ########################################
  ## <summary>
@@ -7584,7 +7607,7 @@
  ##	Relabel block nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -3224,6 +3282,7 @@
+@@ -3224,6 +3283,7 @@
  	')
  
  	allow $1 filesystem_type:filesystem getattr;
@@ -7592,7 +7615,7 @@
  ')
  
  ########################################
-@@ -3551,3 +3610,123 @@
+@@ -3551,3 +3611,123 @@
  	relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
  	relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
  ')
@@ -10872,7 +10895,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-04-05 11:51:54.000000000 -0400
 @@ -13,6 +13,9 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
@@ -10958,7 +10981,7 @@
  
  optional_policy(`
 +	polkit_domtrans_auth(consolekit_t)
-+	polkit_search_lib(consolekit_t)
++	polkit_read_lib(consolekit_t)
 +')
 +
 +optional_policy(`
@@ -14354,6 +14377,20 @@
 +	files_list_pids($1)
 +        manage_all_pattern($1,fetchmail_var_run_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.3.1/policy/modules/services/fetchmail.te
+--- nsaserefpolicy/policy/modules/services/fetchmail.te	2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/fetchmail.te	2008-04-06 06:16:45.000000000 -0400
+@@ -90,6 +90,10 @@
+ ')
+ 
+ optional_policy(`
++	sendmail_manage_log(fetchmail_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(fetchmail_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.3.1/policy/modules/services/ftp.fc
 --- nsaserefpolicy/policy/modules/services/ftp.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/ftp.fc	2008-04-04 12:06:55.000000000 -0400
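Review bot: `sendmail_manage_log(fetchmail_t)` grants create, write, rename and unlink on sendmail_log_t together with the log filetrans, which is more than a mail fetcher needs to append a line to a log. If the denial behind it comes from fetchmail running sendmail as its MDA without a domain transition, `sendmail_domtrans(fetchmail_t)` keeps the log writes inside sendmail_t instead; if fetchmail really writes the log itself, a read/write-only interface on sendmail_log_t would be the narrower grant. A comment quoting the AVC or bug number next to the call would let the next reader judge which case this is.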
@@ -16495,7 +16532,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/munin.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/munin.te	2008-04-06 05:33:44.000000000 -0400
 @@ -25,26 +25,33 @@
  type munin_var_run_t alias lrrd_var_run_t;
  files_pid_file(munin_var_run_t)
@@ -16546,7 +16583,7 @@
  
  corenet_all_recvfrom_unlabeled(munin_t)
  corenet_all_recvfrom_netlabel(munin_t)
-@@ -73,27 +82,36 @@
+@@ -73,27 +82,37 @@
  corenet_udp_sendrecv_all_nodes(munin_t)
  corenet_tcp_sendrecv_all_ports(munin_t)
  corenet_udp_sendrecv_all_ports(munin_t)
@@ -16581,10 +16618,11 @@
  
 -sysnet_read_config(munin_t)
 +sysnet_exec_ifconfig(munin_t)
++netutils_domtrans_ping(munin_t)
  
  userdom_dontaudit_use_unpriv_user_fds(munin_t)
  userdom_dontaudit_search_sysadm_home_dirs(munin_t)
-@@ -108,7 +126,21 @@
+@@ -108,7 +127,21 @@
  ')
  
  optional_policy(`
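Review bot: `netutils_domtrans_ping(munin_t)` is placed unconditionally next to `sysnet_exec_ifconfig(munin_t)`, while the rest of this file wraps calls into other optional modules in `optional_policy(...)` (one such block opens on the last line of the hunk); if the netutils module is not loaded the munin module will fail to link. Move it into its own block: `optional_policy(\``, `	netutils_domtrans_ping(munin_t)`, `')`. The munin_t rule section continues outside this hunk.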
@@ -16607,7 +16645,7 @@
  ')
  
  optional_policy(`
-@@ -118,3 +150,9 @@
+@@ -118,3 +151,9 @@
  optional_policy(`
  	udev_read_db(munin_t)
  ')
@@ -17020,7 +17058,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-04-05 15:04:32.000000000 -0400
 @@ -13,6 +13,9 @@
  type NetworkManager_var_run_t;
  files_pid_file(NetworkManager_var_run_t)
@@ -17066,8 +17104,11 @@
  
  mls_file_read_all_levels(NetworkManager_t)
  
-@@ -86,6 +94,8 @@
+@@ -84,8 +92,11 @@
+ files_read_usr_files(NetworkManager_t)
+ 
  init_read_utmp(NetworkManager_t)
++init_dontaudit_write_utmp(NetworkManager_t)
  init_domtrans_script(NetworkManager_t)
  
 +auth_use_nsswitch(NetworkManager_t)
@@ -17075,7 +17116,7 @@
  libs_use_ld_so(NetworkManager_t)
  libs_use_shared_libs(NetworkManager_t)
  
-@@ -129,21 +139,21 @@
+@@ -129,21 +140,21 @@
  ')
  
  optional_policy(`
@@ -17102,7 +17143,7 @@
  ')
  
  optional_policy(`
-@@ -155,19 +165,20 @@
+@@ -155,19 +166,20 @@
  	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
  	ppp_signal(NetworkManager_t)
@@ -18002,7 +18043,7 @@
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.if	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/polkit.if	2008-04-05 11:55:13.000000000 -0400
 @@ -0,0 +1,189 @@
 +
 +## <summary>policy for polkit_auth</summary>
@@ -19220,8 +19261,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-04-04 12:06:55.000000000 -0400
-@@ -0,0 +1,162 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-04-05 14:48:36.000000000 -0400
+@@ -0,0 +1,160 @@
 +policy_module(prelude,1.0.0)
 +
 +########################################
@@ -19363,8 +19404,6 @@
 +corenet_tcp_bind_all_nodes(audisp_prelude_t)
 +corenet_tcp_connect_prelude_port(audisp_prelude_t)
 +
-+allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;
-+
 +########################################
 +#
 +# prewikka_cgi Declarations
@@ -21132,7 +21171,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2008-02-19 17:24:26.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/samba.te	2008-04-04 16:10:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/samba.te	2008-04-06 07:25:37.000000000 -0400
 @@ -59,6 +59,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs,false)
@@ -21406,20 +21445,22 @@
  ')
  
  ########################################
-@@ -774,6 +840,12 @@
+@@ -774,6 +840,14 @@
  #
  
  optional_policy(`
 +	type samba_unconfined_net_t;
 +	domain_type(samba_unconfined_net_t)
 +	unconfined_domain(samba_unconfined_net_t)
++	role system_r types samba_unconfined_net_t;
++
 +	manage_files_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t)
 +	filetrans_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t,file)
 +
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -790,3 +862,40 @@
+@@ -790,3 +864,40 @@
  		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
  	')
  ')
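Review bot: `role system_r types samba_unconfined_net_t;` completes a domain declared with `unconfined_domain()` that may write samba_secrets_t, yet this hunk shows no entry path into it (no exec type, no domtrans) and no tunable guarding it, whereas samba_unconfined_script_t below is reached through a domtrans inside a nested block. If the transition and its boolean live outside the hunk this is fine, but the declaration should say who enters the domain and why it must be unconfined, e.g. `# unconfined helper for the net(8) join path; entered via <domtrans>, gated by <boolean>` with the placeholders filled in. Without that a reviewer cannot tell whether an unconfined, secrets-writing domain is reachable from smbd_t or only by an administrator.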
@@ -21552,7 +21593,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.3.1/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2007-08-27 13:57:20.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/sendmail.if	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/sendmail.if	2008-04-06 06:16:17.000000000 -0400
 @@ -149,3 +149,85 @@
  
  	logging_log_filetrans($1,sendmail_log_t,file)
@@ -25465,7 +25506,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-04-06 06:54:26.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -25702,7 +25743,7 @@
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -208,8 +328,8 @@
+@@ -208,14 +328,15 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -25713,7 +25754,14 @@
  dev_getattr_power_mgmt_dev(xdm_t)
  dev_setattr_power_mgmt_dev(xdm_t)
  
-@@ -226,9 +346,12 @@
+ domain_use_interactive_fds(xdm_t)
+ # Do not audit denied probes of /proc.
+ domain_dontaudit_read_all_domains_state(xdm_t)
++domain_dontaudit_ptrace_all_domains_state(xdm_t)
+ 
+ files_read_etc_files(xdm_t)
+ files_read_var_files(xdm_t)
+@@ -226,9 +347,12 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -25726,7 +25774,7 @@
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -237,6 +360,7 @@
+@@ -237,6 +361,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25734,7 +25782,7 @@
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -245,6 +369,7 @@
+@@ -245,6 +370,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -25742,17 +25790,18 @@
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -256,22 +381,28 @@
+@@ -256,22 +382,28 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
 +logging_send_audit_msgs(xdm_t)
  
  miscfiles_read_localization(xdm_t)
- miscfiles_read_fonts(xdm_t)
- 
--sysnet_read_config(xdm_t)
+-miscfiles_read_fonts(xdm_t)
 -
+-sysnet_read_config(xdm_t)
++miscfiles_manage_fonts(xdm_t)
+ 
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
  userdom_create_all_users_keys(xdm_t)
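Review bot: Replacing `miscfiles_read_fonts(xdm_t)` with `miscfiles_manage_fonts(xdm_t)` gives the display manager create, write and delete on every fonts_t object, i.e. the system font directories under /usr/share/fonts, not just whatever cache it needs to refresh. If the denial is the fontconfig cache being rebuilt at login, keep `miscfiles_read_fonts(xdm_t)` and grant write access to the cache location only, or run the rebuild in its own domain; if xdm genuinely installs fonts, a comment saying so belongs beside the line, because `manage` on system-wide read-only content from a root daemon is the first thing a reviewer will question. The xdm_t section continues outside the hunk.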
@@ -25773,7 +25822,12 @@
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -301,10 +432,15 @@
+@@ -297,14 +429,20 @@
+ #	xserver_rw_session_template(xdm,unpriv_userdomain)
+ #	dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
+ #	allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
++	userdom_dontaudit_write_sysadm_home_dirs(xdm_t)
+ ')
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -25790,7 +25844,7 @@
  ')
  
  optional_policy(`
-@@ -312,6 +448,23 @@
+@@ -312,6 +450,23 @@
  ')
  
  optional_policy(`
@@ -25814,7 +25868,7 @@
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
  	gpm_setattr_gpmctl(xdm_t)
-@@ -322,6 +475,10 @@
+@@ -322,6 +477,10 @@
  ')
  
  optional_policy(`
@@ -25825,7 +25879,7 @@
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -335,6 +492,11 @@
+@@ -335,6 +494,11 @@
  ')
  
  optional_policy(`
@@ -25837,7 +25891,7 @@
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -343,8 +505,8 @@
+@@ -343,8 +507,8 @@
  ')
  
  optional_policy(`
@@ -25847,7 +25901,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +542,7 @@
+@@ -380,7 +544,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -25856,7 +25910,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +554,15 @@
+@@ -392,6 +556,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -25872,7 +25926,7 @@
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,9 +575,17 @@
+@@ -404,9 +577,17 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -25890,7 +25944,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +599,22 @@
+@@ -420,6 +601,22 @@
  ')
  
  optional_policy(`
@@ -25913,7 +25967,7 @@
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +624,139 @@
+@@ -429,47 +626,139 @@
  ')
  
  optional_policy(`
@@ -27024,7 +27078,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-04-06 06:35:10.000000000 -0400
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -27314,6 +27368,17 @@
  	zebra_read_config(initrc_t)
  ')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te
+--- nsaserefpolicy/policy/modules/system/iptables.te	2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/iptables.te	2008-04-06 05:52:40.000000000 -0400
+@@ -48,6 +48,7 @@
+ 
+ fs_getattr_xattr_fs(iptables_t)
+ fs_search_auto_mountpoints(iptables_t)
++fs_list_inotifyfs(iptables_t)
+ 
+ mls_file_read_all_levels(iptables_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2008-02-18 14:30:18.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/iscsi.te	2008-04-04 12:06:56.000000000 -0400
@@ -27327,8 +27392,19 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc	2008-04-05 07:22:08.000000000 -0400
-@@ -133,6 +133,7 @@
++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc	2008-04-05 08:09:49.000000000 -0400
+@@ -69,8 +69,10 @@
+ ifdef(`distro_gentoo',`
+ # despite the extensions, they are actually libs
+ /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
++/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
+ /opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0)
+ /opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
++/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
+ 
+ /opt/netscape/plugins(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+ /opt/netscape/plugins/libflashplayer\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -133,6 +135,7 @@
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
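Review bot: The two new Reader contexts (`/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api` and `/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il]`) are inserted inside the `ifdef(\`distro_gentoo',\`` block opened a few lines above; its closing `')` is outside the hunk, but unless it closes before the insertion point these entries are compiled out of every non-Gentoo build, including the Fedora one this package produces. If they are meant for Fedora, move them below the ifdef next to the other /opt and /usr/lib acroread entries later in this file. Also `Reader.?` matches any single character; `Reader[0-9]?` is what a version suffix calls for.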
@@ -27336,7 +27412,7 @@
  /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -165,6 +166,7 @@
+@@ -165,6 +168,7 @@
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27344,7 +27420,7 @@
  
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -183,6 +185,7 @@
+@@ -183,6 +187,7 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27352,7 +27428,7 @@
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -242,7 +245,7 @@
+@@ -242,7 +247,7 @@
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27361,7 +27437,7 @@
  /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -287,11 +290,15 @@
+@@ -287,11 +292,15 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27377,7 +27453,7 @@
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
-@@ -304,3 +311,11 @@
+@@ -304,3 +313,11 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -27391,7 +27467,7 @@
 +/usr/lib/oracle/.*/lib/libnnz10\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.te	2008-04-05 07:34:59.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/libraries.te	2008-04-06 06:36:11.000000000 -0400
 @@ -23,6 +23,9 @@
  init_system_domain(ldconfig_t,ldconfig_exec_t)
  role system_r types ldconfig_t;
@@ -27428,7 +27504,15 @@
  files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_search_tmp(ldconfig_t)
-@@ -86,6 +94,10 @@
+@@ -70,6 +78,7 @@
+ files_delete_etc_files(ldconfig_t)
+ 
+ init_use_script_ptys(ldconfig_t)
++init_read_script_tmp_files(ldconfig_t)
+ 
+ libs_use_ld_so(ldconfig_t)
+ libs_use_shared_libs(ldconfig_t)
+@@ -86,6 +95,10 @@
  	')
  ')
  
@@ -27439,7 +27523,7 @@
  ifdef(`hide_broken_symptoms',`
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
-@@ -102,4 +114,10 @@
+@@ -102,4 +115,10 @@
  	# and executes ldconfig on it.  If you dont allow this kernel installs 
  	# blow up.
  	rpm_manage_script_tmp_files(ldconfig_t)
@@ -27503,16 +27587,17 @@
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.fc	2008-04-04 12:06:56.000000000 -0400
-@@ -4,6 +4,7 @@
++++ serefpolicy-3.3.1/policy/modules/system/logging.fc	2008-04-05 15:01:37.000000000 -0400
+@@ -4,6 +4,8 @@
  /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
  /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
  
 +/sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
++/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
  /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
  /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
  /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
-@@ -46,7 +47,7 @@
+@@ -46,7 +48,7 @@
  ')
  
  /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
@@ -27521,7 +27606,7 @@
  /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
  /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
  /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
-@@ -57,3 +58,8 @@
+@@ -57,3 +59,8 @@
  /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
  
  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
@@ -27532,7 +27617,7 @@
 +/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.if	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.if	2008-04-05 14:44:00.000000000 -0400
 @@ -213,12 +213,7 @@
  ## </param>
  #
@@ -27758,8 +27843,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.te	2008-04-04 12:06:56.000000000 -0400
-@@ -61,10 +61,24 @@
++++ serefpolicy-3.3.1/policy/modules/system/logging.te	2008-04-05 15:23:59.000000000 -0400
+@@ -61,10 +61,29 @@
  logging_log_file(var_log_t)
  files_mountpoint(var_log_t)
  
@@ -27781,10 +27866,15 @@
 +type audisp_var_run_t;
 +files_pid_file(audisp_var_run_t)
 +
++type audisp_remote_t;
++type audisp_remote_exec_t;
++domain_type(audisp_remote_t)
++domain_entry_file(audisp_remote_t, audisp_remote_exec_t)
++
  ########################################
  #
  # Auditctl local policy
-@@ -84,6 +98,7 @@
+@@ -84,6 +103,7 @@
  kernel_read_kernel_sysctls(auditctl_t)
  kernel_read_proc_symlinks(auditctl_t)
  
@@ -27792,7 +27882,7 @@
  domain_read_all_domains_state(auditctl_t)
  domain_use_interactive_fds(auditctl_t)
  
-@@ -158,9 +173,12 @@
+@@ -158,9 +178,12 @@
  
  mls_file_read_all_levels(auditd_t)
  mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
@@ -27805,7 +27895,7 @@
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
  
-@@ -171,6 +189,10 @@
+@@ -171,6 +194,10 @@
  ')
  
  optional_policy(`
@@ -27816,7 +27906,7 @@
  	seutil_sigchld_newrole(auditd_t)
  ')
  
-@@ -208,6 +230,7 @@
+@@ -208,6 +235,7 @@
  
  fs_getattr_all_fs(klogd_t)
  fs_search_auto_mountpoints(klogd_t)
@@ -27824,7 +27914,7 @@
  
  domain_use_interactive_fds(klogd_t)
  
-@@ -252,7 +275,6 @@
+@@ -252,7 +280,6 @@
  dontaudit syslogd_t self:capability sys_tty_config;
  # setpgid for metalog
  allow syslogd_t self:process { signal_perms setpgid };
@@ -27832,7 +27922,7 @@
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -262,7 +284,7 @@
+@@ -262,7 +289,7 @@
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
  allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -27841,7 +27931,7 @@
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
  files_pid_filetrans(syslogd_t,devlog_t,sock_file)
-@@ -274,6 +296,9 @@
+@@ -274,6 +301,9 @@
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
@@ -27851,7 +27941,7 @@
  # manage temporary files
  manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
  manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
-@@ -295,6 +320,7 @@
+@@ -295,6 +325,7 @@
  kernel_read_messages(syslogd_t)
  kernel_clear_ring_buffer(syslogd_t)
  kernel_change_ring_buffer_level(syslogd_t)
@@ -27859,7 +27949,7 @@
  
  dev_filetrans(syslogd_t,devlog_t,sock_file)
  dev_read_sysfs(syslogd_t)
-@@ -327,6 +353,8 @@
+@@ -327,6 +358,8 @@
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
  corenet_tcp_connect_syslogd_port(syslogd_t)
@@ -27868,7 +27958,7 @@
  
  # syslog-ng can send or receive logs
  corenet_sendrecv_syslogd_client_packets(syslogd_t)
-@@ -339,19 +367,20 @@
+@@ -339,19 +372,20 @@
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
@@ -27891,7 +27981,7 @@
  miscfiles_read_localization(syslogd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-@@ -380,15 +409,11 @@
+@@ -380,15 +414,11 @@
  ')
  
  optional_policy(`
@@ -27909,7 +27999,7 @@
  ')
  
  optional_policy(`
-@@ -399,3 +424,37 @@
+@@ -399,3 +429,64 @@
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -27947,6 +28037,33 @@
 +logging_domtrans_audisp(auditd_t)
 +logging_audisp_signal(auditd_t)
 +
++########################################
++#
++# audisp_remote local policy
++#
++
++logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
++
++allow audisp_remote_t self:tcp_socket create_socket_perms;
++
++corenet_all_recvfrom_unlabeled(audisp_remote_t)
++corenet_all_recvfrom_netlabel(audisp_remote_t)
++corenet_tcp_sendrecv_all_if(audisp_remote_t)
++corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
++corenet_tcp_connect_audit_port(audisp_remote_t)
++
++files_read_etc_files(audisp_remote_t)
++
++libs_use_ld_so(audisp_remote_t)
++libs_use_shared_libs(audisp_remote_t)
++
++logging_send_syslog_msg(audisp_remote_t)
++logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
++
++miscfiles_read_localization(audisp_remote_t)
++
++sysnet_dns_name_resolve(audisp_remote_t)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2007-12-12 11:35:28.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/lvm.fc	2008-04-04 12:06:56.000000000 -0400
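Review bot: `logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)` is invoked twice in the new audisp_remote local policy block, once right after the section header and again just after `logging_send_syslog_msg(audisp_remote_t)`; the second call is a straight duplicate and should be dropped. The definition of that interface is not in this chunk, but if it already applies `domain_type()` and `domain_entry_file()` to its arguments (as its name suggests), the explicit `domain_type(audisp_remote_t)` / `domain_entry_file(audisp_remote_t, audisp_remote_exec_t)` lines added in the earlier logging.te type-declaration hunk would be redundant as well and could be left to the interface. A one-line comment above the block such as `# remote audit dispatcher: only TCP connects to the audit port are granted` would document why the network rules stop at `corenet_tcp_connect_audit_port`.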
@@ -28136,7 +28253,7 @@
 +HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.3.1/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if	2008-04-06 06:44:20.000000000 -0400
 @@ -489,3 +489,44 @@
  	manage_lnk_files_pattern($1,locale_t,locale_t)
  ')
@@ -29616,7 +29733,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te	2008-04-06 07:09:34.000000000 -0400
 @@ -45,7 +45,7 @@
  dontaudit dhcpc_t self:capability sys_tty_config;
  # for access("/etc/bashrc", X_OK) on Red Hat
@@ -30513,7 +30630,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-05 07:57:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-06 07:10:40.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.645
retrieving revision 1.646
diff -u -r1.645 -r1.646
--- selinux-policy.spec	5 Apr 2008 10:39:06 -0000	1.645
+++ selinux-policy.spec	6 Apr 2008 12:06:47 -0000	1.646
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@
 %endif
 
 %changelog
+* Sat Apr 5 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-29
+- 
+
 * Fri Apr 4 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-28
 - Allow radvd to use fifo_file
 - dontaudit setfiles reading links



