rpms/selinux-policy/devel policy-20071130.patch, 1.118, 1.119 policygentool, 1.10, 1.11 selinux-policy.spec, 1.646, 1.647

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Apr 8 03:17:54 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2705

Modified Files:
	policy-20071130.patch policygentool selinux-policy.spec 
Log Message:
* Sat Apr 5 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-29
- Fix initial install


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.118
retrieving revision 1.119
diff -u -r1.118 -r1.119
--- policy-20071130.patch	6 Apr 2008 12:06:47 -0000	1.118
+++ policy-20071130.patch	8 Apr 2008 03:17:46 -0000	1.119
@@ -1932,8 +1932,34 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.3.1/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/netutils.te	2008-04-04 12:06:55.000000000 -0400
-@@ -94,6 +94,10 @@
++++ serefpolicy-3.3.1/policy/modules/admin/netutils.te	2008-04-07 21:56:32.000000000 -0400
+@@ -50,6 +50,7 @@
+ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+ 
+ kernel_search_proc(netutils_t)
++kernel_read_sysctl(netutils_t)
+ 
+ corenet_all_recvfrom_unlabeled(netutils_t)
+ corenet_all_recvfrom_netlabel(netutils_t)
+@@ -78,6 +79,8 @@
+ init_use_fds(netutils_t)
+ init_use_script_ptys(netutils_t)
+ 
++auth_use_nsswitch(netutils_t)
++
+ libs_use_ld_so(netutils_t)
+ libs_use_shared_libs(netutils_t)
+ 
+@@ -85,8 +88,6 @@
+ 
+ miscfiles_read_localization(netutils_t)
+ 
+-sysnet_read_config(netutils_t)
+-
+ userdom_use_all_users_fds(netutils_t)
+ 
+ optional_policy(`
+@@ -94,6 +95,10 @@
  ')
  
  optional_policy(`
@@ -1944,7 +1970,7 @@
  	xen_append_log(netutils_t)
  ')
  
-@@ -107,12 +111,14 @@
+@@ -107,12 +112,14 @@
  allow ping_t self:tcp_socket create_socket_perms;
  allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
  allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
@@ -1959,6 +1985,75 @@
  corenet_tcp_sendrecv_all_nodes(ping_t)
  corenet_tcp_sendrecv_all_ports(ping_t)
  
+@@ -123,6 +130,8 @@
+ files_read_etc_files(ping_t)
+ files_dontaudit_search_var(ping_t)
+ 
++auth_use_nsswitch(ping_t)
++
+ libs_use_ld_so(ping_t)
+ libs_use_shared_libs(ping_t)
+ 
+@@ -130,9 +139,6 @@
+ 
+ miscfiles_read_localization(ping_t)
+ 
+-sysnet_read_config(ping_t)
+-sysnet_dns_name_resolve(ping_t)
+-
+ ifdef(`hide_broken_symptoms',`
+ 	init_dontaudit_use_fds(ping_t)
+ ')
+@@ -143,14 +149,6 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(ping_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(ping_t)
+-')
+-
+-optional_policy(`
+ 	pcmcia_use_cardmgr_fds(ping_t)
+ ')
+ 
+@@ -166,7 +164,6 @@
+ allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+ allow traceroute_t self:rawip_socket create_socket_perms;
+ allow traceroute_t self:packet_socket create_socket_perms;
+-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+ allow traceroute_t self:udp_socket create_socket_perms;
+ 
+ kernel_read_system_state(traceroute_t)
+@@ -200,6 +197,8 @@
+ 
+ init_use_fds(traceroute_t)
+ 
++auth_use_nsswitch(traceroute_t)
++
+ libs_use_ld_so(traceroute_t)
+ libs_use_shared_libs(traceroute_t)
+ 
+@@ -212,17 +211,7 @@
+ dev_read_urand(traceroute_t)
+ files_read_usr_files(traceroute_t)
+ 
+-sysnet_read_config(traceroute_t)
+-
+ tunable_policy(`user_ping',`
+ 	term_use_all_user_ttys(traceroute_t)
+ 	term_use_all_user_ptys(traceroute_t)
+ ')
+-
+-optional_policy(`
+-	nis_use_ypbind(traceroute_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(traceroute_t)
+-')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.3.1/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-12-19 05:32:18.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/admin/prelink.te	2008-04-04 12:06:55.000000000 -0400
@@ -6480,7 +6575,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc	2008-04-07 14:56:13.000000000 -0400
 @@ -7,11 +7,11 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -6494,16 +6589,7 @@
  #
  # /dev
  #
-@@ -58,6 +58,8 @@
- 
- /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
- 
-+/etc/NetworkManager/dispatcher.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-+
- /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
- /etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
- /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -67,6 +69,12 @@
+@@ -67,6 +67,12 @@
  
  /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
  
@@ -6516,7 +6602,7 @@
  /etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/network-scripts/ifup-.*	-l gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -99,11 +107,6 @@
+@@ -99,11 +105,6 @@
  /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -6528,7 +6614,7 @@
  #
  # /sbin
  #
-@@ -127,6 +130,8 @@
+@@ -127,6 +128,8 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -6537,7 +6623,7 @@
  #
  # /usr
  #
-@@ -144,10 +149,7 @@
+@@ -144,10 +147,7 @@
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -6549,7 +6635,7 @@
  
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -178,6 +180,8 @@
+@@ -178,6 +178,8 @@
  /usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -6558,7 +6644,7 @@
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
-@@ -185,8 +189,12 @@
+@@ -185,8 +187,12 @@
  /usr/local/Brother(/.*)?/lpd(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
@@ -6571,7 +6657,7 @@
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -213,9 +221,10 @@
+@@ -213,9 +219,10 @@
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
  /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -6583,7 +6669,7 @@
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +293,10 @@
+@@ -284,3 +291,10 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -7294,6 +7380,18 @@
 +
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.3.1/policy/modules/kernel/files.fc
+--- nsaserefpolicy/policy/modules/kernel/files.fc	2007-10-29 18:02:31.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/files.fc	2008-04-07 21:39:29.000000000 -0400
+@@ -31,7 +31,7 @@
+ /boot/\.journal			<<none>>
+ /boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /boot/lost\+found/.*		<<none>>
+-/boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
++/boot(/.*)?/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
+ 
+ #
+ # /emul
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-04-06 06:52:30.000000000 -0400
@@ -8848,7 +8946,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-04-04 16:08:27.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-04-07 14:54:08.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -10895,7 +10993,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-04-05 11:51:54.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-04-07 22:36:44.000000000 -0400
 @@ -13,6 +13,9 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
@@ -14637,8 +14735,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te
 --- nsaserefpolicy/policy/modules/services/gamin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-04-04 12:06:55.000000000 -0400
-@@ -0,0 +1,39 @@
++++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-04-07 22:37:02.000000000 -0400
+@@ -0,0 +1,40 @@
 +policy_module(gamin,1.0.0)
 +
 +########################################
@@ -14657,6 +14755,7 @@
 +
 +# Init script handling
 +domain_use_interactive_fds(gamin_t)
++allow gamin_t self:capability sys_ptrace;
 +
 +# internal communication is often done using fifo and unix sockets.
 +allow gamin_t self:fifo_file rw_file_perms;
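Review bot: The added `allow gamin_t self:capability sys_ptrace;` grants CAP_SYS_PTRACE to a file-monitoring daemon and is placed under the `# Init script handling` comment next to `domain_use_interactive_fds`, where a reader will not look for capability rules. If the denial being fixed is the common case of reading another process's /proc entry (a `sys_ptrace` AVC with no actual ptrace), a `dontaudit` of the capability is usually the right answer rather than an allow; that cannot be determined from the hunk, so check the AVC. Whichever is chosen, move the line up with the domain's other `self:` rules and say why it is there, e.g. `# gamin reads /proc entries of its clients; the kernel checks sys_ptrace for that` adjusted to the real cause. The remainder of gamin.te is outside this hunk.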
@@ -14766,7 +14865,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-04-07 22:47:29.000000000 -0400
 @@ -0,0 +1,53 @@
 +policy_module(gnomeclock,1.0.0)
 +########################################
@@ -14789,7 +14888,7 @@
 +allow gnomeclock_t self:fifo_file rw_file_perms;
 +allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
 +
-+corecmd_search_bin(gnomeclock_t)
++corecmd_exec_bin(gnomeclock_t)
 +
 +files_read_etc_files(gnomeclock_t)
 +files_read_usr_files(gnomeclock_t)
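Review bot: Replacing `corecmd_search_bin` with `corecmd_exec_bin(gnomeclock_t)` lets this system service execute any `bin_t` program in its own domain, so whatever helper it needs runs with gnomeclock_t's permissions and without a transition. If the helper is hwclock, which is the usual reason a clock-setting service spawns a binary, `clock_domtrans(gnomeclock_t)` keeps it in its own confined domain; the helper's name is not visible in the hunk, so verify against the denial. At minimum add a why-comment naming the program, e.g. `# executes <helper> to set the hardware clock`. gnomeclock.te continues outside this hunk.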
@@ -15344,7 +15443,7 @@
 +/etc/rc.d/init.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.3.1/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.if	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/kerberos.if	2008-04-07 20:46:54.000000000 -0400
 @@ -43,7 +43,13 @@
  	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
  	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
@@ -15371,11 +15470,14 @@
  	optional_policy(`
  		tunable_policy(`allow_kerberos',`
  			pcscd_stream_connect($1)
-@@ -172,3 +174,156 @@
- 	allow $1 krb5kdc_conf_t:file read_file_perms;
+@@ -169,6 +171,158 @@
+ 	')
+ 
+ 	files_search_etc($1)
+-	allow $1 krb5kdc_conf_t:file read_file_perms;
++	read_files_pattern($1, krb5kdc_conf_t,  krb5kdc_conf_t)
++')
  
- ')
-+
 +########################################
 +## <summary>
 +##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
@@ -15422,7 +15524,7 @@
 +		corenet_udp_sendrecv_kerberos_master_port($1)
 +		corenet_udp_bind_all_nodes($1)
 +	')
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -17019,8 +17121,8 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc	2008-04-04 12:06:55.000000000 -0400
-@@ -1,7 +1,10 @@
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc	2008-04-07 14:55:55.000000000 -0400
+@@ -1,7 +1,11 @@
  /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -17031,6 +17133,7 @@
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/log/wpa_supplicant\.log.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
++/etc/NetworkManager/dispatcher.d(/.*)	gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.3.1/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-06-12 10:15:45.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if	2008-04-04 12:06:55.000000000 -0400
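Review bot: The new entry `/etc/NetworkManager/dispatcher.d(/.*)` is missing the trailing `?`, so it matches the scripts inside the directory but not `dispatcher.d` itself, and the corecommands.fc hunk in this same patch removes the old `bin_t` entry that did cover the directory, leaving it with whatever label `/etc` supplies by default. It should read `/etc/NetworkManager/dispatcher.d(/.*)?	gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)`. The entry is also appended after the `/var/run` and `/var/log` lines, while the rest of this file groups entries by path; moving it beside the `/usr/s?bin` lines keeps that order.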
@@ -17058,18 +17161,22 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-04-05 15:04:32.000000000 -0400
-@@ -13,6 +13,9 @@
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-04-07 14:54:21.000000000 -0400
+@@ -13,6 +13,13 @@
  type NetworkManager_var_run_t;
  files_pid_file(NetworkManager_var_run_t)
  
 +type NetworkManager_log_t;
 +logging_log_file(NetworkManager_log_t)
 +
++type NetworkManager_script_exec_t;
++init_script_type(NetworkManager_script_exec_t)
++init_script_domtrans_spec(NetworkManager_t,httpd_script_exec_t)
++
  ########################################
  #
  # Local policy
-@@ -20,9 +23,9 @@
+@@ -20,9 +27,9 @@
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161) 
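Review bot: `init_script_domtrans_spec(NetworkManager_t,httpd_script_exec_t)` names the apache init-script type instead of the `NetworkManager_script_exec_t` declared two lines above it, so NetworkManager_t would only transition to initrc_t when executing the httpd init script, and the dispatcher scripts labelled NetworkManager_script_exec_t in networkmanager.fc get no transition at all and, with no execute rule for that type visible here, would presumably be denied. The line should be `init_script_domtrans_spec(NetworkManager_t, NetworkManager_script_exec_t)`. Running dispatcher scripts as initrc_t also hands them a very broad domain on a targeted system; if that is a deliberate stopgap, record it above the `type` declaration, e.g. `# dispatcher.d scripts run as initrc_t for now; a dedicated domain would be tighter`.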
@@ -17081,7 +17188,7 @@
  allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
  allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
  allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-@@ -38,10 +41,14 @@
+@@ -38,10 +45,14 @@
  manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
  files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
  
@@ -17096,7 +17203,7 @@
  
  corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -67,6 +74,7 @@
+@@ -67,6 +78,7 @@
  
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
@@ -17104,7 +17211,7 @@
  
  mls_file_read_all_levels(NetworkManager_t)
  
-@@ -84,8 +92,11 @@
+@@ -84,8 +96,11 @@
  files_read_usr_files(NetworkManager_t)
  
  init_read_utmp(NetworkManager_t)
@@ -17116,7 +17223,7 @@
  libs_use_ld_so(NetworkManager_t)
  libs_use_shared_libs(NetworkManager_t)
  
-@@ -129,21 +140,21 @@
+@@ -129,21 +144,21 @@
  ')
  
  optional_policy(`
@@ -17143,7 +17250,7 @@
  ')
  
  optional_policy(`
-@@ -155,19 +166,20 @@
+@@ -155,19 +170,20 @@
  	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
  	ppp_signal(NetworkManager_t)
@@ -20497,7 +20604,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-04-07 22:12:28.000000000 -0400
 @@ -60,10 +60,14 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -20566,11 +20673,12 @@
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)	
  kernel_search_network_sysctl(gssd_t)	
-@@ -157,8 +177,13 @@
+@@ -157,8 +177,14 @@
  files_list_tmp(gssd_t) 
  files_read_usr_symlinks(gssd_t) 
  
-+auth_read_cache(gssd_t) 
++auth_use_nsswitch(gssd_t)
++auth_rw_cache(gssd_t) 
 +
  miscfiles_read_certs(gssd_t)
  
@@ -25506,7 +25614,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-04-06 06:54:26.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-04-07 22:44:31.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -25757,7 +25865,7 @@
  domain_use_interactive_fds(xdm_t)
  # Do not audit denied probes of /proc.
  domain_dontaudit_read_all_domains_state(xdm_t)
-+domain_dontaudit_ptrace_all_domains_state(xdm_t)
++domain_dontaudit_ptrace_all_domains(xdm_t)
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
@@ -26363,7 +26471,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-04-05 07:50:51.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-04-07 22:13:19.000000000 -0400
 @@ -99,7 +99,7 @@
  template(`authlogin_per_role_template',`
  
@@ -26517,7 +26625,7 @@
  	')
  ')
  
-@@ -1491,3 +1563,23 @@
+@@ -1491,3 +1563,41 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -26541,6 +26649,24 @@
 +	read_files_pattern($1, auth_cache_t,  auth_cache_t)
 +')
 +
++########################################
++## <summary>
++##	Read/Write authentication cache
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`auth_rw_cache',`
++	gen_require(`
++		type auth_cache_t;
++	')
++
++	rw_files_pattern($1, auth_cache_t,  auth_cache_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-19 17:24:26.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-04-04 12:06:56.000000000 -0400
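Review bot: The new `auth_rw_cache` interface grants `rw_files_pattern` on `auth_cache_t` but nothing on the parent directory, so a caller that does not already have search on `/var` cannot reach /var/cache/coolkey, which the authlogin.fc hunk above labels auth_cache_t; gssd_t, which this patch switches from `auth_read_cache` to `auth_rw_cache`, is such a caller unless rpc.te grants `files_search_var` outside the visible hunk. Adding `files_search_var($1)` after the `gen_require` block is the usual refpolicy pattern for file-access interfaces. The `<rolecap/>` tag also looks out of place on a cache-file interface unless the intent is to offer it as a role capability, and the double space in `auth_cache_t,  auth_cache_t` should be a single one.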
@@ -30630,7 +30756,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-06 07:10:40.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-07 22:54:48.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -33100,6 +33226,15 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
+@@ -5559,7 +5933,7 @@
+ 		attribute userdomain;
+ 	')
+ 
+-	read_files_pattern($1,userdomain,userdomain)
++	ps_process_pattern($1,userdomain)
+ 	kernel_search_proc($1)
+ ')
+ 
 @@ -5674,7 +6048,7 @@
  
  ########################################


Index: policygentool
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policygentool,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- policygentool	17 Nov 2006 19:20:09 -0000	1.10
+++ policygentool	8 Apr 2008 03:17:46 -0000	1.11
@@ -241,7 +241,7 @@
 
 # /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
 # make -f /usr/share/selinux/devel/Makefile
-# semodule -l myapp.pp
+# semodule -i myapp.pp
 # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
 
 Now you can turn on permissive mode, start your application and avc messages


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.646
retrieving revision 1.647
diff -u -r1.646 -r1.647
--- selinux-policy.spec	6 Apr 2008 12:06:47 -0000	1.646
+++ selinux-policy.spec	8 Apr 2008 03:17:46 -0000	1.647
@@ -292,11 +292,11 @@
 %post targeted
 if [ $1 -eq 1 ]; then
 %loadpolicy targeted
-semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
-semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
-semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
-semanage user -a -P guest -R guest_r guest_u
-semanage user -a -P xguest -R xguest_r xguest_u 
+semanage user -a -S targeted -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
+semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
+semanage user -a -S targeted -R guest_r guest_u
+semanage user -a -S targeted -R xguest_r xguest_u 
 restorecon -R /root /var/log /var/run 2> /dev/null
 else
 semodule -s targeted -r moilscanner 2>/dev/null
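Review bot: The two `semanage user -a -S targeted ... guest_u` / `xguest_u` lines are the only ones without `2> /dev/null`, so the scriptlet is noisy for the guest users but silent when the `unconfined_u` user or the `__default__` / `root` login mappings fail; the silent half is the one that matters, because a failed `semanage login -m ... __default__` leaves logins on whatever the shipped seusers file maps them to and nothing in `%post` notices. Make the five lines consistent and report failures without breaking the transaction, e.g. replace `2> /dev/null` on the login lines with `|| echo "selinux-policy: mapping __default__ login failed" >&2`. The `%loadpolicy targeted` macro this depends on is defined outside the hunk.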
@@ -388,7 +388,7 @@
 
 %changelog
 * Sat Apr 5 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-29
-- 
+- Fix initial install
 
 * Fri Apr 4 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-28
 - Allow radvd to use fifo_file



