rpms/selinux-policy/devel booleans-targeted.conf, 1.39, 1.40 policy-20071130.patch, 1.119, 1.120 selinux-policy.spec, 1.647, 1.648

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Apr 8 19:18:34 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17924

Modified Files:
	booleans-targeted.conf policy-20071130.patch 
	selinux-policy.spec 
Log Message:
* Tue Apr 8 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-30
- Allow passwd to communicate with user sockets to change gnome-keyring



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- booleans-targeted.conf	5 Apr 2008 10:39:05 -0000	1.39
+++ booleans-targeted.conf	8 Apr 2008 19:17:28 -0000	1.40
@@ -269,8 +269,8 @@
 
 # Allow nsplugin execmem/execstack for bad plugins
 # 
-allow_nsplugin_execmem=false
+allow_nsplugin_execmem=true
 
 # Allow unconfined domain to transition to confined domain
 # 
-allow_unconfined_nsplugin_transition=true
+allow_unconfined_nsplugin_transition=false
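Review bot: Both default flips in this hunk loosen browser-plugin confinement, and the log message, which only mentions passwd and gnome-keyring, does not record them. `allow_nsplugin_execmem=true` grants execmem/execstack to nsplugin by default, which the file's own comment describes as a concession "for bad plugins". `allow_unconfined_nsplugin_transition=false` presumably stops processes started from the unconfined domain from entering the confined nsplugin domain at all. I would keep `allow_nsplugin_execmem=false` as the shipped default and let administrators opt in, or at least add a changelog line such as `- Turn on allow_nsplugin_execmem, turn off allow_unconfined_nsplugin_transition` with the reason.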

policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.119
retrieving revision 1.120
diff -u -r1.119 -r1.120
--- policy-20071130.patch	8 Apr 2008 03:17:46 -0000	1.119
+++ policy-20071130.patch	8 Apr 2008 19:17:28 -0000	1.120
@@ -2794,7 +2794,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.3.1/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2008-02-19 17:24:26.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/usermanage.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/usermanage.te	2008-04-08 09:10:03.000000000 -0400
 @@ -97,6 +97,7 @@
  
  # allow checking if a shell is executable
@@ -2827,7 +2827,15 @@
  
  libs_use_ld_so(passwd_t)
  libs_use_shared_libs(passwd_t)
-@@ -503,6 +507,7 @@
+@@ -334,6 +338,7 @@
+ # user generally runs this from their home directory, so do not audit a search
+ # on user home dir
+ userdom_dontaudit_search_all_users_home_content(passwd_t)
++userdom_unpriv_users_stream_connect(passwd_t)
+ 
+ optional_policy(`
+ 	nscd_domtrans(passwd_t)
+@@ -503,6 +508,7 @@
  userdom_use_unpriv_users_fds(useradd_t)
  # for when /root is the cwd
  userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
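Review bot: The new `userdom_unpriv_users_stream_connect(passwd_t)` line has no comment and sits directly under the existing remark about not auditing home-directory searches, so a reader cannot tell why passwd needs to connect to user-domain stream sockets. Judging by the interface name, it covers the sockets of all unprivileged user domains rather than only the gnome-keyring one, which is broader than the log message suggests; confirm this against the interface definition, which is outside this hunk. I would add a line such as `# connect to the user's gnome-keyring daemon to update the keyring password` above it. The same interface is added for NetworkManager_t in the networkmanager.te hunk further down, which the log message does not mention at all.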
@@ -2835,7 +2843,7 @@
  # Add/remove user home directories
  userdom_home_filetrans_generic_user_home_dir(useradd_t)
  userdom_manage_all_users_home_content_dirs(useradd_t)
-@@ -525,6 +530,12 @@
+@@ -525,6 +531,12 @@
  ')
  
  optional_policy(`
@@ -5207,8 +5215,8 @@
 +HOME_DIR/\.local.*			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-04-05 07:58:19.000000000 -0400
-@@ -0,0 +1,352 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-04-08 13:32:39.000000000 -0400
+@@ -0,0 +1,353 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -5376,6 +5384,7 @@
 +	dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
 +	dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
 +	dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
++	dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
 +	dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
 +	dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
 +	dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
@@ -5563,8 +5572,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-04-06 06:06:06.000000000 -0400
-@@ -0,0 +1,187 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-04-08 13:28:42.000000000 -0400
+@@ -0,0 +1,188 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5630,6 +5639,7 @@
 +corenet_all_recvfrom_unlabeled(nsplugin_t)
 +corenet_all_recvfrom_netlabel(nsplugin_t)
 +corenet_tcp_connect_flash_port(nsplugin_t)
++corenet_tcp_connect_pulseaudio_port(nsplugin_t)
 +corenet_tcp_connect_http_port(nsplugin_t)
 +corenet_tcp_sendrecv_generic_if(nsplugin_t)
 +corenet_tcp_sendrecv_all_nodes(nsplugin_t)
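Review bot: `corenet_tcp_connect_pulseaudio_port(nsplugin_t)` is granted unconditionally, so the confined plugin domain may open TCP connections to the PulseAudio port, defined as tcp 4713 in the corenetwork.te.in hunk below. Together with the `corenet_tcp_sendrecv_all_nodes(nsplugin_t)` line that follows, the rule does not appear to be limited to a local sound server. The log message does not mention this wider network access. A comment stating the use case, e.g. `# sound output through a pulseaudio server`, plus a changelog entry would make it reviewable.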
@@ -6723,7 +6733,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in	2008-04-05 15:02:25.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in	2008-04-08 13:28:17.000000000 -0400
 @@ -75,6 +75,7 @@
  network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) 
  network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
@@ -6765,10 +6775,11 @@
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
  network_port(nessus, tcp,1241,s0)
-@@ -133,10 +139,12 @@
+@@ -133,10 +139,13 @@
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(postfix_policyd, tcp,10031,s0)
++network_port(pulseaudio, tcp,4713,s0)
 +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
@@ -6778,7 +6789,7 @@
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pxe, udp,4011,s0)
-@@ -148,11 +156,11 @@
+@@ -148,11 +157,11 @@
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -6792,7 +6803,7 @@
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
  network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
  network_port(spamd, tcp,783,s0)
-@@ -170,7 +178,12 @@
+@@ -170,7 +179,12 @@
  network_port(transproxy, tcp,8081,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -7382,13 +7393,12 @@
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.3.1/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.fc	2008-04-07 21:39:29.000000000 -0400
-@@ -31,7 +31,7 @@
- /boot/\.journal			<<none>>
++++ serefpolicy-3.3.1/policy/modules/kernel/files.fc	2008-04-08 13:17:18.000000000 -0400
+@@ -32,6 +32,7 @@
  /boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /boot/lost\+found/.*		<<none>>
--/boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
-+/boot(/.*)?/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
+ /boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
++/boot/efi(/.*)?/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
  
  #
  # /emul
@@ -10993,7 +11003,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-04-07 22:36:44.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-04-08 10:52:26.000000000 -0400
 @@ -13,6 +13,9 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
@@ -11033,7 +11043,7 @@
  # needs to read /var/lib/dbus/machine-id
  files_read_var_lib_files(consolekit_t)
  
-@@ -47,16 +57,37 @@
+@@ -47,23 +57,72 @@
  
  auth_use_nsswitch(consolekit_t)
  
@@ -11074,19 +11084,20 @@
  
  	optional_policy(`
  		unconfined_dbus_chat(consolekit_t)
-@@ -64,6 +95,33 @@
+ 	')
  ')
  
- optional_policy(`
++polkit_read_lib(consolekit_t)
++
++optional_policy(`
 +	polkit_domtrans_auth(consolekit_t)
-+	polkit_read_lib(consolekit_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
  	xserver_read_all_users_xauth(consolekit_t)
  	xserver_stream_connect_xdm_xserver(consolekit_t)
 +	xserver_ptrace_xdm(consolekit_t)
- ')
++')
 +
 +optional_policy(`
 +	#reading .Xauthity
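Review bot: `polkit_read_lib(consolekit_t)` is now called at the top level of consolekit.te, outside any `optional_policy` block, while `polkit_domtrans_auth(consolekit_t)` stays wrapped. That makes the consolekit module depend unconditionally on the polkit module's types, so a build without polkit would presumably fail to resolve them. Unless the hard dependency is intended, keep both calls in the same block by putting `polkit_read_lib(consolekit_t)` back after `polkit_domtrans_auth(consolekit_t)` inside the `optional_policy`. The block boundaries around it were also reshuffled here and continue outside the hunk, so the nesting is worth re-checking on the applied file.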
@@ -11101,7 +11112,7 @@
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_dontaudit_list_nfs(consolekit_t)
 +	fs_dontaudit_rw_nfs_files(consolekit_t)
-+')
+ ')
 +
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_dontaudit_list_cifs(consolekit_t)
@@ -11928,7 +11939,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cups.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.te	2008-04-08 11:43:01.000000000 -0400
 @@ -43,14 +43,13 @@
  
  type cupsd_var_run_t;
@@ -12073,7 +12084,7 @@
  files_list_world_readable(cupsd_t)
  files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
-@@ -195,15 +219,15 @@
+@@ -195,15 +219,16 @@
  files_read_var_symlinks(cupsd_t)
  # for /etc/printcap
  files_dontaudit_write_etc_files(cupsd_t)
@@ -12086,6 +12097,7 @@
 +selinux_validate_context(cupsd_t)
  
  init_exec_script_files(cupsd_t)
++init_read_utmp(cupsd_t)
  
 +auth_domtrans_chk_passwd(cupsd_t)
 +auth_dontaudit_read_pam_pid(cupsd_t)
@@ -12093,7 +12105,7 @@
  auth_use_nsswitch(cupsd_t)
  
  libs_use_ld_so(cupsd_t)
-@@ -219,17 +243,22 @@
+@@ -219,17 +244,22 @@
  miscfiles_read_fonts(cupsd_t)
  
  seutil_read_config(cupsd_t)
@@ -12118,7 +12130,7 @@
  ')
  
  optional_policy(`
-@@ -242,12 +271,21 @@
+@@ -242,12 +272,21 @@
  
  optional_policy(`
  	dbus_system_bus_client_template(cupsd,cupsd_t)
@@ -12140,7 +12152,7 @@
  ')
  
  optional_policy(`
-@@ -263,6 +301,10 @@
+@@ -263,6 +302,10 @@
  ')
  
  optional_policy(`
@@ -12151,7 +12163,7 @@
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
-@@ -326,6 +368,7 @@
+@@ -326,6 +369,7 @@
  dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
@@ -12159,7 +12171,7 @@
  
  fs_getattr_all_fs(cupsd_config_t)
  fs_search_auto_mountpoints(cupsd_config_t)
-@@ -353,6 +396,7 @@
+@@ -353,6 +397,7 @@
  logging_send_syslog_msg(cupsd_config_t)
  
  miscfiles_read_localization(cupsd_config_t)
@@ -12167,7 +12179,7 @@
  
  seutil_dontaudit_search_config(cupsd_config_t)
  
-@@ -372,6 +416,10 @@
+@@ -372,6 +417,10 @@
  ')
  
  optional_policy(`
@@ -12178,7 +12190,7 @@
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -387,6 +435,7 @@
+@@ -387,6 +436,7 @@
  optional_policy(`
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
@@ -12186,7 +12198,7 @@
  ')
  
  optional_policy(`
-@@ -499,15 +548,10 @@
+@@ -499,15 +549,10 @@
  allow hplip_t self:udp_socket create_socket_perms;
  allow hplip_t self:rawip_socket create_socket_perms;
  
@@ -12203,7 +12215,7 @@
  manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
  files_pid_filetrans(hplip_t,hplip_var_run_t,file)
  
-@@ -537,14 +581,14 @@
+@@ -537,14 +582,14 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -12220,7 +12232,7 @@
  domain_use_interactive_fds(hplip_t)
  
  files_read_etc_files(hplip_t)
-@@ -564,7 +608,8 @@
+@@ -564,7 +609,8 @@
  userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
  userdom_dontaudit_search_all_users_home_content(hplip_t)
  
@@ -12230,7 +12242,7 @@
  
  optional_policy(`
  	seutil_sigchld_newrole(hplip_t)
-@@ -645,3 +690,37 @@
+@@ -645,3 +691,39 @@
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -12268,6 +12280,8 @@
 +userdom_manage_generic_user_home_content_files(cups_pdf_t)
 +
 +lpd_manage_spool(cups_pdf_t)
++
++rw_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if
 --- nsaserefpolicy/policy/modules/services/cvs.if	2007-01-02 12:57:43.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/cvs.if	2008-04-04 12:06:55.000000000 -0400
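Review bot: `rw_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)` gives cups_pdf_t read and write access to the CUPS log files, so that domain can rewrite existing log content rather than only add to it. The lines above show cups_pdf_t also managing generic user home content, so it is a domain that handles user-supplied data. If it only needs to emit log lines, append-only access to cupsd_log_t would preserve log integrity. The rule is added without a comment; if logging is the reason, a line such as `# cups-pdf writes its messages to the cupsd log files` would record it.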
@@ -16394,7 +16408,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-04-08 10:11:15.000000000 -0400
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -16463,15 +16477,17 @@
  ')
  
  optional_policy(`
-@@ -73,6 +95,7 @@
+@@ -73,7 +95,9 @@
  
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
 +	cron_read_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
++	cron_dontaudit_write_system_job_tmp_files(system_mail_t)
  ')
  
-@@ -81,6 +104,11 @@
+ optional_policy(`
+@@ -81,6 +105,11 @@
  ')
  
  optional_policy(`
@@ -16483,7 +16499,7 @@
  	logrotate_read_tmp_files(system_mail_t)
  ')
  
-@@ -136,11 +164,38 @@
+@@ -136,11 +165,38 @@
  ')
  
  optional_policy(`
@@ -16523,7 +16539,7 @@
  optional_policy(`
  	# why is mail delivered to a directory of type arpwatch_data_t?
  	arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +209,4 @@
+@@ -154,3 +210,4 @@
  		cron_read_system_job_tmp_files(mta_user_agent)
  	')
  ')
@@ -17161,7 +17177,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-04-07 14:54:21.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-04-08 14:34:18.000000000 -0400
 @@ -13,6 +13,13 @@
  type NetworkManager_var_run_t;
  files_pid_file(NetworkManager_var_run_t)
@@ -17223,7 +17239,15 @@
  libs_use_ld_so(NetworkManager_t)
  libs_use_shared_libs(NetworkManager_t)
  
-@@ -129,21 +144,21 @@
+@@ -113,6 +128,7 @@
+ userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
+ # Read gnome-keyring
+ userdom_read_unpriv_users_home_content_files(NetworkManager_t)
++userdom_unpriv_users_stream_connect(NetworkManager_t)
+ 
+ optional_policy(`
+ 	bind_domtrans(NetworkManager_t)
+@@ -129,21 +145,21 @@
  ')
  
  optional_policy(`
@@ -17250,7 +17274,7 @@
  ')
  
  optional_policy(`
-@@ -155,19 +170,20 @@
+@@ -155,19 +171,20 @@
  	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
  	ppp_signal(NetworkManager_t)
@@ -19532,7 +19556,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.3.1/policy/modules/services/privoxy.fc
 --- nsaserefpolicy/policy/modules/services/privoxy.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc	2008-04-08 10:04:40.000000000 -0400
 @@ -1,6 +1,10 @@
  
  /etc/privoxy/user\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
@@ -28208,7 +28232,7 @@
 +/var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-04-08 14:25:58.000000000 -0400
 @@ -44,9 +44,9 @@
  # Cluster LVM daemon local policy
  #
@@ -28269,7 +28293,22 @@
  
  userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
  userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
-@@ -146,17 +159,19 @@
+@@ -136,6 +149,14 @@
+ ')
+ 
+ optional_policy(`
++	unconfined_domain(clvmd_t)
++')
++
++optional_policy(`
++	unconfined_domain(lvm_t)
++')
++
++optional_policy(`
+ 	udev_read_db(clvmd_t)
+ ')
+ 
+@@ -146,17 +167,19 @@
  
  # DAC overrides and mknod for modifying /dev entries (vgmknodes)
  # rawio needed for dmraid
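Review bot: The added `unconfined_domain(clvmd_t)` and `unconfined_domain(lvm_t)` calls make both LVM domains unconfined whenever the unconfined module is present, which removes the containment the rest of lvm.te exists to provide. Nothing in the log message explains this, and the new blocks carry no comment. If a specific denial prompted the change, the narrower fix is to allow that one access; if it is a temporary workaround, say so in place, e.g. `# FIXME: temporary, remove once <bug reference> is resolved`. The modutils.te hunk further down does the same with `unconfined_domain(depmod_t)`, under a comment that still reads "Read System.map from home directories" and beside an `unconfined_dontaudit_use_terminals(depmod_t)` line that the unconfined grant presumably makes redundant.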
@@ -28292,7 +28331,7 @@
  
  manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
  manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
-@@ -188,6 +203,7 @@
+@@ -188,6 +211,7 @@
  manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t)
  filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file)
  files_etc_filetrans(lvm_t,lvm_metadata_t,file)
@@ -28300,7 +28339,7 @@
  
  kernel_read_system_state(lvm_t)
  kernel_read_kernel_sysctls(lvm_t)
-@@ -204,7 +220,6 @@
+@@ -204,7 +228,6 @@
  selinux_compute_user_contexts(lvm_t)
  
  dev_create_generic_chr_files(lvm_t)
@@ -28308,7 +28347,7 @@
  dev_read_rand(lvm_t)
  dev_read_urand(lvm_t)
  dev_rw_lvm_control(lvm_t)
-@@ -224,6 +239,8 @@
+@@ -224,6 +247,8 @@
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -28317,7 +28356,7 @@
  
  fs_getattr_xattr_fs(lvm_t)
  fs_search_auto_mountpoints(lvm_t)
-@@ -242,6 +259,7 @@
+@@ -242,6 +267,7 @@
  storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
@@ -28325,7 +28364,7 @@
  
  term_getattr_all_user_ttys(lvm_t)
  term_list_ptys(lvm_t)
-@@ -250,6 +268,7 @@
+@@ -250,6 +276,7 @@
  
  domain_use_interactive_fds(lvm_t)
  
@@ -28333,7 +28372,7 @@
  files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
-@@ -271,6 +290,8 @@
+@@ -271,6 +298,8 @@
  seutil_search_default_contexts(lvm_t)
  seutil_sigchld_newrole(lvm_t)
  
@@ -28342,7 +28381,7 @@
  ifdef(`distro_redhat',`
  	# this is from the initrd:
  	files_rw_isid_type_dirs(lvm_t)
-@@ -289,5 +310,18 @@
+@@ -289,5 +318,18 @@
  ')
  
  optional_policy(`
@@ -28474,7 +28513,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/modutils.te	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/modutils.te	2008-04-08 14:30:44.000000000 -0400
 @@ -22,6 +22,8 @@
  type insmod_exec_t;
  application_domain(insmod_t,insmod_exec_t)
@@ -28600,12 +28639,13 @@
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(depmod_t)
-@@ -219,11 +243,12 @@
+@@ -219,11 +243,13 @@
  
  optional_policy(`
  	# Read System.map from home directories.
 -	unconfined_read_home_content_files(depmod_t)
 +	unconfined_dontaudit_use_terminals(depmod_t)
++	unconfined_domain(depmod_t)
  ')
  
  optional_policy(`
@@ -30756,7 +30796,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-07 22:54:48.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-08 14:33:30.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -31589,7 +31629,7 @@
  	userdom_base_user_template($1)
  
  	userdom_manage_home_template($1)
-@@ -923,70 +921,68 @@
+@@ -923,70 +921,69 @@
  
  	allow $1_t self:context contains;
  
@@ -31631,6 +31671,7 @@
  
 -	application_exec_all($1_t)
 +	auth_dontaudit_write_login_records($1_t)
++	auth_rw_cache($1_t)
  
  	# The library functions always try to open read-write first,
  	# then fall back to read-only if it fails. 
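Review bot: `auth_rw_cache($1_t)` is added inside a template body, so every user domain instantiated from that template gains read/write access to the authentication cache rather than one specific domain. The template's name and start are outside this hunk, so which roles are affected cannot be confirmed from here. The log message does not mention this grant. A comment above the line naming the consumer, for example `# <component> needs to update the auth cache`, would let a later reviewer decide whether read-only access is enough.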
@@ -31692,7 +31733,7 @@
  	')
  ')
  
-@@ -1020,9 +1016,6 @@
+@@ -1020,9 +1017,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -31702,7 +31743,7 @@
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1031,16 +1024,29 @@
+@@ -1031,16 +1025,29 @@
  	#
  
  	# privileged home directory writers
@@ -31738,7 +31779,7 @@
  ')
  
  #######################################
-@@ -1068,6 +1074,13 @@
+@@ -1068,6 +1075,13 @@
  
  	userdom_restricted_user_template($1)
  
@@ -31752,7 +31793,7 @@
  	userdom_xwindows_client_template($1)
  
  	##############################
-@@ -1076,14 +1089,16 @@
+@@ -1076,14 +1090,16 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -31774,7 +31815,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1091,32 +1106,29 @@
+@@ -1091,32 +1107,29 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -31818,7 +31859,7 @@
  	')
  ')
  
-@@ -1127,10 +1139,10 @@
+@@ -1127,10 +1140,10 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -31833,7 +31874,7 @@
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1164,7 +1176,6 @@
+@@ -1164,7 +1177,6 @@
  	# Need the following rule to allow users to run vpnc
  	corenet_tcp_bind_xserver_port($1_t)
  
@@ -31841,7 +31882,7 @@
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -1193,12 +1204,11 @@
+@@ -1193,12 +1205,11 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -31856,7 +31897,7 @@
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1207,7 +1217,27 @@
+@@ -1207,7 +1218,27 @@
  	')
  
  	optional_policy(`
@@ -31885,7 +31926,7 @@
  	')
  ')
  
-@@ -1284,8 +1314,6 @@
+@@ -1284,8 +1315,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -31894,7 +31935,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1307,8 +1335,6 @@
+@@ -1307,8 +1336,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -31903,7 +31944,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1363,13 +1389,6 @@
+@@ -1363,13 +1390,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -31917,7 +31958,7 @@
  	optional_policy(`
  		userhelper_exec($1_t)
  	')
-@@ -1422,6 +1441,7 @@
+@@ -1422,6 +1442,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -31925,7 +31966,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1787,10 +1807,14 @@
+@@ -1787,10 +1808,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -31941,7 +31982,7 @@
  ')
  
  ########################################
-@@ -1886,11 +1910,11 @@
+@@ -1886,11 +1911,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -31955,7 +31996,7 @@
  ')
  
  ########################################
-@@ -1920,11 +1944,11 @@
+@@ -1920,11 +1945,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -31969,7 +32010,7 @@
  ')
  
  ########################################
-@@ -1968,12 +1992,12 @@
+@@ -1968,12 +1993,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -31985,7 +32026,7 @@
  ')
  
  ########################################
-@@ -2003,10 +2027,11 @@
+@@ -2003,10 +2028,11 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -31999,7 +32040,7 @@
  ')
  
  ########################################
-@@ -2038,11 +2063,47 @@
+@@ -2038,11 +2064,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -32049,7 +32090,7 @@
  ')
  
  ########################################
-@@ -2074,10 +2135,10 @@
+@@ -2074,10 +2136,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -32062,7 +32103,7 @@
  ')
  
  ########################################
-@@ -2107,11 +2168,11 @@
+@@ -2107,11 +2169,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -32076,7 +32117,7 @@
  ')
  
  ########################################
-@@ -2141,11 +2202,11 @@
+@@ -2141,11 +2203,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -32091,7 +32132,7 @@
  ')
  
  ########################################
-@@ -2175,10 +2236,14 @@
+@@ -2175,10 +2237,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -32108,7 +32149,7 @@
  ')
  
  ########################################
-@@ -2208,11 +2273,11 @@
+@@ -2208,11 +2274,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -32122,7 +32163,7 @@
  ')
  
  ########################################
-@@ -2242,11 +2307,11 @@
+@@ -2242,11 +2308,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -32136,7 +32177,7 @@
  ')
  
  ########################################
-@@ -2276,10 +2341,10 @@
+@@ -2276,10 +2342,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -32149,7 +32190,7 @@
  ')
  
  ########################################
-@@ -2311,12 +2376,12 @@
+@@ -2311,12 +2377,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -32165,7 +32206,7 @@
  ')
  
  ########################################
-@@ -2348,10 +2413,10 @@
+@@ -2348,10 +2414,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -32178,7 +32219,7 @@
  ')
  
  ########################################
-@@ -2383,12 +2448,12 @@
+@@ -2383,12 +2449,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -32194,7 +32235,7 @@
  ')
  
  ########################################
-@@ -2420,12 +2485,12 @@
+@@ -2420,12 +2486,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -32210,7 +32251,7 @@
  ')
  
  ########################################
-@@ -2457,12 +2522,12 @@
+@@ -2457,12 +2523,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -32226,7 +32267,7 @@
  ')
  
  ########################################
-@@ -2507,11 +2572,11 @@
+@@ -2507,11 +2573,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -32240,7 +32281,7 @@
  ')
  
  ########################################
-@@ -2556,11 +2621,11 @@
+@@ -2556,11 +2622,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -32254,7 +32295,7 @@
  ')
  
  ########################################
-@@ -2600,11 +2665,11 @@
+@@ -2600,11 +2666,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -32268,7 +32309,7 @@
  ')
  
  ########################################
-@@ -2634,11 +2699,11 @@
+@@ -2634,11 +2700,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -32282,7 +32323,7 @@
  ')
  
  ########################################
-@@ -2668,11 +2733,11 @@
+@@ -2668,11 +2734,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -32296,7 +32337,7 @@
  ')
  
  ########################################
-@@ -2704,10 +2769,10 @@
+@@ -2704,10 +2770,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -32309,7 +32350,7 @@
  ')
  
  ########################################
-@@ -2739,10 +2804,10 @@
+@@ -2739,10 +2805,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -32322,7 +32363,7 @@
  ')
  
  ########################################
-@@ -2772,12 +2837,12 @@
+@@ -2772,12 +2838,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -32338,7 +32379,7 @@
  ')
  
  ########################################
-@@ -2809,10 +2874,10 @@
+@@ -2809,10 +2875,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -32351,7 +32392,7 @@
  ')
  
  ########################################
-@@ -2844,10 +2909,48 @@
+@@ -2844,10 +2910,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -32402,7 +32443,7 @@
  ')
  
  ########################################
-@@ -2877,12 +2980,12 @@
+@@ -2877,12 +2981,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -32418,7 +32459,7 @@
  ')
  
  ########################################
-@@ -2914,10 +3017,10 @@
+@@ -2914,10 +3018,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -32431,7 +32472,7 @@
  ')
  
  ########################################
-@@ -2949,12 +3052,12 @@
+@@ -2949,12 +3053,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -32447,7 +32488,7 @@
  ')
  
  ########################################
-@@ -2986,11 +3089,11 @@
+@@ -2986,11 +3090,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -32461,7 +32502,7 @@
  ')
  
  ########################################
-@@ -3022,11 +3125,11 @@
+@@ -3022,11 +3126,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -32475,7 +32516,7 @@
  ')
  
  ########################################
-@@ -3058,11 +3161,11 @@
+@@ -3058,11 +3162,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -32489,7 +32530,7 @@
  ')
  
  ########################################
-@@ -3094,11 +3197,11 @@
+@@ -3094,11 +3198,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -32503,7 +32544,7 @@
  ')
  
  ########################################
-@@ -3130,11 +3233,11 @@
+@@ -3130,11 +3234,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -32517,7 +32558,7 @@
  ')
  
  ########################################
-@@ -3179,10 +3282,10 @@
+@@ -3179,10 +3283,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -32530,7 +32571,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3223,10 +3326,10 @@
+@@ -3223,10 +3327,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -32543,7 +32584,7 @@
  ')
  
  ########################################
-@@ -3254,24 +3357,24 @@
+@@ -3254,24 +3358,24 @@
  ##	</summary>
  ## </param>
  #
@@ -32572,7 +32613,7 @@
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -3290,23 +3393,24 @@
+@@ -3290,23 +3394,24 @@
  ##	</summary>
  ## </param>
  #
@@ -32604,7 +32645,7 @@
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -3321,25 +3425,28 @@
+@@ -3321,25 +3426,28 @@
  ## </param>
  ## <param name="domain">
  ##	<summary>
@@ -32639,7 +32680,7 @@
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -3358,18 +3465,86 @@
+@@ -3358,18 +3466,86 @@
  ##	</summary>
  ## </param>
  #
@@ -32729,7 +32770,7 @@
  ## </summary>
  ## <desc>
  ##      <p>
-@@ -4231,11 +4406,11 @@
+@@ -4231,11 +4407,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -32743,7 +32784,7 @@
  ')
  
  ########################################
-@@ -4251,10 +4426,10 @@
+@@ -4251,10 +4427,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -32756,7 +32797,7 @@
  ')
  
  ########################################
-@@ -4270,11 +4445,11 @@
+@@ -4270,11 +4446,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -32770,7 +32811,7 @@
  ')
  
  ########################################
-@@ -4289,16 +4464,16 @@
+@@ -4289,16 +4465,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -32790,7 +32831,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4307,12 +4482,27 @@
+@@ -4307,12 +4483,27 @@
  ##	</summary>
  ## </param>
  #
@@ -32821,7 +32862,7 @@
  ')
  
  ########################################
-@@ -4327,13 +4517,13 @@
+@@ -4327,13 +4518,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -32839,7 +32880,7 @@
  ')
  
  ########################################
-@@ -4531,10 +4721,10 @@
+@@ -4531,10 +4722,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -32852,7 +32893,7 @@
  ')
  
  ########################################
-@@ -4551,10 +4741,10 @@
+@@ -4551,10 +4742,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -32865,7 +32906,7 @@
  ')
  
  ########################################
-@@ -4569,10 +4759,10 @@
+@@ -4569,10 +4760,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -32878,7 +32919,7 @@
  ')
  
  ########################################
-@@ -4588,10 +4778,10 @@
+@@ -4588,10 +4779,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -32891,7 +32932,7 @@
  ')
  
  ########################################
-@@ -4606,10 +4796,10 @@
+@@ -4606,10 +4797,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -32904,7 +32945,7 @@
  ')
  
  ########################################
-@@ -4625,10 +4815,10 @@
+@@ -4625,10 +4816,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -32917,7 +32958,7 @@
  ')
  
  ########################################
-@@ -4644,12 +4834,11 @@
+@@ -4644,12 +4835,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -32933,7 +32974,7 @@
  ')
  
  ########################################
-@@ -4676,10 +4865,10 @@
+@@ -4676,10 +4866,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -32946,7 +32987,7 @@
  ')
  
  ########################################
-@@ -4694,10 +4883,10 @@
+@@ -4694,10 +4884,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -32959,7 +33000,7 @@
  ')
  
  ########################################
-@@ -4712,13 +4901,13 @@
+@@ -4712,13 +4902,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -32977,7 +33018,7 @@
  ')
  
  ########################################
-@@ -4754,11 +4943,49 @@
+@@ -4754,11 +4944,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -33028,7 +33069,7 @@
  ')
  
  ########################################
-@@ -4778,6 +5005,14 @@
+@@ -4778,6 +5006,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -33043,7 +33084,7 @@
  ')
  
  ########################################
-@@ -4839,6 +5074,26 @@
+@@ -4839,6 +5075,26 @@
  
  ########################################
  ## <summary>
@@ -33070,7 +33111,7 @@
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4859,6 +5114,25 @@
+@@ -4859,6 +5115,25 @@
  
  ########################################
  ## <summary>
@@ -33096,7 +33137,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4879,6 +5153,26 @@
+@@ -4879,6 +5154,26 @@
  
  ########################################
  ## <summary>
@@ -33123,7 +33164,7 @@
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5409,7 @@
+@@ -5115,7 +5410,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -33132,7 +33173,7 @@
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5598,50 @@
+@@ -5304,6 +5599,50 @@
  
  ########################################
  ## <summary>
@@ -33183,7 +33224,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,6 +5847,42 @@
+@@ -5509,6 +5848,42 @@
  
  ########################################
  ## <summary>
@@ -33226,7 +33267,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5559,7 +5933,7 @@
+@@ -5559,7 +5934,7 @@
  		attribute userdomain;
  	')
  
@@ -33235,7 +33276,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -5674,7 +6048,7 @@
+@@ -5674,7 +6049,7 @@
  
  ########################################
  ## <summary>
@@ -33244,7 +33285,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5682,18 +6056,54 @@
+@@ -5682,18 +6057,54 @@
  ##	</summary>
  ## </param>
  #
@@ -33303,7 +33344,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5704,3 +6114,370 @@
+@@ -5704,3 +6115,370 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.647
retrieving revision 1.648
diff -u -r1.647 -r1.648
--- selinux-policy.spec	8 Apr 2008 03:17:46 -0000	1.647
+++ selinux-policy.spec	8 Apr 2008 19:17:28 -0000	1.648
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 29%{?dist}
+Release: 30%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@
 %endif
 
 %changelog
+* Tue Apr 8 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-30
+- Allow passwd to communicate with user sockets to change gnome-keyring
+
 * Sat Apr 5 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-29
 - Fix initial install
 



