rpms/selinux-policy/F-10 policy-20080710.patch, 1.104, 1.105 selinux-policy.spec, 1.754, 1.755
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Dec 1 22:28:59 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11194
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
* Thu Nov 27 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-27
- Allow iptables dac permissions
- Allow awstats to use inotify
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.104
retrieving revision 1.105
diff -u -r1.104 -r1.105
--- policy-20080710.patch 25 Nov 2008 18:31:43 -0000 1.104
+++ policy-20080710.patch 1 Dec 2008 22:28:27 -0000 1.105
@@ -1737,6 +1737,18 @@
## Send and receive messages from
## Vpnc over dbus.
## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.5.13/policy/modules/apps/awstats.te
+--- nsaserefpolicy/policy/modules/apps/awstats.te 2008-10-17 08:49:14.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/apps/awstats.te 2008-11-27 06:11:59.000000000 -0500
+@@ -47,6 +47,8 @@
+ # e.g. /usr/share/awstats/lang/awstats-en.txt
+ files_read_usr_files(awstats_t)
+
++fs_list_inotifyfs(awstats_t)
++
+ libs_read_lib_files(awstats_t)
+ libs_use_ld_so(awstats_t)
+ libs_use_shared_libs(awstats_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.13/policy/modules/apps/ethereal.fc
--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-10-17 08:49:14.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/apps/ethereal.fc 2008-11-24 10:49:49.000000000 -0500
@@ -4495,8 +4507,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-11-24 10:49:49.000000000 -0500
-@@ -0,0 +1,274 @@
++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-12-01 16:31:11.000000000 -0500
+@@ -0,0 +1,276 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -4732,6 +4744,7 @@
+unprivuser_read_home_content_files(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
++ fs_getattr_nfs(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_t)
+ fs_manage_nfs_files(nsplugin_t)
+ fs_read_nfs_symlinks(nsplugin_t)
@@ -4743,6 +4756,7 @@
+')
+
+tunable_policy(`use_samba_home_dirs',`
++ fs_getattr_cifs(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_t)
+ fs_manage_cifs_files(nsplugin_t)
+ fs_read_cifs_symlinks(nsplugin_t)
@@ -4770,7 +4784,7 @@
+ allow nsplugin_t unconfined_mono_t:process signull;
+')
+
-+
++unconfined_execmem_exec(nsplugin_t)
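Review bot: `unconfined_execmem_exec(nsplugin_t)` on the added line is an unconditional `can_exec` on execmem_exec_t (the interface body appears later in this same patch), so any program carrying that label runs inside nsplugin_t with no domain transition; whether nsplugin_t also holds `self:process execmem` is outside this hunk, but if it does, every execmem_exec_t binary becomes a way for a browser plugin to obtain writable-and-executable memory in the plugin domain. Nothing here records which plugin or helper needs this, and it is not gated by a tunable. A one-line comment naming the consumer, e.g. `# <plugin helper> is labelled execmem_exec_t and must run in nsplugin_t`, would let the next maintainer judge whether the grant is still required; if only one helper needs it, a dedicated type would be narrower than the whole execmem_exec_t class. The nsplugin_t policy this sits in begins outside the hunk.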
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.13/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.fc 2008-11-24 10:49:49.000000000 -0500
@@ -6480,7 +6494,7 @@
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-11-27 17:36:06.000000000 -0500
@@ -1441,10 +1441,11 @@
#
interface(`corenet_tcp_bind_all_unreserved_ports',`
@@ -6509,9 +6523,34 @@
')
########################################
+@@ -1560,6 +1562,24 @@
+
+ ########################################
+ ## <summary>
++## Getattr the point-to-point device.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corenet_getattr_ppp_dev',`
++ gen_require(`
++ type ppp_device_t;
++ ')
++
++ allow $1 ppp_device_t:chr_file getattr;
++')
++
++########################################
++## <summary>
+ ## Read and write the point-to-point device.
+ ## </summary>
+ ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-24 11:48:40.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-12-01 15:41:38.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.10.0)
@@ -6519,7 +6558,7 @@
########################################
#
-@@ -65,6 +65,7 @@
+@@ -65,10 +65,13 @@
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
@@ -6527,7 +6566,13 @@
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
-@@ -79,26 +80,31 @@
+ network_port(afs_vl, udp,7003,s0)
++network_port(agentx, udp,705,s0, tcp,705,s0)
++
+ network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+ network_port(amavisd_recv, tcp,10024,s0)
+ network_port(amavisd_send, tcp,10025,s0)
+@@ -79,26 +82,31 @@
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
@@ -6560,7 +6605,7 @@
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
-@@ -109,6 +115,7 @@
+@@ -109,6 +117,7 @@
network_port(ipp, tcp,631,s0, udp,631,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0)
@@ -6568,7 +6613,7 @@
network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
-@@ -117,6 +124,8 @@
+@@ -117,6 +126,8 @@
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@@ -6577,7 +6622,7 @@
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-@@ -126,6 +135,7 @@
+@@ -126,6 +137,7 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
@@ -6585,7 +6630,7 @@
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
-@@ -136,12 +146,21 @@
+@@ -136,12 +148,21 @@
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
@@ -6607,7 +6652,7 @@
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
-@@ -159,9 +178,10 @@
+@@ -159,9 +180,10 @@
network_port(rwho, udp,513,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -6619,7 +6664,7 @@
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -170,13 +190,16 @@
+@@ -170,13 +192,16 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -7340,7 +7385,7 @@
## all protocols (TCP, UDP, etc)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-12-01 16:51:03.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
@@ -7412,7 +7457,7 @@
+ cron_rw_pipes(domain)
+ifdef(`hide_broken_symptoms',`
+ cron_dontaudit_rw_tcp_sockets(domain)
-+ allow domain domain:key search;
++ allow domain domain:key { link search };
+')
+')
+
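Review bot: The changed rule `allow domain domain:key { link search };` is an `allow`, not a `dontaudit`, yet it sits under `ifdef(hide_broken_symptoms)`, which the neighbouring `cron_dontaudit_rw_tcp_sockets(domain)` uses only to silence denials; adding `link` here lets every domain attach every other domain's keys to keyrings, which as I read the key class is a real widening of access rather than noise suppression. If the goal is just to quiet cron-related keyring denials, `dontaudit domain domain:key { link search };` achieves that without granting anything; if cross-domain key linking is genuinely needed, it belongs outside the hide_broken_symptoms guard with a comment naming the caller that requires it. The enclosing optional_policy block starts outside the hunk.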
@@ -17844,7 +17889,7 @@
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-11-27 17:38:06.000000000 -0500
@@ -33,9 +33,9 @@
# networkmanager will ptrace itself if gdb is installed
@@ -17877,11 +17922,12 @@
corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +83,17 @@
+@@ -81,13 +83,18 @@
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t)
+corenet_rw_tun_tap_dev(NetworkManager_t)
++corenet_getattr_ppp_dev(NetworkManager_t)
dev_read_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
@@ -17895,7 +17941,7 @@
mls_file_read_all_levels(NetworkManager_t)
-@@ -104,9 +110,14 @@
+@@ -104,9 +111,14 @@
files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
@@ -17910,7 +17956,7 @@
libs_use_ld_so(NetworkManager_t)
libs_use_shared_libs(NetworkManager_t)
-@@ -119,27 +130,41 @@
+@@ -119,27 +131,41 @@
seutil_read_config(NetworkManager_t)
@@ -17959,7 +18005,7 @@
')
optional_policy(`
-@@ -151,8 +176,25 @@
+@@ -151,8 +177,25 @@
')
optional_policy(`
@@ -17987,7 +18033,7 @@
')
optional_policy(`
-@@ -160,23 +202,48 @@
+@@ -160,23 +203,48 @@
')
optional_policy(`
@@ -18038,7 +18084,7 @@
')
optional_policy(`
-@@ -194,7 +261,9 @@
+@@ -194,7 +262,9 @@
optional_policy(`
vpn_domtrans(NetworkManager_t)
@@ -22632,7 +22678,7 @@
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.13/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/ricci.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/ricci.te 2008-12-01 14:00:58.000000000 -0500
@@ -133,6 +133,8 @@
dev_read_urand(ricci_t)
@@ -22695,6 +22741,17 @@
#Needed for editing /etc/fstab
files_manage_etc_files(ricci_modstorage_t)
+@@ -473,6 +475,10 @@
+
+ modutils_read_module_deps(ricci_modstorage_t)
+
++consoletype_exec(ricci_modstorage_t)
++
++mount_domtrans(ricci_modstorage_t)
++
+ optional_policy(`
+ ccs_stream_connect(ricci_modstorage_t)
+ ccs_read_config(ricci_modstorage_t)
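Review bot: `mount_domtrans(ricci_modstorage_t)` hands ricci_modstorage_t (by its name, the storage module of the ricci cluster agent) a transition into mount_t, a much larger grant than the `/etc/fstab` editing the surrounding comment describes, and nothing in the hunk records which storage operation actually runs mount(8). A comment above the call such as `# storage module mounts/unmounts managed volumes via mount(8)` (with the real trigger substituted) would keep the grant reviewable; `consoletype_exec(ricci_modstorage_t)` raises the same "why" question but is far less privileged. The ricci_modstorage_t policy continues outside the hunk.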
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.13/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2008-10-17 08:49:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/rlogin.te 2008-11-24 10:49:49.000000000 -0500
@@ -24501,7 +24558,7 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.13/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/snmp.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/snmp.te 2008-12-01 15:41:14.000000000 -0500
@@ -9,6 +9,9 @@
type snmpd_exec_t;
init_daemon_domain(snmpd_t, snmpd_exec_t)
@@ -24537,7 +24594,15 @@
corecmd_exec_bin(snmpd_t)
corecmd_exec_shell(snmpd_t)
-@@ -76,13 +83,14 @@
+@@ -66,6 +73,7 @@
+ corenet_tcp_bind_snmp_port(snmpd_t)
+ corenet_udp_bind_snmp_port(snmpd_t)
+ corenet_sendrecv_snmp_server_packets(snmpd_t)
++corenet_tcp_connect_agentx_port(snmpd_t)
+
+ dev_list_sysfs(snmpd_t)
+ dev_read_sysfs(snmpd_t)
+@@ -76,13 +84,14 @@
domain_use_interactive_fds(snmpd_t)
domain_signull_all_domains(snmpd_t)
domain_read_all_domains_state(snmpd_t)
@@ -24554,7 +24619,7 @@
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
-@@ -94,6 +102,8 @@
+@@ -94,6 +103,8 @@
init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
@@ -24563,7 +24628,7 @@
libs_use_ld_so(snmpd_t)
libs_use_shared_libs(snmpd_t)
-@@ -121,7 +131,7 @@
+@@ -121,7 +132,7 @@
')
optional_policy(`
@@ -24572,7 +24637,7 @@
')
optional_policy(`
-@@ -152,3 +162,12 @@
+@@ -152,3 +163,12 @@
optional_policy(`
udev_read_db(snmpd_t)
')
@@ -26171,6 +26236,17 @@
+miscfiles_read_localization(ulogd_t)
+
+permissive ulogd_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.5.13/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/uucp.te 2008-11-25 14:26:42.000000000 -0500
+@@ -127,6 +127,7 @@
+
+ optional_policy(`
+ mta_send_mail(uux_t)
++ mta_read_queue(uux_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2008-10-17 08:49:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/virt.fc 2008-11-24 10:49:49.000000000 -0500
@@ -27854,7 +27930,7 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-25 11:13:22.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-27 06:38:45.000000000 -0500
@@ -8,6 +8,14 @@
## <desc>
@@ -28042,7 +28118,7 @@
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t)
-@@ -229,6 +309,7 @@
+@@ -229,11 +309,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@@ -28050,7 +28126,13 @@
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
-@@ -241,6 +322,7 @@
+ corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+
++dev_rwx_zero(xdm_t)
+ dev_read_rand(xdm_t)
+ dev_read_sysfs(xdm_t)
+ dev_getattr_framebuffer_dev(xdm_t)
+@@ -241,6 +323,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
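Review bot: `dev_rwx_zero(xdm_t)` on the added line grants xdm_t read/write/execute mapping of /dev/zero, which is effectively writable-and-executable anonymous memory obtained through the device; later in this same file the patch keeps `allow xdm_t self:process { execheap execmem }` behind `ifndef(distro_redhat)`, so on Red Hat builds this line quietly reopens a path the execmem denial was meant to close. If a specific display-manager component needs it, say so in a comment, e.g. `# <component> mmaps /dev/zero PROT_WRITE|PROT_EXEC`, and consider a tunable or a dedicated domain rather than granting it to xdm_t as a whole. The xdm_t block here starts and ends outside the hunk.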
@@ -28058,7 +28140,7 @@
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -253,14 +335,17 @@
+@@ -253,14 +336,17 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@@ -28078,7 +28160,7 @@
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -271,9 +356,13 @@
+@@ -271,9 +357,13 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -28092,7 +28174,7 @@
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -282,6 +371,7 @@
+@@ -282,6 +372,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28100,7 +28182,7 @@
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
-@@ -290,6 +380,7 @@
+@@ -290,6 +381,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -28108,7 +28190,7 @@
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -301,21 +392,26 @@
+@@ -301,21 +393,26 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -28140,7 +28222,7 @@
xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -348,10 +444,12 @@
+@@ -348,10 +445,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -28153,7 +28235,7 @@
')
optional_policy(`
-@@ -359,6 +457,22 @@
+@@ -359,6 +458,22 @@
')
optional_policy(`
@@ -28176,7 +28258,7 @@
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
-@@ -382,16 +496,34 @@
+@@ -382,16 +497,34 @@
')
optional_policy(`
@@ -28212,7 +28294,7 @@
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -411,6 +543,10 @@
+@@ -411,6 +544,10 @@
')
optional_policy(`
@@ -28223,7 +28305,7 @@
xfs_stream_connect(xdm_t)
')
-@@ -427,7 +563,7 @@
+@@ -427,7 +564,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -28232,7 +28314,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -439,6 +575,15 @@
+@@ -439,6 +576,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -28248,7 +28330,7 @@
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -450,10 +595,19 @@
+@@ -450,10 +596,19 @@
# xdm_xserver_t may no longer have any reason
# to read ROLE_home_t - examine this in more detail
# (xauth?)
@@ -28269,7 +28351,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
-@@ -468,8 +622,19 @@
+@@ -468,8 +623,19 @@
optional_policy(`
dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
@@ -28289,7 +28371,7 @@
optional_policy(`
resmgr_stream_connect(xdm_t)
-@@ -481,8 +646,25 @@
+@@ -481,8 +647,25 @@
')
optional_policy(`
@@ -28317,7 +28399,7 @@
ifndef(`distro_redhat',`
allow xdm_xserver_t self:process { execheap execmem };
-@@ -491,7 +673,6 @@
+@@ -491,7 +674,6 @@
ifdef(`distro_rhel4',`
allow xdm_xserver_t self:process { execheap execmem };
')
@@ -28325,7 +28407,7 @@
########################################
#
-@@ -512,6 +693,27 @@
+@@ -512,6 +694,27 @@
allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28353,7 +28435,7 @@
ifdef(`TODO',`
# Need to further investigate these permissions and
# perhaps define derived types.
-@@ -544,3 +746,73 @@
+@@ -544,3 +747,73 @@
#
allow pam_t xdm_t:fifo_file { getattr ioctl write };
') dnl end TODO
@@ -29696,8 +29778,14 @@
allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.5.13/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/iptables.te 2008-11-24 14:40:10.000000000 -0500
-@@ -27,7 +27,7 @@
++++ serefpolicy-3.5.13/policy/modules/system/iptables.te 2008-11-27 06:12:54.000000000 -0500
+@@ -22,12 +22,12 @@
+ # Iptables local policy
+ #
+
+-allow iptables_t self:capability { net_admin net_raw };
++allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
+ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:rawip_socket create_socket_perms;
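Review bot: The new capability set on `allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };` includes dac_override, which bypasses every DAC check including writes, while the build's changelog only says "Allow iptables dac permissions" and gives no path. If the trigger was iptables-restore or a helper script reading a mode-0600 file owned by another uid, dac_read_search alone covers it and the narrower rule is `allow iptables_t self:capability { dac_read_search net_admin net_raw };`; if dac_override is really required, a comment naming the write that needs it would keep the grant reviewable. Combining net_admin with an unrestricted DAC bypass removes DAC as a second line of defence for a domain that already rewrites the firewall, so it is worth pinning down. The rest of the iptables_t local policy is outside the hunk.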
@@ -29737,7 +29825,7 @@
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-01 16:41:03.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -29754,7 +29842,22 @@
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
-@@ -84,7 +87,8 @@
+@@ -75,16 +78,18 @@
+ /opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/opt/RealPlayer/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ ')
++/opt/(real/)?RealPlayer/codecs(/.*)? gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/(real/)?RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/opt/(real/)?RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/opt/(real/)?RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/opt/(real/)?RealPlayer/plugins(/.*)? gen_context(system_u:object_r:textrel_shlib_t,s0)
++
ifdef(`distro_redhat',`
/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
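Review bot: The relocated entries `/opt/(real/)?RealPlayer/codecs(/.*)?` and `/opt/(real/)?RealPlayer/plugins(/.*)?` now carry textrel_shlib_t with no `--` file-class qualifier, so the directories and every non-library file beneath them receive the text-relocation type, not just the shared objects; the netscape lines just above (`/opt/netscape/plugins/libflashplayer\.so -- ...textrel_shlib_t`) restrict the type to the file that needs it. Narrowing to `/opt/(real/)?RealPlayer/codecs/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` (and the same for plugins) while leaving the directory patterns on lib_t keeps the execmod allowance on the objects that need it. Note also that placing the five lines after the `')` takes them out of the distro_gentoo block, so they now apply to every distro; presumably intended for Fedora, but a comment would make that explicit.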
@@ -29764,7 +29867,7 @@
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -115,9 +119,17 @@
+@@ -115,9 +120,17 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -29782,7 +29885,7 @@
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -127,12 +139,14 @@
+@@ -127,12 +140,14 @@
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -29797,7 +29900,7 @@
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -168,7 +182,8 @@
+@@ -168,7 +183,8 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -29807,7 +29910,7 @@
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -187,6 +202,7 @@
+@@ -187,6 +203,7 @@
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -29815,7 +29918,7 @@
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -246,7 +262,7 @@
+@@ -246,7 +263,7 @@
# Flash plugin, Macromedia
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -29824,7 +29927,7 @@
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +283,8 @@
+@@ -267,6 +284,8 @@
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -29833,7 +29936,7 @@
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +309,8 @@
+@@ -291,6 +310,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -29842,7 +29945,7 @@
') dnl end distro_redhat
#
-@@ -310,3 +330,19 @@
+@@ -310,3 +331,21 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -29862,6 +29965,8 @@
+/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-17 08:49:13.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/libraries.te 2008-11-24 10:49:49.000000000 -0500
@@ -30520,7 +30625,7 @@
samba_run_smbmount($1, $2, $3)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-27 06:39:45.000000000 -0500
@@ -18,17 +18,18 @@
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
@@ -30647,7 +30752,22 @@
')
optional_policy(`
-@@ -181,6 +198,11 @@
+@@ -174,6 +191,14 @@
+ ')
+
+ optional_policy(`
++ dbus_system_bus_client_template(mount, mount_t)
++
++ optional_policy(`
++ hal_dbus_chat(mount_t)
++ ')
++')
++
++optional_policy(`
+ ifdef(`hide_broken_symptoms',`
+ # for a bug in the X server
+ rhgb_dontaudit_rw_stream_sockets(mount_t)
+@@ -181,6 +206,11 @@
')
')
@@ -30659,7 +30779,7 @@
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -188,6 +210,7 @@
+@@ -188,6 +218,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -30667,14 +30787,14 @@
')
########################################
-@@ -198,4 +221,26 @@
+@@ -198,4 +229,26 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
+ optional_policy(`
+ hal_dbus_chat(unconfined_mount_t)
-+ ')
')
++')
+
+########################################
+#
@@ -31876,7 +31996,7 @@
xen_append_log(ifconfig_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.5.13/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-11-25 16:15:15.000000000 -0500
@@ -13,8 +13,11 @@
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -31888,7 +32008,7 @@
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
+
-+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
++/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.13/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2008-10-17 08:49:13.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/udev.if 2008-11-24 10:49:49.000000000 -0500
@@ -32049,7 +32169,7 @@
+/usr/lib(64)?/gcl-[^/]+/unixport/saved_.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.13/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.if 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.if 2008-12-01 16:30:54.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -32129,7 +32249,7 @@
## Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
-@@ -654,3 +678,248 @@
+@@ -654,3 +678,267 @@
allow $1 unconfined_tmp_t:file { getattr write append };
')
@@ -32209,6 +32329,25 @@
+
+########################################
+## <summary>
++## execute the execmem applications
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_execmem_exec',`
++
++ gen_require(`
++ type execmem_exec_t;
++ ')
++
++ can_exec($1, execmem_exec_t)
++')
++
++########################################
++## <summary>
+## allow attempts to use unconfined ttys and ptys.
+## </summary>
+## <param name="domain">
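Review bot: The summary `## execute the execmem applications` undersells what a caller of unconfined_execmem_exec gets: the body is `can_exec($1, execmem_exec_t)`, so there is no domain transition, the execmem_exec_t program runs in the caller's own domain, and it only buys anything if that domain already holds `self:process execmem`, while obliging the caller to trust everything labelled execmem_exec_t. Suggest rewording to `## Execute execmem_exec_t programs in the caller's domain (no transition).` and adding a short `<desc>` noting that the calling domain needs its own execmem permission and that the rule widens what can run in that domain. Style-wise, the blank line between `interface(` and `gen_require(` is not used by the corenet_getattr_ppp_dev interface added earlier in this patch.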
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.754
retrieving revision 1.755
diff -u -r1.754 -r1.755
--- selinux-policy.spec 25 Nov 2008 18:31:43 -0000 1.754
+++ selinux-policy.spec 1 Dec 2008 22:28:28 -0000 1.755
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 26%{?dist}
+Release: 27%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -457,6 +457,11 @@
%endif
%changelog
+* Thu Nov 27 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-27
+- Allow iptables dac permissions
+- Allow awstates to use inotify
+
+
* Tue Nov 25 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-26
- Allow dhcpc to read ypbind.pid