rpms/selinux-policy/devel policy-20081111.patch, 1.3, 1.4 selinux-policy.spec, 1.747, 1.748 policy-20080710.patch, 1.92, NONE
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Dec 3 22:18:32 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv899
Modified Files:
policy-20081111.patch selinux-policy.spec
Removed Files:
policy-20080710.patch
Log Message:
* Wed Dec 3 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-3
- Cleanup policy
policy-20081111.patch:
Index: policy-20081111.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20081111.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- policy-20081111.patch 2 Dec 2008 19:59:35 -0000 1.3
+++ policy-20081111.patch 3 Dec 2008 22:18:31 -0000 1.4
@@ -1102,7 +1102,7 @@
java_domtrans_unconfined(rpm_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.1/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-12-03 14:12:34.000000000 -0500
@@ -51,7 +51,7 @@
#
@@ -1112,7 +1112,7 @@
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
-@@ -64,33 +64,36 @@
+@@ -64,33 +64,37 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
@@ -1137,6 +1137,7 @@
dev_read_urand($1_sudo_t)
+ dev_rw_generic_usb_dev($1_sudo_t)
++ dev_list_sysfs($1_sudo_t)
fs_search_auto_mountpoints($1_sudo_t)
fs_getattr_xattr_fs($1_sudo_t)
@@ -1153,7 +1154,7 @@
domain_use_interactive_fds($1_sudo_t)
domain_sigchld_interactive_fds($1_sudo_t)
-@@ -102,9 +105,11 @@
+@@ -102,9 +106,11 @@
files_getattr_usr_files($1_sudo_t)
# for some PAM modules and for cwd
files_dontaudit_search_home($1_sudo_t)
@@ -1165,7 +1166,7 @@
logging_send_syslog_msg($1_sudo_t)
miscfiles_read_localization($1_sudo_t)
-@@ -114,6 +119,30 @@
+@@ -114,6 +120,30 @@
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
@@ -1456,8 +1457,8 @@
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.1/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-11-25 09:45:43.000000000 -0500
-@@ -91,3 +91,106 @@
++++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-12-03 16:50:28.000000000 -0500
+@@ -91,3 +91,131 @@
allow $1 gnome_home_t:file manage_file_perms;
userdom_search_user_home_dirs($1)
')
@@ -1506,6 +1507,30 @@
+
+########################################
+## <summary>
++## read gconf config files
++## </summary>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++#
++template(`gnome_read_gconf_config',`
++ gen_require(`
++ type gconf_etc_t;
++ ')
++
++ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
++')
++
++########################################
++## <summary>
+## Execute gconf programs in
+## in the caller domain.
+## </summary>
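Review bot: The parameter documentation on the new gnome_read_gconf_config block does not match its body: it documents two parameters (`userdomain_prefix` and `user_domain`), but the only use is `read_files_pattern($1, gconf_etc_t, gconf_etc_t)`, which treats `$1` as a domain type, and the caller this commit adds in the xserver.te hunk at 21006 passes a single type, `gnome_read_gconf_config(xdm_t)`. A reader following the docs would pass a prefix and get a rule that does not compile or targets the wrong type. Since it derives no per-user types it should be declared with `interface` rather than `template`, documented with one `<param name="domain">` whose summary reads `Domain allowed access.`, and the prefix parameter block dropped.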
@@ -1538,6 +1563,7 @@
+ type gconf_home_t;
+ ')
+
++ allow $1 gconf_home_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
@@ -2113,6 +2139,17 @@
userdom_search_user_home_dirs($1)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.1/policy/modules/apps/mozilla.te
+--- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-11-11 16:13:42.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/apps/mozilla.te 2008-12-03 09:00:27.000000000 -0500
+@@ -105,6 +105,7 @@
+ # Should not need other ports
+ corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+ corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
++corenet_tcp_connect_speech_port(mozilla_t)
+
+ dev_read_urand(mozilla_t)
+ dev_read_rand(mozilla_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.6.1/policy/modules/apps/mplayer.fc
--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-11-11 16:13:42.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/apps/mplayer.fc 2008-11-25 09:45:43.000000000 -0500
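Review bot: `corenet_tcp_connect_speech_port(mozilla_t)` is placed directly under the comment `# Should not need other ports` and the two dontaudit rules that comment explains, so the comment now reads as contradicted by the line beneath it. Either move the allow below `dev_read_urand(mozilla_t)` with its own why-comment naming the speech service the port serves, or reword the existing comment. The same placement question applies to `corenet_tcp_connect_speech_port(nsplugin_t)` in the nsplugin.te hunk at 2511. Both interfaces exist only because this commit also adds `network_port(speech, tcp,8036,s0)` in corenetwork.te.in, so the three hunks have to land together.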
@@ -2425,8 +2462,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te 2008-12-01 16:31:07.000000000 -0500
-@@ -0,0 +1,272 @@
++++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te 2008-12-03 09:00:12.000000000 -0500
+@@ -0,0 +1,273 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -2511,6 +2548,7 @@
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
+corenet_tcp_connect_ipp_port(nsplugin_t)
++corenet_tcp_connect_speech_port(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
@@ -3851,7 +3889,7 @@
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-11-12 09:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in 2008-12-01 15:41:36.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in 2008-12-03 08:59:59.000000000 -0500
@@ -65,10 +65,12 @@
type server_packet_t, packet_type, server_packet_type;
@@ -3935,19 +3973,20 @@
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
-@@ -160,9 +179,10 @@
+@@ -160,9 +179,11 @@
network_port(rwho, udp,513,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
network_port(spamd, tcp,783,s0)
++network_port(speech, tcp,8036,s0)
network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -171,13 +191,16 @@
+@@ -171,13 +192,16 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -4668,7 +4707,7 @@
## all protocols (TCP, UDP, etc)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.1/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/kernel/domain.te 2008-12-01 16:50:59.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/kernel/domain.te 2008-12-03 15:24:41.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
@@ -9666,7 +9705,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.1/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/cron.te 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/cron.te 2008-12-03 14:11:06.000000000 -0500
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -9687,12 +9726,13 @@
type crond_var_run_t;
files_pid_file(crond_var_run_t)
-@@ -103,6 +109,12 @@
+@@ -103,6 +109,13 @@
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
++typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
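Review bot: `typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;` is added with no comment saying which existing label it preserves, so a later cleanup could drop it without knowing what breaks. A one-liner such as `# keep the old system_crond_var_lib_t label valid for already-labeled /var/lib content` (adjusted to the real reason) is enough. The same applies to `typealias dbusd_exec_t alias system_dbusd_exec_t;` in the dbus.te hunk at 10676.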
@@ -9700,7 +9740,7 @@
########################################
#
# Admin crontab local policy
-@@ -130,7 +142,7 @@
+@@ -130,7 +143,7 @@
# Cron daemon local policy
#
@@ -9709,7 +9749,7 @@
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
-@@ -149,15 +161,14 @@
+@@ -149,15 +162,14 @@
allow crond_t crond_var_run_t:file manage_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
@@ -9728,7 +9768,7 @@
kernel_read_kernel_sysctls(crond_t)
kernel_search_key(crond_t)
-@@ -183,6 +194,8 @@
+@@ -183,6 +195,8 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
@@ -9737,7 +9777,7 @@
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
-@@ -192,10 +205,13 @@
+@@ -192,10 +206,13 @@
files_search_default(crond_t)
init_rw_utmp(crond_t)
@@ -9751,7 +9791,7 @@
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -208,6 +224,7 @@
+@@ -208,6 +225,7 @@
userdom_list_user_home_dirs(crond_t)
mta_send_mail(crond_t)
@@ -9759,7 +9799,7 @@
ifdef(`distro_debian',`
# pam_limits is used
-@@ -227,21 +244,45 @@
+@@ -227,21 +245,45 @@
')
')
@@ -9806,7 +9846,7 @@
')
optional_policy(`
-@@ -283,6 +324,9 @@
+@@ -283,6 +325,9 @@
allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
@@ -9816,7 +9856,7 @@
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
-@@ -314,9 +358,13 @@
+@@ -314,9 +359,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -9831,7 +9871,7 @@
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -370,7 +418,8 @@
+@@ -370,7 +419,8 @@
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -9841,7 +9881,7 @@
auth_use_nsswitch(system_cronjob_t)
-@@ -378,6 +427,7 @@
+@@ -378,6 +428,7 @@
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
@@ -9849,7 +9889,7 @@
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
-@@ -428,11 +478,20 @@
+@@ -428,11 +479,20 @@
')
optional_policy(`
@@ -9870,7 +9910,7 @@
')
optional_policy(`
-@@ -460,8 +519,7 @@
+@@ -460,8 +520,7 @@
')
optional_policy(`
@@ -9880,7 +9920,7 @@
')
optional_policy(`
-@@ -469,17 +527,11 @@
+@@ -469,17 +528,11 @@
')
optional_policy(`
@@ -10661,8 +10701,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.1/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/dbus.te 2008-11-25 09:45:43.000000000 -0500
-@@ -9,11 +9,11 @@
++++ serefpolicy-3.6.1/policy/modules/services/dbus.te 2008-12-03 14:17:27.000000000 -0500
+@@ -9,14 +9,15 @@
#
# Delcarations
#
@@ -10676,7 +10716,11 @@
type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
-@@ -31,11 +31,23 @@
++typealias dbusd_exec_t alias system_dbusd_exec_t;
+
+ type session_dbusd_tmp_t;
+ typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
+@@ -31,11 +32,23 @@
files_tmp_file(system_dbusd_tmp_t)
type system_dbusd_var_lib_t;
@@ -10701,7 +10745,7 @@
##############################
#
# System bus local policy
-@@ -45,7 +57,7 @@
+@@ -45,7 +58,7 @@
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
@@ -10710,7 +10754,7 @@
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -53,6 +65,8 @@
+@@ -53,6 +66,8 @@
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
@@ -10719,7 +10763,7 @@
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-@@ -75,6 +89,8 @@
+@@ -75,6 +90,8 @@
fs_getattr_all_fs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
@@ -10728,7 +10772,7 @@
selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
-@@ -91,7 +107,6 @@
+@@ -91,7 +108,6 @@
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
@@ -10736,7 +10780,7 @@
domain_use_interactive_fds(system_dbusd_t)
-@@ -101,6 +116,8 @@
+@@ -101,6 +117,8 @@
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
@@ -10745,7 +10789,7 @@
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -128,9 +145,34 @@
+@@ -128,9 +146,34 @@
')
optional_policy(`
@@ -12422,7 +12466,7 @@
-#')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.1/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/mta.if 2008-11-25 14:26:16.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/mta.if 2008-12-03 16:44:26.000000000 -0500
@@ -130,6 +130,15 @@
sendmail_create_log($1_mail_t)
')
@@ -12461,6 +12505,15 @@
')
')
+@@ -612,7 +624,7 @@
+ ')
+
+ files_dontaudit_search_spool($1)
+- dontaudit $1 mail_spool_t:dir search;
++ dontaudit $1 mail_spool_t:dir search_dir_perms;
+ dontaudit $1 mail_spool_t:lnk_file read;
+ dontaudit $1 mail_spool_t:file getattr;
+ ')
@@ -665,7 +677,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -12749,7 +12802,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-02 15:10:58.000000000 -0500
@@ -13,6 +13,9 @@
type munin_etc_t alias lrrd_etc_t;
files_config_file(munin_etc_t)
@@ -12802,7 +12855,7 @@
corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t)
-@@ -73,24 +82,34 @@
+@@ -73,24 +82,35 @@
corenet_udp_sendrecv_all_nodes(munin_t)
corenet_tcp_sendrecv_all_ports(munin_t)
corenet_udp_sendrecv_all_ports(munin_t)
@@ -12828,6 +12881,7 @@
+auth_use_nsswitch(munin_t)
+
logging_send_syslog_msg(munin_t)
++logging_read_all_logs(munin_t)
+miscfiles_read_fonts(munin_t)
miscfiles_read_localization(munin_t)
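Review bot: `logging_read_all_logs(munin_t)` is a broad grant: as far as I recall it covers every type carrying the logfile attribute, the audit log included, and nothing in the hunk says which plugin needs it. If only specific logs are monitored, a per-service read interface is tighter; and the existing optional `sendmail_read_log(munin_t)` further down this file becomes redundant once all logs are readable, so one of the two should go. At minimum add a why-comment, e.g. `# munin log plugins read arbitrary files under /var/log`. The hunk at 12849 adding `mta_read_queue(munin_t)` raises the same breadth question for mail queue contents.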
@@ -12838,7 +12892,7 @@
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
-@@ -105,7 +124,21 @@
+@@ -105,7 +125,30 @@
')
optional_policy(`
@@ -12849,6 +12903,7 @@
+optional_policy(`
+ mta_read_config(munin_t)
+ mta_send_mail(munin_t)
++ mta_read_queue(munin_t)
+')
+
+optional_policy(`
@@ -12857,11 +12912,19 @@
+')
+
+optional_policy(`
++ postfix_list_spool(munin_t)
++')
++
++optional_policy(`
++ rpc_search_nfs_state_data(munin_t)
++')
++
++optional_policy(`
+ sendmail_read_log(munin_t)
')
optional_policy(`
-@@ -115,3 +148,9 @@
+@@ -115,3 +158,10 @@
optional_policy(`
udev_read_db(munin_t)
')
@@ -12871,6 +12934,7 @@
+
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.1/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.1/policy/modules/services/nagios.fc 2008-11-25 09:45:43.000000000 -0500
@@ -13904,6 +13968,29 @@
term_use_ptmx(ntpd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.1/policy/modules/services/nx.te
+--- nsaserefpolicy/policy/modules/services/nx.te 2008-11-11 16:13:47.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/nx.te 2008-12-03 14:42:01.000000000 -0500
+@@ -25,6 +25,9 @@
+ type nx_server_var_run_t;
+ files_pid_file(nx_server_var_run_t)
+
++type nx_server_home_ssh_t;
++files_type(nx_server_home_ssh_t)
++
+ ########################################
+ #
+ # NX server local policy
+@@ -44,6 +47,9 @@
+ manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
+ files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+
++manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
++manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
++
+ kernel_read_system_state(nx_server_t)
+ kernel_read_kernel_sysctls(nx_server_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.1/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.1/policy/modules/services/oddjob.fc 2008-11-25 09:45:43.000000000 -0500
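Review bot: The new type `nx_server_home_ssh_t` is declared with `files_type` and given manage rules, but nothing in this hunk assigns the label: there is no filetrans rule for files nx_server_t creates, and I see no nx.fc entry in this diff (it may be elsewhere in the patch — please confirm). Without either, content the server creates takes the parent directory's type and the two manage_*_pattern rules are dead. Given the name suggests SSH key material for the nx account, a comment stating what lives there and how it gets labeled, e.g. `# ~nx/.ssh contents managed by nxserver; labeled via nx.fc`, would help the next reader.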
@@ -14078,7 +14165,7 @@
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.1/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/openvpn.te 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/openvpn.te 2008-12-03 10:19:06.000000000 -0500
@@ -22,6 +22,9 @@
type openvpn_etc_t;
files_config_file(openvpn_etc_t)
@@ -14089,7 +14176,15 @@
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
-@@ -47,10 +50,11 @@
+@@ -40,6 +43,7 @@
+
+ allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+ allow openvpn_t self:process { signal getsched };
++allow openvpn_t self:fifo_file rw_fifo_file_perms;
+
+ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -47,10 +51,11 @@
allow openvpn_t self:tcp_socket server_stream_socket_perms;
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -14103,6 +14198,15 @@
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
+@@ -99,6 +104,8 @@
+
+ sysnet_dns_name_resolve(openvpn_t)
+ sysnet_exec_ifconfig(openvpn_t)
++sysnet_write_config(openvpn_t)
++sysnet_etc_filetrans_config(openvpn_t)
+
+ userdom_use_user_terminals(openvpn_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.1/policy/modules/services/pads.fc
--- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/pads.fc 2008-11-25 09:45:43.000000000 -0500
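Review bot: `sysnet_write_config(openvpn_t)` together with `sysnet_etc_filetrans_config(openvpn_t)` lets the VPN daemon rewrite host network configuration under /etc, a meaningful widening for a network-facing daemon, and the hunk gives no reason. Presumably this is for DNS settings pushed by the server being applied through an up/down script; if so, say so: `# up/down scripts rewrite resolv.conf with server-pushed DNS`. If the write is only needed when such scripts are configured, gating the two rules behind a tunable would keep the default policy tighter. The `self:fifo_file rw_fifo_file_perms` addition in the hunk at 14089 is harmless but would also read better with a one-line comment.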
@@ -15863,7 +15967,7 @@
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.1/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2008-11-11 16:13:45.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/postfix.if 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/postfix.if 2008-12-02 15:09:03.000000000 -0500
@@ -174,9 +174,8 @@
type postfix_etc_t;
')
@@ -19061,13 +19165,14 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.1/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/spamassassin.fc 2008-11-25 14:04:31.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/spamassassin.fc 2008-12-03 14:18:14.000000000 -0500
@@ -1,15 +1,24 @@
- HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
-
+-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
++HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++
+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-+
+
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
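Review bot: Changing `HOME_DIR/\.spamassassin(/.*)?` from `spamassassin_home_t` to `spamc_home_t` relabels every user's Bayes database and user_prefs, but files already on disk keep the old label until a relabel runs. Unless spamassassin.te keeps `spamassassin_home_t` as a typealias of `spamc_home_t` (not visible in this diff — please confirm), existing users will see spamc denied on its own data after the update. If the alias is there, a short comment next to it noting the rename would save the next reader the same check.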
@@ -19180,7 +19285,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.1/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/spamassassin.te 2008-11-25 14:02:44.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/spamassassin.te 2008-12-03 09:05:00.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(spamassassin, 2.0.1)
@@ -19243,7 +19348,15 @@
type spamd_spool_t;
files_type(spamd_spool_t)
-@@ -221,11 +257,19 @@
+@@ -159,6 +195,7 @@
+ corenet_udp_sendrecv_all_ports(spamassassin_t)
+ corenet_tcp_connect_all_ports(spamassassin_t)
+ corenet_sendrecv_all_client_packets(spamassassin_t)
++ corenet_udp_bind_all_nodes(spamassassin_t)
+
+ sysnet_read_config(spamassassin_t)
+ ')
+@@ -221,11 +258,20 @@
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
@@ -19257,13 +19370,14 @@
# Allow connecting to a local spamd
allow spamc_t spamd_t:unix_stream_socket connectto;
allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
++spamd_stream_connect(spamc_t)
kernel_read_kernel_sysctls(spamc_t)
+kernel_read_system_state(spamc_t)
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -255,9 +299,15 @@
+@@ -255,9 +301,15 @@
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
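Review bot: `spamd_stream_connect(spamc_t)` is an interface of this same module called from spamassassin.te, which refpolicy style avoids — a module writes its own rules directly and leaves interfaces for other modules. It also duplicates the two explicit rules immediately above it, `allow spamc_t spamd_t:unix_stream_socket connectto;` and `allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;`, so either those two lines or the interface call should go, keeping whichever matches the socket location actually used. The `corenet_udp_bind_all_nodes(spamassassin_t)` addition in the hunk at 19243 appears to sit inside an indented block whose opening is outside that hunk, so I could not check which tunable it falls under.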
@@ -19279,7 +19393,7 @@
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -265,31 +315,34 @@
+@@ -265,31 +317,34 @@
sysnet_read_config(spamc_t)
@@ -19326,7 +19440,7 @@
')
########################################
-@@ -301,7 +354,7 @@
+@@ -301,7 +356,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -19335,7 +19449,7 @@
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -317,10 +370,13 @@
+@@ -317,10 +372,13 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -19350,7 +19464,7 @@
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -329,10 +385,11 @@
+@@ -329,10 +387,11 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -19363,7 +19477,7 @@
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -382,22 +439,27 @@
+@@ -382,22 +441,27 @@
init_dontaudit_rw_utmp(spamd_t)
@@ -19395,7 +19509,7 @@
fs_manage_cifs_files(spamd_t)
')
-@@ -415,6 +477,7 @@
+@@ -415,6 +479,7 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -19403,7 +19517,7 @@
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -424,10 +487,6 @@
+@@ -424,10 +489,6 @@
')
optional_policy(`
@@ -19414,7 +19528,7 @@
postfix_read_config(spamd_t)
')
-@@ -442,6 +501,10 @@
+@@ -442,6 +503,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -20360,7 +20474,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/xserver.if 2008-11-25 11:11:15.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/xserver.if 2008-12-03 16:42:08.000000000 -0500
@@ -397,11 +397,12 @@
gen_require(`
type xdm_t, xdm_tmp_t;
@@ -20745,7 +20859,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-11-18 18:57:20.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-11-27 06:23:46.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-03 16:48:20.000000000 -0500
@@ -34,6 +34,13 @@
## <desc>
@@ -20760,6 +20874,66 @@
## Allow xdm logins as sysadm
## </p>
## </desc>
+@@ -65,14 +72,14 @@
+
+ type iceauth_t;
+ type iceauth_exec_t;
+-typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
++typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t xguest_iceauth_t };
+ typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
+ application_domain(iceauth_t, iceauth_exec_t)
+ ubac_constrained(iceauth_t)
+
+ type iceauth_home_t;
+ typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
+-typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
++typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t };
+ files_poly_member(iceauth_home_t)
+ userdom_user_home_content(iceauth_home_t)
+
+@@ -112,17 +119,17 @@
+ typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t };
+
+ type user_fonts_t;
+-typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
++typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xguest_fonts_t unconfined_fonts_t };
+ typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
+ userdom_user_home_content(user_fonts_t)
+
+ type user_fonts_cache_t;
+-typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
++typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t xguest_fonts_cache_t unconfined_fonts_cache_t };
+ typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
+ userdom_user_home_content(user_fonts_cache_t)
+
+ type user_fonts_config_t;
+-typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
++typealias user_fonts_config_t alias { fonts_config_home_t staff_fonts_config_t sysadm_fonts_config_t xguest_fonts_config_t unconfined_fonts_config_t };
+ typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
+ userdom_user_home_content(user_fonts_config_t)
+
+@@ -134,18 +141,18 @@
+ type xauth_t;
+ type xauth_exec_t;
+ typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
+-typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
++typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t xguest_xauth_t unconfined_xauth_t };
+ application_domain(xauth_t, xauth_exec_t)
+ ubac_constrained(xauth_t)
+
+ type xauth_home_t;
+ typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
+-typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
++typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t xguest_xauth_home_t unconfined_xauth_home_t };
+ files_poly_member(xauth_home_t)
+ userdom_user_home_content(xauth_home_t)
+
+ type xauth_tmp_t;
+-typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
++typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t xguest_xauth_tmp_t unconfined_xauth_tmp_t };
+ typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
+ files_tmp_file(xauth_tmp_t)
+ ubac_constrained(xauth_tmp_t)
@@ -166,7 +173,10 @@
files_lock_file(xdm_lock_t)
@@ -20795,6 +20969,21 @@
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
+@@ -197,12 +216,12 @@
+
+ type xserver_tmp_t;
+ typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
+-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t };
++typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+ files_tmp_file(xserver_tmp_t)
+ ubac_constrained(xserver_tmp_t)
+
+ type xserver_tmpfs_t;
+-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
++typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t };
+ typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
+ files_tmpfs_file(xserver_tmpfs_t)
+ ubac_constrained(xserver_tmpfs_t)
@@ -256,6 +275,9 @@
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
@@ -20983,12 +21172,15 @@
')
optional_policy(`
-@@ -515,6 +575,22 @@
+@@ -515,12 +575,35 @@
')
optional_policy(`
+ # Use dbus to start other processes as xdm_t
+ dbus_role_template(xdm, system_r, xdm_t)
++
++ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
++
+ corecmd_bin_entry_type(xdm_t)
+
+ dbus_system_bus_client(xdm_t)
@@ -21006,7 +21198,17 @@
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
-@@ -542,6 +618,18 @@
+ ')
+
+ optional_policy(`
++ gnome_read_gconf_config(xdm_t)
++')
++
++optional_policy(`
+ hostname_exec(xdm_t)
+ ')
+
+@@ -542,6 +625,18 @@
')
optional_policy(`
@@ -21025,7 +21227,7 @@
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +638,8 @@
+@@ -550,8 +645,8 @@
')
optional_policy(`
@@ -21035,7 +21237,7 @@
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -571,6 +659,10 @@
+@@ -571,6 +666,10 @@
')
optional_policy(`
@@ -21046,7 +21248,7 @@
xfs_stream_connect(xdm_t)
')
-@@ -635,6 +727,15 @@
+@@ -635,6 +734,15 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -21062,7 +21264,7 @@
# Create files in /var/log with the xserver_log_t type.
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -682,6 +783,7 @@
+@@ -682,6 +790,7 @@
dev_rw_input_dev(xserver_t)
dev_rwx_zero(xserver_t)
@@ -21070,7 +21272,15 @@
domain_mmap_low(xserver_t)
files_read_etc_files(xserver_t)
-@@ -806,7 +908,7 @@
+@@ -697,6 +806,7 @@
+ fs_search_nfs(xserver_t)
+ fs_search_auto_mountpoints(xserver_t)
+ fs_search_ramfs(xserver_t)
++fs_list_inotifyfs(xdm_t)
+
+ mls_xwin_read_to_clearance(xserver_t)
+
+@@ -806,7 +916,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
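Review bot: The added `fs_list_inotifyfs(xdm_t)` sits between `fs_search_ramfs(xserver_t)` and `mls_xwin_read_to_clearance(xserver_t)`, in a run of rules that all grant to xserver_t, so either the domain is a typo for `xserver_t` or the rule belongs with the xdm_t rules elsewhere in this file. If xdm_t really is intended, leaving it here makes the xserver_t section silently grant to a second domain; move it next to the other xdm_t filesystem rules, or keep it and add a comment such as `# xdm_t lists inotifyfs here because … — confirm` so the next reader does not "fix" it. The enclosing block continues outside the hunk.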
@@ -21079,7 +21289,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -830,6 +932,10 @@
+@@ -830,6 +940,10 @@
xserver_use_user_fonts(xserver_t)
@@ -21090,7 +21300,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -844,11 +950,14 @@
+@@ -844,11 +958,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -21106,7 +21316,7 @@
')
optional_policy(`
-@@ -856,6 +965,11 @@
+@@ -856,6 +973,11 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -21118,7 +21328,7 @@
########################################
#
# Rules common to all X window domains
-@@ -972,6 +1086,21 @@
+@@ -972,6 +1094,21 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -21140,7 +21350,7 @@
ifdef(`TODO',`
tunable_policy(`allow_polyinstantiation',`
# xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1115,12 @@
+@@ -986,3 +1123,13 @@
#
allow xdm_t user_home_type:file unlink;
') dnl end TODO
@@ -21153,6 +21363,7 @@
+tunable_policy(`allow_execstack',`
+ allow xdm_t self:process { execstack execmem };
+')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.6.1/policy/modules/services/zosremote.fc
--- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/zosremote.fc 2008-11-25 09:45:43.000000000 -0500
@@ -21293,7 +21504,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-03 09:10:20.000000000 -0500
@@ -43,6 +43,7 @@
interface(`auth_login_pgm_domain',`
gen_require(`
@@ -21378,11 +21589,12 @@
')
')
-@@ -207,19 +255,15 @@
+@@ -207,19 +255,16 @@
dev_read_rand($1)
dev_read_urand($1)
+ auth_use_nsswitch($1)
++ auth_rw_faillog($1)
+
logging_send_audit_msgs($1)
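Review bot: `auth_rw_faillog($1)` is added to `auth_login_pgm_domain` unconditionally, so every domain built on that interface gains read and write access to the faillog, and the hunk gives no reason for it. Since faillog holds the failed-login counters that lockout tooling reads, a reader auditing which domains can reset those counters will want the rationale next to the call, e.g. `# login programs update failure counters (presumably pam_tally-style modules) — confirm`; if only one PAM module needs write access, gating it in an `optional_policy` block for that module would be narrower. The interface body continues outside the hunk.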
@@ -21402,7 +21614,7 @@
')
optional_policy(`
-@@ -230,6 +274,29 @@
+@@ -230,6 +275,29 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -21432,7 +21644,7 @@
')
########################################
-@@ -254,6 +321,7 @@
+@@ -254,6 +322,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -21440,7 +21652,7 @@
')
########################################
-@@ -1031,6 +1099,32 @@
+@@ -1031,6 +1100,32 @@
########################################
## <summary>
@@ -21473,7 +21685,7 @@
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
-@@ -1297,6 +1391,10 @@
+@@ -1297,6 +1392,10 @@
')
optional_policy(`
@@ -21484,7 +21696,7 @@
nis_use_ypbind($1)
')
-@@ -1307,6 +1405,7 @@
+@@ -1307,6 +1406,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
@@ -21492,7 +21704,7 @@
')
')
-@@ -1341,3 +1440,61 @@
+@@ -1341,3 +1441,61 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -22640,7 +22852,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.1/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2008-11-18 18:57:21.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/logging.if 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/logging.if 2008-12-02 15:03:25.000000000 -0500
@@ -707,6 +707,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
@@ -24098,7 +24310,7 @@
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.1/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/sysnetwork.if 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/sysnetwork.if 2008-12-03 10:18:59.000000000 -0500
@@ -192,7 +192,25 @@
type dhcpc_state_t;
')
@@ -24786,7 +24998,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-02 14:32:40.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-03 14:30:00.000000000 -0500
@@ -6,35 +6,76 @@
# Declarations
#
@@ -25053,7 +25265,7 @@
')
########################################
-@@ -218,14 +289,58 @@
+@@ -218,14 +289,60 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -25078,7 +25290,7 @@
+
+optional_policy(`
+ xserver_rw_shm(unconfined_execmem_t)
- ')
++')
+
+########################################
+#
@@ -25099,11 +25311,13 @@
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
+')
+
++optional_policy(`
+tunable_policy(`allow_unconfined_nsplugin_transition',`', `
+ gen_require(`
+ type mozilla_exec_t;
+ ')
+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
+ ')
+')
+
+optional_policy(`
@@ -25116,14 +25330,16 @@
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.1/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.fc 2008-11-25 09:45:43.000000000 -0500
-@@ -1,4 +1,5 @@
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.fc 2008-12-03 14:15:33.000000000 -0500
+@@ -1,4 +1,7 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
-
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
++/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
++/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-02 14:58:08.000000000 -0500
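Review bot: The two new `/dev/shm/pulse-shm.*` and `/dev/shm/mono.*` entries are file_contexts patterns, which only take effect when the path is relabelled by setfiles/restorecon; files a user process creates under /dev/shm at runtime get their type from type_transition rules, not from this file. Unless a matching tmpfs filetrans rule exists for the user domains (not visible here), these lines document the intended `user_tmpfs_t` label without enforcing it, which is worth confirming or stating in a comment such as `# relabel-only; runtime labelling of these files comes from the user tmpfs filetrans — confirm`. The unescaped `.` in both patterns matches any character, so they are wider than the literal `pulse-shm.`/`mono.` prefixes suggest; `\.` would pin them if the dot is meant literally.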
@@ -27016,7 +27232,37 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.1/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.6.1/policy/support/obj_perm_sets.spt 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/support/obj_perm_sets.spt 2008-12-03 15:26:17.000000000 -0500
+@@ -179,20 +179,20 @@
+ #
+ # Directory (dir)
+ #
+-define(`getattr_dir_perms',`{ getattr }')
+-define(`setattr_dir_perms',`{ setattr }')
+-define(`search_dir_perms',`{ getattr search }')
++define(`getattr_dir_perms',`{ getattr open }')
++define(`setattr_dir_perms',`{ setattr open }')
++define(`search_dir_perms',`{ getattr search open }')
+ define(`list_dir_perms',`{ getattr search open read lock ioctl }')
+ define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
+ define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
+ define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
+-define(`create_dir_perms',`{ getattr create }')
+-define(`rename_dir_perms',`{ getattr rename }')
+-define(`delete_dir_perms',`{ getattr rmdir }')
++define(`create_dir_perms',`{ getattr create open }')
++define(`rename_dir_perms',`{ getattr rename open }')
++define(`delete_dir_perms',`{ getattr rmdir open }')
+ define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
+-define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
+-define(`relabelto_dir_perms',`{ getattr relabelto }')
+-define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
++define(`relabelfrom_dir_perms',`{ getattr open relabelfrom }')
++define(`relabelto_dir_perms',`{ getattr open relabelto }')
++define(`relabel_dir_perms',`{ getattr open relabelfrom relabelto }')
+
+ #
+ # Regular file (file)
@@ -312,3 +312,13 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
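Review bot: Adding `open` to `setattr_dir_perms`, `create_dir_perms`, `rename_dir_perms`, `delete_dir_perms` and the three relabel sets grants directory open to every domain that uses those macros, although setattr, create, rename, rmdir and relabel are path-based operations that do not need an open directory fd; only `getattr_dir_perms` and `search_dir_perms` plausibly need it, for callers that open the directory and use the f*at() calls. Because these definitions feed interfaces across the whole policy, the widening is policy-wide and invisible at the call sites, so the narrower change is to add `open` to getattr/search only, matching `list_dir_perms` and `manage_dir_perms` which already carry it. Whatever set is kept, a comment above the block explaining that `open` is checked separately on directories on kernels/policies that enable that permission would tell the next reader why the metadata-only sets changed.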
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.747
retrieving revision 1.748
diff -u -r1.747 -r1.748
--- selinux-policy.spec 1 Dec 2008 15:00:41 -0000 1.747
+++ selinux-policy.spec 3 Dec 2008 22:18:31 -0000 1.748
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@
%endif
%changelog
+* Wed Dec 3 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-3
+- Cleanup policy
+
* Mon Dec 01 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm at gmail.com> - 3.6.1-2
- Rebuild for Python 2.6
--- policy-20080710.patch DELETED ---