rpms/selinux-policy/devel policy-20081111.patch, 1.15, 1.16 selinux-policy.spec, 1.757, 1.758

Daniel J Walsh dwalsh at fedoraproject.org
Mon Dec 22 19:36:17 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13177

Modified Files:
	policy-20081111.patch selinux-policy.spec 
Log Message:
* Thu Dec 18 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-12
- Add missing alias for home directory content


policy-20081111.patch:

Index: policy-20081111.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20081111.patch,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- policy-20081111.patch	17 Dec 2008 21:15:07 -0000	1.15
+++ policy-20081111.patch	22 Dec 2008 19:35:46 -0000	1.16
@@ -240,6 +240,49 @@
  $(appdir)/%: $(appconf)/%
  	@mkdir -p $(appdir)
  	$(verbose) $(INSTALL) -m 644 $< $@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.1/man/man8/httpd_selinux.8
+--- nsaserefpolicy/man/man8/httpd_selinux.8	2008-08-25 09:12:31.000000000 -0400
++++ serefpolicy-3.6.1/man/man8/httpd_selinux.8	2008-12-22 11:16:09.000000000 -0500
+@@ -41,7 +41,7 @@
+ - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options.  It is better to use this script rather than turning off SELinux protection for httpd.
+ 
+ .SH NOTE
+-With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
++With certain policies you can define additional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
+ 
+ .SH SHARING FILES
+ If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:
+@@ -75,7 +75,7 @@
+ .EE
+ 
+ .PP
+-httpd by default is not allowed access to the controling terminal.  In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
++httpd by default is not allowed access to the controlling terminal.  In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
+ 
+ .EX
+ setsebool -P httpd_tty_comm 1
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-3.6.1/man/man8/kerberos_selinux.8
+--- nsaserefpolicy/man/man8/kerberos_selinux.8	2008-08-07 11:15:14.000000000 -0400
++++ serefpolicy-3.6.1/man/man8/kerberos_selinux.8	2008-12-22 11:16:22.000000000 -0500
+@@ -12,7 +12,7 @@
+ .SH "DESCRIPTION"
+ 
+ Security-Enhanced Linux secures the system via flexible mandatory access
+-control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network.  
++control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.  
+ .SH BOOLEANS
+ .PP
+ You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.1/man/man8/nfs_selinux.8
+--- nsaserefpolicy/man/man8/nfs_selinux.8	2008-08-07 11:15:14.000000000 -0400
++++ serefpolicy-3.6.1/man/man8/nfs_selinux.8	2008-12-22 11:17:18.000000000 -0500
+@@ -26,5 +26,5 @@
+ .SH AUTHOR	
+ This manual page was written by Dan Walsh <dwalsh at redhat.com>.
+ 
+-.SH "SEE ALSpppO"
++.SH "SEE ALSO"
+ selinux(8), chcon(1), setsebool(8)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.1/man/man8/samba_selinux.8
 --- nsaserefpolicy/man/man8/samba_selinux.8	2008-08-07 11:15:14.000000000 -0400
 +++ serefpolicy-3.6.1/man/man8/samba_selinux.8	2008-11-25 09:45:43.000000000 -0500
@@ -1690,7 +1733,7 @@
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.1/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/gpg.te	2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/apps/gpg.te	2008-12-18 10:33:48.000000000 -0500
 @@ -60,7 +60,7 @@
  
  allow gpg_t self:capability { ipc_lock setuid };
@@ -1749,7 +1792,7 @@
  # for helper programs (which automatically fetch keys)
  # Note: this is only tested with the hkp interface. If you use eg the 
  # mail interface you will likely need additional permissions.
-@@ -136,13 +141,11 @@
+@@ -136,13 +141,13 @@
  corenet_udp_bind_all_nodes(gpg_helper_t)
  corenet_tcp_connect_all_ports(gpg_helper_t)
  
@@ -1763,10 +1806,12 @@
 +fs_list_inotifyfs(gpg_helper_t)
 +
 +auth_use_nsswitch(gpg_helper_t)
++
++userdom_use_user_terminals(gpg_helper_t)
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -157,6 +160,17 @@
+@@ -157,6 +162,17 @@
  	xserver_rw_xdm_pipes(gpg_t)
  ')
  
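Review bot: `userdom_use_user_terminals(gpg_helper_t)` grants the key-fetching helper read/write on user ttys and ptys, and the hunk gives no reason for it; since the same domain already has `corenet_tcp_connect_all_ports(gpg_helper_t)` a few lines up, this is a network client being allowed to drive the invoking user's terminal. If the rule only exists to quiet denials seen when gpg runs interactively, `userdom_dontaudit_use_user_terminals(gpg_helper_t)` is the narrower choice; if real terminal output is needed, a one-line comment such as `# helper reports progress/errors on the invoking terminal` should sit above the call so the grant is not carried forward unexamined. The gpg_helper_t block continues outside the hunk.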
@@ -3879,7 +3924,7 @@
 +xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc	2008-12-05 08:55:39.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc	2008-12-18 09:12:40.000000000 -0500
 @@ -128,6 +128,8 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -3902,7 +3947,7 @@
  /usr/local/linuxprinter/filters(/.*)?   gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -221,8 +221,8 @@
+@@ -221,14 +221,15 @@
  /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
  /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
@@ -3913,7 +3958,14 @@
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
-@@ -291,3 +291,12 @@
+ /usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/fedora-usermgmt/wrapper --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hplip/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
+@@ -291,3 +292,12 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -3928,7 +3980,7 @@
 +/usr/lib/oracle/xe/apps(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.1/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.if	2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.if	2008-12-19 15:12:15.000000000 -0500
 @@ -893,6 +893,7 @@
  
  	read_lnk_files_pattern($1, bin_t, bin_t)
@@ -3995,7 +4047,7 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-11-12 09:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in	2008-12-08 15:25:19.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in	2008-12-19 17:15:49.000000000 -0500
 @@ -65,10 +65,12 @@
  type server_packet_t, packet_type, server_packet_type;
  
@@ -4009,7 +4061,7 @@
  network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
-@@ -79,11 +81,13 @@
+@@ -79,26 +81,33 @@
  network_port(auth, tcp,113,s0)
  network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
  type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
@@ -4022,8 +4074,11 @@
 +portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(dcc, udp,6276,s0, udp,6277,s0)
++network_port(dccm, tcp,5679,s0, udp,5679,s0)
  network_port(dbskkd, tcp,1178,s0)
-@@ -92,13 +96,16 @@
+-network_port(dhcpc, udp,68,s0)
++network_port(dhcpc, udp,68,s0, tcp,68,s0)
+ network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
@@ -4032,6 +4087,7 @@
 +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(ftp, tcp,21,s0)
++network_port(ftps, tcp,990,s0, udp,990,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
  network_port(giftd, tcp,1213,s0)
  network_port(gopher, tcp,70,s0, udp,70,s0)
@@ -4040,7 +4096,7 @@
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
-@@ -118,6 +125,8 @@
+@@ -118,6 +127,8 @@
  network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
  network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
  network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@@ -4049,7 +4105,7 @@
  network_port(ktalkd, udp,517,s0, udp,518,s0)
  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-@@ -127,6 +136,7 @@
+@@ -127,6 +138,7 @@
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
@@ -4057,7 +4113,7 @@
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
  network_port(nessus, tcp,1241,s0)
-@@ -137,12 +147,21 @@
+@@ -137,12 +149,21 @@
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
@@ -4079,7 +4135,7 @@
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pxe, udp,4011,s0)
-@@ -160,9 +179,11 @@
+@@ -160,9 +181,11 @@
  network_port(rwho, udp,513,s0)
  network_port(smbd, tcp,137-139,s0, tcp,445,s0)
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -4092,7 +4148,7 @@
  network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -171,14 +192,17 @@
+@@ -171,14 +194,17 @@
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -7816,7 +7872,7 @@
 +/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.1/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/apache.if	2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/apache.if	2008-12-19 10:59:07.000000000 -0500
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -8048,7 +8104,55 @@
  	')
  
  	optional_policy(`
-@@ -579,7 +517,7 @@
+@@ -504,6 +442,47 @@
+ ########################################
+ ## <summary>
+ ##	Allow the specified domain to read
++##	apache tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_read_tmp',`
++	gen_require(`
++		type httpd_config_t;
++	')
++
++	files_search_tmp($1)
++	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
++')
++
++########################################
++## <summary>
++##	Dontaudit attempts ti write 
++##	apache tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_dontaudit_write_tmp',`
++	gen_require(`
++		type httpd_config_t;
++	')
++
++	dontaudit $1 httpd_tmp_t:file write;
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to read
+ ##	apache configuration files.
+ ## </summary>
+ ## <param name="domain">
+@@ -579,7 +558,7 @@
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -8057,7 +8161,7 @@
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -715,6 +653,7 @@
+@@ -715,6 +694,7 @@
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -8065,7 +8169,7 @@
  ')
  
  ########################################
-@@ -782,6 +721,32 @@
+@@ -782,6 +762,32 @@
  
  ########################################
  ## <summary>
@@ -8098,7 +8202,7 @@
  ##	Execute all web scripts in the system
  ##	script domain.
  ## </summary>
-@@ -791,16 +756,18 @@
+@@ -791,16 +797,18 @@
  ##	</summary>
  ## </param>
  #
@@ -8121,7 +8225,7 @@
  	')
  ')
  
-@@ -859,6 +826,8 @@
+@@ -859,6 +867,8 @@
  ##	</summary>
  ## </param>
  #
@@ -8130,7 +8234,7 @@
  interface(`apache_run_all_scripts',`
  	gen_require(`
  		attribute httpd_exec_scripts, httpd_script_domains;
-@@ -884,7 +853,7 @@
+@@ -884,7 +894,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -8139,7 +8243,7 @@
  ')
  
  ########################################
-@@ -1040,3 +1009,160 @@
+@@ -1040,3 +1050,160 @@
  
  	allow httpd_t $1:process signal;
  ')
@@ -10365,9 +10469,13 @@
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.1/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/services/cups.fc	2008-11-25 09:45:43.000000000 -0500
-@@ -8,24 +8,35 @@
- /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++++ serefpolicy-3.6.1/policy/modules/services/cups.fc	2008-12-19 11:42:21.000000000 -0500
+@@ -5,27 +5,38 @@
+ /etc/cups/classes\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/cups/cupsd\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/cups/lpoptions.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/ppd(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/etc/cups/subscriptions.*  --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -10414,13 +10522,14 @@
  
  /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -43,10 +54,18 @@
+@@ -43,10 +54,19 @@
  /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
  /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
 -/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
 +/var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
  
++/var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
  /var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
 +/var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
  /var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
@@ -11162,7 +11271,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.1/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/dbus.te	2008-12-03 14:17:27.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/dbus.te	2008-12-17 16:46:31.000000000 -0500
 @@ -9,14 +9,15 @@
  #
  # Delcarations
@@ -11233,15 +11342,18 @@
  
  selinux_get_fs_mount(system_dbusd_t)
  selinux_validate_context(system_dbusd_t)
-@@ -91,7 +108,6 @@
+@@ -91,9 +108,9 @@
  corecmd_list_bin(system_dbusd_t)
  corecmd_read_bin_pipes(system_dbusd_t)
  corecmd_read_bin_sockets(system_dbusd_t)
 -corecmd_exec_bin(system_dbusd_t)
  
  domain_use_interactive_fds(system_dbusd_t)
++domain_read_all_domains_state(system_dbusd_t)
  
-@@ -101,6 +117,8 @@
+ files_read_etc_files(system_dbusd_t)
+ files_list_home(system_dbusd_t)
+@@ -101,6 +118,8 @@
  
  init_use_fds(system_dbusd_t)
  init_use_script_ptys(system_dbusd_t)
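Review bot: `domain_read_all_domains_state(system_dbusd_t)` lets the system bus read the /proc state of every domain on the system, which is much broader than the neighbouring accesses in this block, and nothing in the hunk records what dbus-daemon reads it for. If it is needed to inspect processes that connect to the bus, a comment naming that use, e.g. `# dbus-daemon inspects the /proc entries of connecting processes`, should accompany the call, and it is worth checking whether a narrower interface covers the actual files read. The system_dbusd_t local policy continues outside the hunk.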
@@ -11250,7 +11362,7 @@
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -128,9 +146,34 @@
+@@ -128,9 +147,34 @@
  ')
  
  optional_policy(`
@@ -12177,6 +12289,17 @@
 +	polkit_read_lib(gnomeclock_t)
 +')
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.1/policy/modules/services/hal.fc
+--- nsaserefpolicy/policy/modules/services/hal.fc	2008-11-19 11:51:44.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/hal.fc	2008-12-19 17:06:38.000000000 -0500
+@@ -5,6 +5,7 @@
+ /usr/bin/hal-setup-keymap		--	gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+ 
+ /usr/libexec/hal-acl-tool		--	gen_context(system_u:object_r:hald_acl_exec_t,s0)
++/usr/libexec/hal-dccm			--	gen_context(system_u:object_r:hald_dccm_exec_t,s0)
+ /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
+ /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
+ /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.1/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2008-11-19 11:51:44.000000000 -0500
 +++ serefpolicy-3.6.1/policy/modules/services/hal.if	2008-11-25 09:45:43.000000000 -0500
@@ -12194,18 +12317,24 @@
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.1/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2008-11-19 11:51:44.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/hal.te	2008-12-12 09:32:41.000000000 -0500
-@@ -49,6 +49,9 @@
++++ serefpolicy-3.6.1/policy/modules/services/hal.te	2008-12-19 17:16:25.000000000 -0500
+@@ -49,6 +49,15 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
  
 +typealias hald_log_t alias pmtools_log_t;
 +typealias hald_var_run_t alias pmtools_var_run_t;
 +
++type hald_dccm_t;
++type hald_dccm_exec_t;
++domain_type(hald_dccm_t)
++domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
++role system_r types hald_dccm_t;
++
  ########################################
  #
  # Local policy
-@@ -143,6 +146,7 @@
+@@ -143,6 +152,7 @@
  files_getattr_all_dirs(hald_t)
  files_read_kernel_img(hald_t)
  files_rw_lock_dirs(hald_t)
@@ -12213,7 +12342,7 @@
  
  fs_getattr_all_fs(hald_t)
  fs_search_all(hald_t)
-@@ -195,6 +199,7 @@
+@@ -195,6 +205,7 @@
  seutil_read_file_contexts(hald_t)
  
  sysnet_read_config(hald_t)
@@ -12221,7 +12350,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(hald_t)
  userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -277,6 +282,12 @@
+@@ -277,6 +288,12 @@
  ')
  
  optional_policy(`
@@ -12234,7 +12363,7 @@
  	rpc_search_nfs_state_data(hald_t)
  ')
  
-@@ -301,12 +312,16 @@
+@@ -301,12 +318,16 @@
  	virt_manage_images(hald_t)
  ')
  
@@ -12252,7 +12381,7 @@
  allow hald_acl_t self:process { getattr signal };
  allow hald_acl_t self:fifo_file rw_fifo_file_perms;
  
-@@ -346,12 +361,17 @@
+@@ -346,12 +367,17 @@
  
  miscfiles_read_localization(hald_acl_t)
  
@@ -12271,7 +12400,7 @@
  
  domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
  allow hald_t hald_mac_t:process signal;
-@@ -418,3 +438,7 @@
+@@ -418,3 +444,49 @@
  files_read_usr_files(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
@@ -12279,6 +12408,48 @@
 +# This is caused by a bug in hald and PolicyKit.  
 +# Should be removed when this is fixed
 +cron_read_system_job_lib_files(hald_t)
++
++########################################
++#
++# Local hald dccm policy
++#
++allow hald_dccm_t self:capability { net_bind_service };
++allow hald_dccm_t self:process getsched;
++allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
++allow hald_dccm_t self:udp_socket create_socket_perms;
++allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
++
++domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
++allow hald_t hald_dccm_t:process signal;
++allow hald_dccm_t hald_t:unix_stream_socket connectto;
++
++corenet_all_recvfrom_unlabeled(hald_dccm_t)
++corenet_all_recvfrom_netlabel(hald_dccm_t)
++corenet_tcp_sendrecv_all_if(hald_dccm_t)
++corenet_udp_sendrecv_all_if(hald_dccm_t)
++corenet_tcp_sendrecv_all_nodes(hald_dccm_t)
++corenet_udp_sendrecv_all_nodes(hald_dccm_t)
++corenet_tcp_sendrecv_all_ports(hald_dccm_t)
++corenet_udp_sendrecv_all_ports(hald_dccm_t)
++corenet_tcp_bind_all_nodes(hald_dccm_t)
++corenet_udp_bind_all_nodes(hald_dccm_t)
++corenet_udp_bind_dhcpc_port(hald_dccm_t)
++corenet_tcp_bind_ftps_port(hald_dccm_t)
++corenet_tcp_bind_dccm_port(hald_dccm_t)
++
++kernel_search_network_sysctl(hald_dccm_t)
++
++manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
++manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
++files_search_var_lib(hald_dccm_t)
++
++write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
++
++files_read_usr_files(hald_dccm_t)
++
++miscfiles_read_localization(hald_dccm_t)
++
++permissive hald_dccm_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.1/policy/modules/services/ifplugd.fc
 --- nsaserefpolicy/policy/modules/services/ifplugd.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.1/policy/modules/services/ifplugd.fc	2008-11-25 09:45:43.000000000 -0500
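Review bot: `permissive hald_dccm_t;` at the end of the new block carries no comment, so nothing records that it is a bring-up measure; while it is in effect the allow rules above it are documentation only, since denials for this domain are logged but not enforced. Add something like `# permissive while the dccm helper policy is developed; remove once the audit log is clean` next to it, in the way the hald_t block just above explains its cron exception, so the line does not survive into a release unnoticed. When the domain does leave permissive mode, `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` next to the three specific bind ports are worth a second look, as they appear to be broader than a sync helper needs.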
@@ -13299,7 +13470,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/munin.te	2008-12-04 16:14:16.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/munin.te	2008-12-18 11:36:14.000000000 -0500
 @@ -13,6 +13,9 @@
  type munin_etc_t alias lrrd_etc_t;
  files_config_file(munin_etc_t)
@@ -16469,7 +16640,7 @@
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.1/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2008-11-11 16:13:45.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/postfix.if	2008-12-02 15:09:03.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/postfix.if	2008-12-18 11:31:37.000000000 -0500
 @@ -174,9 +174,8 @@
  		type postfix_etc_t;
  	')
@@ -16517,10 +16688,46 @@
  ##	Execute the master postfix program in the
  ##	postfix_master domain.
  ## </summary>
-@@ -465,6 +483,25 @@
+@@ -418,10 +436,10 @@
+ #
+ interface(`postfix_search_spool',`
+ 	gen_require(`
+-		type postfix_spool_t;
++		attribute postfix_spool_type;
+ 	')
  
- ########################################
- ## <summary>
+-	allow $1 postfix_spool_t:dir search_dir_perms;
++	allow $1 postfix_spool_type:dir search_dir_perms;
+ 	files_search_spool($1)
+ ')
+ 
+@@ -437,10 +455,10 @@
+ #
+ interface(`postfix_list_spool',`
+ 	gen_require(`
+-		type postfix_spool_t;
++		attribute postfix_spool_type;
+ 	')
+ 
+-	allow $1 postfix_spool_t:dir list_dir_perms;
++	allow $1 postfix_spool_type:dir list_dir_perms;
+ 	files_search_spool($1)
+ ')
+ 
+@@ -456,11 +474,30 @@
+ #
+ interface(`postfix_read_spool_files',`
+ 	gen_require(`
+-		type postfix_spool_t;
++		attribute postfix_spool_type;
++	')
++
++	files_search_spool($1)
++	read_files_pattern($1, postfix_spool_type, postfix_spool_type)
++')
++
++########################################
++## <summary>
 +##	Manage postfix mail spool files.
 +## </summary>
 +## <param name="domain">
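Review bot: Switching `postfix_search_spool`, `postfix_list_spool` and `postfix_read_spool_files` (and `postfix_manage_spool_files` in the next hunk) from `postfix_spool_t` to the `postfix_spool_type` attribute widens every existing caller's access to all types carrying the attribute, which per the postfix.te hunks below includes the bounce, maildrop and flush spools; for the manage interface that means write and delete on the maildrop queue, not only on the main spool. The interface summaries still describe a single spool type, so callers cannot see the wider grant; update them, e.g. `##	Read postfix mail spool files (all postfix_spool_type types).`, and likewise for the other three. The remaining interfaces of this file are outside the hunk, so I cannot confirm whether any still require `postfix_spool_t` directly.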
@@ -16531,18 +16738,15 @@
 +#
 +interface(`postfix_manage_spool_files',`
 +	gen_require(`
-+		type postfix_spool_t;
-+	')
-+
-+	files_search_spool($1)
-+	manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute postfix user mail programs
- ##	in their respective domains.
- ## </summary>
++		attribute postfix_spool_type;
+ 	')
+ 
+ 	files_search_spool($1)
+-	read_files_pattern($1, postfix_spool_t, postfix_spool_t)
++	manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
+ ')
+ 
+ ########################################
 @@ -481,3 +518,23 @@
  
  	typeattribute $1 postfix_user_domtrans;
@@ -16569,8 +16773,8 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.1/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/postfix.te	2008-11-25 09:45:43.000000000 -0500
-@@ -1,11 +1,19 @@
++++ serefpolicy-3.6.1/policy/modules/services/postfix.te	2008-12-22 10:48:45.000000000 -0500
+@@ -1,11 +1,20 @@
  
 -policy_module(postfix, 1.9.2)
 +policy_module(postfix, 1.9.1)
@@ -16588,10 +16792,18 @@
 +## </desc>
 +gen_tunable(allow_postfix_local_write_mail_spool, false)
 +
++attribute postfix_spool_type;
  attribute postfix_user_domains;
  # domains that transition to the
  # postfix user domains
-@@ -19,7 +27,7 @@
+@@ -13,13 +22,13 @@
+ 
+ postfix_server_domain_template(bounce)
+ 
+-type postfix_spool_bounce_t;
++type postfix_spool_bounce_t,  postfix_spool_type;
+ files_type(postfix_spool_bounce_t)
+ 
  postfix_server_domain_template(cleanup)
  
  type postfix_etc_t;
@@ -16600,7 +16812,7 @@
  
  type postfix_exec_t;
  application_executable_file(postfix_exec_t)
-@@ -27,6 +35,12 @@
+@@ -27,6 +36,12 @@
  postfix_server_domain_template(local)
  mta_mailserver_delivery(postfix_local_t)
  
@@ -16613,7 +16825,7 @@
  type postfix_local_tmp_t;
  files_tmp_file(postfix_local_tmp_t)
  
-@@ -34,6 +48,7 @@
+@@ -34,6 +49,7 @@
  type postfix_map_t;
  type postfix_map_exec_t;
  application_domain(postfix_map_t, postfix_map_exec_t)
@@ -16621,7 +16833,24 @@
  
  type postfix_map_tmp_t;
  files_tmp_file(postfix_map_tmp_t)
-@@ -103,6 +118,7 @@
+@@ -68,13 +84,13 @@
+ 
+ postfix_server_domain_template(smtpd)
+ 
+-type postfix_spool_t;
++type postfix_spool_t, postfix_spool_type;
+ files_type(postfix_spool_t)
+ 
+-type postfix_spool_maildrop_t;
++type postfix_spool_maildrop_t, postfix_spool_type;
+ files_type(postfix_spool_maildrop_t)
+ 
+-type postfix_spool_flush_t;
++type postfix_spool_flush_t, postfix_spool_type;
+ files_type(postfix_spool_flush_t)
+ 
+ type postfix_public_t;
+@@ -103,6 +119,7 @@
  allow postfix_master_t self:fifo_file rw_fifo_file_perms;
  allow postfix_master_t self:tcp_socket create_stream_socket_perms;
  allow postfix_master_t self:udp_socket create_socket_perms;
@@ -16629,7 +16858,7 @@
  
  allow postfix_master_t postfix_etc_t:file rw_file_perms;
  
-@@ -142,6 +158,7 @@
+@@ -142,6 +159,7 @@
  
  delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -16637,7 +16866,17 @@
  
  kernel_read_all_sysctls(postfix_master_t)
  
-@@ -170,6 +187,8 @@
+@@ -153,6 +171,9 @@
+ corenet_udp_sendrecv_all_nodes(postfix_master_t)
+ corenet_tcp_sendrecv_all_ports(postfix_master_t)
+ corenet_udp_sendrecv_all_ports(postfix_master_t)
++corenet_udp_bind_all_nodes(postfix_master_t)
++corenet_udp_bind_all_unreserved_ports(postfix_master_t)
++corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
+ corenet_tcp_bind_all_nodes(postfix_master_t)
+ corenet_tcp_bind_amavisd_send_port(postfix_master_t)
+ corenet_tcp_bind_smtp_port(postfix_master_t)
+@@ -170,6 +191,8 @@
  domain_use_interactive_fds(postfix_master_t)
  
  files_read_usr_files(postfix_master_t)
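Review bot: `corenet_udp_bind_all_unreserved_ports(postfix_master_t)` together with `corenet_dontaudit_udp_bind_all_ports(postfix_master_t)` is a broad grant with no comment: the master process may now bind any unreserved UDP port, and attempts on the remaining ports are hidden from the audit log rather than denied visibly. If the motivation is randomized resolver source ports, say so above the three lines, e.g. `# resolver lookups bind random unreserved UDP source ports`, and consider whether the dontaudit is really wanted, since it also masks binds that would otherwise point at a misconfiguration. The postfix_master_t block continues outside the hunk.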
@@ -16646,7 +16885,7 @@
  
  term_dontaudit_search_ptys(postfix_master_t)
  
-@@ -181,15 +200,14 @@
+@@ -181,15 +204,14 @@
  
  mta_rw_aliases(postfix_master_t)
  mta_read_sendmail_bin(postfix_master_t)
@@ -16666,7 +16905,7 @@
  ')
  
  optional_policy(`
-@@ -202,9 +220,29 @@
+@@ -202,9 +224,29 @@
  ')
  
  optional_policy(`
@@ -16696,7 +16935,7 @@
  ########################################
  #
  # Postfix bounce local policy
-@@ -245,6 +283,10 @@
+@@ -245,6 +287,10 @@
  
  corecmd_exec_bin(postfix_cleanup_t)
  
@@ -16707,7 +16946,7 @@
  ########################################
  #
  # Postfix local local policy
-@@ -270,18 +312,29 @@
+@@ -270,18 +316,29 @@
  
  files_read_etc_files(postfix_local_t)
  
@@ -16737,7 +16976,7 @@
  ')
  
  optional_policy(`
-@@ -292,8 +345,7 @@
+@@ -292,8 +349,7 @@
  #
  # Postfix map local policy
  #
@@ -16747,7 +16986,7 @@
  allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
  allow postfix_map_t self:unix_dgram_socket create_socket_perms;
  allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -340,10 +392,6 @@
+@@ -340,10 +396,6 @@
  
  miscfiles_read_localization(postfix_map_t)
  
@@ -16758,7 +16997,7 @@
  tunable_policy(`read_default_t',`
  	files_list_default(postfix_map_t)
  	files_read_default_files(postfix_map_t)
-@@ -356,6 +404,11 @@
+@@ -356,6 +408,11 @@
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
  
@@ -16770,7 +17009,7 @@
  ########################################
  #
  # Postfix pickup local policy
-@@ -380,6 +433,7 @@
+@@ -380,6 +437,7 @@
  #
  
  allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -16778,7 +17017,7 @@
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -387,6 +441,12 @@
+@@ -387,6 +445,12 @@
  
  rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
@@ -16791,7 +17030,7 @@
  optional_policy(`
  	procmail_domtrans(postfix_pipe_t)
  ')
-@@ -396,6 +456,15 @@
+@@ -396,6 +460,15 @@
  ')
  
  optional_policy(`
@@ -16807,7 +17046,7 @@
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -432,8 +501,11 @@
+@@ -432,8 +505,11 @@
  ')
  
  optional_policy(`
@@ -16821,7 +17060,7 @@
  ')
  
  #######################################
-@@ -459,6 +531,15 @@
+@@ -459,6 +535,15 @@
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
  
@@ -16837,7 +17076,7 @@
  ########################################
  #
  # Postfix qmgr local policy
-@@ -543,9 +624,18 @@
+@@ -543,9 +628,18 @@
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -16856,7 +17095,7 @@
  	mailman_read_data_files(postfix_smtpd_t)
  ')
  
-@@ -572,7 +662,7 @@
+@@ -572,7 +666,7 @@
  files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
  
  # connect to master process
@@ -18606,7 +18845,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.1/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/samba.te	2008-12-15 12:23:46.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/samba.te	2008-12-22 10:23:30.000000000 -0500
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -18708,7 +18947,7 @@
  # smbd Local policy
  #
 -allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner setgid setuid sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
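Review bot: `sys_nice` is added to smbd_t's capability set on the replaced allow line with no comment recording why, and nothing else in the hunk shows which operation triggered it, so a later reader cannot tell whether the grant is still needed or could be a dontaudit. A comment on the line before the allow, `# sys_nice: smbd changes scheduling priority (see the AVC denial that prompted this)`, would keep the grant reviewable. The smbd policy section continues outside the hunk.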
@@ -19520,7 +19759,7 @@
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.1/policy/modules/services/snmp.fc
 --- nsaserefpolicy/policy/modules/services/snmp.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/services/snmp.fc	2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/snmp.fc	2008-12-18 09:13:35.000000000 -0500
 @@ -1,3 +1,6 @@
 +/etc/rc\.d/init\.d/snmpd	--	gen_context(system_u:object_r:snmp_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/snmptrapd --	gen_context(system_u:object_r:snmp_initrc_exec_t,s0)
@@ -19536,6 +19775,13 @@
  /var/lib/net-snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
  /var/lib/snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
  
+@@ -15,5 +19,5 @@
+ 
+ /var/net-snmp(/.*)		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+ 
+-/var/run/snmpd		-d	gen_context(system_u:object_r:snmpd_var_run_t,s0)
++/var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
+ /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.1/policy/modules/services/snmp.if
 --- nsaserefpolicy/policy/modules/services/snmp.if	2008-11-11 16:13:46.000000000 -0500
 +++ serefpolicy-3.6.1/policy/modules/services/snmp.if	2008-11-25 09:45:43.000000000 -0500
@@ -20356,13 +20602,13 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/ssh.te	2008-12-09 14:28:14.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/ssh.te	2008-12-18 10:03:59.000000000 -0500
 @@ -75,7 +75,7 @@
  ubac_constrained(ssh_tmpfs_t)
  
  type home_ssh_t;
 -typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
-+typealias home_ssh_t alias { ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
++typealias home_ssh_t alias { ssh_home_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
  typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
  files_type(home_ssh_t)
  userdom_user_home_content(home_ssh_t)
@@ -20392,7 +20638,15 @@
  
  dev_read_urand(ssh_t)
  
-@@ -202,6 +205,7 @@
+@@ -173,6 +176,7 @@
+ userdom_use_user_terminals(ssh_t)
+ # needs to read krb tgt
+ userdom_read_user_tmp_files(ssh_t)
++userdom_read_user_home_content_symlinks(ssh_t)
+ 
+ tunable_policy(`allow_ssh_keysign',`
+ 	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+@@ -202,6 +206,7 @@
  # for port forwarding
  tunable_policy(`user_tcp_server',`
  	corenet_tcp_bind_ssh_port(ssh_t)
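Review bot: The new `userdom_read_user_home_content_symlinks(ssh_t)` line is placed directly under `# needs to read krb tgt`, which documents the tmp-files call above it, so the comment now reads as if it also covered the symlink access. Give the added call its own rationale, e.g. `# follow symlinks under the user's home directory` (my reading of the interface name; confirm against the denial that motivated it), or move it below the blank line so the existing comment stays attached to the call it describes. The ssh_t section continues beyond both hunks.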
@@ -20400,7 +20654,7 @@
  ')
  
  optional_policy(`
-@@ -318,6 +322,10 @@
+@@ -318,6 +323,10 @@
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
@@ -20411,7 +20665,7 @@
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
  	# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -331,6 +339,14 @@
+@@ -331,6 +340,14 @@
  ')
  
  optional_policy(`
@@ -20426,7 +20680,7 @@
  	daemontools_service_domain(sshd_t, sshd_exec_t)
  ')
  
-@@ -349,7 +365,11 @@
+@@ -349,7 +366,11 @@
  ')
  
  optional_policy(`
@@ -20439,7 +20693,7 @@
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -408,6 +428,8 @@
+@@ -408,6 +429,8 @@
  init_use_fds(ssh_keygen_t)
  init_use_script_ptys(ssh_keygen_t)
  
@@ -21473,7 +21727,7 @@
  ##	display.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2008-11-18 18:57:20.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/xserver.te	2008-12-11 14:53:37.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/xserver.te	2008-12-17 16:39:38.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -21510,8 +21764,9 @@
  
  type user_fonts_t;
 -typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
+-typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
 +typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xguest_fonts_t unconfined_fonts_t };
- typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
++typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t user_fonts_home_t };
  userdom_user_home_content(user_fonts_t)
  
  type user_fonts_cache_t;
@@ -23581,7 +23836,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.1/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2008-11-18 18:57:21.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/logging.if	2008-12-09 14:23:42.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/logging.if	2008-12-18 11:32:40.000000000 -0500
 @@ -707,6 +707,8 @@
  	files_search_var($1)
  	manage_files_pattern($1,logfile,logfile)
@@ -26131,7 +26386,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-11 15:08:45.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-18 10:02:36.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.757
retrieving revision 1.758
diff -u -r1.757 -r1.758
--- selinux-policy.spec	17 Dec 2008 21:15:08 -0000	1.757
+++ selinux-policy.spec	22 Dec 2008 19:35:46 -0000	1.758
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@
 %endif
 
 %changelog
+* Thu Dec 18 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-12
+- Add missing alias for home directory content
+
 * Wed Dec 17 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-11
 - Fixes for IBM java location
 



