rpms/selinux-policy/devel policy-20071130.patch,1.50,1.51

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Feb 4 17:17:40 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9996

Modified Files:
	policy-20071130.patch 
Log Message:
* Sun Feb 3 2008 Dan Walsh <dwalsh at redhat.com> 3.2.6-4
- Fixes for nsplugin


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -r1.50 -r1.51
--- policy-20071130.patch	3 Feb 2008 13:39:47 -0000	1.50
+++ policy-20071130.patch	4 Feb 2008 17:17:30 -0000	1.51
@@ -4528,7 +4528,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.6/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/apps/vmware.fc	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/apps/vmware.fc	2008-02-04 10:23:03.000000000 -0500
 @@ -1,9 +1,9 @@
  #
  # HOME_DIR/
@@ -4568,11 +4568,13 @@
  
  ifdef(`distro_gentoo',`
  /opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-@@ -49,3 +55,4 @@
+@@ -49,3 +55,6 @@
  /opt/vmware/workstation/bin/vmware-wizard --	gen_context(system_u:object_r:vmware_exec_t,s0)
  /opt/vmware/workstation/bin/vmware	--	gen_context(system_u:object_r:vmware_exec_t,s0)
  ')
 +/var/log/vmware.* 	--	gen_context(system_u:object_r:vmware_log_t,s0)
++/var/run/vmnat.* 	-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
++/var/run/vmware.* 		gen_context(system_u:object_r:vmware_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.6/policy/modules/apps/vmware.if
 --- nsaserefpolicy/policy/modules/apps/vmware.if	2007-02-19 11:32:52.000000000 -0500
 +++ serefpolicy-3.2.6/policy/modules/apps/vmware.if	2008-02-01 16:01:42.000000000 -0500
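Review bot: The new `/var/run/vmnat.*` and `/var/run/vmware.*` entries label files `vmware_var_run_t`, but no hunk in this commit declares that type or registers it with `files_pid_file()`, so unless vmware.te already has it the module fails to build; worth confirming against vmware.te before the package is spun. The second entry carries no file-class column, so it applies to directories, sockets and regular files alike, and with the unescaped `.` it also matches names such as `/var/run/vmwareX`; if only the pid/lock files are meant, `/var/run/vmware\..*	--	gen_context(system_u:object_r:vmware_var_run_t,s0)` next to the existing `-s` socket line is the tighter spelling.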
@@ -4747,7 +4749,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc	2008-02-04 11:10:30.000000000 -0500
 @@ -7,11 +7,11 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4799,13 +4801,14 @@
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +291,6 @@
+@@ -284,3 +291,7 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
 +/usr/lib(64)?/nspluginwrapper/npconfig	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib(64)?/nspluginwrapper/npviewer	gen_context(system_u:object_r:bin_t,s0)
 +
++/usr/lib(64)?/ConsoleKit/scripts(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.6/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2007-11-14 08:17:58.000000000 -0500
 +++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.if	2008-02-01 16:01:42.000000000 -0500
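Review bot: The new `/usr/lib(64)?/ConsoleKit/scripts(/.*)?` entry separates the pattern from its context with two spaces, while every neighbouring corecommands.fc line uses tabs; `/usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)` keeps the file's column layout. Labelling the whole scripts tree `bin_t` is what, together with the `corecmd_exec_shell(consolekit_t)` rule added later in this patch, lets the ConsoleKit daemon run its session hooks; since an fc file gives no hint of that, a one-line comment above the entry naming the purpose would help the next reader. The empty `+` line it follows is pre-existing and still adds a stray blank line to corecommands.fc.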
@@ -5457,7 +5460,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.6/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/kernel/files.if	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/kernel/files.if	2008-02-04 12:03:13.000000000 -0500
 @@ -1266,6 +1266,24 @@
  
  ########################################
@@ -6109,7 +6112,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.6/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/services/apache.if	2008-02-01 16:48:52.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/apache.if	2008-02-04 10:16:22.000000000 -0500
 @@ -18,10 +18,6 @@
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -8205,16 +8208,17 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.6/policy/modules/services/consolekit.fc
 --- nsaserefpolicy/policy/modules/services/consolekit.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/services/consolekit.fc	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/consolekit.fc	2008-02-04 11:46:55.000000000 -0500
 @@ -1,3 +1,5 @@
  /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
  
  /var/run/consolekit\.pid	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
 +
 +/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_var_run_t,s0)
+Binary files nsaserefpolicy/policy/modules/services/consolekit.pp and serefpolicy-3.2.6/policy/modules/services/consolekit.pp differ
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.6/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te	2008-02-01 22:35:15.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/consolekit.te	2008-02-04 11:52:57.000000000 -0500
 @@ -13,6 +13,9 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
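Review bot: The added line `Binary files nsaserefpolicy/policy/modules/services/consolekit.pp and serefpolicy-3.2.6/policy/modules/services/consolekit.pp differ` is diff(1) output, not a hunk: a compiled consolekit.pp module was present in the serefpolicy-3.2.6 tree when the patch was regenerated. patch(1) skips the line, but it shows a build artifact living next to the .te/.fc/.if sources, which can silently go stale relative to them. Regenerate the patch after a clean build, or add `*.pp` to the file given to `--exclude-from=exclude` so it cannot recur.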
@@ -8225,7 +8229,7 @@
  ########################################
  #
  # consolekit local policy
-@@ -24,6 +27,9 @@
+@@ -24,20 +27,26 @@
  allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
  allow consolekit_t self:unix_dgram_socket create_socket_perms;
  
@@ -8235,7 +8239,13 @@
  manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
  files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
  
-@@ -36,8 +42,10 @@
+ kernel_read_system_state(consolekit_t)
+ 
+ corecmd_exec_bin(consolekit_t)
++corecmd_exec_shell(consolekit_t)
+ 
+ dev_read_urand(consolekit_t)
+ dev_read_sysfs(consolekit_t)
  
  domain_read_all_domains_state(consolekit_t)
  domain_use_interactive_fds(consolekit_t)
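Review bot: `corecmd_exec_shell(consolekit_t)` gives a D-Bus-reachable system daemon the ability to execute a shell, and nothing says which script needs it; the ConsoleKit scripts directory labelled `bin_t` elsewhere in this patch is presumably the reason. A comment such as `# runs the session hooks under /usr/lib/ConsoleKit/scripts` above the call would let a later audit check whether the rule is still required rather than guess. The enclosing consolekit.te block continues outside the hunk.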
@@ -8246,7 +8256,13 @@
  # needs to read /var/lib/dbus/machine-id
  files_read_var_lib_files(consolekit_t)
  
-@@ -50,12 +58,25 @@
+@@ -47,15 +56,31 @@
+ 
+ auth_use_nsswitch(consolekit_t)
+ 
++init_telinit(consolekit_t)
++init_rw_utmp(consolekit_t)
++
  libs_use_ld_so(consolekit_t)
  libs_use_shared_libs(consolekit_t)
  
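Review bot: `init_telinit(consolekit_t)` lets the ConsoleKit daemon drive telinit, i.e. change runlevel or bring the system down, and `init_rw_utmp(consolekit_t)` lets it rewrite the login accounting records; neither addition carries a comment. Both are plausible for ConsoleKit's Stop/Restart methods and session tracking, but as the highest-impact rules in the module they deserve a line such as `# Stop/Restart D-Bus methods call telinit; session tracking updates utmp` so the grant is auditable. The surrounding consolekit.te block lies outside the hunk.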
@@ -8273,17 +8289,19 @@
  	hal_dbus_chat(consolekit_t)
  
  	optional_policy(`
-@@ -64,6 +85,32 @@
+@@ -64,6 +89,33 @@
  ')
  
  optional_policy(`
 +	polkit_domtrans_auth(consolekit_t)
++	polkit_search_lib(consolekit_t)
 +')
 +
 +optional_policy(`
  	xserver_read_all_users_xauth(consolekit_t)
  	xserver_stream_connect_xdm_xserver(consolekit_t)
- ')
++	xserver_ptrace_xdm(consolekit_t)
++')
 +
 +optional_policy(`
 +	#reading .Xauthity
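Review bot: `xserver_ptrace_xdm(consolekit_t)` grants consolekit_t `ptrace` on xdm_t, and on the kernels of this era that is also the permission checked when one process reads another's `/proc/<pid>/environ` or `mem`, not only when attaching a debugger. If the need is just to read the display manager's environment for session bookkeeping, state that beside the call, e.g. `# reads /proc/<xdm pid>/environ for the session cookie — TODO confirm`, because ptrace is exactly the kind of grant later hardening passes try to remove and will otherwise have to re-derive. The new `polkit_search_lib(consolekit_t)` line is unremarkable. The enclosing optional_policy blocks start before the hunk.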
@@ -8298,14 +8316,13 @@
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_dontaudit_list_nfs(consolekit_t)
 +	fs_dontaudit_rw_nfs_files(consolekit_t)
-+')
+ ')
 +
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_dontaudit_list_cifs(consolekit_t)
 +	fs_dontaudit_rw_cifs_files(consolekit_t)
 +')
 +
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.6/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2006-11-16 17:15:21.000000000 -0500
 +++ serefpolicy-3.2.6/policy/modules/services/cron.fc	2008-02-01 16:01:42.000000000 -0500
@@ -12652,7 +12669,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.6/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/mta.te	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/mta.te	2008-02-04 12:04:01.000000000 -0500
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -12670,7 +12687,7 @@
  
  mta_base_mail_template(system)
  role system_r types system_mail_t;
-@@ -37,30 +40,43 @@
+@@ -37,30 +40,45 @@
  #
  
  # newalias required this, not sure if it is needed in 'if' file
@@ -12679,6 +12696,8 @@
  
  read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
 +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
++
++files_read_all_tmp_files(system_mail_t)
  
  kernel_read_system_state(system_mail_t)
  kernel_read_network_state(system_mail_t)
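Review bot: `files_read_all_tmp_files(system_mail_t)` lets the system mail sender read every domain's temporary files, user tmp content included, which is a wide information-disclosure grant for what is presumably a single caller handing a temp file to the mailer; the same rule is added for sendmail_t in the sendmail.te hunk further down. If the producer is known, the narrower interface for that domain's tmp type — for example `init_read_script_tmp_files`, which this patch newly defines in init.if, if initrc scripts are the source — is preferable to the all-tmp interface. At minimum add a comment naming the producer, e.g. `# reads message bodies left in tmp by <caller — TODO confirm>`. The enclosing mta.te block extends beyond the hunk.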
@@ -12715,7 +12734,7 @@
  ')
  
  optional_policy(`
-@@ -73,6 +89,7 @@
+@@ -73,6 +91,7 @@
  
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
@@ -12723,7 +12742,7 @@
  	cron_dontaudit_write_pipes(system_mail_t)
  ')
  
-@@ -81,6 +98,11 @@
+@@ -81,6 +100,11 @@
  ')
  
  optional_policy(`
@@ -12735,7 +12754,7 @@
  	logrotate_read_tmp_files(system_mail_t)
  ')
  
-@@ -136,11 +158,33 @@
+@@ -136,11 +160,33 @@
  ')
  
  optional_policy(`
@@ -12753,7 +12772,7 @@
 -# should break this up among sections:
 +init_stream_connect_script(mailserver_delivery)
 +init_rw_script_stream_sockets(mailserver_delivery)
-+
+ 
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_manage_cifs_dirs(mailserver_delivery)
 +	fs_manage_cifs_files(mailserver_delivery)
@@ -12765,12 +12784,12 @@
 +	fs_manage_nfs_files(mailserver_delivery)
 +	fs_manage_nfs_symlinks(mailserver_delivery)
 +')
- 
++
 +# should break this up among sections:
  optional_policy(`
  	# why is mail delivered to a directory of type arpwatch_data_t?
  	arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +198,4 @@
+@@ -154,3 +200,4 @@
  		cron_read_system_job_tmp_files(mta_user_agent)
  	')
  ')
@@ -14377,8 +14396,8 @@
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.6/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/polkit.if	2008-02-01 16:01:42.000000000 -0500
-@@ -0,0 +1,59 @@
++++ serefpolicy-3.2.6/policy/modules/services/polkit.if	2008-02-04 11:48:36.000000000 -0500
+@@ -0,0 +1,62 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@@ -14437,6 +14456,9 @@
 +
 +	files_search_var_lib($1)
 +	read_files_pattern($1, polkit_var_lib_t,  polkit_var_lib_t)
++
++	# Broken placement
++	cron_read_system_job_lib_files($1)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.6/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
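Review bot: The comment `# Broken placement` above `cron_read_system_job_lib_files($1)` records a problem without saying what it is or what should be done; a reader of polkit.if sees only an unconditional cross-module call that makes the polkit module hard-depend on cron and hands cron's system-job library files to every caller of this interface (whose name is outside the hunk). Either move the call now into the callers' own optional_policy blocks, or make the comment actionable: `# FIXME: belongs in the callers (xdm_t, consolekit_t) under optional_policy; polkit must not depend on cron`. The interface definition starts outside the hunk.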
@@ -17750,7 +17772,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.6/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/sendmail.te	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/sendmail.te	2008-02-04 12:03:27.000000000 -0500
 @@ -20,13 +20,17 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -17779,7 +17801,7 @@
  
  corenet_all_recvfrom_unlabeled(sendmail_t)
  corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -69,10 +74,12 @@
+@@ -69,13 +74,16 @@
  
  # for piping mail to a command
  corecmd_exec_shell(sendmail_t)
@@ -17792,7 +17814,11 @@
  files_search_spool(sendmail_t)
  # for piping mail to a command
  files_read_etc_runtime_files(sendmail_t)
-@@ -97,20 +104,35 @@
++files_read_all_tmp_files(sendmail_t)
+ 
+ init_use_fds(sendmail_t)
+ init_use_script_ptys(sendmail_t)
+@@ -97,20 +105,35 @@
  
  userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
  userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
@@ -17829,7 +17855,7 @@
  	postfix_exec_master(sendmail_t)
  	postfix_read_config(sendmail_t)
  	postfix_search_spool(sendmail_t)
-@@ -118,6 +140,7 @@
+@@ -118,6 +141,7 @@
  
  optional_policy(`
  	procmail_domtrans(sendmail_t)
@@ -17837,7 +17863,7 @@
  ')
  
  optional_policy(`
-@@ -125,24 +148,25 @@
+@@ -125,24 +149,25 @@
  ')
  
  optional_policy(`
@@ -20191,7 +20217,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.6/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/xserver.if	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/xserver.if	2008-02-04 11:52:35.000000000 -0500
 @@ -15,6 +15,7 @@
  template(`xserver_common_domain_template',`
  	gen_require(`
@@ -20393,16 +20419,17 @@
 -	manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 -	manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 -	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
+-
+-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 +	domtrans_pattern($2, xauth_exec_t, xauth_t)
  
--	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
--
 -	allow $2 $1_xauth_t:process signal;
 +	allow $2 xauth_t:process signal;
  
  	# allow ps to show xauth
 -	ps_process_pattern($2,$1_xauth_t)
--
++	ps_process_pattern($2,xauth_t)
+ 
 -	allow $2 $1_xauth_home_t:file manage_file_perms;
 -	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
 -
@@ -20416,8 +20443,7 @@
 -
 -	fs_getattr_xattr_fs($1_xauth_t)
 -	fs_search_auto_mountpoints($1_xauth_t)
-+	ps_process_pattern($2,xauth_t)
- 
+-
 -	# cjp: why?
 -	term_use_ptmx($1_xauth_t)
 -
@@ -20847,7 +20873,7 @@
  ')
  
  ########################################
-@@ -1312,3 +1411,45 @@
+@@ -1312,3 +1411,63 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -20893,9 +20919,27 @@
 +
 +')
 +
++########################################
++## <summary>
++##	Ptrace XDM 
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit
++##	</summary>
++## </param>
++#
++interface(`xserver_ptrace_xdm',`
++	gen_require(`
++		type xdm_t;
++	')
++
++	allow $1 xdm_t:process ptrace;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.6/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/xserver.te	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/xserver.te	2008-02-04 11:50:03.000000000 -0500
 @@ -16,6 +16,13 @@
  
  ## <desc>
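Review bot: The `<param name="domain">` summary of the new `xserver_ptrace_xdm` interface reads `Domain to not audit`, copied from a dontaudit interface, while the body is `allow $1 xdm_t:process ptrace;`; it should read `Domain allowed access.` so the generated interface docs do not present a privilege grant as an audit suppression. The `<summary>` text `Ptrace XDM ` also has a trailing space. Given how strong ptrace on the display manager is, the summary could state the intended use, e.g. `Ptrace the XDM process (also needed to read its /proc entries).`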
@@ -20970,18 +21014,19 @@
  xserver_common_domain_template(xdm)
  init_system_domain(xdm_xserver_t,xserver_exec_t)
  
-@@ -95,8 +134,8 @@
+@@ -95,8 +134,9 @@
  # XDM Local policy
  #
  
 -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
 +allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-+allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms };
++allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms };
++
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
-@@ -109,6 +148,8 @@
+@@ -109,6 +149,8 @@
  allow xdm_t self:key { search link write };
  
  allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -20990,7 +21035,7 @@
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -131,15 +172,22 @@
+@@ -131,15 +173,22 @@
  manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -21014,7 +21059,7 @@
  
  allow xdm_t xdm_xserver_t:process signal;
  allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -153,6 +201,7 @@
+@@ -153,6 +202,7 @@
  allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@@ -21022,7 +21067,16 @@
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
-@@ -184,6 +233,7 @@
+@@ -173,6 +223,8 @@
+ 
+ corecmd_exec_shell(xdm_t)
+ corecmd_exec_bin(xdm_t)
++# Uses DBUS
++corecmd_bin_entry_type(xdm_t)
+ 
+ corenet_all_recvfrom_unlabeled(xdm_t)
+ corenet_all_recvfrom_netlabel(xdm_t)
+@@ -184,6 +236,7 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_all_nodes(xdm_t)
  corenet_udp_bind_all_nodes(xdm_t)
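Review bot: `corecmd_bin_entry_type(xdm_t)` makes every `bin_t` executable a valid entry point into xdm_t, and the comment `# Uses DBUS` does not explain the connection. Presumably a gdm helper labelled `bin_t` is started by D-Bus activation; if so, say that and consider a dedicated exec type for the helper, because with a generic entrypoint any domain that already holds a transition to xdm_t can reach it through an arbitrary `bin_t` program, and xdm_t carries `sys_ptrace` plus the long capability list shown in the earlier hunk. Suggested comment: `# D-Bus activation starts a gdm helper labelled bin_t in xdm_t — TODO narrow to a dedicated exec type`. The surrounding xserver.te block continues outside the hunk.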
@@ -21030,7 +21084,7 @@
  corenet_tcp_connect_all_ports(xdm_t)
  corenet_sendrecv_all_client_packets(xdm_t)
  # xdm tries to bind to biff_port_t
-@@ -196,6 +246,7 @@
+@@ -196,6 +249,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -21038,7 +21092,7 @@
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -208,8 +259,8 @@
+@@ -208,8 +262,8 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -21049,7 +21103,7 @@
  dev_getattr_power_mgmt_dev(xdm_t)
  dev_setattr_power_mgmt_dev(xdm_t)
  
-@@ -226,6 +277,7 @@
+@@ -226,6 +280,7 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -21057,7 +21111,7 @@
  
  fs_getattr_all_fs(xdm_t)
  fs_search_auto_mountpoints(xdm_t)
-@@ -245,6 +297,7 @@
+@@ -245,6 +300,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -21065,7 +21119,7 @@
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -256,12 +309,11 @@
+@@ -256,12 +312,11 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -21079,7 +21133,7 @@
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -270,6 +322,10 @@
+@@ -270,6 +325,10 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -21090,7 +21144,7 @@
  
  xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
  
-@@ -304,7 +360,16 @@
+@@ -304,7 +363,16 @@
  ')
  
  optional_policy(`
@@ -21107,7 +21161,7 @@
  ')
  
  optional_policy(`
-@@ -322,6 +387,10 @@
+@@ -322,6 +390,10 @@
  ')
  
  optional_policy(`
@@ -21118,7 +21172,19 @@
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -343,8 +412,8 @@
+@@ -335,6 +407,11 @@
+ ')
+ 
+ optional_policy(`
++	polkit_domtrans_auth(xdm_t)
++	polkit_read_lib(xdm_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(xdm_t)
+ ')
+ 
+@@ -343,8 +420,8 @@
  ')
  
  optional_policy(`
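Review bot: `polkit_read_lib(xdm_t)` is presumably the polkit.if interface that this same patch amends with the `# Broken placement` call to `cron_read_system_job_lib_files($1)`; if so, xdm_t silently gains read access to cron's system-job library files here, and nothing in the xserver.te hunk mentions it. If xdm needs that access, grant it explicitly in this optional_policy block so it is visible in xserver.te instead of inherited through polkit; if it does not, the polkit.if call is the thing to fix. The enclosing optional_policy run continues outside the hunk.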
@@ -21128,7 +21194,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +449,7 @@
+@@ -380,7 +457,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -21137,7 +21203,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +461,15 @@
+@@ -392,6 +469,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -21153,7 +21219,7 @@
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,6 +482,7 @@
+@@ -404,6 +490,7 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -21161,7 +21227,7 @@
  
  xserver_use_all_users_fonts(xdm_xserver_t)
  
-@@ -420,6 +499,14 @@
+@@ -420,6 +507,14 @@
  ')
  
  optional_policy(`
@@ -21176,7 +21242,7 @@
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +516,103 @@
+@@ -429,47 +524,103 @@
  ')
  
  optional_policy(`
@@ -21909,7 +21975,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.6/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/system/init.if	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/init.if	2008-02-04 12:02:32.000000000 -0500
 @@ -211,6 +211,13 @@
  			kernel_dontaudit_use_fds($1)
  		')
@@ -22077,7 +22143,33 @@
  ')
  
  ########################################
-@@ -1252,7 +1289,7 @@
+@@ -1097,6 +1134,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Read init script temporary data.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_read_script_tmp_files',`
++	gen_require(`
++		type initrc_tmp_t;
++	')
++
++	files_search_tmp($1)
++	read_files_pattern($1,initrc_tmp_t,initrc_tmp_t)
++')
++
++########################################
++## <summary>
+ ##	Create files in a init script
+ ##	temporary data directory.
+ ## </summary>
+@@ -1252,7 +1308,7 @@
  		type initrc_var_run_t;
  	')
  
@@ -22086,7 +22178,7 @@
  ')
  
  ########################################
-@@ -1273,3 +1310,92 @@
+@@ -1273,3 +1329,92 @@
  	files_search_pids($1)
  	allow $1 initrc_var_run_t:file manage_file_perms;
  ')
@@ -22181,7 +22273,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.6/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/init.te	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/init.te	2008-02-04 11:10:57.000000000 -0500
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -23045,7 +23137,7 @@
 +HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.6/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/miscfiles.if	2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/miscfiles.if	2008-02-04 08:26:35.000000000 -0500
 @@ -489,3 +489,44 @@
  	manage_lnk_files_pattern($1,locale_t,locale_t)
  ')
@@ -25015,7 +25107,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.6/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/userdomain.if	2008-02-01 22:19:29.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/userdomain.if	2008-02-04 08:23:21.000000000 -0500
 @@ -29,9 +29,14 @@
  	')
  
@@ -28179,8 +28271,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/virt.te	2008-02-02 17:10:42.000000000 -0500
-@@ -0,0 +1,135 @@
++++ serefpolicy-3.2.6/policy/modules/system/virt.te	2008-02-04 11:23:06.000000000 -0500
+@@ -0,0 +1,137 @@
 +
 +policy_module(virt,1.0.0)
 +
@@ -28256,10 +28348,12 @@
 +logging_log_filetrans(virtd_t, virt_log_t, { file dir } )
 +
 +read_files_pattern(virtd_t, virt_etc_t,  virt_etc_t)
++read_lnk_files_pattern(virtd_t, virt_etc_t,  virt_etc_t)
 +
 +manage_dirs_pattern(virtd_t, virt_etc_rw_t,  virt_etc_rw_t)
 +manage_files_pattern(virtd_t, virt_etc_rw_t,  virt_etc_rw_t)
-+files_trans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
++manage_lnk_files_pattern(virtd_t, virt_etc_rw_t,  virt_etc_rw_t)
++filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 +
 +corenet_all_recvfrom_unlabeled(virtd_t)
 +corenet_all_recvfrom_netlabel(virtd_t)
@@ -28699,8 +28793,8 @@
 +## <summary>Policy for staff user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.6/policy/modules/users/staff.te
 --- nsaserefpolicy/policy/modules/users/staff.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/users/staff.te	2008-02-01 16:01:42.000000000 -0500
-@@ -0,0 +1,47 @@
++++ serefpolicy-3.2.6/policy/modules/users/staff.te	2008-02-04 08:26:47.000000000 -0500
+@@ -0,0 +1,51 @@
 +policy_module(staff,1.0.1)
 +userdom_unpriv_user_template(staff)
 +
@@ -28708,6 +28802,8 @@
 +userdom_role_change_template(staff, sysadm)
 +userdom_dontaudit_use_sysadm_terms(staff_t)
 +
++allow $staff_t self:capability sys_nice;
++
 +domain_read_all_domains_state(staff_t)
 +domain_getattr_all_domains(staff_t)
 +
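Review bot: `allow $staff_t self:capability sys_nice;` has a stray `$`: staff.te is a top-level module file, not a template body, so m4 leaves `$staff_t` untouched and checkpolicy rejects it as an invalid type identifier, which breaks the build of the staff module. It should be `allow staff_t self:capability sys_nice;`, matching the `staff_t` spelling on the neighbouring lines.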
@@ -28716,6 +28812,8 @@
 +modutils_read_module_config(staff_t)
 +modutils_read_module_deps(staff_t)
 +
++miscfiles_read_hwdata(staff_t)
++
 +sudo_per_role_template(staff, staff_t, staff_r)
 +seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
 +



