rpms/selinux-policy/F-8 Makefile.devel, 1.9, 1.10 policy-20070703.patch, 1.180, 1.181 selinux-policy.spec, 1.609, 1.610
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Feb 11 22:55:09 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1620
Modified Files:
Makefile.devel policy-20070703.patch selinux-policy.spec
Log Message:
* Fri Feb 1 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-84
- Allow fail2ban to create sock_files in /var/run
Index: Makefile.devel
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/Makefile.devel,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- Makefile.devel 11 Aug 2007 11:18:09 -0000 1.9
+++ Makefile.devel 11 Feb 2008 22:54:33 -0000 1.10
@@ -10,13 +10,14 @@
endif
ifeq ($(MLSENABLED),1)
- TYPE ?= mcs
+ NTYPE = mcs
endif
-ifeq ($(NAME), mls)
- TYPE ?= mls
+ifeq ($(NAME),mls)
+ NTYPE = mls
endif
+TYPE ?= $(NTYPE)
+
HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile
-
policy-20070703.patch:
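Review bot: `TYPE ?= $(NTYPE)` defines TYPE even when neither branch above set NTYPE, so on a build where MLSENABLED is not 1 and NAME is not mls TYPE is now a defined variable that expands to nothing, whereas before the change it was left unset. Because `ifdef` tests the unexpanded value (`$(NTYPE)`, which is non-empty text), any `ifdef TYPE` or `TYPE ?=` default in the included `$(HEADERDIR)/Makefile` would be skipped in that case; I cannot see that file, so treat this as something to confirm. Guarding the assignment keeps the old behaviour when no type was selected: `ifneq ($(strip $(NTYPE)),)` / `TYPE ?= $(NTYPE)` / `endif`. The two `NTYPE = ...` lines hold literals and could use `:=`.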
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.180
retrieving revision 1.181
diff -u -r1.180 -r1.181
--- policy-20070703.patch 31 Jan 2008 20:59:53 -0000 1.180
+++ policy-20070703.patch 11 Feb 2008 22:54:33 -0000 1.181
@@ -2926,7 +2926,7 @@
application_executable_file(gconfd_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-02-06 09:05:24.000000000 -0500
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -2939,10 +2939,12 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
+-/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+-/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-+
++/usr/local/matlab/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/matlab(/.*)?/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
++/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
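Review bot: The three new MATLAB entries are shaped differently: `/usr/local/matlab/bin/(.*/)?MATLAB.*` allows no version directory between matlab and bin, while `/usr/matlab(/.*)?/bin/(.*/)?MATLAB.*` and `/opt/matlab(/.*)?/bin(/.*)?/MATLAB.*` do, and those two put the optional subdirectory on different sides of the `/bin` separator. If the same install layout is meant for all three prefixes, one form for all of them (e.g. `/usr/local/matlab(/.*)?/bin(/.*)?/MATLAB.*`) avoids labelling differences that are hard to spot later. Note also that `MATLAB.*` matches any file whose name starts with MATLAB, which is broader than the `MATLAB.` it replaces; that may be intended for the java_exec_t label but is worth stating.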
@@ -3996,7 +3998,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-02-11 14:27:53.000000000 -0500
@@ -7,6 +7,7 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4033,7 +4035,7 @@
#
# /usr
#
-@@ -126,10 +132,10 @@
+@@ -126,10 +132,11 @@
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -4043,10 +4045,11 @@
/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/drivers(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
-@@ -163,9 +169,15 @@
+@@ -163,9 +170,15 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -4063,7 +4066,7 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
-@@ -180,6 +192,7 @@
+@@ -180,6 +193,7 @@
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
@@ -4071,7 +4074,7 @@
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +272,23 @@
+@@ -259,3 +273,23 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -4097,7 +4100,7 @@
+/usr/lib/nspluginwrapper/npconfig -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2008-02-11 14:37:53.000000000 -0500
@@ -903,9 +903,11 @@
interface(`corenet_udp_bind_generic_port',`
gen_require(`
@@ -4110,7 +4113,35 @@
')
########################################
-@@ -1449,6 +1451,43 @@
+@@ -1386,10 +1388,11 @@
+ #
+ interface(`corenet_tcp_bind_all_unreserved_ports',`
+ gen_require(`
+- attribute port_type, reserved_port_type;
++ attribute port_type;
++ type hi_reserved_port_t, reserved_port_t;
+ ')
+
+- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;
+ ')
+
+ ########################################
+@@ -1404,10 +1407,11 @@
+ #
+ interface(`corenet_udp_bind_all_unreserved_ports',`
+ gen_require(`
+- attribute port_type, reserved_port_type;
++ attribute port_type;
++ type hi_reserved_port_t, reserved_port_t;
+ ')
+
+- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
+ ')
+
+ ########################################
+@@ -1449,6 +1453,43 @@
########################################
## <summary>
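Review bot: Replacing `-reserved_port_type` with `-hi_reserved_port_t -reserved_port_t` in the two new `allow` lines widens both corenet_tcp_bind_all_unreserved_ports and corenet_udp_bind_all_unreserved_ports: `reserved_port_type` is an attribute carried by other port types as well (the `biff_port_t` declaration later in this patch lists it), so every such type except the two named ones becomes bindable through an interface whose name promises "unreserved". If the intent is only to add the new hi_reserved_port_t to the exclusion (its declaration is outside this hunk, so I cannot tell whether it carries the attribute), keep the attribute and add the type: `allow $1 { port_type -reserved_port_type -hi_reserved_port_t }:tcp_socket name_bind;` and likewise for udp_socket. If binding to named reserved ports is intended, the log message should say so, since it only mentions fail2ban.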
@@ -4156,7 +4187,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-01-22 09:06:06.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-02-11 16:24:42.000000000 -0500
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -4169,7 +4200,7 @@
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;
-@@ -67,6 +72,7 @@
+@@ -67,11 +72,12 @@
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
@@ -4177,6 +4208,12 @@
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+-type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
++type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strictx
+ network_port(clamd, tcp,3310,s0)
+ network_port(clockspeed, udp,4041,s0)
+ network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@@ -93,10 +99,11 @@
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
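Review bot: The only change in this hunk is the trailing `x` in `# no defined portcon in current strictx` on the `biff_port_t` line, which looks like a stray keystroke rather than an intended edit. It sits after `dnl`, so it has no effect on the generated policy, but it adds a spurious hunk against corenetwork.te.in to the carried patch; suggest restoring `# no defined portcon in current strict`.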
@@ -4630,7 +4667,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2008-02-01 23:39:13.000000000 -0500
@@ -6,6 +6,22 @@
# Declarations
#
@@ -4668,7 +4705,13 @@
# Use trusted objects in /dev
dev_rw_null(domain)
-@@ -134,3 +154,32 @@
+@@ -129,8 +149,37 @@
+
+ # For /proc/pid
+ allow unconfined_domain_type domain:dir r_dir_perms;
+-allow unconfined_domain_type domain:file r_file_perms;
++allow unconfined_domain_type domain:file rw_file_perms;
+ allow unconfined_domain_type domain:lnk_file r_file_perms;
# act on all domains keys
allow unconfined_domain_type domain:key *;
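Review bot: The change from `r_file_perms` to `rw_file_perms` on `allow unconfined_domain_type domain:file` gives every unconfined domain write access to the /proc/<pid> files of every domain, yet the `# For /proc/pid` comment above it is unchanged and the log message names only fail2ban. Suggest the comment state which /proc/<pid> entry needs writing, e.g. `# For /proc/pid; write needed for <entry — TODO name it>`, so a later reader can judge whether a narrower rule would do. The same applies to the other unrelated policy changes in this commit (java.fc, corenetwork, cron, kernel.te, mta.if, samba.te), none of which the changelog entry mentions.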
@@ -5574,8 +5617,17 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.8/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te 2008-01-17 09:03:07.000000000 -0500
-@@ -359,7 +359,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te 2008-02-06 16:44:55.000000000 -0500
+@@ -255,6 +255,8 @@
+ fs_rw_tmpfs_chr_files(kernel_t)
+ ')
+
++userdom_generic_user_home_dir_filetrans_generic_user_home_content(kernel_t, { file dir })
++
+ tunable_policy(`read_default_t',`
+ files_list_default(kernel_t)
+ files_read_default_files(kernel_t)
+@@ -359,7 +361,7 @@
allow kern_unconfined proc_type:{ dir file lnk_file } *;
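Review bot: `userdom_generic_user_home_dir_filetrans_generic_user_home_content(kernel_t, { file dir })` is added without a comment, so nothing records which kernel activity creates files and directories in user home directories under the generic home-content label. A one-line comment naming that case, in the style of the labelled `tunable_policy(\`read_default_t'` block that follows it, would keep the rule from reading as a stray grant; I cannot infer the reason from the hunk. The enclosing kernel_t rules continue outside the hunk.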
@@ -7775,8 +7827,23 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cron.te 2008-01-31 15:35:05.000000000 -0500
-@@ -50,6 +50,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/cron.te 2008-02-02 00:06:32.000000000 -0500
+@@ -12,14 +12,6 @@
+
+ ## <desc>
+ ## <p>
+-## Allow system cron jobs to relabel filesystem
+-## for restoring file contexts.
+-## </p>
+-## </desc>
+-gen_tunable(cron_can_relabel,false)
+-
+-## <desc>
+-## <p>
+ ## Enable extra rules in the cron domain
+ ## to support fcron.
+ ## </p>
+@@ -50,6 +42,7 @@
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
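Review bot: Removing the `cron_can_relabel` tunable declaration here is paired with the hunk at `@@ -7967,7 +8034,26 @@`, which deletes the whole tunable_policy block, including its false branch (`selinux_get_fs_mount`, `selinux_validate_context`, `selinux_compute_*`, `seutil_read_file_contexts` for system_crond_t). Whether those permissions, or the `seutil_domtrans_setfiles(system_crond_t)` of the true branch, are now granted unconditionally is outside both hunks; if the setfiles transition has become unconditional, that widening of system_crond_t should be stated in the log message, and if neither branch survives, cron jobs that relied on the false branch lose it. Dropping the boolean also makes any existing local `cron_can_relabel` setting fail to apply after the update, which may deserve a changelog line.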
@@ -7784,7 +7851,7 @@
type crond_var_run_t;
files_pid_file(crond_var_run_t)
-@@ -71,6 +72,12 @@
+@@ -71,6 +64,12 @@
type system_crond_tmp_t;
files_tmp_file(system_crond_tmp_t)
@@ -7797,7 +7864,7 @@
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
')
-@@ -80,7 +87,7 @@
+@@ -80,7 +79,7 @@
# Cron Local policy
#
@@ -7806,7 +7873,7 @@
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
-@@ -99,18 +106,20 @@
+@@ -99,18 +98,20 @@
allow crond_t crond_var_run_t:file manage_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
@@ -7831,7 +7898,7 @@
dev_read_sysfs(crond_t)
selinux_get_fs_mount(crond_t)
-@@ -127,6 +136,8 @@
+@@ -127,6 +128,8 @@
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
@@ -7840,7 +7907,7 @@
corecmd_exec_shell(crond_t)
corecmd_list_bin(crond_t)
-@@ -142,11 +153,14 @@
+@@ -142,11 +145,14 @@
files_search_default(crond_t)
init_rw_utmp(crond_t)
@@ -7855,7 +7922,7 @@
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -160,6 +174,16 @@
+@@ -160,6 +166,16 @@
mta_send_mail(crond_t)
@@ -7872,7 +7939,7 @@
ifdef(`distro_debian',`
optional_policy(`
# Debian logcheck has the home dir set to its cache
-@@ -180,29 +204,34 @@
+@@ -180,29 +196,34 @@
locallogin_link_keys(crond_t)
')
@@ -7915,7 +7982,7 @@
')
optional_policy(`
-@@ -239,7 +268,6 @@
+@@ -239,7 +260,6 @@
allow system_crond_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
@@ -7923,7 +7990,7 @@
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -249,6 +277,8 @@
+@@ -249,6 +269,8 @@
# for this purpose.
allow system_crond_t system_cron_spool_t:file entrypoint;
@@ -7932,7 +7999,7 @@
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
-@@ -270,9 +300,16 @@
+@@ -270,9 +292,16 @@
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
@@ -7950,7 +8017,7 @@
kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t)
-@@ -326,7 +363,7 @@
+@@ -326,7 +355,7 @@
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -7959,7 +8026,7 @@
libs_use_ld_so(system_crond_t)
libs_use_shared_libs(system_crond_t)
-@@ -334,6 +371,7 @@
+@@ -334,6 +363,7 @@
libs_exec_ld_so(system_crond_t)
logging_read_generic_logs(system_crond_t)
@@ -7967,7 +8034,26 @@
logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
-@@ -384,6 +422,14 @@
+@@ -349,18 +379,6 @@
+ ')
+ ')
+
+-tunable_policy(`cron_can_relabel',`
+- seutil_domtrans_setfiles(system_crond_t)
+-',`
+- selinux_get_fs_mount(system_crond_t)
+- selinux_validate_context(system_crond_t)
+- selinux_compute_access_vector(system_crond_t)
+- selinux_compute_create_context(system_crond_t)
+- selinux_compute_relabel_context(system_crond_t)
+- selinux_compute_user_contexts(system_crond_t)
+- seutil_read_file_contexts(system_crond_t)
+-')
+-
+ optional_policy(`
+ # Needed for certwatch
+ apache_exec_modules(system_crond_t)
+@@ -384,6 +402,14 @@
')
optional_policy(`
@@ -7982,7 +8068,7 @@
mrtg_append_create_logs(system_crond_t)
')
-@@ -424,8 +470,7 @@
+@@ -424,8 +450,7 @@
')
optional_policy(`
@@ -7992,7 +8078,7 @@
')
optional_policy(`
-@@ -433,15 +478,12 @@
+@@ -433,15 +458,12 @@
')
optional_policy(`
@@ -9583,16 +9669,28 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.0.8/policy/modules/services/fail2ban.fc
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc 2008-01-17 09:03:07.000000000 -0500
-@@ -1,3 +1,4 @@
++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc 2008-02-01 10:04:19.000000000 -0500
+@@ -1,3 +1,5 @@
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/var/log/fail2ban.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
/var/run/fail2ban.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
++/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.0.8/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-01-21 13:49:36.000000000 -0500
-@@ -55,6 +55,8 @@
++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-02-01 07:42:49.000000000 -0500
+@@ -33,8 +33,9 @@
+ logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
+
+ # pid file
++manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
+ manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
+-files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
++files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file })
+
+ kernel_read_system_state(fail2ban_t)
+
+@@ -55,6 +56,8 @@
miscfiles_read_localization(fail2ban_t)
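Review bot: The `# pid file` comment above the new `manage_sock_files_pattern` line and the widened `files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file })` no longer describes the block; suggest `# pid file and control socket` so the sock_file grant is not read as pid handling. Since the fc entry labels `/var/run/fail2ban\.sock` with the same fail2ban_var_run_t as the pid file, any domain later given access to the pid file also reaches the socket; a client-side interface for connecting to it is not in this hunk, so I cannot check whether one exists or is needed.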
@@ -10386,7 +10484,7 @@
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2008-01-21 13:47:32.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2008-02-11 17:49:24.000000000 -0500
@@ -87,6 +87,8 @@
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
@@ -10427,6 +10525,19 @@
')
#######################################
+@@ -210,9 +207,9 @@
+ userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file)
+ # for reading .forward - maybe we need a new type for it?
+ # also for delivering mail to maildir
+- userdom_manage_user_home_content_dirs($1,mailserver_delivery)
+- userdom_manage_user_home_content_files($1,mailserver_delivery)
+- userdom_manage_user_home_content_symlinks($1,mailserver_delivery)
++ userdom_manage_all_users_home_content_dirs(mailserver_delivery)
++ userdom_manage_all_users_home_content_files(mailserver_delivery)
++ userdom_manage_all users_home_content_symlinks($1,mailserver_delivery)
+ userdom_manage_user_home_content_pipes($1,mailserver_delivery)
+ userdom_manage_user_home_content_sockets($1,mailserver_delivery)
+ userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
@@ -228,6 +225,11 @@
fs_manage_cifs_symlinks($1_mail_t)
')
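Review bot: `userdom_manage_all users_home_content_symlinks($1,mailserver_delivery)` has a space where an underscore belongs and still passes `$1`, unlike the two lines added just above it, so it will not expand to the intended interface and the policy build is likely to fail on it. Following the sibling lines it should read `userdom_manage_all_users_home_content_symlinks(mailserver_delivery)`, assuming that interface takes a single domain argument like its dirs and files counterparts. Separately, moving from the per-user `$1` home content to the all-users variants lets mailserver_delivery manage every user's home content rather than the instantiating user's; that widening is not mentioned in the log message. The interface body continues outside the hunk.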
@@ -12700,16 +12811,16 @@
allow pptp_t self:fifo_file { read write };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.0.8/policy/modules/services/procmail.fc
--- nsaserefpolicy/policy/modules/services/procmail.fc 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/procmail.fc 2008-01-17 12:36:50.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/procmail.fc 2008-02-04 13:40:59.000000000 -0500
@@ -1,2 +1,4 @@
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
-+/var/log/procmail\.log -- gen_context(system_u:object_r:procmail_log_t,s0)
++/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.0.8/policy/modules/services/procmail.if
--- nsaserefpolicy/policy/modules/services/procmail.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/procmail.if 2008-01-17 12:45:51.000000000 -0500
-@@ -39,3 +39,22 @@
++++ serefpolicy-3.0.8/policy/modules/services/procmail.if 2008-02-06 10:22:52.000000000 -0500
+@@ -39,3 +39,41 @@
corecmd_search_bin($1)
can_exec($1,procmail_exec_t)
')
@@ -12732,6 +12843,25 @@
+ files_search_tmp($1)
+ allow $1 procmail_tmp_t:file read_file_perms;
+')
++
++########################################
++## <summary>
++## Read/write procmail tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`procmail_rw_tmp_files',`
++ gen_require(`
++ type procmail_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2008-01-31 12:57:41.000000000 -0500
@@ -12887,6 +13017,166 @@
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/q serefpolicy-3.0.8/policy/modules/services/q
+--- nsaserefpolicy/policy/modules/services/q 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/q 2008-02-04 13:55:48.000000000 -0500
+@@ -0,0 +1,156 @@
++seinfo(1) seinfo(1)
++
++
++
++NNAAMMEE
++ seinfo - SELinux policy query tool
++
++SSYYNNOOPPSSIISS
++ sseeiinnffoo [OPTIONS] [EXPRESSION] [POLICY ...]
++
++DDEESSCCRRIIPPTTIIOONN
++ sseeiinnffoo allows the user to query the components of a SELinux policy.
++
++PPOOLLIICCYY
++ sseeiinnffoo supports loading a SELinux policy in one of four formats.
++
++ source A single text file containing policy source for versions 12
++ through 21. This file is usually named policy.conf.
++
++ binary A single file containing a monolithic kernel binary policy for
++ versions 15 through 21. This file is usually named by version -
++ for example, policy.20.
++
++ modular
++ A list of policy packages each containing a loadable policy mod-
++ ule. The first module listed must be a base module.
++
++ policy list
++ A single text file containing all the information needed to load
++ a policy, usually exported by SETools graphical utilities.
++
++ If no policy file is provided, sseeiinnffoo will search for the system
++ default policy: checking first for a source policy, next for a binary
++ policy matching the running kernelâs preferred version, and finally for
++ the highest version that can be found. If no policy can be found,
++ sseeiinnffoo will print an error message and exit.
++
++EEXXPPRREESSSSIIOONNSS
++ One or more of the following component types can be queried. Each
++ option may only be specified once. If an option is provided multiple
++ times, the last instance will be used. Some components support the -x
++ flag to print expanded information about that component; if a particu-
++ lar component specified does not support expanded information, the flag
++ will be ignored for that component (see -x below). If no expressions
++ are provided, policy statistics will be printed (see --stats below).
++
++ -c[NAME], --class[=NAME]
++ Print a list of object classes or, if NAME is provided, print
++ the object class NAME. With -x, print a list of permissions for
++ each displayed object class.
++
++ --sensitivity[=NAME]
++ Print a list of sensitivities or, if NAME is provided, print the
++ sensitivity NAME. With -x, print the corresponding level state-
++ ment for each displayed sensitivity.
++
++ --category[=NAME]
++ Print a list of categories or, if NAME is provided, print the
++ category NAME. With -x, print a list of sensitivities with
++ which each displayed category may be associated.
++
++ -t[NAME], --type[=NAME]
++ Print a list of types (not including aliases or attributes) or,
++ if NAME is provided, print the type NAME. With -x, print a list
++ of attributes which include each displayed type.
++
++ -a[NAME], --attribute[=NAME]
++ Print a list of type attributes or, if NAME is provided, print
++ the attribute NAME. With -x, print a list of types assigned to
++ each displayed attribute.
++
++ -r[NAME], --role[=NAME]
++ Print a list of roles or, if NAME is provided, print the role
++ NAME. With -x, print a list of types assigned to each displayed
++ role.
++
++ -u[NAME], --user[=NAME]
++ Print a list of users or, if NAME is provided, print the user
++ NAME. With -x, print a list of roles assigned to each displayed
++ user.
++
++ -b[NAME], --bool[=NAME]
++ Print a list of conditional booleans or, if NAME is provided,
++ print the boolean NAME. With -x, print the default state of
++ each displayed conditional boolean.
++
++ --initialsid[=NAME]
++ Print a list of initial SIDs or, if NAME is provided, print the
++ initial SID NAME. With -x, print the context assigned to each
++ displayed SID.
++
++ --fs_use[=TYPE]
++ Print a list of fs_use statements or, if TYPE is provided, print
++ the statement for filesystem TYPE. There is no expanded infor-
++ mation for this component.
++
++ --genfscon[=TYPE]
++ Print a list of genfscon statements or, if TYPE is provided,
++ print the statement for the filesystem TYPE. There is no
++ expanded information for this component.
++
++ --netifcon[=NAME]
++ Print a list of netif contexts or, if NAME is provided, print
++ the statement for interface NAME. There is no expanded informa-
++ tion for this component.
++
++ --nodecon[=ADDR]
++ Print a list of node contexts or, if ADDR is provided, print the
++ statement for the node with address ADDR. There is no expanded
++ information for this component.
++
++ --portcon[=PORT]
++ Print a list of port contexts or, if PORT is provided, print the
++ statement for port PORT. There is no expanded information for
++ this component.
++
++ --protocol=PROTO
++ Print only portcon statements for the protocol PROTO. This
++ option is ignored if portcon statements are not printed or if no
++ statement exists for the requested port.
++
++ --all Print all components.
++
++OOPPTTIIOONNSS
++ -x, --expand
++ Print additional details for each component matching the expres-
++ sion. These details include the types assigned to an attribute
++ or role and the permissions for an object class. This option is
++ not available for all component types; see the description of
++ each component for the details this option will provide.
++
++ --stats
++ Print policy statistics including policy type and version infor-
++ mation and counts of all components and rules.
++
++ -h, --help
++ Print help information and exit.
++
++ -V, --version
++ Print version information and exit.
++
++AAUUTTHHOORR
++ This manual page was written by Jeremy A. Mowery <jmowery at tresys.com>.
++
++CCOOPPYYRRIIGGHHTT
++ Copyright(C) 2003-2007 Tresys Technology, LLC
++
++BBUUGGSS
++ Please report bugs via an email to setools-bugs at tresys.com.
++
++SSEEEE AALLSSOO
++ sesearch(1), apol(1)
++
++
++
++ seinfo(1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.0.8/policy/modules/services/radius.fc
--- nsaserefpolicy/policy/modules/services/radius.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/radius.fc 2008-01-17 09:03:07.000000000 -0500
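Review bot: The new file `policy/modules/services/q` created by this hunk is the formatted text of the seinfo(1) man page (overstruck headings such as `NNAAMMEE`, no policy statements), which looks like a scratch capture added to the patch by accident rather than a policy module. It should be removed from policy-20070703.patch so it is not carried into the policy tree. The mis-encoded apostrophe in `kernelâs` is further evidence of a terminal dump.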
@@ -13673,7 +13963,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-01-31 11:27:27.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-02-06 08:56:20.000000000 -0500
@@ -137,6 +137,11 @@
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
@@ -13703,7 +13993,7 @@
kernel_read_proc_symlinks(samba_net_t)
corenet_all_recvfrom_unlabeled(samba_net_t)
-@@ -190,8 +196,7 @@
+@@ -190,19 +196,15 @@
miscfiles_read_localization(samba_net_t)
@@ -13712,8 +14002,9 @@
+samba_read_var_files(samba_net_t)
userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
++userdom_list_all_users_home_dirs(samba_net_t)
-@@ -199,10 +204,6 @@
+ optional_policy(`
kerberos_use(samba_net_t)
')
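Review bot: `userdom_list_all_users_home_dirs(samba_net_t)` is added without a comment explaining why the net utility needs to list every user's home directory. If this only silences denials from running the command with a home directory as the working directory, a dontaudit would be narrower; if listing is genuinely required, a short why-comment above the line would document it. The surrounding samba_net_t rules continue outside the hunk.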
@@ -13724,7 +14015,7 @@
########################################
#
# smbd Local policy
-@@ -217,19 +218,16 @@
+@@ -217,19 +219,16 @@
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
@@ -13747,7 +14038,7 @@
allow smbd_t samba_net_tmp_t:file getattr;
-@@ -239,6 +237,7 @@
+@@ -239,6 +238,7 @@
manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
@@ -13755,7 +14046,7 @@
manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
-@@ -256,7 +255,7 @@
+@@ -256,7 +256,7 @@
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
@@ -13764,7 +14055,7 @@
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -292,12 +291,13 @@
+@@ -292,12 +292,13 @@
fs_getattr_all_fs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
@@ -13780,7 +14071,7 @@
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -321,12 +321,12 @@
+@@ -321,12 +322,12 @@
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
@@ -13795,7 +14086,7 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -347,6 +347,17 @@
+@@ -347,6 +348,17 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -13813,7 +14104,7 @@
')
optional_policy(`
-@@ -398,7 +409,7 @@
+@@ -398,7 +410,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -13822,7 +14113,7 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -410,8 +421,7 @@
+@@ -410,8 +422,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -13832,7 +14123,7 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -421,6 +431,8 @@
+@@ -421,6 +432,8 @@
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -13841,7 +14132,7 @@
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
kernel_read_kernel_sysctls(nmbd_t)
-@@ -446,6 +458,7 @@
+@@ -446,6 +459,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -13849,7 +14140,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -462,17 +475,11 @@
+@@ -462,17 +476,11 @@
miscfiles_read_localization(nmbd_t)
@@ -13867,7 +14158,7 @@
seutil_sigchld_newrole(nmbd_t)
')
-@@ -506,6 +513,8 @@
+@@ -506,6 +514,8 @@
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
files_list_var_lib(smbmount_t)
@@ -13876,7 +14167,7 @@
kernel_read_system_state(smbmount_t)
corenet_all_recvfrom_unlabeled(smbmount_t)
-@@ -533,6 +542,7 @@
+@@ -533,6 +543,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -13884,7 +14175,7 @@
corecmd_list_bin(smbmount_t)
-@@ -553,16 +563,11 @@
+@@ -553,16 +564,11 @@
logging_search_logs(smbmount_t)
@@ -13903,7 +14194,7 @@
')
########################################
-@@ -570,24 +575,28 @@
+@@ -570,24 +576,28 @@
# SWAT Local policy
#
@@ -13940,7 +14231,7 @@
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -597,7 +606,11 @@
+@@ -597,7 +607,11 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -13953,7 +14244,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -622,23 +635,24 @@
+@@ -622,23 +636,24 @@
dev_read_urand(swat_t)
@@ -13980,7 +14271,7 @@
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -652,13 +666,16 @@
+@@ -652,13 +667,16 @@
kerberos_use(swat_t)
')
@@ -14003,7 +14294,7 @@
########################################
#
-@@ -672,7 +689,6 @@
+@@ -672,7 +690,6 @@
allow winbind_t self:fifo_file { read write };
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -14011,7 +14302,7 @@
allow winbind_t self:tcp_socket create_stream_socket_perms;
allow winbind_t self:udp_socket create_socket_perms;
-@@ -709,6 +725,8 @@
+@@ -709,6 +726,8 @@
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -14020,7 +14311,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +751,9 @@
+@@ -733,7 +752,9 @@
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -14030,7 +14321,7 @@
domain_use_interactive_fds(winbind_t)
-@@ -746,9 +766,6 @@
+@@ -746,9 +767,6 @@
miscfiles_read_localization(winbind_t)
@@ -14040,7 +14331,7 @@
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +775,6 @@
+@@ -758,10 +776,6 @@
')
optional_policy(`
@@ -14051,7 +14342,7 @@
seutil_sigchld_newrole(winbind_t)
')
-@@ -784,6 +797,8 @@
+@@ -784,6 +798,8 @@
allow winbind_helper_t samba_var_t:dir search;
files_list_var_lib(winbind_helper_t)
@@ -14060,7 +14351,7 @@
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
term_list_ptys(winbind_helper_t)
-@@ -804,6 +819,7 @@
+@@ -804,6 +820,7 @@
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
@@ -14068,7 +14359,7 @@
')
########################################
-@@ -828,3 +844,37 @@
+@@ -828,3 +845,37 @@
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
@@ -14226,7 +14517,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-01-17 12:46:27.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-02-06 10:23:01.000000000 -0500
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -14327,7 +14618,7 @@
optional_policy(`
procmail_domtrans(sendmail_t)
-+ procmail_read_tmp_files(sendmail_t)
++ procmail_rw_tmp_files(sendmail_t)
+')
+
+optional_policy(`
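Review bot: `procmail_rw_tmp_files(sendmail_t)` widens sendmail's access to procmail temporary files from read to read/write, and nothing in the commit log or the spec changelog (which names only the fail2ban change) records why. A short policy comment above the call would keep the rationale with the rule, e.g. `# sendmail must write back procmail tmp files (was read-only)`, ideally citing the denial that motivated it. The inner patch hunk this belongs to starts outside the view, so it is not clear whether the write access is also exercised by a matching `procmail_domtrans` caller elsewhere.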
@@ -14432,6 +14723,17 @@
+ dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.0.8/policy/modules/services/smartmon.te
+--- nsaserefpolicy/policy/modules/services/smartmon.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/smartmon.te 2008-02-01 08:42:06.000000000 -0500
+@@ -49,6 +49,7 @@
+ corenet_udp_sendrecv_all_ports(fsdaemon_t)
+
+ dev_read_sysfs(fsdaemon_t)
++dev_read_urand(fsdaemon_t)
+
+ domain_use_interactive_fds(fsdaemon_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.0.8/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/snmp.te 2008-01-17 09:03:07.000000000 -0500
@@ -16771,7 +17073,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-01-31 11:32:52.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-02-11 17:22:41.000000000 -0500
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -16822,13 +17124,14 @@
term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)
-@@ -111,19 +129,15 @@
+@@ -111,19 +129,16 @@
logging_send_syslog_msg(pam_t)
userdom_use_unpriv_users_fds(pam_t)
+userdom_write_unpriv_users_tmp_files(pam_t)
-+userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
+userdom_unlink_unpriv_users_tmp_files(pam_t)
++userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
++userdom_dontaudit_write_user_home_content_files(user, pam_t)
+userdom_append_unpriv_users_home_content_files(pam_t)
optional_policy(`
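Review bot: `userdom_dontaudit_write_user_home_content_files(user, pam_t)` takes a user-prefix argument, unlike the neighbouring `userdom_*_unpriv_users_*` calls, so it appears to be a per-prefix template and only silences writes to `user_home_t`, not to every unprivileged user's home content; if the goal is all unprivileged users, the non-templated form used on the adjacent lines is the consistent choice. The body of that template is presumably the `dontaudit $2 $1_home_t:file write;` block in the userdomain.if hunk further down, which this commit extends with nfs/cifs dontaudits, so pam_t also inherits those. A comment naming the PAM module whose denials this silences, e.g. `# pam_xauth/pam_mkhomedir writes into the user's home; dontaudit rather than allow`, would make the intent reviewable. The enclosing pam_t policy block starts outside the hunk.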
@@ -16846,7 +17149,7 @@
########################################
#
# PAM console local policy
-@@ -149,6 +163,8 @@
+@@ -149,6 +164,8 @@
dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
@@ -16855,7 +17158,7 @@
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t)
-@@ -159,6 +175,8 @@
+@@ -159,6 +176,8 @@
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
@@ -16864,7 +17167,7 @@
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
-@@ -200,6 +218,7 @@
+@@ -200,6 +219,7 @@
fs_list_auto_mountpoints(pam_console_t)
fs_list_noxattr_fs(pam_console_t)
@@ -16872,7 +17175,7 @@
init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)
-@@ -236,7 +255,7 @@
+@@ -236,7 +256,7 @@
optional_policy(`
xserver_read_xdm_pid(pam_console_t)
@@ -16881,7 +17184,7 @@
')
########################################
-@@ -256,6 +275,7 @@
+@@ -256,6 +276,7 @@
userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
@@ -16889,7 +17192,7 @@
########################################
#
-@@ -302,3 +322,29 @@
+@@ -302,3 +323,31 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
@@ -16913,6 +17216,8 @@
+auth_use_nsswitch(updpwd_t)
+
+term_dontaudit_use_console(updpwd_t)
++term_dontaudit_use_all_user_ptys(updpwd_t)
++term_dontaudit_use_all_user_ttys(updpwd_t)
+term_dontaudit_use_unallocated_ttys(updpwd_t)
+term_dontaudit_use_generic_ptys(updpwd_t)
+
@@ -17779,7 +18084,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-02-11 16:25:54.000000000 -0500
@@ -65,11 +65,15 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -17857,7 +18162,7 @@
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
-@@ -284,3 +299,15 @@
+@@ -284,3 +299,16 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -17873,6 +18178,7 @@
+/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2008-01-17 09:03:07.000000000 -0500
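Review bot: Labelling `/usr/lib(64)?/libmythavcodec-[^/]+\.so.*` as `textrel_shlib_t` grants `execmod` on the library's mapping to every process that loads it, weakening the W^X protection that `lib_t` enforces, and the hunk gives no reason for the exception. Presumably the library carries text relocations; a comment recording that and the upstream report, e.g. `# mythtv avcodec is built with text relocations; revert to lib_t once fixed upstream (bug: <BUG-ID placeholder>)`, lets the exception be removed later instead of living on indefinitely. The other new entries in this hunk follow the same pattern, so one comment covering the group is enough.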
@@ -19348,7 +19654,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2008-01-21 15:06:05.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2008-02-02 00:06:45.000000000 -0500
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -19627,7 +19933,7 @@
')
+optional_policy(`
-+ cron_rw_pipes(setfiles_t)
++ cron_system_entry(setfiles_t, setfiles_exec_t)
+')
+
+optional_policy(`
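Review bot: Swapping `cron_rw_pipes(setfiles_t)` for `cron_system_entry(setfiles_t, setfiles_exec_t)` is not a like-for-like change: it makes `setfiles_exec_t` an entry point so that system cron jobs transition into `setfiles_t`, a domain that can relabel the whole filesystem, rather than merely letting an already-running setfiles_t use crond's pipes. That is a deliberate widening of which jobs may run a relabel and deserves a comment stating the cron job it serves, e.g. `# allow the nightly restorecon/setfiles cron job to run in setfiles_t`, and a changelog line; the spec changelog in this commit mentions only fail2ban. As far as I recall `cron_system_entry` also grants the crond fifo read/write that the removed line provided, but that is worth confirming against the cron.if in this tree before dropping the explicit call.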
@@ -20515,7 +20821,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-02-11 17:21:49.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -21521,7 +21827,18 @@
read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
')
-@@ -2066,7 +2193,7 @@
+@@ -2034,6 +2161,10 @@
+ ')
+
+ dontaudit $2 $1_home_t:file write;
++ fs_dontaudit_list_nfs($2)
++ fs_dontaudit_rw_nfs_files($2)
++ fs_dontaudit_list_cifs($2)
++ fs_dontaudit_rw_cifs_files($2)
+ ')
+
+ ########################################
+@@ -2066,7 +2197,7 @@
type $1_home_dir_t, $1_home_t;
')
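Review bot: The four new `fs_dontaudit_*_nfs`/`fs_dontaudit_*_cifs` calls are unconditional and broader than the rule they sit next to: `dontaudit $2 $1_home_t:file write;` silences only write denials on the caller's home content, whereas `fs_dontaudit_rw_nfs_files($2)` and `fs_dontaudit_rw_cifs_files($2)` silence read and write denials on every `nfs_t`/`cifs_t` file, home directory or not, for any domain that uses this template (including pam_t via the authlogin hunk above). That hides denials an administrator would otherwise use to diagnose a misconfigured domain. Consider wrapping them in `tunable_policy(`use_nfs_home_dirs',` … ')` and `tunable_policy(`use_samba_home_dirs',` … ')` as other home-directory nfs/cifs rules in refpolicy are, and adding a comment such as `# home dirs may live on NFS/CIFS; suppress the equivalent denials there`. The template's header is outside the hunk, so its name and documented scope cannot be checked here.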
@@ -21530,7 +21847,7 @@
read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
')
-@@ -2100,7 +2227,7 @@
+@@ -2100,7 +2231,7 @@
type $1_home_dir_t, $1_home_t;
')
@@ -21539,7 +21856,7 @@
exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
')
-@@ -2169,7 +2296,7 @@
+@@ -2169,7 +2300,7 @@
type $1_home_dir_t, $1_home_t;
')
@@ -21548,7 +21865,7 @@
allow $2 $1_home_dir_t:dir search_dir_perms;
manage_files_pattern($2,$1_home_t,$1_home_t)
')
-@@ -2241,7 +2368,7 @@
+@@ -2241,7 +2372,7 @@
type $1_home_dir_t, $1_home_t;
')
@@ -21557,7 +21874,7 @@
allow $2 $1_home_dir_t:dir search_dir_perms;
manage_lnk_files_pattern($2,$1_home_t,$1_home_t)
')
-@@ -2278,7 +2405,7 @@
+@@ -2278,7 +2409,7 @@
type $1_home_dir_t, $1_home_t;
')
@@ -21566,7 +21883,7 @@
allow $2 $1_home_dir_t:dir search_dir_perms;
manage_fifo_files_pattern($2,$1_home_t,$1_home_t)
')
-@@ -2315,7 +2442,7 @@
+@@ -2315,7 +2446,7 @@
type $1_home_dir_t, $1_home_t;
')
@@ -21575,7 +21892,7 @@
allow $2 $1_home_dir_t:dir search_dir_perms;
manage_sock_files_pattern($2,$1_home_t,$1_home_t)
')
-@@ -2365,7 +2492,7 @@
+@@ -2365,7 +2496,7 @@
type $1_home_dir_t;
')
@@ -21584,7 +21901,7 @@
filetrans_pattern($2,$1_home_dir_t,$3,$4)
')
-@@ -2414,7 +2541,7 @@
+@@ -2414,7 +2545,7 @@
type $1_home_t;
')
@@ -21593,7 +21910,7 @@
filetrans_pattern($2,$1_home_t,$3,$4)
')
-@@ -2458,7 +2585,7 @@
+@@ -2458,7 +2589,7 @@
type $1_home_dir_t, $1_home_t;
')
@@ -21602,7 +21919,7 @@
filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3)
')
-@@ -2994,6 +3121,25 @@
+@@ -2994,6 +3125,25 @@
########################################
## <summary>
@@ -21628,7 +21945,7 @@
## Create objects in a user temporary directory
## with an automatic type transition to
## a specified private type.
-@@ -3078,7 +3224,7 @@
+@@ -3078,7 +3228,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -21637,7 +21954,7 @@
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -3086,11 +3232,11 @@
+@@ -3086,11 +3236,11 @@
########################################
## <summary>
@@ -21651,7 +21968,7 @@
## </p>
## <p>
## This is a templated interface, and should only
-@@ -3122,6 +3268,42 @@
+@@ -3122,6 +3272,42 @@
########################################
## <summary>
@@ -21694,7 +22011,7 @@
## List users untrusted directories.
## </summary>
## <desc>
-@@ -4089,7 +4271,7 @@
+@@ -4089,7 +4275,7 @@
type staff_home_dir_t;
')
@@ -21703,7 +22020,7 @@
allow $1 staff_home_dir_t:dir search_dir_perms;
')
-@@ -4128,7 +4310,7 @@
+@@ -4128,7 +4314,7 @@
type staff_home_dir_t;
')
@@ -21712,7 +22029,7 @@
allow $1 staff_home_dir_t:dir manage_dir_perms;
')
-@@ -4147,7 +4329,7 @@
+@@ -4147,7 +4333,7 @@
type staff_home_dir_t;
')
@@ -21721,7 +22038,7 @@
allow $1 staff_home_dir_t:dir relabelto;
')
-@@ -4185,7 +4367,7 @@
+@@ -4185,7 +4371,7 @@
type staff_home_dir_t, staff_home_t;
')
@@ -21730,7 +22047,7 @@
allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
-@@ -4410,6 +4592,7 @@
+@@ -4410,6 +4596,7 @@
')
dontaudit $1 sysadm_home_dir_t:dir getattr;
@@ -21738,7 +22055,7 @@
')
########################################
-@@ -4444,9 +4627,11 @@
+@@ -4444,9 +4631,11 @@
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
type sysadm_home_dir_t;
@@ -21750,7 +22067,7 @@
')
########################################
-@@ -4570,10 +4755,11 @@
+@@ -4570,10 +4759,11 @@
type sysadm_home_dir_t, sysadm_home_t;
')
@@ -21763,7 +22080,7 @@
')
########################################
-@@ -4609,11 +4795,29 @@
+@@ -4609,11 +4799,29 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -21794,7 +22111,7 @@
')
########################################
-@@ -4633,6 +4837,14 @@
+@@ -4633,6 +4841,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -21809,7 +22126,7 @@
')
########################################
-@@ -4895,7 +5107,7 @@
+@@ -4895,7 +5111,7 @@
type user_home_dir_t, user_home_t;
')
@@ -21818,7 +22135,7 @@
filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
')
-@@ -4933,7 +5145,7 @@
+@@ -4933,7 +5149,7 @@
type user_home_dir_t;
')
@@ -21827,7 +22144,7 @@
allow $1 user_home_dir_t:dir manage_dir_perms;
')
-@@ -4954,7 +5166,7 @@
+@@ -4954,7 +5170,7 @@
type user_home_t;
')
@@ -21836,7 +22153,7 @@
manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -4973,7 +5185,7 @@
+@@ -4973,7 +5189,7 @@
type staff_home_dir_t;
')
@@ -21845,7 +22162,7 @@
allow $1 user_home_dir_t:dir relabelto;
')
-@@ -4992,7 +5204,7 @@
+@@ -4992,7 +5208,7 @@
type user_home_t, user_home_dir_t;
')
@@ -21854,7 +22171,7 @@
allow $1 user_home_t:dir list_dir_perms;
read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -5013,7 +5225,7 @@
+@@ -5013,7 +5229,7 @@
type user_home_t;
')
@@ -21863,7 +22180,7 @@
allow $1 user_home_t:file execute;
')
-@@ -5033,7 +5245,7 @@
+@@ -5033,7 +5249,7 @@
type user_home_dir_t, user_home_t;
')
@@ -21872,7 +22189,7 @@
manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -5072,7 +5284,7 @@
+@@ -5072,7 +5288,7 @@
type user_home_t;
')
@@ -21881,7 +22198,7 @@
manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -5092,7 +5304,7 @@
+@@ -5092,7 +5308,7 @@
type user_home_t;
')
@@ -21890,7 +22207,7 @@
manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -5112,7 +5324,7 @@
+@@ -5112,7 +5328,7 @@
type user_home_t;
')
@@ -21899,7 +22216,7 @@
manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
-@@ -5131,7 +5343,7 @@
+@@ -5131,7 +5347,7 @@
attribute user_home_dir_type;
')
@@ -21908,7 +22225,7 @@
allow $1 user_home_dir_type:dir search_dir_perms;
')
-@@ -5151,7 +5363,7 @@
+@@ -5151,7 +5367,7 @@
attribute user_home_dir_type, user_home_type;
')
@@ -21917,7 +22234,7 @@
allow $1 user_home_type:dir list_dir_perms;
read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
-@@ -5173,7 +5385,7 @@
+@@ -5173,7 +5389,7 @@
attribute user_home_dir_type, user_home_type;
')
@@ -21926,7 +22243,7 @@
manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
')
-@@ -5193,7 +5405,7 @@
+@@ -5193,7 +5409,7 @@
attribute user_home_dir_type, user_home_type;
')
@@ -21935,7 +22252,7 @@
manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
')
-@@ -5323,7 +5535,7 @@
+@@ -5323,7 +5539,7 @@
attribute user_tmpfile;
')
@@ -21944,7 +22261,7 @@
')
########################################
-@@ -5346,6 +5558,25 @@
+@@ -5346,6 +5562,25 @@
########################################
## <summary>
@@ -21970,7 +22287,7 @@
## Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
-@@ -5529,6 +5760,24 @@
+@@ -5529,6 +5764,24 @@
########################################
## <summary>
@@ -21995,7 +22312,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5559,3 +5808,419 @@
+@@ -5559,3 +5812,419 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.609
retrieving revision 1.610
diff -u -r1.609 -r1.610
--- selinux-policy.spec 31 Jan 2008 20:59:53 -0000 1.609
+++ selinux-policy.spec 11 Feb 2008 22:54:33 -0000 1.610
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 83%{?dist}
+Release: 84%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
%endif
%changelog
+* Fri Feb 1 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-84
+- Allow fail2ban to create sock_files in /var/run
+
* Thu Jan 22 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-83
- Make oddjob_mkhomedir work with confined login domains