rpms/selinux-policy/F-8 booleans-targeted.conf, 1.35, 1.36 policy-20070703.patch, 1.165, 1.166 selinux-policy.spec, 1.600, 1.601

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jan 8 19:59:13 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31868

Modified Files:
	booleans-targeted.conf policy-20070703.patch 
	selinux-policy.spec 
Log Message:
* Thu Jan 3 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-74
- Allow updatedb to getattr on fifo_files



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/booleans-targeted.conf,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- booleans-targeted.conf	17 Nov 2007 11:30:22 -0000	1.35
+++ booleans-targeted.conf	8 Jan 2008 19:58:28 -0000	1.36
@@ -4,7 +4,7 @@
 
 # Allow making a modified private filemapping executable (text relocation).
 # 
-allow_execmod = false
+allow_execmod = true
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
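Review bot: The default for `allow_execmod` flips to `true` here, yet the log message shown with this commit mentions only the updatedb fifo change, so a relaxed default for text relocations goes undocumented. The comment above the setting should say why the targeted default is being loosened, for example `# Enabled by default in targeted policy because <reason / bug reference>; set to false to enforce.` Hosts that rely on execmod denials as a signal can turn it back off with `setsebool -P allow_execmod 0`.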

policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.165
retrieving revision 1.166
diff -u -r1.165 -r1.166
--- policy-20070703.patch	31 Dec 2007 22:53:38 -0000	1.165
+++ policy-20070703.patch	8 Jan 2008 19:58:28 -0000	1.166
@@ -1892,8 +1892,8 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.8/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/rpm.if	2007-12-06 10:00:22.000000000 -0500
-@@ -152,6 +152,24 @@
++++ serefpolicy-3.0.8/policy/modules/admin/rpm.if	2008-01-08 08:11:19.000000000 -0500
+@@ -152,6 +152,45 @@
  
  ########################################
  ## <summary>
@@ -1915,10 +1915,31 @@
 +
 +########################################
 +## <summary>
++##	Send and receive messages from
++##	rpm_script over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpm_script_dbus_chat',`
++	gen_require(`
++		type rpm_script_t;
++		class dbus send_msg;
++	')
++
++	allow $1 rpm_script_t:dbus send_msg;
++	allow rpm_script_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -210,6 +228,24 @@
+@@ -210,6 +249,24 @@
  
  ########################################
  ## <summary>
@@ -1943,7 +1964,7 @@
  ##	Create, read, write, and delete RPM
  ##	script temporary files.
  ## </summary>
-@@ -225,7 +261,30 @@
+@@ -225,7 +282,30 @@
  	')
  
  	files_search_tmp($1)
@@ -1974,7 +1995,7 @@
  ')
  
  ########################################
-@@ -289,3 +348,112 @@
+@@ -289,3 +369,112 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -3653,6 +3674,17 @@
  	files_search_var_lib($1)
  ')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.0.8/policy/modules/apps/slocate.te
+--- nsaserefpolicy/policy/modules/apps/slocate.te	2007-10-22 13:21:40.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/slocate.te	2008-01-03 10:02:40.000000000 -0500
+@@ -39,6 +39,7 @@
+ 
+ files_list_all(locate_t)
+ files_getattr_all_files(locate_t)
++files_getattr_all_pipes(locate_t)
+ files_getattr_all_sockets(locate_t)
+ files_read_etc_runtime_files(locate_t)
+ files_read_etc_files(locate_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.0.8/policy/modules/apps/userhelper.if
 --- nsaserefpolicy/policy/modules/apps/userhelper.if	2007-10-22 13:21:40.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/apps/userhelper.if	2007-12-02 21:15:34.000000000 -0500
@@ -3906,7 +3938,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-12-31 06:44:32.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2008-01-07 11:08:45.000000000 -0500
 @@ -7,6 +7,7 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -3948,7 +3980,7 @@
  
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -163,8 +168,13 @@
+@@ -163,9 +168,15 @@
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
@@ -3961,9 +3993,11 @@
 +/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
-@@ -180,6 +190,7 @@
+ /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
+@@ -180,6 +191,7 @@
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
@@ -3971,7 +4005,7 @@
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +270,23 @@
+@@ -259,3 +271,23 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4593,7 +4627,7 @@
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-12-04 22:17:10.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2008-01-08 06:14:55.000000000 -0500
 @@ -343,8 +343,7 @@
  
  ########################################
@@ -5572,8 +5606,35 @@
  /dev/i2o/hd[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.8/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/storage.if	2007-12-02 21:15:34.000000000 -0500
-@@ -673,3 +673,61 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/storage.if	2008-01-08 06:26:29.000000000 -0500
+@@ -106,6 +106,26 @@
+ 
+ ########################################
+ ## <summary>
++##	dontaudit the caller attempts to read from a fixed disk.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`storage_dontaudit_raw_read_fixed_disk',`
++	gen_require(`
++		attribute fixed_disk_raw_read;
++		type fixed_disk_device_t;
++	')
++
++	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
++	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts made by the caller to read
+ ##	fixed disk device nodes.
+ ## </summary>
+@@ -673,3 +693,61 @@
  
  	typeattribute $1 storage_unconfined_type;
  ')
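Review bot: The new `storage_dontaudit_raw_read_fixed_disk` interface requires `attribute fixed_disk_raw_read;` in its `gen_require` but never uses it, and its summary line is not a sentence. Drop the unused requirement and word the summary like the neighbouring interface, e.g. `##	Do not audit attempts by the caller to read fixed disk block and character device nodes.` The interface that follows it in the context lines is already documented as not auditing reads of fixed disk device nodes; its body is outside the hunk, so it is worth confirming the two do not duplicate each other. Because `dontaudit` removes the AVC record, the call added for `nfsd_t` in the rpc.te hunk should carry a comment saying why nfsd touches the raw disk.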
@@ -8155,7 +8216,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2007-12-24 06:13:08.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2008-01-08 08:11:51.000000000 -0500
 @@ -50,6 +50,12 @@
  ## </param>
  #
@@ -8216,7 +8277,7 @@
  		class dbus send_msg;
  	')
  
-@@ -202,9 +224,12 @@
+@@ -202,9 +224,16 @@
  	# SE-DBus specific permissions
  	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
  
@@ -8226,10 +8287,14 @@
  	files_search_pids($2)
  	stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
 +	dbus_read_config($2)
++
++	optional_policy(`
++		rpm_script_dbus_chat($2)
++	')
  ')
  
  #######################################
-@@ -236,11 +261,12 @@
+@@ -236,11 +265,12 @@
  		class dbus send_msg;
  	')
  
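Review bot: Adding `rpm_script_dbus_chat($2)` at the end of this template gives every domain passed as `$2` a two-way `dbus send_msg` relationship with `rpm_script_t`, and nothing in the hunk says why such a broad grant is needed. The template header is outside the hunk, but the neighbouring context uses `$1_dbusd_system_t`, so this appears to apply to every system bus client. Either call the interface only from the domains that need it, or record the reason in place with a comment such as `# <why rpm scriptlets must reach every system bus client; bug reference>`.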
@@ -8245,7 +8310,7 @@
  
  	# For connecting to the bus
  	allow $3 $1_dbusd_t:unix_stream_socket connectto;
-@@ -271,6 +297,60 @@
+@@ -271,6 +301,60 @@
  	allow $2 $1_dbusd_t:dbus send_msg;
  ')
  
@@ -8306,7 +8371,7 @@
  ########################################
  ## <summary>
  ##	Read dbus configuration.
-@@ -286,6 +366,7 @@
+@@ -286,6 +370,7 @@
  		type dbusd_etc_t;
  	')
  
@@ -8314,7 +8379,7 @@
  	allow $1 dbusd_etc_t:file read_file_perms;
  ')
  
-@@ -346,3 +427,55 @@
+@@ -346,3 +431,55 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -8441,7 +8506,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.0.8/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dcc.te	2007-12-13 15:53:15.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dcc.te	2008-01-04 09:46:21.000000000 -0500
 @@ -124,7 +124,7 @@
  # dcc procmail interface local policy
  #
@@ -8451,12 +8516,14 @@
  allow dcc_client_t self:unix_dgram_socket create_socket_perms;
  allow dcc_client_t self:udp_socket create_socket_perms;
  
-@@ -148,6 +148,8 @@
+@@ -148,6 +148,10 @@
  files_read_etc_files(dcc_client_t)
  files_read_etc_runtime_files(dcc_client_t)
  
 +kernel_read_system_state(dcc_client_t)
 +
++auth_use_nsswitch(dcc_client_t)
++
  libs_use_ld_so(dcc_client_t)
  libs_use_shared_libs(dcc_client_t)
  
@@ -9171,6 +9238,14 @@
 +	exim_manage_var_lib(exim_lib_update_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.0.8/policy/modules/services/fail2ban.fc
+--- nsaserefpolicy/policy/modules/services/fail2ban.fc	2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc	2008-01-08 13:31:58.000000000 -0500
+@@ -1,3 +1,4 @@
++/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+ /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+ /var/log/fail2ban.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
+ /var/run/fail2ban.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.0.8/policy/modules/services/fetchmail.te
 --- nsaserefpolicy/policy/modules/services/fetchmail.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/fetchmail.te	2007-12-02 21:15:34.000000000 -0500
@@ -11082,7 +11157,7 @@
  /var/run/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.8/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/openvpn.te	2007-12-10 09:37:24.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/openvpn.te	2008-01-08 12:10:23.000000000 -0500
 @@ -35,7 +35,7 @@
  # openvpn local policy
  #
@@ -11092,7 +11167,23 @@
  allow openvpn_t self:process { signal getsched };
  
  allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -108,6 +108,14 @@
+@@ -47,6 +47,7 @@
+ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
+ read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
+ read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
++can_exec(openvpn_t,openvpn_etc_t)
+ 
+ allow openvpn_t openvpn_var_log_t:file manage_file_perms;
+ logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
+@@ -77,6 +78,7 @@
+ corenet_sendrecv_openvpn_server_packets(openvpn_t)
+ corenet_rw_tun_tap_dev(openvpn_t)
+ corenet_tcp_connect_openvpn_port(openvpn_t)
++corenet_tcp_connect_http_port(openvpn_t)
+ 
+ dev_search_sysfs(openvpn_t)
+ dev_read_rand(openvpn_t)
+@@ -108,6 +110,14 @@
  	dbus_system_bus_client_template(openvpn,openvpn_t)
  	dbus_connect_system_bus(openvpn_t)
  	dbus_send_system_bus(openvpn_t)
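Review bot: `can_exec(openvpn_t,openvpn_etc_t)` lets openvpn run any file labelled as its configuration inside `openvpn_t`, so whatever can write `openvpn_etc_t` content can now get code run with the daemon's permissions. Presumably this is for hook scripts kept in the configuration directory; if so, say it with a comment such as `# openvpn executes hook scripts stored with its configuration` and consider a separate type for those scripts so configuration data stays non-executable. The added `corenet_tcp_connect_http_port(openvpn_t)` deserves its own one-line reason as well, since no need for outbound http is visible in this hunk.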
@@ -11903,7 +11994,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/procmail.te	2007-12-26 18:17:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/procmail.te	2008-01-08 11:06:01.000000000 -0500
 @@ -30,6 +30,8 @@
  allow procmail_t procmail_tmp_t:file manage_file_perms;
  files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
@@ -11930,14 +12021,15 @@
  miscfiles_read_localization(procmail_t)
  
  # only works until we define a different type for maildir
-@@ -97,17 +102,16 @@
+@@ -97,17 +102,20 @@
  ')
  
  optional_policy(`
 -	logging_send_syslog_msg(procmail_t)
--')
--
--optional_policy(`
++	cron_read_pipes(procmail_t)
+ ')
+ 
+ optional_policy(`
 -	nis_use_ypbind(procmail_t)
 +	munin_dontaudit_search_lib(procmail_t)
  ')
@@ -11952,19 +12044,20 @@
  ')
  
  optional_policy(`
-@@ -125,7 +129,12 @@
+@@ -125,7 +133,13 @@
  	corenet_udp_bind_generic_port(procmail_t)
  	corenet_dontaudit_udp_bind_all_ports(procmail_t)
  
-+	spamassassin_read_user_home_files(procmail_t)
++	spamassassin_manage_user_home_files(procmail_t)
  	spamassassin_exec(procmail_t)
  	spamassassin_exec_client(procmail_t)
  	spamassassin_read_lib_files(procmail_t)
- ')
++
++')
 +
 +optional_policy(`
 +	mailscanner_read_spool(procmail_t)
-+')
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.0.8/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2007-10-22 13:21:36.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/pyzor.if	2007-12-02 21:15:34.000000000 -0500
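Review bot: `procmail_t` moves from `spamassassin_read_user_home_files` to `spamassassin_manage_user_home_files` here, which turns read access to per-user spamassassin files into create, write and delete, with no comment or log entry giving the reason. The modutils.te hunk does the same for `depmod_t`, replacing `rpm_read_script_tmp_files` with `rpm_manage_script_tmp_files`. Each widened call should name the operation that needs write access, e.g. `# procmail runs spamassassin in-domain (spamassassin_exec) and must write <files>: <bug reference>`, or stay at read if only a read denial was observed. The optional_policy block that contains the procmail call starts outside this hunk.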
@@ -12361,7 +12454,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpc.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/rpc.te	2008-01-08 06:23:55.000000000 -0500
 @@ -59,10 +59,14 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -12400,12 +12493,14 @@
  ')
  
  ########################################
-@@ -91,9 +104,13 @@
+@@ -91,9 +104,15 @@
  allow nfsd_t exports_t:file { getattr read };
  allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  
 +dev_dontaudit_getattr_all_blk_files(nfsd_t) 
 +dev_dontaudit_getattr_all_chr_files(nfsd_t) 
++dev_read_lvm_control(nfsd_t)
++storage_dontaudit_raw_read_fixed_disk(nfsd_t)
 +
  # for /proc/fs/nfs/exports - should we have a new type?
  kernel_read_system_state(nfsd_t) 
@@ -12414,7 +12509,7 @@
  
  corenet_tcp_bind_all_rpc_ports(nfsd_t)
  corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -123,6 +140,7 @@
+@@ -123,6 +142,7 @@
  tunable_policy(`nfs_export_all_rw',`
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
@@ -12422,7 +12517,7 @@
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +161,9 @@
+@@ -143,6 +163,9 @@
  manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -12432,7 +12527,7 @@
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)	
  kernel_search_network_sysctl(gssd_t)	
-@@ -158,6 +179,9 @@
+@@ -158,6 +181,9 @@
  
  miscfiles_read_certs(gssd_t)
  
@@ -12658,7 +12753,7 @@
  /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/samba.if	2008-01-08 13:38:54.000000000 -0500
 @@ -332,6 +332,25 @@
  
  ########################################
@@ -12693,7 +12788,7 @@
  ')
  
  ########################################
-@@ -493,3 +513,102 @@
+@@ -493,3 +513,103 @@
  	allow $1 samba_var_t:dir search_dir_perms;
  	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
  ')
@@ -12743,6 +12838,7 @@
 +		type samba_share_t;
 +	')
 +
++	allow $1 samba_share_t:filesystem getattr;
 +	read_files_pattern($1, samba_share_t, samba_share_t)
 +')
 +
@@ -12798,7 +12894,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/samba.te	2008-01-08 13:40:35.000000000 -0500
 @@ -137,6 +137,11 @@
  type winbind_var_run_t;
  files_pid_file(winbind_var_run_t)
@@ -12872,7 +12968,15 @@
  
  allow smbd_t samba_net_tmp_t:file getattr;
  
-@@ -256,7 +254,7 @@
+@@ -239,6 +237,7 @@
+ manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
+ manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
+ manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
++allow smbd_t samba_share_t:filesystem getattr;
+ 
+ manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
+ manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
+@@ -256,7 +255,7 @@
  manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
  files_pid_filetrans(smbd_t,smbd_var_run_t,file)
  
@@ -12881,7 +12985,7 @@
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -292,12 +290,13 @@
+@@ -292,12 +291,13 @@
  
  fs_getattr_all_fs(smbd_t)
  fs_get_xattr_fs_quotas(smbd_t)
@@ -12897,7 +13001,7 @@
  
  domain_use_interactive_fds(smbd_t)
  domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -321,8 +320,6 @@
+@@ -321,8 +321,6 @@
  miscfiles_read_localization(smbd_t)
  miscfiles_read_public_files(smbd_t)
  
@@ -12906,7 +13010,7 @@
  userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
  userdom_dontaudit_use_unpriv_user_fds(smbd_t)
  userdom_use_unpriv_users_fds(smbd_t)
-@@ -347,6 +344,17 @@
+@@ -347,6 +345,17 @@
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
@@ -12924,7 +13028,7 @@
  ')
  
  optional_policy(`
-@@ -398,7 +406,7 @@
+@@ -398,7 +407,7 @@
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -12933,7 +13037,7 @@
  allow nmbd_t self:tcp_socket create_stream_socket_perms;
  allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -410,8 +418,7 @@
+@@ -410,8 +419,7 @@
  read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
  
  manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -12943,7 +13047,7 @@
  
  read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -421,6 +428,8 @@
+@@ -421,6 +429,8 @@
  
  allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
  
@@ -12952,7 +13056,7 @@
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
  kernel_read_kernel_sysctls(nmbd_t)
-@@ -446,6 +455,7 @@
+@@ -446,6 +456,7 @@
  dev_getattr_mtrr_dev(nmbd_t)
  
  fs_getattr_all_fs(nmbd_t)
@@ -12960,7 +13064,7 @@
  fs_search_auto_mountpoints(nmbd_t)
  
  domain_use_interactive_fds(nmbd_t)
-@@ -462,17 +472,11 @@
+@@ -462,17 +473,11 @@
  
  miscfiles_read_localization(nmbd_t)
  
@@ -12978,7 +13082,7 @@
  	seutil_sigchld_newrole(nmbd_t)
  ')
  
-@@ -506,6 +510,8 @@
+@@ -506,6 +511,8 @@
  manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
  files_list_var_lib(smbmount_t)
  
@@ -12987,7 +13091,7 @@
  kernel_read_system_state(smbmount_t)
  
  corenet_all_recvfrom_unlabeled(smbmount_t)
-@@ -533,6 +539,7 @@
+@@ -533,6 +540,7 @@
  storage_raw_write_fixed_disk(smbmount_t)
  
  term_list_ptys(smbmount_t)
@@ -12995,7 +13099,7 @@
  
  corecmd_list_bin(smbmount_t)
  
-@@ -553,16 +560,11 @@
+@@ -553,16 +561,11 @@
  
  logging_search_logs(smbmount_t)
  
@@ -13014,7 +13118,7 @@
  ')
  
  ########################################
-@@ -570,24 +572,28 @@
+@@ -570,24 +573,28 @@
  # SWAT Local policy
  #
  
@@ -13051,7 +13155,7 @@
  allow swat_t smbd_var_run_t:file read;
  
  manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -597,7 +603,11 @@
+@@ -597,7 +604,11 @@
  manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
  files_pid_filetrans(swat_t,swat_var_run_t,file)
  
@@ -13064,7 +13168,7 @@
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -622,23 +632,24 @@
+@@ -622,23 +633,24 @@
  
  dev_read_urand(swat_t)
  
@@ -13091,7 +13195,7 @@
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -652,13 +663,16 @@
+@@ -652,13 +664,16 @@
  	kerberos_use(swat_t)
  ')
  
@@ -13114,7 +13218,7 @@
  
  ########################################
  #
-@@ -672,7 +686,6 @@
+@@ -672,7 +687,6 @@
  allow winbind_t self:fifo_file { read write };
  allow winbind_t self:unix_dgram_socket create_socket_perms;
  allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -13122,7 +13226,7 @@
  allow winbind_t self:tcp_socket create_stream_socket_perms;
  allow winbind_t self:udp_socket create_socket_perms;
  
-@@ -709,6 +722,8 @@
+@@ -709,6 +723,8 @@
  manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
  files_pid_filetrans(winbind_t,winbind_var_run_t,file)
  
@@ -13131,7 +13235,7 @@
  kernel_read_kernel_sysctls(winbind_t)
  kernel_list_proc(winbind_t)
  kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +748,9 @@
+@@ -733,7 +749,9 @@
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
  
@@ -13141,7 +13245,7 @@
  
  domain_use_interactive_fds(winbind_t)
  
-@@ -746,9 +763,6 @@
+@@ -746,9 +764,6 @@
  
  miscfiles_read_localization(winbind_t)
  
@@ -13151,7 +13255,7 @@
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
  userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +772,6 @@
+@@ -758,10 +773,6 @@
  ')
  
  optional_policy(`
@@ -13162,7 +13266,7 @@
  	seutil_sigchld_newrole(winbind_t)
  ')
  
-@@ -784,6 +794,8 @@
+@@ -784,6 +795,8 @@
  allow winbind_helper_t samba_var_t:dir search;
  files_list_var_lib(winbind_helper_t)
  
@@ -13171,7 +13275,7 @@
  stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
  
  term_list_ptys(winbind_helper_t)
-@@ -804,6 +816,7 @@
+@@ -804,6 +817,7 @@
  optional_policy(`
  	squid_read_log(winbind_helper_t)
  	squid_append_log(winbind_helper_t)
@@ -13179,7 +13283,7 @@
  ')
  
  ########################################
-@@ -828,3 +841,37 @@
+@@ -828,3 +842,37 @@
  		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
  	')
  ')
@@ -13476,7 +13580,7 @@
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te	2008-01-08 06:17:14.000000000 -0500
 @@ -27,8 +27,8 @@
  # setroubleshootd local policy
  #
@@ -13497,11 +13601,13 @@
  
  corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
-@@ -67,12 +69,13 @@
+@@ -67,13 +69,18 @@
  corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
  
  dev_read_urand(setroubleshootd_t)
 +dev_read_sysfs(setroubleshootd_t)
++dev_getattr_all_blk_files(setroubleshootd_t)
++dev_getattr_all_chr_files(setroubleshootd_t)
  
  domain_dontaudit_search_all_domains_state(setroubleshootd_t)
  
@@ -13510,9 +13616,12 @@
 -files_getattr_all_dirs(setroubleshootd_t)
 +files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
++files_getattr_all_pipes(setroubleshootd_t)
++files_getattr_all_sockets(setroubleshootd_t)
  
  fs_getattr_all_dirs(setroubleshootd_t)
-@@ -111,3 +114,11 @@
+ fs_getattr_all_files(setroubleshootd_t)
+@@ -111,3 +118,11 @@
  	rpm_dontaudit_manage_db(setroubleshootd_t)
          rpm_use_script_fds(setroubleshootd_t)
  ')
@@ -13699,7 +13808,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if	2007-12-31 17:49:25.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if	2008-01-04 09:49:16.000000000 -0500
 @@ -286,6 +286,12 @@
  		userdom_manage_user_home_content_symlinks($1,spamd_t)
  	')
@@ -13721,7 +13830,7 @@
  	read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
  ')
  
-@@ -531,3 +538,56 @@
+@@ -531,3 +538,89 @@
  
  	dontaudit $1 spamd_tmp_t:sock_file getattr;
  ')
@@ -13778,6 +13887,39 @@
 +	allow $1 user_spamassassin_home_t:file read_file_perms;
 +')
 +
++########################################
++## <summary>
++##	Read spamassassin per user homedir
++## </summary>
++## <desc>
++##	<p>
++##	Read spamassassin per user homedir
++##	</p>
++##	<p>
++##	This is a templated interface, and should only
++##	be called from a per-userdomain template.
++##	</p>
++## </desc>
++## <param name="userdomain_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`spamassassin_manage_user_home_files',`
++	gen_require(`
++		type user_spamassassin_home_t;
++	')
++
++	manage_files_pattern($1, user_spamassassin_home_t, user_spamassassin_home_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-10-22 13:21:36.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te	2007-12-27 11:47:32.000000000 -0500
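Review bot: The documentation block of the new `spamassassin_manage_user_home_files` template was copied from the read variant and no longer matches the body. The summary and description say "Read" while the body calls `manage_files_pattern`, and the documented `userdomain_prefix` parameter is never used, since `$1` is passed as the domain and the type is the fixed `user_spamassassin_home_t`. Change the summary to `##	Create, read, write, and delete spamassassin per user homedir files.` and keep only the `domain` parameter, so that callers such as `spamassassin_manage_user_home_files(procmail_t)` match the documented signature.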
@@ -16347,7 +16489,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-12-31 17:39:13.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/init.te	2008-01-08 13:53:49.000000000 -0500
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -16562,7 +16704,22 @@
  ')
  
  optional_policy(`
-@@ -749,6 +801,12 @@
+@@ -715,9 +767,11 @@
+ 	squid_manage_logs(initrc_t)
+ ')
+ 
+-optional_policy(`
+-	# allow init scripts to su
+-	su_restricted_domain_template(initrc,initrc_t,system_r)
++ifndef(`targeted_policy',`
++	optional_policy(`
++		# allow init scripts to su
++		su_restricted_domain_template(initrc,initrc_t,system_r)
++	')
+ ')
+ 
+ optional_policy(`
+@@ -749,6 +803,12 @@
  	')
  ')
  
@@ -17663,7 +17820,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/modutils.te	2007-12-06 10:03:43.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/modutils.te	2008-01-03 10:41:36.000000000 -0500
 @@ -42,7 +42,7 @@
  # insmod local policy
  #
@@ -17758,7 +17915,7 @@
  
  fs_getattr_xattr_fs(depmod_t)
  
-@@ -205,13 +226,19 @@
+@@ -205,13 +226,18 @@
  userdom_read_staff_home_content_files(depmod_t)
  userdom_read_sysadm_home_content_files(depmod_t)
  
@@ -17773,8 +17930,7 @@
  
  optional_policy(`
  	rpm_rw_pipes(depmod_t)
-+	rpm_read_script_tmp_files(depmod_t)
-+
++	rpm_manage_script_tmp_files(depmod_t)
  ')
  
  #################################
@@ -19435,7 +19591,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-12-31 09:17:49.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2008-01-07 13:07:55.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -20356,15 +20512,41 @@
  	files_type($2)
  ')
  
+@@ -1744,7 +1835,7 @@
+ 		type $1_home_dir_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	allow $2 $1_home_dir_t:dir search_dir_perms;
+ ')
+ 
+@@ -1778,7 +1869,7 @@
+ 		type $1_home_dir_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	allow $2 $1_home_dir_t:dir list_dir_perms;
+ ')
+ 
+@@ -1826,7 +1917,7 @@
+ 		type $1_home_dir_t, $1_home_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	allow $2 $1_home_dir_t:dir search_dir_perms;
+ 	domain_auto_trans($2,$1_home_t,$3)
+ ')
 @@ -1894,10 +1985,46 @@
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
  		type $1_home_dir_t, $1_home_t;
 +		attribute user_home_type;
- 	')
- 
- 	files_search_home($2)
--	manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
++	')
++
++	files_list_home($2)
 +	manage_dirs_pattern($2,{ $1_home_dir_t user_home_type },$1_home_t)
 +')
 +
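Review bot: Replacing `files_search_home($2)` with `files_list_home($2)` in these templates lets every caller enumerate the entries of the home root instead of only traversing it, including templates that themselves grant no more than `search_dir_perms` on `$1_home_dir_t`. The same substitution repeats in the following hunk, which continues beyond the visible text. If only some callers need to list the home root, keep `files_search_home` here and grant listing to those callers; otherwise add a comment like `# list (not just search) the home root: <reason / bug reference>` at the first occurrence.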
@@ -20398,12 +20580,104 @@
 +template(`userdom_dontaudit_create_user_home_content_files',`
 +	gen_require(`
 +		type $1_home_dir_t;
-+	')
-+
+ 	')
+ 
+-	files_search_home($2)
+-	manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
 +	dontaudit $2 $1_home_dir_t:file create;
  ')
  
  ########################################
+@@ -1965,7 +2092,7 @@
+ 		type $1_home_dir_t, $1_home_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
+ ')
+ 
+@@ -2066,7 +2193,7 @@
+ 		type $1_home_dir_t, $1_home_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
+ ')
+ 
+@@ -2100,7 +2227,7 @@
+ 		type $1_home_dir_t, $1_home_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
+ ')
+ 
+@@ -2169,7 +2296,7 @@
+ 		type $1_home_dir_t, $1_home_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	allow $2 $1_home_dir_t:dir search_dir_perms;
+ 	manage_files_pattern($2,$1_home_t,$1_home_t)
+ ')
+@@ -2241,7 +2368,7 @@
+ 		type $1_home_dir_t, $1_home_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	allow $2 $1_home_dir_t:dir search_dir_perms;
+ 	manage_lnk_files_pattern($2,$1_home_t,$1_home_t)
+ ')
+@@ -2278,7 +2405,7 @@
+ 		type $1_home_dir_t, $1_home_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	allow $2 $1_home_dir_t:dir search_dir_perms;
+ 	manage_fifo_files_pattern($2,$1_home_t,$1_home_t)
+ ')
+@@ -2315,7 +2442,7 @@
+ 		type $1_home_dir_t, $1_home_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	allow $2 $1_home_dir_t:dir search_dir_perms;
+ 	manage_sock_files_pattern($2,$1_home_t,$1_home_t)
+ ')
+@@ -2365,7 +2492,7 @@
+ 		type $1_home_dir_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	filetrans_pattern($2,$1_home_dir_t,$3,$4)
+ ')
+ 
+@@ -2414,7 +2541,7 @@
+ 		type $1_home_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	filetrans_pattern($2,$1_home_t,$3,$4)
+ ')
+ 
+@@ -2458,7 +2585,7 @@
+ 		type $1_home_dir_t, $1_home_t;
+ 	')
+ 
+-	files_search_home($2)
++	files_list_home($2)
+ 	filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3)
+ ')
+ 
 @@ -2994,6 +3121,25 @@
  
  ########################################
@@ -20496,6 +20770,42 @@
  ##	List users untrusted directories.
  ## </summary>
  ## <desc>
+@@ -4089,7 +4271,7 @@
+ 		type staff_home_dir_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	allow $1 staff_home_dir_t:dir search_dir_perms;
+ ')
+ 
+@@ -4128,7 +4310,7 @@
+ 		type staff_home_dir_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	allow $1 staff_home_dir_t:dir manage_dir_perms;
+ ')
+ 
+@@ -4147,7 +4329,7 @@
+ 		type staff_home_dir_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	allow $1 staff_home_dir_t:dir relabelto;
+ ')
+ 
+@@ -4185,7 +4367,7 @@
+ 		type staff_home_dir_t, staff_home_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
+ 	read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
+ 	read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
 @@ -4410,6 +4592,7 @@
  	')
  
@@ -20516,7 +20826,12 @@
  ')
  
  ########################################
-@@ -4574,6 +4759,7 @@
+@@ -4570,10 +4755,11 @@
+ 		type sysadm_home_dir_t, sysadm_home_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
  	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
  	read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
  	read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
@@ -20570,6 +20885,132 @@
  ')
  
  ########################################
+@@ -4895,7 +5107,7 @@
+ 		type user_home_dir_t, user_home_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
+ ')
+ 
+@@ -4933,7 +5145,7 @@
+ 		type user_home_dir_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	allow $1 user_home_dir_t:dir manage_dir_perms;
+ ')
+ 
+@@ -4954,7 +5166,7 @@
+ 		type user_home_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ ')
+ 
+@@ -4973,7 +5185,7 @@
+ 		type staff_home_dir_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	allow $1 user_home_dir_t:dir relabelto;
+ ')
+ 
+@@ -4992,7 +5204,7 @@
+ 		type user_home_t, user_home_dir_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	allow $1 user_home_t:dir list_dir_perms;
+ 	read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ ')
+@@ -5013,7 +5225,7 @@
+ 		type user_home_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	allow $1 user_home_t:file execute;
+ ')
+ 
+@@ -5033,7 +5245,7 @@
+ 		type user_home_dir_t, user_home_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ ')
+ 
+@@ -5072,7 +5284,7 @@
+ 		type user_home_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ ')
+ 
+@@ -5092,7 +5304,7 @@
+ 		type user_home_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ ')
+ 
+@@ -5112,7 +5324,7 @@
+ 		type user_home_t;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ ')
+ 
+@@ -5131,7 +5343,7 @@
+ 		attribute user_home_dir_type;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	allow $1 user_home_dir_type:dir search_dir_perms;
+ ')
+ 
+@@ -5151,7 +5363,7 @@
+ 		attribute user_home_dir_type, user_home_type;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	allow $1 user_home_type:dir list_dir_perms;
+ 	read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ 	read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+@@ -5173,7 +5385,7 @@
+ 		attribute user_home_dir_type, user_home_type;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ ')
+ 
+@@ -5193,7 +5405,7 @@
+ 		attribute user_home_dir_type, user_home_type;
+ 	')
+ 
+-	files_search_home($1)
++	files_list_home($1)
+ 	manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ ')
+ 
 @@ -5323,7 +5535,7 @@
  		attribute user_tmpfile;
  	')
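Review bot: In the inner hunk `@@ -4973,7 +5185,7 @@` the gen_require block declares `type staff_home_dir_t;` while the rule below the changed line is `allow $1 user_home_dir_t:dir relabelto;`, so the interface requires a type it does not use and omits the one it does. The inner hunks at -4954, -5072, -5092 and -5112 similarly require only `user_home_t` but pass `user_home_dir_t` to the manage_*_pattern call. Since the patch already edits these interfaces, the require lines should be corrected there, e.g. `type user_home_dir_t;` in the first case and `type user_home_dir_t, user_home_t;` in the others. Whether this currently breaks a modular build depends on declarations outside the hunk, and the interface headers are not visible here.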
@@ -20770,7 +21211,7 @@
 +		attribute user_home_dir_type, user_home_type;
 +	')
 +
-+	files_search_home($1)
++	files_list_home($1)
 +	allow $1 user_home_dir_type:dir list_dir_perms;
 +	allow $1 user_home_type:file unlink;
 +')
@@ -20791,7 +21232,7 @@
 +		attribute user_home_dir_type, user_home_type;
 +	')
 +
-+	files_search_home($1)
++	files_list_home($1)
 +	append_files_pattern($1, user_home_dir_type, user_home_type)
 +')
 +
@@ -20812,7 +21253,7 @@
 +		attribute user_home_dir_type;
 +	')
 +
-+	files_search_home($1)
++	files_list_home($1)
 +	dontaudit $1 user_home_dir_type:dir search_dir_perms;
 +')
 +
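Review bot: This interface's only other rule is `dontaudit $1 user_home_dir_type:dir search_dir_perms;`, yet the changed line `files_list_home($1)` is an allow-granting call, so a caller asking only to silence a denial is handed list access to the home root. A dontaudit interface should grant nothing, so I would replace the line with `files_dontaudit_search_home($1)` or drop it. The hunk `@@ -20976,7 +21417,7 @@` below has the same pattern ahead of three `dontaudit $1 user_home_type:...` rules. The interface names are above the visible context.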
@@ -20956,7 +21397,7 @@
 +		attribute user_home_type;
 +	')
 +
-+	files_search_home($1)
++	files_list_home($1)
 +	allow $1 user_home_type:file execute;
 +')
 +
@@ -20976,7 +21417,7 @@
 +		attribute user_home_dir_type, user_home_type;
 +	')
 +
-+	files_search_home($1)
++	files_list_home($1)
 +	dontaudit $1 user_home_type:dir list_dir_perms;
 +	dontaudit $1 user_home_type:file read_file_perms;
 +	dontaudit $1 user_home_type:file read_lnk_file_perms;


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.600
retrieving revision 1.601
diff -u -r1.600 -r1.601
--- selinux-policy.spec	31 Dec 2007 21:06:12 -0000	1.600
+++ selinux-policy.spec	8 Jan 2008 19:58:28 -0000	1.601
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 73%{?dist}
+Release: 74%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -302,7 +302,6 @@
 fi
 exit 0
 
-
 %triggerpostun targeted -- selinux-policy-targeted < 3.0.8-69-1
 semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
 semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
@@ -382,6 +381,9 @@
 %endif
 
 %changelog
+* Thu Jan 3 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-74
+- Allow updatedb to getatt on fifo_files
+
 * Mon Dec 31 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-73
 - Fix specification for clamav and clamd log files
 



