rpms/selinux-policy/devel policy-20071130.patch, 1.33, 1.34 selinux-policy.spec, 1.584, 1.585

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jan 15 20:43:10 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv996

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Tue Jan 15 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-13
- Allow setroubleshoot to read policy config and send audit messages


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- policy-20071130.patch	14 Jan 2008 19:47:11 -0000	1.33
+++ policy-20071130.patch	15 Jan 2008 20:43:04 -0000	1.34
@@ -141,6 +141,21 @@
  endef
  
  # create-base-per-role-tmpl modulenames,outputfile
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.2.5/man/man8/httpd_selinux.8
+--- nsaserefpolicy/man/man8/httpd_selinux.8	2007-10-12 08:56:10.000000000 -0400
++++ serefpolicy-3.2.5/man/man8/httpd_selinux.8	2008-01-15 09:08:57.000000000 -0500
+@@ -93,6 +93,11 @@
+ .EE
+ 
+ .PP
++httpd can be configured to turn on sending email. By default http is not allowed to send mail.  This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack.  I certain situations, you may want http modules to send mail.  You can turn on the httpd_send_mail boolean.
++
++.EX
++setsebool -P httpd_can_sendmail 1
++.PP
+ httpd can be configured to turn off internal scripting (PHP).  PHP and other
+ loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.5/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2007-08-11 06:22:29.000000000 -0400
 +++ serefpolicy-3.2.5/policy/flask/access_vectors	2007-12-19 05:38:08.000000000 -0500
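Review bot: The prose names the boolean `httpd_send_mail` while the example command sets `httpd_can_sendmail`; only one of those names can be declared in the policy, and a reader who copies the prose name gets an error from setsebool, so make both lines use the same name (the one actually declared in apache.te, which is not on this page — presumably `httpd_can_sendmail`). The `.EX` example block is never closed: the earlier example on this page ends with `.EE` before `.PP`, so insert `.EE` after the setsebool line. The sentence also has typos (`vulnerabiltiy`, `I certain situations` → `In certain situations`) and alternates between `http` and `httpd` for the daemon name.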
@@ -10050,6 +10065,15 @@
  	logrotate_exec(ntpd_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.2.5/policy/modules/services/nx.fc
+--- nsaserefpolicy/policy/modules/services/nx.fc	2006-11-16 17:15:20.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/nx.fc	2008-01-15 13:47:19.000000000 -0500
+@@ -1,3 +1,5 @@
++
++/usr/libexec/nx/nxserver	--	gen_context(system_u:object_r:nx_server_exec_t,s0)
+ /opt/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
+ 
+ /opt/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te
 --- nsaserefpolicy/policy/modules/services/oddjob.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/oddjob.te	2008-01-04 12:24:30.000000000 -0500
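Review bot: The new nx.fc hunk opens the file with an empty line (the first `+` line is blank), which is noise in a file contexts file and should be dropped. The `/usr/libexec/nx/nxserver` entry itself looks right for a distro-packaged nxserver; if that package also ships a service home directory with SSH keys, as the `/opt/NX/home/nx/\.ssh(/.*)?` entry below does for the vendor layout, it needs a matching `nx_server_home_ssh_t` context, but that cannot be confirmed from this hunk.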
@@ -12013,9 +12037,23 @@
  
 -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
 -') dnl end TODO
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.2.5/policy/modules/services/setroubleshoot.if
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.if	2007-09-04 15:22:23.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.if	2008-01-15 12:19:51.000000000 -0500
+@@ -16,8 +16,8 @@
+ 	')
+ 
+ 	files_search_pids($1)
+-	allow $1 setroubleshoot_var_run_t:sock_file write;
+-	allow $1 setroubleshootd_t:unix_stream_socket connectto;
++	stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshoot_t)
++	allow $1 setroubleshoot_var_run_t:sock_file read;
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te	2008-01-08 06:17:24.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te	2008-01-15 11:09:44.000000000 -0500
 @@ -27,8 +27,8 @@
  # setroubleshootd local policy
  #
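Review bot: `stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshoot_t)` names `setroubleshoot_t` as the daemon domain, but the rule it replaces and every rule in setroubleshoot.te on this page use `setroubleshootd_t`. If no `setroubleshoot_t` type is declared (the interface's gen_require block closes just above the hunk and is not visible), the module will not build; if one does exist, the connectto is granted toward the wrong domain and callers of setroubleshoot_stream_connect are still denied. Suggested line: `stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)`. The added `allow $1 setroubleshoot_var_run_t:sock_file read;` is also unusual — connecting to a unix socket needs write on the sock_file, which the pattern already grants — so confirm it is backed by an observed denial before keeping it.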
@@ -12056,7 +12094,21 @@
  
  fs_getattr_all_dirs(setroubleshootd_t)
  fs_getattr_all_files(setroubleshootd_t)
-@@ -110,6 +116,7 @@
+@@ -97,11 +103,13 @@
+ 
+ locallogin_dontaudit_use_fds(setroubleshootd_t)
+ 
++logging_send_audit_msgs(setroubleshootd_t)
+ logging_send_syslog_msg(setroubleshootd_t)
+ logging_stream_connect_auditd(setroubleshootd_t)
+ 
+ seutil_read_config(setroubleshootd_t)
+ seutil_read_file_contexts(setroubleshootd_t)
++seutil_read_bin_policy(setroubleshootd_t)
+ 
+ sysnet_read_config(setroubleshootd_t)
+ 
+@@ -110,6 +118,7 @@
  optional_policy(`
  	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
  	dbus_connect_system_bus(setroubleshootd_t)
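Review bot: `logging_send_audit_msgs(setroubleshootd_t)` is a privileged grant (in refpolicy it typically carries the audit_write capability and netlink audit socket access, letting the daemon write records into the audit trail), and neither the hunk nor the commit message says which records setroubleshootd needs to emit. A one-line why-comment above it would let a later reviewer judge whether it is still justified, e.g. `# setroubleshootd emits its own audit records (3.2.5-13); audit_write is privileged, keep this justified`. `seutil_read_bin_policy` likewise grants read access to the compiled policy, which is reasonable for a tool that explains denials but deserves a comment for the same reason. The optional_policy block at the end of the hunk continues past it.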
@@ -12158,14 +12210,18 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.5/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc	2008-01-14 11:58:23.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc	2008-01-15 14:51:50.000000000 -0500
 @@ -1,4 +1,4 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:user_spamassassin_home_t,s0)
  
  /usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
  /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
-@@ -9,8 +9,12 @@
+@@ -6,11 +6,16 @@
+ /usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
+ 
+ /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/sbin/spamass-milter --	gen_context(system_u:object_r:spamd_exec_t,s0)
  
  /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
  
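Review bot: Labeling `/usr/sbin/spamass-milter` as `spamd_exec_t` presumably makes the milter run in the spamd domain (the transition rule itself is outside this hunk), so it inherits everything spamd_t may do — port binding, client networking, and whatever user-home and spool access the spamd policy grants — although a milter only needs its own listening socket toward the MTA and a client connection to spamd. That is a least-privilege regression compared with a dedicated `spamass_milter_t` domain; if reusing spamd_t is intentional for now, record it in the .fc, e.g. `# spamass-milter runs in spamd_t for now; it should get its own domain`. The new line also uses a single space before `--` where the neighbouring entries use tabs.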
@@ -15147,7 +15203,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.5/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/init.te	2008-01-08 13:52:56.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/init.te	2008-01-15 09:55:44.000000000 -0500
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -15322,7 +15378,7 @@
  
 +# Cron jobs used to start and stop services
 +optional_policy(`
-+	cron_read_pipes(daemon)
++	cron_rw_pipes(daemon)
 +')
 +
  optional_policy(`
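Review bot: Changing `cron_read_pipes(daemon)` to `cron_rw_pipes(daemon)` widens the grant for every domain carrying the `daemon` attribute rather than one service, and the comment above it does not say why write is needed. If the reason is that a service started from a cron job inherits cron's pipe as its stdout/stderr (likely, but not visible here), make the comment say so: `# Cron jobs used to start and stop services: the service inherits cron's pipe as stdout/stderr, so it needs write as well as read`. The optional_policy block is complete within the hunk; the surrounding init.te context is not.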
@@ -17486,7 +17542,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-14 09:58:38.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-15 11:58:29.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -18318,7 +18374,7 @@
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1187,12 +1165,11 @@
+@@ -1187,22 +1165,17 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -18333,7 +18389,17 @@
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1278,8 +1255,6 @@
+ 	optional_policy(`
+ 		ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ 	')
+-
+-	optional_policy(`
+-		setroubleshoot_stream_connect($1_t)
+-	')
+ ')
+ 
+ #######################################
+@@ -1278,8 +1251,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -18342,7 +18408,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1416,6 +1391,7 @@
+@@ -1416,6 +1387,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -18350,7 +18416,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1781,10 +1757,14 @@
+@@ -1781,10 +1753,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -18366,7 +18432,7 @@
  ')
  
  ########################################
-@@ -1880,11 +1860,11 @@
+@@ -1880,11 +1856,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -18380,7 +18446,7 @@
  ')
  
  ########################################
-@@ -1914,11 +1894,11 @@
+@@ -1914,11 +1890,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -18394,7 +18460,7 @@
  ')
  
  ########################################
-@@ -1962,12 +1942,12 @@
+@@ -1962,12 +1938,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -18410,7 +18476,7 @@
  ')
  
  ########################################
-@@ -1997,10 +1977,10 @@
+@@ -1997,10 +1973,10 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -18423,7 +18489,7 @@
  ')
  
  ########################################
-@@ -2032,11 +2012,47 @@
+@@ -2032,11 +2008,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -18473,7 +18539,7 @@
  ')
  
  ########################################
-@@ -2068,10 +2084,10 @@
+@@ -2068,10 +2080,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -18486,7 +18552,7 @@
  ')
  
  ########################################
-@@ -2101,11 +2117,11 @@
+@@ -2101,11 +2113,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -18500,7 +18566,7 @@
  ')
  
  ########################################
-@@ -2135,11 +2151,11 @@
+@@ -2135,11 +2147,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -18515,7 +18581,7 @@
  ')
  
  ########################################
-@@ -2169,10 +2185,10 @@
+@@ -2169,10 +2181,10 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -18528,7 +18594,7 @@
  ')
  
  ########################################
-@@ -2202,11 +2218,11 @@
+@@ -2202,11 +2214,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -18542,7 +18608,7 @@
  ')
  
  ########################################
-@@ -2236,11 +2252,11 @@
+@@ -2236,11 +2248,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -18556,7 +18622,7 @@
  ')
  
  ########################################
-@@ -2270,10 +2286,10 @@
+@@ -2270,10 +2282,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -18569,7 +18635,7 @@
  ')
  
  ########################################
-@@ -2305,12 +2321,12 @@
+@@ -2305,12 +2317,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -18585,7 +18651,7 @@
  ')
  
  ########################################
-@@ -2342,10 +2358,10 @@
+@@ -2342,10 +2354,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -18598,7 +18664,7 @@
  ')
  
  ########################################
-@@ -2377,12 +2393,12 @@
+@@ -2377,12 +2389,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -18614,7 +18680,7 @@
  ')
  
  ########################################
-@@ -2414,12 +2430,12 @@
+@@ -2414,12 +2426,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -18630,7 +18696,7 @@
  ')
  
  ########################################
-@@ -2451,12 +2467,12 @@
+@@ -2451,12 +2463,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -18646,7 +18712,7 @@
  ')
  
  ########################################
-@@ -2501,11 +2517,11 @@
+@@ -2501,11 +2513,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -18660,7 +18726,7 @@
  ')
  
  ########################################
-@@ -2550,11 +2566,11 @@
+@@ -2550,11 +2562,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -18674,7 +18740,7 @@
  ')
  
  ########################################
-@@ -2594,11 +2610,11 @@
+@@ -2594,11 +2606,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -18688,7 +18754,7 @@
  ')
  
  ########################################
-@@ -2628,11 +2644,11 @@
+@@ -2628,11 +2640,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -18702,7 +18768,7 @@
  ')
  
  ########################################
-@@ -2662,11 +2678,11 @@
+@@ -2662,11 +2674,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -18716,7 +18782,7 @@
  ')
  
  ########################################
-@@ -2698,10 +2714,10 @@
+@@ -2698,10 +2710,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -18729,7 +18795,7 @@
  ')
  
  ########################################
-@@ -2733,10 +2749,10 @@
+@@ -2733,10 +2745,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -18742,7 +18808,7 @@
  ')
  
  ########################################
-@@ -2766,12 +2782,12 @@
+@@ -2766,12 +2778,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -18758,7 +18824,7 @@
  ')
  
  ########################################
-@@ -2803,10 +2819,10 @@
+@@ -2803,10 +2815,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -18771,7 +18837,7 @@
  ')
  
  ########################################
-@@ -2838,10 +2854,48 @@
+@@ -2838,10 +2850,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -18822,7 +18888,7 @@
  ')
  
  ########################################
-@@ -2871,12 +2925,12 @@
+@@ -2871,12 +2921,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -18838,7 +18904,7 @@
  ')
  
  ########################################
-@@ -2908,10 +2962,10 @@
+@@ -2908,10 +2958,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -18851,7 +18917,7 @@
  ')
  
  ########################################
-@@ -2943,12 +2997,12 @@
+@@ -2943,12 +2993,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -18867,7 +18933,7 @@
  ')
  
  ########################################
-@@ -2980,11 +3034,11 @@
+@@ -2980,11 +3030,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -18881,7 +18947,7 @@
  ')
  
  ########################################
-@@ -3016,11 +3070,11 @@
+@@ -3016,11 +3066,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -18895,7 +18961,7 @@
  ')
  
  ########################################
-@@ -3052,11 +3106,11 @@
+@@ -3052,11 +3102,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -18909,7 +18975,7 @@
  ')
  
  ########################################
-@@ -3088,11 +3142,11 @@
+@@ -3088,11 +3138,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -18923,7 +18989,7 @@
  ')
  
  ########################################
-@@ -3124,11 +3178,11 @@
+@@ -3124,11 +3174,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -18937,7 +19003,7 @@
  ')
  
  ########################################
-@@ -3173,10 +3227,10 @@
+@@ -3173,10 +3223,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -18950,7 +19016,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3217,10 +3271,10 @@
+@@ -3217,10 +3267,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -18963,7 +19029,7 @@
  ')
  
  ########################################
-@@ -3248,6 +3302,42 @@
+@@ -3248,6 +3298,42 @@
  ##	</summary>
  ## </param>
  #
@@ -19006,7 +19072,7 @@
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -4225,11 +4315,11 @@
+@@ -4225,11 +4311,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -19020,7 +19086,7 @@
  ')
  
  ########################################
-@@ -4245,10 +4335,10 @@
+@@ -4245,10 +4331,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -19033,7 +19099,7 @@
  ')
  
  ########################################
-@@ -4264,11 +4354,11 @@
+@@ -4264,11 +4350,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -19047,7 +19113,7 @@
  ')
  
  ########################################
-@@ -4283,16 +4373,16 @@
+@@ -4283,16 +4369,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -19067,7 +19133,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4301,12 +4391,27 @@
+@@ -4301,12 +4387,27 @@
  ##	</summary>
  ## </param>
  #
@@ -19098,7 +19164,7 @@
  ')
  
  ########################################
-@@ -4321,13 +4426,13 @@
+@@ -4321,13 +4422,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -19116,7 +19182,7 @@
  ')
  
  ########################################
-@@ -4525,10 +4630,10 @@
+@@ -4525,10 +4626,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -19129,7 +19195,7 @@
  ')
  
  ########################################
-@@ -4545,10 +4650,10 @@
+@@ -4545,10 +4646,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -19142,7 +19208,7 @@
  ')
  
  ########################################
-@@ -4563,10 +4668,10 @@
+@@ -4563,10 +4664,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -19155,7 +19221,7 @@
  ')
  
  ########################################
-@@ -4582,10 +4687,10 @@
+@@ -4582,10 +4683,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -19168,7 +19234,7 @@
  ')
  
  ########################################
-@@ -4600,10 +4705,10 @@
+@@ -4600,10 +4701,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -19181,7 +19247,7 @@
  ')
  
  ########################################
-@@ -4619,10 +4724,10 @@
+@@ -4619,10 +4720,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -19194,7 +19260,7 @@
  ')
  
  ########################################
-@@ -4638,12 +4743,11 @@
+@@ -4638,12 +4739,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -19210,7 +19276,7 @@
  ')
  
  ########################################
-@@ -4670,10 +4774,10 @@
+@@ -4670,10 +4770,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -19223,7 +19289,7 @@
  ')
  
  ########################################
-@@ -4688,10 +4792,10 @@
+@@ -4688,10 +4788,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -19236,7 +19302,7 @@
  ')
  
  ########################################
-@@ -4706,13 +4810,13 @@
+@@ -4706,13 +4806,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -19254,7 +19320,7 @@
  ')
  
  ########################################
-@@ -4748,11 +4852,48 @@
+@@ -4748,11 +4848,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -19264,6 +19330,7 @@
 +	files_list_home($1)
 +	allow $1 user_home_dir_type:dir search_dir_perms;
 +')
++
 +########################################
 +## <summary>
 +##	Read all users home directories symlinks.
@@ -19304,7 +19371,7 @@
  ')
  
  ########################################
-@@ -4772,6 +4913,14 @@
+@@ -4772,6 +4910,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -19319,7 +19386,7 @@
  ')
  
  ########################################
-@@ -5109,7 +5258,7 @@
+@@ -5109,7 +5255,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -19328,7 +19395,7 @@
  	')
  
  	files_search_home($1)
-@@ -5298,6 +5447,49 @@
+@@ -5298,6 +5444,49 @@
  
  ########################################
  ## <summary>
@@ -19378,7 +19445,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5503,6 +5695,42 @@
+@@ -5503,6 +5692,42 @@
  
  ########################################
  ## <summary>
@@ -19421,7 +19488,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5668,6 +5896,42 @@
+@@ -5668,6 +5893,42 @@
  
  ########################################
  ## <summary>
@@ -19464,7 +19531,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5698,3 +5962,277 @@
+@@ -5698,3 +5959,277 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -20499,8 +20566,8 @@
 +## <summary>Policy for staff user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te
 --- nsaserefpolicy/policy/modules/users/staff.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/users/staff.te	2008-01-08 05:06:18.000000000 -0500
-@@ -0,0 +1,34 @@
++++ serefpolicy-3.2.5/policy/modules/users/staff.te	2008-01-15 11:59:03.000000000 -0500
+@@ -0,0 +1,38 @@
 +policy_module(staff,1.0.1)
 +userdom_unpriv_user_template(staff)
 +
@@ -20519,6 +20586,10 @@
 +seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
 +
 +optional_policy(`
++	gpg_per_role_template(staff, staff_usertype, staff_r)
++')
++
++optional_policy(`
 +	java_per_role_template(staff, staff_t, staff_r)
 +')
 +
@@ -20527,7 +20598,7 @@
 +')
 +
 +optional_policy(`
-+	gpg_per_role_template(staff, staff_usertype, staff_r)
++	setroubleshoot_stream_connect(staff_t)
 +')
 +
 +optional_policy(`
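Review bot: `setroubleshoot_stream_connect(staff_t)` is added here after the same call was removed from the shared user template in userdomain.if (visible earlier on this page), so only staff_t can reach setroubleshootd now and any other role built from that template (user_t, for instance — its .te is not on this page) silently loses the sealert connection; the 3.2.5-13 changelog entry does not mention this. Either add a changelog line (`- Only staff_t may connect to setroubleshootd`) or restore the call for the other roles expected to run the sealert browser. The gpg_per_role_template block is only moved, which adds diff noise without changing policy.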


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.584
retrieving revision 1.585
diff -u -r1.584 -r1.585
--- selinux-policy.spec	14 Jan 2008 19:47:11 -0000	1.584
+++ selinux-policy.spec	15 Jan 2008 20:43:04 -0000	1.585
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@
 %endif
 
 %changelog
+* Tue Jan 15 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-13
+- Allow setroubleshoot to read policy config and send audit messages
+
 * Mon Jan 14 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-12
 - Allow users to execute all files in homedir, if boolean set
 - Allow mount to read samba config



