rpms/selinux-policy/devel booleans-targeted.conf, 1.35, 1.36 policy-20071130.patch, 1.41, 1.42 selinux-policy.spec, 1.591, 1.592
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Jan 28 16:49:27 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13055
Modified Files:
booleans-targeted.conf policy-20071130.patch
selinux-policy.spec
Log Message:
* Fri Jan 25 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-20
- Allow usertypes to read/write noxattr file systems
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- booleans-targeted.conf 10 Nov 2007 13:20:34 -0000 1.35
+++ booleans-targeted.conf 28 Jan 2008 16:48:49 -0000 1.36
@@ -258,3 +258,7 @@
# Allow postfix locat to write to mail spool
#
allow_postfix_local_write_mail_spool=true
+
+# Allow common users to read/write noexattrfile systems
+#
+user_rw_noexattrfile=true
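Review bot: The new boolean ships enabled (`user_rw_noexattrfile=true`), so the permissive setting becomes the default on every targeted install, and the comment above it does not say what is being traded away. Filesystems that do not support extended attributes cannot carry per-file labels, so (per the log message "Allow usertypes to read/write noxattr file systems") this presumably lets every user type read and write everything on such mounts, removable media and label-less NFS included; that is worth stating so an administrator knows when to turn it off. The comment also garbles the term; suggested text: `# Allow common users to read/write files on filesystems that do not support xattrs (no per-file SELinux labels, e.g. vfat or unlabeled NFS)`.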
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -r1.41 -r1.42
--- policy-20071130.patch 24 Jan 2008 18:12:25 -0000 1.41
+++ policy-20071130.patch 28 Jan 2008 16:48:49 -0000 1.42
@@ -1347,7 +1347,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-28 11:21:49.000000000 -0500
@@ -41,15 +41,13 @@
allow $2 $1_su_t:process signal;
@@ -1373,7 +1373,18 @@
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
-@@ -119,11 +118,6 @@
+@@ -112,6 +111,10 @@
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ ')
+
++ # Deal with unconfined_terminals.
++ term_use_all_user_ttys($1_su_t)
++ term_use_all_user_ptys($1_su_t)
++
+ optional_policy(`
+ cron_read_pipes($1_su_t)
+ ')
+@@ -119,11 +122,6 @@
optional_policy(`
kerberos_use($1_su_t)
')
@@ -1385,7 +1396,7 @@
')
#######################################
-@@ -172,13 +166,12 @@
+@@ -172,13 +170,12 @@
domain_interactive_fd($1_su_t)
role $3 types $1_su_t;
@@ -1402,7 +1413,7 @@
allow $1_su_t self:key { search write };
# Transition from the user domain to this domain.
-@@ -188,7 +181,7 @@
+@@ -188,7 +185,7 @@
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $2 $1_su_t:fifo_file rw_file_perms;
@@ -1411,7 +1422,7 @@
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
-@@ -203,15 +196,15 @@
+@@ -203,15 +200,15 @@
# needed for pam_rootok
selinux_compute_access_vector($1_su_t)
@@ -1430,7 +1441,7 @@
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
-@@ -226,12 +219,14 @@
+@@ -226,12 +223,14 @@
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
@@ -1446,7 +1457,7 @@
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
-@@ -295,13 +290,7 @@
+@@ -295,13 +294,7 @@
xserver_domtrans_user_xauth($1, $1_su_t)
')
@@ -2730,7 +2741,7 @@
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.5/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/java.if 2008-01-22 12:52:42.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/java.if 2008-01-28 11:17:25.000000000 -0500
@@ -32,7 +32,7 @@
## </summary>
## </param>
@@ -3167,7 +3178,7 @@
# /bin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-21 18:10:10.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-25 16:49:06.000000000 -0500
@@ -35,7 +35,10 @@
template(`mozilla_per_role_template',`
gen_require(`
@@ -3563,7 +3574,7 @@
')
########################################
-@@ -464,11 +385,11 @@
+@@ -464,11 +385,10 @@
#
template(`mozilla_write_user_home_files',`
gen_require(`
@@ -3573,12 +3584,11 @@
- allow $2 $1_mozilla_home_t:dir list_dir_perms;
- allow $2 $1_mozilla_home_t:file write;
-+ allow $2 user_mozilla_home_t:dir list_dir_perms;
-+ allow $2 user_mozilla_home_t:file write;
++ write_files_pattern($2, user_mozilla_home_t, user_mozilla_home_t)
')
########################################
-@@ -573,3 +494,27 @@
+@@ -573,3 +493,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
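Review bot: Replacing the two explicit allows with `write_files_pattern($2, user_mozilla_home_t, user_mozilla_home_t)` changes the permission set in both directions: the removed rule gave the directory `list_dir_perms`, while the pattern presumably grants only the search-style directory set, and the file permission moves from bare `write` to the pattern's write set. If any caller of `mozilla_write_user_home_files` needs to list the mozilla home directory, keep `allow $2 user_mozilla_home_t:dir list_dir_perms;` alongside the pattern; otherwise record the narrowing in the interface summary. The template header is outside this hunk.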
@@ -3745,8 +3755,8 @@
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-24 13:03:01.000000000 -0500
-@@ -0,0 +1,336 @@
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-25 12:10:23.000000000 -0500
+@@ -0,0 +1,337 @@
+
+## <summary>policy for nsplugin</summary>
+
@@ -3916,6 +3926,7 @@
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
+ userdom_use_user_terminals($1, nsplugin_t)
++ userdom_use_user_terminals($1, nsplugin_config_t)
+')
+
+#######################################
@@ -4085,8 +4096,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-24 13:03:48.000000000 -0500
-@@ -0,0 +1,129 @@
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-25 16:48:50.000000000 -0500
+@@ -0,0 +1,135 @@
+policy_module(nsplugin,1.0.0)
+
+########################################
@@ -4107,6 +4118,9 @@
+type nsplugin_rw_t;
+files_type(nsplugin_rw_t)
+
++type nsplugin_tmp_t;
++files_tmp_file(nsplugin_tmp_t)
++
+type user_nsplugin_home_t;
+files_poly_member(user_nsplugin_home_t)
+userdom_user_home_content(user,user_nsplugin_home_t)
@@ -4184,6 +4198,10 @@
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir })
++
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
@@ -4214,7 +4232,6 @@
+
+nsplugin_domtrans(nsplugin_config_t)
+
-+dev_read_sound(nsplugin_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400
@@ -5066,22 +5083,44 @@
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.5/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc 2008-01-18 12:40:46.000000000 -0500
-@@ -22,6 +22,7 @@
++++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc 2008-01-24 14:06:12.000000000 -0500
+@@ -1,7 +1,7 @@
+
+ /dev -d gen_context(system_u:object_r:device_t,s0)
+ /dev/.* gen_context(system_u:object_r:device_t,s0)
+-
++/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -16,28 +16,40 @@
+ /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0)
++/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
-@@ -29,10 +30,13 @@
+ /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
++/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
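Review bot: The new entries break the file's alphabetical ordering, which is how reviewers spot duplicate or conflicting patterns in a file-contexts file: `/dev/gfx`, `/dev/graphics`, `/dev/gtrsc.*` and `/dev/pcfclock.*` land between `/dev/dsp.*` and `/dev/efirtc`, and `/dev/elographics/e2201` and `/dev/jbm` land between `/dev/irlpt` and `/dev/js.*`. Move each line to its alphabetical slot (`/dev/pcfclock.*` next to `/dev/pmu`, `/dev/elographics/e2201` before `/dev/em8300.*`, and so on) so the next addition can be checked against its neighbours.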
@@ -5089,6 +5128,56 @@
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+ /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -48,6 +60,7 @@
+ /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
+ /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
+@@ -69,9 +82,8 @@
+ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
+-/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+-/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+-/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ ifdef(`distro_suse', `
+ /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
+@@ -98,13 +110,23 @@
+
+ /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+
++/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0)
+ /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
+ /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
++/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
++/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)
+
+ /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
++/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+
+ /dev/pts(/.*)? <<none>>
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.5/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.if 2008-01-18 12:40:46.000000000 -0500
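Review bot: `/dev/bometric/sensor.*` looks like a typo for `/dev/biometric/sensor.*` (the name used by the kernel device list for biometric sensors); as written the pattern never matches, so any such node falls through to the generic `/dev/.*` entry at the top of the file and is labelled `device_t` instead of `event_device_t`. Suggested line: `/dev/biometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)`. Separately, collapsing three specific USB patterns into `/dev/usb.+` makes it match `/dev/usblp.*` and the SUSE `/dev/usbscanner` entries too; that relies on the more specific printer/scanner entries sorting later and winning, which I believe the refpolicy fc sort guarantees, but a short comment above the line would save the next reader the same check.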
@@ -5327,7 +5416,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.5/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2008-01-21 17:43:20.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2008-01-28 10:12:03.000000000 -0500
@@ -1266,6 +1266,24 @@
########################################
@@ -5430,8 +5519,34 @@
# etc_runtime_t is the type of various
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.5/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.if 2008-01-24 12:36:13.000000000 -0500
-@@ -1171,6 +1171,25 @@
++++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.if 2008-01-24 15:48:29.000000000 -0500
+@@ -310,6 +310,25 @@
+
+ ########################################
+ ## <summary>
++## Read and write files on hugetlbfs files
++## file systems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_rw_hugetlbfs_files',`
++ gen_require(`
++ type hugetlbfs_t;
++
++ ')
++
++ rw_files_pattern($1,hugetlbfs_t,hugetlbfs_t)
++')
++########################################
++## <summary>
+ ## Mount an automount pseudo filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1171,6 +1190,25 @@
########################################
## <summary>
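Review bot: The documentation for the new `fs_rw_hugetlbfs_files` interface has a duplicated word and the block's formatting does not match its neighbours: the summary reads "Read and write files on hugetlbfs files file systems", the `gen_require` has a stray blank line before its `')`, and there is no blank line between the closing `')` and the `########` separator of the next interface. Suggested summary: `## Read and write files on hugetlbfs file systems.`, and add the blank line so the separator is not glued to the interface.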
@@ -5459,7 +5574,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.5/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.te 2008-01-24 15:45:23.000000000 -0500
@@ -25,6 +25,8 @@
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -6825,7 +6940,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.5/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/apcupsd.te 2008-01-18 14:00:42.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/apcupsd.te 2008-01-25 14:08:48.000000000 -0500
@@ -22,6 +22,9 @@
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
@@ -7950,10 +8065,39 @@
+optional_policy(`
+ mailscanner_manage_spool(clamscan_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.5/policy/modules/services/consolekit.fc
+--- nsaserefpolicy/policy/modules/services/consolekit.fc 2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/services/consolekit.fc 2008-01-28 11:43:14.000000000 -0500
+@@ -1,3 +1,5 @@
+ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
+ /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
++
++/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.5/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2008-01-18 12:56:56.000000000 -0500
-@@ -36,6 +36,7 @@
++++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2008-01-28 11:46:35.000000000 -0500
+@@ -13,6 +13,9 @@
+ type consolekit_var_run_t;
+ files_pid_file(consolekit_var_run_t)
+
++type consolekit_log_t;
++files_pid_file(consolekit_log_t)
++
+ ########################################
+ #
+ # consolekit local policy
+@@ -24,6 +27,9 @@
+ allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+ allow consolekit_t self:unix_dgram_socket create_socket_perms;
+
++manage_files_pattern(consolekit_t,consolekit_log_t,consolekit_log_t)
++logging_log_filetrans(consolekit_t,consolekit_log_t, file)
++
+ manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
+ files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
+
+@@ -36,6 +42,7 @@
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
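Review bot: The .fc and .te halves of this change disagree on the log type: consolekit.fc labels `/var/log/ConsoleKit(/.*)?` as `consolekit_var_run_t`, while consolekit.te declares a new `consolekit_log_t` and transitions files created under /var/log to it via `logging_log_filetrans`, so a relabel and a running daemon will produce differently typed files in the same directory. The new type is also declared with `files_pid_file(consolekit_log_t)`, which marks it as pid-file content rather than log content, so log-handling domains (logrotate, syslog readers) presumably will not be able to reach it. Change the fc line to `/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)` and the declaration to `logging_log_file(consolekit_log_t)`; if the daemon creates the directory itself, the filetrans should also cover `dir`.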
@@ -7961,7 +8105,7 @@
files_read_etc_files(consolekit_t)
# needs to read /var/lib/dbus/machine-id
-@@ -50,8 +51,16 @@
+@@ -50,12 +57,24 @@
libs_use_ld_so(consolekit_t)
libs_use_shared_libs(consolekit_t)
@@ -7975,10 +8119,19 @@
+hal_ptrace(consolekit_t)
+mcs_ptrace_all(consolekit_t)
+
++optional_policy(`
++ cron_read_system_job_lib_files(consolekit_t)
++')
++
optional_policy(`
dbus_system_bus_client_template(consolekit, consolekit_t)
dbus_connect_system_bus(consolekit_t)
-@@ -67,3 +76,13 @@
+-
++ dbus_system_domain(consolekit_t, consolekit_exec_t)
+ hal_dbus_chat(consolekit_t)
+
+ optional_policy(`
+@@ -67,3 +86,14 @@
xserver_read_all_users_xauth(consolekit_t)
xserver_stream_connect_xdm_xserver(consolekit_t)
')
@@ -7992,6 +8145,7 @@
+optional_policy(`
+ userdom_read_user_tmp_files(user, consolekit_t)
+')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.5/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cron.fc 2008-01-18 12:40:46.000000000 -0500
@@ -8011,7 +8165,7 @@
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/cron.if 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/cron.if 2008-01-28 11:45:43.000000000 -0500
@@ -35,38 +35,23 @@
#
template(`cron_per_role_template',`
@@ -9289,7 +9443,7 @@
# Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-22 12:53:47.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-25 14:07:09.000000000 -0500
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -9298,7 +9452,7 @@
')
##############################
-@@ -84,6 +85,9 @@
+@@ -84,14 +85,20 @@
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
@@ -9306,9 +9460,11 @@
+ allow $1_dbusd_t dbusd_unconfined:dbus send_msg;
+
# For connecting to the bus
- allow $2 $1_dbusd_t:unix_stream_socket connectto;
+- allow $2 $1_dbusd_t:unix_stream_socket connectto;
++ allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };
++ allow $2 $1_dbusd_t:unix_dgram_socket getattr;
type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
-@@ -91,7 +95,9 @@
+
# SE-DBus specific permissions
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
@@ -9319,7 +9475,7 @@
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
-@@ -102,10 +108,9 @@
+@@ -102,10 +109,9 @@
files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
@@ -9332,7 +9488,7 @@
allow $1_dbusd_t $2:process sigkill;
allow $2 $1_dbusd_t:fd use;
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -139,6 +144,7 @@
+@@ -139,6 +145,7 @@
fs_getattr_romfs($1_dbusd_t)
fs_getattr_xattr_fs($1_dbusd_t)
@@ -9340,7 +9496,7 @@
selinux_get_fs_mount($1_dbusd_t)
selinux_validate_context($1_dbusd_t)
-@@ -161,7 +167,9 @@
+@@ -161,7 +168,9 @@
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
@@ -9351,7 +9507,7 @@
ifdef(`hide_broken_symptoms', `
dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
-@@ -182,6 +190,7 @@
+@@ -182,6 +191,7 @@
optional_policy(`
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
@@ -9359,7 +9515,7 @@
')
')
-@@ -214,7 +223,7 @@
+@@ -214,7 +224,7 @@
# SE-DBus specific permissions
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@@ -9368,7 +9524,7 @@
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2)
-@@ -223,6 +232,10 @@
+@@ -223,6 +233,10 @@
files_search_pids($2)
stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
dbus_read_config($2)
@@ -9379,7 +9535,7 @@
')
#######################################
-@@ -251,6 +264,7 @@
+@@ -251,6 +265,7 @@
template(`dbus_user_bus_client_template',`
gen_require(`
type $1_dbusd_t;
@@ -9387,7 +9543,7 @@
class dbus send_msg;
')
-@@ -263,6 +277,7 @@
+@@ -263,6 +278,7 @@
# For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto;
@@ -9395,7 +9551,7 @@
')
########################################
-@@ -292,6 +307,59 @@
+@@ -292,6 +308,59 @@
########################################
## <summary>
@@ -9455,7 +9611,7 @@
## Read dbus configuration.
## </summary>
## <param name="domain">
-@@ -366,3 +434,52 @@
+@@ -366,3 +435,52 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -11935,7 +12091,7 @@
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-24 14:27:32.000000000 -0500
@@ -133,6 +133,12 @@
sendmail_create_log($1_mail_t)
')
@@ -12537,7 +12693,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2008-01-24 15:46:30.000000000 -0500
@@ -1,4 +1,3 @@
-
policy_module(mysql,1.6.0)
@@ -12563,6 +12719,14 @@
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;
+@@ -79,6 +82,7 @@
+
+ fs_getattr_all_fs(mysqld_t)
+ fs_search_auto_mountpoints(mysqld_t)
++fs_rw_hugetlbfs_files(mysqld_t)
+
+ domain_use_interactive_fds(mysqld_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nagios.fc 2008-01-18 12:40:46.000000000 -0500
@@ -12847,7 +13011,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2008-01-22 09:23:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2008-01-24 13:26:30.000000000 -0500
@@ -13,6 +13,9 @@
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
@@ -12923,7 +13087,7 @@
')
optional_policy(`
-@@ -155,6 +168,7 @@
+@@ -155,19 +168,20 @@
ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
ppp_signal(NetworkManager_t)
@@ -12931,18 +13095,23 @@
')
optional_policy(`
-@@ -166,11 +180,6 @@
+- seutil_sigchld_newrole(NetworkManager_t)
++ # Dispatcher starting and stoping ntp
++ ntp_script_domtrans(NetworkManager_t)
+ ')
+
+ optional_policy(`
+- udev_read_db(NetworkManager_t)
++ seutil_sigchld_newrole(NetworkManager_t)
')
optional_policy(`
- # Read gnome-keyring
- unconfined_read_home_content_files(NetworkManager_t)
--')
--
--optional_policy(`
- vpn_domtrans(NetworkManager_t)
- vpn_signal(NetworkManager_t)
++ udev_read_db(NetworkManager_t)
')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.5/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nis.fc 2008-01-18 12:40:46.000000000 -0500
@@ -13344,7 +13513,7 @@
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.5/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/ntp.if 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/ntp.if 2008-01-24 13:25:46.000000000 -0500
@@ -53,3 +53,76 @@
corecmd_search_bin($1)
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
@@ -13770,10 +13939,11 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.5/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/polkit.fc 2008-01-18 12:40:46.000000000 -0500
-@@ -0,0 +1,6 @@
++++ serefpolicy-3.2.5/policy/modules/services/polkit.fc 2008-01-28 10:53:34.000000000 -0500
+@@ -0,0 +1,7 @@
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
++/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
@@ -13843,8 +14013,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2008-01-18 12:40:46.000000000 -0500
-@@ -0,0 +1,63 @@
++++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2008-01-28 11:29:32.000000000 -0500
+@@ -0,0 +1,110 @@
+policy_module(polkit_auth,1.0.0)
+
+########################################
@@ -13852,6 +14022,11 @@
+# Declarations
+#
+
++type polkit_t;
++type polkit_exec_t;
++domain_type(polkit_t)
++init_daemon_domain(polkit_t, polkit_exec_t)
++
+type polkit_auth_t;
+type polkit_auth_exec_t;
+domain_type(polkit_auth_t)
@@ -13865,6 +14040,47 @@
+
+########################################
+#
++# polkit local policy
++#
++
++allow polkit_t self:process getattr;
++
++allow polkit_t self:unix_dgram_socket create_socket_perms;
++allow polkit_t self:fifo_file rw_file_perms;
++allow polkit_t self:unix_stream_socket create_stream_socket_perms;
++
++can_exec(polkit_t, polkit_exec_t)
++corecmd_search_bin(polkit_t)
++
++domain_use_interactive_fds(polkit_t)
++
++files_read_etc_files(polkit_t)
++files_read_usr_files(polkit_t)
++
++auth_use_nsswitch(polkit_t)
++
++libs_use_ld_so(polkit_t)
++libs_use_shared_libs(polkit_t)
++
++miscfiles_read_localization(polkit_t)
++
++logging_send_syslog_msg(polkit_t)
++
++manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t)
++
++# pid file
++manage_dirs_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t)
++manage_files_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t)
++files_pid_filetrans(polkit_t,polkit_var_run_t, { file dir })
++
++optional_policy(`
++ dbus_system_bus_client_template(polkit, polkit_t)
++ consolekit_dbus_chat(polkit_t)
++ dbus_system_domain(polkit_t, polkit_exec_t)
++')
++
++########################################
++#
+# polkit_auth local policy
+#
+
@@ -13901,6 +14117,7 @@
+optional_policy(`
+ dbus_system_bus_client_template(polkit_auth, polkit_auth_t)
+ consolekit_dbus_chat(polkit_auth_t)
++ dbus_system_domain(polkit_exec_t, polkit_t)
+')
+
+optional_policy(`
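Review bot: The added `dbus_system_domain(polkit_exec_t, polkit_t)` has its arguments reversed: the polkit_t block earlier in this file calls the same interface as `dbus_system_domain(polkit_t, polkit_exec_t)`, domain first and entrypoint type second, which as far as I recall is how refpolicy declares it, so this line would treat the executable type as the domain and the domain as the entrypoint. Since that earlier call already wires polkit_t up for D-Bus activation, the line here is redundant as well as wrong; drop it, or, if the intent was to activate the auth helper, write `dbus_system_domain(polkit_auth_t, polkit_auth_exec_t)`. The enclosing `optional_policy` block belongs to the polkit_auth section, whose surrounding lines are outside this hunk.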
@@ -13926,8 +14143,20 @@
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2008-01-21 09:39:32.000000000 -0500
-@@ -416,7 +416,7 @@
++++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2008-01-24 13:33:34.000000000 -0500
+@@ -206,9 +206,8 @@
+ type postfix_etc_t;
+ ')
+
+- allow $1 postfix_etc_t:dir { getattr read search };
+- allow $1 postfix_etc_t:file { read getattr };
+- allow $1 postfix_etc_t:lnk_file { getattr read };
++ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
++ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ files_search_etc($1)
+ ')
+
+@@ -416,7 +415,7 @@
## </summary>
## </param>
#
@@ -13936,7 +14165,7 @@
gen_require(`
type postfix_private_t;
')
-@@ -427,6 +427,26 @@
+@@ -427,6 +426,26 @@
########################################
## <summary>
@@ -13963,7 +14192,7 @@
## Execute the master postfix program in the
## postfix_master domain.
## </summary>
-@@ -503,6 +523,25 @@
+@@ -503,6 +522,25 @@
########################################
## <summary>
@@ -14331,7 +14560,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.5/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postgresql.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/postgresql.te 2008-01-24 15:46:50.000000000 -0500
@@ -27,6 +27,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
@@ -14342,6 +14571,14 @@
########################################
#
# postgresql Local policy
+@@ -100,6 +103,7 @@
+
+ fs_getattr_all_fs(postgresql_t)
+ fs_search_auto_mountpoints(postgresql_t)
++fs_rw_hugetlbfs_files(postgresql_t)
+
+ term_use_controlling_term(postgresql_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.2.5/policy/modules/services/postgrey.fc
--- nsaserefpolicy/policy/modules/services/postgrey.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgrey.fc 2008-01-18 12:40:46.000000000 -0500
@@ -18382,7 +18619,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.5/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/squid.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/squid.te 2008-01-25 09:45:17.000000000 -0500
@@ -31,12 +31,15 @@
type squid_var_run_t;
files_pid_file(squid_var_run_t)
@@ -18400,7 +18637,15 @@
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms;
-@@ -92,6 +95,7 @@
+@@ -85,6 +88,7 @@
+ corenet_udp_sendrecv_all_ports(squid_t)
+ corenet_tcp_bind_all_nodes(squid_t)
+ corenet_udp_bind_all_nodes(squid_t)
++corenet_tcp_bind_http_port(squid_t)
+ corenet_tcp_bind_http_cache_port(squid_t)
+ corenet_udp_bind_http_cache_port(squid_t)
+ corenet_tcp_bind_ftp_port(squid_t)
+@@ -92,6 +96,7 @@
corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
@@ -18408,7 +18653,7 @@
corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t)
-@@ -109,6 +113,8 @@
+@@ -109,6 +114,8 @@
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
@@ -18417,7 +18662,7 @@
selinux_dontaudit_getattr_dir(squid_t)
-@@ -148,11 +154,7 @@
+@@ -148,11 +155,7 @@
')
optional_policy(`
@@ -18430,7 +18675,7 @@
')
optional_policy(`
-@@ -167,7 +169,12 @@
+@@ -167,7 +170,12 @@
udev_read_db(squid_t)
')
@@ -19099,7 +19344,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-25 16:50:51.000000000 -0500
@@ -15,6 +15,7 @@
template(`xserver_common_domain_template',`
gen_require(`
@@ -19803,7 +20048,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.5/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/xserver.te 2008-01-24 13:41:40.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@@ -19878,11 +20123,13 @@
xserver_common_domain_template(xdm)
init_system_domain(xdm_xserver_t,xserver_exec_t)
-@@ -96,7 +135,7 @@
+@@ -95,8 +134,8 @@
+ # XDM Local policy
#
- allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
++allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
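Review bot: The new capability set on L881 adds `sys_ptrace` to xdm_t and L882 adds `ptrace` to its self:process permissions without a comment saying which display-manager component needs to trace, and CAP_SYS_PTRACE is a broad capability that lifts the DAC ptrace restrictions, so the reason should be recorded, e.g. `# <component> attaches to its own child processes; requires sys_ptrace` with the real component filled in, or a dontaudit instead if the denial was only a probe. The same two lines silently drop `setkeycreate` from the process permissions; unless that removal was deliberate, keep it: `allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms setkeycreate };`. The xdm_t rule block continues outside the hunk.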
@@ -21249,10 +21496,17 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.2.5/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/ipsec.te 2008-01-18 12:40:46.000000000 -0500
-@@ -302,6 +302,7 @@
++++ serefpolicy-3.2.5/policy/modules/system/ipsec.te 2008-01-25 11:41:57.000000000 -0500
+@@ -297,11 +297,14 @@
+ read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
+ read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
+
++kernel_read_system_state(racoon_t)
+ kernel_read_network_state(racoon_t)
+
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_bind_all_nodes(racoon_t)
++corenet_udp_bind_all_nodes(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
+corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -23147,7 +23401,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-23 13:13:29.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-28 10:11:41.000000000 -0500
@@ -6,35 +6,59 @@
# Declarations
#
@@ -23440,7 +23694,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-24 13:04:29.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-25 11:51:09.000000000 -0500
@@ -29,9 +29,14 @@
')
@@ -23450,7 +23704,7 @@
- type $1_t, userdomain;
+ type $1_t, userdomain, $1_usertype;
domain_type($1_t)
-+ ifdef(`targeted_policy',`
++ ifndef(`enable_mls',`
+ # ignore user componant labeling on homedir entry
+ domain_obj_id_change_exemption($1_t)
+ ')
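Review bot: Changing the guard from `ifdef(`targeted_policy',` to `ifndef(`enable_mls',` extends `domain_obj_id_change_exemption($1_t)` from the targeted policy to every non-MLS build, including strict, so user domains there are also exempted from the object-identity-change constraints on home directory entries. If that is the intent, the comment above should say so, e.g. `# non-MLS builds do not constrain the user component of homedir labels`; if only targeted should be exempt, keep the previous condition. The template body continues outside the hunk.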
@@ -23557,6 +23811,9 @@
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
- libs_exec_ld_so($1_t)
+-
+- miscfiles_read_localization($1_t)
+- miscfiles_read_certs($1_t)
+ files_dontaudit_getattr_all_dirs($1_usertype)
+ files_dontaudit_list_non_security($1_usertype)
+ files_dontaudit_getattr_non_security_files($1_usertype)
@@ -23573,9 +23830,6 @@
+ libs_use_shared_libs($1_usertype)
+ libs_exec_ld_so($1_usertype)
-- miscfiles_read_localization($1_t)
-- miscfiles_read_certs($1_t)
--
- sysnet_read_config($1_t)
+ miscfiles_read_localization($1_usertype)
+ miscfiles_read_certs($1_usertype)
@@ -23928,71 +24182,218 @@
')
#######################################
-@@ -717,6 +695,12 @@
- # Stat lost+found.
- files_getattr_lost_found_dirs($1_t)
+@@ -686,183 +664,192 @@
+ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+- allow $1_t unpriv_userdomain:fd use;
++ allow $1_usertype unpriv_userdomain:fd use;
+
+- kernel_read_system_state($1_t)
+- kernel_read_network_state($1_t)
+- kernel_read_net_sysctls($1_t)
++ kernel_read_system_state($1_usertype)
++ kernel_read_network_state($1_usertype)
++ kernel_read_net_sysctls($1_usertype)
+ # Very permissive allowing every domain to see every type:
+- kernel_get_sysvipc_info($1_t)
++ kernel_get_sysvipc_info($1_usertype)
+ # Find CDROM devices:
+- kernel_read_device_sysctls($1_t)
++ kernel_read_device_sysctls($1_usertype)
+
+- corenet_udp_bind_all_nodes($1_t)
+- corenet_udp_bind_generic_port($1_t)
++ corenet_udp_bind_all_nodes($1_usertype)
++ corenet_udp_bind_generic_port($1_usertype)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
++ dev_read_rand($1_usertype)
++ dev_write_sound($1_usertype)
++ dev_read_sound($1_usertype)
++ dev_read_sound_mixer($1_usertype)
++ dev_write_sound_mixer($1_usertype)
+
+- files_exec_etc_files($1_t)
+- files_search_locks($1_t)
++ files_exec_etc_files($1_usertype)
++ files_search_locks($1_usertype)
+ # Check to see if cdrom is mounted
+- files_search_mnt($1_t)
++ files_search_mnt($1_usertype)
+ # cjp: perhaps should cut back on file reads:
+- files_read_var_files($1_t)
+- files_read_var_symlinks($1_t)
+- files_read_generic_spool($1_t)
+- files_read_var_lib_files($1_t)
++ files_read_var_files($1_usertype)
++ files_read_var_symlinks($1_usertype)
++ files_read_generic_spool($1_usertype)
++ files_read_var_lib_files($1_usertype)
+ # Stat lost+found.
+- files_getattr_lost_found_dirs($1_t)
++ files_getattr_lost_found_dirs($1_usertype)
++
++ tunable_policy(`user_rw_noexattrfile',`
++ fs_manage_noxattr_fs_files($1_usertype)
++ fs_manage_noxattr_fs_dirs($1_usertype)
++ ',`
++ fs_read_noxattr_fs_files($1_usertype)
++ ')
++
+ logging_send_syslog_msg($1_usertype)
-+ logging_dontaudit_send_audit_msgs($1_t)
++ logging_dontaudit_send_audit_msgs($1_usertype)
+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
-+ logging_send_audit_msgs($1_t)
-+ selinux_get_enforce_mode($1_t)
-+
++ logging_send_audit_msgs($1_usertype)
++ selinux_get_enforce_mode($1_usertype)
+
# cjp: some of this probably can be removed
- selinux_get_fs_mount($1_t)
- selinux_validate_context($1_t)
-@@ -728,11 +712,11 @@
+- selinux_get_fs_mount($1_t)
+- selinux_validate_context($1_t)
+- selinux_compute_access_vector($1_t)
+- selinux_compute_create_context($1_t)
+- selinux_compute_relabel_context($1_t)
+- selinux_compute_user_contexts($1_t)
++ selinux_get_fs_mount($1_usertype)
++ selinux_validate_context($1_usertype)
++ selinux_compute_access_vector($1_usertype)
++ selinux_compute_create_context($1_usertype)
++ selinux_compute_relabel_context($1_usertype)
++ selinux_compute_user_contexts($1_usertype)
+
# for eject
- storage_getattr_fixed_disk_dev($1_t)
+- storage_getattr_fixed_disk_dev($1_t)
++ storage_getattr_fixed_disk_dev($1_usertype)
- auth_use_nsswitch($1_t)
- auth_read_login_records($1_t)
- auth_search_pam_console_data($1_t)
+- auth_read_login_records($1_t)
+- auth_search_pam_console_data($1_t)
++ auth_read_login_records($1_usertype)
++ auth_search_pam_console_data($1_usertype)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ authlogin_per_role_template($1, $1_t, $1_r)
- init_read_utmp($1_t)
+- init_read_utmp($1_t)
++ init_read_utmp($1_usertype)
-@@ -758,10 +742,6 @@
- dev_read_mouse($1_t)
+- seutil_read_file_contexts($1_t)
+- seutil_read_default_contexts($1_t)
++ seutil_read_file_contexts($1_usertype)
++ seutil_read_default_contexts($1_usertype)
+ seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ seutil_exec_checkpolicy($1_t)
+- seutil_exec_setfiles($1_t)
++ seutil_exec_setfiles($1_usertype)
+ # for when the network connection is killed
+ # this is needed when a login role can change
+ # to this one.
+ seutil_dontaudit_signal_newrole($1_t)
+
+ tunable_policy(`read_default_t',`
+- files_list_default($1_t)
+- files_read_default_files($1_t)
+- files_read_default_symlinks($1_t)
+- files_read_default_sockets($1_t)
+- files_read_default_pipes($1_t)
++ files_list_default($1_usertype)
++ files_read_default_files($1_usertype)
++ files_read_default_symlinks($1_usertype)
++ files_read_default_sockets($1_usertype)
++ files_read_default_pipes($1_usertype)
')
-- tunable_policy(`user_ttyfile_stat',`
-- term_getattr_all_user_ttys($1_t)
+ tunable_policy(`user_direct_mouse',`
+- dev_read_mouse($1_t)
- ')
-
+- tunable_policy(`user_ttyfile_stat',`
+- term_getattr_all_user_ttys($1_t)
++ dev_read_mouse($1_usertype)
+ ')
+
+ optional_policy(`
+- alsa_read_rw_config($1_t)
++ alsa_read_rw_config($1_usertype)
+ ')
+
optional_policy(`
- alsa_read_rw_config($1_t)
+ # Allow graphical boot to check battery lifespan
+- apm_stream_connect($1_t)
++ apm_stream_connect($1_usertype)
')
-@@ -783,20 +763,20 @@
+
+ optional_policy(`
+- canna_stream_connect($1_t)
++ canna_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client_template($1,$1_t)
++ dbus_system_bus_client_template($1,$1_usertype)
+
+ optional_policy(`
+- bluetooth_dbus_chat($1_t)
++ bluetooth_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1,$1_t)
- evolution_alarm_dbus_chat($1,$1_t)
-+ consolekit_dbus_chat($1_t)
++ consolekit_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ evolution_dbus_chat($1,$1_t)
-+ evolution_alarm_dbus_chat($1,$1_t)
++ evolution_dbus_chat($1,$1_usertype)
++ evolution_alarm_dbus_chat($1,$1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_t)
++ networkmanager_dbus_chat($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ vpnc_dbus_chat($1_t)
++ vpnc_dbus_chat($1_usertype)
')
')
-@@ -824,11 +804,18 @@
- mta_rw_spool($1_t)
+ optional_policy(`
+- inetd_use_fds($1_t)
+- inetd_rw_tcp_sockets($1_t)
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
+ ')
+
+ optional_policy(`
+- inn_read_config($1_t)
+- inn_read_news_lib($1_t)
+- inn_read_news_spool($1_t)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
+ ')
+
+ optional_policy(`
+- locate_read_lib_files($1_t)
++ locate_read_lib_files($1_usertype)
+ ')
+
+ # for running depmod as part of the kernel packaging process
+ optional_policy(`
+- modutils_read_module_config($1_t)
++ modutils_read_module_config($1_usertype)
+ ')
+
+ optional_policy(`
+- mta_rw_spool($1_t)
++ mta_rw_spool($1_usertype)
')
-
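Review bot: The `tunable_policy(`user_rw_noexattrfile',` block added at L1010-1015 now lives in the base user template and acts on `$1_usertype`, while the hunk at L1331-1350 removes the identical block from the more privileged template further down, so the net effect is to extend write access to noxattr filesystems (vfat and similar) from that one template to every domain built on the base template, including the least-privileged user types, whenever the boolean is on. Even with the boolean off, the else branch grants `fs_read_noxattr_fs_files($1_usertype)` to all of them unconditionally, which the boolean's name does not convey; add `# every user type may read noxattr fs; writing is gated by user_rw_noexattrfile` above the block. Separately, L1019 and L1024 now both act on `$1_usertype`, so the dontaudit of send_audit_msgs is made moot by the allow two lines below it. The template body continues outside the hunk.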
@@ -24000,21 +24401,27 @@
- tunable_policy(`allow_user_mysql_connect',`
- mysql_stream_connect($1_t)
- ')
-+ alsa_read_rw_config($1_t)
-+ ')
-+
++ alsa_read_rw_config($1_usertype)
+ ')
+
+- optional_policy(`
+- # to allow monitoring of pcmcia status
+- pcmcia_read_pid($1_t)
+ optional_policy(`
+ tunable_policy(`allow_user_postgresql_connect',`
-+ postgresql_stream_connect($1_t)
++ postgresql_stream_connect($1_usertype)
+ ')
+ ')
+
+ tunable_policy(`user_ttyfile_stat',`
-+ term_getattr_all_user_ttys($1_t)
++ term_getattr_all_user_ttys($1_usertype)
')
optional_policy(`
-@@ -842,13 +829,6 @@
+- pcscd_read_pub_files($1_t)
+- pcscd_stream_connect($1_t)
++ # to allow monitoring of pcmcia status
++ pcmcia_read_pid($1_usertype)
')
optional_policy(`
@@ -24022,13 +24429,34 @@
- postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t)
- ')
-- ')
--
-- optional_policy(`
- resmgr_stream_connect($1_t)
++ pcscd_read_pub_files($1_usertype)
++ pcscd_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+- resmgr_stream_connect($1_t)
++ resmgr_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+- rpc_dontaudit_getattr_exports($1_t)
+- rpc_manage_nfs_rw_content($1_t)
++ rpc_dontaudit_getattr_exports($1_usertype)
++ rpc_manage_nfs_rw_content($1_usertype)
+ ')
+
+ optional_policy(`
+- samba_stream_connect_winbind($1_t)
++ samba_stream_connect_winbind($1_usertype)
')
-@@ -889,6 +869,8 @@
+ optional_policy(`
+- slrnpull_search_spool($1_t)
++ slrnpull_search_spool($1_usertype)
+ ')
+
+ optional_policy(`
+@@ -889,6 +876,8 @@
## </param>
#
template(`userdom_login_user_template', `
@@ -24037,7 +24465,7 @@
userdom_base_user_template($1)
userdom_manage_home_template($1)
-@@ -917,26 +899,26 @@
+@@ -917,26 +906,26 @@
allow $1_t self:context contains;
@@ -24078,7 +24506,7 @@
auth_dontaudit_write_login_records($1_t)
-@@ -944,43 +926,43 @@
+@@ -944,43 +933,43 @@
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
@@ -24140,7 +24568,7 @@
')
')
-@@ -1014,9 +996,6 @@
+@@ -1014,9 +1003,6 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@@ -24150,7 +24578,7 @@
typeattribute $1_tty_device_t user_ttynode;
##############################
-@@ -1025,16 +1004,29 @@
+@@ -1025,16 +1011,29 @@
#
# privileged home directory writers
@@ -24186,7 +24614,7 @@
')
#######################################
-@@ -1062,6 +1054,13 @@
+@@ -1062,6 +1061,13 @@
userdom_restricted_user_template($1)
@@ -24200,7 +24628,7 @@
userdom_xwindows_client_template($1)
##############################
-@@ -1070,14 +1069,14 @@
+@@ -1070,14 +1076,14 @@
#
authlogin_per_role_template($1, $1_t, $1_r)
@@ -24220,7 +24648,7 @@
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1085,32 +1084,17 @@
+@@ -1085,32 +1091,17 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -24260,7 +24688,7 @@
')
')
-@@ -1121,10 +1105,10 @@
+@@ -1121,10 +1112,10 @@
## </summary>
## <desc>
## <p>
@@ -24275,7 +24703,7 @@
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1187,12 +1171,11 @@
+@@ -1187,12 +1178,11 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -24290,7 +24718,7 @@
')
# Run pppd in pppd_t by default for user
-@@ -1201,7 +1184,7 @@
+@@ -1201,7 +1191,7 @@
')
optional_policy(`
@@ -24299,7 +24727,7 @@
')
')
-@@ -1278,8 +1261,6 @@
+@@ -1278,8 +1268,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -24308,6 +24736,20 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
+@@ -1357,13 +1345,6 @@
+ # But presently necessary for installing the file_contexts file.
+ seutil_manage_bin_policy($1_t)
+
+- tunable_policy(`user_rw_noexattrfile',`
+- fs_manage_noxattr_fs_files($1_t)
+- fs_manage_noxattr_fs_dirs($1_t)
+- ',`
+- fs_read_noxattr_fs_files($1_t)
+- ')
+-
+ optional_policy(`
+ userhelper_exec($1_t)
+ ')
@@ -1416,6 +1397,7 @@
dev_relabel_all_dev_nodes($1)
@@ -25033,7 +25475,7 @@
## users home directory.
## </summary>
## <param name="domain">
-@@ -4301,17 +4397,32 @@
+@@ -4301,12 +4397,27 @@
## </summary>
## </param>
#
@@ -25046,11 +25488,10 @@
- dontaudit $1 staff_home_t:file append;
+ dontaudit $1 user_home_t:file append_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Read files in the staff users home directory.
++')
++
++########################################
++## <summary>
+## Do not audit attempts to append to the staff
+## users home directory.
+## </summary>
@@ -25062,14 +25503,9 @@
+#
+interface(`userdom_dontaudit_append_staff_home_content_files',`
+ userdom_dontaudit_append_unpriv_home_content_files($1)
-+')
-+
-+########################################
-+## <summary>
-+## Read files in the staff users home directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
+ ')
+
+ ########################################
@@ -4321,13 +4432,13 @@
#
interface(`userdom_read_staff_home_content_files',`
@@ -26472,8 +26908,8 @@
+## <summary>Policy for staff user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-18 14:02:43.000000000 -0500
-@@ -0,0 +1,42 @@
++++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-24 16:05:12.000000000 -0500
+@@ -0,0 +1,47 @@
+policy_module(staff,1.0.1)
+userdom_unpriv_user_template(staff)
+
@@ -26484,9 +26920,10 @@
+domain_read_all_domains_state(staff_t)
+domain_getattr_all_domains(staff_t)
+
-+optional_policy(`
-+ xserver_per_role_template(staff, staff_t, staff_r)
-+')
++files_read_kernel_modules(staff_t)
++
++modutils_read_module_config(staff_t)
++modutils_read_module_deps(staff_t)
+
+sudo_per_role_template(staff, staff_t, staff_r)
+seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
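Review bot: `modutils_read_module_config(staff_t)` and `modutils_read_module_deps(staff_t)` on L1413-1414 are called bare, whereas the same interface is wrapped in `optional_policy(` at L1172-1176 of the userdomain hunk and the xserver call in the next hunk (L1418-1428) is moved into one; if modutils is built as a loadable module in this configuration, a bare call will fail to link when it is absent. Wrap them the same way, and since the module body changes, bump the version on L1401 from 1.0.1. `files_read_kernel_modules(staff_t)` is a base interface and can stay bare.
```selinux
files_read_kernel_modules(staff_t)

optional_policy(`
	modutils_read_module_config(staff_t)
	modutils_read_module_deps(staff_t)
')
```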
@@ -26516,6 +26953,10 @@
+ netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
+')
+
++optional_policy(`
++ xserver_per_role_template(staff, staff_t, staff_r)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.5/policy/modules/users/user.fc
--- nsaserefpolicy/policy/modules/users/user.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/user.fc 2008-01-18 12:40:46.000000000 -0500
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.591
retrieving revision 1.592
diff -u -r1.591 -r1.592
--- selinux-policy.spec 24 Jan 2008 18:12:25 -0000 1.591
+++ selinux-policy.spec 28 Jan 2008 16:48:49 -0000 1.592
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.5
-Release: 19%{?dist}
+Release: 20%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@
%endif
%changelog
+* Fri Jan 25 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-20
+- Allow usertypes to read/write noxattr file systems
+
* Thu Jan 24 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-19
- Fix nsplugin to allow flashplugin to work in enforcing mode