rpms/selinux-policy/F-8 policy-20070703.patch, 1.177, 1.178 selinux-policy.spec, 1.607, 1.608
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Jan 31 18:53:55 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv721
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Thu Jan 22 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-82
- Allow xdm to sys_ptrace
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.177
retrieving revision 1.178
diff -u -r1.177 -r1.178
--- policy-20070703.patch 23 Jan 2008 20:16:45 -0000 1.177
+++ policy-20070703.patch 31 Jan 2008 18:53:49 -0000 1.178
@@ -1553,8 +1553,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.0.8/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/admin/kismet.te 2008-01-17 09:03:07.000000000 -0500
-@@ -0,0 +1,58 @@
++++ serefpolicy-3.0.8/policy/modules/admin/kismet.te 2008-01-30 11:10:03.000000000 -0500
+@@ -0,0 +1,57 @@
+policy_module(kismet,1.0.0)
+
+########################################
@@ -1582,8 +1582,6 @@
+# kismet local policy
+#
+
-+## internal communication is often done using fifo and unix sockets.
-+#============= kismet_t ==============
+allow kismet_t self:capability { net_admin setuid setgid };
+
+corecmd_exec_bin(kismet_t)
@@ -1595,12 +1593,13 @@
+
+files_read_etc_files(kismet_t)
+
++kernel_load_module(kismet_t)
++
+libs_use_ld_so(kismet_t)
+libs_use_shared_libs(kismet_t)
+
+miscfiles_read_localization(kismet_t)
+
-+
+allow kismet_t kismet_var_run_t:file manage_file_perms;
+allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir })
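Review bot: `kernel_load_module(kismet_t)` is the broadest grant in this hunk and it arrives without a comment; in refpolicy that interface allows `self:capability sys_module`, so a compromise of a domain that parses untrusted wireless frames becomes a kernel-level compromise. The kismet.te header hunk above drops two explanatory comment lines but none is added here to say which driver or operation needs module loading. Suggest a why-comment such as `# kismet loads wireless driver modules itself — TODO(review): confirm, and prefer letting the driver be loaded by init if it can` directly above the call, and re-checking whether the existing `net_admin` capability already covers the interface manipulation kismet actually performs. The kismet_t local-policy block continues past this hunk.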
@@ -2950,7 +2949,7 @@
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-01-28 10:57:36.000000000 -0500
@@ -32,7 +32,7 @@
## </summary>
## </param>
@@ -3009,15 +3008,17 @@
files_read_etc_files($1_javaplugin_t)
files_read_usr_files($1_javaplugin_t)
-@@ -122,6 +126,7 @@
+@@ -122,6 +126,9 @@
fs_getattr_xattr_fs($1_javaplugin_t)
fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
+ fs_getattr_tmpfs($1_javaplugin_t)
++
++ auth_use_nsswitch($1_javaplugin_t)
libs_use_ld_so($1_javaplugin_t)
libs_use_shared_libs($1_javaplugin_t)
-@@ -134,6 +139,10 @@
+@@ -134,6 +141,10 @@
sysnet_read_config($1_javaplugin_t)
@@ -3028,7 +3029,7 @@
userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
-@@ -166,6 +175,62 @@
+@@ -166,6 +177,62 @@
optional_policy(`
xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
@@ -3091,7 +3092,7 @@
')
########################################
-@@ -219,3 +284,66 @@
+@@ -219,3 +286,66 @@
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
')
@@ -3964,7 +3965,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.8/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2008-01-30 09:40:50.000000000 -0500
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
@@ -3973,7 +3974,11 @@
########################################
#
-@@ -20,7 +21,12 @@
+@@ -17,10 +18,16 @@
+
+ optional_policy(`
+ allow wine_t self:process { execstack execmem execheap };
++ domain_mmap_low(wine_t)
unconfined_domain_noaudit(wine_t)
files_execmod_all_files(wine_t)
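Review bot: `domain_mmap_low(wine_t)` grants the `memprotect mmap_zero` permission, which lets wine_t map pages below `vm.mmap_min_addr` — the kernel mitigation that this permission exists to relax — and the commit log only mentions xdm ptrace, so the reason is undocumented. It sits inside the same `optional_policy` that already gives `unconfined_domain_noaudit(wine_t)` and execmem/execstack, so it is consistent with that block, but it should still carry a comment, e.g. `# wine maps low memory (presumably for 16-bit/DOS binaries); this weakens mmap_min_addr for wine_t only`. The enclosing `optional_policy` block continues past the end of this hunk.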
@@ -4257,19 +4262,26 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2008-01-17 09:03:07.000000000 -0500
-@@ -4,6 +4,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2008-01-24 14:07:04.000000000 -0500
+@@ -1,8 +1,9 @@
+ /dev -d gen_context(system_u:object_r:device_t,s0)
+ /dev/.* gen_context(system_u:object_r:device_t,s0)
+-
++/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0)
/dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -14,22 +15,33 @@
+@@ -13,27 +14,42 @@
+ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
@@ -4281,8 +4293,8 @@
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
@@ -4291,52 +4303,45 @@
+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
+/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-+/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,mls_systemhigh)
++/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
+/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-@@ -41,6 +53,11 @@
- /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
-+
-+/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -44,6 +60,7 @@
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-@@ -49,6 +66,9 @@
++/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
- /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
- /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
- /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -65,9 +85,11 @@
+@@ -65,9 +82,8 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
+-/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+-/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+-/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
- /dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
- /dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
- /dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
-+/dev/usb/.+ -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -95,11 +117,21 @@
+@@ -94,12 +110,23 @@
+
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
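Review bot: The context for `/dev/kvm` changes from `mls_systemhigh` to `s0` in this hunk, while the neighbouring memory devices (`/dev/kmem`, `/dev/mergemem`, `/dev/mem`, `/dev/oldmem`) stay at systemhigh; on an MLS policy that makes the hypervisor device reachable from s0 domains, which is a deliberate downgrade and deserves a comment such as `# kvm is opened by user-level qemu domains, so it is not systemhigh like the raw memory devices`. In the same hunk the three usb entries are collapsed into `/dev/usb.+`, which also matches `/dev/usblp.*` and `/dev/usbscanner` on the following lines; the later, more specific entries should still take precedence in file_contexts matching, but that ordering dependency is worth noting in a comment so a future reorder does not relabel printers as usb_device_t.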
@@ -4356,6 +4361,23 @@
/dev/pts(/.*)? <<none>>
+@@ -113,14 +140,9 @@
+ /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
+ /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+
+-/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+-
+-/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
++/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+
+-ifdef(`distro_debian',`
+-# used by udev init script as temporary mount point
+-/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+-')
++/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+
+ ifdef(`distro_gentoo',`
+ # used by init scripts to initally populate udev /dev
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2008-01-17 09:03:07.000000000 -0500
@@ -5180,7 +5202,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-01-24 15:47:50.000000000 -0500
@@ -271,45 +271,6 @@
########################################
@@ -5329,7 +5351,7 @@
## List all directories with a filesystem type.
## </summary>
## <param name="domain">
-@@ -3533,3 +3550,42 @@
+@@ -3533,3 +3550,62 @@
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
@@ -5372,6 +5394,26 @@
+ rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
++
++########################################
++## <summary>
++## Read and write files on hugetlbfs files
++## file systems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_rw_hugetlbfs_files',`
++ gen_require(`
++ type hugetlbfs_t;
++
++ ')
++
++ rw_files_pattern($1,hugetlbfs_t,hugetlbfs_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-22 13:21:41.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2008-01-17 09:03:07.000000000 -0500
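Review bot: The new `fs_rw_hugetlbfs_files` interface has a stray empty line inside its `gen_require` block (between `type hugetlbfs_t;` and `')`) and is preceded by two blank lines, which does not match the style of the surrounding interfaces in filesystem.if. The interface itself is fine; only the layout needs tidying to `gen_require(\`` / `type hugetlbfs_t;` / `')` with a single blank line before the banner.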
@@ -5426,7 +5468,7 @@
files_mountpoint(vxfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2008-01-17 13:25:01.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2008-01-30 11:09:40.000000000 -0500
@@ -352,6 +352,24 @@
########################################
@@ -6300,7 +6342,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2008-01-31 13:44:19.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(apache,1.7.1)
@@ -6473,7 +6515,7 @@
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -344,12 +383,8 @@
+@@ -344,29 +383,40 @@
seutil_dontaudit_search_config(httpd_t)
@@ -6486,7 +6528,8 @@
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-@@ -358,8 +393,16 @@
+
+-ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
@@ -6498,12 +6541,12 @@
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
-+ auth_domtrans_upd_passwd(httpd_t)
- ')
+- auth_domtrans_chk_passwd(httpd_t)
+-')
++ auth_domtrans_chk_pwd(httpd_t)
')
-@@ -367,6 +410,16 @@
+ tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
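Review bot: The tunable body now calls `auth_domtrans_chk_pwd(httpd_t)`, a name that does not match the refpolicy spelling used elsewhere on this page (`auth_domtrans_chk_passwd` at the mailman hunk, and the `auth_domtrans_upd_passwd` call this hunk removes); if authlogin.if in this patch does not define `auth_domtrans_chk_pwd`, the apache module fails to build. Note also that the previous hunk drops the `ifdef(\`TODO',` guard, so `allow_httpd_mod_auth_pam` becomes a live boolean that lets httpd transition to the password-checking domain; a one-line comment above `gen_tunable(allow_httpd_mod_auth_pam,false)` stating that it exposes password checking to the web server and is off by default would help administrators. The `ifdef` removal and this tunable span two hunks, and the surrounding block continues outside them.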
@@ -6520,7 +6563,7 @@
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +440,10 @@
+@@ -387,6 +437,10 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -6531,7 +6574,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -404,11 +461,21 @@
+@@ -404,11 +458,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -6553,7 +6596,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +497,12 @@
+@@ -430,6 +494,12 @@
')
optional_policy(`
@@ -6566,7 +6609,7 @@
calamaris_read_www_files(httpd_t)
')
-@@ -442,8 +515,14 @@
+@@ -442,8 +512,14 @@
')
optional_policy(`
@@ -6582,7 +6625,7 @@
')
optional_policy(`
-@@ -457,11 +536,11 @@
+@@ -457,11 +533,11 @@
optional_policy(`
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
@@ -6595,7 +6638,7 @@
')
optional_policy(`
-@@ -481,6 +560,7 @@
+@@ -481,6 +557,7 @@
')
optional_policy(`
@@ -6603,7 +6646,7 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -516,6 +596,13 @@
+@@ -516,6 +593,13 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
@@ -6617,7 +6660,7 @@
########################################
#
# Apache PHP script local policy
-@@ -553,6 +640,7 @@
+@@ -553,6 +637,7 @@
optional_policy(`
mysql_stream_connect(httpd_php_t)
@@ -6625,7 +6668,7 @@
')
optional_policy(`
-@@ -567,7 +655,6 @@
+@@ -567,7 +652,6 @@
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@@ -6633,7 +6676,7 @@
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -581,6 +668,10 @@
+@@ -581,6 +665,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -6644,7 +6687,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -590,8 +681,7 @@
+@@ -590,8 +678,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
# for shell scripts
@@ -6654,7 +6697,7 @@
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -620,8 +710,6 @@
+@@ -620,8 +707,6 @@
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
@@ -6663,7 +6706,7 @@
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -634,6 +722,12 @@
+@@ -634,6 +719,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -6676,7 +6719,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -651,18 +745,6 @@
+@@ -651,18 +742,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -6695,7 +6738,7 @@
########################################
#
# Apache system script local policy
-@@ -672,7 +754,8 @@
+@@ -672,7 +751,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -6705,7 +6748,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +769,62 @@
+@@ -686,15 +766,62 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -6769,7 +6812,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -707,6 +837,7 @@
+@@ -707,6 +834,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -6777,7 +6820,7 @@
')
########################################
-@@ -728,3 +859,46 @@
+@@ -728,3 +856,46 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -6918,8 +6961,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.0.8/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/automount.if 2008-01-17 09:03:07.000000000 -0500
-@@ -74,3 +74,21 @@
++++ serefpolicy-3.0.8/policy/modules/services/automount.if 2008-01-30 09:23:53.000000000 -0500
+@@ -74,3 +74,39 @@
dontaudit $1 automount_tmp_t:dir getattr;
')
@@ -6941,6 +6984,24 @@
+
+ dontaudit $1 automount_t:fd use;
+')
++########################################
++## <summary>
++## Do not audit attempts to write automount daemon unnamed pipes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`automount_dontaudit_write_pipes',`
++ gen_require(`
++ type automount_t;
++ ')
++
++ dontaudit $1 automount_t:fifo_file write;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/automount.te 2008-01-17 13:10:56.000000000 -0500
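Review bot: The new `automount_dontaudit_write_pipes` interface banner (`########`) follows the previous interface's `')` with no blank line, while the hunk adds a trailing blank line after the new interface instead; the rest of automount.if separates interfaces with one blank line before the banner. Moving that blank line is the only change needed. Otherwise the interface is narrow (`dontaudit $1 automount_t:fifo_file write;`) and correctly documented.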
@@ -7026,7 +7087,7 @@
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.8/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/bind.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/bind.te 2008-01-31 09:00:00.000000000 -0500
@@ -66,7 +66,6 @@
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:tcp_socket create_stream_socket_perms;
@@ -7035,16 +7096,16 @@
allow named_t dnssec_t:file { getattr read };
-@@ -92,6 +91,8 @@
- manage_sock_files_pattern(named_t,named_var_run_t,named_var_run_t)
- files_pid_filetrans(named_t,named_var_run_t,{ file sock_file })
-
-+auth_use_nsswitch(named_t)
-+
- # read zone files
- allow named_t named_zone_t:dir list_dir_perms;
- read_files_pattern(named_t,named_zone_t,named_zone_t)
-@@ -119,6 +120,7 @@
+@@ -101,6 +100,8 @@
+ kernel_read_system_state(named_t)
+ kernel_read_network_state(named_t)
+
++corecmd_search_bin(named_t)
++
+ corenet_all_recvfrom_unlabeled(named_t)
+ corenet_all_recvfrom_netlabel(named_t)
+ corenet_tcp_sendrecv_all_if(named_t)
+@@ -119,15 +120,11 @@
corenet_sendrecv_dns_client_packets(named_t)
corenet_sendrecv_rndc_server_packets(named_t)
corenet_sendrecv_rndc_client_packets(named_t)
@@ -7052,7 +7113,48 @@
dev_read_sysfs(named_t)
dev_read_rand(named_t)
-@@ -175,6 +177,10 @@
+
+-fs_getattr_all_fs(named_t)
+-fs_search_auto_mountpoints(named_t)
+-
+-corecmd_search_bin(named_t)
+-
+ dev_read_urand(named_t)
+
+ domain_use_interactive_fds(named_t)
+@@ -135,6 +132,11 @@
+ files_read_etc_files(named_t)
+ files_read_etc_runtime_files(named_t)
+
++fs_getattr_all_fs(named_t)
++fs_search_auto_mountpoints(named_t)
++
++auth_use_nsswitch(named_t)
++
+ libs_use_ld_so(named_t)
+ libs_use_shared_libs(named_t)
+
+@@ -155,19 +157,12 @@
+ ')
+
+ optional_policy(`
+- gen_require(`
+- class dbus send_msg;
+- ')
+-
+- allow named_t self:dbus send_msg;
+-
+ init_dbus_chat_script(named_t)
+
+ sysnet_dbus_chat_dhcpc(named_t)
+
+ dbus_system_bus_client_template(named,named_t)
+ dbus_connect_system_bus(named_t)
+- dbus_send_system_bus(named_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(named_t)
+@@ -175,6 +170,10 @@
')
optional_policy(`
@@ -7063,7 +7165,7 @@
# this seems like fds that arent being
# closed. these should probably be
# dontaudits instead.
-@@ -184,14 +190,6 @@
+@@ -184,14 +183,6 @@
')
optional_policy(`
@@ -7078,14 +7180,25 @@
seutil_sigchld_newrole(named_t)
')
-@@ -232,6 +230,7 @@
+@@ -232,15 +223,16 @@
corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
+corenet_tcp_bind_all_nodes(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
- fs_getattr_xattr_fs(ndc_t)
+-fs_getattr_xattr_fs(ndc_t)
+-
+ domain_use_interactive_fds(ndc_t)
+
+ files_read_etc_files(ndc_t)
+ files_search_pids(ndc_t)
+
++fs_getattr_xattr_fs(ndc_t)
++
+ init_use_fds(ndc_t)
+ init_use_script_ptys(ndc_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.0.8/policy/modules/services/bitlbee.fc
--- nsaserefpolicy/policy/modules/services/bitlbee.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.fc 2008-01-17 09:03:07.000000000 -0500
@@ -7206,8 +7319,16 @@
+/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.8/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2008-01-17 09:03:07.000000000 -0500
-@@ -44,7 +44,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2008-01-31 11:16:03.000000000 -0500
+@@ -37,14 +37,14 @@
+ # Bluetooth services local policy
+ #
+
+-allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock };
++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
+ dontaudit bluetooth_t self:capability sys_tty_config;
+ allow bluetooth_t self:process { getsched signal_perms };
+ allow bluetooth_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
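Review bot: Adding `dac_override` to `bluetooth_t`'s capability set is a permission-bypass grant with no comment explaining which denial triggered it; `dac_override` is often a symptom of a file owned by the wrong user or with too-tight mode rather than a real need, and `dac_read_search` is the narrower option when only reading is involved. Suggest a why-comment on the changed line, e.g. `# dac_override: TODO(review) record the path/AVC that required it; check whether dac_read_search suffices`, so the grant can be revisited once the underlying file ownership is fixed.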
@@ -7216,10 +7337,37 @@
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
allow bluetooth_t self:udp_socket create_socket_perms;
-@@ -128,6 +128,8 @@
- dbus_system_bus_client_template(bluetooth,bluetooth_t)
- dbus_connect_system_bus(bluetooth_t)
- dbus_send_system_bus(bluetooth_t)
+@@ -110,6 +110,8 @@
+ files_read_etc_runtime_files(bluetooth_t)
+ files_read_usr_files(bluetooth_t)
+
++auth_use_nsswitch(bluetooth_t)
++
+ libs_use_ld_so(bluetooth_t)
+ libs_use_shared_libs(bluetooth_t)
+
+@@ -118,20 +120,20 @@
+ miscfiles_read_localization(bluetooth_t)
+ miscfiles_read_fonts(bluetooth_t)
+
+-sysnet_read_config(bluetooth_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+ userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
+ userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
+
+ optional_policy(`
+- dbus_system_bus_client_template(bluetooth,bluetooth_t)
+- dbus_connect_system_bus(bluetooth_t)
+- dbus_send_system_bus(bluetooth_t)
++ cups_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(bluetooth_t)
++ dbus_system_bus_client_template(bluetooth,bluetooth_t)
++ dbus_connect_system_bus(bluetooth_t)
++ dbus_send_system_bus(bluetooth_t)
+ allow bluetooth_t self:dbus send_msg;
+ dbus_system_domain(bluetooth_t,bluetooth_exec_t)
')
@@ -7919,7 +8067,7 @@
+/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.0.8/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.if 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/cups.if 2008-01-30 11:15:10.000000000 -0500
@@ -247,3 +247,4 @@
files_search_pids($1)
stream_connect_pattern($1,ptal_var_run_t,ptal_var_run_t,ptal_t)
@@ -8631,7 +8779,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.0.8/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dcc.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dcc.te 2008-01-30 11:52:20.000000000 -0500
@@ -124,7 +124,7 @@
# dcc procmail interface local policy
#
@@ -8641,7 +8789,15 @@
allow dcc_client_t self:unix_dgram_socket create_socket_perms;
allow dcc_client_t self:udp_socket create_socket_perms;
-@@ -148,6 +148,10 @@
+@@ -141,6 +141,7 @@
+
+ corenet_all_recvfrom_unlabeled(dcc_client_t)
+ corenet_all_recvfrom_netlabel(dcc_client_t)
++corenet_udp_bind_all_nodes(dcc_client_t)
+ corenet_udp_sendrecv_generic_if(dcc_client_t)
+ corenet_udp_sendrecv_all_nodes(dcc_client_t)
+ corenet_udp_sendrecv_all_ports(dcc_client_t)
+@@ -148,6 +149,10 @@
files_read_etc_files(dcc_client_t)
files_read_etc_runtime_files(dcc_client_t)
@@ -8652,6 +8808,40 @@
libs_use_ld_so(dcc_client_t)
libs_use_shared_libs(dcc_client_t)
+@@ -155,11 +160,8 @@
+
+ miscfiles_read_localization(dcc_client_t)
+
+-sysnet_read_config(dcc_client_t)
+-sysnet_dns_name_resolve(dcc_client_t)
+-
+ optional_policy(`
+- nscd_socket_use(dcc_client_t)
++ spamassassin_read_spamd_tmp_files(dcc_client_t)
+ ')
+
+ ########################################
+@@ -335,6 +337,8 @@
+ fs_getattr_all_fs(dccifd_t)
+ fs_search_auto_mountpoints(dccifd_t)
+
++auth_use_nsswitch(dcc_client_t)
++
+ libs_use_ld_so(dccifd_t)
+ libs_use_shared_libs(dccifd_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.8/policy/modules/services/dhcp.te
+--- nsaserefpolicy/policy/modules/services/dhcp.te 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dhcp.te 2008-01-29 08:02:45.000000000 -0500
+@@ -24,7 +24,7 @@
+ # Local policy
+ #
+
+-allow dhcpd_t self:capability net_raw;
++allow dhcpd_t self:capability { sys_resource net_raw };
+ dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+ allow dhcpd_t self:process signal_perms;
+ allow dhcpd_t self:fifo_file { read write getattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.0.8/policy/modules/services/dictd.fc
--- nsaserefpolicy/policy/modules/services/dictd.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dictd.fc 2008-01-17 09:03:07.000000000 -0500
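Review bot: The added `auth_use_nsswitch(dcc_client_t)` is placed in the dccifd_t section (between `fs_search_auto_mountpoints(dccifd_t)` and `libs_use_ld_so(dccifd_t)`), which looks like a copy-paste of the domain name: either the intended argument was `dccifd_t`, or the call belongs in the dcc_client_t block where this same hunk removes `sysnet_read_config`, `sysnet_dns_name_resolve` and `nscd_socket_use` for that domain. As written dcc_client_t keeps name resolution via nsswitch, but dccifd_t gains nothing here; please confirm the intended domain and move or rename the line, e.g. `auth_use_nsswitch(dccifd_t)`. The dhcp change at the end (`{ sys_resource net_raw }`) is separate and unaffected.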
@@ -10082,7 +10272,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2008-01-29 09:37:33.000000000 -0500
@@ -55,6 +55,8 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
@@ -10092,10 +10282,11 @@
optional_policy(`
nscd_socket_use(mailman_cgi_t)
-@@ -67,6 +69,14 @@
+@@ -67,6 +69,15 @@
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
++allow mailman_mail_t self:process signal;
+allow mailman_mail_t initrc_t:process signal;
+allow mailman_mail_t self:capability { setuid setgid };
+
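Review bot: `allow mailman_mail_t self:capability { setuid setgid };` and `allow mailman_mail_t initrc_t:process signal;` are added without any comment on why a mail-delivery domain needs to change its credentials or signal the init-script domain. Both are broader than the surrounding rules; a short note above them, such as `# mailman's mail wrapper drops to the mailman uid/gid; signal to initrc_t — TODO(review): record which caller needs it`, would let the grant be audited later. The mailman_mail_t block continues outside this hunk.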
@@ -10107,7 +10298,7 @@
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
-@@ -96,6 +106,7 @@
+@@ -96,6 +107,7 @@
kernel_read_proc_symlinks(mailman_queue_t)
auth_domtrans_chk_passwd(mailman_queue_t)
@@ -10392,7 +10583,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-01-31 11:46:14.000000000 -0500
@@ -1,11 +1,13 @@
-policy_module(mta,1.7.1)
@@ -10416,8 +10607,12 @@
mta_base_mail_template(system)
role system_r types system_mail_t;
-@@ -40,27 +43,40 @@
- allow system_mail_t self:capability { dac_override };
+@@ -37,30 +40,43 @@
+ #
+
+ # newalias required this, not sure if it is needed in 'if' file
+-allow system_mail_t self:capability { dac_override };
++allow system_mail_t self:capability { dac_override fowner };
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
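Review bot: The existing comment `# newalias required this, not sure if it is needed in 'if' file` explains `dac_override` only, yet the hunk widens the set to `{ dac_override fowner }` without updating it; `fowner` lets system_mail_t change ownership/mode on files it does not own. Please extend the comment to cover the new capability, e.g. `# newalias needs dac_override; fowner is for <operation> — TODO(review): fill in`. The `read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)` line looks consistent with the rest of the block.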
@@ -10768,7 +10963,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.8/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mysql.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mysql.te 2008-01-24 15:47:33.000000000 -0500
@@ -25,6 +25,9 @@
type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)
@@ -10789,6 +10984,14 @@
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;
+@@ -79,6 +83,7 @@
+
+ fs_getattr_all_fs(mysqld_t)
+ fs_search_auto_mountpoints(mysqld_t)
++fs_rw_hugetlbfs_files(mysqld_t)
+
+ domain_use_interactive_fds(mysqld_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.0.8/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nagios.fc 2008-01-17 09:03:07.000000000 -0500
@@ -12199,7 +12402,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.0.8/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postgresql.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/postgresql.te 2008-01-24 15:47:19.000000000 -0500
@@ -27,6 +27,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
@@ -12218,7 +12421,15 @@
manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
-@@ -118,6 +120,8 @@
+@@ -101,6 +103,7 @@
+
+ fs_getattr_all_fs(postgresql_t)
+ fs_search_auto_mountpoints(postgresql_t)
++fs_rw_hugetlbfs_files(postgresql_t)
+
+ term_use_controlling_term(postgresql_t)
+
+@@ -118,6 +121,8 @@
init_read_utmp(postgresql_t)
@@ -12227,7 +12438,7 @@
libs_use_ld_so(postgresql_t)
libs_use_shared_libs(postgresql_t)
-@@ -127,9 +131,6 @@
+@@ -127,9 +132,6 @@
seutil_dontaudit_search_config(postgresql_t)
@@ -12237,7 +12448,7 @@
userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
userdom_dontaudit_use_sysadm_ttys(postgresql_t)
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
-@@ -158,10 +159,6 @@
+@@ -158,10 +160,6 @@
')
optional_policy(`
@@ -12248,10 +12459,29 @@
seutil_sigchld_newrole(postgresql_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.0.8/policy/modules/services/postgrey.fc
+--- nsaserefpolicy/policy/modules/services/postgrey.fc 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postgrey.fc 2008-01-30 11:29:05.000000000 -0500
+@@ -7,3 +7,5 @@
+
+ /var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+ /var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
++
++/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.0.8/policy/modules/services/postgrey.te
--- nsaserefpolicy/policy/modules/services/postgrey.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postgrey.te 2008-01-18 15:22:00.000000000 -0500
-@@ -24,7 +24,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/postgrey.te 2008-01-30 11:30:51.000000000 -0500
+@@ -13,6 +13,9 @@
+ type postgrey_etc_t;
+ files_config_file(postgrey_etc_t)
+
++type postgrey_spool_t;
++files_type(postgrey_spool_t)
++
+ type postgrey_var_lib_t;
+ files_type(postgrey_var_lib_t)
+
+@@ -24,15 +27,20 @@
# Local policy
#
@@ -12260,7 +12490,20 @@
dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:tcp_socket create_stream_socket_perms;
-@@ -68,6 +68,8 @@
++allow postgrey_t self:fifo_file create_fifo_file_perms;
+
+ allow postgrey_t postgrey_etc_t:dir list_dir_perms;
+ read_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t)
+ read_lnk_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t)
+
++manage_dirs_pattern(postgrey_master_t,postgrey_spool_t,postgrey_spool_t)
++manage_files_pattern(postgrey_master_t,postgrey_spool_t,postgrey_spool_t)
++manage_fifo_files_pattern(postgrey_master_t,postgrey_spool_t,postgrey_spool_t)
++
+ manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t)
+ files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
+
+@@ -68,6 +76,8 @@
fs_getattr_all_fs(postgrey_t)
fs_search_auto_mountpoints(postgrey_t)
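Review bot: The three new `manage_*_pattern` rules for the spool type name `postgrey_master_t` as the subject, a type that is not declared in any visible line of postgrey.te (the module declares `postgrey_t`, `postgrey_etc_t`, the new `postgrey_spool_t` and `postgrey_var_lib_t`); unless it is declared in a part of the file outside this diff the module will fail to build, and the intended subject was probably `postgrey_t`, the domain that receives `self:fifo_file` a few lines above. No type-transition rule accompanies the new type either, so content the daemon creates under `/var/spool/postfix/postgrey` would inherit the parent directory's label unless the path has been relabeled beforehand; a comment stating that expectation, or a filetrans rule, would close the gap. The postgrey_t local-policy section continues outside the hunk.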
@@ -12269,7 +12512,7 @@
libs_use_ld_so(postgrey_t)
libs_use_shared_libs(postgrey_t)
-@@ -75,13 +77,12 @@
+@@ -75,13 +85,12 @@
miscfiles_read_localization(postgrey_t)
@@ -12386,7 +12629,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2008-01-18 16:11:49.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2008-01-31 12:57:41.000000000 -0500
@@ -14,6 +14,10 @@
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
@@ -12587,7 +12830,7 @@
corecmd_exec_shell(radiusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.0.8/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/razor.if 2008-01-18 16:14:03.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/razor.if 2008-01-31 12:58:30.000000000 -0500
@@ -218,3 +218,41 @@
domtrans_pattern($1, razor_exec_t, razor_t)
@@ -12628,8 +12871,8 @@
+ files_search_home($2)
+ allow $2 $1_home_dir_t:dir search_dir_perms;
+ manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
++ read_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.0.8/policy/modules/services/remotelogin.if
--- nsaserefpolicy/policy/modules/services/remotelogin.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/remotelogin.if 2008-01-17 09:03:07.000000000 -0500
@@ -12884,7 +13127,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2008-01-30 09:24:12.000000000 -0500
@@ -59,10 +59,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -12901,7 +13144,7 @@
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
-@@ -73,12 +77,21 @@
+@@ -73,12 +77,22 @@
# cjp: this should really have its own type
files_manage_mounttab(rpcd_t)
@@ -12920,10 +13163,11 @@
+# automount -> mount -> rpcd
+optional_policy(`
+ automount_dontaudit_use_fds(rpcd_t)
++ automount_dontaudit_write_pipes(rpcd_t)
')
########################################
-@@ -91,9 +104,15 @@
+@@ -91,9 +105,15 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -12939,7 +13183,7 @@
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -123,6 +142,7 @@
+@@ -123,6 +143,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@@ -12947,7 +13191,7 @@
')
tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +163,9 @@
+@@ -143,6 +164,9 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -12957,7 +13201,7 @@
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
-@@ -158,6 +181,9 @@
+@@ -158,6 +182,9 @@
miscfiles_read_certs(gssd_t)
@@ -13324,7 +13568,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-01-31 11:27:27.000000000 -0500
@@ -137,6 +137,11 @@
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
@@ -13431,7 +13675,7 @@
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -321,8 +321,6 @@
+@@ -321,12 +321,12 @@
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
@@ -13440,7 +13684,13 @@
userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
-@@ -347,6 +345,17 @@
+
++term_use_ptmx(smbd_t)
++
+ ifdef(`hide_broken_symptoms', `
+ files_dontaudit_getattr_default_dirs(smbd_t)
+ files_dontaudit_getattr_boot_dirs(smbd_t)
+@@ -347,6 +347,17 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
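Review bot: `term_use_ptmx(smbd_t)` is added unconditionally and without a comment, so smbd may allocate pseudo-terminals in every configuration; presumably this serves the `passwd chat` path, where smbd drives the system password program through a pty, but that is an inference to confirm. A one-line comment such as `# passwd chat drives the password program through a pty` next to the rule, or gating it behind the tunable for that feature if one exists, would make the grant reviewable later. The smbd local-policy block continues outside the hunk.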
@@ -13458,7 +13708,7 @@
')
optional_policy(`
-@@ -398,7 +407,7 @@
+@@ -398,7 +409,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -13467,7 +13717,7 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -410,8 +419,7 @@
+@@ -410,8 +421,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -13477,7 +13727,7 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -421,6 +429,8 @@
+@@ -421,6 +431,8 @@
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -13486,7 +13736,7 @@
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
kernel_read_kernel_sysctls(nmbd_t)
-@@ -446,6 +456,7 @@
+@@ -446,6 +458,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -13494,7 +13744,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -462,17 +473,11 @@
+@@ -462,17 +475,11 @@
miscfiles_read_localization(nmbd_t)
@@ -13512,7 +13762,7 @@
seutil_sigchld_newrole(nmbd_t)
')
-@@ -506,6 +511,8 @@
+@@ -506,6 +513,8 @@
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
files_list_var_lib(smbmount_t)
@@ -13521,7 +13771,7 @@
kernel_read_system_state(smbmount_t)
corenet_all_recvfrom_unlabeled(smbmount_t)
-@@ -533,6 +540,7 @@
+@@ -533,6 +542,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -13529,7 +13779,7 @@
corecmd_list_bin(smbmount_t)
-@@ -553,16 +561,11 @@
+@@ -553,16 +563,11 @@
logging_search_logs(smbmount_t)
@@ -13548,7 +13798,7 @@
')
########################################
-@@ -570,24 +573,28 @@
+@@ -570,24 +575,28 @@
# SWAT Local policy
#
@@ -13585,7 +13835,7 @@
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -597,7 +604,11 @@
+@@ -597,7 +606,11 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -13598,7 +13848,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -622,23 +633,24 @@
+@@ -622,23 +635,24 @@
dev_read_urand(swat_t)
@@ -13625,7 +13875,7 @@
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -652,13 +664,16 @@
+@@ -652,13 +666,16 @@
kerberos_use(swat_t)
')
@@ -13648,7 +13898,7 @@
########################################
#
-@@ -672,7 +687,6 @@
+@@ -672,7 +689,6 @@
allow winbind_t self:fifo_file { read write };
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -13656,7 +13906,7 @@
allow winbind_t self:tcp_socket create_stream_socket_perms;
allow winbind_t self:udp_socket create_socket_perms;
-@@ -709,6 +723,8 @@
+@@ -709,6 +725,8 @@
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -13665,7 +13915,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +749,9 @@
+@@ -733,7 +751,9 @@
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -13675,7 +13925,7 @@
domain_use_interactive_fds(winbind_t)
-@@ -746,9 +764,6 @@
+@@ -746,9 +766,6 @@
miscfiles_read_localization(winbind_t)
@@ -13685,7 +13935,7 @@
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +773,6 @@
+@@ -758,10 +775,6 @@
')
optional_policy(`
@@ -13696,7 +13946,7 @@
seutil_sigchld_newrole(winbind_t)
')
-@@ -784,6 +795,8 @@
+@@ -784,6 +797,8 @@
allow winbind_helper_t samba_var_t:dir search;
files_list_var_lib(winbind_helper_t)
@@ -13705,7 +13955,7 @@
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
term_list_ptys(winbind_helper_t)
-@@ -804,6 +817,7 @@
+@@ -804,6 +819,7 @@
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
@@ -13713,7 +13963,7 @@
')
########################################
-@@ -828,3 +842,37 @@
+@@ -828,3 +844,37 @@
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
@@ -14263,7 +14513,7 @@
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2008-01-18 16:13:02.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2008-01-31 12:58:08.000000000 -0500
@@ -286,6 +286,12 @@
userdom_manage_user_home_content_symlinks($1,spamd_t)
')
@@ -14483,7 +14733,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.8/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/squid.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/squid.te 2008-01-25 09:45:37.000000000 -0500
@@ -36,7 +36,7 @@
# Local policy
#
@@ -14502,7 +14752,15 @@
# Grant permissions to create, access, and delete cache files.
manage_dirs_pattern(squid_t,squid_cache_t,squid_cache_t)
manage_files_pattern(squid_t,squid_cache_t,squid_cache_t)
-@@ -92,10 +94,12 @@
+@@ -85,6 +87,7 @@
+ corenet_udp_sendrecv_all_ports(squid_t)
+ corenet_tcp_bind_all_nodes(squid_t)
+ corenet_udp_bind_all_nodes(squid_t)
++corenet_tcp_bind_http_port(squid_t)
+ corenet_tcp_bind_http_cache_port(squid_t)
+ corenet_udp_bind_http_cache_port(squid_t)
+ corenet_tcp_bind_ftp_port(squid_t)
+@@ -92,10 +95,12 @@
corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
@@ -14515,7 +14773,7 @@
corenet_sendrecv_http_client_packets(squid_t)
corenet_sendrecv_ftp_client_packets(squid_t)
corenet_sendrecv_gopher_client_packets(squid_t)
-@@ -109,6 +113,8 @@
+@@ -109,6 +114,8 @@
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
@@ -14524,7 +14782,7 @@
selinux_dontaudit_getattr_dir(squid_t)
-@@ -137,9 +143,6 @@
+@@ -137,9 +144,6 @@
miscfiles_read_certs(squid_t)
miscfiles_read_localization(squid_t)
@@ -14534,7 +14792,7 @@
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_use_unpriv_user_fds(squid_t)
userdom_dontaudit_search_sysadm_home_dirs(squid_t)
-@@ -149,19 +152,7 @@
+@@ -149,19 +153,7 @@
')
optional_policy(`
@@ -14555,7 +14813,7 @@
')
optional_policy(`
-@@ -176,7 +167,12 @@
+@@ -176,7 +168,12 @@
udev_read_db(squid_t)
')
@@ -15602,7 +15860,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-01-24 13:40:36.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@@ -15637,11 +15895,13 @@
# Type for the executable used to start the X server, e.g. Xwrapper.
type xserver_exec_t;
corecmd_executable_file(xserver_exec_t)
-@@ -96,7 +109,7 @@
+@@ -95,8 +108,8 @@
+ # XDM Local policy
#
- allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
++allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms setkeycreate };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
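Review bot: The new capability set gives xdm_t `sys_ptrace` while the matching `process` rule only grants `ptrace` on `self`, and neither the hunk nor the changelog entry (`Allow xdm to sys_ptrace`) records which operation of xdm needs it. CAP_SYS_PTRACE is consulted by the kernel for more than ptrace(2) — it also relaxes access to other processes' /proc entries — so even with SELinux confining the ptrace target to xdm_t the rule deserves a comment naming the operation, e.g. `# sys_ptrace: <component> needs it for <operation> -- TODO confirm`. If only one helper program needs it, a separate domain for that helper would keep the capability off the display manager proper. The xdm local-policy section continues past the hunk.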
@@ -15929,7 +16189,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2008-01-29 09:14:26.000000000 -0500
@@ -14,6 +14,7 @@
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -15938,8 +16198,11 @@
ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
-@@ -40,3 +41,6 @@
+@@ -38,5 +39,9 @@
+ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
+
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
++/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -15947,7 +16210,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-01-21 14:40:36.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-01-31 13:45:27.000000000 -0500
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -16106,10 +16369,31 @@
')
optional_policy(`
-@@ -347,6 +408,37 @@
+@@ -347,6 +408,58 @@
########################################
## <summary>
++## Run unix_chkpwd to check a password.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`auth_domtrans_chkpwd',`
++ gen_require(`
++ type system_chkpwd_t, chkpwd_exec_t, shadow_t;
++ ')
++
++ corecmd_search_sbin($1)
++ domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
++ dontaudit $1 shadow_t:file { getattr read };
++ auth_domtrans_upd_passwd($1)
++')
++
++########################################
++## <summary>
+## Execute chkpwd programs in the chkpwd domain.
+## </summary>
+## <param name="domain">
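Review bot: The new interface `auth_domtrans_chkpwd` sits beside the existing `auth_domtrans_chk_passwd` (called in the mailman hunk earlier in this diff) and the two names differ only by `chkpwd`/`chk_passwd`, but the summary `## Run unix_chkpwd to check a password.` does not say how they differ; if the bodies are the same, one should be kept as an alias of the other, and if not, the summary should state the distinction so callers do not pick one at random. The body also dontaudits `shadow_t:file { getattr read }` for the caller, which deliberately hides denials on the shadow file — reasonable for a domain that is meant to delegate to unix_chkpwd, but it should be stated in the documentation, e.g. `## Transitions to system_chkpwd_t; the caller's own shadow read attempts are not audited.` The hunk's trailing lines are the head of the pre-existing chkpwd interface's documentation, which continues outside the hunk.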
@@ -16144,7 +16428,7 @@
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
-@@ -695,6 +787,24 @@
+@@ -695,6 +808,24 @@
########################################
## <summary>
@@ -16169,7 +16453,7 @@
## Execute pam programs in the PAM domain.
## </summary>
## <param name="domain">
-@@ -1318,16 +1428,14 @@
+@@ -1318,16 +1449,14 @@
## </param>
#
interface(`auth_use_nsswitch',`
@@ -16189,7 +16473,7 @@
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
-@@ -1347,6 +1455,8 @@
+@@ -1347,6 +1476,8 @@
optional_policy(`
samba_stream_connect_winbind($1)
@@ -16198,7 +16482,7 @@
')
')
-@@ -1381,3 +1491,181 @@
+@@ -1381,3 +1512,181 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -16382,7 +16666,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-01-31 11:32:52.000000000 -0500
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -16500,7 +16784,7 @@
########################################
#
-@@ -302,3 +322,28 @@
+@@ -302,3 +322,29 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
@@ -16525,6 +16809,7 @@
+
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_unallocated_ttys(updpwd_t)
++term_dontaudit_use_generic_ptys(updpwd_t)
+
+files_manage_etc_files(updpwd_t)
+kernel_read_system_state(updpwd_t)
@@ -17368,7 +17653,16 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.0.8/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/iscsi.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/iscsi.te 2008-01-29 09:44:14.000000000 -0500
+@@ -29,7 +29,7 @@
+ #
+
+ allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
+-allow iscsid_t self:process setsched;
++allow iscsid_t self:process { setrlimit setsched };
+ allow iscsid_t self:fifo_file { read write };
+ allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow iscsid_t self:unix_dgram_socket create_socket_perms;
@@ -68,6 +68,8 @@
files_read_etc_files(iscsid_t)
@@ -18442,12 +18736,14 @@
#################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.8/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/mount.fc 2008-01-17 09:03:07.000000000 -0500
-@@ -1,4 +1,2 @@
++++ serefpolicy-3.0.8/policy/modules/system/mount.fc 2008-01-29 09:05:35.000000000 -0500
+@@ -1,4 +1,4 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
++/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-10-22 13:21:40.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/mount.te 2008-01-17 09:03:07.000000000 -0500
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.607
retrieving revision 1.608
diff -u -r1.607 -r1.608
--- selinux-policy.spec 23 Jan 2008 20:16:45 -0000 1.607
+++ selinux-policy.spec 31 Jan 2008 18:53:49 -0000 1.608
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 81%{?dist}
+Release: 82%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
%endif
%changelog
+* Thu Jan 22 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-82
+- Allow xdm to sys_ptrace
+
* Tue Jan 22 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-81
- Allow zebra to listen on port 521