rpms/selinux-policy/F-9 policy-20071130.patch, 1.190, 1.191 selinux-policy.spec, 1.695, 1.696

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Jul 14 20:11:06 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2712

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Tue Jul 8 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-78
- Allow unconfined_t to setfcap
- Allow spamassassin to read razor lib files


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.190
retrieving revision 1.191
diff -u -r1.190 -r1.191
--- policy-20071130.patch	7 Jul 2008 17:55:17 -0000	1.190
+++ policy-20071130.patch	14 Jul 2008 20:10:21 -0000	1.191
@@ -793,7 +793,7 @@
 +system_r:xdm_t		xguest_r:xguest_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.3.1/man/man8/ftpd_selinux.8
 --- nsaserefpolicy/man/man8/ftpd_selinux.8	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/man/man8/ftpd_selinux.8	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/man/man8/ftpd_selinux.8	2008-07-14 09:45:39.000000000 -0400
 @@ -35,10 +35,6 @@
  directorories, you need to set the ftp_home_dir boolean. 
  .TP
@@ -2693,7 +2693,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.3.1/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/rpm.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/rpm.te	2008-07-14 09:03:36.000000000 -0400
 @@ -31,6 +31,9 @@
  files_type(rpm_var_lib_t)
  typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -2770,7 +2770,7 @@
  ')
  
  optional_policy(`
-+	gamin_domtrans(rpm_t)
++	gamin_exec(rpm_t)
 +	gamin_stream_connect(rpm_t)
 +')
 +
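Review bot: Replacing `gamin_domtrans(rpm_t)` with `gamin_exec(rpm_t)` means the gamin binary now runs inside rpm_t instead of transitioning to gamin_t (assuming gamin_exec is the usual can_exec wrapper), so gamin's own confinement no longer applies on this path; the fail2ban hunk makes the same swap and the gamin.te hunk comments out `init_daemon_domain(gamin_t, gamin_exec_t)`. The `gamin_stream_connect(rpm_t)` line that remains still presumes a socket owned by gamin_t, and whether anything still runs as gamin_t after that change is not visible here. Since the intent is not recorded anywhere in the patch, a one-line comment above the block would help: `# gamin is executed in the caller's domain; no transition to gamin_t`. In gamin.te the `#init_daemon_domain(...)` line should be deleted rather than left as commented-out code, or carry a comment saying why gamin is not started as an init daemon.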
@@ -3020,7 +3020,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te	2008-07-08 15:18:07.000000000 -0400
 @@ -26,8 +26,10 @@
  files_read_etc_files(tmpreaper_t)
  files_read_var_lib_files(tmpreaper_t)
@@ -3032,7 +3032,7 @@
  
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
-@@ -42,6 +44,27 @@
+@@ -42,6 +44,26 @@
  
  cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
  
@@ -3040,8 +3040,7 @@
 +userdom_delete_all_users_home_content_files(tmpreaper_t)
 +userdom_delete_all_users_home_content_symlinks(tmpreaper_t)
 +
-+files_list_isid_type_dirs(tmpreaper_t)
-+files_delete_isid_type_dirs(tmpreaper_t)
++files_manage_isid_type_dirs(tmpreaper_t)
 +files_delete_isid_type_files(tmpreaper_t)
 +
 +optional_policy(`
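Review bot: `files_manage_isid_type_dirs(tmpreaper_t)` is broader than the `list` + `delete` pair it replaces: manage also grants create, add_name, setattr, rename and reparent on directories that never received a type, none of which a tmp cleaner needs. If the earlier pair was insufficient because unlinking entries needs `write`/`remove_name` on the parent directory, the narrower choice is a read-write (del_entry) interface on isid dirs rather than full manage. If the files module offers no such interface, a comment recording why manage was chosen keeps the next reader from tightening it blindly, e.g. `# manage needed: delete_dir_perms lacks remove_name on the parent dir`. The enclosing tmpreaper block continues outside the hunk.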
@@ -9422,8 +9421,8 @@
  # amavis local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.fc	2008-07-02 08:47:10.000000000 -0400
-@@ -1,10 +1,8 @@
++++ serefpolicy-3.3.1/policy/modules/services/apache.fc	2008-07-11 14:39:42.000000000 -0400
+@@ -1,10 +1,9 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
 -
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -9433,10 +9432,11 @@
 -/etc/httpd			-d	gen_context(system_u:object_r:httpd_config_t,s0)
 -/etc/httpd/conf.*			gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
  /etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
  /etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
  /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
-@@ -16,13 +14,13 @@
+@@ -16,13 +15,13 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -9451,7 +9451,7 @@
  /usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-@@ -33,6 +31,7 @@
+@@ -33,6 +32,7 @@
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
@@ -9459,7 +9459,7 @@
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -48,11 +47,14 @@
+@@ -48,11 +48,14 @@
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -9474,7 +9474,7 @@
  /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -66,10 +68,21 @@
+@@ -66,10 +69,21 @@
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  
@@ -10109,7 +10109,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-07-11 14:55:24.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -10376,23 +10376,23 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +524,14 @@
+@@ -437,8 +524,13 @@
  ')
  
  optional_policy(`
+-	kerberos_use(httpd_t)
+-	kerberos_read_kdc_config(httpd_t)
 +	dbus_system_bus_client_template(httpd,httpd_t)
 +	tunable_policy(`allow_httpd_dbus_avahi',`
 +		avahi_dbus_chat(httpd_t)
 +	')
 +')
 +optional_policy(`
- 	kerberos_use(httpd_t)
--	kerberos_read_kdc_config(httpd_t)
-+	kerberos_read_keytab(httpd_t)
++	kerberos_keytab_template(httpd, httpd_t)
  ')
  
  optional_policy(`
-@@ -450,19 +543,13 @@
+@@ -450,19 +542,13 @@
  ')
  
  optional_policy(`
@@ -10413,7 +10413,7 @@
  ')
  
  optional_policy(`
-@@ -473,12 +560,15 @@
+@@ -473,12 +559,15 @@
  ')
  
  optional_policy(`
@@ -10433,7 +10433,7 @@
  ')
  
  optional_policy(`
-@@ -486,6 +576,7 @@
+@@ -486,6 +575,7 @@
  ')
  
  optional_policy(`
@@ -10441,7 +10441,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -521,6 +612,22 @@
+@@ -521,6 +611,22 @@
  	userdom_use_sysadm_terms(httpd_helper_t)
  ')
  
@@ -10464,7 +10464,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -550,18 +657,26 @@
+@@ -550,18 +656,26 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -10494,7 +10494,7 @@
  ')
  
  ########################################
-@@ -585,6 +700,8 @@
+@@ -585,6 +699,8 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -10503,7 +10503,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +710,7 @@
+@@ -593,9 +709,7 @@
  
  fs_search_auto_mountpoints(httpd_suexec_t)
  
@@ -10514,7 +10514,7 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +743,7 @@
+@@ -628,6 +742,7 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -10522,7 +10522,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
  ')
-@@ -638,6 +754,12 @@
+@@ -638,6 +753,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -10535,7 +10535,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +777,6 @@
+@@ -655,10 +776,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -10546,7 +10546,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -668,7 +786,8 @@
+@@ -668,7 +785,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -10556,7 +10556,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +801,44 @@
+@@ -682,15 +800,44 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -10602,7 +10602,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -703,6 +851,10 @@
+@@ -703,6 +850,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -10613,7 +10613,7 @@
  ')
  
  ########################################
-@@ -724,3 +876,60 @@
+@@ -724,3 +875,60 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -11163,7 +11163,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.3.1/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/automount.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/automount.te	2008-07-11 14:52:12.000000000 -0400
 @@ -20,6 +20,9 @@
  files_tmp_file(automount_tmp_t)
  files_mountpoint(automount_tmp_t)
@@ -11233,7 +11233,14 @@
  userdom_dontaudit_use_unpriv_user_fds(automount_t)
  userdom_dontaudit_search_sysadm_home_dirs(automount_t)
  
-@@ -162,11 +166,12 @@
+@@ -156,17 +160,18 @@
+ ')
+ 
+ optional_policy(`
+-	kerberos_read_keytab(automount_t)
++	kerberos_keytab_template(automount, automount_t)
+ 	kerberos_read_config(automount_t)
+ 	kerberos_dontaudit_write_config(automount_t)
  ')
  
  optional_policy(`
@@ -11765,7 +11772,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.3.1/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/bluetooth.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/bluetooth.te	2008-07-09 15:26:01.000000000 -0400
 @@ -32,19 +32,22 @@
  type bluetooth_var_run_t;
  files_pid_file(bluetooth_var_run_t)
@@ -11808,12 +11815,14 @@
  libs_use_ld_so(bluetooth_t)
  libs_use_shared_libs(bluetooth_t)
  
-@@ -118,19 +124,18 @@
+@@ -117,20 +123,20 @@
+ 
  miscfiles_read_localization(bluetooth_t)
  miscfiles_read_fonts(bluetooth_t)
- 
--sysnet_read_config(bluetooth_t)
 -
+-sysnet_read_config(bluetooth_t)
++miscfiles_read_hwdata(bluetooth_t)
+ 
  userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
  userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
  userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
@@ -13749,7 +13758,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.3.1/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cvs.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cvs.te	2008-07-11 14:54:07.000000000 -0400
 @@ -28,6 +28,9 @@
  type cvs_var_run_t;
  files_pid_file(cvs_var_run_t)
@@ -13777,7 +13786,14 @@
  mta_send_mail(cvs_t)
  
  # cjp: typeattribute doesnt work in conditionals yet
-@@ -103,10 +105,12 @@
+@@ -97,16 +99,17 @@
+ ')
+ 
+ optional_policy(`
+-	kerberos_use(cvs_t)
+-	kerberos_read_keytab(cvs_t)
++	kerberos_keytab_template(cvs, cvs_t)
+ 	kerberos_read_config(cvs_t)
  	kerberos_dontaudit_write_config(cvs_t)
  ')
  
@@ -15804,7 +15820,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te	2008-07-14 09:03:20.000000000 -0400
 @@ -18,6 +18,9 @@
  type fail2ban_var_run_t;
  files_pid_file(fail2ban_var_run_t)
@@ -15867,7 +15883,7 @@
  ')
  
  optional_policy(`
-+	gamin_domtrans(fail2ban_t)
++	gamin_exec(fail2ban_t)
 +	gamin_stream_connect(fail2ban_t)
 +')
 +
@@ -16085,7 +16101,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.3.1/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/ftp.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/ftp.te	2008-07-11 14:54:45.000000000 -0400
 @@ -75,6 +75,9 @@
  type xferlog_t;
  logging_log_file(xferlog_t)
@@ -16138,12 +16154,12 @@
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -253,7 +265,10 @@
+@@ -253,7 +265,9 @@
  ')
  
  optional_policy(`
-+	kerberos_use(ftpd_t)
- 	kerberos_read_keytab(ftpd_t)
+-	kerberos_read_keytab(ftpd_t)
++	kerberos_keytab_template(ftpd, ftpd_t)
 +	kerberos_manage_host_rcache(ftpd_t)
 +	selinux_validate_context(ftpd_t)
  ')
@@ -16218,7 +16234,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te
 --- nsaserefpolicy/policy/modules/services/gamin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-07-14 09:04:02.000000000 -0400
 @@ -0,0 +1,41 @@
 +policy_module(gamin,1.0.0)
 +
@@ -16229,7 +16245,7 @@
 +
 +type gamin_t;
 +type gamin_exec_t;
-+init_daemon_domain(gamin_t, gamin_exec_t)
++#init_daemon_domain(gamin_t, gamin_exec_t)
 +application_domain(gamin_t, gamin_exec_t)
 +
 +########################################
@@ -16945,8 +16961,12 @@
  # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.3.1/policy/modules/services/kerberos.fc
 --- nsaserefpolicy/policy/modules/services/kerberos.fc	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.fc	2008-07-02 08:47:10.000000000 -0400
-@@ -16,3 +16,9 @@
++++ serefpolicy-3.3.1/policy/modules/services/kerberos.fc	2008-07-11 09:22:08.000000000 -0400
+@@ -13,6 +13,13 @@
+ 
+ /var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+ /var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/kerberos/krb5kdc/principal\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
  
  /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
  /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
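Review bot: The new `/var/kerberos/krb5kdc/principal\.ok` entry overlaps the `principal.*` entry two lines above, and both share the same literal stem, so which context wins depends on the build's file-context sort rather than on source order; without an object-class qualifier the new line is not obviously the more specific of the two. Adding the class, `/var/kerberos/krb5kdc/principal\.ok	--	gen_context(system_u:object_r:krb5kdc_lock_t,s0)`, makes the lock-file entry take precedence over the generic one and documents that it is a plain file. Either way the result is worth confirming with `matchpathcon` against a built policy.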
@@ -16958,7 +16978,7 @@
 +/etc/rc.d/init.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.3.1/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.if	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/kerberos.if	2008-07-11 14:37:11.000000000 -0400
 @@ -43,7 +43,14 @@
  	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
  	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
@@ -16986,14 +17006,14 @@
  	optional_policy(`
  		tunable_policy(`allow_kerberos',`
  			pcscd_stream_connect($1)
-@@ -169,6 +172,158 @@
+@@ -169,6 +172,182 @@
  	')
  
  	files_search_etc($1)
 -	allow $1 krb5kdc_conf_t:file read_file_perms;
 +	read_files_pattern($1, krb5kdc_conf_t,  krb5kdc_conf_t)
 +')
- 
++
 +########################################
 +## <summary>
 +##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
@@ -17040,7 +17060,7 @@
 +		corenet_udp_sendrecv_kerberos_master_port($1)
 +		corenet_udp_bind_all_nodes($1)
 +	')
- ')
++')
 +
 +########################################
 +## <summary>
@@ -17145,10 +17165,34 @@
 +        manage_all_pattern($1,krb5_host_rcache_t)
 +')
 +
++########################################
++## <summary>
++##	Create a derived type for kerberos keytab
++## </summary>
++## <param name="prefix">
++##	<summary>
++##	The prefix to be used for deriving type names.
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`kerberos_keytab_template',`
 +
++	type $1_keytab_t;
++	files_type($1_keytab_t)
++
++ 	allow $2 $1_keytab_t:file read_file_perms;
+ 
++	kerberos_read_keytab($2)
++	kerberos_use($2)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.3.1/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.te	2008-07-03 14:50:17.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/kerberos.te	2008-07-11 14:36:19.000000000 -0400
 @@ -16,6 +16,7 @@
  type kadmind_t;
  type kadmind_exec_t;
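Review bot: `kerberos_keytab_template` creates a per-service `$1_keytab_t` and grants `$2` read on it, but then also calls `kerberos_read_keytab($2)`, so every caller keeps read access to the shared krb5_keytab_t exactly as before; the derived type adds reach without removing any, and the isolation the template suggests (one service unable to read the host keytab or another service's) is not achieved. Dropping `kerberos_read_keytab($2)` from the template and labeling each service's keytab with its own type is what would make the split meaningful, and if keeping it is a deliberate compatibility choice for existing krb5_keytab_t-labeled files, the template's summary should say so; this applies to every caller in this patch (apache, automount, cvs, ftp, rlogin, rpc/gssd, rshd, samba). Only httpd receives a matching file context (`/etc/httpd/conf/keytab`) in this chunk, so the other new `*_keytab_t` types have no labeled files visible here. The line `allow $2 $1_keytab_t:file read_file_perms;` is also indented with a space before the tab, unlike the rest of the template.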
@@ -17157,7 +17201,17 @@
  
  type kadmind_log_t;
  logging_log_file(kadmind_log_t)
-@@ -44,6 +45,7 @@
+@@ -37,6 +38,9 @@
+ type krb5kdc_conf_t;
+ files_type(krb5kdc_conf_t)
+ 
++type krb5kdc_lock_t;
++files_type(krb5kdc_lock_t)
++
+ # types for KDC principal file(s)
+ type krb5kdc_principal_t;
+ files_type(krb5kdc_principal_t)
+@@ -44,6 +48,7 @@
  type krb5kdc_t;
  type krb5kdc_exec_t;
  init_daemon_domain(krb5kdc_t,krb5kdc_exec_t)
@@ -17165,7 +17219,7 @@
  
  type krb5kdc_log_t;
  logging_log_file(krb5kdc_log_t)
-@@ -54,6 +56,12 @@
+@@ -54,6 +59,12 @@
  type krb5kdc_var_run_t;
  files_pid_file(krb5kdc_var_run_t)
  
@@ -17178,7 +17232,7 @@
  ########################################
  #
  # kadmind local policy
-@@ -62,7 +70,7 @@
+@@ -62,7 +73,7 @@
  # Use capabilities. Surplus capabilities may be allowed.
  allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
  dontaudit kadmind_t self:capability sys_tty_config;
@@ -17187,7 +17241,18 @@
  allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
  allow kadmind_t self:unix_dgram_socket { connect create write };
  allow kadmind_t self:tcp_socket connected_stream_socket_perms;
-@@ -91,6 +99,7 @@
+@@ -77,7 +88,9 @@
+ read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
+ dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
+ 
+-allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
++allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
++filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
++allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
+ 
+ can_exec(kadmind_t, kadmind_exec_t)
+ 
+@@ -91,6 +104,7 @@
  kernel_read_kernel_sysctls(kadmind_t)
  kernel_list_proc(kadmind_t)
  kernel_read_proc_symlinks(kadmind_t)
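Review bot: `filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)` labels every file kadmind creates in the KDC config directory as krb5kdc_principal_t, including the `principal.ok` lock file that this same patch labels krb5kdc_lock_t in kerberos.fc; a freshly created lock file will carry the principal type until a relabel, while krb5kdc_t is granted `{ rw_file_perms setattr }` only on krb5kdc_lock_t in its own hunk. Whether krb5kdc_t can also open krb5kdc_principal_t is not visible here; if it cannot, locking will fail after kadmind recreates the file. If named file transitions are not available to this policy, a comment recording the known mislabel, `# principal.ok created here gets krb5kdc_principal_t; restorecon relabels it to krb5kdc_lock_t`, at least makes it explicit. The widening from `{ getattr lock read write setattr }` to `manage_file_perms` also adds create/unlink/rename, which fits the filetrans but goes beyond what the changelog records.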
@@ -17195,7 +17260,7 @@
  
  corenet_all_recvfrom_unlabeled(kadmind_t)
  corenet_all_recvfrom_netlabel(kadmind_t)
-@@ -118,6 +127,12 @@
+@@ -118,6 +132,12 @@
  domain_use_interactive_fds(kadmind_t)
  
  files_read_etc_files(kadmind_t)
@@ -17208,7 +17273,7 @@
  
  libs_use_ld_so(kadmind_t)
  libs_use_shared_libs(kadmind_t)
-@@ -127,6 +142,7 @@
+@@ -127,6 +147,7 @@
  miscfiles_read_localization(kadmind_t)
  
  sysnet_read_config(kadmind_t)
@@ -17216,7 +17281,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
  userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -137,6 +153,7 @@
+@@ -137,6 +158,7 @@
  
  optional_policy(`
  	seutil_sigchld_newrole(kadmind_t)
@@ -17224,7 +17289,7 @@
  ')
  
  optional_policy(`
-@@ -151,7 +168,7 @@
+@@ -151,7 +173,7 @@
  # Use capabilities. Surplus capabilities may be allowed.
  allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
  dontaudit krb5kdc_t self:capability sys_tty_config;
@@ -17233,7 +17298,22 @@
  allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
  allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
  allow krb5kdc_t self:udp_socket create_socket_perms;
-@@ -215,6 +232,9 @@
+@@ -160,11 +182,13 @@
+ allow krb5kdc_t krb5_conf_t:file read_file_perms;
+ dontaudit krb5kdc_t krb5_conf_t:file write;
+ 
+-can_exec(krb5kdc_t, krb5kdc_exec_t)
++qcan_exec(krb5kdc_t, krb5kdc_exec_t)
+ 
+ read_files_pattern(krb5kdc_t,krb5kdc_conf_t,krb5kdc_conf_t)
+ dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+ 
++allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
++
+ allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
+ logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file)
+ 
+@@ -215,6 +239,9 @@
  files_read_usr_symlinks(krb5kdc_t)
  files_read_var_files(krb5kdc_t)
  
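Review bot: `qcan_exec(krb5kdc_t, krb5kdc_exec_t)` looks like a typo for `can_exec(krb5kdc_t, krb5kdc_exec_t)`; unless a `qcan_exec` macro is defined elsewhere in this patch, m4 will pass the call through untouched and checkpolicy will reject the module at build time. Restore `can_exec(krb5kdc_t, krb5kdc_exec_t)`. The surrounding krb5kdc rules continue outside the hunk.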
@@ -17243,7 +17323,7 @@
  libs_use_ld_so(krb5kdc_t)
  libs_use_shared_libs(krb5kdc_t)
  
-@@ -223,6 +243,7 @@
+@@ -223,6 +250,7 @@
  miscfiles_read_localization(krb5kdc_t)
  
  sysnet_read_config(krb5kdc_t)
@@ -17251,7 +17331,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
  userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -233,8 +254,10 @@
+@@ -233,8 +261,10 @@
  
  optional_policy(`
  	seutil_sigchld_newrole(krb5kdc_t)
@@ -18479,21 +18559,20 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.3.1/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/nagios.fc	2008-07-02 08:47:10.000000000 -0400
-@@ -4,13 +4,19 @@
++++ serefpolicy-3.3.1/policy/modules/services/nagios.fc	2008-07-14 15:52:32.000000000 -0400
+@@ -4,13 +4,17 @@
  /usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
  /usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 -/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-+/usr/lib(64)?/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 +/usr/lib(64)?/nagios/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
  
  /var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
- /var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
- 
-+/var/spool/nagios(/.*)?			gen_context(system_u:object_r:nagios_spool_t,s0)
+-/var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
 +
++/var/spool/nagios(/.*)?			gen_context(system_u:object_r:nagios_spool_t,s0)
+ 
  ifdef(`distro_debian',`
  /usr/sbin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
 -/usr/lib/cgi-bin/nagios/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
@@ -18617,7 +18696,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.3.1/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/nagios.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/nagios.te	2008-07-14 15:54:43.000000000 -0400
 @@ -8,11 +8,7 @@
  
  type nagios_t;
@@ -18661,7 +18740,7 @@
  kernel_read_system_state(nagios_t)
  kernel_read_kernel_sysctls(nagios_t)
  
-@@ -130,42 +134,31 @@
+@@ -130,42 +134,34 @@
  #
  # Nagios CGI local policy
  #
@@ -18685,30 +18764,32 @@
 -allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
 -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
 -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
++files_search_spool(httpd_nagios_script_t)
++rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
+ 
+-kernel_read_system_state(nagios_cgi_t)
 +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
 +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
 +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
  
--kernel_read_system_state(nagios_cgi_t)
+-corecmd_exec_bin(nagios_cgi_t)
 +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
 +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
 +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
  
--corecmd_exec_bin(nagios_cgi_t)
-+kernel_read_system_state(httpd_nagios_script_t)
- 
 -domain_dontaudit_read_all_domains_state(nagios_cgi_t)
-+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
++kernel_read_system_state(httpd_nagios_script_t)
  
 -files_read_etc_files(nagios_cgi_t)
 -files_read_etc_runtime_files(nagios_cgi_t)
 -files_read_kernel_symbol_table(nagios_cgi_t)
-+files_read_etc_runtime_files(httpd_nagios_script_t)
-+files_read_kernel_symbol_table(httpd_nagios_script_t)
++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
  
 -libs_use_ld_so(nagios_cgi_t)
 -libs_use_shared_libs(nagios_cgi_t)
--
++files_read_etc_runtime_files(httpd_nagios_script_t)
++files_read_kernel_symbol_table(httpd_nagios_script_t)
+ 
 -logging_send_syslog_msg(nagios_cgi_t)
 -logging_search_logs(nagios_cgi_t)
 -
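Review bot: `rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)` gives the web-facing CGI domain read-write access to every FIFO under /var/spool/nagios, which is presumably the nagios external-command pipe; that is what lets the CGIs submit commands to the daemon, but it also means a compromise of the CGI domain can drive nagios. If not every deployment wants that, gating the two new lines behind a boolean, in the `tunable_policy` style already used elsewhere in this patch, would let administrators disable it without a local module. At minimum a comment naming the purpose, `# CGIs submit external commands through the nagios command FIFO`, would help. The CGI block continues outside the hunk.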
@@ -19245,7 +19326,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.3.1/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/nscd.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/nscd.te	2008-07-09 07:41:58.000000000 -0400
 @@ -23,19 +23,22 @@
  type nscd_log_t;
  logging_log_file(nscd_log_t)
@@ -19281,7 +19362,15 @@
  kernel_read_kernel_sysctls(nscd_t)
  kernel_list_proc(nscd_t)
  kernel_read_proc_symlinks(nscd_t)
-@@ -73,6 +78,7 @@
+@@ -60,6 +65,7 @@
+ 
+ fs_getattr_all_fs(nscd_t)
+ fs_search_auto_mountpoints(nscd_t)
++fs_list_inotifyfs(nscd_t)
+ 
+ # for when /etc/passwd has just been updated and has the wrong type
+ auth_getattr_shadow(nscd_t)
+@@ -73,6 +79,7 @@
  corenet_udp_sendrecv_all_nodes(nscd_t)
  corenet_tcp_sendrecv_all_ports(nscd_t)
  corenet_udp_sendrecv_all_ports(nscd_t)
@@ -19289,7 +19378,7 @@
  corenet_tcp_connect_all_ports(nscd_t)
  corenet_sendrecv_all_client_packets(nscd_t)
  corenet_rw_tun_tap_dev(nscd_t)
-@@ -84,6 +90,7 @@
+@@ -84,6 +91,7 @@
  selinux_compute_relabel_context(nscd_t)
  selinux_compute_user_contexts(nscd_t)
  domain_use_interactive_fds(nscd_t)
@@ -19297,7 +19386,7 @@
  
  files_read_etc_files(nscd_t)
  files_read_generic_tmp_symlinks(nscd_t)
-@@ -93,6 +100,7 @@
+@@ -93,6 +101,7 @@
  libs_use_ld_so(nscd_t)
  libs_use_shared_libs(nscd_t)
  
@@ -19305,7 +19394,7 @@
  logging_send_syslog_msg(nscd_t)
  
  miscfiles_read_localization(nscd_t)
-@@ -107,6 +115,10 @@
+@@ -107,6 +116,10 @@
  userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
  
  optional_policy(`
@@ -19316,7 +19405,7 @@
  	udev_read_db(nscd_t)
  ')
  
-@@ -114,3 +126,12 @@
+@@ -114,3 +127,12 @@
  	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
  	xen_append_log(nscd_t)
  ')
@@ -22488,7 +22577,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.3.1/policy/modules/services/razor.if
 --- nsaserefpolicy/policy/modules/services/razor.if	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/razor.if	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/razor.if	2008-07-10 14:46:54.000000000 -0400
 @@ -137,6 +137,7 @@
  template(`razor_per_role_template',`
  	gen_require(`
@@ -22514,7 +22603,7 @@
  
  	##############################
  	#
-@@ -217,4 +216,44 @@
+@@ -217,4 +216,63 @@
  	')
  
  	domtrans_pattern($1, razor_exec_t, razor_t)
@@ -22557,8 +22646,27 @@
 +	allow $2 user_home_dir_t:dir search_dir_perms;
 +	manage_files_pattern($2,user_razor_home_t,user_razor_home_t)
 +	read_lnk_files_pattern($2,user_razor_home_t,user_razor_home_t)
- ')
++')
 +
++########################################
++## <summary>
++##	read razor lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`razor_read_lib_files',`
++	gen_require(`
++		type razor_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	list_dirs_pattern($1, razor_var_lib_t, razor_var_lib_t)
++	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.3.1/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2008-06-12 23:38:01.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/services/razor.te	2008-07-02 08:47:10.000000000 -0400
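Review bot: The summary of `razor_read_lib_files` reads `read razor lib files.`, out of step with the capitalized sentence summaries used by the other interfaces in this file; `Read razor lib files.` matches. The changelog entry that motivates it ("Allow spamassassin to read razor lib files") depends on a call to this interface from the spamassassin module, which is not within this chunk, so the two should be checked together. The body itself — search var_lib, then list and read razor_var_lib_t — is minimal and appropriate for a read-only interface.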
@@ -22647,7 +22755,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.3.1/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rlogin.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rlogin.te	2008-07-11 14:53:30.000000000 -0400
 @@ -36,6 +36,8 @@
  allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
  term_create_pty(rlogind_t,rlogind_devpts_t)
@@ -22657,7 +22765,7 @@
  # for /usr/lib/telnetlogin
  can_exec(rlogind_t, rlogind_exec_t)
  
-@@ -82,23 +84,21 @@
+@@ -82,23 +84,20 @@
  
  miscfiles_read_localization(rlogind_t)
  
@@ -22672,8 +22780,8 @@
 +remotelogin_signal(rlogind_t)
  
  optional_policy(`
-+	kerberos_use(rlogind_t)
- 	kerberos_read_keytab(rlogind_t)
+-	kerberos_read_keytab(rlogind_t)
++	kerberos_keytab_template(rlogind, rlogind_t)
 +	kerberos_manage_host_rcache(rlogind_t)
  ')
  
@@ -22822,7 +22930,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-07-11 14:52:41.000000000 -0400
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write,false)
  
@@ -22923,6 +23031,16 @@
  tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_unpriv_users_tmp(gssd_t) 
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
+@@ -166,8 +193,7 @@
+ ')
+ 
+ optional_policy(`
+-	kerberos_use(gssd_t)
+-	kerberos_read_keytab(gssd_t) 
++	kerberos_keytab_template(gssd, gssd_t) 
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc
 --- nsaserefpolicy/policy/modules/services/rpcbind.fc	2008-06-12 23:38:01.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc	2008-07-02 08:47:10.000000000 -0400
@@ -23042,7 +23160,7 @@
  corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.3.1/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rshd.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rshd.te	2008-07-11 14:54:28.000000000 -0400
 @@ -16,7 +16,7 @@
  #
  # Local policy
@@ -23088,16 +23206,17 @@
  
  miscfiles_read_localization(rshd_t)
  
-@@ -78,6 +83,8 @@
+@@ -77,7 +82,8 @@
+ ')
  
  optional_policy(`
- 	kerberos_use(rshd_t)
-+	kerberos_read_keytab(rshd_t)
+-	kerberos_use(rshd_t)
++	kerberos_keytab_template(rshd, rshd_t)
 +	kerberos_manage_host_rcache(rshd_t)
  ')
  
  optional_policy(`
-@@ -86,4 +93,5 @@
+@@ -86,4 +92,5 @@
  
  optional_policy(`
  	unconfined_shell_domtrans(rshd_t)
@@ -23640,7 +23759,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/samba.te	2008-07-02 13:55:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/samba.te	2008-07-11 14:55:01.000000000 -0400
 @@ -59,6 +59,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs,false)
@@ -23760,7 +23879,7 @@
 +')
 +
 +optional_policy(`
-+	kerberos_read_keytab(smbd_t)
++	kerberos_keytab_template(smbd, smbd_t)
 +')
 +
 +optional_policy(`
@@ -24056,7 +24175,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.3.1/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/sasl.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/sasl.te	2008-07-11 14:53:48.000000000 -0400
 @@ -23,6 +23,9 @@
  type saslauthd_var_run_t;
  files_pid_file(saslauthd_var_run_t)
@@ -24067,6 +24186,15 @@
  ########################################
  #
  # Local policy
+@@ -98,7 +101,7 @@
+ ')
+ 
+ optional_policy(`
+-	kerberos_read_keytab(saslauthd_t)
++	kerberos_keytab_template(saslauthd, saslauthd_t)
+ ')
+ 
+ optional_policy(`
 @@ -107,6 +110,10 @@
  ')
  
@@ -25743,7 +25871,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te	2008-07-02 14:03:27.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te	2008-07-10 14:46:20.000000000 -0400
 @@ -21,8 +21,10 @@
  gen_tunable(spamd_enable_home_dirs,true)
  
@@ -25862,10 +25990,11 @@
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -198,6 +242,10 @@
+@@ -198,6 +242,11 @@
  
  optional_policy(`
  	razor_domtrans(spamd_t)
++	razor_read_lib_files(spamd_t)
 +	tunable_policy(`spamd_enable_home_dirs',`
 +		razor_manage_user_home_files(user,spamd_t)
 +	')
@@ -25873,7 +26002,7 @@
  ')
  
  optional_policy(`
-@@ -212,3 +260,216 @@
+@@ -212,3 +261,216 @@
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -26569,7 +26698,7 @@
  files_tmp_file(stunnel_tmp_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.3.1/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/telnet.te	2008-07-02 08:47:10.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/telnet.te	2008-07-11 14:53:04.000000000 -0400
 @@ -37,6 +37,8 @@
  allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
  term_create_pty(telnetd_t,telnetd_devpts_t)
@@ -26587,7 +26716,7 @@
  files_read_etc_files(telnetd_t)
  files_read_etc_runtime_files(telnetd_t)
  # for identd; cjp: this should probably only be inetd_child rules?
-@@ -80,17 +83,26 @@
+@@ -80,17 +83,25 @@
  
  miscfiles_read_localization(telnetd_t)
  
@@ -26600,8 +26729,9 @@
 +
  # for identd; cjp: this should probably only be inetd_child rules?
  optional_policy(`
- 	kerberos_use(telnetd_t)
- 	kerberos_read_keytab(telnetd_t)
+-	kerberos_use(telnetd_t)
+-	kerberos_read_keytab(telnetd_t)
++	kerberos_keytab_template(telnetd, telnetd_t)
 +	kerberos_manage_host_rcache(telnetd_t)
  ')
  
@@ -29293,8 +29423,8 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.3.1/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/application.te	2008-07-02 15:01:41.000000000 -0400
-@@ -7,6 +7,10 @@
++++ serefpolicy-3.3.1/policy/modules/system/application.te	2008-07-14 09:29:37.000000000 -0400
+@@ -7,6 +7,12 @@
  # Executables to be run by user
  attribute application_exec_type;
  
@@ -29302,6 +29432,8 @@
 +userdom_write_unpriv_users_tmp_files(application_domain_type)
 +logging_append_all_logs(application_domain_type)
 +
++files_dontaudit_search_all_dirs(application_domain_type)
++
  optional_policy(`
  	ssh_sigchld(application_domain_type)
  	ssh_rw_stream_sockets(application_domain_type)
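Review bot: `files_dontaudit_search_all_dirs(application_domain_type)` suppresses directory-search denials for every application domain at once, which hides exactly the AVC messages a defender would use to spot an application probing paths it was never labelled for, and the hunk gives no reason for it. A why-comment would keep the trade-off reviewable, e.g. `# dontaudit dir search for all application domains: silences <noise source> -- TODO name the denials this was added for`, with the placeholder replaced by the actual case that motivated it. If the noise comes from a small set of domains, a targeted dontaudit on those domains rather than on the attribute would preserve the signal for the rest.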
@@ -39027,13 +39159,13 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.3.1/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt	2008-07-02 08:47:11.000000000 -0400
++++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt	2008-07-08 10:42:49.000000000 -0400
 @@ -315,3 +315,13 @@
  #
  define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
  define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
 +
-+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
++define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
 +')
 +
 +define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
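Review bot: Adding `setfcap` to the shared `all_capabilities` set grants the capability to every domain that expands this macro, not only to unconfined_t as the changelog entry states; the other consumers of all_capabilities are outside this chunk and should be checked before this lands. setfcap lets a domain write file capabilities onto executables, which is a persistence and privilege-escalation primitive, so it deserves a note at the definition, e.g. `# setfcap: allows writing file capabilities; every all_capabilities consumer gains it` placed above the define. The hunk's line count (+13/+13) and the closing `+')` look consistent with the renamed set.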


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.695
retrieving revision 1.696
diff -u -r1.695 -r1.696
--- selinux-policy.spec	7 Jul 2008 17:55:17 -0000	1.695
+++ selinux-policy.spec	14 Jul 2008 20:10:21 -0000	1.696
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 77%{?dist}
+Release: 78%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -385,9 +385,13 @@
 %endif
 
 %changelog
+* Tue Jul 8 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-78
+- Allow unconfined_t to setfcap
+- Allow spamassassin to read razor lib files
+
 * Mon Jul 7 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-77
 - Allow amanda to read tape
-- Allow prewikka cgi to use syslog, allow audisp_t to signal cgi
+- Allow prewikka cgi to use syslog, allow prelude_ausisp to signal audisp_t 
 - Add support for netware file systems
 
 * Thu Jul 3 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-76



