rpms/selinux-policy/F-9 policy-20071130.patch, 1.196, 1.197 selinux-policy.spec, 1.699, 1.700

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Jul 31 11:22:04 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4591

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Wed Jul 30 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-82
- Change mail_spool to be a files_mountpoint


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.196
retrieving revision 1.197
diff -u -r1.196 -r1.197
--- policy-20071130.patch	29 Jul 2008 20:55:03 -0000	1.196
+++ policy-20071130.patch	31 Jul 2008 11:21:33 -0000	1.197
@@ -3102,7 +3102,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te	2008-07-28 08:40:30.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te	2008-07-31 07:05:47.000000000 -0400
 @@ -26,8 +26,12 @@
  files_read_etc_files(tmpreaper_t)
  files_read_var_lib_files(tmpreaper_t)
@@ -3116,7 +3116,7 @@
  
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
-@@ -42,6 +46,26 @@
+@@ -42,6 +46,29 @@
  
  cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
  
@@ -3127,6 +3127,9 @@
 +files_manage_isid_type_dirs(tmpreaper_t)
 +files_delete_isid_type_files(tmpreaper_t)
 +
++files_delete_usr_dirs(tmpreaper_t)
++files_delete_usr_files(tmpreaper_t)
++
 +optional_policy(`
 +	amavis_manage_spool_files(tmpreaper_t)
 +')
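Review bot: `files_delete_usr_dirs(tmpreaper_t)` and `files_delete_usr_files(tmpreaper_t)` are granted unconditionally and cover every object labelled `usr_t`, the generic type for content under /usr, so a cleaner started from cron (`cron_system_entry` above) gains delete rights well beyond temporary directories. If the need is one specific directory, which is not visible here, a dedicated type for it or a tunable around these two lines would keep the grant narrow. At minimum add a comment such as `# tmpreaper removes stale files under <directory placeholder>`. The log message for 3.3.1-82 names only mail_spool; this grant, the clamav.fc pattern change, the procmail-to-dovecot transition and the mqueue_spool_t change in later hunks should be listed there as well.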
@@ -8189,7 +8192,7 @@
  # /emul
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-07-28 08:38:24.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-07-31 07:05:40.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -8378,7 +8381,55 @@
  ')
  
  ########################################
-@@ -3510,6 +3620,24 @@
+@@ -3492,6 +3602,47 @@
+ 
+ ########################################
+ ## <summary>
++##	Delete generic directories in /usr in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_usr_dirs',`
++	gen_require(`
++		type usr_t;
++	')
++
++	delete_dirs_pattern($1, usr_t, usr_t)
++')
++
++########################################
++## <summary>
++##	Delete generic files in /usr in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_usr_files',`
++	gen_require(`
++		type usr_t;
++	')
++
++	delete_files_pattern($1, usr_t, usr_t)
++	delete_lnk_files_pattern($1, usr_t, usr_t)
++	delete_fifo_files_pattern($1, usr_t, usr_t)
++	delete_sock_files_pattern($1, usr_t, usr_t)
++	delete_blk_files_pattern($1, usr_t, usr_t)
++	delete_chr_files_pattern($1, usr_t, usr_t)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete files in the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -3510,6 +3661,24 @@
  
  ########################################
  ## <summary>
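Review bot: The summary of `files_delete_usr_files` says "Delete generic files in /usr", but the body also grants deletion of symlinks, fifos, sockets and block and character device nodes labelled `usr_t`. Either reduce the body to `delete_files_pattern($1, usr_t, usr_t)` plus `delete_lnk_files_pattern($1, usr_t, usr_t)` if that is all the caller needs, or make the summary state the full set, e.g. `##	Delete generic files, symlinks, pipes, sockets and device nodes in /usr.`. The phrase "in the caller domain" in both new summaries is unclear. The neighbouring interfaces describe only the objects acted on.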
@@ -8403,7 +8454,7 @@
  ##	Relabel a file to the type used in /usr.
  ## </summary>
  ## <param name="domain">
-@@ -4712,12 +4840,14 @@
+@@ -4712,12 +4881,14 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -8419,7 +8470,7 @@
  	')
  ')
  
-@@ -4756,3 +4886,53 @@
+@@ -4756,3 +4927,53 @@
  
  	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
  ')
@@ -12002,18 +12053,19 @@
  # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.3.1/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/clamav.fc	2008-07-15 14:02:52.000000000 -0400
-@@ -5,16 +5,20 @@
++++ serefpolicy-3.3.1/policy/modules/services/clamav.fc	2008-07-30 15:20:35.000000000 -0400
+@@ -5,16 +5,18 @@
  /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
  
  /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
 +/usr/sbin/clamav-milter		--	gen_context(system_u:object_r:clamd_exec_t,s0)
  
  /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
- /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
- /var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
- /var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
-+/var/run/clamav-milter(/.*)?		gen_context(system_u:object_r:clamd_var_run_t,s0)
+-/var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
+-/var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
+-/var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
++/var/run/clamd.*			gen_context(system_u:object_r:clamd_var_run_t,s0)
++/var/run/clamav.*			gen_context(system_u:object_r:clamd_var_run_t,s0)
  
  /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
  
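Review bot: The replacement patterns `/var/run/clamd.*` and `/var/run/clamav.*` are plain prefix matches, so any path under /var/run whose name merely begins with `clamd` or `clamav` is now labelled `clamd_var_run_t`. The entries they replace required a literal dot or a directory boundary after the name. If the goal was only to fold the clamav-milter entry into the others, keeping the three original lines and adding `/var/run/clamav-milter(/.*)?` next to them gives the same coverage with a narrower match. If the wider match is intended, a comment naming the paths it is meant to catch would help the next reader.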
@@ -13173,7 +13225,7 @@
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.3.1/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cups.fc	2008-07-29 15:03:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.fc	2008-07-30 11:32:46.000000000 -0400
 @@ -8,24 +8,28 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13217,12 +13269,13 @@
  
  /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -50,3 +54,12 @@
+@@ -50,3 +54,13 @@
  /var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
  /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
 +
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Brother/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +
 +/etc/rc.d/init.d/cups	--	gen_context(system_u:object_r:cups_script_exec_t,s0)
@@ -15465,7 +15518,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.3.1/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/dovecot.te	2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dovecot.te	2008-07-30 16:18:10.000000000 -0400
 @@ -15,6 +15,15 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -18227,7 +18280,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-07-28 08:35:21.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-07-30 09:59:41.000000000 -0400
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -18237,7 +18290,16 @@
  attribute mta_user_agent;
  attribute mailserver_delivery;
  attribute mailserver_domain;
-@@ -27,6 +29,7 @@
+@@ -20,13 +22,14 @@
+ files_config_file(etc_mail_t)
+ 
+ type mqueue_spool_t;
+-files_type(mqueue_spool_t)
++files_mountpoint(mqueue_spool_t)
+ 
+ type mail_spool_t;
+-files_type(mail_spool_t)
++files_mountpoint(mail_spool_t)
  
  type sendmail_exec_t;
  application_executable_file(sendmail_exec_t)
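Review bot: `files_mountpoint(mqueue_spool_t)` is changed together with `files_mountpoint(mail_spool_t)`, but nothing in the file records why either spool type has to be a mount target. As far as I understand the macro, it adds the type to the mountpoint attribute, so every domain that may mount on all mountpoints can then mount over the queue and spool directories. A comment above the two declarations, e.g. `# spool directories may be separate filesystems`, would document the reason. That wording is an assumption, so confirm the motivating case.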
@@ -22240,7 +22302,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.3.1/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/procmail.te	2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/procmail.te	2008-07-30 16:18:25.000000000 -0400
 @@ -14,6 +14,10 @@
  type procmail_tmp_t;
  files_tmp_file(procmail_tmp_t)
@@ -22274,7 +22336,7 @@
  
  files_read_etc_files(procmail_t)
  files_read_etc_runtime_files(procmail_t)
-@@ -102,6 +114,10 @@
+@@ -102,6 +114,15 @@
  ')
  
  optional_policy(`
@@ -22282,10 +22344,15 @@
 +')
 +
 +optional_policy(`
++	dovecot_domtrans_deliver(procmail_t)
++')
++
++
++optional_policy(`
  	munin_dontaudit_search_lib(procmail_t)
  ')
  
-@@ -116,11 +132,13 @@
+@@ -116,11 +137,13 @@
  
  optional_policy(`
  	pyzor_domtrans(procmail_t)
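Review bot: The added `optional_policy` block around `dovecot_domtrans_deliver(procmail_t)` is followed by two empty lines, while the neighbouring blocks are separated by one; drop the extra line. Because this lets procmail_t transition into another service's delivery domain, a short comment inside the block, e.g. `# hand mail off to dovecot deliver`, would record the intent. That purpose is inferred from the interface name, so confirm it.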
@@ -22299,7 +22366,7 @@
  	sendmail_rw_tcp_sockets(procmail_t)
  	sendmail_rw_unix_stream_sockets(procmail_t)
  ')
-@@ -129,7 +147,11 @@
+@@ -129,7 +152,11 @@
  	corenet_udp_bind_generic_port(procmail_t)
  	corenet_dontaudit_udp_bind_all_ports(procmail_t)
  
@@ -31996,7 +32063,7 @@
 +HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.3.1/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if	2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if	2008-07-30 10:04:13.000000000 -0400
 @@ -489,3 +489,65 @@
  	manage_lnk_files_pattern($1,locale_t,locale_t)
  ')
@@ -34885,7 +34952,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-07-29 11:04:46.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-07-30 10:07:48.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -34902,7 +34969,7 @@
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
  	domain_user_exemption_target($1_t)
-@@ -45,66 +50,80 @@
+@@ -45,66 +50,82 @@
  	type $1_tty_device_t; 
  	term_user_tty($1_t,$1_tty_device_t)
  
@@ -35028,10 +35095,12 @@
 +
 +	miscfiles_read_localization($1_usertype)
 +	miscfiles_read_certs($1_usertype)
++	miscfiles_read_public_files($1_usertype)
++	miscfiles_read_man_pages($1_usertype)
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -115,6 +134,10 @@
+@@ -115,6 +136,10 @@
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
@@ -35042,7 +35111,7 @@
  ')
  
  #######################################
-@@ -141,33 +164,13 @@
+@@ -141,33 +166,13 @@
  #
  template(`userdom_ro_home_template',`
  	gen_require(`
@@ -35081,7 +35150,7 @@
  
  	##############################
  	#
-@@ -175,13 +178,14 @@
+@@ -175,13 +180,14 @@
  	#
  
  	# read-only home directory
@@ -35103,7 +35172,7 @@
  	files_list_home($1_t)
  
  	tunable_policy(`use_nfs_home_dirs',`
-@@ -190,9 +194,6 @@
+@@ -190,9 +196,6 @@
  		fs_read_nfs_symlinks($1_t)
  		fs_read_nfs_named_sockets($1_t)
  		fs_read_nfs_named_pipes($1_t)
@@ -35113,7 +35182,7 @@
  	')
  
  	tunable_policy(`use_samba_home_dirs',`
-@@ -201,9 +202,6 @@
+@@ -201,9 +204,6 @@
  		fs_read_cifs_symlinks($1_t)
  		fs_read_cifs_named_sockets($1_t)
  		fs_read_cifs_named_pipes($1_t)
@@ -35123,7 +35192,7 @@
  	')
  ')
  
-@@ -231,30 +229,14 @@
+@@ -231,30 +231,14 @@
  #
  template(`userdom_manage_home_template',`
  	gen_require(`
@@ -35160,7 +35229,7 @@
  
  	##############################
  	#
-@@ -262,43 +244,44 @@
+@@ -262,43 +246,44 @@
  	#
  
  	# full control of the home directory
@@ -35235,7 +35304,7 @@
  	')
  ')
  
-@@ -316,14 +299,20 @@
+@@ -316,14 +301,20 @@
  ## <rolebase/>
  #
  template(`userdom_exec_home_template',`
@@ -35261,7 +35330,7 @@
  	')
  ')
  
-@@ -341,11 +330,10 @@
+@@ -341,11 +332,10 @@
  ## <rolebase/>
  #
  template(`userdom_poly_home_template',`
@@ -35277,7 +35346,7 @@
  ')
  
  #######################################
-@@ -369,18 +357,18 @@
+@@ -369,18 +359,18 @@
  #
  template(`userdom_manage_tmp_template',`
  	gen_require(`
@@ -35306,7 +35375,7 @@
  ')
  
  #######################################
-@@ -396,7 +384,13 @@
+@@ -396,7 +386,13 @@
  ## <rolebase/>
  #
  template(`userdom_exec_tmp_template',`
@@ -35321,7 +35390,7 @@
  ')
  
  #######################################
-@@ -445,12 +439,12 @@
+@@ -445,12 +441,12 @@
  	type $1_tmpfs_t, $1_file_type;
  	files_tmpfs_file($1_tmpfs_t)
  
@@ -35340,7 +35409,7 @@
  ')
  
  #######################################
-@@ -510,10 +504,6 @@
+@@ -510,10 +506,6 @@
  ## <rolebase/>
  #
  template(`userdom_exec_generic_pgms_template',`
@@ -35351,17 +35420,17 @@
  	corecmd_exec_bin($1_t)
  ')
  
-@@ -531,27 +521,20 @@
+@@ -531,27 +523,20 @@
  ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
 -	gen_require(`
 -		type $1_t;
 -	')
- 
+-
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
 -	allow $1_t self:udp_socket create_socket_perms;
--
+ 
 -	corenet_all_recvfrom_unlabeled($1_t)
 -	corenet_all_recvfrom_netlabel($1_t)
 -	corenet_tcp_sendrecv_all_if($1_t)
@@ -35391,7 +35460,7 @@
  ')
  
  #######################################
-@@ -568,30 +551,33 @@
+@@ -568,30 +553,33 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -35441,7 +35510,7 @@
  ')
  
  #######################################
-@@ -622,13 +608,7 @@
+@@ -622,13 +610,7 @@
  ## <summary>
  ##	The template for allowing the user to change roles.
  ## </summary>
@@ -35456,7 +35525,7 @@
  ##	<summary>
  ##	The prefix of the user domain (e.g., user
  ##	is the prefix for user_t).
-@@ -692,187 +672,201 @@
+@@ -692,187 +674,201 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -35610,36 +35679,36 @@
  	optional_policy(`
 -		dbus_system_bus_client_template($1,$1_t)
 +		dbus_system_bus_client_template($1,$1_usertype)
++
++		optional_policy(`
++			avahi_dbus_chat($1_usertype)
++		')
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			avahi_dbus_chat($1_usertype)
++			bluetooth_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			evolution_dbus_chat($1,$1_t)
 -			evolution_alarm_dbus_chat($1,$1_t)
-+			bluetooth_dbus_chat($1_usertype)
++			consolekit_dbus_chat($1_usertype)
++			consolekit_read_log($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+			consolekit_dbus_chat($1_usertype)
-+			consolekit_read_log($1_usertype)
++			evolution_dbus_chat($1,$1_usertype)
++			evolution_alarm_dbus_chat($1,$1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			evolution_dbus_chat($1,$1_usertype)
-+			evolution_alarm_dbus_chat($1,$1_usertype)
++			networkmanager_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
-+			networkmanager_dbus_chat($1_usertype)
-+		')
-+
-+		optional_policy(`
 +			vpnc_dbus_chat($1_usertype)
 +		')
 +		optional_policy(`
@@ -35742,7 +35811,7 @@
  	')
  ')
  
-@@ -895,6 +889,8 @@
+@@ -895,6 +891,8 @@
  ## </param>
  #
  template(`userdom_login_user_template', `
@@ -35751,7 +35820,7 @@
  	userdom_base_user_template($1)
  
  	userdom_manage_home_template($1)
-@@ -923,70 +919,73 @@
+@@ -923,70 +921,72 @@
  
  	allow $1_t self:context contains;
  
@@ -35812,7 +35881,6 @@
 +	logging_dontaudit_getattr_all_logs($1_usertype)
  
 -	miscfiles_read_man_pages($1_t)
-+	miscfiles_read_man_pages($1_usertype)
  	# for running TeX programs
 -	miscfiles_read_tetex_data($1_t)
 -	miscfiles_exec_tetex_data($1_t)
@@ -35858,7 +35926,7 @@
  	')
  ')
  
-@@ -1020,9 +1019,6 @@
+@@ -1020,9 +1020,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -35868,7 +35936,7 @@
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1031,16 +1027,29 @@
+@@ -1031,16 +1028,29 @@
  	#
  
  	# privileged home directory writers
@@ -35905,7 +35973,7 @@
  ')
  
  #######################################
-@@ -1068,6 +1077,13 @@
+@@ -1068,6 +1078,13 @@
  
  	userdom_restricted_user_template($1)
  
@@ -35919,7 +35987,7 @@
  	userdom_xwindows_client_template($1)
  
  	##############################
-@@ -1076,14 +1092,16 @@
+@@ -1076,14 +1093,16 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -35941,7 +36009,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1091,32 +1109,29 @@
+@@ -1091,32 +1110,29 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -35985,7 +36053,7 @@
  	')
  ')
  
-@@ -1127,10 +1142,10 @@
+@@ -1127,10 +1143,10 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -36000,7 +36068,7 @@
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1164,7 +1179,6 @@
+@@ -1164,7 +1180,6 @@
  	# Need the following rule to allow users to run vpnc
  	corenet_tcp_bind_xserver_port($1_t)
  
@@ -36008,7 +36076,7 @@
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -1182,32 +1196,45 @@
+@@ -1182,32 +1197,45 @@
  		')
  	')
  
@@ -36066,7 +36134,7 @@
  	')
  ')
  
-@@ -1284,8 +1311,6 @@
+@@ -1284,8 +1312,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -36075,7 +36143,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1307,8 +1332,6 @@
+@@ -1307,8 +1333,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -36084,7 +36152,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1363,13 +1386,6 @@
+@@ -1363,13 +1387,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -36098,7 +36166,7 @@
  	optional_policy(`
  		userhelper_exec($1_t)
  	')
-@@ -1422,6 +1438,7 @@
+@@ -1422,6 +1439,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -36106,7 +36174,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1787,10 +1804,14 @@
+@@ -1787,10 +1805,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -36122,7 +36190,7 @@
  ')
  
  ########################################
-@@ -1886,11 +1907,11 @@
+@@ -1886,11 +1908,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -36136,7 +36204,7 @@
  ')
  
  ########################################
-@@ -1920,11 +1941,11 @@
+@@ -1920,11 +1942,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -36150,7 +36218,7 @@
  ')
  
  ########################################
-@@ -1968,12 +1989,12 @@
+@@ -1968,12 +1990,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -36166,7 +36234,7 @@
  ')
  
  ########################################
-@@ -2003,10 +2024,11 @@
+@@ -2003,10 +2025,11 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -36180,7 +36248,7 @@
  ')
  
  ########################################
-@@ -2038,11 +2060,48 @@
+@@ -2038,11 +2061,48 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -36231,7 +36299,7 @@
  ')
  
  ########################################
-@@ -2074,10 +2133,10 @@
+@@ -2074,10 +2134,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -36244,7 +36312,7 @@
  ')
  
  ########################################
-@@ -2107,11 +2166,11 @@
+@@ -2107,11 +2167,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -36258,7 +36326,7 @@
  ')
  
  ########################################
-@@ -2141,11 +2200,11 @@
+@@ -2141,11 +2201,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -36273,7 +36341,7 @@
  ')
  
  ########################################
-@@ -2175,10 +2234,14 @@
+@@ -2175,10 +2235,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -36290,7 +36358,7 @@
  ')
  
  ########################################
-@@ -2208,11 +2271,11 @@
+@@ -2208,11 +2272,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -36304,7 +36372,7 @@
  ')
  
  ########################################
-@@ -2242,11 +2305,11 @@
+@@ -2242,11 +2306,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -36318,7 +36386,7 @@
  ')
  
  ########################################
-@@ -2276,10 +2339,10 @@
+@@ -2276,10 +2340,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -36331,7 +36399,7 @@
  ')
  
  ########################################
-@@ -2311,12 +2374,12 @@
+@@ -2311,12 +2375,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -36347,7 +36415,7 @@
  ')
  
  ########################################
-@@ -2348,10 +2411,10 @@
+@@ -2348,10 +2412,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -36360,7 +36428,7 @@
  ')
  
  ########################################
-@@ -2383,12 +2446,12 @@
+@@ -2383,12 +2447,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -36376,7 +36444,7 @@
  ')
  
  ########################################
-@@ -2420,12 +2483,12 @@
+@@ -2420,12 +2484,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -36392,7 +36460,7 @@
  ')
  
  ########################################
-@@ -2457,12 +2520,12 @@
+@@ -2457,12 +2521,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -36408,7 +36476,7 @@
  ')
  
  ########################################
-@@ -2507,11 +2570,11 @@
+@@ -2507,11 +2571,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -36422,7 +36490,7 @@
  ')
  
  ########################################
-@@ -2556,11 +2619,11 @@
+@@ -2556,11 +2620,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -36436,7 +36504,7 @@
  ')
  
  ########################################
-@@ -2600,11 +2663,11 @@
+@@ -2600,11 +2664,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -36450,7 +36518,7 @@
  ')
  
  ########################################
-@@ -2634,11 +2697,11 @@
+@@ -2634,11 +2698,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -36464,7 +36532,7 @@
  ')
  
  ########################################
-@@ -2668,11 +2731,11 @@
+@@ -2668,11 +2732,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -36478,7 +36546,7 @@
  ')
  
  ########################################
-@@ -2704,10 +2767,10 @@
+@@ -2704,10 +2768,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -36491,7 +36559,7 @@
  ')
  
  ########################################
-@@ -2739,10 +2802,10 @@
+@@ -2739,10 +2803,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -36504,7 +36572,7 @@
  ')
  
  ########################################
-@@ -2772,12 +2835,12 @@
+@@ -2772,12 +2836,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -36520,7 +36588,7 @@
  ')
  
  ########################################
-@@ -2809,20 +2872,20 @@
+@@ -2809,20 +2873,20 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -36545,7 +36613,7 @@
  ##	temporary files.
  ##	</p>
  ##	<p>
-@@ -2842,21 +2905,23 @@
+@@ -2842,21 +2906,23 @@
  ##	</summary>
  ## </param>
  #
@@ -36574,7 +36642,7 @@
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -2871,66 +2936,137 @@
+@@ -2871,67 +2937,138 @@
  ## </param>
  ## <param name="domain">
  ##	<summary>
@@ -36649,6 +36717,7 @@
 -##	temporary symbolic links.
 -##	</p>
 -##	<p>
+-##	This is a templated interface, and should only
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -36745,10 +36814,11 @@
 +##	temporary symbolic links.
 +##	</p>
 +##	<p>
- ##	This is a templated interface, and should only
++##	This is a templated interface, and should only
  ##	be called from a per-userdomain template.
  ##	</p>
-@@ -2949,12 +3085,12 @@
+ ## </desc>
+@@ -2949,12 +3086,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -36764,7 +36834,7 @@
  ')
  
  ########################################
-@@ -2986,11 +3122,11 @@
+@@ -2986,11 +3123,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -36778,7 +36848,7 @@
  ')
  
  ########################################
-@@ -3022,11 +3158,11 @@
+@@ -3022,11 +3159,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -36792,7 +36862,7 @@
  ')
  
  ########################################
-@@ -3058,11 +3194,11 @@
+@@ -3058,11 +3195,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -36806,7 +36876,7 @@
  ')
  
  ########################################
-@@ -3094,11 +3230,11 @@
+@@ -3094,11 +3231,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -36820,7 +36890,7 @@
  ')
  
  ########################################
-@@ -3130,11 +3266,11 @@
+@@ -3130,11 +3267,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -36834,7 +36904,7 @@
  ')
  
  ########################################
-@@ -3179,10 +3315,10 @@
+@@ -3179,10 +3316,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -36847,7 +36917,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3223,10 +3359,10 @@
+@@ -3223,10 +3360,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -36860,7 +36930,7 @@
  ')
  
  ########################################
-@@ -3254,6 +3390,42 @@
+@@ -3254,6 +3391,42 @@
  ##	</summary>
  ## </param>
  #
@@ -36903,7 +36973,7 @@
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -3267,6 +3439,42 @@
+@@ -3267,6 +3440,42 @@
  
  ########################################
  ## <summary>
@@ -36946,7 +37016,7 @@
  ##	List users untrusted directories.
  ## </summary>
  ## <desc>
-@@ -3962,6 +4170,24 @@
+@@ -3962,6 +4171,24 @@
  
  ########################################
  ## <summary>
@@ -36971,7 +37041,7 @@
  ##	Manage unpriviledged user SysV shared
  ##	memory segments.
  ## </summary>
-@@ -4231,11 +4457,11 @@
+@@ -4231,11 +4458,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -36985,7 +37055,7 @@
  ')
  
  ########################################
-@@ -4251,10 +4477,10 @@
+@@ -4251,10 +4478,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -36998,7 +37068,7 @@
  ')
  
  ########################################
-@@ -4270,11 +4496,11 @@
+@@ -4270,11 +4497,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -37012,7 +37082,7 @@
  ')
  
  ########################################
-@@ -4289,16 +4515,16 @@
+@@ -4289,16 +4516,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -37032,7 +37102,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4307,12 +4533,35 @@
+@@ -4307,12 +4534,35 @@
  ##	</summary>
  ## </param>
  #
@@ -37071,7 +37141,7 @@
  ')
  
  ########################################
-@@ -4327,13 +4576,13 @@
+@@ -4327,13 +4577,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -37089,7 +37159,7 @@
  ')
  
  ########################################
-@@ -4531,10 +4780,10 @@
+@@ -4531,10 +4781,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -37102,7 +37172,7 @@
  ')
  
  ########################################
-@@ -4551,10 +4800,10 @@
+@@ -4551,10 +4801,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -37115,7 +37185,7 @@
  ')
  
  ########################################
-@@ -4569,10 +4818,10 @@
+@@ -4569,10 +4819,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -37128,7 +37198,7 @@
  ')
  
  ########################################
-@@ -4588,10 +4837,10 @@
+@@ -4588,10 +4838,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -37141,7 +37211,7 @@
  ')
  
  ########################################
-@@ -4606,10 +4855,10 @@
+@@ -4606,10 +4856,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -37154,7 +37224,7 @@
  ')
  
  ########################################
-@@ -4625,10 +4874,10 @@
+@@ -4625,10 +4875,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -37167,7 +37237,7 @@
  ')
  
  ########################################
-@@ -4644,12 +4893,29 @@
+@@ -4644,12 +4894,29 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -37201,7 +37271,7 @@
  ')
  
  ########################################
-@@ -4676,10 +4942,10 @@
+@@ -4676,10 +4943,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -37214,7 +37284,7 @@
  ')
  
  ########################################
-@@ -4694,10 +4960,10 @@
+@@ -4694,10 +4961,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -37227,7 +37297,7 @@
  ')
  
  ########################################
-@@ -4712,13 +4978,13 @@
+@@ -4712,13 +4979,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -37245,7 +37315,7 @@
  ')
  
  ########################################
-@@ -4754,11 +5020,49 @@
+@@ -4754,11 +5021,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -37296,7 +37366,7 @@
  ')
  
  ########################################
-@@ -4778,6 +5082,14 @@
+@@ -4778,6 +5083,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -37311,7 +37381,7 @@
  ')
  
  ########################################
-@@ -4815,6 +5127,8 @@
+@@ -4815,6 +5128,8 @@
  	')
  
  	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -37320,7 +37390,7 @@
  ')
  
  ########################################
-@@ -4839,7 +5153,7 @@
+@@ -4839,7 +5154,7 @@
  
  ########################################
  ## <summary>
@@ -37329,7 +37399,7 @@
  ##	in all users home directories.
  ## </summary>
  ## <param name="domain">
-@@ -4848,18 +5162,57 @@
+@@ -4848,13 +5163,52 @@
  ##	</summary>
  ## </param>
  #
@@ -37342,11 +37412,10 @@
  	files_list_home($1)
 -	allow $1 home_type:dir manage_dir_perms;
 +	delete_dirs_pattern($1, home_type, home_type)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete all files
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete all directories
 +##	in all users home directories.
 +## </summary>
@@ -37382,15 +37451,10 @@
 +	')
 +
 +	delete_files_pattern($1,home_type,home_type)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete all files
- ##	in all users home directories.
- ## </summary>
- ## <param name="domain">
-@@ -4879,6 +5232,26 @@
+ ')
+ 
+ ########################################
+@@ -4879,6 +5233,26 @@
  
  ########################################
  ## <summary>
@@ -37417,7 +37481,7 @@
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5488,7 @@
+@@ -5115,7 +5489,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -37426,7 +37490,7 @@
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5677,63 @@
+@@ -5304,6 +5678,63 @@
  
  ########################################
  ## <summary>
@@ -37490,7 +37554,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,6 +5939,43 @@
+@@ -5509,6 +5940,43 @@
  
  ########################################
  ## <summary>
@@ -37534,7 +37598,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5559,7 +6026,7 @@
+@@ -5559,7 +6027,7 @@
  		attribute userdomain;
  	')
  
@@ -37543,7 +37607,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -5674,6 +6141,42 @@
+@@ -5674,6 +6142,42 @@
  
  ########################################
  ## <summary>
@@ -37586,7 +37650,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6207,408 @@
+@@ -5704,3 +6208,408 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.699
retrieving revision 1.700
diff -u -r1.699 -r1.700
--- selinux-policy.spec	29 Jul 2008 20:55:03 -0000	1.699
+++ selinux-policy.spec	31 Jul 2008 11:21:34 -0000	1.700
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 81%{?dist}
+Release: 82%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,9 @@
 %endif
 
 %changelog
+* Wed Jul 30 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-82
+- Change mail_spool to be a files_mountpoint
+
 * Tue Jul 29 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-81
 - Add boolean httpd_execmem
 - Add dontaudit for leaky pam_nssldap 



