rpms/selinux-policy/F-9 modules-mls.conf, 1.32, 1.33 policy-20071130.patch, 1.181, 1.182 selinux-policy.spec, 1.688, 1.689

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Jun 30 20:53:02 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26221

Modified Files:
	modules-mls.conf policy-20071130.patch selinux-policy.spec 
Log Message:
* Mon Jun 29 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-73
- Allow exim to use system_cron pipes
- Allow gdm to read rpm database
- Allow nsplugin to read mplayer config files
- Allow login programs to write to /var/run/pam directory (Encrypted directories)



Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/modules-mls.conf,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- modules-mls.conf	14 Apr 2008 20:01:48 -0000	1.32
+++ modules-mls.conf	30 Jun 2008 20:52:16 -0000	1.33
@@ -1094,3 +1094,10 @@
 # Root role used to manage audit system
 # 
 auditadm = module
+
+# Layer: services
+# Module: courier
+#
+# IMAP and POP3 email servers
+# 
+courier = module

policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.181
retrieving revision 1.182
diff -u -r1.181 -r1.182
--- policy-20071130.patch	27 Jun 2008 11:15:46 -0000	1.181
+++ policy-20071130.patch	30 Jun 2008 20:52:16 -0000	1.182
@@ -1456,18 +1456,20 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.3.1/policy/modules/admin/amanda.te
 --- nsaserefpolicy/policy/modules/admin/amanda.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/amanda.te	2008-06-12 23:38:02.000000000 -0400
-@@ -82,8 +82,7 @@
++++ serefpolicy-3.3.1/policy/modules/admin/amanda.te	2008-06-29 08:00:54.000000000 -0400
+@@ -82,8 +82,9 @@
  allow amanda_t amanda_config_t:file { getattr read };
  
  # access to amandas data structure
 -allow amanda_t amanda_data_t:dir { read search write };
 -allow amanda_t amanda_data_t:file manage_file_perms;
++manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
 +manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
++filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
  
  # access to amanda_dumpdates_t
  allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-@@ -94,7 +93,7 @@
+@@ -94,7 +95,7 @@
  # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
  allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
  allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
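Review bot: The new `filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })` grants more than a type transition: filetrans_pattern also allows rw_dir_perms on amanda_config_t directories, so amanda_t can now add and remove entries in its configuration tree even though the line above keeps the config files themselves read-only (`allow amanda_t amanda_config_t:file { getattr read }`). If the intent is only that objects amanda creates under its config directory end up as amanda_data_t rather than amanda_config_t, that is still a write path into the configuration directory for a network-facing backup daemon; consider keeping the data under an amanda_data_t directory instead, or state the reason in a comment such as `# amanda creates index/data files inside its config dir; the transition keeps them out of amanda_config_t`. The amanda_t rules continue outside this hunk.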
@@ -1476,7 +1478,7 @@
  
  manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
  manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)
-@@ -220,6 +219,7 @@
+@@ -220,6 +221,7 @@
  auth_use_nsswitch(amanda_recover_t)
  
  fstools_domtrans(amanda_t)
@@ -2135,6 +2137,34 @@
 -	dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
 -	dontaudit mrtg_t root_t:lnk_file getattr;
 -')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.3.1/policy/modules/admin/netutils.if
+--- nsaserefpolicy/policy/modules/admin/netutils.if	2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/netutils.if	2008-06-30 13:17:25.000000000 -0400
+@@ -124,6 +124,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Send generic signals to netutils.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`netutils_signal',`
++	gen_require(`
++		type netutils_t;
++	')
++
++	allow $1 netutils_t:process signal;
++')
++
++########################################
++## <summary>
+ ##	Execute ping in the ping domain, and
+ ##	allow the specified role the ping domain.
+ ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.3.1/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2008-06-12 23:38:01.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/admin/netutils.te	2008-06-12 23:38:03.000000000 -0400
@@ -6031,8 +6061,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-06-12 23:38:04.000000000 -0400
-@@ -0,0 +1,210 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-06-29 08:22:11.000000000 -0400
+@@ -0,0 +1,211 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -6116,6 +6146,7 @@
 +
 +files_read_usr_files(nsplugin_t)
 +files_read_etc_files(nsplugin_t)
++files_read_config_files(nsplugin_t)
 +
 +fs_list_inotifyfs(nsplugin_t)
 +fs_manage_tmpfs_files(nsplugin_t)
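Review bot: `files_read_config_files(nsplugin_t)` grants read access to every type carrying the configfile attribute, which is far broader than the changelog's stated goal of letting nsplugin read mplayer configuration files. nsplugin_t exists to confine untrusted browser plugins, so it should get the narrowest rule that works: if the mplayer module exposes a read interface for its config type, call that inside an `optional_policy()` block; otherwise leave a comment naming the concrete files that motivated the widening, e.g. `# mplayer-based plugins read /etc/mplayer; widened to all config files because no mplayer interface is available`. The nsplugin_t rules continue outside this hunk.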
@@ -12263,19 +12294,20 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.3.1/policy/modules/services/courier.fc
 --- nsaserefpolicy/policy/modules/services/courier.fc	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/courier.fc	2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/courier.fc	2008-06-30 13:23:49.000000000 -0400
 @@ -1,4 +1,5 @@
  /etc/courier(/.*)?				gen_context(system_u:object_r:courier_etc_t,s0)
 +/etc/authlib(/.*)?				gen_context(system_u:object_r:courier_etc_t,s0)
  
  /usr/bin/imapd				--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
  
-@@ -6,11 +7,18 @@
+@@ -6,11 +7,19 @@
  /usr/sbin/courierldapaliasd		--	gen_context(system_u:object_r:courier_exec_t,s0)
  /usr/sbin/couriertcpd			--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
  
 +/usr/libexec/courier-authlib/.*		--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
  /usr/lib(64)?/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
++/usr/lib(64)?/courier/sendmail		--	gen_context(system_u:object_r:courier_exec_t,s0)
 +/usr/lib(64)?/courier/bin(/.*)?			gen_context(system_u:object_r:courier_exec_t,s0)
 +/usr/lib(64)?/courier/sbin(/.*)?		gen_context(system_u:object_r:courier_exec_t,s0)
  /usr/lib(64)?/courier/courier/.*	--	gen_context(system_u:object_r:courier_exec_t,s0)
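Review bot: `/usr/lib(64)?/courier/bin(/.*)?` and `/usr/lib(64)?/courier/sbin(/.*)?` carry no file-type qualifier, so the directories themselves and any non-executable content beneath them are labeled courier_exec_t, unlike the `--` entries around them; unless the directories must be courier_exec_t, add `--` or give the directory its own entry with a non-exec type. Moving `/usr/lib(64)?/courier/sendmail` from sendmail_exec_t (mta.fc) to courier_exec_t also changes behaviour for callers: the mta module's `mta_send_mail` transition is keyed on sendmail_exec_t, so user and daemon domains that run courier's sendmail now need an equivalent transition into a courier domain, which should be confirmed against courier.if. The file-context list continues outside this hunk.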
@@ -12289,7 +12321,7 @@
  /usr/lib(64)?/courier/imapd		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
  /usr/lib(64)?/courier/pop3d		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
  /usr/lib(64)?/courier/rootcerts(/.*)?		gen_context(system_u:object_r:courier_etc_t,s0)
-@@ -19,3 +27,5 @@
+@@ -19,3 +28,5 @@
  /var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)
  
  /var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
@@ -12418,7 +12450,7 @@
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.3.1/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cron.if	2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cron.if	2008-06-30 13:57:14.000000000 -0400
 @@ -35,38 +35,23 @@
  #
  template(`cron_per_role_template',`
@@ -13598,6 +13630,16 @@
 +
 +userdom_dontaudit_read_sysadm_home_content_files(cups_pdf_t)
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-3.3.1/policy/modules/services/cvs.fc
+--- nsaserefpolicy/policy/modules/services/cvs.fc	2008-06-12 23:38:02.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cvs.fc	2008-06-30 16:00:29.000000000 -0400
+@@ -5,3 +5,6 @@
+ 
+ /var/cvs(/.*)?		gen_context(system_u:object_r:cvs_data_t,s0)
+ 
++#CVSWeb file context
++/usr/share/cvsweb/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
++/var/www/cgi-bin/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if
 --- nsaserefpolicy/policy/modules/services/cvs.if	2008-06-12 23:38:02.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/services/cvs.if	2008-06-12 23:38:04.000000000 -0400
@@ -13676,7 +13718,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.3.1/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cvs.te	2008-06-12 23:38:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cvs.te	2008-06-30 16:00:47.000000000 -0400
 @@ -28,6 +28,9 @@
  type cvs_var_run_t;
  files_pid_file(cvs_var_run_t)
@@ -13704,18 +13746,25 @@
  mta_send_mail(cvs_t)
  
  # cjp: typeattribute doesnt work in conditionals yet
-@@ -102,11 +104,3 @@
- 	kerberos_read_config(cvs_t)
+@@ -103,10 +105,12 @@
  	kerberos_dontaudit_write_config(cvs_t)
  ')
--
+ 
 -optional_policy(`
 -	nis_use_ypbind(cvs_t)
 -')
--
++########################################
++# CVSWeb policy
+ 
 -optional_policy(`
 -	nscd_socket_use(cvs_t)
 -')
++apache_content_template(cvs)
++
++read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
++manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t)
++manage_files_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t)
++files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
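Review bot: `manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t)` names `httpd_cvs_script_t_t`, an undeclared type (the neighbouring lines use `httpd_cvs_script_t`), so the module will fail to compile, and if it were ever accepted the CGI would lack the directory permissions its tmp handling needs; it should read `manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)`. Separately, `apache_content_template(cvs)` is called unconditionally while the rest of this file wraps cross-module calls in `optional_policy()`, which turns the cvs module into a hard dependency on apache being loaded; wrap the CVSWeb block in `optional_policy()` or document the dependency. It is also worth stating in the `# CVSWeb policy` comment that `read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)` exposes every repository under cvs_data_t to the web CGI, since that is the intended but security-relevant consequence.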
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.3.1/policy/modules/services/cyphesis.fc
 --- nsaserefpolicy/policy/modules/services/cyphesis.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/cyphesis.fc	2008-06-12 23:38:04.000000000 -0400
@@ -15457,7 +15506,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.3.1/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/exim.te	2008-06-12 23:38:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/exim.te	2008-06-30 13:58:55.000000000 -0400
 @@ -21,9 +21,20 @@
  ## </desc>
  gen_tunable(exim_manage_user_files,false)
@@ -15562,7 +15611,7 @@
  
  tunable_policy(`exim_read_user_files',`
  	userdom_read_unpriv_users_home_content_files(exim_t)
-@@ -111,3 +144,71 @@
+@@ -111,3 +144,76 @@
  	userdom_read_unpriv_users_tmp_files(exim_t)
  	userdom_write_unpriv_users_tmp_files(exim_t)
  ')
@@ -15604,6 +15653,11 @@
 +')
 +
 +optional_policy(`
++	cron_read_pipes(exim_t)
++	cron_rw_system_job_pipes(exim_t)
++')
++
++optional_policy(`
 +	cyrus_stream_connect(exim_t)
 +')
 +
@@ -17656,22 +17710,22 @@
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.3.1/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mta.fc	2008-06-12 23:38:04.000000000 -0400
-@@ -9,8 +9,10 @@
- ')
- 
++++ serefpolicy-3.3.1/policy/modules/services/mta.fc	2008-06-30 13:25:01.000000000 -0400
+@@ -11,6 +11,7 @@
  /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/lib(64)?/courier/sendmail	--	gen_context(system_u:object_r:courier_exec_t,s0)
  
  /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 +/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  /usr/sbin/sendmail\.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
  /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
  
-@@ -25,3 +27,4 @@
- #ifdef(`postfix.te', `', `
- #/var/spool/postfix(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
- #')
+@@ -22,6 +23,4 @@
+ /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+ /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
+ 
+-#ifdef(`postfix.te', `', `
+-#/var/spool/postfix(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
+-#')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.3.1/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2008-06-12 23:38:02.000000000 -0400
@@ -17850,7 +17904,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-06-24 05:41:39.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-06-30 13:57:46.000000000 -0400
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -20141,8 +20195,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.te	2008-06-12 23:38:04.000000000 -0400
-@@ -0,0 +1,218 @@
++++ serefpolicy-3.3.1/policy/modules/services/polkit.te	2008-06-30 10:22:01.000000000 -0400
+@@ -0,0 +1,220 @@
 +policy_module(polkit_auth,1.0.0)
 +
 +########################################
@@ -20299,6 +20353,8 @@
 +
 +polkit_domtrans_auth(polkit_grant_t)
 +
++manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t)
++
 +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)
 +userdom_read_all_users_state(polkit_grant_t)
 +
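Review bot: `manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t)` is written without spaces after the commas while the adjacent `manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)` uses them; match the neighbouring style. The declaration of `polkit_var_run_t` is not in this hunk, so confirm it exists in the module and, if polkit_grant_t creates files under /var/run, that a matching `files_pid_filetrans` accompanies it, since an undeclared type is a build error and a missing transition leaves new files mislabeled. The polkit_grant_t rules continue outside this hunk.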
@@ -21404,8 +21460,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-06-24 06:34:17.000000000 -0400
-@@ -0,0 +1,248 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-06-30 15:19:48.000000000 -0400
+@@ -0,0 +1,249 @@
 +
 +policy_module(prelude, 1.0.0)
 +
@@ -21555,10 +21611,11 @@
 +libs_use_shared_libs(prelude_audisp_t)
 +
 +logging_send_syslog_msg(prelude_audisp_t)
++logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t)
 +
 +miscfiles_read_localization(prelude_audisp_t)
 +
-+logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t)
++sysnet_dns_name_resolve(prelude_audisp_t)
 +
 +########################################
 +#
@@ -22368,7 +22425,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.3.1/policy/modules/services/razor.if
 --- nsaserefpolicy/policy/modules/services/razor.if	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/razor.if	2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/razor.if	2008-06-30 13:44:58.000000000 -0400
 @@ -137,6 +137,7 @@
  template(`razor_per_role_template',`
  	gen_require(`
@@ -22394,10 +22451,12 @@
  
  	##############################
  	#
-@@ -218,3 +217,42 @@
+@@ -217,4 +216,44 @@
+ 	')
  
  	domtrans_pattern($1, razor_exec_t, razor_t)
- ')
++	allow $1 razor_t:process signal;
++')
 +
 +########################################
 +## <summary>
@@ -22435,7 +22494,7 @@
 +	allow $2 user_home_dir_t:dir search_dir_perms;
 +	manage_files_pattern($2,user_razor_home_t,user_razor_home_t)
 +	read_lnk_files_pattern($2,user_razor_home_t,user_razor_home_t)
-+')
+ ')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.3.1/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2008-06-12 23:38:01.000000000 -0400
@@ -28294,7 +28353,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-06-14 07:17:28.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-06-29 08:15:14.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -28367,7 +28426,7 @@
  type iceauth_exec_t;
 -application_executable_file(iceauth_exec_t)
 +application_domain(iceauth_t,iceauth_exec_t)
- 
++
 +type input_xevent_t, xevent_type;
 +type manage_xevent_t, xevent_type;
 +type output_xext_t, xextension_type;
@@ -28383,7 +28442,7 @@
 +type x_rootcolormap_t;
 +type x_rootscreen_t;
 +type x_rootwindow_t;
-+
+ 
 +type xauth_t;
  type xauth_exec_t;
 -application_executable_file(xauth_exec_t)
@@ -28642,14 +28701,14 @@
  optional_policy(`
  	alsa_domtrans(xdm_t)
 +	alsa_read_rw_config(xdm_t)
++')
++
++optional_policy(`
++	bootloader_domtrans(xdm_t)
  ')
  
  optional_policy(`
 -	consolekit_dbus_chat(xdm_t)
-+	bootloader_domtrans(xdm_t)
-+')
-+
-+optional_policy(`
 +	consolekit_read_log(xdm_t)
  ')
  
@@ -28689,7 +28748,7 @@
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -335,6 +499,11 @@
+@@ -335,6 +499,21 @@
  ')
  
  optional_policy(`
@@ -28698,10 +28757,20 @@
 +')
 +
 +optional_policy(`
++	resmgr_stream_connect(xdm_t)
++')
++
++# On crash gdm execs gdb to dump stack
++optional_policy(`
++	rpm_read_db(xdm_t)
++	rpm_dontaudit_manage_db(xdm_t)
++')
++
++optional_policy(`
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -343,8 +512,8 @@
+@@ -343,8 +522,8 @@
  ')
  
  optional_policy(`
@@ -28711,7 +28780,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +549,7 @@
+@@ -380,7 +559,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -28720,7 +28789,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +561,15 @@
+@@ -392,6 +571,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -28736,7 +28805,7 @@
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,9 +582,18 @@
+@@ -404,9 +592,18 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -28755,10 +28824,11 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +607,22 @@
+@@ -420,7 +617,19 @@
  ')
  
  optional_policy(`
+-	resmgr_stream_connect(xdm_t)
 +	dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
 +
 +	optional_policy(`
@@ -28772,13 +28842,10 @@
 +
 +optional_policy(`
 +	mono_rw_shm(xdm_xserver_t)
-+')
-+
-+optional_policy(`
- 	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +632,138 @@
+ optional_policy(`
+@@ -429,47 +638,138 @@
  ')
  
  optional_policy(`
@@ -28803,15 +28870,6 @@
 +	unconfined_signal(xdm_xserver_t)
 +	unconfined_getpgid(xdm_xserver_t)
 +	unconfined_domain(xdm_xserver_t)
-+')
-+
-+
-+tunable_policy(`allow_xserver_execmem', `
-+	allow xdm_xserver_t self:process { execheap execmem execstack };
-+')
-+
-+ifndef(`distro_redhat',`
-+	allow xdm_xserver_t self:process { execheap execmem };
  ')
  
 -ifdef(`TODO',`
@@ -28835,10 +28893,19 @@
 -allow xdm_t polymember:lnk_file { create unlink };
 -# xdm needs access for copying .Xauthority into new home
 -allow xdm_t polymember:file { create getattr write };
-+ifdef(`distro_rhel4',`
++
++tunable_policy(`allow_xserver_execmem', `
++	allow xdm_xserver_t self:process { execheap execmem execstack };
++')
++
++ifndef(`distro_redhat',`
 +	allow xdm_xserver_t self:process { execheap execmem };
  ')
  
++ifdef(`distro_rhel4',`
++	allow xdm_xserver_t self:process { execheap execmem };
++')
++
 +##############################
  #
 -# Wants to delete .xsession-errors file
@@ -28889,10 +28956,11 @@
 +')
 +
 +##############################
-+#
-+# iceauth_t Local policy
  #
 -allow xdm_t user_home_type:file unlink;
++# iceauth_t Local policy
+ #
+-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
 +
 +allow iceauth_t user_iceauth_home_t:file manage_file_perms;
 +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
@@ -28917,11 +28985,10 @@
 +
 +########################################
  #
--# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-+# Rules for unconfined access to this module
- #
 -allow pam_t xdm_t:fifo_file { getattr ioctl write };
 -') dnl end TODO
++# Rules for unconfined access to this module
++#
 +
 +allow xserver_unconfined_type x_server_domain:x_server *;
 +allow xserver_unconfined_type { x_domain x_rootwindow_t self }:x_drawable *;
@@ -29199,7 +29266,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-06-12 23:38:02.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-06-30 16:49:50.000000000 -0400
 @@ -56,10 +56,6 @@
  	miscfiles_read_localization($1_chkpwd_t)
  
@@ -29257,7 +29324,26 @@
  	# for SSP/ProPolice
  	dev_read_urand($1)
  	# for fingerprint readers
-@@ -226,8 +239,40 @@
+@@ -207,14 +220,15 @@
+ 	mls_process_set_level($1)
+ 	mls_fd_share_all_levels($1)
+ 
++	auth_append_login_records($1)
++	auth_exec_pam($1)
+ 	auth_domtrans_chk_passwd($1)
+ 	auth_domtrans_upd_passwd($1)
+ 	auth_dontaudit_read_shadow($1)
+ 	auth_read_login_records($1)
+-	auth_append_login_records($1)
+-	auth_rw_lastlog($1)
++	auth_manage_pam_pid($1)
+ 	auth_rw_faillog($1)
+-	auth_exec_pam($1)
++	auth_rw_lastlog($1)
+ 	auth_use_nsswitch($1)
+ 
+ 	init_rw_utmp($1)
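Review bot: `auth_manage_pam_pid($1)` gives every domain built from this template (getty, sshd, display managers, and so on) create, delete and rename rights on the /var/run/pam type, which is broader than the changelog's "write to /var/run/pam directory" and is applied uniformly rather than to the one login path that needs it. If the encrypted-home case only needs to create and update files, a narrower read/write-plus-filetrans interface would be preferable; at minimum add a comment above the call naming the consumer, e.g. `# PAM modules used for encrypted home directories keep per-session state under /var/run/pam — TODO name the module`. The interface body is not visible in this chunk, so also check that the authlogin.if additions define it and that it grants no relabel permissions. The template continues outside this hunk.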
+@@ -226,8 +240,40 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -29298,7 +29384,7 @@
  	')
  ')
  
-@@ -333,19 +378,15 @@
+@@ -333,19 +379,15 @@
  	dev_read_rand($1)
  	dev_read_urand($1)
  
@@ -29322,7 +29408,7 @@
  	')
  
  	optional_policy(`
-@@ -356,6 +397,28 @@
+@@ -356,6 +398,28 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -29351,7 +29437,7 @@
  ')
  
  ########################################
-@@ -369,12 +432,12 @@
+@@ -369,12 +433,12 @@
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -29366,7 +29452,7 @@
  ##	</summary>
  ## </param>
  #
-@@ -386,6 +449,7 @@
+@@ -386,6 +450,7 @@
  	auth_domtrans_chk_passwd($1)
  	role $2 types system_chkpwd_t;
  	allow system_chkpwd_t $3:chr_file rw_file_perms;
@@ -29374,7 +29460,7 @@
  ')
  
  ########################################
-@@ -1447,6 +1511,10 @@
+@@ -1447,6 +1512,10 @@
  	')
  
  	optional_policy(`
@@ -29385,7 +29471,7 @@
  		nis_use_ypbind($1)
  	')
  
-@@ -1457,6 +1525,7 @@
+@@ -1457,6 +1526,7 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  		samba_read_var_files($1)
@@ -29393,7 +29479,7 @@
  	')
  ')
  
-@@ -1491,3 +1560,59 @@
+@@ -1491,3 +1561,59 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -29659,8 +29745,16 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.3.1/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/hotplug.te	2008-06-12 23:38:02.000000000 -0400
-@@ -179,6 +179,7 @@
++++ serefpolicy-3.3.1/policy/modules/system/hotplug.te	2008-06-30 13:17:55.000000000 -0400
+@@ -120,6 +120,7 @@
+ 	optional_policy(`
+ 		# for arping used for static IP addresses on PCMCIA ethernet
+ 		netutils_domtrans(hotplug_t)
++		netutils_signal(hotplug_t)
+ 		fs_rw_tmpfs_chr_files(hotplug_t)
+ 	')
+ 	files_getattr_generic_locks(hotplug_t)
+@@ -179,6 +180,7 @@
  	sysnet_read_dhcpc_pid(hotplug_t)
  	sysnet_rw_dhcp_config(hotplug_t)
  	sysnet_domtrans_ifconfig(hotplug_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.688
retrieving revision 1.689
diff -u -r1.688 -r1.689
--- selinux-policy.spec	27 Jun 2008 11:15:46 -0000	1.688
+++ selinux-policy.spec	30 Jun 2008 20:52:17 -0000	1.689
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 72%{?dist}
+Release: 73%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -57,7 +57,7 @@
 %package devel
 Summary: SELinux policy development
 Group: System Environment/Base
-Requires: checkpolicy >= %{CHECKPOLICYVER} m4 
+Requires: checkpolicy >= %{CHECKPOLICYVER} m4 make
 Requires: selinux-policy = %{version}-%{release} policycoreutils >= %{POLICYCOREUTILSVER}
 
 %description devel
@@ -385,6 +385,12 @@
 %endif
 
 %changelog
+* Mon Jun 29 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-73
+- Allow exim to use system_cron pipes
+- Allow gdm to read rpm database
+- Allow nsplugin to read mplayer config files
+- Allow login programs to write to /var/run/pam directory (Encrypted directories)
+
 * Wed Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-72
 - Fix file context of real player
 



