rpms/selinux-policy/devel modules-mls.conf, 1.33, 1.34 policy-20080509.patch, 1.23, 1.24 selinux-policy.spec, 1.677, 1.678

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Jun 30 20:53:40 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26323

Modified Files:
	modules-mls.conf policy-20080509.patch selinux-policy.spec 
Log Message:
* Sun Jun 29 2008 Dan Walsh <dwalsh at redhat.com> 3.4.2-9
- Allow gdm to read rpm database
- Allow nsplugin to read mplayer config files



Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- modules-mls.conf	19 May 2008 13:01:59 -0000	1.33
+++ modules-mls.conf	30 Jun 2008 20:52:56 -0000	1.34
@@ -1116,3 +1116,9 @@
 # 
 xguest = module
 
+# Layer: services
+# Module: courier
+#
+# IMAP and POP3 email servers
+# 
+courier = module

policy-20080509.patch:

Index: policy-20080509.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080509.patch,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- policy-20080509.patch	27 Jun 2008 11:58:29 -0000	1.23
+++ policy-20080509.patch	30 Jun 2008 20:52:56 -0000	1.24
@@ -284,18 +284,20 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.4.2/policy/modules/admin/amanda.te
 --- nsaserefpolicy/policy/modules/admin/amanda.te	2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/admin/amanda.te	2008-06-12 23:37:53.000000000 -0400
-@@ -82,8 +82,7 @@
++++ serefpolicy-3.4.2/policy/modules/admin/amanda.te	2008-06-29 08:00:12.000000000 -0400
+@@ -82,8 +82,9 @@
  allow amanda_t amanda_config_t:file { getattr read };
  
  # access to amandas data structure
 -allow amanda_t amanda_data_t:dir { read search write };
 -allow amanda_t amanda_data_t:file manage_file_perms;
++manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
 +manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
++filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
  
  # access to amanda_dumpdates_t
  allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-@@ -220,6 +219,7 @@
+@@ -220,6 +221,7 @@
  auth_use_nsswitch(amanda_recover_t)
  
  fstools_domtrans(amanda_t)
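Review bot: The new `filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })` widens amanda_t's access to its own configuration directory, not just to its data: in refpolicy that pattern grants the caller the parent directory's read/write permissions on amanda_config_t (add/remove entries) so that the transition can fire, while the only config access visible in this hunk was `amanda_config_t:file { getattr read }`. Together with `manage_dirs_pattern`, which replaces the old `dir { read search write }` rule with full create/delete, this is a real privilege increase for a backup daemon that should only read its config, so the intent deserves a line above the transition, e.g. `# amanda creates data files/dirs below its config directory; keep them labeled amanda_data_t`. If writing into the config directory is not actually required, a transition from a dedicated data directory type would keep the config tree read-only for amanda_t. The rest of amanda.te is outside this hunk.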
@@ -700,6 +702,34 @@
 -	dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
 -	dontaudit mrtg_t root_t:lnk_file getattr;
 -')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.4.2/policy/modules/admin/netutils.if
+--- nsaserefpolicy/policy/modules/admin/netutils.if	2008-06-12 23:25:08.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/admin/netutils.if	2008-06-30 13:16:57.000000000 -0400
+@@ -124,6 +124,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Send generic signals to netutils.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`netutils_signal',`
++	gen_require(`
++		type netutils_t;
++	')
++
++	allow $1 netutils_t:process signal;
++')
++
++########################################
++## <summary>
+ ##	Execute ping in the ping domain, and
+ ##	allow the specified role the ping domain.
+ ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.4.2/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2008-06-12 23:25:08.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/admin/netutils.te	2008-06-12 23:37:53.000000000 -0400
@@ -4543,8 +4573,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.4.2/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.4.2/policy/modules/apps/nsplugin.te	2008-06-12 23:37:51.000000000 -0400
-@@ -0,0 +1,215 @@
++++ serefpolicy-3.4.2/policy/modules/apps/nsplugin.te	2008-06-29 08:22:17.000000000 -0400
+@@ -0,0 +1,217 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -4577,189 +4607,191 @@
 +userdom_user_home_content(user,nsplugin_home_t)
 +typealias nsplugin_home_t alias user_nsplugin_home_t;
 +
-+	type nsplugin_t;
-+	type nsplugin_config_t;
-+	application_domain(nsplugin_t, nsplugin_exec_t)
-+	application_domain(nsplugin_config_t, nsplugin_config_exec_t)
++type nsplugin_t;
++type nsplugin_config_t;
++application_domain(nsplugin_t, nsplugin_exec_t)
++application_domain(nsplugin_config_t, nsplugin_config_exec_t)
 +
-+	########################################
-+	#
-+	# nsplugin local policy
-+	#
-+	allow nsplugin_t self:fifo_file rw_file_perms;
-+	allow nsplugin_t self:process { ptrace getsched setsched signal_perms };
++########################################
++#
++# nsplugin local policy
++#
++allow nsplugin_t self:fifo_file rw_file_perms;
++allow nsplugin_t self:process { ptrace getsched setsched signal_perms };
 +
-+	allow nsplugin_t self:sem create_sem_perms;
-+	allow nsplugin_t self:shm create_shm_perms;
-+	allow nsplugin_t self:msgq create_msgq_perms;
-+	allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+
-+	tunable_policy(`allow_nsplugin_execmem',`
-+		allow nsplugin_t self:process { execstack execmem };
-+		allow nsplugin_config_t self:process { execstack execmem };
-+	')
++allow nsplugin_t self:sem create_sem_perms;
++allow nsplugin_t self:shm create_shm_perms;
++allow nsplugin_t self:msgq create_msgq_perms;
++allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
++
++tunable_policy(`allow_nsplugin_execmem',`
++	allow nsplugin_t self:process { execstack execmem };
++	allow nsplugin_config_t self:process { execstack execmem };
++')
 +	
-+	manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+	exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+	manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+	manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+	userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
-+	unprivuser_dontaudit_write_home_content_files(nsplugin_t)
-+
-+	corecmd_exec_bin(nsplugin_t)
-+	corecmd_exec_shell(nsplugin_t)
-+
-+	corenet_all_recvfrom_unlabeled(nsplugin_t)
-+	corenet_all_recvfrom_netlabel(nsplugin_t)
-+	corenet_tcp_connect_flash_port(nsplugin_t)
-+	corenet_tcp_connect_pulseaudio_port(nsplugin_t)
-+	corenet_tcp_connect_http_port(nsplugin_t)
-+	corenet_tcp_sendrecv_generic_if(nsplugin_t)
-+	corenet_tcp_sendrecv_all_nodes(nsplugin_t)
-+
-+	domain_dontaudit_read_all_domains_state(nsplugin_t)
-+
-+	dev_read_rand(nsplugin_t)
-+	dev_read_sound(nsplugin_t)
-+	dev_write_sound(nsplugin_t)
-+	dev_read_video_dev(nsplugin_t)
-+	dev_write_video_dev(nsplugin_t)
-+
-+	kernel_read_kernel_sysctls(nsplugin_t)
-+	kernel_read_system_state(nsplugin_t)
-+
-+	files_read_usr_files(nsplugin_t)
-+	files_read_etc_files(nsplugin_t)
-+
-+	fs_list_inotifyfs(nsplugin_t)
-+	fs_manage_tmpfs_files(nsplugin_t)
-+	fs_getattr_tmpfs(nsplugin_t)
-+	fs_getattr_xattr_fs(nsplugin_t)
-+
-+	term_dontaudit_getattr_all_user_ptys(nsplugin_t)
-+	term_dontaudit_getattr_all_user_ttys(nsplugin_t)
-+
-+	auth_use_nsswitch(nsplugin_t)
-+
-+	libs_use_ld_so(nsplugin_t)
-+	libs_use_shared_libs(nsplugin_t)
-+	libs_exec_ld_so(nsplugin_t)
-+
-+	miscfiles_read_localization(nsplugin_t)
-+	miscfiles_read_fonts(nsplugin_t)
-+
-+	unprivuser_manage_tmp_dirs(nsplugin_t)
-+	unprivuser_manage_tmp_files(nsplugin_t)
-+	unprivuser_manage_tmp_sockets(nsplugin_t)
-+	userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file })
-+	unprivuser_read_tmpfs_files(nsplugin_t)
-+	unprivuser_rw_semaphores(nsplugin_t)
-+	unprivuser_delete_tmpfs_files(nsplugin_t)
-+
-+	unprivuser_read_home_content_symlinks(nsplugin_t)
-+	unprivuser_read_home_content_files(nsplugin_t)
-+	unprivuser_read_tmp_files(nsplugin_t)
-+	userdom_write_user_tmp_sockets(user, nsplugin_t)
-+	unprivuser_dontaudit_append_home_content_files(nsplugin_t)
-+	userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
++manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
++unprivuser_dontaudit_write_home_content_files(nsplugin_t)
 +
-+	optional_policy(`
-+		alsa_read_rw_config(nsplugin_t)
-+	')
++corecmd_exec_bin(nsplugin_t)
++corecmd_exec_shell(nsplugin_t)
 +
-+	optional_policy(`
-+		gnome_exec_gconf(nsplugin_t)
-+		gnome_manage_user_gnome_config(user, nsplugin_t)
-+	')
++corenet_all_recvfrom_unlabeled(nsplugin_t)
++corenet_all_recvfrom_netlabel(nsplugin_t)
++corenet_tcp_connect_flash_port(nsplugin_t)
++corenet_tcp_connect_pulseaudio_port(nsplugin_t)
++corenet_tcp_connect_http_port(nsplugin_t)
++corenet_tcp_sendrecv_generic_if(nsplugin_t)
++corenet_tcp_sendrecv_all_nodes(nsplugin_t)
 +
-+	optional_policy(`
-+		mozilla_read_user_home_files(user, nsplugin_t)
-+		mozilla_write_user_home_files(user, nsplugin_t)
-+	')
++domain_dontaudit_read_all_domains_state(nsplugin_t)
 +
-+	optional_policy(`
-+		mplayer_exec(nsplugin_t)
-+	')
++dev_read_rand(nsplugin_t)
++dev_read_sound(nsplugin_t)
++dev_write_sound(nsplugin_t)
++dev_read_video_dev(nsplugin_t)
++dev_write_video_dev(nsplugin_t)
 +
-+	optional_policy(`
-+		unconfined_execmem_signull(nsplugin_t)
-+		unconfined_delete_tmpfs_files(nsplugin_t)
-+	')
++kernel_read_kernel_sysctls(nsplugin_t)
++kernel_read_system_state(nsplugin_t)
 +
-+	optional_policy(`
-+		xserver_stream_connect_xdm_xserver(nsplugin_t)
-+		xserver_xdm_rw_shm(nsplugin_t)
-+		xserver_read_xdm_tmp_files(nsplugin_t)
-+		xserver_read_xdm_pid(nsplugin_t)
-+		xserver_read_user_xauth(user, nsplugin_t)
-+		xserver_use_user_fonts(user, nsplugin_t)
-+		xserver_manage_home_fonts(nsplugin_t)
-+	')
++files_read_usr_files(nsplugin_t)
++files_read_etc_files(nsplugin_t)
++files_read_config_files(nsplugin_t)
 +
-+	########################################
-+	#
-+	# nsplugin_config local policy
-+	#
++fs_list_inotifyfs(nsplugin_t)
++fs_manage_tmpfs_files(nsplugin_t)
++fs_getattr_tmpfs(nsplugin_t)
++fs_getattr_xattr_fs(nsplugin_t)
 +
-+	allow nsplugin_config_t self:capability { sys_nice setuid setgid };
-+	allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
++term_dontaudit_getattr_all_user_ptys(nsplugin_t)
++term_dontaudit_getattr_all_user_ttys(nsplugin_t)
 +
-+	allow nsplugin_config_t self:fifo_file rw_file_perms;
-+	allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
++auth_use_nsswitch(nsplugin_t)
 +
-+	fs_list_inotifyfs(nsplugin_config_t)
++libs_use_ld_so(nsplugin_t)
++libs_use_shared_libs(nsplugin_t)
++libs_exec_ld_so(nsplugin_t)
 +
-+	can_exec(nsplugin_config_t, nsplugin_rw_t)
-+	manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+	manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+	manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++miscfiles_read_localization(nsplugin_t)
++miscfiles_read_fonts(nsplugin_t)
 +
-+	manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+	manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+	manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
++unprivuser_manage_tmp_dirs(nsplugin_t)
++unprivuser_manage_tmp_files(nsplugin_t)
++unprivuser_manage_tmp_sockets(nsplugin_t)
++userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file })
++unprivuser_read_tmpfs_files(nsplugin_t)
++unprivuser_rw_semaphores(nsplugin_t)
++unprivuser_delete_tmpfs_files(nsplugin_t)
 +
-+	corecmd_exec_bin(nsplugin_config_t)
-+	corecmd_exec_shell(nsplugin_config_t)
++unprivuser_read_home_content_symlinks(nsplugin_t)
++unprivuser_read_home_content_files(nsplugin_t)
++unprivuser_read_tmp_files(nsplugin_t)
++userdom_write_user_tmp_sockets(user, nsplugin_t)
++unprivuser_dontaudit_append_home_content_files(nsplugin_t)
++userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
 +
-+	kernel_read_system_state(nsplugin_config_t)
++optional_policy(`
++	alsa_read_rw_config(nsplugin_t)
++')
 +
-+	files_read_etc_files(nsplugin_config_t)
-+	files_read_usr_files(nsplugin_config_t)
-+	files_dontaudit_search_home(nsplugin_config_t)
++optional_policy(`
++	gnome_exec_gconf(nsplugin_t)
++	gnome_manage_user_gnome_config(user, nsplugin_t)
++')
 +
-+	auth_use_nsswitch(nsplugin_config_t)
++optional_policy(`
++	mozilla_read_user_home_files(user, nsplugin_t)
++	mozilla_write_user_home_files(user, nsplugin_t)
++')
 +
-+	libs_use_ld_so(nsplugin_config_t)
-+	libs_use_shared_libs(nsplugin_config_t)
++optional_policy(`
++	mplayer_exec(nsplugin_t)
++')
 +
-+	miscfiles_read_localization(nsplugin_config_t)
-+	miscfiles_read_fonts(nsplugin_config_t)
++optional_policy(`
++	unconfined_execmem_signull(nsplugin_t)
++	unconfined_delete_tmpfs_files(nsplugin_t)
++')
 +
-+	userdom_search_all_users_home_content(nsplugin_config_t)
++optional_policy(`
++	xserver_stream_connect_xdm_xserver(nsplugin_t)
++	xserver_xdm_rw_shm(nsplugin_t)
++	xserver_read_xdm_tmp_files(nsplugin_t)
++	xserver_read_xdm_pid(nsplugin_t)
++	xserver_read_user_xauth(user, nsplugin_t)
++	xserver_use_user_fonts(user, nsplugin_t)
++	xserver_manage_home_fonts(nsplugin_t)
++')
 +
-+	tunable_policy(`use_nfs_home_dirs',`
-+		fs_manage_nfs_dirs(nsplugin_t)
-+		fs_manage_nfs_files(nsplugin_t)
-+		fs_manage_nfs_dirs(nsplugin_config_t)
-+		fs_manage_nfs_files(nsplugin_config_t)
-+	')
++########################################
++#
++# nsplugin_config local policy
++#
 +
-+	tunable_policy(`use_samba_home_dirs',`
-+		fs_manage_cifs_dirs(nsplugin_t)
-+		fs_manage_cifs_files(nsplugin_t)
-+		fs_manage_cifs_dirs(nsplugin_config_t)
-+		fs_manage_cifs_files(nsplugin_config_t)
-+	')
++allow nsplugin_config_t self:capability { sys_nice setuid setgid };
++allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
 +
-+	domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
++allow nsplugin_config_t self:fifo_file rw_file_perms;
++allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
-+	optional_policy(`
-+		xserver_read_home_fonts(nsplugin_config_t)
-+	')
++fs_list_inotifyfs(nsplugin_config_t)
 +
-+	optional_policy(`
-+		mozilla_read_user_home_files(user, nsplugin_config_t)
-+	')
++can_exec(nsplugin_config_t, nsplugin_rw_t)
++manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++
++manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
++manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
++
++corecmd_exec_bin(nsplugin_config_t)
++corecmd_exec_shell(nsplugin_config_t)
++
++kernel_read_system_state(nsplugin_config_t)
++
++files_read_etc_files(nsplugin_config_t)
++files_read_usr_files(nsplugin_config_t)
++files_dontaudit_search_home(nsplugin_config_t)
++files_list_tmp(nsplugin_config_t)
++
++auth_use_nsswitch(nsplugin_config_t)
++
++libs_use_ld_so(nsplugin_config_t)
++libs_use_shared_libs(nsplugin_config_t)
++
++miscfiles_read_localization(nsplugin_config_t)
++miscfiles_read_fonts(nsplugin_config_t)
++
++userdom_search_all_users_home_content(nsplugin_config_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_dirs(nsplugin_t)
++	fs_manage_nfs_files(nsplugin_t)
++	fs_manage_nfs_dirs(nsplugin_config_t)
++	fs_manage_nfs_files(nsplugin_config_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_dirs(nsplugin_t)
++	fs_manage_cifs_files(nsplugin_t)
++	fs_manage_cifs_dirs(nsplugin_config_t)
++	fs_manage_cifs_files(nsplugin_config_t)
++')
++
++domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
++
++optional_policy(`
++	xserver_read_home_fonts(nsplugin_config_t)
++')
++
++optional_policy(`
++	mozilla_read_user_home_files(user, nsplugin_config_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.4.2/policy/modules/apps/openoffice.fc
 --- nsaserefpolicy/policy/modules/apps/openoffice.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.4.2/policy/modules/apps/openoffice.fc	2008-06-12 23:37:51.000000000 -0400
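Review bot: `files_read_config_files(nsplugin_t)` grants read access to every type carrying the generic configfile attribute, which is broader than the "read mplayer config files" the changelog describes, and nothing in the hunk records that intent; if the mplayer module exports an interface for its config type, that would keep the plugin domain tighter, and otherwise the line should carry a comment such as `# Allow nsplugin to read mplayer config files (3.4.2-9)`. `files_list_tmp(nsplugin_config_t)` is the other functional addition and has no rationale in either the hunk or the changelog. Nearly all other lines in this hunk only drop one level of indentation, so the two new grants are easy to miss in review; a separate whitespace-only change would have made them visible. The nsplugin.te file continues outside this hunk.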
@@ -9278,7 +9310,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.4.2/policy/modules/services/aide.if
 --- nsaserefpolicy/policy/modules/services/aide.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/aide.if	2008-06-12 23:37:52.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/aide.if	2008-06-30 16:04:01.000000000 -0400
 @@ -70,9 +70,11 @@
  	allow $1 aide_t:process { ptrace signal_perms };
  	ps_process_pattern($1, aide_t)
@@ -12440,7 +12472,7 @@
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.4.2/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/cron.if	2008-06-12 23:37:52.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/cron.if	2008-06-30 08:30:16.000000000 -0400
 @@ -35,38 +35,23 @@
  #
  template(`cron_per_role_template',`
@@ -13655,10 +13687,20 @@
 +
 +sysadm_dontaudit_read_home_content_files(cups_pdf_t)
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-3.4.2/policy/modules/services/cvs.fc
+--- nsaserefpolicy/policy/modules/services/cvs.fc	2008-06-12 23:25:05.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/cvs.fc	2008-06-30 16:00:10.000000000 -0400
+@@ -5,3 +5,6 @@
+ 
+ /var/cvs(/.*)?		gen_context(system_u:object_r:cvs_data_t,s0)
+ 
++#CVSWeb file context
++/usr/share/cvsweb/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
++/var/www/cgi-bin/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.4.2/policy/modules/services/cvs.if
 --- nsaserefpolicy/policy/modules/services/cvs.if	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/cvs.if	2008-06-12 23:37:52.000000000 -0400
-@@ -36,3 +36,72 @@
++++ serefpolicy-3.4.2/policy/modules/services/cvs.if	2008-06-30 16:04:16.000000000 -0400
+@@ -36,3 +36,70 @@
  
  	can_exec($1,cvs_exec_t)
  ')
@@ -13706,15 +13748,13 @@
 +#
 +interface(`cvs_admin',`
 +	gen_require(`
-+		type cvs_t;
++		type cvs_t, cvs_tmp_t;
++		type cvs_data_t, cvs_var_run_t;
 +		type cvs_script_exec_t;
-+		type cvs_tmp_t;
-+		type cvs_data_t;
-+		type cvs_var_run_t;
 +	')
 +
-+	allow $1 cvs_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, cvs_t, cvs_t)
++	allow $1 cvs_t:process { ptrace signal_perms };
++	ps_process_pattern($1, cvs_t)
 +	        
 +	# Allow cvs_t to restart the apache service
 +	cvs_script_domtrans($1)
@@ -13733,7 +13773,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.4.2/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/cvs.te	2008-06-12 23:37:51.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/cvs.te	2008-06-30 16:00:42.000000000 -0400
 @@ -28,6 +28,9 @@
  type cvs_var_run_t;
  files_pid_file(cvs_var_run_t)
@@ -13761,15 +13801,23 @@
  mta_send_mail(cvs_t)
  
  # cjp: typeattribute doesnt work in conditionals yet
-@@ -102,11 +104,3 @@
- 	kerberos_read_config(cvs_t)
+@@ -103,10 +105,13 @@
  	kerberos_dontaudit_write_config(cvs_t)
  ')
--
+ 
 -optional_policy(`
 -	nis_use_ypbind(cvs_t)
 -')
--
++########################################
++# CVSWeb policy
++
++apache_content_template(cvs)
++
++read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
++manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t)
++manage_files_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t)
++files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
+ 
 -optional_policy(`
 -	nscd_socket_use(cvs_t)
 -')
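Review bot: `manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t)` names a type `httpd_cvs_script_t_t` that nothing declares; `apache_content_template(cvs)` two lines above yields `httpd_cvs_script_t`, which the surrounding lines use, so this line should fail at policy build time as an undeclared type, and the change is `manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)`. Since `read_files_pattern` only grants search on cvs_data_t directories, a CGI that browses the repository tree will presumably also need directory listing on cvs_data_t; verify against the CVSWeb denials before shipping. The argument spacing in the new block is also inconsistent with the rest of cvs.te (`, ` elsewhere, none here).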
@@ -15531,7 +15579,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.4.2/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/exim.te	2008-06-12 23:37:52.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/exim.te	2008-06-30 13:59:08.000000000 -0400
 @@ -21,9 +21,20 @@
  ## </desc>
  gen_tunable(exim_manage_user_files,false)
@@ -15621,7 +15669,7 @@
  files_read_etc_files(exim_t)
  
  auth_use_nsswitch(exim_t)
-@@ -99,23 +125,90 @@
+@@ -99,23 +125,95 @@
  logging_send_syslog_msg(exim_t)
  
  miscfiles_read_localization(exim_t)
@@ -15671,7 +15719,7 @@
 +	tunable_policy(`exim_can_connect_db',`
 +		mysql_stream_connect(exim_t)
 +	')
- ')
++')
 +
 +optional_policy(`
 +	tunable_policy(`exim_can_connect_db',`
@@ -15686,13 +15734,18 @@
 +
 +optional_policy(`
 +	procmail_domtrans(exim_t)
-+')
+ ')
 +
 +optional_policy(`
 +	sasl_connect(exim_t)
 +')
 +
 +optional_policy(`
++	cron_read_pipes(exim_t)
++	cron_rw_system_job_pipes(exim_t)
++')
++
++optional_policy(`
 +	cyrus_stream_connect(exim_t)
 +')
 +
@@ -17602,18 +17655,23 @@
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.4.2/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/mta.fc	2008-06-12 23:37:52.000000000 -0400
-@@ -11,8 +11,10 @@
++++ serefpolicy-3.4.2/policy/modules/services/mta.fc	2008-06-30 13:24:59.000000000 -0400
+@@ -11,6 +11,7 @@
  /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  
  /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 +/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  /usr/sbin/sendmail\.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
  /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
- /var/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
  
+@@ -21,7 +22,3 @@
+ /var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
+ /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+ /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
+-
+-#ifdef(`postfix.te', `', `
+-#/var/spool/postfix(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
+-#')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.4.2/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2008-06-12 23:25:05.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/services/mta.if	2008-06-12 23:37:52.000000000 -0400
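Review bot: Dropping `/usr/lib/courier/bin/sendmail` from mta.fc means that binary is now labeled sendmail_exec_t only if the new courier module carries an equivalent file context and is actually loaded; on a system where courier is disabled in modules.conf, the file falls back to the generic /usr/lib label and the mta domain transition for courier's sendmail wrapper no longer happens. If the courier module's .fc does provide this context, a note in the commit message or a comment in the courier .fc (`# moved here from mta.fc`) would make the dependency visible; otherwise this line should stay in mta.fc. The removal of the commented-out postfix `ifdef` lines is fine.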
@@ -17809,7 +17867,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/mta.te	2008-06-24 05:41:16.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/mta.te	2008-06-30 08:33:53.000000000 -0400
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -17944,11 +18002,12 @@
  optional_policy(`
  	# why is mail delivered to a directory of type arpwatch_data_t?
  	arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +214,4 @@
+@@ -154,3 +214,5 @@
  		cron_read_system_job_tmp_files(mta_user_agent)
  	')
  ')
 +
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.4.2/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2008-06-12 23:25:05.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/services/munin.fc	2008-06-12 23:37:52.000000000 -0400
@@ -20071,8 +20130,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.4.2/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.4.2/policy/modules/services/polkit.te	2008-06-12 23:37:52.000000000 -0400
-@@ -0,0 +1,219 @@
++++ serefpolicy-3.4.2/policy/modules/services/polkit.te	2008-06-30 10:21:36.000000000 -0400
+@@ -0,0 +1,221 @@
 +policy_module(polkit_auth,1.0.0)
 +
 +########################################
@@ -20229,6 +20288,8 @@
 +
 +polkit_domtrans_auth(polkit_grant_t)
 +
++manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t)
++
 +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)
 +userdom_read_all_users_state(polkit_grant_t)
 +
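Review bot: The added `manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t)` omits the spaces after commas that the next line in the same file uses, so it should read `manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t)`. Manage access on the pid directory type usually goes together with a pid filetrans so that files polkit_grant_t creates under /var/run get the right label; I cannot see from this hunk whether one exists elsewhere in polkit.te, so please confirm.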
@@ -21284,7 +21345,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/prelude.te	2008-06-24 06:34:11.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/prelude.te	2008-06-30 15:20:18.000000000 -0400
 @@ -19,12 +19,31 @@
  type prelude_var_lib_t;
  files_type(prelude_var_lib_t)
@@ -21343,11 +21404,15 @@
  
  dev_read_rand(prelude_audisp_t)
  dev_read_urand(prelude_audisp_t)
-@@ -126,6 +150,80 @@
+@@ -123,9 +147,84 @@
+ libs_use_shared_libs(prelude_audisp_t)
+ 
+ logging_send_syslog_msg(prelude_audisp_t)
++logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t)
  
  miscfiles_read_localization(prelude_audisp_t)
  
-+logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t)
++sysnet_dns_name_resolve(prelude_audisp_t)
 +
 +########################################
 +#
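Review bot: `sysnet_dns_name_resolve(prelude_audisp_t)` gives the audisp plugin network name resolution without any comment explaining why an audit dispatcher child needs it, and the change is not mentioned in the changelog; a one-line comment above it (for example `# audisp plugin resolves the prelude-manager address`) would record the reason the grant was added. Moving `logging_audisp_system_domain` next to the other logging calls is fine. The prelude_audisp_t section continues outside this hunk.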
@@ -21424,7 +21489,7 @@
  ########################################
  #
  # prewikka_cgi Declarations
-@@ -135,6 +233,10 @@
+@@ -135,6 +234,10 @@
  	apache_content_template(prewikka)
  	files_read_etc_files(httpd_prewikka_script_t)
  
@@ -23779,7 +23844,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.4.2/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/sendmail.te	2008-06-12 23:37:51.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/sendmail.te	2008-06-30 08:31:37.000000000 -0400
 @@ -20,13 +20,17 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -27522,7 +27587,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.2/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/xserver.te	2008-06-14 07:13:56.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/xserver.te	2008-06-29 08:15:37.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -27803,7 +27868,7 @@
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
  	gpm_setattr_gpmctl(xdm_t)
-@@ -382,16 +472,26 @@
+@@ -382,16 +472,32 @@
  ')
  
  optional_policy(`
@@ -27811,6 +27876,12 @@
 +	polkit_read_lib(xdm_t)
 +')
 +
++# On crash gdm execs gdb to dump stack
++optional_policy(`
++	rpm_read_db(xdm_t)
++	rpm_dontaudit_manage_db(xdm_t)
++')
++
 +optional_policy(`
  	seutil_sigchld_newrole(xdm_t)
  ')
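Review bot: The comment `# On crash gdm execs gdb to dump stack` explains the trigger but not why the rpm database is involved, and `rpm_dontaudit_manage_db(xdm_t)` silently hides any write attempts to the database, so a later failure in that crash path will leave no AVC trace. Suggest expanding the comment to something like `# On crash gdm execs gdb, which queries the rpm database for debuginfo; its write attempts to the db are expected to fail silently`, so the dontaudit is understood as intentional rather than a missing grant. If gdb only needs to read, `rpm_read_db` alone might already be enough once the denials are confirmed to be harmless.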
@@ -27831,7 +27902,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -427,7 +527,7 @@
+@@ -427,7 +533,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -27840,7 +27911,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -439,6 +539,15 @@
+@@ -439,6 +545,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -27856,7 +27927,7 @@
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -450,10 +559,19 @@
+@@ -450,10 +565,19 @@
  # xdm_xserver_t may no longer have any reason
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
@@ -27877,7 +27948,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -468,7 +586,18 @@
+@@ -468,7 +592,18 @@
  
  optional_policy(`
  	dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
@@ -27897,7 +27968,7 @@
  ')
  
  optional_policy(`
-@@ -481,16 +610,32 @@
+@@ -481,16 +616,32 @@
  ')
  
  optional_policy(`
@@ -27938,7 +28009,7 @@
  ')
  
  ########################################
-@@ -544,3 +689,10 @@
+@@ -544,3 +695,10 @@
  #
  allow pam_t xdm_t:fifo_file { getattr ioctl write };
  ') dnl end TODO
@@ -28174,7 +28245,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.4.2/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/system/authlogin.if	2008-06-12 23:37:53.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/authlogin.if	2008-06-30 16:47:52.000000000 -0400
 @@ -56,10 +56,6 @@
  	miscfiles_read_localization($1_chkpwd_t)
  
@@ -28232,7 +28303,15 @@
  	# for SSP/ProPolice
  	dev_read_urand($1)
  	# for fingerprint readers
-@@ -226,8 +239,39 @@
+@@ -216,6 +229,7 @@
+ 	auth_rw_faillog($1)
+ 	auth_exec_pam($1)
+ 	auth_use_nsswitch($1)
++	auth_manage_pam_pid($1)
+ 
+ 	init_rw_utmp($1)
+ 
+@@ -226,8 +240,39 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
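Review bot: `auth_manage_pam_pid($1)` is added inside a template applied to every login-program domain, so each of those domains gains create/delete rights on the PAM pid directory type, not just read/write; if a narrower read/write interface for that type exists in authlogin.if it would be the safer default, and either way a comment above the line stating which PAM module requires it would help the next reviewer. The enclosing template starts and ends outside this hunk, so I cannot see whether the template already has a pid filetrans that this grant complements.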
@@ -28272,7 +28351,7 @@
  	')
  ')
  
-@@ -333,19 +377,15 @@
+@@ -333,19 +378,15 @@
  	dev_read_rand($1)
  	dev_read_urand($1)
  
@@ -28296,7 +28375,7 @@
  	')
  
  	optional_policy(`
-@@ -356,6 +396,28 @@
+@@ -356,6 +397,28 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -28325,7 +28404,7 @@
  ')
  
  ########################################
-@@ -369,12 +431,12 @@
+@@ -369,12 +432,12 @@
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -28340,7 +28419,7 @@
  ##	</summary>
  ## </param>
  #
-@@ -386,6 +448,7 @@
+@@ -386,6 +449,7 @@
  	auth_domtrans_chk_passwd($1)
  	role $2 types system_chkpwd_t;
  	allow system_chkpwd_t $3:chr_file rw_file_perms;
@@ -28348,7 +28427,7 @@
  ')
  
  ########################################
-@@ -1447,6 +1510,10 @@
+@@ -1447,6 +1511,10 @@
  	')
  
  	optional_policy(`
@@ -28359,7 +28438,7 @@
  		nis_use_ypbind($1)
  	')
  
-@@ -1457,6 +1524,7 @@
+@@ -1457,6 +1525,7 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  		samba_read_var_files($1)
@@ -28367,7 +28446,7 @@
  	')
  ')
  
-@@ -1491,3 +1559,59 @@
+@@ -1491,3 +1560,59 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -28630,6 +28709,17 @@
  role system_r types hostname_t;
  
  ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.4.2/policy/modules/system/hotplug.te
+--- nsaserefpolicy/policy/modules/system/hotplug.te	2008-06-12 23:25:07.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/hotplug.te	2008-06-30 13:18:01.000000000 -0400
+@@ -121,6 +121,7 @@
+ 	optional_policy(`
+ 		# for arping used for static IP addresses on PCMCIA ethernet
+ 		netutils_domtrans(hotplug_t)
++		netutils_signal(hotplug_t)
+ 		fs_rw_tmpfs_chr_files(hotplug_t)
+ 	')
+ 	files_getattr_generic_locks(hotplug_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.4.2/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2008-06-12 23:25:07.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/system/init.fc	2008-06-12 23:37:53.000000000 -0400


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.677
retrieving revision 1.678
diff -u -r1.677 -r1.678
--- selinux-policy.spec	26 Jun 2008 12:12:35 -0000	1.677
+++ selinux-policy.spec	30 Jun 2008 20:52:56 -0000	1.678
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.4.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -375,6 +375,10 @@
 %endif
 
 %changelog
+* Sun Jun 29 2008 Dan Walsh <dwalsh at redhat.com> 3.4.2-9
+- Allow gdm to read rpm database
+- Allow nsplugin to read mplayer config files
+
 * Thu Jun 26 2008 Dan Walsh <dwalsh at redhat.com> 3.4.2-8
 - Allow vpnc to run ifconfig
 



