rpms/selinux-policy/F-8 modules-targeted.conf, 1.74, 1.75 policy-20070703.patch, 1.195, 1.196 selinux-policy.spec, 1.621, 1.622
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Mar 20 20:29:29 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21073
Modified Files:
modules-targeted.conf policy-20070703.patch
selinux-policy.spec
Log Message:
* Tue Mar 18 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-95
- Allow rythmbox to talk to avahi
- Add prewikka policy
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/modules-targeted.conf,v
retrieving revision 1.74
retrieving revision 1.75
diff -u -r1.74 -r1.75
--- modules-targeted.conf 15 Feb 2008 21:41:20 -0000 1.74
+++ modules-targeted.conf 20 Mar 2008 20:28:45 -0000 1.75
@@ -1571,3 +1571,9 @@
#
prelude = module
+# Layer: apps
+# Module: openoffice
+#
+# openoffice executable
+#
+openoffice = base
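Review bot: `openoffice = base` puts the new module into the base package, unlike the neighbouring application entry `prelude = module` at L32, and the entry's comment `# openoffice executable` does not explain the choice; a base module cannot be disabled or removed on its own with semodule, so the reason deserves a sentence. If it is that user modules invoke `openoffice_per_role_template` and need its types present, record it: `# OpenOffice.org office suite (per-role templates used by user modules)`. Otherwise `module` matches the rest of the apps layer.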
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.195
retrieving revision 1.196
diff -u -r1.195 -r1.196
--- policy-20070703.patch 17 Mar 2008 19:49:30 -0000 1.195
+++ policy-20070703.patch 20 Mar 2008 20:28:45 -0000 1.196
@@ -3043,7 +3043,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-03-06 11:18:15.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-03-18 17:02:11.000000000 -0400
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -3052,7 +3052,7 @@
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,13 @@
+@@ -20,5 +21,10 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -3064,9 +3064,6 @@
+/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
-+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
-+
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-10-22 13:21:40.000000000 -0400
@@ -3885,6 +3882,247 @@
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.0.8/policy/modules/apps/openoffice.fc
+--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/openoffice.fc 2008-03-18 17:02:25.000000000 -0400
+@@ -0,0 +1,3 @@
++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
++/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.0.8/policy/modules/apps/openoffice.if
+--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/openoffice.if 2008-03-18 17:02:25.000000000 -0400
+@@ -0,0 +1,212 @@
++## <summary>Openoffice</summary>
++
++#######################################
++## <summary>
++## The per role template for the openoffice module.
++## </summary>
++## <desc>
++## <p>
++## This template creates a derived domains which are used
++## for openoffice plugins that are executed by a browser.
++## </p>
++## <p>
++## This template is invoked automatically for each user, and
++## generally does not need to be invoked directly
++## by policy writers.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++## <param name="user_role">
++## <summary>
++## The role associated with the user domain.
++## </summary>
++## </param>
++#
++template(`openoffice_plugin_per_role_template',`
++ gen_require(`
++ type openoffice_exec_t;
++ ')
++
++ ########################################
++ #
++ # Declarations
++ #
++
++ type $1_openofficeplugin_t;
++ application_domain($1_openofficeplugin_t,openoffice_exec_t)
++ role $3 types $1_openofficeplugin_t;
++
++ type $1_openofficeplugin_tmp_t;
++ files_tmp_file($1_openofficeplugin_tmp_t)
++
++ type $1_openofficeplugin_tmpfs_t;
++ files_tmpfs_file($1_openofficeplugin_tmpfs_t)
++
++ ########################################
++ #
++ # Local policy
++ #
++
++ allow $1_openofficeplugin_t self:process { execmem execstack signal_perms getsched ptrace setsched };
++ allow $1_openofficeplugin_t self:fifo_file rw_fifo_file_perms;
++ allow $1_openofficeplugin_t self:tcp_socket create_stream_socket_perms;
++ allow $1_openofficeplugin_t self:udp_socket create_socket_perms;
++
++ allow $1_openofficeplugin_t $1_t:process signull;
++ allow $1_openofficeplugin_t $1_t:unix_stream_socket connectto;
++ allow $1_t $1_openofficeplugin_t:unix_stream_socket connectto;
++ allow $1_openofficeplugin_t $2:unix_stream_socket connectto;
++ allow $1_openofficeplugin_t $2:tcp_socket { read write };
++
++ manage_dirs_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,$1_openofficeplugin_tmp_t)
++ manage_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,$1_openofficeplugin_tmp_t)
++ files_tmp_filetrans($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,{ file dir })
++ allow $1_openofficeplugin_t $1_openofficeplugin_tmp_t:file execute;
++
++ manage_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
++ manage_lnk_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
++ manage_fifo_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
++ manage_sock_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
++ fs_tmpfs_filetrans($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,{ file lnk_file sock_file fifo_file })
++
++ can_exec($1_openofficeplugin_t, openoffice_exec_t)
++
++ domtrans_pattern($2, openoffice_exec_t, $1_openofficeplugin_t)
++ # Unrestricted inheritance from the caller.
++ allow $2 $1_openofficeplugin_t:process { noatsecure siginh rlimitinh };
++ allow $1_openofficeplugin_t $2:process signull;
++
++ kernel_read_all_sysctls($1_openofficeplugin_t)
++ kernel_search_vm_sysctl($1_openofficeplugin_t)
++ kernel_read_network_state($1_openofficeplugin_t)
++ kernel_read_system_state($1_openofficeplugin_t)
++
++ # Search bin directory under openofficeplugin for openofficeplugin executable
++ corecmd_exec_bin($1_openofficeplugin_t)
++
++ corenet_all_recvfrom_unlabeled($1_openofficeplugin_t)
++ corenet_all_recvfrom_netlabel($1_openofficeplugin_t)
++ corenet_tcp_sendrecv_generic_if($1_openofficeplugin_t)
++ corenet_udp_sendrecv_generic_if($1_openofficeplugin_t)
++ corenet_tcp_sendrecv_all_nodes($1_openofficeplugin_t)
++ corenet_udp_sendrecv_all_nodes($1_openofficeplugin_t)
++ corenet_tcp_sendrecv_all_ports($1_openofficeplugin_t)
++ corenet_udp_sendrecv_all_ports($1_openofficeplugin_t)
++ corenet_tcp_connect_all_ports($1_openofficeplugin_t)
++ corenet_sendrecv_all_client_packets($1_openofficeplugin_t)
++
++ dev_list_sysfs($1_openofficeplugin_t)
++ dev_read_sound($1_openofficeplugin_t)
++ dev_write_sound($1_openofficeplugin_t)
++ dev_read_urand($1_openofficeplugin_t)
++ dev_read_rand($1_openofficeplugin_t)
++ dev_write_rand($1_openofficeplugin_t)
++
++ files_read_etc_files($1_openofficeplugin_t)
++ files_read_usr_files($1_openofficeplugin_t)
++ files_search_home($1_openofficeplugin_t)
++ files_search_var_lib($1_openofficeplugin_t)
++ files_read_etc_runtime_files($1_openofficeplugin_t)
++ # Read global fonts and font config
++ files_read_etc_files($1_openofficeplugin_t)
++
++ fs_getattr_xattr_fs($1_openofficeplugin_t)
++ fs_dontaudit_rw_tmpfs_files($1_openofficeplugin_t)
++ fs_getattr_tmpfs($1_openofficeplugin_t)
++
++ auth_use_nsswitch($1_openofficeplugin_t)
++
++ libs_use_ld_so($1_openofficeplugin_t)
++ libs_use_shared_libs($1_openofficeplugin_t)
++
++ logging_send_syslog_msg($1_openofficeplugin_t)
++
++ miscfiles_read_localization($1_openofficeplugin_t)
++ # Read global fonts and font config
++ miscfiles_read_fonts($1_openofficeplugin_t)
++
++ userdom_manage_unpriv_users_home_content_files($1_openofficeplugin_t)
++ userdom_dontaudit_use_user_terminals($1,$1_openofficeplugin_t)
++ userdom_dontaudit_setattr_user_home_content_files($1,$1_openofficeplugin_t)
++ userdom_exec_user_home_content_files($1,$1_openofficeplugin_t)
++ userdom_manage_user_tmp_dirs($1,$1_openofficeplugin_t)
++ userdom_manage_user_tmp_files($1,$1_openofficeplugin_t)
++ userdom_manage_user_tmp_sockets($1,$1_openofficeplugin_t)
++ userdom_read_user_tmpfs_files($1,$1_openofficeplugin_t)
++ userdom_manage_user_home_content_dirs($1,$1_openofficeplugin_t)
++ userdom_manage_user_home_content_files($1,$1_openofficeplugin_t)
++ userdom_manage_user_home_content_symlinks($1,$1_openofficeplugin_t)
++ userdom_manage_user_home_content_pipes($1,$1_openofficeplugin_t)
++ userdom_manage_user_home_content_sockets($1,$1_openofficeplugin_t)
++ userdom_user_home_dir_filetrans_user_home_content($1,$1_openofficeplugin_t,{ file lnk_file sock_file fifo_file })
++
++ optional_policy(`
++ xserver_user_x_domain_template($1,$1_openofficeplugin,$1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t)
++ ')
++
++')
++
++#######################################
++## <summary>
++## The per role template for the openoffice module.
++## </summary>
++## <desc>
++## <p>
++## This template creates a derived domains which are used
++## for openoffice applications.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++## <param name="user_role">
++## <summary>
++## The role associated with the user domain.
++## </summary>
++## </param>
++#
++template(`openoffice_per_role_template',`
++ gen_require(`
++ type openoffice_exec_t;
++ ')
++
++ type $1_openoffice_t;
++ domain_type($1_openoffice_t)
++ domain_entry_file($1_openoffice_t,openoffice_exec_t)
++ role $3 types $1_openoffice_t;
++
++ domain_interactive_fd($1_openoffice_t)
++
++ userdom_unpriv_usertype($1, $1_openoffice_t)
++ userdom_exec_user_home_content_files($1,$1_openoffice_t)
++
++ allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
++
++ allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
++ allow $1_openoffice_t $2:tcp_socket { read write };
++
++ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)
++
++ dev_read_urand($1_openoffice_t)
++ dev_read_rand($1_openoffice_t)
++
++ fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.0.8/policy/modules/apps/openoffice.te
+--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/openoffice.te 2008-03-18 17:02:25.000000000 -0400
+@@ -0,0 +1,14 @@
++
++policy_module(openoffice,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openoffice_t;
++type openoffice_exec_t;
++application_domain(openoffice_t,openoffice_exec_t)
++
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.if serefpolicy-3.0.8/policy/modules/apps/slocate.if
--- nsaserefpolicy/policy/modules/apps/slocate.if 2007-10-22 13:21:40.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/slocate.if 2008-01-17 09:03:07.000000000 -0500
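Review bot: Both new templates emit a type transition from the same caller over the same entrypoint — `domtrans_pattern($2, openoffice_exec_t, $1_openofficeplugin_t)` at L173 and `domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)` at L295 — so if a user module ever invokes both for one user domain the two `type_transition` rules conflict and linking should fail; a comment on each template stating that they are mutually exclusive per caller would prevent that. `files_read_etc_files($1_openofficeplugin_t)` is called twice (L204 and L210), and the comment above the second call, `# Read global fonts and font config`, belongs to the `miscfiles_read_fonts` call at L225, so the L209-L210 pair should go. The second template's summary repeats the first's word for word; `## The per role template for openoffice run directly by the user (not the browser plugin).` would distinguish them. openoffice.te declares `openoffice_t` with `application_domain` but nothing in the patch references it, so it is a domain with no rules; either drop it or note what it is reserved for. The plugin domain also gets `ptrace` on self, `corenet_tcp_connect_all_ports` and `userdom_manage_unpriv_users_home_content_files`, which is wide for a browser plugin — a line per grant naming the feature that needs it would make later narrowing possible.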
@@ -7949,8 +8187,36 @@
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.0.8/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/clamav.if 2008-03-17 09:23:39.000000000 -0400
-@@ -91,3 +91,22 @@
++++ serefpolicy-3.0.8/policy/modules/services/clamav.if 2008-03-20 09:40:44.000000000 -0400
+@@ -38,6 +38,27 @@
+
+ ########################################
+ ## <summary>
++## Allow the specified domain to append
++## to clamav log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`clamav_append_log',`
++ gen_require(`
++ type clamav_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 clamav_log_t:dir list_dir_perms;
++ append_files_pattern($1,clamav_log_t,clamav_log_t)
++')
++
++########################################
++## <summary>
+ ## Read clamav configuration files.
+ ## </summary>
+ ## <param name="domain">
+@@ -91,3 +112,22 @@
domtrans_pattern($1,clamscan_exec_t,clamscan_t)
')
@@ -10605,6 +10871,20 @@
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.0.8/policy/modules/services/inetd.if
+--- nsaserefpolicy/policy/modules/services/inetd.if 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/inetd.if 2008-03-18 14:30:37.000000000 -0400
+@@ -115,6 +115,10 @@
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+ allow $1 inetd_t:udp_socket rw_socket_perms;
++
++ optional_policy(`
++ stunnel_service_domain($1,$2)
++ ')
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2008-01-17 09:03:07.000000000 -0500
@@ -11195,6 +11475,17 @@
+
+type mailscanner_spool_t;
+files_type(mailscanner_spool_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.0.8/policy/modules/services/mta.fc
+--- nsaserefpolicy/policy/modules/services/mta.fc 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.fc 2008-03-19 08:31:28.000000000 -0400
+@@ -11,6 +11,7 @@
+ /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+ /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2008-02-11 18:09:47.000000000 -0500
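Review bot: The new `/bin/mail` entry is inserted between two `/usr/sbin` lines, while file-context files keep entries in path order; move it above `/usr/lib(64)?/sendmail`. Labeling the mail user agent `sendmail_exec_t` means every domain with a sendmail transition rule now enters the mail-sender domain when it runs `mail`, which appears to be the intent but is worth a comment, e.g. `# mail(1) runs in the mta sender domain like sendmail`. If the same package also installs the binary as `/bin/mailx`, a pattern such as `/bin/mail(x)?` would cover both — confirm against the package's file list.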
@@ -11407,7 +11698,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-03-06 11:57:46.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-03-20 09:45:22.000000000 -0400
@@ -1,11 +1,13 @@
-policy_module(mta,1.7.1)
@@ -11431,7 +11722,7 @@
mta_base_mail_template(system)
role system_r types system_mail_t;
-@@ -37,30 +40,43 @@
+@@ -37,30 +40,45 @@
#
# newalias required this, not sure if it is needed in 'if' file
@@ -11444,6 +11735,8 @@
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
++logging_append_all_logs(system_mail_t)
++
+dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
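Review bot: `logging_append_all_logs(system_mail_t)` at L417 gives the mail sender domain append access to every log file type in the policy, which is far broader than the `clamav_append_log(system_mail_t)` added by the same patch at L444 and makes that narrower interface redundant. Append-only access still lets a misbehaving or compromised mailer insert spurious records into logs that other tools rely on, so a targeted interface is preferable when the actual need is a single log. If another log really is required, name it in a comment above the call so the rule can be narrowed later, e.g. `# appends to <WHICH LOG -- fill in>; replace with a dedicated interface when one exists`. The enclosing block of system_mail_t rules continues outside this hunk.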
@@ -11476,7 +11769,7 @@
')
optional_policy(`
-@@ -73,6 +89,7 @@
+@@ -73,6 +91,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@@ -11484,7 +11777,7 @@
cron_dontaudit_write_pipes(system_mail_t)
')
-@@ -81,6 +98,11 @@
+@@ -81,6 +100,11 @@
')
optional_policy(`
@@ -11496,11 +11789,12 @@
logrotate_read_tmp_files(system_mail_t)
')
-@@ -136,11 +158,37 @@
+@@ -136,11 +160,38 @@
')
optional_policy(`
+ clamav_stream_connect(system_mail_t)
++ clamav_append_log(system_mail_t)
+')
+
+optional_policy(`
@@ -11535,7 +11829,7 @@
optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +202,4 @@
+@@ -154,3 +205,4 @@
cron_read_system_job_tmp_files(mta_user_agent)
')
')
@@ -13555,8 +13849,8 @@
allow pptp_t self:fifo_file { read write };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.0.8/policy/modules/services/prelude.fc
--- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/prelude.fc 2008-02-15 15:35:36.000000000 -0500
-@@ -0,0 +1,14 @@
++++ serefpolicy-3.0.8/policy/modules/services/prelude.fc 2008-03-18 15:09:48.000000000 -0400
+@@ -0,0 +1,13 @@
+
+/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0)
+
@@ -13569,8 +13863,7 @@
+/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
+/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
-+
-+
++/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.0.8/policy/modules/services/prelude.if
--- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/prelude.if 2008-02-15 15:35:36.000000000 -0500
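Review bot: `/usr/share/prewikka/cgi-bin(/.*)?` is appended after the `/var/spool` entries, while the rest of the file is ordered by path, so it belongs with the `/usr` entries. Its type `httpd_prewikka_script_exec_t` is only created inside the `optional_policy` apache block in prelude.te (L499-L500 of this patch), so on a system without the apache module the file-context entry names a type the policy never declares — confirm that the module build and file-context validation tolerate that before relying on it.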
@@ -13705,8 +13998,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.0.8/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/prelude.te 2008-02-15 15:35:36.000000000 -0500
-@@ -0,0 +1,142 @@
++++ serefpolicy-3.0.8/policy/modules/services/prelude.te 2008-03-18 15:09:38.000000000 -0400
+@@ -0,0 +1,162 @@
+policy_module(prelude,1.0.0)
+
+########################################
@@ -13849,6 +14142,26 @@
+corenet_tcp_connect_prelude_port(audisp_prelude_t)
+
+allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;
++
++########################################
++#
++# prewikka_cgi Declarations
++#
++
++optional_policy(`
++ apache_content_template(prewikka)
++ files_read_etc_files(httpd_prewikka_script_t)
++
++ optional_policy(`
++ mysql_search_db(httpd_prewikka_script_t)
++ mysql_stream_connect(httpd_prewikka_script_t)
++ ')
++
++ optional_policy(`
++ postgresql_stream_connect(httpd_prewikka_script_t)
++ ')
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.0.8/policy/modules/services/procmail.fc
--- nsaserefpolicy/policy/modules/services/procmail.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/procmail.fc 2008-02-04 13:40:59.000000000 -0500
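Review bot: The header `# prewikka_cgi Declarations` at L496 describes the block as declarations, but it also carries access rules (`files_read_etc_files`, the mysql and postgresql connects), and the `optional_policy` at L499 does not say which module it depends on; rename the header to `# prewikka web front-end (CGI scripts under apache)` and add `# requires apache` above the block. `files_read_etc_files(httpd_prewikka_script_t)` is presumably there for the prewikka configuration; if that file holds database credentials, a dedicated type under `/etc` would keep it away from every domain that can read generic `etc_t` — confirm what the CGI actually reads. The rest of prelude.te lies outside the hunk.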
@@ -15636,7 +15949,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-02-26 09:15:49.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-03-18 14:42:12.000000000 -0400
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -15700,7 +16013,12 @@
libs_use_ld_so(sendmail_t)
libs_use_shared_libs(sendmail_t)
-@@ -94,30 +105,34 @@
+@@ -90,34 +101,39 @@
+ libs_read_lib_files(sendmail_t)
+
+ logging_send_syslog_msg(sendmail_t)
++logging_dontaudit_write_generic_logs(sendmail_t)
+
miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
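Review bot: `logging_dontaudit_write_generic_logs(sendmail_t)` at L533 suppresses the audit record for writes to `var_log_t` files without saying what triggers them; a dontaudit hides exactly the evidence a defender needs if sendmail is later pointed at a log file by mistake. Add a comment naming the cause and why the write is harmless, e.g. `# <cause -- fill in>: write attempts on generic logs are expected and harmless`. If the write is a real requirement, an allow on a dedicated log type is the better fix than silencing the denial. The enclosing sendmail_t rule block continues outside the hunk.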
@@ -15741,7 +16059,7 @@
')
optional_policy(`
-@@ -128,6 +143,11 @@
+@@ -128,6 +144,11 @@
optional_policy(`
procmail_domtrans(sendmail_t)
@@ -15753,7 +16071,7 @@
')
optional_policy(`
-@@ -135,24 +155,25 @@
+@@ -135,24 +156,25 @@
')
optional_policy(`
@@ -16630,6 +16948,34 @@
')
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.0.8/policy/modules/services/stunnel.if
+--- nsaserefpolicy/policy/modules/services/stunnel.if 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/stunnel.if 2008-03-18 14:30:06.000000000 -0400
+@@ -1 +1,24 @@
+ ## <summary>SSL Tunneling Proxy</summary>
++
++########################################
++## <summary>
++## Define the specified domain as a stunnel inetd service.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type associated with the stunnel inetd service process.
++## </summary>
++## </param>
++## <param name="entrypoint">
++## <summary>
++## The type associated with the process program.
++## </summary>
++## </param>
++#
++interface(`stunnel_service_domain',`
++ gen_require(`
++ type stunnel_t;
++ ')
++
++ domtrans_pattern(stunnel_t,$2,$1)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.0.8/policy/modules/services/stunnel.te
--- nsaserefpolicy/policy/modules/services/stunnel.te 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/stunnel.te 2008-01-17 09:03:07.000000000 -0500
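Review bot: `domtrans_pattern(stunnel_t,$2,$1)` lets stunnel_t execute the entrypoint of every service registered through the inetd service interface, because the inetd.if hunk (L367-L377) calls `stunnel_service_domain($1,$2)` from inside that interface; this is consistent with stunnel acting as an inetd-style wrapper, but the summary should say so: `## Define the specified domain as a stunnel inetd service; stunnel_t may execute the entrypoint and transition to the domain.` The `entrypoint` parameter text `The type associated with the process program.` is vague; `The entrypoint (executable file) type of the service.` states what is meant. The inetd.if change sits inside an interface whose start lies outside its hunk.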
@@ -19535,7 +19881,7 @@
# Sulogin local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.8/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.fc 2008-02-15 15:37:52.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/logging.fc 2008-03-18 14:40:43.000000000 -0400
@@ -1,12 +1,16 @@
-
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -19577,7 +19923,7 @@
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
-@@ -43,3 +57,9 @@
+@@ -43,3 +57,10 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -19587,9 +19933,10 @@
+
+
+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0)
++/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-02-29 15:22:06.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-03-18 14:41:41.000000000 -0400
@@ -34,6 +34,51 @@
#
interface(`logging_send_audit_msgs',`
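Review bot: `/var/cfengine/outputs(/.*)?` at L607 is appended after the `/var/run/audispd_events` entry, while logging.fc is otherwise kept in path order; place it with the other `/var` log entries. Labeling the directory generic `var_log_t` also means any domain with generic log write or append rights can modify cfengine's output; acceptable if that is the intent, but a comment such as `# cfengine agent output, treated as generic logs` makes it deliberate.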
@@ -19706,7 +20053,34 @@
')
########################################
-@@ -597,3 +657,272 @@
+@@ -539,6 +599,26 @@
+
+ ########################################
+ ## <summary>
++## Dontaudit Write generic log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`logging_dontaudit_write_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ files_search_var($1)
++ dontaudit $1 var_log_t:file write;
++')
++
++
++########################################
++## <summary>
+ ## Write generic log files.
+ ## </summary>
+ ## <param name="domain">
+@@ -597,3 +677,272 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
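Review bot: `files_search_var($1)` at L636 is an allow rule inside a dontaudit interface; `logging_dontaudit_write_generic_logs` therefore grants search on `var_t` to every caller, which an interface named dontaudit should never do. Dropping that line leaves `dontaudit $1 var_log_t:file write;` as the only rule, which is all the name promises. The summary `Dontaudit Write generic log files.` reads better as `Do not audit attempts to write generic log files.`, and the double blank line at L639-L640 can go.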
@@ -19981,7 +20355,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.te 2008-03-11 20:23:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.te 2008-03-19 15:31:48.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(logging,1.7.3)
@@ -20085,7 +20459,12 @@
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
-@@ -156,6 +177,16 @@
+@@ -153,9 +174,21 @@
+
+ seutil_dontaudit_read_config(auditd_t)
+
++sysnet_dns_name_resolve(auditd_t)
++
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
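Review bot: `sysnet_dns_name_resolve(auditd_t)` at L666 gives the audit daemon name-resolution network access with no comment; auditd is among the most trusted daemons on the host, so widening its network surface should say which feature needs it. Put `# name lookups for <feature -- fill in>` above the call; presumably hostname formatting in records or remote logging, but confirm. The enclosing auditd_t rule block continues outside the hunk.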
@@ -20102,7 +20481,7 @@
optional_policy(`
seutil_sigchld_newrole(auditd_t)
')
-@@ -194,6 +225,7 @@
+@@ -194,6 +227,7 @@
fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)
@@ -20110,7 +20489,7 @@
domain_use_interactive_fds(klogd_t)
-@@ -212,6 +244,12 @@
+@@ -212,6 +246,12 @@
userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
@@ -20123,7 +20502,7 @@
optional_policy(`
udev_read_db(klogd_t)
')
-@@ -241,12 +279,16 @@
+@@ -241,12 +281,16 @@
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -20140,7 +20519,7 @@
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -255,6 +297,9 @@
+@@ -255,6 +299,9 @@
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
@@ -20150,7 +20529,7 @@
allow syslogd_t syslogd_var_run_t:file manage_file_perms;
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
-@@ -300,6 +345,7 @@
+@@ -300,6 +347,7 @@
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
@@ -20158,7 +20537,7 @@
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
-@@ -312,6 +358,8 @@
+@@ -312,6 +360,8 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -20167,7 +20546,7 @@
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
-@@ -341,6 +389,12 @@
+@@ -341,6 +391,12 @@
files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
')
@@ -20180,7 +20559,7 @@
optional_policy(`
inn_manage_log(syslogd_t)
')
-@@ -365,3 +419,40 @@
+@@ -365,3 +421,40 @@
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -21997,7 +22376,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2008-02-26 17:33:09.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2008-03-18 09:58:06.000000000 -0400
@@ -5,36 +5,57 @@
#
# Declarations
@@ -22147,14 +22526,14 @@
optional_policy(`
- modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+-')
+-
+-optional_policy(`
+- mono_domtrans(unconfined_t)
+ mono_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
-
optional_policy(`
-- mono_domtrans(unconfined_t)
--')
--
--optional_policy(`
- mta_per_role_template(unconfined,unconfined_t,unconfined_r)
+ modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
@@ -22205,16 +22584,16 @@
optional_policy(`
- wine_domtrans(unconfined_t)
+ wine_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-+')
-+
-+optional_policy(`
-+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
-+ unconfined_domain(unconfined_mozilla_t)
-+ allow unconfined_mozilla_t self:process { execstack execmem };
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
++ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
++ unconfined_domain(unconfined_mozilla_t)
++ allow unconfined_mozilla_t self:process { execstack execmem };
++')
++
++optional_policy(`
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+')
+
@@ -22224,37 +22603,40 @@
')
########################################
-@@ -219,14 +236,43 @@
+@@ -219,14 +236,42 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
+allow unconfined_execmem_t unconfined_t:process transition;
optional_policy(`
+- dbus_stub(unconfined_execmem_t)
+ gen_require(`
+ type unconfined_dbusd_t;
+ ')
+ unconfined_domain(unconfined_dbusd_t)
-+
- dbus_stub(unconfined_execmem_t)
++')
++optional_policy(`
init_dbus_chat_script(unconfined_execmem_t)
++ dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
-+ dbus_connect_system_bus(unconfined_execmem_t)
+ unconfined_dbus_connect(unconfined_execmem_t)
-+
-+ optional_policy(`
-+ avahi_dbus_chat(unconfined_execmem_t)
-+ ')
++')
- optional_policy(`
- hal_dbus_chat(unconfined_execmem_t)
- ')
+- optional_policy(`
+- hal_dbus_chat(unconfined_execmem_t)
+- ')
++optional_policy(`
++ avahi_dbus_chat(unconfined_execmem_t)
++')
+
-+ optional_policy(`
-+ xserver_xdm_rw_shm(unconfined_execmem_t)
++optional_policy(`
++ hal_dbus_chat(unconfined_execmem_t)
++')
+
-+ ')
++optional_policy(`
++ xserver_xdm_rw_shm(unconfined_execmem_t)
')
+
+corecmd_exec_all_executables(unconfined_t)
@@ -24750,8 +25132,8 @@
+## <summary>Policy for xguest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.0.8/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2008-01-17 09:03:07.000000000 -0500
-@@ -0,0 +1,57 @@
++++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2008-03-18 17:05:47.000000000 -0400
+@@ -0,0 +1,62 @@
+policy_module(xguest,1.0.1)
+
+## <desc>
@@ -24781,6 +25163,11 @@
+ mozilla_per_role_template(xguest, xguest_t, xguest_r)
+')
+
++optional_policy(`
++ openoffice_per_role_template(xguest, xguest_usertype, xguest_r)
++')
++
++
+# Allow mounting of file systems
+optional_policy(`
+ tunable_policy(`xguest_mount_media',`
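Review bot: `openoffice_per_role_template(xguest, xguest_usertype, xguest_r)` at L845 passes the `xguest_usertype` attribute as the user domain, whereas the mozilla template just above at L841 is given the concrete `xguest_t`; with an attribute, the template's `allow $2 $1_openoffice_t:process { getattr ptrace ... }` and `domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)` apply to every type carrying it. If `userdom_unpriv_usertype` adds `xguest_openoffice_t` to that attribute (inferred, not visible here), the domain ends up allowed to ptrace itself and to re-enter itself on exec — harmless but unintended; if only `xguest_t` is meant, pass it as for mozilla. The double blank line at L847-L848 can be reduced to one.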
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.621
retrieving revision 1.622
diff -u -r1.621 -r1.622
--- selinux-policy.spec 17 Mar 2008 19:49:48 -0000 1.621
+++ selinux-policy.spec 20 Mar 2008 20:28:45 -0000 1.622
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 94%{?dist}
+Release: 95%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,10 @@
%endif
%changelog
+* Tue Mar 18 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-95
+- Allow rythmbox to talk to avahi
+- Add prewikka policy
+
* Mon Mar 17 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-94
- Correct labeling on /var/run/dmevent.*
- Allow pam_t to read wtmp file