rpms/selinux-policy/F-9 policy-20071130.patch, 1.144, 1.145 selinux-policy.spec, 1.666, 1.667
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue May 13 17:14:47 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13354
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Tue May 13 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-51
- Dontaudit dhcpc_t reading of domains state
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.144
retrieving revision 1.145
diff -u -r1.144 -r1.145
--- policy-20071130.patch 12 May 2008 18:49:36 -0000 1.144
+++ policy-20071130.patch 13 May 2008 17:13:51 -0000 1.145
@@ -4736,7 +4736,7 @@
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-02-26 08:23:12.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-05-08 11:06:31.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-05-13 09:40:47.988406000 -0400
@@ -35,7 +35,10 @@
template(`mozilla_per_role_template',`
gen_require(`
@@ -5082,11 +5082,15 @@
')
optional_policy(`
-@@ -350,19 +277,31 @@
+@@ -350,19 +277,35 @@
optional_policy(`
cups_read_rw_config($1_mozilla_t)
cups_dbus_chat($1_mozilla_t)
+ cups_stream_connect($1_mozilla_t)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat($1_mozilla_t)
')
optional_policy(`
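Review bot: The new `optional_policy(` block that calls `hal_dbus_chat($1_mozilla_t)` carries no comment saying which browser feature needs a D-Bus conversation with hald, so a later reader cannot tell whether the grant is still required or can be dropped. As I recall the interface, hal_dbus_chat allows send_msg in both directions, so it also lets hald message every per-role mozilla domain, which is wider than a one-way query. A one-line comment such as `# <feature that queried hald — fill in> talks to hald over the system bus (bz#<ref>)` above the call would fix that. The same uncommented call is added in podsleuth.te and moved within userdomain.if in this commit; the same comment is wanted there. The enclosing template body continues outside this hunk.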
@@ -5094,14 +5098,14 @@
- dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+# dbus_connectto_user_bus($1,$1_mozilla_t)
- ')
-
- optional_policy(`
-+ gnome_exec_gconf($1_mozilla_t)
-+ gnome_manage_user_gnome_config($1,$1_mozilla_t)
+ ')
+
+ optional_policy(`
++ gnome_exec_gconf($1_mozilla_t)
++ gnome_manage_user_gnome_config($1,$1_mozilla_t)
+ ')
+
+ optional_policy(`
+ gnome_domtrans_user_gconf($1,$1_mozilla_t)
gnome_stream_connect_gconf_template($1,$1_mozilla_t)
')
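Review bot: `# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)` and `# dbus_connectto_user_bus($1,$1_mozilla_t)` are left in the template as commented-out rules with no explanation, and dead policy text of this kind tends to be either silently resurrected or misread as active. Either remove them or replace the bare `#` with a reason, e.g. `# session-bus client rules intentionally disabled: <reason — fill in>`. The rendering of this hunk has lost the leading marker columns, so whether these two lines are inner-context or inner-added lines is not certain from here. The surrounding template starts and ends outside the hunk.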
@@ -5116,7 +5120,7 @@
')
optional_policy(`
-@@ -370,37 +309,18 @@
+@@ -370,37 +313,18 @@
')
optional_policy(`
@@ -5157,7 +5161,7 @@
')
########################################
-@@ -430,11 +350,11 @@
+@@ -430,11 +354,11 @@
#
template(`mozilla_read_user_home_files',`
gen_require(`
@@ -5172,7 +5176,7 @@
')
########################################
-@@ -464,11 +384,10 @@
+@@ -464,11 +388,10 @@
#
template(`mozilla_write_user_home_files',`
gen_require(`
@@ -5186,7 +5190,7 @@
')
########################################
-@@ -573,3 +492,27 @@
+@@ -573,3 +496,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
@@ -7032,7 +7036,7 @@
network_port(xen, tcp,8002,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.3.1/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-05-12 14:40:26.360076000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-05-12 14:40:26.000000000 -0400
@@ -1,7 +1,7 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
@@ -7159,7 +7163,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-02-26 08:23:12.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-05-12 14:40:19.056145000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-05-12 14:40:19.000000000 -0400
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -7586,7 +7590,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.3.1/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.te 2008-05-12 14:40:14.531022000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.te 2008-05-12 14:40:14.000000000 -0400
@@ -32,6 +32,12 @@
type apm_bios_t;
dev_node(apm_bios_t)
@@ -8546,8 +8550,24 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.3.1/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.te 2008-05-08 11:06:31.000000000 -0400
-@@ -231,6 +231,8 @@
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.te 2008-05-13 11:14:31.626609000 -0400
+@@ -45,6 +45,15 @@
+ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+
+ #
++# cgroup fs
++#
++
++type cgroup_t;
++fs_type(cgroup_t)
++allow cgroup_t self:filesystem associate;
++genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
++
++#
+ # DebugFS
+ #
+
+@@ -231,6 +240,8 @@
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
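Review bot: The new `type cgroup_t;` is given `fs_type`, `self:filesystem associate` and a `genfscon cgroup /` entry, but nothing in this commit adds an interface through which another module could search or manage a mounted cgroup filesystem, so any non-kernel domain that touches one will be denied with no supported rule to call; if that is intentional for now, the `# cgroup fs` header should say so, otherwise matching fs_*_cgroup interfaces belong in the same change. The header comment could also name the expected mount point and the domain expected to manage the hierarchy, which is not recoverable from the declaration alone. I believe upstream refpolicy later declares this type in filesystem.te rather than kernel.te; keeping the name cgroup_t identical avoids a duplicate declaration if this tree is ever re-synced.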
@@ -8556,7 +8576,7 @@
selinux_load_policy(kernel_t)
-@@ -253,12 +255,16 @@
+@@ -253,12 +264,16 @@
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
@@ -8573,7 +8593,7 @@
tunable_policy(`read_default_t',`
files_list_default(kernel_t)
files_read_default_files(kernel_t)
-@@ -363,7 +369,7 @@
+@@ -363,7 +378,7 @@
allow kern_unconfined proc_type:{ dir file lnk_file } *;
@@ -8582,7 +8602,7 @@
allow kern_unconfined kernel_t:system *;
-@@ -374,3 +380,4 @@
+@@ -374,3 +389,4 @@
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
kernel_rw_all_sysctls(kern_unconfined)
@@ -8991,14 +9011,21 @@
# amavis local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-05-08 11:06:31.000000000 -0400
-@@ -1,4 +1,4 @@
++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-05-13 09:47:47.258486000 -0400
+@@ -1,10 +1,9 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-@@ -16,7 +16,6 @@
+ /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+ /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+ /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+@@ -16,7 +15,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
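Review bot: Replacing `/etc/httpd -d` and `/etc/httpd/conf.*` with `/etc/httpd(/.*)?` turns two narrow specs into a catch-all for the whole tree, so any file or symlink placed under /etc/httpd that has no more specific entry now gets httpd_config_t instead of the previous default. The more specific `/etc/httpd/logs` and `/etc/httpd/modules` entries that follow should still win, if I recall the file_contexts precedence correctly (longer literal stem first, last entry among equal stems), but that is worth confirming with matchpathcon on both paths before release, since mislabelling those symlinks as httpd_config_t would change what httpd_t may write. A short comment above the new line, e.g. `# catch-all; logs/ and modules/ below override it by longer stem`, would record the intent.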
@@ -9006,7 +9033,7 @@
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -33,6 +32,7 @@
+@@ -33,6 +31,7 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -9014,7 +9041,7 @@
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -48,11 +48,14 @@
+@@ -48,11 +47,14 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -9029,7 +9056,7 @@
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -66,10 +69,21 @@
+@@ -66,10 +68,21 @@
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -19053,11 +19080,11 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.fc serefpolicy-3.3.1/policy/modules/services/podsleuth.fc
--- nsaserefpolicy/policy/modules/services/podsleuth.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/podsleuth.fc 2008-05-08 14:15:46.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/podsleuth.fc 2008-05-13 11:07:35.447996000 -0400
@@ -0,0 +1,3 @@
-+
-+/usr/libexec/hal-podsleuth --
-+gen_context(system_u:object_r:podsleuth_exec_t,s0)
++/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
++/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
++/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.if serefpolicy-3.3.1/policy/modules/services/podsleuth.if
--- nsaserefpolicy/policy/modules/services/podsleuth.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/podsleuth.if 2008-05-08 14:16:33.000000000 -0400
@@ -19119,8 +19146,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.te serefpolicy-3.3.1/policy/modules/services/podsleuth.te
--- nsaserefpolicy/policy/modules/services/podsleuth.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/podsleuth.te 2008-05-08 14:15:37.000000000 -0400
-@@ -0,0 +1,56 @@
++++ serefpolicy-3.3.1/policy/modules/services/podsleuth.te 2008-05-13 11:11:34.386857000 -0400
+@@ -0,0 +1,70 @@
+policy_module(podsleuth,1.0.0)
+
+########################################
@@ -19133,50 +19160,64 @@
+application_domain(podsleuth_t, podsleuth_exec_t)
+role system_r types podsleuth_t;
+
++type podsleuth_tmp_t;
++files_tmp_file(podsleuth_tmp_t)
++
++type podsleuth_cache_t;
++files_type(podsleuth_cache_t)
++
+########################################
+#
+# podsleuth local policy
+#
-+allow podsleuth_t self:process { ptrace signal getsched execheap execmem };
++allow podsleuth_t self:capability sys_admin;
+
-+## internal communication is often done using fifo and unix sockets.
++allow podsleuth_t self:process { ptrace signal getsched execheap execmem };
+allow podsleuth_t self:fifo_file rw_file_perms;
+allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(podsleuth_t,podsleuth_tmp_t,podsleuth_tmp_t)
-+files_tmp_filetrans(podsleuth_t,podsleuth_tmp_t,{ file dir })
-+manage_dirs_pattern(podsleuth_t,podsleuth_tmp_t,podsleuth_tmp_t)
++allow podsleuth_t self:sem create_sem_perms;
++allow podsleuth_t self:tcp_socket create_stream_socket_perms;
++allow podsleuth_t self:udp_socket create_socket_perms;
+
+corecmd_exec_bin(podsleuth_t)
-+
+corenet_tcp_connect_http_port(podsleuth_t)
+
+dev_read_urand(podsleuth_t)
+
-+fs_getattr_dos_fs(podsleuth_t)
++kernel_read_system_state(podsleuth_t)
++
++files_read_etc_files(podsleuth_t)
++
+fs_mount_dos_fs(podsleuth_t)
+fs_unmount_dos_fs(podsleuth_t)
++fs_getattr_dos_fs(podsleuth_t)
+fs_read_dos_files(podsleuth_t)
++fs_search_dos(podsleuth_t)
+
-+kernel_read_system_state(podsleuth_t)
++allow podsleuth_t podsleuth_tmp_t:dir mounton;
++manage_files_pattern(podsleuth_t,podsleuth_tmp_t,podsleuth_tmp_t)
++files_tmp_filetrans(podsleuth_t,podsleuth_tmp_t,{ file dir })
++manage_dirs_pattern(podsleuth_t,podsleuth_tmp_t,podsleuth_tmp_t)
+
-+files_read_etc_files(podsleuth_t)
++manage_dirs_pattern(podsleuth_t,podsleuth_cache_t,podsleuth_cache_t)
++manage_files_pattern(podsleuth_t,podsleuth_cache_t,podsleuth_cache_t)
++files_var_filetrans(podsleuth_t,podsleuth_cache_t,{ file dir })
++
++storage_raw_rw_fixed_disk(podsleuth_t)
+
+libs_use_ld_so(podsleuth_t)
+libs_use_shared_libs(podsleuth_t)
+
-+miscfiles_read_localization(podsleuth_t)
-+
+sysnet_dns_name_resolve(podsleuth_t)
+
-+mono_exec(podsleuth_t)
-+
-+hal_dbus_chat(podsleuth_t)
++miscfiles_read_localization(podsleuth_t)
+
+optional_policy(`
-+ dbus_system_bus_client_template(podsleuth,podsleuth_t)
++ dbus_system_bus_client_template(podsleuth,podsleuth_t)
++ optional_policy(`
++ hal_dbus_chat(podsleuth_t)
++ ')
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.3.1/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/polkit.fc 2008-05-08 11:06:32.000000000 -0400
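Review bot: `allow podsleuth_t self:capability sys_admin;` and `storage_raw_rw_fixed_disk(podsleuth_t)` are the two widest grants in this new domain and neither carries a comment; sys_admin is presumably for the mount/unmount of the device under podsleuth_tmp_t (the `fs_mount_dos_fs`, `fs_unmount_dos_fs` and `podsleuth_tmp_t:dir mounton` rules below), and a comment saying exactly that would keep it from being read as a blanket grant. storage_raw_rw_fixed_disk gives read and write access to every fixed-disk block device, not just the attached iPod; if the tool only reads the device, `storage_raw_read_fixed_disk(podsleuth_t)` would halve the exposure — confirm against what the program actually opens for writing. The `ptrace` and `execheap execmem` self:process permissions likewise deserve a one-line comment naming the runtime that needs them (the removed `mono_exec` call suggests a JIT, but that is inference). Combined with `corenet_tcp_connect_http_port`, this domain can both read raw disks and make outbound HTTP connections, so the two grants above should be as narrow as the program permits.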
@@ -19404,7 +19445,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-05-12 14:44:06.347665000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-05-12 14:44:06.000000000 -0400
@@ -0,0 +1,196 @@
+policy_module(polkit_auth,1.0.0)
+
@@ -28073,7 +28114,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-05-08 11:06:32.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-05-13 11:38:07.156366000 -0400
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@@ -28104,7 +28145,7 @@
files_read_etc_files(pam_t)
-@@ -122,6 +129,12 @@
+@@ -122,6 +129,13 @@
userdom_use_unpriv_users_fds(pam_t)
@@ -28113,11 +28154,12 @@
+userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
+userdom_dontaudit_write_user_home_content_files(user, pam_t)
+userdom_append_unpriv_users_home_content_files(pam_t)
++userdom_dontaudit_read_user_tmp_files(pam_t)
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(pam_t)
-@@ -155,6 +168,8 @@
+@@ -155,6 +169,8 @@
dev_read_sysfs(pam_console_t)
dev_getattr_apm_bios_dev(pam_console_t)
dev_setattr_apm_bios_dev(pam_console_t)
@@ -28126,7 +28168,7 @@
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
dev_getattr_input_dev(pam_console_t)
-@@ -179,6 +194,10 @@
+@@ -179,6 +195,10 @@
dev_setattr_video_dev(pam_console_t)
dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)
@@ -28137,7 +28179,7 @@
dev_read_urand(pam_console_t)
mls_file_read_all_levels(pam_console_t)
-@@ -282,6 +301,11 @@
+@@ -282,6 +302,11 @@
')
')
@@ -28149,7 +28191,7 @@
########################################
#
# updpwd local policy
-@@ -297,8 +321,10 @@
+@@ -297,8 +322,10 @@
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
@@ -28161,7 +28203,7 @@
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
-@@ -359,11 +385,6 @@
+@@ -359,11 +386,6 @@
')
optional_policy(`
@@ -28229,6 +28271,17 @@
+optional_policy(`
+ unconfined_domain(fsadm_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.fc serefpolicy-3.3.1/policy/modules/system/getty.fc
+--- nsaserefpolicy/policy/modules/system/getty.fc 2008-02-26 08:23:09.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/getty.fc 2008-05-13 11:24:11.578389000 -0400
+@@ -8,5 +8,5 @@
+
+ /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
+
+-/var/spool/fax -- gen_context(system_u:object_r:getty_var_run_t,s0)
+-/var/spool/voice -- gen_context(system_u:object_r:getty_var_run_t,s0)
++/var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)
++/var/spool/voice(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.3.1/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2008-02-26 08:23:09.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/getty.te 2008-05-08 11:06:32.000000000 -0400
@@ -28952,7 +29005,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-05-08 11:06:32.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-05-13 11:32:48.185915000 -0400
@@ -48,6 +48,7 @@
fs_getattr_xattr_fs(iptables_t)
@@ -28961,6 +29014,15 @@
mls_file_read_all_levels(iptables_t)
+@@ -71,7 +72,7 @@
+
+ logging_send_syslog_msg(iptables_t)
+ # system-config-network appends to /var/log
+-#logging_append_system_logs(iptables_t)
++logging_append_system_logs(iptables_t)
+
+ miscfiles_read_localization(iptables_t)
+
@@ -113,3 +114,7 @@
optional_policy(`
udev_read_db(iptables_t)
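Review bot: Enabling `logging_append_system_logs(iptables_t)` grants append on every var_log_t file, while the comment above it names only one trigger (system-config-network appending to /var/log), so the rule is wider than its stated reason. If the file it writes is known, a dedicated log type with a filetrans from var_log_t would confine the grant to that file; otherwise extend the comment so the breadth is deliberate, e.g. `# grants append to all var_log_t files; no finer-grained type exists for this log yet`. The rest of iptables_t's rules are outside this hunk.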
@@ -29451,7 +29513,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-05-12 14:18:58.141922000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-05-13 10:21:00.027897000 -0400
@@ -61,10 +61,29 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
@@ -29620,8 +29682,8 @@
+# Init script handling
+domain_use_interactive_fds(audisp_t)
+
-+allow audispd_t self:capability sys_nice;
-+allow audispd_t self:process setsched;
++allow audisp_t self:capability sys_nice;
++allow audisp_t self:process setsched;
+
+## internal communication is often done using fifo and unix sockets.
+allow audisp_t self:fifo_file rw_file_perms;
@@ -30339,7 +30401,7 @@
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
--- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-05-12 14:48:22.529716000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-05-12 14:48:22.000000000 -0400
@@ -0,0 +1,313 @@
+
+## <summary>policy for qemu</summary>
@@ -31440,7 +31502,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-05-08 11:12:09.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-05-13 09:42:56.872849000 -0400
@@ -20,6 +20,10 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -31461,7 +31523,14 @@
allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
-@@ -123,7 +127,7 @@
+@@ -117,13 +121,13 @@
+ corecmd_exec_shell(dhcpc_t)
+
+ domain_use_interactive_fds(dhcpc_t)
+-domain_dontaudit_list_all_domains_state(dhcpc_t)
++domain_dontaudit_read_all_domains_state(dhcpc_t)
+
+ files_read_etc_files(dhcpc_t)
files_read_etc_runtime_files(dhcpc_t)
files_search_home(dhcpc_t)
files_search_var_lib(dhcpc_t)
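Review bot: `domain_dontaudit_read_all_domains_state(dhcpc_t)` silences reads of every domain's /proc/<pid> state without recording what triggers them, and a dontaudit with no comment is the rule most likely to be upgraded to an allow by the next person who sees a related denial. A one-line comment naming the helper that causes the reads (presumably a dhclient-script hook walking /proc — confirm) would prevent that, e.g. `# <helper — fill in> probes /proc/<pid> of other domains; harmless, so silenced rather than allowed`. Note also that once this is in place the denial no longer appears in audit output unless dontaudit rules are disabled when the policy is rebuilt, which is worth remembering when debugging dhclient failures.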
@@ -32432,7 +32501,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-05-08 11:06:33.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-05-13 10:16:43.899539000 -0400
@@ -29,9 +29,14 @@
')
@@ -33003,7 +33072,7 @@
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
-@@ -692,183 +672,198 @@
+@@ -692,183 +672,201 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -33188,6 +33257,9 @@
+
+ optional_policy(`
+ vpnc_dbus_chat($1_usertype)
++ ')
++ optional_policy(`
++ hal_dbus_chat($1_usertype)
')
')
@@ -33283,7 +33355,7 @@
')
optional_policy(`
-@@ -895,6 +890,8 @@
+@@ -895,6 +893,8 @@
## </param>
#
template(`userdom_login_user_template', `
@@ -33292,7 +33364,7 @@
userdom_base_user_template($1)
userdom_manage_home_template($1)
-@@ -923,70 +920,69 @@
+@@ -923,70 +923,69 @@
allow $1_t self:context contains;
@@ -33396,7 +33468,7 @@
')
')
-@@ -1020,9 +1016,6 @@
+@@ -1020,9 +1019,6 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@@ -33406,7 +33478,7 @@
typeattribute $1_tty_device_t user_ttynode;
##############################
-@@ -1031,16 +1024,29 @@
+@@ -1031,16 +1027,29 @@
#
# privileged home directory writers
@@ -33443,7 +33515,7 @@
')
#######################################
-@@ -1068,6 +1074,13 @@
+@@ -1068,6 +1077,13 @@
userdom_restricted_user_template($1)
@@ -33457,7 +33529,7 @@
userdom_xwindows_client_template($1)
##############################
-@@ -1076,14 +1089,16 @@
+@@ -1076,14 +1092,16 @@
#
authlogin_per_role_template($1, $1_t, $1_r)
@@ -33479,7 +33551,7 @@
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1091,32 +1106,29 @@
+@@ -1091,32 +1109,29 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -33523,7 +33595,7 @@
')
')
-@@ -1127,10 +1139,10 @@
+@@ -1127,10 +1142,10 @@
## </summary>
## <desc>
## <p>
@@ -33538,7 +33610,7 @@
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1164,7 +1176,6 @@
+@@ -1164,7 +1179,6 @@
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
@@ -33546,7 +33618,7 @@
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -1182,23 +1193,16 @@
+@@ -1182,32 +1196,45 @@
')
')
@@ -33565,18 +33637,16 @@
+ corenet_tcp_bind_all_unreserved_ports($1_t)
')
++ # Run pppd in pppd_t by default for user
optional_policy(`
- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+ hal_dbus_chat($1_usertype)
- ')
-
- # Run pppd in pppd_t by default for user
-@@ -1207,7 +1211,31 @@
++ ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
+- # Run pppd in pppd_t by default for user
optional_policy(`
-- setroubleshoot_stream_connect($1_t)
+- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ games_rw_data($1_usertype)
+ ')
+
@@ -33598,14 +33668,15 @@
+
+ optional_policy(`
+ mono_per_role_template($1, $1_t, $1_r)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ gpg_per_role_template($1, $1_usertype, $1_r)
')
')
-@@ -1284,8 +1312,6 @@
+@@ -1284,8 +1311,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -33614,7 +33685,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1307,8 +1333,6 @@
+@@ -1307,8 +1332,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -33623,7 +33694,7 @@
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1363,13 +1387,6 @@
+@@ -1363,13 +1386,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -33637,7 +33708,7 @@
optional_policy(`
userhelper_exec($1_t)
')
-@@ -1422,6 +1439,7 @@
+@@ -1422,6 +1438,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -33645,7 +33716,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1787,10 +1805,14 @@
+@@ -1787,10 +1804,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -33661,7 +33732,7 @@
')
########################################
-@@ -1886,11 +1908,11 @@
+@@ -1886,11 +1907,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -33675,7 +33746,7 @@
')
########################################
-@@ -1920,11 +1942,11 @@
+@@ -1920,11 +1941,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -33689,7 +33760,7 @@
')
########################################
-@@ -1968,12 +1990,12 @@
+@@ -1968,12 +1989,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -33705,7 +33776,7 @@
')
########################################
-@@ -2003,10 +2025,11 @@
+@@ -2003,10 +2024,11 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -33719,7 +33790,7 @@
')
########################################
-@@ -2038,11 +2061,47 @@
+@@ -2038,11 +2060,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -33769,7 +33840,7 @@
')
########################################
-@@ -2074,10 +2133,10 @@
+@@ -2074,10 +2132,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -33782,7 +33853,7 @@
')
########################################
-@@ -2107,11 +2166,11 @@
+@@ -2107,11 +2165,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -33796,7 +33867,7 @@
')
########################################
-@@ -2141,11 +2200,11 @@
+@@ -2141,11 +2199,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -33811,7 +33882,7 @@
')
########################################
-@@ -2175,10 +2234,14 @@
+@@ -2175,10 +2233,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -33828,7 +33899,7 @@
')
########################################
-@@ -2208,11 +2271,11 @@
+@@ -2208,11 +2270,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -33842,7 +33913,7 @@
')
########################################
-@@ -2242,11 +2305,11 @@
+@@ -2242,11 +2304,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -33856,7 +33927,7 @@
')
########################################
-@@ -2276,10 +2339,10 @@
+@@ -2276,10 +2338,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -33869,7 +33940,7 @@
')
########################################
-@@ -2311,12 +2374,12 @@
+@@ -2311,12 +2373,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -33885,7 +33956,7 @@
')
########################################
-@@ -2348,10 +2411,10 @@
+@@ -2348,10 +2410,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -33898,7 +33969,7 @@
')
########################################
-@@ -2383,12 +2446,12 @@
+@@ -2383,12 +2445,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -33914,7 +33985,7 @@
')
########################################
-@@ -2420,12 +2483,12 @@
+@@ -2420,12 +2482,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -33930,7 +34001,7 @@
')
########################################
-@@ -2457,12 +2520,12 @@
+@@ -2457,12 +2519,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -33946,7 +34017,7 @@
')
########################################
-@@ -2507,11 +2570,11 @@
+@@ -2507,11 +2569,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -33960,7 +34031,7 @@
')
########################################
-@@ -2556,11 +2619,11 @@
+@@ -2556,11 +2618,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -33974,7 +34045,7 @@
')
########################################
-@@ -2600,11 +2663,11 @@
+@@ -2600,11 +2662,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -33988,7 +34059,7 @@
')
########################################
-@@ -2634,11 +2697,11 @@
+@@ -2634,11 +2696,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -34002,7 +34073,7 @@
')
########################################
-@@ -2668,11 +2731,11 @@
+@@ -2668,11 +2730,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -34016,7 +34087,7 @@
')
########################################
-@@ -2704,10 +2767,10 @@
+@@ -2704,10 +2766,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -34029,7 +34100,7 @@
')
########################################
-@@ -2739,10 +2802,10 @@
+@@ -2739,10 +2801,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -34042,7 +34113,7 @@
')
########################################
-@@ -2772,12 +2835,12 @@
+@@ -2772,12 +2834,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -34058,7 +34129,7 @@
')
########################################
-@@ -2809,10 +2872,10 @@
+@@ -2809,10 +2871,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -34071,7 +34142,7 @@
')
########################################
-@@ -2844,10 +2907,48 @@
+@@ -2844,10 +2906,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -34122,7 +34193,7 @@
')
########################################
-@@ -2877,12 +2978,12 @@
+@@ -2877,12 +2977,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -34138,7 +34209,7 @@
')
########################################
-@@ -2914,10 +3015,10 @@
+@@ -2914,10 +3014,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -34151,7 +34222,7 @@
')
########################################
-@@ -2949,12 +3050,12 @@
+@@ -2949,12 +3049,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -34167,7 +34238,7 @@
')
########################################
-@@ -2986,11 +3087,11 @@
+@@ -2986,11 +3086,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -34181,7 +34252,7 @@
')
########################################
-@@ -3022,11 +3123,11 @@
+@@ -3022,11 +3122,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -34195,7 +34266,7 @@
')
########################################
-@@ -3058,11 +3159,11 @@
+@@ -3058,11 +3158,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -34209,7 +34280,7 @@
')
########################################
-@@ -3094,11 +3195,11 @@
+@@ -3094,11 +3194,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -34223,7 +34294,7 @@
')
########################################
-@@ -3130,11 +3231,11 @@
+@@ -3130,11 +3230,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -34237,7 +34308,7 @@
')
########################################
-@@ -3179,10 +3280,10 @@
+@@ -3179,10 +3279,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -34250,7 +34321,7 @@
files_search_tmp($2)
')
-@@ -3223,10 +3324,10 @@
+@@ -3223,10 +3323,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -34263,7 +34334,7 @@
')
########################################
-@@ -3254,24 +3355,24 @@
+@@ -3254,24 +3354,24 @@
## </summary>
## </param>
#
@@ -34292,7 +34363,7 @@
## </p>
## <p>
## This is a templated interface, and should only
-@@ -3290,23 +3391,24 @@
+@@ -3290,22 +3390,94 @@
## </summary>
## </param>
#
@@ -34319,16 +34390,21 @@
## <desc>
## <p>
-## Do not audit attempts to read user
--## untrusted directories.
+## Read/write user tmpfs files.
- ## </p>
- ## <p>
- ## This is a templated interface, and should only
-@@ -3321,7 +3423,78 @@
- ## </param>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
@@ -34385,26 +34461,10 @@
+## <desc>
+## <p>
+## Do not audit attempts to read user
-+## untrusted directories.
-+## </p>
-+## <p>
-+## This is a templated interface, and should only
-+## be called from a per-userdomain template.
-+## </p>
-+## </desc>
-+## <param name="userdomain_prefix">
-+## <summary>
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+## </summary>
-+## </param>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
-@@ -3962,6 +4135,24 @@
+ ## untrusted directories.
+ ## </p>
+ ## <p>
+@@ -3962,6 +4134,24 @@
########################################
## <summary>
@@ -34429,7 +34489,7 @@
## Manage unpriviledged user SysV shared
## memory segments.
## </summary>
-@@ -4231,11 +4422,11 @@
+@@ -4231,11 +4421,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -34443,7 +34503,7 @@
')
########################################
-@@ -4251,10 +4442,10 @@
+@@ -4251,10 +4441,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -34456,7 +34516,7 @@
')
########################################
-@@ -4270,11 +4461,11 @@
+@@ -4270,11 +4460,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -34470,7 +34530,7 @@
')
########################################
-@@ -4289,16 +4480,16 @@
+@@ -4289,16 +4479,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -34490,7 +34550,7 @@
## users home directory.
## </summary>
## <param name="domain">
-@@ -4307,12 +4498,35 @@
+@@ -4307,12 +4497,35 @@
## </summary>
## </param>
#
@@ -34529,7 +34589,7 @@
')
########################################
-@@ -4327,13 +4541,13 @@
+@@ -4327,13 +4540,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -34547,7 +34607,7 @@
')
########################################
-@@ -4531,10 +4745,10 @@
+@@ -4531,10 +4744,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -34560,7 +34620,7 @@
')
########################################
-@@ -4551,10 +4765,10 @@
+@@ -4551,10 +4764,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -34573,7 +34633,7 @@
')
########################################
-@@ -4569,10 +4783,10 @@
+@@ -4569,10 +4782,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -34586,7 +34646,7 @@
')
########################################
-@@ -4588,10 +4802,10 @@
+@@ -4588,10 +4801,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -34599,7 +34659,7 @@
')
########################################
-@@ -4606,10 +4820,10 @@
+@@ -4606,10 +4819,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -34612,7 +34672,7 @@
')
########################################
-@@ -4625,10 +4839,10 @@
+@@ -4625,10 +4838,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -34625,7 +34685,7 @@
')
########################################
-@@ -4644,12 +4858,11 @@
+@@ -4644,12 +4857,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -34641,7 +34701,7 @@
')
########################################
-@@ -4676,10 +4889,10 @@
+@@ -4676,10 +4888,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -34654,7 +34714,7 @@
')
########################################
-@@ -4694,10 +4907,10 @@
+@@ -4694,10 +4906,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -34667,7 +34727,7 @@
')
########################################
-@@ -4712,13 +4925,13 @@
+@@ -4712,13 +4924,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -34685,7 +34745,7 @@
')
########################################
-@@ -4754,11 +4967,49 @@
+@@ -4754,11 +4966,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -34736,7 +34796,7 @@
')
########################################
-@@ -4778,6 +5029,14 @@
+@@ -4778,6 +5028,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -34751,7 +34811,7 @@
')
########################################
-@@ -4839,6 +5098,26 @@
+@@ -4839,6 +5097,26 @@
########################################
## <summary>
@@ -34778,7 +34838,7 @@
## Create, read, write, and delete all directories
## in all users home directories.
## </summary>
-@@ -4859,6 +5138,25 @@
+@@ -4859,6 +5137,25 @@
########################################
## <summary>
@@ -34804,7 +34864,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4879,6 +5177,26 @@
+@@ -4879,6 +5176,26 @@
########################################
## <summary>
@@ -34831,7 +34891,7 @@
## Create, read, write, and delete all symlinks
## in all users home directories.
## </summary>
-@@ -5115,7 +5433,7 @@
+@@ -5115,7 +5432,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -34840,7 +34900,7 @@
')
files_search_home($1)
-@@ -5304,6 +5622,63 @@
+@@ -5304,6 +5621,63 @@
########################################
## <summary>
@@ -34904,7 +34964,7 @@
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
-@@ -5509,7 +5884,7 @@
+@@ -5509,7 +5883,7 @@
########################################
## <summary>
@@ -34913,7 +34973,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5517,12 +5892,48 @@
+@@ -5517,17 +5891,53 @@
## </summary>
## </param>
#
@@ -34926,10 +34986,11 @@
- allow $1 user_ttynode:chr_file rw_term_perms;
+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to use unprivileged
+## Write all unprivileged users lnk_files in /tmp
+## </summary>
+## <param name="domain">
@@ -34962,10 +35023,15 @@
+ ')
+
+ allow $1 user_ttynode:chr_file rw_term_perms;
- ')
-
- ########################################
-@@ -5559,7 +5970,7 @@
++')
++
++########################################
++## <summary>
++## Do not audit attempts to use unprivileged
+ ## user ttys.
+ ## </summary>
+ ## <param name="domain">
+@@ -5559,7 +5969,7 @@
attribute userdomain;
')
@@ -34974,7 +35040,7 @@
kernel_search_proc($1)
')
-@@ -5674,6 +6085,42 @@
+@@ -5674,6 +6084,42 @@
########################################
## <summary>
@@ -35017,7 +35083,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5704,3 +6151,408 @@
+@@ -5704,3 +6150,408 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -35767,7 +35833,7 @@
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.3.1/policy/modules/system/virt.if
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.if 2008-05-12 14:22:31.508030000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/virt.if 2008-05-13 10:30:06.010269000 -0400
@@ -0,0 +1,324 @@
+
+## <summary>policy for virt</summary>
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.666
retrieving revision 1.667
diff -u -r1.666 -r1.667
--- selinux-policy.spec 12 May 2008 18:49:36 -0000 1.666
+++ selinux-policy.spec 13 May 2008 17:13:51 -0000 1.667
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 50%{?dist}
+Release: 51%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,9 @@
%endif
%changelog
+* Tue May 13 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-51
+- Dontaudit dhcpc_t reading of domains state
+
* Mon May 12 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-50
- Add sys_nice for audispd