rpms/selinux-policy/F-9 policy-20071130.patch, 1.162, 1.163 selinux-policy.spec, 1.677, 1.678
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri May 30 13:30:56 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29375
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Fri May 30 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-61
- Allow policykit_resolve to read users process table
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.162
retrieving revision 1.163
diff -u -r1.162 -r1.163
--- policy-20071130.patch 29 May 2008 19:43:21 -0000 1.162
+++ policy-20071130.patch 30 May 2008 13:30:06 -0000 1.163
@@ -8,106 +8,6 @@
- Label /proc/kallsyms with system_map_t.
- 64-bit capabilities from Stephen Smalley.
- Labeled networking peer object class updates.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
---- nsaserefpolicy/Makefile 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/Makefile 2008-05-28 09:06:12.000000000 -0400
-@@ -235,7 +235,7 @@
- appdir := $(contextpath)
- user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
- user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
--appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
- net_contexts := $(builddir)net_contexts
-
- all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -309,20 +309,22 @@
-
- # parse-rolemap modulename,outputfile
- define parse-rolemap
-- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-+ echo "" >> $2
-+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
- endef
-
- # perrole-expansion modulename,outputfile
- define perrole-expansion
-- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-- $(call parse-rolemap,$1,$2)
-- $(verbose) echo "')" >> $2
--
-- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-- $(call parse-rolemap-compat,$1,$2)
-- $(verbose) echo "')" >> $2
-+ echo "No longer doing perrole-expansion"
-+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-+# $(call parse-rolemap,$1,$2)
-+# $(verbose) echo "')" >> $2
-+
-+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-+# $(call parse-rolemap-compat,$1,$2)
-+# $(verbose) echo "')" >> $2
- endef
-
- # create-base-per-role-tmpl modulenames,outputfile
-@@ -521,6 +523,10 @@
- @mkdir -p $(appdir)/users
- $(verbose) $(INSTALL) -m 644 $^ $@
-
-+$(appdir)/initrc_context: $(tmpdir)/initrc_context
-+ @mkdir -p $(appdir)
-+ $(verbose) $(INSTALL) -m 644 $< $@
-+
- $(appdir)/%: $(appconf)/%
- @mkdir -p $(appdir)
- $(verbose) $(INSTALL) -m 644 $< $@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
---- nsaserefpolicy/Rules.modular 2008-02-26 08:23:12.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.modular 2008-05-28 09:06:15.000000000 -0400
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- @echo "Compliling $(NAME) $(@F) module"
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
-- $(call perrole-expansion,$(basename $(@F)),$@.role)
-- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+# $(call perrole-expansion,$(basename $(@F)),$@.role)
-+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- $(verbose) $(genperm) $(avs) $(secclass) > $@
-- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
-
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -147,7 +147,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- $(verbose) echo "" > $@
-- $(call parse-rolemap,base,$@)
-+# $(call parse-rolemap,base,$@)
-
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic 2008-02-26 08:23:13.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.monolithic 2008-05-28 09:06:15.000000000 -0400
-@@ -96,7 +96,7 @@
- #
- # Load the binary policy
- #
--reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
-+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- @echo "Loading $(NAME) $(loadpath)"
- $(verbose) $(LOADPOLICY) -q $(loadpath)
- @touch $(tmpdir)/load
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-02-26 08:23:12.000000000 -0500
+++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context 2008-05-28 09:06:12.000000000 -0400
@@ -791,6 +691,62 @@
+system_r:sshd_t xguest_r:xguest_t
+system_r:crond_t xguest_r:xguest_crond_t
+system_r:xdm_t xguest_r:xguest_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
+--- nsaserefpolicy/Makefile 2008-02-26 08:23:09.000000000 -0500
++++ serefpolicy-3.3.1/Makefile 2008-05-28 09:06:12.000000000 -0400
+@@ -235,7 +235,7 @@
+ appdir := $(contextpath)
+ user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+ user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+ net_contexts := $(builddir)net_contexts
+
+ all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+@@ -309,20 +309,22 @@
+
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++ echo "" >> $2
++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+- $(call parse-rolemap,$1,$2)
+- $(verbose) echo "')" >> $2
+-
+- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+- $(call parse-rolemap-compat,$1,$2)
+- $(verbose) echo "')" >> $2
++ echo "No longer doing perrole-expansion"
++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++# $(call parse-rolemap,$1,$2)
++# $(verbose) echo "')" >> $2
++
++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++# $(call parse-rolemap-compat,$1,$2)
++# $(verbose) echo "')" >> $2
+ endef
+
+ # create-base-per-role-tmpl modulenames,outputfile
+@@ -521,6 +523,10 @@
+ @mkdir -p $(appdir)/users
+ $(verbose) $(INSTALL) -m 644 $^ $@
+
++$(appdir)/initrc_context: $(tmpdir)/initrc_context
++ @mkdir -p $(appdir)
++ $(verbose) $(INSTALL) -m 644 $< $@
++
+ $(appdir)/%: $(appconf)/%
+ @mkdir -p $(appdir)
+ $(verbose) $(INSTALL) -m 644 $< $@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.3.1/man/man8/ftpd_selinux.8
--- nsaserefpolicy/man/man8/ftpd_selinux.8 2008-02-26 08:23:12.000000000 -0500
+++ serefpolicy-3.3.1/man/man8/ftpd_selinux.8 2008-05-28 09:06:12.000000000 -0400
@@ -2653,6 +2609,116 @@
usermanage_domtrans_groupadd(rpm_script_t)
usermanage_domtrans_useradd(rpm_script_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-02-26 08:23:10.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-05-28 09:06:13.000000000 -0400
+@@ -55,7 +55,7 @@
+ #
+
+ # Use capabilities.
+- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_sudo_t self:process { setexec setrlimit };
+ allow $1_sudo_t self:fd use;
+@@ -68,33 +68,35 @@
+ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_sudo_t self:unix_dgram_socket sendto;
+ allow $1_sudo_t self:unix_stream_socket connectto;
+- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
++ allow $1_sudo_t self:key manage_key_perms;
++ allow $1_sudo_t $1_t:key search;
+
+ # Enter this derived domain from the user domain
+ domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_sudo_t,$2)
++ corecmd_bin_domtrans($1_sudo_t,$2)
+ allow $2 $1_sudo_t:fd use;
+ allow $2 $1_sudo_t:fifo_file rw_file_perms;
+ allow $2 $1_sudo_t:process sigchld;
+
+ kernel_read_kernel_sysctls($1_sudo_t)
+ kernel_read_system_state($1_sudo_t)
+- kernel_search_key($1_sudo_t)
++ kernel_link_key($1_sudo_t)
+
+ dev_read_urand($1_sudo_t)
+
+ fs_search_auto_mountpoints($1_sudo_t)
+ fs_getattr_xattr_fs($1_sudo_t)
+
+- auth_domtrans_chk_passwd($1_sudo_t)
++ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
+ # sudo stores a token in the pam_pid directory
+ auth_manage_pam_pid($1_sudo_t)
+ auth_use_nsswitch($1_sudo_t)
+
+ corecmd_read_bin_symlinks($1_sudo_t)
+- corecmd_getattr_all_executables($1_sudo_t)
++ corecmd_exec_all_executables($1_sudo_t)
+
+ domain_use_interactive_fds($1_sudo_t)
+ domain_sigchld_interactive_fds($1_sudo_t)
+@@ -106,32 +108,50 @@
+ files_getattr_usr_files($1_sudo_t)
+ # for some PAM modules and for cwd
+ files_dontaudit_search_home($1_sudo_t)
++ files_list_tmp($1_sudo_t)
+
+ init_rw_utmp($1_sudo_t)
+
+ libs_use_ld_so($1_sudo_t)
+ libs_use_shared_libs($1_sudo_t)
+
++ logging_send_audit_msgs($1_sudo_t)
+ logging_send_syslog_msg($1_sudo_t)
+
+ miscfiles_read_localization($1_sudo_t)
+
++ mta_per_role_template($1, $1_sudo_t, $3)
++
+ userdom_manage_user_home_content_files($1,$1_sudo_t)
+ userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_files($1_sudo_t)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_files($1_sudo_t)
++ ')
+ userdom_manage_user_tmp_files($1,$1_sudo_t)
+ userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
++ userdom_exec_user_home_content_files($1,$1_sudo_t)
+ userdom_use_user_terminals($1,$1_sudo_t)
+ userdom_use_unpriv_users_fds($1_sudo_t)
+ # for some PAM modules and for cwd
++ userdom_search_sysadm_home_content_dirs($1_sudo_t)
+ userdom_dontaudit_search_all_users_home_content($1_sudo_t)
+
+- ifdef(`TODO',`
+- # for when the network connection is killed
+- dontaudit unpriv_userdomain $1_sudo_t:process signal;
++ domain_role_change_exemption($1_sudo_t)
++ userdom_spec_domtrans_all_users($1_sudo_t)
+
+- ifdef(`mta.te', `
+- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
+- ')
++ selinux_validate_context($1_sudo_t)
++ selinux_compute_relabel_context($1_sudo_t)
++ selinux_getattr_fs($1_sudo_t)
++ seutil_read_config($1_sudo_t)
++ seutil_search_default_contexts($1_sudo_t)
++
++ term_use_all_user_ttys($1_sudo_t)
++ term_use_all_user_ptys($1_sudo_t)
++ term_relabel_all_user_ttys($1_sudo_t)
++ term_relabel_all_user_ptys($1_sudo_t)
+
+- ') dnl end TODO
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2008-02-26 08:23:10.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-05-28 09:06:13.000000000 -0400
@@ -2783,116 +2849,6 @@
')
#######################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
---- nsaserefpolicy/policy/modules/admin/sudo.if 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-05-28 09:06:13.000000000 -0400
-@@ -55,7 +55,7 @@
- #
-
- # Use capabilities.
-- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
-+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_sudo_t self:process { setexec setrlimit };
- allow $1_sudo_t self:fd use;
-@@ -68,33 +68,35 @@
- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_sudo_t self:unix_dgram_socket sendto;
- allow $1_sudo_t self:unix_stream_socket connectto;
-- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
-+ allow $1_sudo_t self:key manage_key_perms;
-+ allow $1_sudo_t $1_t:key search;
-
- # Enter this derived domain from the user domain
- domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
-
- # By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_sudo_t,$2)
-+ corecmd_bin_domtrans($1_sudo_t,$2)
- allow $2 $1_sudo_t:fd use;
- allow $2 $1_sudo_t:fifo_file rw_file_perms;
- allow $2 $1_sudo_t:process sigchld;
-
- kernel_read_kernel_sysctls($1_sudo_t)
- kernel_read_system_state($1_sudo_t)
-- kernel_search_key($1_sudo_t)
-+ kernel_link_key($1_sudo_t)
-
- dev_read_urand($1_sudo_t)
-
- fs_search_auto_mountpoints($1_sudo_t)
- fs_getattr_xattr_fs($1_sudo_t)
-
-- auth_domtrans_chk_passwd($1_sudo_t)
-+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
- # sudo stores a token in the pam_pid directory
- auth_manage_pam_pid($1_sudo_t)
- auth_use_nsswitch($1_sudo_t)
-
- corecmd_read_bin_symlinks($1_sudo_t)
-- corecmd_getattr_all_executables($1_sudo_t)
-+ corecmd_exec_all_executables($1_sudo_t)
-
- domain_use_interactive_fds($1_sudo_t)
- domain_sigchld_interactive_fds($1_sudo_t)
-@@ -106,32 +108,50 @@
- files_getattr_usr_files($1_sudo_t)
- # for some PAM modules and for cwd
- files_dontaudit_search_home($1_sudo_t)
-+ files_list_tmp($1_sudo_t)
-
- init_rw_utmp($1_sudo_t)
-
- libs_use_ld_so($1_sudo_t)
- libs_use_shared_libs($1_sudo_t)
-
-+ logging_send_audit_msgs($1_sudo_t)
- logging_send_syslog_msg($1_sudo_t)
-
- miscfiles_read_localization($1_sudo_t)
-
-+ mta_per_role_template($1, $1_sudo_t, $3)
-+
- userdom_manage_user_home_content_files($1,$1_sudo_t)
- userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_files($1_sudo_t)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_files($1_sudo_t)
-+ ')
- userdom_manage_user_tmp_files($1,$1_sudo_t)
- userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
-+ userdom_exec_user_home_content_files($1,$1_sudo_t)
- userdom_use_user_terminals($1,$1_sudo_t)
- userdom_use_unpriv_users_fds($1_sudo_t)
- # for some PAM modules and for cwd
-+ userdom_search_sysadm_home_content_dirs($1_sudo_t)
- userdom_dontaudit_search_all_users_home_content($1_sudo_t)
-
-- ifdef(`TODO',`
-- # for when the network connection is killed
-- dontaudit unpriv_userdomain $1_sudo_t:process signal;
-+ domain_role_change_exemption($1_sudo_t)
-+ userdom_spec_domtrans_all_users($1_sudo_t)
-
-- ifdef(`mta.te', `
-- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-- ')
-+ selinux_validate_context($1_sudo_t)
-+ selinux_compute_relabel_context($1_sudo_t)
-+ selinux_getattr_fs($1_sudo_t)
-+ seutil_read_config($1_sudo_t)
-+ seutil_search_default_contexts($1_sudo_t)
-+
-+ term_use_all_user_ttys($1_sudo_t)
-+ term_use_all_user_ptys($1_sudo_t)
-+ term_relabel_all_user_ttys($1_sudo_t)
-+ term_relabel_all_user_ptys($1_sudo_t)
-
-- ') dnl end TODO
- ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-02-26 08:23:10.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-05-28 15:00:03.000000000 -0400
@@ -3001,7 +2957,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.3.1/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/vbetool.te 2008-05-29 09:00:23.489686000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/vbetool.te 2008-05-29 09:00:23.000000000 -0400
@@ -23,6 +23,9 @@
dev_rwx_zero(vbetool_t)
dev_read_sysfs(vbetool_t)
@@ -4599,13 +4555,13 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.3.1/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/livecd.fc 2008-05-29 10:26:55.239724000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/livecd.fc 2008-05-29 10:26:55.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.3.1/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/livecd.if 2008-05-29 10:43:58.253707000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/livecd.if 2008-05-29 10:43:58.000000000 -0400
@@ -0,0 +1,56 @@
+
+## <summary>policy for livecd</summary>
@@ -4665,7 +4621,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.3.1/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/livecd.te 2008-05-29 10:44:05.853373000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/livecd.te 2008-05-29 10:44:05.000000000 -0400
@@ -0,0 +1,22 @@
+policy_module(livecd, 1.0.0)
+
@@ -7829,7 +7785,7 @@
type power_device_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.3.1/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-05-29 15:38:40.259396000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-05-29 15:38:40.000000000 -0400
@@ -525,7 +525,7 @@
')
@@ -19046,7 +19002,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.3.1/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/oddjob.if 2008-05-29 12:10:13.582724000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/oddjob.if 2008-05-29 12:10:13.000000000 -0400
@@ -44,6 +44,7 @@
')
@@ -19092,7 +19048,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.3.1/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/oddjob.te 2008-05-29 13:24:00.419266000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/oddjob.te 2008-05-29 13:24:00.000000000 -0400
@@ -10,14 +10,21 @@
type oddjob_exec_t;
domain_type(oddjob_t)
@@ -19557,7 +19513,7 @@
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-05-29 15:40:58.041343000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-05-29 15:40:58.000000000 -0400
@@ -0,0 +1,208 @@
+
+## <summary>policy for polkit_auth</summary>
@@ -19769,8 +19725,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-05-29 15:41:37.897816000 -0400
-@@ -0,0 +1,213 @@
++++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-05-30 09:28:55.242962000 -0400
+@@ -0,0 +1,214 @@
+policy_module(polkit_auth,1.0.0)
+
+########################################
@@ -19971,6 +19927,7 @@
+miscfiles_read_localization(polkit_resolve_t)
+
+logging_send_syslog_msg(polkit_resolve_t)
++userdom_read_all_users_state(polkit_resolve_t)
+
+optional_policy(`
+ dbus_system_bus_client_template(polkit_resolve, polkit_resolve_t)
@@ -20097,6 +20054,100 @@
## Execute postfix user mail programs
## in their respective domains.
## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2008-02-26 08:23:10.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc 2008-05-28 09:06:14.000000000 -0400
+@@ -3,3 +3,5 @@
+ /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+
+ /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
++
++/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2008-02-26 08:23:10.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if 2008-05-28 09:06:14.000000000 -0400
+@@ -1 +1,68 @@
+ ## <summary>Postfix policy server</summary>
++
++########################################
++## <summary>
++## Execute postfixpolicyd server in the postfixpolicyd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`postfixpolicyd_script_domtrans',`
++ gen_require(`
++ type postfix_policyd_script_exec_t;
++ ')
++
++ init_script_domtrans_spec($1,postfix_policyd_script_exec_t)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an postfixpolicyd environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the postfixpolicyd domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`postfixpolicyd_admin',`
++ gen_require(`
++ type postfix_policyd_t;
++ type postfix_policyd_script_exec_t;
++ type postfix_policyd_conf_t;
++ type postfix_policyd_var_run_t;
++ ')
++
++ allow $1 postfix_policyd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, postfix_policyd_t, postfix_policyd_t)
++
++ # Allow postfix_policyd_t to restart the apache service
++ postfixpolicyd_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 postfix_policyd_script_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_etc($1)
++ manage_all_pattern($1,postfix_policyd_conf_t)
++
++ files_list_pids($1)
++ manage_all_pattern($1,postfix_policyd_var_run_t)
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2008-02-26 08:23:10.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te 2008-05-28 09:06:14.000000000 -0400
+@@ -16,6 +16,9 @@
+ type postfix_policyd_var_run_t;
+ files_pid_file(postfix_policyd_var_run_t)
+
++type postfix_policyd_script_exec_t;
++init_script_type(postfix_policyd_script_exec_t)
++
+ ########################################
+ #
+ # Local Policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-02-26 08:23:10.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-05-28 09:06:14.000000000 -0400
@@ -20336,100 +20387,6 @@
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc 2008-05-28 09:06:14.000000000 -0400
-@@ -3,3 +3,5 @@
- /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
-
- /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
-+
-+/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if 2008-05-28 09:06:14.000000000 -0400
-@@ -1 +1,68 @@
- ## <summary>Postfix policy server</summary>
-+
-+########################################
-+## <summary>
-+## Execute postfixpolicyd server in the postfixpolicyd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+#
-+interface(`postfixpolicyd_script_domtrans',`
-+ gen_require(`
-+ type postfix_policyd_script_exec_t;
-+ ')
-+
-+ init_script_domtrans_spec($1,postfix_policyd_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an postfixpolicyd environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed to manage the postfixpolicyd domain.
-+## </summary>
-+## </param>
-+## <param name="terminal">
-+## <summary>
-+## The type of the user terminal.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`postfixpolicyd_admin',`
-+ gen_require(`
-+ type postfix_policyd_t;
-+ type postfix_policyd_script_exec_t;
-+ type postfix_policyd_conf_t;
-+ type postfix_policyd_var_run_t;
-+ ')
-+
-+ allow $1 postfix_policyd_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_policyd_t, postfix_policyd_t)
-+
-+ # Allow postfix_policyd_t to restart the apache service
-+ postfixpolicyd_script_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 postfix_policyd_script_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_etc($1)
-+ manage_all_pattern($1,postfix_policyd_conf_t)
-+
-+ files_list_pids($1)
-+ manage_all_pattern($1,postfix_policyd_var_run_t)
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te 2008-05-28 09:06:14.000000000 -0400
-@@ -16,6 +16,9 @@
- type postfix_policyd_var_run_t;
- files_pid_file(postfix_policyd_var_run_t)
-
-+type postfix_policyd_script_exec_t;
-+init_script_type(postfix_policyd_script_exec_t)
-+
- ########################################
- #
- # Local Policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-02-26 08:23:10.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-05-28 09:06:14.000000000 -0400
@@ -21371,7 +21328,7 @@
+/etc/rc.d/init.d/pyzord -- gen_context(system_u:object_r:pyzord_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.3.1/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/pyzor.if 2008-05-29 10:07:23.557143000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/pyzor.if 2008-05-29 10:07:23.000000000 -0400
@@ -25,16 +25,15 @@
#
template(`pyzor_per_role_template',`
@@ -21476,7 +21433,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.3.1/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/pyzor.te 2008-05-29 10:07:55.351410000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/pyzor.te 2008-05-29 10:07:55.000000000 -0400
@@ -17,7 +17,7 @@
init_daemon_domain(pyzord_t,pyzord_exec_t)
@@ -22127,6 +22084,123 @@
########################################
#
# Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc
+--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-02-26 08:23:10.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc 2008-05-28 09:06:14.000000000 -0400
+@@ -5,3 +5,5 @@
+ /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
++
++/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if
+--- nsaserefpolicy/policy/modules/services/rpcbind.if 2008-02-26 08:23:10.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if 2008-05-28 09:06:14.000000000 -0400
+@@ -95,3 +95,70 @@
+ manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ files_search_var_lib($1)
+ ')
++
++########################################
++## <summary>
++## Execute rpcbind server in the rpcbind domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`rpcbind_script_domtrans',`
++ gen_require(`
++ type rpcbind_script_exec_t;
++ ')
++
++ init_script_domtrans_spec($1,rpcbind_script_exec_t)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an rpcbind environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the rpcbind domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`rpcbind_admin',`
++ gen_require(`
++ type rpcbind_t;
++ type rpcbind_script_exec_t;
++ type rpcbind_var_lib_t;
++ type rpcbind_var_run_t;
++ ')
++
++ allow $1 rpcbind_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, rpcbind_t, rpcbind_t)
++
++ # Allow rpcbind_t to restart the apache service
++ rpcbind_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 rpcbind_script_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_var_lib($1)
++ manage_all_pattern($1,rpcbind_var_lib_t)
++
++ files_list_pids($1)
++ manage_all_pattern($1,rpcbind_var_run_t)
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-02-26 08:23:10.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te 2008-05-28 09:06:14.000000000 -0400
+@@ -16,16 +16,21 @@
+ type rpcbind_var_lib_t;
+ files_type(rpcbind_var_lib_t)
+
++type rpcbind_script_exec_t;
++init_script_type(rpcbind_script_exec_t)
++
+ ########################################
+ #
+ # rpcbind local policy
+ #
+
+-allow rpcbind_t self:capability setuid;
++allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
+ allow rpcbind_t self:fifo_file rw_file_perms;
+ allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
+ allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow rpcbind_t self:udp_socket create_socket_perms;
++# BROKEN ...
++dontaudit rpcbind_t self:udp_socket listen;
+ allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+
+ manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
+@@ -37,6 +42,7 @@
+ manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
+
++kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2008-02-26 08:23:10.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/rpc.if 2008-05-28 09:06:14.000000000 -0400
@@ -22271,123 +22345,6 @@
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc
---- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc 2008-05-28 09:06:14.000000000 -0400
-@@ -5,3 +5,5 @@
- /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
- /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
- /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
-+
-+/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if
---- nsaserefpolicy/policy/modules/services/rpcbind.if 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if 2008-05-28 09:06:14.000000000 -0400
-@@ -95,3 +95,70 @@
- manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
- files_search_var_lib($1)
- ')
-+
-+########################################
-+## <summary>
-+## Execute rpcbind server in the rpcbind domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+#
-+interface(`rpcbind_script_domtrans',`
-+ gen_require(`
-+ type rpcbind_script_exec_t;
-+ ')
-+
-+ init_script_domtrans_spec($1,rpcbind_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an rpcbind environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed to manage the rpcbind domain.
-+## </summary>
-+## </param>
-+## <param name="terminal">
-+## <summary>
-+## The type of the user terminal.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`rpcbind_admin',`
-+ gen_require(`
-+ type rpcbind_t;
-+ type rpcbind_script_exec_t;
-+ type rpcbind_var_lib_t;
-+ type rpcbind_var_run_t;
-+ ')
-+
-+ allow $1 rpcbind_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, rpcbind_t, rpcbind_t)
-+
-+ # Allow rpcbind_t to restart the apache service
-+ rpcbind_script_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 rpcbind_script_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_var_lib($1)
-+ manage_all_pattern($1,rpcbind_var_lib_t)
-+
-+ files_list_pids($1)
-+ manage_all_pattern($1,rpcbind_var_run_t)
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te
---- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te 2008-05-28 09:06:14.000000000 -0400
-@@ -16,16 +16,21 @@
- type rpcbind_var_lib_t;
- files_type(rpcbind_var_lib_t)
-
-+type rpcbind_script_exec_t;
-+init_script_type(rpcbind_script_exec_t)
-+
- ########################################
- #
- # rpcbind local policy
- #
-
--allow rpcbind_t self:capability setuid;
-+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
- allow rpcbind_t self:fifo_file rw_file_perms;
- allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
- allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
- allow rpcbind_t self:udp_socket create_socket_perms;
-+# BROKEN ...
-+dontaudit rpcbind_t self:udp_socket listen;
- allow rpcbind_t self:tcp_socket create_stream_socket_perms;
-
- manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
-@@ -37,6 +42,7 @@
- manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
- files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
-
-+kernel_read_system_state(rpcbind_t)
- kernel_read_network_state(rpcbind_t)
-
- corenet_all_recvfrom_unlabeled(rpcbind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.3.1/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2008-02-26 08:23:10.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/rshd.te 2008-05-28 09:06:14.000000000 -0400
@@ -26056,7 +26013,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.3.1/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.fc 2008-05-29 08:55:38.969163000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.fc 2008-05-29 08:55:38.000000000 -0400
@@ -1,13 +1,13 @@
#
# HOME_DIR
@@ -26127,7 +26084,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-05-29 09:03:53.792808000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-05-29 09:03:53.000000000 -0400
@@ -12,9 +12,15 @@
## </summary>
## </param>
@@ -27540,7 +27497,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-05-29 09:08:39.452233000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-05-29 09:08:39.000000000 -0400
@@ -8,6 +8,14 @@
## <desc>
@@ -31390,7 +31347,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.3.1/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-05-29 10:57:28.514590000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-05-29 10:57:28.000000000 -0400
@@ -215,8 +215,6 @@
seutil_domtrans_newrole($1)
role $2 types newrole_t;
@@ -31853,7 +31810,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-05-29 10:57:43.806793000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-05-29 10:57:43.000000000 -0400
@@ -75,7 +75,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -32319,7 +32276,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-05-29 08:40:24.658917000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-05-29 08:40:24.000000000 -0400
@@ -20,6 +20,10 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -32609,7 +32566,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-05-29 10:58:17.849128000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-05-29 10:58:17.000000000 -0400
@@ -1,16 +1,18 @@
# Add programs here which should not be confined by SELinux
# e.g.:
@@ -32982,7 +32939,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-05-29 12:13:16.407844000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-05-29 12:13:16.000000000 -0400
@@ -6,35 +6,71 @@
# Declarations
#
@@ -33332,7 +33289,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-05-29 12:12:15.948655000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-05-29 12:12:15.000000000 -0400
@@ -29,9 +29,14 @@
')
@@ -37877,3 +37834,47 @@
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
+--- nsaserefpolicy/Rules.modular 2008-02-26 08:23:12.000000000 -0500
++++ serefpolicy-3.3.1/Rules.modular 2008-05-28 09:06:15.000000000 -0400
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ @echo "Compliling $(NAME) $(@F) module"
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+- $(call perrole-expansion,$(basename $(@F)),$@.role)
+- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++# $(call perrole-expansion,$(basename $(@F)),$@.role)
++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -147,7 +147,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ $(verbose) echo "" > $@
+- $(call parse-rolemap,base,$@)
++# $(call parse-rolemap,base,$@)
+
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic 2008-02-26 08:23:13.000000000 -0500
++++ serefpolicy-3.3.1/Rules.monolithic 2008-05-28 09:06:15.000000000 -0400
+@@ -96,7 +96,7 @@
+ #
+ # Load the binary policy
+ #
+-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
+ @echo "Loading $(NAME) $(loadpath)"
+ $(verbose) $(LOADPOLICY) -q $(loadpath)
+ @touch $(tmpdir)/load
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.677
retrieving revision 1.678
diff -u -r1.677 -r1.678
--- selinux-policy.spec 29 May 2008 19:43:21 -0000 1.677
+++ selinux-policy.spec 30 May 2008 13:30:07 -0000 1.678
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 60%{?dist}
+Release: 61%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,9 @@
%endif
%changelog
+* Fri May 30 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-61
+- Allow policykit_resolve to read users process table
+
* Thu May 29 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-60
- Allow policykit_resolve to read polkit_var_lib
- Other policykit fixes
More information about the fedora-extras-commits
mailing list