rpms/selinux-policy/F-9 policy-20071130.patch, 1.202, 1.203 selinux-policy.spec, 1.704, 1.705
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Sep 3 20:24:25 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4016
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Tue Sep 2 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-88
- Allow sendmail to transition to postfix_postdrop_t
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.202
retrieving revision 1.203
diff -u -r1.202 -r1.203
--- policy-20071130.patch 29 Aug 2008 20:55:32 -0000 1.202
+++ policy-20071130.patch 3 Sep 2008 20:24:23 -0000 1.203
@@ -2451,6 +2451,18 @@
+optional_policy(`
+ unconfined_domain(prelink_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.3.1/policy/modules/admin/readahead.te
+--- nsaserefpolicy/policy/modules/admin/readahead.te 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/readahead.te 2008-09-03 12:58:10.000000000 -0400
+@@ -22,7 +22,7 @@
+ # Local policy
+ #
+
+-allow readahead_t self:capability { dac_override dac_read_search };
++allow readahead_t self:capability { fowner dac_override dac_read_search };
+ dontaudit readahead_t self:capability sys_tty_config;
+ allow readahead_t self:process signal_perms;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.3.1/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/admin/rpm.fc 2008-07-15 14:02:51.000000000 -0400
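Review bot: The `fowner` capability added to the `allow readahead_t self:capability` line carries no comment saying which readahead operation needed it, unlike the justified rules elsewhere in this policy. `fowner` bypasses the owner check on operations such as chmod and utime on files the process does not own, so a one-line note would let a later maintainer decide whether it can be dropped again. Suggest `# fowner: needed for <denied operation from the AVC here>` directly above the rule, with the placeholder filled in from the audit record that motivated the change.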
@@ -6250,8 +6262,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-08-13 13:26:58.000000000 -0400
-@@ -0,0 +1,228 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-09-03 14:36:36.000000000 -0400
+@@ -0,0 +1,230 @@
+
+policy_module(nsplugin,1.0.0)
+
@@ -6374,6 +6386,7 @@
+userdom_read_user_tmp_files(user, nsplugin_t)
+userdom_write_user_tmp_sockets(user, nsplugin_t)
+userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)
++userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t)
+userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
+
+optional_policy(`
@@ -6405,6 +6418,7 @@
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_user_xauth(user, nsplugin_t)
++ xserver_read_user_iceauth(user, nsplugin_t)
+ xserver_use_user_fonts(user, nsplugin_t)
+ xserver_manage_home_fonts(nsplugin_t)
+')
@@ -12799,8 +12813,8 @@
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.3.1/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-08-26 20:19:09.000000000 -0400
-@@ -35,38 +35,23 @@
++++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-09-03 13:55:34.000000000 -0400
+@@ -35,38 +35,24 @@
#
template(`cron_per_role_template',`
gen_require(`
@@ -12813,6 +12827,7 @@
# Type of user crontabs once moved to cron spool.
type $1_cron_spool_t, cron_spool_type;
files_type($1_cron_spool_t)
++ mta_mailcontent($1_cron_spool_t)
- type $1_crond_t;
- domain_type($1_crond_t)
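Review bot: `mta_mailcontent($1_cron_spool_t)` is added to `cron_per_role_template` with no comment, and the same call is added for `cron_spool_t` in the cron.te hunk at L184 and for `system_cron_spool_t` in the hunk at L245. Presumably it tags the crontab spool types as mail content so mail-handling domains can read the job text they deliver — confirm, since the interface is Fedora-specific and its body is not visible here. Whatever it grants applies to every user's crontab spool, so a comment such as `# crond mails job output; let the MTA read the spool file` at each site would record the intent, and the 3.3.1-88 changelog should mention it. The template this hunk edits starts outside the hunk.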
@@ -12843,7 +12858,7 @@
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -74,116 +59,23 @@
+@@ -74,116 +60,23 @@
# for the domain of the user cron job. It
# performs an entrypoint permission check
# for this purpose.
@@ -12967,7 +12982,7 @@
##############################
#
# $1_crontab_t local policy
-@@ -192,9 +84,13 @@
+@@ -192,9 +85,13 @@
# dac_override is to create the file in the directory under /tmp
allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
allow $1_crontab_t self:process signal_perms;
@@ -12981,7 +12996,7 @@
# crontab shows up in user ps
ps_process_pattern($2,$1_crontab_t)
-@@ -205,9 +101,6 @@
+@@ -205,9 +102,6 @@
# Allow crond to read those crontabs in cron spool.
allow crond_t $1_cron_spool_t:file manage_file_perms;
@@ -12991,7 +13006,7 @@
# create files in /var/spool/cron
manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t)
filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file)
-@@ -226,16 +119,20 @@
+@@ -226,16 +120,20 @@
# Run helper programs as the user domain
corecmd_bin_domtrans($1_crontab_t,$2)
corecmd_shell_domtrans($1_crontab_t,$2)
@@ -13012,7 +13027,7 @@
miscfiles_read_localization($1_crontab_t)
-@@ -247,6 +144,7 @@
+@@ -247,6 +145,7 @@
userdom_use_user_terminals($1,$1_crontab_t)
# Read user crontabs
userdom_read_user_home_content_files($1,$1_crontab_t)
@@ -13020,7 +13035,7 @@
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -285,14 +183,12 @@
+@@ -285,14 +184,12 @@
template(`cron_admin_template',`
gen_require(`
attribute cron_spool_type;
@@ -13036,7 +13051,7 @@
# Manipulate other users crontab.
selinux_get_fs_mount($1_crontab_t)
selinux_validate_context($1_crontab_t)
-@@ -438,7 +334,26 @@
+@@ -438,7 +335,26 @@
########################################
## <summary>
@@ -13064,7 +13079,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -446,7 +361,7 @@
+@@ -446,7 +362,7 @@
## </summary>
## </param>
#
@@ -13073,7 +13088,7 @@
gen_require(`
type crond_t;
')
-@@ -558,11 +473,14 @@
+@@ -558,11 +474,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -13089,7 +13104,7 @@
')
########################################
-@@ -583,3 +501,62 @@
+@@ -583,3 +502,62 @@
dontaudit $1 system_crond_tmp_t:file append;
')
@@ -13154,7 +13169,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.3.1/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cron.te 2008-07-24 07:27:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cron.te 2008-09-03 13:55:10.000000000 -0400
@@ -12,14 +12,6 @@
## <desc>
@@ -13256,8 +13271,11 @@
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -163,9 +170,6 @@
+@@ -161,11 +168,9 @@
+ userdom_list_all_users_home_dirs(crond_t)
+
mta_send_mail(crond_t)
++mta_mailcontent(cron_spool_t)
ifdef(`distro_debian',`
- # pam_limits is used
@@ -13266,7 +13284,7 @@
optional_policy(`
# Debian logcheck has the home dir set to its cache
logwatch_search_cache_dir(crond_t)
-@@ -180,21 +184,45 @@
+@@ -180,21 +185,45 @@
')
')
@@ -13313,7 +13331,7 @@
')
optional_policy(`
-@@ -236,6 +264,9 @@
+@@ -236,6 +265,9 @@
allow system_crond_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
@@ -13323,7 +13341,7 @@
allow system_crond_t system_cron_spool_t:file read_file_perms;
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
-@@ -267,9 +298,13 @@
+@@ -267,9 +299,13 @@
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
@@ -13338,7 +13356,7 @@
kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t)
-@@ -323,7 +358,8 @@
+@@ -323,7 +359,8 @@
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -13348,7 +13366,7 @@
auth_use_nsswitch(system_crond_t)
-@@ -333,6 +369,7 @@
+@@ -333,6 +370,7 @@
libs_exec_ld_so(system_crond_t)
logging_read_generic_logs(system_crond_t)
@@ -13356,7 +13374,7 @@
logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
-@@ -348,18 +385,6 @@
+@@ -348,18 +386,6 @@
')
')
@@ -13375,7 +13393,7 @@
optional_policy(`
# Needed for certwatch
apache_exec_modules(system_crond_t)
-@@ -383,6 +408,14 @@
+@@ -383,11 +409,20 @@
')
optional_policy(`
@@ -13390,7 +13408,13 @@
mrtg_append_create_logs(system_crond_t)
')
-@@ -415,8 +448,7 @@
+ optional_policy(`
+ mta_send_mail(system_crond_t)
++ mta_mailcontent(system_cron_spool_t)
+ ')
+
+ optional_policy(`
+@@ -415,8 +450,7 @@
')
optional_policy(`
@@ -13400,7 +13424,7 @@
')
optional_policy(`
-@@ -424,15 +456,12 @@
+@@ -424,15 +458,12 @@
')
optional_policy(`
@@ -13423,7 +13447,7 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.3.1/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cups.fc 2008-07-30 11:32:46.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.fc 2008-09-02 16:34:56.000000000 -0400
@@ -8,24 +8,28 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13467,7 +13491,15 @@
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -50,3 +54,13 @@
+@@ -43,10 +47,20 @@
+ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+ /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+-/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+
+ /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
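Review bot: The replacement line `/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)` drops the `--` regular-file restriction of the line it replaces and widens the match from `turboprint_cups\.log.*` to any path under /var/log beginning with `turboprint`, including a directory and everything beneath it. If the intent is to cover a `/var/log/turboprint/` directory, the idiom already used two lines below (`/var/run/ptal-printd(/.*)?`) states that explicitly: `/var/log/turboprint(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)`. If only log files are meant, keep the `--` and the `\.log` anchor.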
@@ -16828,16 +16860,17 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-07-15 14:02:52.000000000 -0400
-@@ -8,6 +8,7 @@
++++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-09-03 14:04:19.000000000 -0400
+@@ -8,6 +8,8 @@
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
++/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
-@@ -16,10 +17,13 @@
+@@ -16,10 +18,13 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
/var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0)
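Review bot: `/usr/sbin/radeontool` is labelled `hald_mac_exec_t`, so it now runs in `hald_mac_t`, the domain written for the MacBook backlight addon; the hal.te hunk later in this commit shows that domain holding `dev_read_raw_memory` and `dev_write_raw_memory`. Reusing the type is expedient, but nothing on the new line says why a Radeon tool belongs in the "mac" domain, and the type name no longer describes its members. Suggest a comment on the fc line, e.g. `# radeontool needs the same raw-memory access as the macbook backlight helper` once that reason is confirmed, or a dedicated domain (a name like `hald_radeon_t`, constructed here for illustration) if the two tools' needs diverge.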
@@ -16901,7 +16934,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-08-12 11:59:06.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-09-03 14:03:50.000000000 -0400
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -17068,10 +17101,12 @@
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
allow hald_t hald_mac_t:process signal;
allow hald_mac_t hald_t:unix_stream_socket connectto;
-@@ -338,9 +385,16 @@
+@@ -338,9 +385,18 @@
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_mac_t)
++write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
++
+dev_read_raw_memory(hald_mac_t)
dev_write_raw_memory(hald_mac_t)
+dev_read_sysfs(hald_mac_t)
@@ -17085,7 +17120,25 @@
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
-@@ -391,3 +445,8 @@
+@@ -363,6 +419,8 @@
+ manage_files_pattern(hald_sonypic_t,hald_var_lib_t,hald_var_lib_t)
+ files_search_var_lib(hald_sonypic_t)
+
++write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
++
+ files_read_usr_files(hald_sonypic_t)
+
+ libs_use_ld_so(hald_sonypic_t)
+@@ -383,6 +441,8 @@
+ manage_files_pattern(hald_keymap_t,hald_var_lib_t,hald_var_lib_t)
+ files_search_var_lib(hald_keymap_t)
+
++write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
++
+ dev_rw_input_dev(hald_keymap_t)
+
+ files_read_usr_files(hald_keymap_t)
+@@ -391,3 +451,8 @@
libs_use_shared_libs(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
@@ -17094,6 +17147,18 @@
+# Should be removed when this is fixed
+cron_read_system_job_lib_files(hald_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.3.1/policy/modules/services/inetd.fc
+--- nsaserefpolicy/policy/modules/services/inetd.fc 2008-06-12 23:38:02.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/inetd.fc 2008-09-03 15:04:23.000000000 -0400
+@@ -1,6 +1,8 @@
+
+ /usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+ /usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
++/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
++
+ /usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+ /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+ /usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.3.1/policy/modules/services/inetd.if
--- nsaserefpolicy/policy/modules/services/inetd.if 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/inetd.if 2008-07-15 14:02:52.000000000 -0400
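Review bot: The new `/usr/local/lib/pysieved/pysieved.*\.py` entry is inserted after the `/usr/sbin/in\..*d` line, while the rest of this file keeps entries sorted by path; placing it above `/usr/sbin/identd` keeps that order. Also, `.*` in a file-context regex matches `/`, so the pattern also labels `.py` files in subdirectories of `/usr/local/lib/pysieved/` whose names begin with `pysieved`; if only the top-level scripts are meant, `pysieved[^/]*\.py` is the tighter form.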
@@ -21168,7 +21233,7 @@
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.3.1/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/postfix.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/postfix.if 2008-09-02 15:23:02.000000000 -0400
@@ -206,9 +206,8 @@
type postfix_etc_t;
')
@@ -21243,6 +21308,29 @@
## Execute postfix user mail programs
## in their respective domains.
## </summary>
+@@ -519,3 +557,22 @@
+
+ typeattribute $1 postfix_user_domtrans;
+ ')
++
++########################################
++## <summary>
++## Execute the master postdrop in the
++## postfix_postdrop domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_domtrans_postdrop',`
++ gen_require(`
++ type postfix_postdrop_t, postfix_postdrop_exec_t;
++ ')
++
++ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-06-12 23:38:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-08-29 15:46:12.000000000 -0400
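Review bot: The `<summary>` of the new `postfix_domtrans_postdrop` interface reads "Execute the master postdrop in the postfix_postdrop domain.", which looks copied from `postfix_domtrans_master`; the body transitions on `postfix_postdrop_exec_t`, not on master. Suggest `## Execute postdrop in the postfix_postdrop domain.`. The interface body itself follows the usual `gen_require` plus `domtrans_pattern` shape.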
@@ -25555,7 +25643,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.3.1/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-08-12 10:20:06.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-09-02 15:23:14.000000000 -0400
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -25614,7 +25702,7 @@
auth_use_nsswitch(sendmail_t)
-@@ -91,33 +101,50 @@
+@@ -91,33 +101,51 @@
libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t)
@@ -25656,6 +25744,7 @@
+')
+
+optional_policy(`
++ postfix_domtrans_postdrop(sendmail_t)
+ postfix_domtrans_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
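Review bot: `postfix_domtrans_postdrop(sendmail_t)` is the only change the 3.3.1-88 changelog entry records, yet the same commit also adds the readahead `fowner` capability, the `mta_mailcontent` calls in cron, the radeontool and pysieved file contexts, and the userdomain interface reshuffle. One changelog line per functional change would keep those auditable later. The new call sits correctly inside the existing postfix `optional_policy` block shown in the hunk.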
@@ -25667,7 +25756,7 @@
')
optional_policy(`
-@@ -125,24 +152,25 @@
+@@ -125,24 +153,25 @@
')
optional_policy(`
@@ -28422,7 +28511,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-08-12 17:02:07.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-09-03 15:05:26.000000000 -0400
@@ -12,9 +12,15 @@
## </summary>
## </param>
@@ -32117,7 +32206,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-08-01 10:49:37.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-09-02 16:10:03.000000000 -0400
@@ -69,8 +69,10 @@
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
@@ -32150,10 +32239,12 @@
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -165,6 +170,7 @@
+@@ -164,7 +169,8 @@
+ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -35957,7 +36048,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-08-12 12:21:18.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-09-03 14:36:03.000000000 -0400
@@ -29,9 +29,14 @@
')
@@ -38108,14 +38199,13 @@
## users home directory.
## </summary>
## <param name="domain">
-@@ -4307,12 +4535,35 @@
+@@ -4307,12 +4535,54 @@
## </summary>
## </param>
#
-interface(`userdom_dontaudit_append_staff_home_content_files',`
+interface(`userdom_dontaudit_append_unpriv_home_content_files',`
- gen_require(`
-- type staff_home_t;
++ gen_require(`
+ type user_home_t;
+ ')
+
@@ -38127,10 +38217,30 @@
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_append_cifs_files($1)
- ')
++ ')
+')
++
++########################################
++## <summary>
++## Do not audit attempts to unlink to the
++## users home directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`userdom_dontaudit_unlink_unpriv_home_content_files',`
+ gen_require(`
+- type staff_home_t;
++ type user_home_t;
+ ')
- dontaudit $1 staff_home_t:file append;
++ dontaudit $1 user_home_t:file unlink;
++')
++
+########################################
+## <summary>
+## Do not audit attempts to append to the staff
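Review bot: The summary of the new `userdom_dontaudit_unlink_unpriv_home_content_files` interface, "Do not audit attempts to unlink to the users home directory.", is ungrammatical and copied from the append variant; suggest `## Do not audit attempts to unlink files in unprivileged users home directories.`. Unlike `userdom_dontaudit_append_unpriv_home_content_files` just above it, which also carries a `use_samba_home_dirs` tunable block, the unlink interface only covers `user_home_t:file`, so the same denials on CIFS or NFS homes will still be audited; if that is unintended, mirror the tunable blocks with the corresponding fs_ dontaudit interfaces where they exist. The hunk ends in the middle of the following interface's doc comment.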
@@ -38147,7 +38257,7 @@
')
########################################
-@@ -4327,13 +4578,13 @@
+@@ -4327,13 +4597,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -38165,7 +38275,7 @@
')
########################################
-@@ -4531,10 +4782,10 @@
+@@ -4531,10 +4801,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -38178,7 +38288,7 @@
')
########################################
-@@ -4551,10 +4802,10 @@
+@@ -4551,10 +4821,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -38191,7 +38301,7 @@
')
########################################
-@@ -4569,10 +4820,10 @@
+@@ -4569,10 +4839,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -38204,7 +38314,7 @@
')
########################################
-@@ -4588,10 +4839,10 @@
+@@ -4588,10 +4858,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -38217,7 +38327,7 @@
')
########################################
-@@ -4606,10 +4857,10 @@
+@@ -4606,10 +4876,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -38230,7 +38340,7 @@
')
########################################
-@@ -4625,10 +4876,10 @@
+@@ -4625,10 +4895,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -38243,7 +38353,7 @@
')
########################################
-@@ -4644,12 +4895,29 @@
+@@ -4644,12 +4914,29 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -38277,7 +38387,7 @@
')
########################################
-@@ -4676,10 +4944,10 @@
+@@ -4676,10 +4963,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -38290,7 +38400,7 @@
')
########################################
-@@ -4694,10 +4962,10 @@
+@@ -4694,10 +4981,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -38303,7 +38413,7 @@
')
########################################
-@@ -4712,13 +4980,13 @@
+@@ -4712,13 +4999,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -38321,20 +38431,103 @@
')
########################################
-@@ -4754,11 +5022,49 @@
+@@ -4754,16 +5041,16 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
+- attribute home_dir_type;
+ attribute user_home_dir_type;
+ ')
+
+ files_list_home($1)
+- allow $1 home_dir_type:dir search_dir_perms;
++ allow $1 user_home_dir_type:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## List all users home directories.
++## Read all users home directories symlinks.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4771,18 +5058,18 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_list_all_users_home_dirs',`
++interface(`userdom_read_all_users_home_dirs_symlinks',`
+ gen_require(`
+ attribute home_dir_type;
+ ')
+
+ files_list_home($1)
+- allow $1 home_dir_type:dir list_dir_perms;
++ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search all users home directories.
++## Read all users home directories symlinks.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4790,36 +5077,84 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_search_all_users_home_content',`
++interface(`userdom_read_all_users_home_content_symlinks',`
+ gen_require(`
+- attribute home_dir_type, home_type;
++ type user_home_t;
+ ')
+
+ files_list_home($1)
+- allow $1 { home_dir_type home_type }:dir search_dir_perms;
++ allow $1 user_home_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search all users home directories.
++## List all users home directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_search_all_users_home_content',`
++interface(`userdom_list_all_users_home_dirs',`
+ gen_require(`
+- attribute home_dir_type, home_type;
++ attribute home_dir_type;
+ ')
+
+- dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
+-')
++ files_list_home($1)
++ allow $1 home_dir_type:dir list_dir_perms;
+
+-########################################
+-## <summary>
+-## Read all files in all users home directories.
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs($1)
+ ')
+
-+ files_list_home($1)
-+ allow $1 user_home_dir_type:dir search_dir_perms;
++ tunable_policy(`use_samba_home_dirs',`
++ fs_list_cifs($1)
++ ')
+')
+
+########################################
+## <summary>
-+## Read all users home directories symlinks.
++## Search all users home directories.
+## </summary>
+## <param name="domain">
+## <summary>
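Review bot: The `<summary>` of `userdom_read_all_users_home_content_symlinks` repeats the one given to `userdom_read_all_users_home_dirs_symlinks` directly above it, "Read all users home directories symlinks.", although this interface grants `user_home_t:lnk_file`, not `home_dir_type`. Since it requires only `type user_home_t` rather than the `home_type` attribute that `userdom_search_all_users_home_content` below uses, the "all users" in its name is broader than what it grants; either widen the rule to `home_type` or describe it as `## Read symlinks in unprivileged users home directories.`. The hunk ends in the middle of a doc comment.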
@@ -38342,87 +38535,46 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_read_all_users_home_dirs_symlinks',`
++interface(`userdom_search_all_users_home_content',`
+ gen_require(`
- attribute home_dir_type;
- ')
-
- files_list_home($1)
-- allow $1 home_dir_type:dir search_dir_perms;
-+ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
++ attribute home_dir_type, home_type;
++ ')
++
++ files_list_home($1)
++ allow $1 { home_dir_type home_type }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
-+## Read all users home directories symlinks.
++## Do not audit attempts to search all users home directories.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`userdom_read_all_users_home_content_symlinks',`
++interface(`userdom_dontaudit_search_all_users_home_content',`
+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ files_list_home($1)
-+ allow $1 user_home_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4778,6 +5084,14 @@
-
- files_list_home($1)
- allow $1 home_dir_type:dir list_dir_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs($1)
++ attribute home_dir_type, home_type;
+ ')
+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_list_cifs($1)
-+ ')
- ')
-
- ########################################
-@@ -4815,6 +5129,8 @@
- ')
-
- dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
++ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
+ fs_dontaudit_list_nfs($1)
+ fs_dontaudit_list_cifs($1)
- ')
-
- ########################################
-@@ -4839,7 +5155,7 @@
-
- ########################################
- ## <summary>
--## Create, read, write, and delete all directories
-+## delete all directories
- ## in all users home directories.
- ## </summary>
- ## <param name="domain">
-@@ -4848,13 +5164,52 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_manage_all_users_home_content_dirs',`
-+interface(`userdom_delete_all_users_home_content_dirs',`
- gen_require(`
- attribute home_type;
- ')
-
- files_list_home($1)
-- allow $1 home_type:dir manage_dir_perms;
-+ delete_dirs_pattern($1, home_type, home_type)
+')
+
+########################################
+## <summary>
-+## Create, read, write, and delete all directories
++## Read all files in all users home directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4839,6 +5174,26 @@
+
+ ########################################
+ ## <summary>
++## delete all directories
+## in all users home directories.
+## </summary>
+## <param name="domain">
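Review bot: The new summary line `## delete all directories` starts in lower case, unlike every other summary in this file (`## Delete all files` appears in the next hunk); suggest `## Delete all directories`. The doc block it opens belongs to the `userdom_delete_all_users_home_content_dirs` interface whose body is shown in the next hunk, so this hunk ends mid-comment.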
@@ -38431,17 +38583,24 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_manage_all_users_home_content_dirs',`
++interface(`userdom_delete_all_users_home_content_dirs',`
+ gen_require(`
+ attribute home_type;
+ ')
+
+ files_list_home($1)
-+ allow $1 home_type:dir manage_dir_perms;
++ delete_dirs_pattern($1, home_type, home_type)
+')
+
+########################################
+## <summary>
+ ## Create, read, write, and delete all directories
+ ## in all users home directories.
+ ## </summary>
+@@ -4859,6 +5214,25 @@
+
+ ########################################
+ ## <summary>
+## Delete all files
+## in all users home directories.
+## </summary>
@@ -38457,10 +38616,14 @@
+ ')
+
+ delete_files_pattern($1,home_type,home_type)
- ')
-
- ########################################
-@@ -4879,6 +5234,26 @@
++')
++
++########################################
++## <summary>
+ ## Create, read, write, and delete all files
+ ## in all users home directories.
+ ## </summary>
+@@ -4879,6 +5253,26 @@
########################################
## <summary>
@@ -38487,7 +38650,7 @@
## Create, read, write, and delete all symlinks
## in all users home directories.
## </summary>
-@@ -5115,7 +5490,7 @@
+@@ -5115,7 +5509,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -38496,7 +38659,7 @@
')
files_search_home($1)
-@@ -5304,6 +5679,63 @@
+@@ -5304,6 +5698,63 @@
########################################
## <summary>
@@ -38560,7 +38723,7 @@
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
-@@ -5509,6 +5941,43 @@
+@@ -5509,6 +5960,43 @@
########################################
## <summary>
@@ -38604,7 +38767,7 @@
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
-@@ -5559,7 +6028,7 @@
+@@ -5559,7 +6047,7 @@
attribute userdomain;
')
@@ -38613,7 +38776,7 @@
kernel_search_proc($1)
')
-@@ -5674,6 +6143,42 @@
+@@ -5674,6 +6162,42 @@
########################################
## <summary>
@@ -38656,7 +38819,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5704,3 +6209,408 @@
+@@ -5704,3 +6228,408 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.704
retrieving revision 1.705
diff -u -r1.704 -r1.705
--- selinux-policy.spec 29 Aug 2008 20:40:28 -0000 1.704
+++ selinux-policy.spec 3 Sep 2008 20:24:24 -0000 1.705
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 87%{?dist}
+Release: 88%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,9 @@
%endif
%changelog
+* Tue Sep 2 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-88
+- Allow sendmail to transition to postfix_postdrop_t
+
* Tue Aug 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-87
- Allow crontab to work for unconfined users
- Allow courier_authdaemon_t to create sock_file in courier_spool directories