rpms/selinux-policy/F-9 modules-mls.conf, 1.33, 1.34 policy-20071130.patch, 1.206, 1.207 selinux-policy.spec, 1.706, 1.707
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Sep 12 14:47:17 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12478
Modified Files:
modules-mls.conf policy-20071130.patch selinux-policy.spec
Log Message:
* Tue Sep 2 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-90
- Add rpcbind to mls policy
- Fix up policy so permissive domains will work
Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/modules-mls.conf,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- modules-mls.conf 30 Jun 2008 20:52:16 -0000 1.33
+++ modules-mls.conf 12 Sep 2008 14:46:46 -0000 1.34
@@ -1101,3 +1101,11 @@
# IMAP and POP3 email servers
#
courier = module
+
+# Layer: services
+# Module: rpcbind
+#
+# universal addresses to RPC program number mapper
+#
+rpcbind = module
+
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.206
retrieving revision 1.207
diff -u -r1.206 -r1.207
--- policy-20071130.patch 8 Sep 2008 19:25:46 -0000 1.206
+++ policy-20071130.patch 12 Sep 2008 14:46:46 -0000 1.207
@@ -943,8 +943,48 @@
.EE
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.3.1/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/flask/access_vectors 2008-09-08 11:45:12.000000000 -0400
-@@ -407,141 +407,159 @@
++++ serefpolicy-3.3.1/policy/flask/access_vectors 2008-09-12 10:30:37.000000000 -0400
+@@ -125,6 +125,7 @@
+ reparent
+ search
+ rmdir
++ open
+ }
+
+ class file
+@@ -133,6 +134,7 @@
+ execute_no_trans
+ entrypoint
+ execmod
++ open
+ }
+
+ class lnk_file
+@@ -144,16 +146,23 @@
+ execute_no_trans
+ entrypoint
+ execmod
++ open
+ }
+
+ class blk_file
+ inherits file
++{
++ open
++}
+
+ class sock_file
+ inherits file
+
+ class fifo_file
+ inherits file
++{
++ open
++}
+
+ class fd
+ {
+@@ -407,141 +416,160 @@
#
# SE-X Windows stuff
#
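Review bot: The `open` permission added to the dir, file, blk_file and fifo_file classes (and to the execmod-carrying block after `class lnk_file`, which from its context is presumably chr_file) is only enforced by the kernel once the `open_perms` policy capability is declared, and from that point every permission set that grants read or write access (the read_file_perms-style macros in policy/support/obj_perm_sets.spt) must also carry `open` or ordinary file opens would be denied. Neither policy_capabilities nor obj_perm_sets.spt appears in this hunk, so confirm both are updated in the same revision. Leaving sock_file without an `open` block is consistent with the kernel, which has no open operation on socket files; a one-line comment there, e.g. `# no open: sock_file is connected to, never opened`, would stop a later reader from "completing" the set. The access_vectors file continues outside the hunk.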
@@ -1058,6 +1098,7 @@
read
- store
+ write
++ append
getattr
setattr
}
@@ -1158,12 +1199,6 @@
+}
+
+class x_event
-+{
-+ send
-+ receive
-+}
-+
-+class x_synthetic_event
{
- pageexec # Paging based non-executable pages
- emutramp # Emulate trampolines
@@ -1173,12 +1208,29 @@
- segmexec # Segmentation based non-executable pages
+ send
+ receive
++}
++
++class x_synthetic_event
++{
++ send
++ receive
}
#
+@@ -747,3 +775,10 @@
+ {
+ recv
+ }
++
++class x_application_data
++{
++ paste
++ paste_after_confirm
++ copy
++}
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classes serefpolicy-3.3.1/policy/flask/security_classes
--- nsaserefpolicy/policy/flask/security_classes 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/flask/security_classes 2008-09-08 11:45:12.000000000 -0400
++++ serefpolicy-3.3.1/policy/flask/security_classes 2008-09-12 10:30:52.000000000 -0400
@@ -50,21 +50,19 @@
# passwd/chfn/chsh
class passwd # userspace
@@ -1214,7 +1266,7 @@
# extended netlink sockets
class netlink_route_socket
-@@ -112,4 +110,9 @@
+@@ -112,4 +110,10 @@
# Capabilities >= 32
class capability2
@@ -1222,6 +1274,7 @@
+class x_resource # userspace
+class x_event # userspace
+class x_synthetic_event # userspace
++class x_application_data # userspace
+
# FLASK
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.3.1/policy/global_tunables
@@ -9108,19 +9161,246 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-09-08 11:45:12.000000000 -0400
-@@ -851,9 +851,8 @@
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-09-12 10:26:53.000000000 -0400
+@@ -330,6 +330,11 @@
+
+ allow $1 self:capability sys_module;
+ typeattribute $1 can_load_kernmodule;
++
++ # load_module() calls stop_machine() which
++ # calls sched_setscheduler()
++ allow $1 self:capability sys_nice;
++ kernel_setsched($1)
+ ')
+
+ ########################################
+@@ -584,7 +589,7 @@
+ type debugfs_t;
+ ')
+
+- search_dirs_pattern($1,debugfs_t,debugfs_t)
++ search_dirs_pattern($1, debugfs_t, debugfs_t)
+ ')
+
+ ########################################
+@@ -602,9 +607,9 @@
+ type debugfs_t;
+ ')
+
+- read_files_pattern($1,debugfs_t,debugfs_t)
+- read_lnk_files_pattern($1,debugfs_t,debugfs_t)
+- list_dirs_pattern($1,debugfs_t,debugfs_t)
++ read_files_pattern($1, debugfs_t, debugfs_t)
++ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
++ list_dirs_pattern($1, debugfs_t, debugfs_t)
+ ')
+
+ ########################################
+@@ -676,7 +681,7 @@
+ type proc_t;
+ ')
+
+- search_dirs_pattern($1,proc_t,proc_t)
++ search_dirs_pattern($1, proc_t, proc_t)
+ ')
+
+ ########################################
+@@ -694,7 +699,7 @@
+ type proc_t;
+ ')
+
+- list_dirs_pattern($1,proc_t,proc_t)
++ list_dirs_pattern($1, proc_t, proc_t)
+ ')
+
+ ########################################
+@@ -731,7 +736,7 @@
+ type proc_t;
+ ')
+
+- getattr_files_pattern($1,proc_t,proc_t)
++ getattr_files_pattern($1, proc_t, proc_t)
+ ')
+
+ ########################################
+@@ -749,7 +754,7 @@
+ type proc_t;
+ ')
+
+- read_lnk_files_pattern($1,proc_t,proc_t)
++ read_lnk_files_pattern($1, proc_t, proc_t)
+ ')
+
+ ########################################
+@@ -768,10 +773,10 @@
+ type proc_t;
+ ')
+
+- read_files_pattern($1,proc_t,proc_t)
+- read_lnk_files_pattern($1,proc_t,proc_t)
++ read_files_pattern($1, proc_t, proc_t)
++ read_lnk_files_pattern($1, proc_t, proc_t)
+
+- list_dirs_pattern($1,proc_t,proc_t)
++ list_dirs_pattern($1, proc_t, proc_t)
+ ')
+
+ ########################################
+@@ -794,7 +799,7 @@
+ type proc_t;
+ ')
+
+- write_files_pattern($1,proc_t,proc_t)
++ write_files_pattern($1, proc_t, proc_t)
+ ')
+
+ ########################################
+@@ -851,9 +856,8 @@
type proc_t, proc_afs_t;
')
- read_files_pattern($1,proc_t,proc_afs_t)
-
- list_dirs_pattern($1,proc_t,proc_t)
-+ rw_files_pattern($1,proc_afs_t,proc_afs_t)
+- list_dirs_pattern($1,proc_t,proc_t)
++ list_dirs_pattern($1, proc_t, proc_t)
++ rw_files_pattern($1, proc_afs_t, proc_afs_t)
+ ')
+
+ #######################################
+@@ -872,9 +876,9 @@
+ type proc_t, proc_mdstat_t;
+ ')
+
+- read_files_pattern($1,proc_t,proc_mdstat_t)
++ read_files_pattern($1, proc_t, proc_mdstat_t)
+
+- list_dirs_pattern($1,proc_t,proc_t)
++ list_dirs_pattern($1, proc_t, proc_t)
')
#######################################
-@@ -1194,6 +1193,7 @@
+@@ -892,9 +896,9 @@
+ type proc_t, proc_mdstat_t;
+ ')
+
+- rw_files_pattern($1,proc_t,proc_mdstat_t)
++ rw_files_pattern($1, proc_t, proc_mdstat_t)
+
+- list_dirs_pattern($1,proc_t,proc_t)
++ list_dirs_pattern($1, proc_t, proc_t)
+ ')
+
+ ########################################
+@@ -912,9 +916,9 @@
+ type proc_t, proc_kcore_t;
+ ')
+
+- getattr_files_pattern($1,proc_t,proc_kcore_t)
++ getattr_files_pattern($1, proc_t, proc_kcore_t)
+
+- list_dirs_pattern($1,proc_t,proc_t)
++ list_dirs_pattern($1, proc_t, proc_t)
+ ')
+
+ ########################################
+@@ -953,7 +957,7 @@
+ type proc_kmsg_t, proc_t;
+ ')
+
+- read_files_pattern($1,proc_t,proc_kmsg_t)
++ read_files_pattern($1, proc_t, proc_kmsg_t)
+
+ typeattribute $1 can_receive_kernel_messages;
+ ')
+@@ -974,7 +978,7 @@
+ type proc_kmsg_t, proc_t;
+ ')
+
+- getattr_files_pattern($1,proc_t,proc_kmsg_t)
++ getattr_files_pattern($1, proc_t, proc_kmsg_t)
+ ')
+
+ ########################################
+@@ -1032,7 +1036,7 @@
+ type proc_net_t;
+ ')
+
+- search_dirs_pattern($1,proc_t,proc_net_t)
++ search_dirs_pattern($1, proc_t, proc_net_t)
+ ')
+
+ ########################################
+@@ -1051,10 +1055,10 @@
+ type proc_t, proc_net_t;
+ ')
+
+- read_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
+- read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
++ read_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
++ read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
+
+- list_dirs_pattern($1,proc_t,proc_net_t)
++ list_dirs_pattern($1, proc_t, proc_net_t)
+ ')
+
+ ########################################
+@@ -1072,9 +1076,9 @@
+ type proc_t, proc_net_t;
+ ')
+
+- read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
++ read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
+
+- list_dirs_pattern($1,proc_t,proc_net_t)
++ list_dirs_pattern($1, proc_t, proc_net_t)
+ ')
+
+ ########################################
+@@ -1093,7 +1097,7 @@
+ type proc_t, proc_xen_t;
+ ')
+
+- search_dirs_pattern($1,proc_t,proc_xen_t)
++ search_dirs_pattern($1, proc_t, proc_xen_t)
+ ')
+
+ ########################################
+@@ -1132,10 +1136,10 @@
+ type proc_t, proc_xen_t;
+ ')
+
+- read_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
+- read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
++ read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
++ read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
+
+- list_dirs_pattern($1,proc_t,proc_xen_t)
++ list_dirs_pattern($1, proc_t, proc_xen_t)
+ ')
+
+ ########################################
+@@ -1154,9 +1158,9 @@
+ type proc_t, proc_xen_t;
+ ')
+
+- read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
++ read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
+
+- list_dirs_pattern($1,proc_t,proc_xen_t)
++ list_dirs_pattern($1, proc_t, proc_xen_t)
+ ')
+
+ ########################################
+@@ -1175,7 +1179,7 @@
+ type proc_t, proc_xen_t;
+ ')
+
+- write_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
++ write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
+ ')
+
+ ########################################
+@@ -1194,6 +1198,7 @@
')
dontaudit $1 proc_type:dir list_dir_perms;
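Review bot: The lines `allow $1 self:capability sys_nice;` and `kernel_setsched($1)` widen every domain that uses this module-loading interface to CAP_SYS_NICE and scheduler changes on itself, a privilege expansion beyond module loading; the interface name and its `<summary>`/`<desc>` block lie before the inner hunk, so the description should be extended to say that callers also receive sys_nice and setsched, with the stop_machine() reason already given in the inline comment. The rest of the hunk normalises `pattern($1,a,b)` to `pattern($1, a, b)`, which buries the two semantic changes (this one and the `rw_files_pattern($1, proc_afs_t, proc_afs_t)` replacement of a read rule) among roughly a hundred cosmetic lines; a separate reformat-only revision would make both reviewable. The enclosing interfaces start outside their inner hunks.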
@@ -9128,7 +9408,273 @@
')
########################################
-@@ -1764,6 +1764,7 @@
+@@ -1232,7 +1237,7 @@
+ type sysctl_t;
+ ')
+
+- list_dirs_pattern($1,proc_t,sysctl_t)
++ list_dirs_pattern($1, proc_t, sysctl_t)
+ ')
+
+ ########################################
+@@ -1251,9 +1256,9 @@
+ type proc_t, sysctl_t, sysctl_dev_t;
+ ')
+
+- read_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t)
++ read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t)
+ ')
+
+ ########################################
+@@ -1272,9 +1277,9 @@
+ type proc_t, sysctl_t, sysctl_dev_t;
+ ')
+
+- rw_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t)
++ rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t)
+ ')
+
+ ########################################
+@@ -1292,7 +1297,7 @@
+ type proc_t, sysctl_t, sysctl_vm_t;
+ ')
+
+- search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
++ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
+ ')
+
+ ########################################
+@@ -1311,9 +1316,9 @@
+ type proc_t, sysctl_t, sysctl_vm_t;
+ ')
+
+- read_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t)
++ read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
+ ')
+
+ ########################################
+@@ -1332,8 +1337,8 @@
+ type proc_t, sysctl_t, sysctl_vm_t;
+ ')
+
+- rw_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t)
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
++ rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
+
+ # hal needs this
+ allow $1 sysctl_vm_t:dir write;
+@@ -1354,7 +1359,7 @@
+ type proc_t, sysctl_t, sysctl_net_t;
+ ')
+
+- search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
++ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+ ########################################
+@@ -1391,9 +1396,9 @@
+ type proc_t, sysctl_t, sysctl_net_t;
+ ')
+
+- read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
++ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+ ########################################
+@@ -1412,9 +1417,9 @@
+ type proc_t, sysctl_t, sysctl_net_t;
+ ')
+
+- rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
++ rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+ ########################################
+@@ -1434,9 +1439,9 @@
+ type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+ ')
+
+- read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t)
++ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+ ########################################
+@@ -1456,9 +1461,9 @@
+ type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+ ')
+
+- rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t)
++ rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ ')
+
+ ########################################
+@@ -1477,9 +1482,9 @@
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+ ')
+
+- read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t)
++ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+ ')
+
+ ########################################
+@@ -1498,9 +1503,9 @@
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+ ')
+
+- rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t)
++ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+ ')
+
+ ########################################
+@@ -1519,9 +1524,9 @@
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+ ')
+
+- read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t)
++ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+ ')
+
+ ########################################
+@@ -1540,9 +1545,9 @@
+ type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+ ')
+
+- rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t)
++ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+ ')
+
+ ########################################
+@@ -1578,9 +1583,9 @@
+ type proc_t, sysctl_t, sysctl_kernel_t;
+ ')
+
+- read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t)
++ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+ ')
+
+ ########################################
+@@ -1617,9 +1622,9 @@
+ type proc_t, sysctl_t, sysctl_kernel_t;
+ ')
+
+- rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t)
++ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+ ')
+
+ ########################################
+@@ -1638,9 +1643,9 @@
+ type proc_t, sysctl_t, sysctl_fs_t;
+ ')
+
+- read_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t)
++ read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
+ ')
+
+ ########################################
+@@ -1659,9 +1664,9 @@
+ type proc_t, sysctl_t, sysctl_fs_t;
+ ')
+
+- rw_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t)
++ rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
+
+- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t)
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
+ ')
+
+ ########################################
+@@ -1680,9 +1685,9 @@
+ type proc_t, sysctl_irq_t;
+ ')
+
+- read_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t)
++ read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
+
+- list_dirs_pattern($1,proc_t,sysctl_irq_t)
++ list_dirs_pattern($1, proc_t, sysctl_irq_t)
+ ')
+
+ ########################################
+@@ -1701,9 +1706,9 @@
+ type proc_t, sysctl_irq_t;
+ ')
+
+- rw_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t)
++ rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
+
+- list_dirs_pattern($1,proc_t,sysctl_irq_t)
++ list_dirs_pattern($1, proc_t, sysctl_irq_t)
+ ')
+
+ ########################################
+@@ -1722,9 +1727,9 @@
+ type proc_t, proc_net_t, sysctl_rpc_t;
+ ')
+
+- read_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t)
++ read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
+
+- list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t)
++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+ ')
+
+ ########################################
+@@ -1743,9 +1748,9 @@
+ type proc_t, proc_net_t, sysctl_rpc_t;
+ ')
+
+- rw_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t)
++ rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
+
+- list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t)
++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+ ')
+
+ ########################################
+@@ -1764,6 +1769,7 @@
')
dontaudit $1 sysctl_type:dir list_dir_perms;
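Review bot: The line `rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)` puts the comma on the wrong side of the space, unlike every other line this hunk normalises; it should read `rw_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)`. It is harmless to m4 but defeats the point of a reformat-only hunk and is exactly the line a later search for `($1, ` will miss. The interface carrying it (the one with the `# hal needs this` write rule) starts before its inner hunk.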
@@ -9136,10 +9682,95 @@
')
########################################
-@@ -2508,3 +2509,33 @@
+@@ -1784,9 +1790,9 @@
+ ')
+
+ # proc_net_t for /proc/net/rpc sysctls
+- read_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type)
++ read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
+
+- list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_type)
++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
+ ')
+
+ ########################################
+@@ -1807,7 +1813,7 @@
+ ')
- typeattribute $1 kern_unconfined;
+ # proc_net_t for /proc/net/rpc sysctls
+- rw_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type)
++ rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
+
+ allow $1 sysctl_type:dir list_dir_perms;
+ # why is setattr needed?
+@@ -1938,8 +1944,8 @@
+ ')
+
+ allow $1 unlabeled_t:dir list_dir_perms;
+- read_files_pattern($1,unlabeled_t,unlabeled_t)
+- read_lnk_files_pattern($1,unlabeled_t,unlabeled_t)
++ read_files_pattern($1, unlabeled_t, unlabeled_t)
++ read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
')
+
+
+@@ -2493,6 +2499,109 @@
+
+ ########################################
+ ## <summary>
++## Receive packets from an unlabeled peer.
++## </summary>
++## <desc>
++## <p>
++## Receive packets from an unlabeled peer, these packets do not have any
++## peer labeling information present.
++## </p>
++## <p>
++## The corenetwork interface corenet_recvfrom_unlabeled_peer() should
++## be used instead of this one.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_recvfrom_unlabeled_peer',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:peer recv;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to receive packets from an unlabeled peer.
++## </summary>
++## <desc>
++## <p>
++## Do not audit attempts to receive packets from an unlabeled peer,
++## these packets do not have any peer labeling information present.
++## </p>
++## <p>
++## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
++## should be used instead of this one.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ dontaudit $1 unlabeled_t:peer recv;
++')
+
+########################################
+## <summary>
@@ -9170,9 +9801,32 @@
+ allow $1 unlabeled_t:db_blob { setattr relabelfrom };
+')
+
++########################################
++## <summary>
++## Relabel to unlabeled context .
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_relabelto_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir_file_class_set relabelto;
++')
++
++########################################
++## <summary>
+ ## Unconfined access to kernel module resources.
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.3.1/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.te 2008-09-08 11:45:12.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.te 2008-09-12 10:29:36.000000000 -0400
@@ -45,6 +45,15 @@
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
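Review bot: `kernel_relabelto_unlabeled` grants `unlabeled_t:dir_file_class_set relabelto`, so a caller can strip the security context from any directory, file, symlink, device node or fifo it is otherwise allowed to relabel, and the summary `## Relabel to unlabeled context .` (stray space before the period) does not convey that. Fix the typo to `## Relabel to unlabeled context.` and add a `<desc>` paragraph stating that objects relabeled this way lose their context and are afterwards governed only by the unlabeled_t rules, so policy authors treat the interface as privileged. The preceding `allow $1 unlabeled_t:db_blob { setattr relabelfrom };` belongs to an interface that starts before the hunk.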
@@ -9189,7 +9843,41 @@
# DebugFS
#
-@@ -231,6 +240,8 @@
+@@ -54,6 +63,15 @@
+ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
+
+ #
++# infinibandeventfs fs
++#
++
++type infinibandeventfs_t;
++fs_type(infinibandeventfs_t)
++allow infinibandeventfs_t self:filesystem associate;
++genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
++
++#
+ # kvmFS
+ #
+
+@@ -151,6 +169,7 @@
+ #
+ type unlabeled_t;
+ sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
++fs_associate(unlabeled_t)
+
+ # These initial sids are no longer used, and can be removed:
+ sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -212,6 +231,9 @@
+ # connections with invalidated labels:
+ allow kernel_t unlabeled_t:packet send;
+
++# Forwarded network traffic
++allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
++
+ corenet_all_recvfrom_unlabeled(kernel_t)
+ corenet_all_recvfrom_netlabel(kernel_t)
+ # Kernel-generated traffic e.g., ICMP replies:
+@@ -231,6 +253,8 @@
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
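Review bot: `allow unlabeled_t unlabeled_t:packet { forward_in forward_out };` is an unconditional rule in the kernel module that permits forwarding of any packet carrying no label in both directions, and the comment `# Forwarded network traffic` records what it does but not why. A comment naming the intent, e.g. `# forwarded packets that iptables has not given a SECMARK are unlabeled_t; allow them so routing/bridging keeps working, labeled forwarded traffic stays subject to per-type rules`, would let a later reviewer tell a deliberate default from an over-grant. The infinibandeventfs_t block mirrors the debugfs declaration above it and needs nothing further. The kernel.te section continues outside the hunk.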
@@ -9198,7 +9886,7 @@
selinux_load_policy(kernel_t)
-@@ -253,12 +264,16 @@
+@@ -253,12 +277,16 @@
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
@@ -9215,7 +9903,7 @@
tunable_policy(`read_default_t',`
files_list_default(kernel_t)
files_read_default_files(kernel_t)
-@@ -363,7 +378,7 @@
+@@ -363,7 +391,7 @@
allow kern_unconfined proc_type:{ dir file lnk_file } *;
@@ -9224,7 +9912,7 @@
allow kern_unconfined kernel_t:system *;
-@@ -374,3 +389,4 @@
+@@ -374,3 +402,4 @@
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
kernel_rw_all_sysctls(kern_unconfined)
@@ -16886,6 +17574,20 @@
+ polkit_read_lib(gnomeclock_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.3.1/policy/modules/services/gpm.te
+--- nsaserefpolicy/policy/modules/services/gpm.te 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/gpm.te 2008-09-12 10:36:09.000000000 -0400
+@@ -41,8 +41,8 @@
+ allow gpm_t gpm_var_run_t:file manage_file_perms;
+ files_pid_filetrans(gpm_t,gpm_var_run_t,file)
+
+-allow gpm_t gpmctl_t:sock_file manage_file_perms;
+-allow gpm_t gpmctl_t:fifo_file manage_file_perms;
++allow gpm_t gpmctl_t:sock_file manage_sock_file_perms;
++allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms;
+ dev_filetrans(gpm_t,gpmctl_t,{ sock_file fifo_file })
+
+ kernel_read_kernel_sysctls(gpm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2008-06-12 23:38:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-09-08 11:45:12.000000000 -0400
@@ -18360,7 +19062,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.3.1/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-09-08 11:45:12.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-09-11 13:48:31.000000000 -0400
@@ -53,10 +53,9 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
@@ -18374,7 +19076,7 @@
')
########################################
-@@ -65,8 +64,15 @@
+@@ -65,8 +64,19 @@
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
@@ -18384,6 +19086,10 @@
+
+files_search_spool(mailman_mail_t)
+fs_rw_anon_inodefs_files(mailman_mail_t)
++
++manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
++manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
++manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
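Review bot: The three `manage_*_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)` rules give the MTA-invoked delivery domain full create/rename/unlink rights over the list archives, symlinks included; if delivery only needs to create or append to archive files, the narrower create/append patterns would limit what a misbehaving mail handler can remove. If full management really is required (archive rotation from the queue runner, say), a one-line comment stating that, e.g. `# qrunner rewrites archive directories, needs full manage`, would stop the next reviewer from narrowing it. The mailman_mail_t block continues outside the hunk.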
@@ -26300,7 +27006,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.3.1/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/snmp.te 2008-09-08 11:45:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/snmp.te 2008-09-09 08:43:38.000000000 -0400
@@ -18,12 +18,16 @@
type snmpd_var_lib_t;
files_type(snmpd_var_lib_t)
@@ -26312,7 +27018,8 @@
#
# Local policy
#
- allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+-allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
++allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config sys_ptrace };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+allow snmpd_t self:process { getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
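Review bot: `sys_ptrace` is added to snmpd_t's self capabilities while the next hunk only dontaudits `process ptrace` on other domains (`domain_dontaudit_ptrace_all_domains(snmpd_t)`), so the capability is presumably wanted for reading other users' /proc/<pid> entries for the process table, which trips the CAP_SYS_PTRACE check, rather than for ptrace itself. That pairing is deliberate but non-obvious; a comment on the capability line such as `# sys_ptrace: reading /proc/<pid> of other uids, not ptrace itself (ptrace is dontaudited below)` would keep someone from "completing" it with a real ptrace allow. The snmpd local policy block continues outside the hunk.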
@@ -26326,7 +27033,14 @@
kernel_read_net_sysctls(snmpd_t)
kernel_read_proc_symlinks(snmpd_t)
kernel_read_system_state(snmpd_t)
-@@ -81,8 +86,7 @@
+@@ -76,13 +81,14 @@
+ domain_use_interactive_fds(snmpd_t)
+ domain_signull_all_domains(snmpd_t)
+ domain_read_all_domains_state(snmpd_t)
++domain_dontaudit_ptrace_all_domains(snmpd_t)
++domain_exec_all_entry_files(snmpd_t)
+
+ files_read_etc_files(snmpd_t)
files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)
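Review bot: `domain_exec_all_entry_files(snmpd_t)` lets snmpd run every domain entrypoint binary in its own domain without a transition, which hands the daemon the executable surface of every other service; if the motivation is the net-snmp exec/extend scripts, a `corecmd_exec_bin(snmpd_t)` (possibly already present elsewhere in the file, not visible here) or a dedicated transition for the helper would be the least-privilege form. At minimum the line should carry a comment naming the binary that motivated it, e.g. `# snmpd extend/exec runs <helper> -- TODO narrow to its type`. The snmpd block continues outside the hunk.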
@@ -26336,6 +27050,24 @@
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
+@@ -94,6 +100,8 @@
+ init_read_utmp(snmpd_t)
+ init_dontaudit_write_utmp(snmpd_t)
+
++auth_use_nsswitch(snmpd_t)
++
+ libs_use_ld_so(snmpd_t)
+ libs_use_shared_libs(snmpd_t)
+
+@@ -120,7 +128,7 @@
+ ')
+
+ optional_policy(`
+- auth_use_nsswitch(snmpd_t)
++ consoletype_exec(snmpd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.3.1/policy/modules/services/snort.fc
--- nsaserefpolicy/policy/modules/services/snort.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/snort.fc 2008-09-08 11:45:13.000000000 -0400
@@ -34151,7 +34883,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.3.1/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.fc 2008-09-08 11:45:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.fc 2008-09-12 09:58:16.000000000 -0400
@@ -38,7 +38,7 @@
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
@@ -34161,19 +34893,35 @@
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+@@ -46,3 +46,8 @@
+ # /var/run
+ #
+ /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
++
++#
++# /var/lib
++#
++/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.3.1/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-09-08 11:45:13.000000000 -0400
-@@ -215,8 +215,6 @@
- seutil_domtrans_newrole($1)
- role $2 types newrole_t;
- allow newrole_t $3:chr_file rw_term_perms;
--
-- auth_run_upd_passwd(newrole_t, $2, $3)
- ')
-
- ########################################
-@@ -553,6 +551,59 @@
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-09-12 09:57:55.000000000 -0400
+@@ -430,6 +430,7 @@
+ role system_r;
+ ')
+
++ auth_run_chk_passwd(run_init_t, $2, $3)
+ seutil_domtrans_runinit($1)
+ role $2 types run_init_t;
+ allow run_init_t $3:chr_file rw_term_perms;
+@@ -474,6 +475,7 @@
+ role system_r;
+ ')
+
++ auth_run_chk_passwd(run_init_t, $2, $3)
+ seutil_init_script_domtrans_runinit($1)
+ role $2 types run_init_t;
+ allow run_init_t $3:chr_file rw_term_perms;
+@@ -553,6 +555,59 @@
########################################
## <summary>
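Review bot: The new file context `/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0)` references selinux_var_lib_t, and no declaration of that type with `files_type()` appears in this hunk; if selinuxutil.te is not updated in the same revision the file contexts will fail to load. `auth_run_chk_passwd(run_init_t, $2, $3)` is added to both run_init interfaces, which also grants role $2 the chkpwd domain; the interface summaries, which lie before the inner hunks, should mention that. The 1.206 hunk that removed `auth_run_upd_passwd(newrole_t, $2, $3)` from the newrole interface is itself dropped here, so newrole keeps that call; confirm the reversal is intended rather than lost in the rebase.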
@@ -34192,7 +34940,7 @@
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
-+ domtrans_pattern($1,setfiles_exec_t,setfiles_mac_t)
++ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
+')
+
+########################################
@@ -34233,7 +34981,7 @@
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
-@@ -587,7 +638,7 @@
+@@ -587,7 +642,7 @@
type selinux_config_t;
')
@@ -34242,7 +34990,7 @@
')
########################################
-@@ -606,7 +657,7 @@
+@@ -606,7 +661,7 @@
type selinux_config_t;
')
@@ -34251,15 +34999,15 @@
dontaudit $1 selinux_config_t:file { getattr read };
')
-@@ -698,6 +749,7 @@
+@@ -698,6 +753,7 @@
')
files_search_etc($1)
-+ manage_dirs_pattern($1,selinux_config_t,selinux_config_t)
++ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
manage_files_pattern($1,selinux_config_t,selinux_config_t)
read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
')
-@@ -807,6 +859,28 @@
+@@ -807,6 +863,28 @@
########################################
## <summary>
@@ -34288,7 +35036,25 @@
## Read and write the file_contexts files.
## </summary>
## <param name="domain">
-@@ -997,6 +1071,26 @@
+@@ -817,7 +895,7 @@
+ #
+ interface(`seutil_rw_file_contexts',`
+ gen_require(`
+- type selinux_config_t, file_context_t;
++ type selinux_config_t, file_context_t, default_context_t;
+ ')
+
+ files_search_etc($1)
+@@ -838,7 +916,7 @@
+ #
+ interface(`seutil_manage_file_contexts',`
+ gen_require(`
+- type selinux_config_t, file_context_t;
++ type selinux_config_t, file_context_t, default_context_t;
+ ')
+
+ files_search_etc($1)
+@@ -997,6 +1075,26 @@
########################################
## <summary>
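Review bot: Both gen_require blocks now pull in `default_context_t`, but the two inner hunks (7 lines each) show no rule in `seutil_rw_file_contexts` or `seutil_manage_file_contexts` that references it, and a required type no rule uses only hides a missing or misplaced rule. If the rw/manage rules on `default_context_t` sit below the shown lines, the interface summaries are now wrong: `## Read and write the file_contexts files.` no longer describes what the caller is granted and should also name the default_contexts files. Both interface bodies continue outside the hunk, so confirm the rules exist before merging.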
@@ -34307,7 +35073,7 @@
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
-+ domtrans_pattern($1,setsebool_exec_t,setsebool_t)
++ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
+')
+
+########################################
@@ -34315,7 +35081,7 @@
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1008,7 +1102,7 @@
+@@ -1008,7 +1106,7 @@
## </param>
## <param name="role">
## <summary>
@@ -34324,7 +35090,7 @@
## </summary>
## </param>
## <param name="terminal">
-@@ -1030,6 +1124,39 @@
+@@ -1030,6 +1128,39 @@
########################################
## <summary>
@@ -34364,7 +35130,7 @@
## Full management of the semanage
## module store.
## </summary>
-@@ -1141,3 +1268,260 @@
+@@ -1141,3 +1272,260 @@
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -34408,12 +35174,12 @@
+
+ type $1_setsebool_t;
+ domain_type($1_setsebool_t)
-+ domain_entry_file($1_setsebool_t,setsebool_exec_t)
++ domain_entry_file($1_setsebool_t, setsebool_exec_t)
+ role $3 types $1_setsebool_t;
+
+ files_search_usr($2)
+ corecmd_search_bin($2)
-+ domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t)
++ domtrans_pattern($2, setsebool_exec_t, $1_setsebool_t)
+ seutil_semanage_policy($1_setsebool_t)
+
+ # Need to define per type booleans
@@ -34608,7 +35374,7 @@
+ fs_rw_tmpfs_chr_files($1)
+')
+
-+ifdef(`distro_redhat', `
++ifdef(`distro_redhat',`
+ fs_rw_tmpfs_chr_files($1)
+ fs_rw_tmpfs_blk_files($1)
+ fs_relabel_tmpfs_blk_file($1)
@@ -34627,8 +35393,18 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-09-08 11:45:13.000000000 -0400
-@@ -75,7 +75,6 @@
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-09-12 09:54:59.000000000 -0400
+@@ -23,6 +23,9 @@
+ type selinux_config_t;
+ files_type(selinux_config_t)
+
++type selinux_var_lib_t;
++files_type(selinux_var_lib_t)
++
+ type checkpolicy_t, can_write_binary_policy;
+ type checkpolicy_exec_t;
+ application_domain(checkpolicy_t, checkpolicy_exec_t)
+@@ -75,7 +78,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
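Review bot: `selinux_var_lib_t` is declared with `files_type` but nothing in this chunk labels a path with it or exposes it through an interface, so unless the .fc entry lives elsewhere in the patch no on-disk object will ever carry the type and the manage rules granted on it later are dead. A one-line comment above the declaration naming what it is for, e.g. `# <path labelled selinux_var_lib_t> — state kept by semanage` with the real path filled in, would make the intent checkable against the .fc.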
@@ -34636,7 +35412,7 @@
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
-@@ -92,6 +91,10 @@
+@@ -92,6 +94,10 @@
domain_interactive_fd(semanage_t)
role system_r types semanage_t;
@@ -34647,7 +35423,7 @@
type semanage_store_t;
files_type(semanage_store_t)
-@@ -109,6 +112,11 @@
+@@ -109,6 +115,11 @@
init_system_domain(setfiles_t,setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)
@@ -34659,7 +35435,7 @@
########################################
#
# Checkpolicy local policy
-@@ -168,6 +176,7 @@
+@@ -168,6 +179,7 @@
files_read_etc_runtime_files(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
@@ -34667,7 +35443,7 @@
mls_file_read_all_levels(load_policy_t)
-@@ -195,15 +204,6 @@
+@@ -195,15 +207,6 @@
')
')
@@ -34683,7 +35459,7 @@
########################################
#
# Newrole local policy
-@@ -221,7 +221,7 @@
+@@ -221,7 +224,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -34692,7 +35468,7 @@
read_files_pattern(newrole_t,default_context_t,default_context_t)
read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
-@@ -277,6 +277,7 @@
+@@ -277,6 +280,7 @@
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@@ -34700,16 +35476,17 @@
logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
-@@ -347,6 +348,8 @@
+@@ -347,6 +351,9 @@
seutil_libselinux_linked(restorecond_t)
+userdom_read_all_users_home_dirs_symlinks(restorecond_t)
++userdom_read_all_users_home_content_symlinks(restorecond_t)
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -365,7 +368,7 @@
+@@ -365,7 +372,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -34718,7 +35495,7 @@
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -396,7 +399,6 @@
+@@ -396,7 +403,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -34726,7 +35503,7 @@
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -435,67 +437,28 @@
+@@ -435,64 +441,22 @@
# semodule local policy
#
@@ -34747,9 +35524,13 @@
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
--
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
+
-domain_use_interactive_fds(semanage_t)
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
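Review bot: The two new `manage_*_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)` rules grant object access but nothing visible lets semanage_t reach the directory: if, as the name suggests, the type labels something under /var/lib, the domain also needs search on the parent, i.e. `files_search_var_lib(semanage_t)`, or the rules are unreachable in practice. No lnk_file access is granted either, which is fine only if that tree never contains symlinks. `seutil_semanage_policy(semanage_t)` is added here and its earlier addition is dropped in the following hunk, so this is a move, not a new grant.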
@@ -34762,7 +35543,6 @@
-selinux_get_enforce_mode(semanage_t)
-selinux_getattr_fs(semanage_t)
-# for setsebool:
-+seutil_semanage_policy(semanage_t)
selinux_set_boolean(semanage_t)
+can_exec(semanage_t, semanage_exec_t)
@@ -34777,11 +35557,11 @@
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
+-
+-miscfiles_read_localization(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
--miscfiles_read_localization(semanage_t)
--
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
@@ -34796,6 +35576,10 @@
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
+@@ -501,12 +465,30 @@
+ files_read_var_lib_symlinks(semanage_t)
+ ')
+
+userdom_search_sysadm_home_dirs(semanage_t)
+
+optional_policy(`
@@ -34804,10 +35588,14 @@
+ consoletype_exec(semanage_t)
+')
+
- ifdef(`distro_debian',`
- files_read_var_lib_files(semanage_t)
- files_read_var_lib_symlinks(semanage_t)
-@@ -507,6 +470,11 @@
++ifdef(`distro_debian',`
++ files_read_var_lib_files(semanage_t)
++ files_read_var_lib_symlinks(semanage_t)
++')
++
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(semanage_t)
')
')
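Review bot: The new side turns the `ifdef(`distro_debian',` block into added lines where the old patch left the same upstream block as context, so unless the part of the inner hunk not shown here (its header reports 12 old lines becoming 30) removes the original, the built selinuxutil.te carries these three lines twice. Duplicate rules are harmless to the compiler but make later diffs of this region misleading; confirm the original block is deleted or keep it as context instead.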
@@ -34819,7 +35607,7 @@
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -514,121 +482,35 @@
+@@ -514,121 +496,42 @@
# Handle pp files created in homedir and /tmp
userdom_read_sysadm_home_content_files(semanage_t)
userdom_read_sysadm_tmp_files(semanage_t)
@@ -34936,31 +35724,36 @@
- unconfined_domain(setfiles_t)
- ')
-')
--
--ifdef(`hide_broken_symptoms',`
-- optional_policy(`
-- udev_dontaudit_rw_dgram_sockets(setfiles_t)
-- ')
+########################################
+#
+# Setfiles local policy
+#
+-ifdef(`hide_broken_symptoms',`
+- optional_policy(`
+- udev_dontaudit_rw_dgram_sockets(setfiles_t)
+- ')
++seutil_setfiles(setfiles_t)
++# During boot in Rawhide
++term_use_generic_ptys(setfiles_t)
+
- # cjp: cover up stray file descriptors.
- optional_policy(`
- unconfined_dontaudit_read_pipes(setfiles_t)
- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
- ')
--')
-+seutil_setfiles(setfiles_t)
-
- optional_policy(`
-- hotplug_use_fds(setfiles_t)
++optional_policy(`
+ cron_system_entry(setfiles_t, setfiles_exec_t)
')
-+
+
+seutil_setfiles(setfiles_mac_t)
++allow setfiles_mac_t self:capability2 mac_admin;
++kernel_relabelto_unlabeled(setfiles_mac_t)
+
+ optional_policy(`
+- hotplug_use_fds(setfiles_t)
++ unconfined_domain(setfiles_mac_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-3.3.1/policy/modules/system/setrans.fc
--- nsaserefpolicy/policy/modules/system/setrans.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/setrans.fc 2008-09-08 11:45:13.000000000 -0400
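Review bot: `unconfined_domain(setfiles_mac_t)` inside `optional_policy` makes the two targeted rules added just above it, `allow setfiles_mac_t self:capability2 mac_admin;` and `kernel_relabelto_unlabeled(setfiles_mac_t)`, redundant whenever the unconfined module is loaded, and hands a relabelling tool the full unconfined rule set. If the aim is only to let this domain apply labels the running policy does not define, the explicit rules together with `seutil_setfiles(setfiles_mac_t)` look like the minimal grant, and a comment above the optional block stating why unconfined is still required is needed either way. The `# During boot in Rawhide` comment on `term_use_generic_ptys(setfiles_t)` reads as a workaround; naming the symptom it covers would let the rule be retired later. The setfiles section begins before this hunk.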
@@ -40922,8 +41715,71 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.3.1/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-09-08 11:45:13.000000000 -0400
-@@ -315,3 +315,13 @@
++++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-09-12 10:31:36.000000000 -0400
+@@ -193,7 +193,7 @@
+ define(`create_dir_perms',`{ getattr create }')
+ define(`rename_dir_perms',`{ getattr rename }')
+ define(`delete_dir_perms',`{ getattr rmdir }')
+-define(`manage_dir_perms',`{ create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
++define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
+ define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
+ define(`relabelto_dir_perms',`{ getattr relabelto }')
+ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+@@ -209,10 +209,10 @@
+ define(`append_file_perms',`{ getattr append lock ioctl }')
+ define(`write_file_perms',`{ getattr write append lock ioctl }')
+ define(`rw_file_perms',`{ getattr read write append ioctl lock }')
+-define(`create_file_perms',`{ getattr create }')
++define(`create_file_perms',`{ getattr create open }')
+ define(`rename_file_perms',`{ getattr rename }')
+ define(`delete_file_perms',`{ getattr unlink }')
+-define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
++define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+ define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
+ define(`relabelto_file_perms',`{ getattr relabelto }')
+ define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
+@@ -223,7 +223,8 @@
+ define(`getattr_lnk_file_perms',`{ getattr }')
+ define(`setattr_lnk_file_perms',`{ setattr }')
+ define(`read_lnk_file_perms',`{ getattr read }')
+-define(`write_lnk_file_perms',`{ getattr write lock ioctl }')
++define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
++define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
+ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+ define(`create_lnk_file_perms',`{ create getattr }')
+ define(`rename_lnk_file_perms',`{ getattr rename }')
+@@ -242,10 +243,10 @@
+ define(`append_fifo_file_perms',`{ getattr append lock ioctl }')
+ define(`write_fifo_file_perms',`{ getattr write append lock ioctl }')
+ define(`rw_fifo_file_perms',`{ getattr read write append ioctl lock }')
+-define(`create_fifo_file_perms',`{ getattr create }')
++define(`create_fifo_file_perms',`{ getattr create open }')
+ define(`rename_fifo_file_perms',`{ getattr rename }')
+ define(`delete_fifo_file_perms',`{ getattr unlink }')
+-define(`manage_fifo_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
++define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+ define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')
+ define(`relabelto_fifo_file_perms',`{ getattr relabelto }')
+ define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')
+@@ -278,7 +279,7 @@
+ define(`create_blk_file_perms',`{ getattr create }')
+ define(`rename_blk_file_perms',`{ getattr rename }')
+ define(`delete_blk_file_perms',`{ getattr unlink }')
+-define(`manage_blk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
++define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+ define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')
+ define(`relabelto_blk_file_perms',`{ getattr relabelto }')
+ define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
+@@ -295,7 +296,7 @@
+ define(`create_chr_file_perms',`{ getattr create }')
+ define(`rename_chr_file_perms',`{ getattr rename }')
+ define(`delete_chr_file_perms',`{ getattr unlink }')
+-define(`manage_chr_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
++define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+ define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
+ define(`relabelto_chr_file_perms',`{ getattr relabelto }')
+ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+@@ -315,3 +316,13 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
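Review bot: `open` is added to the manage_* sets and to `create_file_perms`/`create_fifo_file_perms`, but not to the read/write/rw sets shown as context in the same hunks (`rw_file_perms`, `rw_fifo_file_perms`) nor to `create_dir_perms`, `create_blk_file_perms` and `create_chr_file_perms`. Once `open` is a checked permission on these classes, a domain holding only `rw_file_perms` on a type is denied at open(2) while one holding `manage_file_perms` succeeds, inverting the least-privilege ordering these sets exist to express. Either extend `open` to the read/write/append/rw sets as well or keep it out of the create sets until that is done; `manage_dir_perms` getting `open` while `create_dir_perms` does not is the same inconsistency.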
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.706
retrieving revision 1.707
diff -u -r1.706 -r1.707
--- selinux-policy.spec 4 Sep 2008 20:59:27 -0000 1.706
+++ selinux-policy.spec 12 Sep 2008 14:46:47 -0000 1.707
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 89.1%{?dist}
+Release: 90%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,10 @@
%endif
%changelog
+* Tue Sep 2 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-90
+- Add rpcbind to mls policy
+- Fix up policy so permissive domains will work
+
* Tue Sep 2 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-89
- Fix init script paths