rpms/selinux-policy/devel policy-20080710.patch,1.43,1.44

Daniel J Walsh dwalsh at fedoraproject.org
Tue Sep 23 14:23:23 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24792

Modified Files:
	policy-20080710.patch 
Log Message:
* Mon Sep 22 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-6
- Fix transition to nsplugin


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- policy-20080710.patch	22 Sep 2008 20:07:59 -0000	1.43
+++ policy-20080710.patch	23 Sep 2008 14:23:23 -0000	1.44
@@ -564,7 +564,7 @@
  files_read_etc_files(kismet_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.8/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2008-09-03 10:17:00.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/admin/logrotate.te	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/admin/logrotate.te	2008-09-23 08:33:35.000000000 -0400
 @@ -97,6 +97,7 @@
  files_read_etc_files(logrotate_t)
  files_read_etc_runtime_files(logrotate_t)
@@ -573,6 +573,15 @@
  # Write to /var/spool/slrnpull - should be moved into its own type.
  files_manage_generic_spool(logrotate_t)
  files_manage_generic_spool_dirs(logrotate_t)
+@@ -167,7 +168,7 @@
+ ')
+ 
+ optional_policy(`
+-	mailman_exec(logrotate_t)
++	mailman_domtrans(logrotate_t)
+ 	mailman_search_data(logrotate_t)
+ 	mailman_manage_log(logrotate_t)
+ ')
 @@ -189,6 +190,5 @@
  ')
  
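Review bot: The change from `mailman_exec(logrotate_t)` to `mailman_domtrans(logrotate_t)` in the logrotate.te `optional_policy` block has no comment in the policy, and the log message only mentions nsplugin. Running the mailman helper in its own domain instead of in logrotate_t is the tighter choice, but the target domain must then hold every permission the rotation script relies on. The mailman.if section of this revision shows only a timestamp change, so that cannot be confirmed from here. I would add `# run the mailman helper in its own domain rather than in logrotate_t` above the call. It is also worth re-checking whether `mailman_search_data(logrotate_t)` is still needed once the helper no longer runs as logrotate_t.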
@@ -615,7 +624,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.8/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/admin/mrtg.te	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/admin/mrtg.te	2008-09-23 10:04:14.000000000 -0400
 @@ -78,6 +78,7 @@
  dev_read_urand(mrtg_t)
  
@@ -624,7 +633,15 @@
  
  files_read_usr_files(mrtg_t)
  files_search_var(mrtg_t)
-@@ -101,6 +102,8 @@
+@@ -92,6 +93,7 @@
+ 
+ fs_search_auto_mountpoints(mrtg_t)
+ fs_getattr_xattr_fs(mrtg_t)
++fs_list_inotifyfs(mrtg_t)
+ 
+ term_dontaudit_use_console(mrtg_t)
+ 
+@@ -101,6 +103,8 @@
  init_read_utmp(mrtg_t)
  init_dontaudit_write_utmp(mrtg_t)
  
@@ -633,7 +650,7 @@
  libs_read_lib_files(mrtg_t)
  libs_use_ld_so(mrtg_t)
  libs_use_shared_libs(mrtg_t)
-@@ -111,12 +114,10 @@
+@@ -111,12 +115,10 @@
  
  selinux_dontaudit_getattr_dir(mrtg_t)
  
@@ -647,7 +664,7 @@
  
  ifdef(`enable_mls',`
  	corenet_udp_sendrecv_lo_if(mrtg_t)
-@@ -140,14 +141,6 @@
+@@ -140,14 +142,6 @@
  ')
  
  optional_policy(`
@@ -662,7 +679,7 @@
  	seutil_sigchld_newrole(mrtg_t)
  ')
  
-@@ -162,10 +155,3 @@
+@@ -162,10 +156,3 @@
  optional_policy(`
  	udev_read_db(mrtg_t)
  ')
@@ -5119,7 +5136,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.8/policy/modules/apps/podsleuth.te
 --- nsaserefpolicy/policy/modules/apps/podsleuth.te	2008-08-07 11:15:03.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/apps/podsleuth.te	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/apps/podsleuth.te	2008-09-22 16:03:15.000000000 -0400
 @@ -11,24 +11,55 @@
  application_domain(podsleuth_t, podsleuth_exec_t)
  role system_r types podsleuth_t;
@@ -5136,7 +5153,7 @@
  #
 -
 -allow podsleuth_t self:process { signal getsched execheap execmem };
-+allow podsleuth_t self:capability sys_admin;
++allow podsleuth_t self:capability { sys_admin sys_rawio };
 +allow podsleuth_t self:process { ptrace signal getsched execheap execmem };
  allow podsleuth_t self:fifo_file rw_file_perms;
  allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
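Review bot: `sys_rawio` is added to podsleuth_t alongside `sys_admin`, `ptrace`, `execheap` and `execmem`, with no comment saying which operation needs it. sys_rawio permits raw device and I/O-port access, so for a domain that already holds executable-memory permissions the motivating denial should be recorded next to the rule. I would add `# sys_rawio: required for <operation from the AVC denial>` above the line, with the placeholder filled in by the author. It is also worth confirming that access to the specific device node type would not be enough on its own.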
@@ -18214,7 +18231,7 @@
 +/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.8/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/mailman.if	2008-09-19 10:41:48.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/mailman.if	2008-09-23 08:33:22.000000000 -0400
 @@ -31,6 +31,12 @@
  	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
  	allow mailman_$1_t self:udp_socket create_socket_perms;
@@ -21197,7 +21214,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.8/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/postfix.te	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/postfix.te	2008-09-23 09:58:09.000000000 -0400
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -21311,7 +21328,18 @@
  #	for postalias
  	mailman_manage_data_files(postfix_master_t)
  ')
-@@ -255,6 +275,10 @@
+@@ -196,6 +216,10 @@
+ ')
+ 
+ optional_policy(`
++	postgrey_search_spool(postfix_master_t)
++')
++
++optional_policy(`
+ 	sendmail_signal(postfix_master_t)
+ ')
+ 
+@@ -255,6 +279,10 @@
  
  corecmd_exec_bin(postfix_cleanup_t)
  
@@ -21322,7 +21350,7 @@
  ########################################
  #
  # Postfix local local policy
-@@ -280,18 +304,25 @@
+@@ -280,18 +308,25 @@
  
  files_read_etc_files(postfix_local_t)
  
@@ -21348,7 +21376,7 @@
  ')
  
  optional_policy(`
-@@ -302,8 +333,7 @@
+@@ -302,8 +337,7 @@
  #
  # Postfix map local policy
  #
@@ -21358,7 +21386,7 @@
  allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
  allow postfix_map_t self:unix_dgram_socket create_socket_perms;
  allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -353,8 +383,6 @@
+@@ -353,8 +387,6 @@
  
  miscfiles_read_localization(postfix_map_t)
  
@@ -21367,7 +21395,7 @@
  tunable_policy(`read_default_t',`
  	files_list_default(postfix_map_t)
  	files_read_default_files(postfix_map_t)
-@@ -367,6 +395,11 @@
+@@ -367,6 +399,11 @@
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
  
@@ -21379,7 +21407,7 @@
  ########################################
  #
  # Postfix pickup local policy
-@@ -391,6 +424,7 @@
+@@ -391,6 +428,7 @@
  #
  
  allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -21387,7 +21415,7 @@
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -398,6 +432,12 @@
+@@ -398,6 +436,12 @@
  
  rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
@@ -21400,7 +21428,7 @@
  optional_policy(`
  	procmail_domtrans(postfix_pipe_t)
  ')
-@@ -407,6 +447,14 @@
+@@ -407,6 +451,14 @@
  ')
  
  optional_policy(`
@@ -21415,7 +21443,7 @@
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -443,8 +491,11 @@
+@@ -443,8 +495,11 @@
  ')
  
  optional_policy(`
@@ -21429,7 +21457,7 @@
  ')
  
  #######################################
-@@ -470,6 +521,15 @@
+@@ -470,6 +525,15 @@
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
  
@@ -21445,7 +21473,7 @@
  ########################################
  #
  # Postfix qmgr local policy
-@@ -553,6 +613,10 @@
+@@ -553,6 +617,10 @@
  mta_read_aliases(postfix_smtpd_t)
  
  optional_policy(`
@@ -21456,7 +21484,7 @@
  	mailman_read_data_files(postfix_smtpd_t)
  ')
  
-@@ -579,7 +643,7 @@
+@@ -579,7 +647,7 @@
  files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
  
  # connect to master process
@@ -21710,8 +21738,8 @@
 +/var/spool/postfix/postgrey(/.*)?	gen_context(system_u:object_r:postgrey_spool_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.8/policy/modules/services/postgrey.if
 --- nsaserefpolicy/policy/modules/services/postgrey.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/postgrey.if	2008-09-19 10:23:31.000000000 -0400
-@@ -12,10 +12,80 @@
++++ serefpolicy-3.5.8/policy/modules/services/postgrey.if	2008-09-23 09:13:18.000000000 -0400
+@@ -12,10 +12,98 @@
  #
  interface(`postgrey_stream_connect',`
          gen_require(`
@@ -21728,6 +21756,24 @@
 +
 +########################################
 +## <summary>
++##      Search the spool directory
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access
++##      </summary>
++## </param>
++#
++interface(`postgrey_search_spool',`
++        gen_require(`
++                type postgrey_spool_t;
++        ')
++
++	allow $1 postgrey_spool_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
 +##	Execute postgrey server in the postgrey domain.
 +## </summary>
 +## <param name="domain">
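Review bot: The new `postgrey_search_spool` interface indents `gen_require` and the `type` line with spaces but the `allow` line with a tab, and its summary does not name the module. I would write the summary as `##	Search the postgrey spool directory.` and indent the whole body with tabs, matching the `##	Execute postgrey server in the postgrey domain.` block that follows it. The file-context line elsewhere in this patch places the spool under /var/spool/postfix/postgrey, so a caller outside the Postfix domains would also need search access on the parent directories. The interface grants only `postgrey_spool_t:dir search_dir_perms`, which its documentation should state.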
@@ -21796,7 +21842,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.8/policy/modules/services/postgrey.te
 --- nsaserefpolicy/policy/modules/services/postgrey.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/postgrey.te	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/postgrey.te	2008-09-23 09:17:06.000000000 -0400
 @@ -13,26 +13,38 @@
  type postgrey_etc_t;
  files_config_file(postgrey_etc_t)
@@ -30951,7 +30997,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2008-09-03 10:17:00.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/logging.te	2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/system/logging.te	2008-09-23 08:51:04.000000000 -0400
 @@ -72,6 +72,12 @@
  logging_log_file(var_log_t)
  files_mountpoint(var_log_t)
@@ -30992,7 +31038,16 @@
  # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
  # Probably want a transition, and a new auditd_helper app
  corecmd_exec_bin(auditd_t)
-@@ -241,6 +257,7 @@
+@@ -230,6 +246,8 @@
+ 
+ miscfiles_read_localization(audisp_t)
+ 
++sysnet_dns_name_resolve(audisp_t)
++
+ ########################################
+ #
+ # Audit remote logger local policy
+@@ -241,6 +259,7 @@
  corenet_all_recvfrom_netlabel(audisp_remote_t)
  corenet_tcp_sendrecv_all_if(audisp_remote_t)
  corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
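Review bot: `sysnet_dns_name_resolve(audisp_t)` gives the audit dispatcher domain DNS lookups, and the line carries no comment saying which component resolves names. The remote-logging rules are in the separate audisp_remote_t section that begins right after it, so if the lookups come from remote logging the grant may belong there instead; that is inferred from the section headers, not shown by the hunk. If audisp_t itself needs it, I would add `# audisp resolves host names for <plugin or feature>` above the call so the network exposure of the audit path is documented.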



