rpms/selinux-policy/devel policy-20090105.patch, 1.76, 1.77 selinux-policy.spec, 1.817, 1.818

Daniel J Walsh dwalsh at fedoraproject.org
Fri Apr 3 21:26:00 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21762

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Fri Apr 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-9
- Allow podsleuth to use tmpfs files


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- policy-20090105.patch	3 Apr 2009 19:25:20 -0000	1.76
+++ policy-20090105.patch	3 Apr 2009 21:25:59 -0000	1.77
@@ -1680,7 +1680,7 @@
 +#/usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.10/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/apps/gnome.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/apps/gnome.if	2009-04-03 17:09:33.000000000 -0400
 @@ -89,5 +89,154 @@
  
  	allow $1 gnome_home_t:dir manage_dir_perms;
@@ -2843,8 +2843,8 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.10/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/apps/nsplugin.te	2009-03-30 10:09:41.000000000 -0400
-@@ -0,0 +1,288 @@
++++ serefpolicy-3.6.10/policy/modules/apps/nsplugin.te	2009-04-03 17:12:08.000000000 -0400
+@@ -0,0 +1,292 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@@ -3129,6 +3129,10 @@
 +')
 +
 +optional_policy(`
++	pulseaudio_stream_connect(nsplugin_t)
++')
++
++optional_policy(`
 +	unconfined_execmem_exec(nsplugin_t)
 +')
 +
@@ -3300,14 +3304,18 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.10/policy/modules/apps/podsleuth.te
 --- nsaserefpolicy/policy/modules/apps/podsleuth.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/apps/podsleuth.te	2009-03-30 10:09:41.000000000 -0400
-@@ -11,21 +11,59 @@
++++ serefpolicy-3.6.10/policy/modules/apps/podsleuth.te	2009-04-03 16:33:08.000000000 -0400
+@@ -11,21 +11,68 @@
  application_domain(podsleuth_t, podsleuth_exec_t)
  role system_r types podsleuth_t;
  
 +type podsleuth_tmp_t;
 +files_tmp_file(podsleuth_tmp_t)
 +
++type podsleuth_tmpfs_t;
++files_tmpfs_file(podsleuth_tmpfs_t)
++ubac_constrained(podsleuth_tmpfs_t)
++
 +type podsleuth_cache_t;
 +files_type(podsleuth_cache_t)
 +
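Review bot: `ubac_constrained(podsleuth_tmpfs_t)` is applied to the new tmpfs type, but the sibling `podsleuth_tmp_t` declared four lines above it in the same hunk is not, so the two per-application temporary types end up with different UBAC treatment. If podsleuth content is meant to be UBAC-constrained both types should carry the call; otherwise drop it from the tmpfs type so the declarations stay consistent. Either way a one-line comment on the `ubac_constrained` call stating why the tmpfs type alone needs it would stop the asymmetry being read as an oversight.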
@@ -3352,6 +3360,11 @@
 +files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
 +manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
 +
++manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
++manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
++manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
++fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
++
 +manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
 +manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
 +files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
@@ -3371,8 +3384,8 @@
 +/usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.10/policy/modules/apps/pulseaudio.if
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.if	2009-03-30 10:09:41.000000000 -0400
-@@ -0,0 +1,105 @@
++++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.if	2009-04-03 17:24:36.000000000 -0400
+@@ -0,0 +1,147 @@
 +
 +## <summary>policy for pulseaudio</summary>
 +
@@ -3476,12 +3489,54 @@
 +	userdom_manage_home_role($1, pulseaudio_t)
 +	userdom_manage_tmp_role($1, pulseaudio_t)
 +	userdom_manage_tmpfs_role($1, pulseaudio_t)
++
++	allow $2 pulseaudio_t:dbus send_msg;
++	allow pulseaudio_t $2:dbus send_msg;
 +')
 +
++########################################
++## <summary>
++##	Send and receive messages from
++##	pulseaudio over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pulseaudio_dbus_chat',`
++	gen_require(`
++		type pulseaudio_t;
++		class dbus send_msg;
++	')
++
++	allow $1 pulseaudio_t:dbus send_msg;
++	allow pulseaudio_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++##	pulsaudio connection template.
++## </summary>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
++#
++interface(`pulseaudio_stream_connect',`
++	gen_require(`
++		type pulseaudio_t;
++	')
++
++	allow nsplugin_t pulseaudio_t:process signull;
++	allow $1 pulseaudio_t:unix_stream_socket connectto;
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.10/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.te	2009-03-30 10:09:41.000000000 -0400
-@@ -0,0 +1,97 @@
++++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.te	2009-04-03 17:03:52.000000000 -0400
+@@ -0,0 +1,109 @@
 +policy_module(pulseaudio,1.0.0)
 +
 +########################################
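Review bot: `pulseaudio_stream_connect` hard-codes `nsplugin_t` in its first rule (`allow nsplugin_t pulseaudio_t:process signull;`) although the interface is parameterised on `$1` and `nsplugin_t` is not in its `gen_require`; any caller other than nsplugin would either fail to build or grant the signull to nsplugin instead of itself, and the only visible caller (the nsplugin.te hunk at `@@ -3129`) masks the defect. The line should be `allow $1 pulseaudio_t:process signull;`. The doc header also misspells the summary and names the parameter `user_domain` while the body treats it as the connecting domain; `##	Connect to pulseaudio over a unix stream socket.` with `<param name="domain">` would match the sibling `pulseaudio_dbus_chat` header in this hunk.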
@@ -3513,9 +3568,21 @@
 +allow pulseaudio_t self:fifo_file rw_file_perms;
 +allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
 +allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
++allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
++allow pulseaudio_t self:udp_socket create_socket_perms;
 +
 +corecmd_exec_bin(pulseaudio_t)
 +
++corenet_all_recvfrom_unlabeled(pulseaudio_t)
++corenet_all_recvfrom_netlabel(pulseaudio_t)
++corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
++corenet_tcp_bind_sound_port(pulseaudio_t)
++corenet_tcp_sendrecv_generic_if(pulseaudio_t)
++corenet_tcp_sendrecv_generic_node(pulseaudio_t)
++corenet_udp_bind_sap_port(pulseaudio_t)
++corenet_udp_sendrecv_generic_if(pulseaudio_t)
++corenet_udp_sendrecv_generic_node(pulseaudio_t)
++
 +dev_read_sound(pulseaudio_t)
 +dev_write_sound(pulseaudio_t)
 +dev_read_sysfs(pulseaudio_t)
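Review bot: The new bind rules (`corenet_tcp_bind_pulseaudio_port`, `corenet_tcp_bind_sound_port`, `corenet_udp_bind_sap_port`) together with `corenet_all_recvfrom_unlabeled` and the `tcp_socket`/`udp_socket` self rules apply to every pulseaudio_t instance unconditionally, so a daemon that is only ever used locally still carries listener privileges in policy. Consider wrapping the bind and sendrecv lines in a `tunable_policy(`<boolean-name>', ...)` block so the default policy keeps a local-only instance off the network and the exposure is an explicit opt-in. The `corenet_all_recvfrom_unlabeled` line in particular deserves a short why-comment, since accepting unlabeled traffic is a broader grant than the port binds around it.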
@@ -4511,7 +4578,7 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.10/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-03-23 13:47:10.000000000 -0400
-+++ serefpolicy-3.6.10/policy/modules/kernel/corenetwork.te.in	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/kernel/corenetwork.te.in	2009-04-03 17:02:58.000000000 -0400
 @@ -65,10 +65,12 @@
  type server_packet_t, packet_type, server_packet_type;
  
@@ -4599,8 +4666,11 @@
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pxe, udp,4011,s0)
-@@ -162,9 +183,11 @@
+@@ -160,11 +181,14 @@
+ network_port(rsh, tcp,514,s0)
+ network_port(rsync, tcp,873,s0, udp,873,s0)
  network_port(rwho, udp,513,s0)
++network_port(sap, tcp,9875,s0, udp,9875,s0)
  network_port(smbd, tcp,137-139,s0, tcp,445,s0)
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
@@ -4612,7 +4682,7 @@
  network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -173,14 +196,17 @@
+@@ -173,14 +197,17 @@
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -4632,7 +4702,7 @@
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -209,6 +235,8 @@
+@@ -209,6 +236,8 @@
  type node_t, node_type;
  sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
  
@@ -8946,7 +9016,7 @@
 +/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.10/policy/modules/services/consolekit.if
 --- nsaserefpolicy/policy/modules/services/consolekit.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.10/policy/modules/services/consolekit.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/consolekit.if	2009-04-03 16:41:51.000000000 -0400
 @@ -38,3 +38,24 @@
  	allow $1 consolekit_t:dbus send_msg;
  	allow consolekit_t $1:dbus send_msg;
@@ -10806,8 +10876,8 @@
 +/var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.10/policy/modules/services/devicekit.if
 --- nsaserefpolicy/policy/modules/services/devicekit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/devicekit.if	2009-03-30 10:09:41.000000000 -0400
-@@ -0,0 +1,177 @@
++++ serefpolicy-3.6.10/policy/modules/services/devicekit.if	2009-04-03 16:46:10.000000000 -0400
+@@ -0,0 +1,197 @@
 +
 +## <summary>policy for devicekit</summary>
 +
@@ -10985,6 +11055,26 @@
 +	allow $1 devicekit_t:unix_dgram_socket sendto;
 +')
 +
++########################################
++## <summary>
++##	Send and receive messages from
++##	devicekit disk over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`devicekit_disk_dbus_chat',`
++	gen_require(`
++		type devicekit_disk_t;
++		class dbus send_msg;
++	')
++
++	allow $1 devicekit_disk_t:dbus send_msg;
++	allow devicekit_disk_t $1:dbus send_msg;
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.10/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/services/devicekit.te	2009-04-03 08:12:27.000000000 -0400
@@ -21580,7 +21670,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/virt.te	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/virt.te	2009-04-03 16:51:32.000000000 -0400
 @@ -8,20 +8,18 @@
  
  ## <desc>
@@ -21667,7 +21757,7 @@
  
 -manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
 +virtual_manage_image(virtd_t)
-+virtual_manage_relabel(virtd_t)
++virtual_image_relabel(virtd_t)
 +
 +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
 +manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
@@ -21769,15 +21859,15 @@
 +optional_policy(`
 +	lvm_domtrans(virtd_t)
 +')
- 
- optional_policy(`
--	qemu_domtrans(virtd_t)
++
++optional_policy(`
 +	polkit_domtrans_auth(virtd_t)
 +	polkit_domtrans_resolve(virtd_t)
 +	polkit_read_lib(virtd_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	qemu_domtrans(virtd_t)
 +	qemu_spec_domtrans(virtd_t, svirt_t)
  	qemu_read_state(virtd_t)
  	qemu_signal(virtd_t)
@@ -21786,7 +21876,7 @@
  ')
  
  optional_policy(`
-@@ -198,5 +264,74 @@
+@@ -198,5 +264,73 @@
  ')
  
  optional_policy(`
@@ -21807,7 +21897,6 @@
 +#
 +# svirt local policy
 +#
-+
 +manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
 +manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
 +files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
@@ -27671,7 +27760,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-04-03 10:26:58.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-04-03 16:55:31.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -28100,7 +28189,7 @@
  
  	##############################
  	#
-@@ -512,189 +517,198 @@
+@@ -512,189 +517,199 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -28270,6 +28359,7 @@
  		optional_policy(`
 -			hal_dbus_chat($1_t)
 +			devicekit_power_dbus_chat($1_usertype)
++			devicekit_disk_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
@@ -28380,7 +28470,7 @@
  ')
  
  #######################################
-@@ -722,13 +736,26 @@
+@@ -722,13 +737,26 @@
  
  	userdom_base_user_template($1)
  
@@ -28412,7 +28502,7 @@
  
  	userdom_change_password_template($1)
  
-@@ -746,70 +773,71 @@
+@@ -746,70 +774,71 @@
  
  	allow $1_t self:context contains;
  
@@ -28517,7 +28607,7 @@
  	')
  ')
  
-@@ -846,6 +874,28 @@
+@@ -846,6 +875,28 @@
  	# Local policy
  	#
  
@@ -28546,7 +28636,7 @@
  	optional_policy(`
  		loadkeys_run($1_t,$1_r)
  	')
-@@ -876,7 +926,7 @@
+@@ -876,7 +927,7 @@
  
  	userdom_restricted_user_template($1)
  
@@ -28555,7 +28645,7 @@
  
  	##############################
  	#
-@@ -884,14 +934,19 @@
+@@ -884,14 +935,19 @@
  	#
  
  	auth_role($1_r, $1_t)
@@ -28580,7 +28670,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +954,33 @@
+@@ -899,28 +955,33 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -28621,7 +28711,7 @@
  	')
  ')
  
-@@ -954,8 +1014,8 @@
+@@ -954,8 +1015,8 @@
  	# Declarations
  	#
  
@@ -28631,7 +28721,7 @@
  	userdom_common_user_template($1)
  
  	##############################
-@@ -964,11 +1024,12 @@
+@@ -964,11 +1025,12 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -28646,7 +28736,7 @@
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -986,37 +1047,47 @@
+@@ -986,37 +1048,47 @@
  		')
  	')
  
@@ -28708,7 +28798,7 @@
  ')
  
  #######################################
-@@ -1050,7 +1121,7 @@
+@@ -1050,7 +1122,7 @@
  #
  template(`userdom_admin_user_template',`
  	gen_require(`
@@ -28717,7 +28807,7 @@
  	')
  
  	##############################
-@@ -1059,8 +1130,7 @@
+@@ -1059,8 +1131,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -28727,7 +28817,7 @@
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1083,7 +1153,8 @@
+@@ -1083,7 +1154,8 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -28737,7 +28827,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1099,6 +1170,7 @@
+@@ -1099,6 +1171,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -28745,7 +28835,7 @@
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,8 +1178,6 @@
+@@ -1106,8 +1179,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -28754,7 +28844,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1232,6 @@
+@@ -1162,20 +1233,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -28775,7 +28865,7 @@
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1221,6 +1277,7 @@
+@@ -1221,6 +1278,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -28783,7 +28873,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1286,11 +1343,15 @@
+@@ -1286,11 +1344,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -28799,7 +28889,7 @@
  ')
  
  ########################################
-@@ -1387,7 +1448,7 @@
+@@ -1387,7 +1449,7 @@
  
  ########################################
  ## <summary>
@@ -28808,7 +28898,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1420,6 +1481,14 @@
+@@ -1420,6 +1482,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -28823,7 +28913,7 @@
  ')
  
  ########################################
-@@ -1435,9 +1504,11 @@
+@@ -1435,9 +1505,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -28835,7 +28925,7 @@
  ')
  
  ########################################
-@@ -1494,6 +1565,25 @@
+@@ -1494,6 +1566,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -28861,7 +28951,7 @@
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1568,6 +1658,8 @@
+@@ -1568,6 +1659,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -28870,7 +28960,7 @@
  ')
  
  ########################################
-@@ -1643,6 +1735,7 @@
+@@ -1643,6 +1736,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -28878,26 +28968,34 @@
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1741,6 +1834,62 @@
+@@ -1741,30 +1835,79 @@
  
  ########################################
  ## <summary>
+-##	Execute user home files.
 +##	Delete user home subdirectory symbolic links.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`userdom_exec_user_home_content_files',`
 +interface(`userdom_delete_user_home_content_symlinks',`
-+	gen_require(`
+ 	gen_require(`
+-		type user_home_dir_t, user_home_t;
 +		type user_home_t;
-+	')
-+
+ 	')
+ 
+-	files_search_home($1)
+-	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 +	allow $1 user_home_t:lnk_file delete_lnk_file_perms;
 +')
-+
+ 
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_exec_nfs_files($1)
 +########################################
 +## <summary>
 +##	Delete files
@@ -28912,8 +29010,10 @@
 +interface(`userdom_delete_user_home_content_files',`
 +	gen_require(`
 +		type user_home_t;
-+	')
-+
+ 	')
+ 
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	allow $1 user_home_t:dir delete_file_perms;
 +')
 +
@@ -28938,25 +29038,27 @@
 +
 +########################################
 +## <summary>
- ##	Execute user home files.
- ## </summary>
- ## <param name="domain">
-@@ -1757,14 +1906,6 @@
- 
- 	files_search_home($1)
- 	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--
--	tunable_policy(`use_nfs_home_dirs',`
--		fs_exec_nfs_files($1)
--	')
--
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
++##	Execute user home files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_exec_user_home_content_files',`
++	gen_require(`
++		type user_home_dir_t;
++		attribute user_home_type;
+ 	')
++
++	files_search_home($1)
++	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
  ')
  
  ########################################
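Review bot: The rewritten `userdom_exec_user_home_content_files` requires the `user_home_type` attribute and calls `exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)`, which grants execute on every type carrying that attribute rather than on `user_home_t` alone, while the summary still reads "Execute user home files"; it should say that all user home content types are covered so callers understand the wider grant. The rewritten body also contains no `use_nfs_home_dirs`/`use_samba_home_dirs` tunable blocks (the patch removes the upstream ones, see the `+-` lines earlier in this file section), so exec on NFS or CIFS home directories is no longer granted by this interface; if callers are expected to handle that themselves, a comment in the interface saying so would keep the omission from being read as accidental.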
-@@ -1787,6 +1928,46 @@
+@@ -1787,6 +1930,46 @@
  
  ########################################
  ## <summary>
@@ -29003,7 +29105,7 @@
  ##	Create, read, write, and delete files
  ##	in a user home subdirectory.
  ## </summary>
-@@ -1799,6 +1980,7 @@
+@@ -1799,6 +1982,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -29011,7 +29113,7 @@
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2328,7 +2510,7 @@
+@@ -2328,7 +2512,7 @@
  
  ########################################
  ## <summary>
@@ -29020,7 +29122,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2814,7 +2996,25 @@
+@@ -2814,7 +2998,25 @@
  		type user_tmp_t;
  	')
  
@@ -29047,7 +29149,7 @@
  ')
  
  ########################################
-@@ -2851,6 +3051,7 @@
+@@ -2851,6 +3053,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -29055,7 +29157,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -2981,3 +3182,482 @@
+@@ -2981,3 +3184,482 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -29631,8 +29733,8 @@
 +# No application file contexts.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if
 --- nsaserefpolicy/policy/modules/system/virtual.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.if	2009-03-30 10:09:41.000000000 -0400
-@@ -0,0 +1,113 @@
++++ serefpolicy-3.6.10/policy/modules/system/virtual.if	2009-04-03 16:50:58.000000000 -0400
+@@ -0,0 +1,114 @@
 +## <summary>Virtual machine emulator and virtualizer</summary>
 +
 +########################################
@@ -29720,12 +29822,13 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`virtual_manage_relabel',`
++interface(`virtual_image_relabel',`
 +	gen_require(`
 +		attribute virtual_image_type;
 +	')
 +
 +	allow $1 virtual_image_type:file { relabelfrom relabelto };
++	allow $1 virtual_image_type:blk_file { relabelfrom relabelto };
 +')
 +
 +########################################
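Review bot: `virtual_image_relabel` now also grants `blk_file { relabelfrom relabelto }` on `virtual_image_type`, but the interface's doc header, which begins above this hunk, is unchanged and appears to describe only the original file relabel; the summary should state that both image files and block devices are covered, e.g. `##	Allow the domain to relabel virtual image files and block devices.` Because the rename from `virtual_manage_relabel` happens in the same commit, the virt.te call site in the `@@ -21667` hunk was updated, but any caller outside this patch would need the same rename.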


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.817
retrieving revision 1.818
diff -u -r1.817 -r1.818
--- selinux-policy.spec	3 Apr 2009 19:25:21 -0000	1.817
+++ selinux-policy.spec	3 Apr 2009 21:25:59 -0000	1.818
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.10
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
 %endif
 
 %changelog
+* Fri Apr 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-9
+- Allow podsleuth to use tmpfs files
+
 * Fri Apr 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-8
 - Add customizable_types for svirt
 



