rpms/selinux-policy/F-10 policy-20080710.patch, 1.159, 1.160 selinux-policy.spec, 1.787, 1.788
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Apr 14 09:57:15 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5391
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
- Fix fail2ban policy
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.159
retrieving revision 1.160
diff -u -r1.159 -r1.160
--- policy-20080710.patch 7 Apr 2009 12:15:38 -0000 1.159
+++ policy-20080710.patch 14 Apr 2009 09:57:10 -0000 1.160
@@ -15131,7 +15131,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/cups.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/cups.te 2009-04-09 14:15:20.000000000 +0200
@@ -20,9 +20,18 @@
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
@@ -15162,7 +15162,17 @@
type hplip_etc_t;
files_config_file(hplip_etc_t)
-@@ -65,6 +78,16 @@
+@@ -55,6 +68,9 @@
+ type hplip_var_run_t;
+ files_pid_file(hplip_var_run_t)
+
++type hplip_tmp_t;
++files_tmp_file(hplip_tmp_t)
++
+ type ptal_t;
+ type ptal_exec_t;
+ init_daemon_domain(ptal_t, ptal_exec_t)
+@@ -65,6 +81,16 @@
type ptal_var_run_t;
files_pid_file(ptal_var_run_t)
@@ -15179,7 +15189,7 @@
ifdef(`enable_mcs',`
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')
-@@ -79,13 +102,14 @@
+@@ -79,13 +105,14 @@
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
@@ -15197,7 +15207,7 @@
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -97,6 +121,9 @@
+@@ -97,6 +124,9 @@
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
@@ -15207,7 +15217,7 @@
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-@@ -104,8 +131,11 @@
+@@ -104,8 +134,11 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
@@ -15221,7 +15231,7 @@
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
-@@ -116,13 +146,20 @@
+@@ -116,13 +149,20 @@
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
@@ -15244,7 +15254,7 @@
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-@@ -149,44 +186,49 @@
+@@ -149,44 +189,49 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -15299,7 +15309,7 @@
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -195,15 +237,16 @@
+@@ -195,15 +240,16 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -15320,7 +15330,7 @@
auth_use_nsswitch(cupsd_t)
libs_use_ld_so(cupsd_t)
-@@ -219,17 +262,21 @@
+@@ -219,17 +265,21 @@
miscfiles_read_fonts(cupsd_t)
seutil_read_config(cupsd_t)
@@ -15345,7 +15355,7 @@
')
optional_policy(`
-@@ -246,8 +293,16 @@
+@@ -246,8 +296,16 @@
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@@ -15362,7 +15372,7 @@
')
optional_policy(`
-@@ -263,6 +318,10 @@
+@@ -263,6 +321,10 @@
')
optional_policy(`
@@ -15373,7 +15383,7 @@
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
-@@ -281,7 +340,7 @@
+@@ -281,7 +343,7 @@
# Cups configuration daemon local policy
#
@@ -15382,7 +15392,7 @@
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -313,7 +372,7 @@
+@@ -313,7 +375,7 @@
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
kernel_read_system_state(cupsd_config_t)
@@ -15391,7 +15401,7 @@
corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
-@@ -326,6 +385,7 @@
+@@ -326,6 +388,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -15399,7 +15409,7 @@
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -343,7 +403,7 @@
+@@ -343,7 +406,7 @@
files_read_var_symlinks(cupsd_config_t)
# Alternatives asks for this
@@ -15408,7 +15418,7 @@
auth_use_nsswitch(cupsd_config_t)
-@@ -353,6 +413,7 @@
+@@ -353,6 +416,7 @@
logging_send_syslog_msg(cupsd_config_t)
miscfiles_read_localization(cupsd_config_t)
@@ -15416,7 +15426,7 @@
seutil_dontaudit_search_config(cupsd_config_t)
-@@ -365,14 +426,16 @@
+@@ -365,14 +429,16 @@
sysadm_dontaudit_search_home_dirs(cupsd_config_t)
ifdef(`distro_redhat',`
@@ -15435,7 +15445,7 @@
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -388,6 +451,7 @@
+@@ -388,6 +454,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -15443,7 +15453,7 @@
')
optional_policy(`
-@@ -500,7 +564,11 @@
+@@ -500,7 +567,10 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
@@ -15452,20 +15462,22 @@
+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
-+
cups_stream_connect(hplip_t)
-@@ -509,6 +577,8 @@
+@@ -509,6 +579,11 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+
++manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
++files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
++
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
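Review bot: The new `hplip_tmp_t` rules leave hplip_t with two different tmp types and no comment saying why: the earlier lines in this hunk still transition regular files and dirs to `cupsd_tmp_t`, while the added `files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )` sends only fifos to the new type. A one-line why-comment above the added pair, e.g. `# fifos hplip creates in /tmp get their own type; files and dirs keep using cupsd_tmp_t`, would stop the next reader from "fixing" one side to match the other. The stray space before the closing paren should also go: `files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)`. The surrounding hplip_t policy block starts and ends outside this hunk.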
-@@ -538,7 +608,8 @@
+@@ -538,7 +613,8 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -15475,7 +15487,7 @@
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -552,6 +623,8 @@
+@@ -552,6 +628,8 @@
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -15484,7 +15496,7 @@
libs_use_ld_so(hplip_t)
libs_use_shared_libs(hplip_t)
-@@ -564,12 +637,14 @@
+@@ -564,12 +642,14 @@
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@@ -15500,7 +15512,7 @@
')
optional_policy(`
-@@ -651,3 +726,55 @@
+@@ -651,3 +731,55 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -15601,7 +15613,7 @@
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2009-04-14 10:39:44.000000000 +0200
@@ -53,19 +53,19 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -15830,7 +15842,7 @@
## Read dbus configuration.
## </summary>
## <param name="domain">
-@@ -366,3 +440,120 @@
+@@ -366,3 +440,122 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -15885,6 +15897,8 @@
+ dbus_system_bus_client_template($1, $1)
+ dbus_connect_system_bus($1)
+
++ userdom_dontaudit_search_admin_dir($1)
++
+ ifdef(`hide_broken_symptoms', `
+ dbus_dontaudit_rw_system_selinux_socket($1)
+ ');
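Review bot: The added `userdom_dontaudit_search_admin_dir($1)` is unconditional, so every domain using this template stops reporting /root search denials even though the surrounding code already has an `ifdef(\`hide_broken_symptoms'` block for exactly this kind of silencing two lines below. Either move the call inside that block, or add a comment above it saying which caller legitimately searches /root so the dontaudit is not mistaken for symptom hiding. Silent dontaudits in a shared template also remove the audit trail a defender would use to notice a bus client wandering into the admin home directory. The enclosing interface begins and ends outside this hunk.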
@@ -17248,10 +17262,47 @@
+ spamassassin_exec(exim_t)
+ spamassassin_exec_client(exim_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.5.13/policy/modules/services/fail2ban.fc
+--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2008-10-17 14:49:13.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/fail2ban.fc 2009-04-14 11:02:53.000000000 +0200
+@@ -2,5 +2,6 @@
+
+ /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+ /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
++/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+ /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+ /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.5.13/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/fail2ban.if 2009-03-30 12:51:09.000000000 +0200
-@@ -79,6 +79,27 @@
++++ serefpolicy-3.5.13/policy/modules/services/fail2ban.if 2009-04-14 11:02:23.000000000 +0200
+@@ -60,6 +60,26 @@
+ allow $1 fail2ban_log_t:file append_file_perms;
+ ')
+
++#######################################
++## <summary>
++## Read fail2ban lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fail2ban_read_lib_files',`
++ gen_require(`
++ type fail2ban_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 fail2ban_var_lib_t:file read_file_perms;
++')
++
++
+ ########################################
+ ## <summary>
+ ## Read fail2ban PID files.
+@@ -79,6 +99,27 @@
allow $1 fail2ban_var_run_t:file read_file_perms;
')
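Review bot: `fail2ban_read_lib_files` cannot reach the files it grants: the fc line added in the same hunk labels the directory `/var/lib/fail2ban` itself as `fail2ban_var_lib_t` (the `(/.*)?` suffix covers the dir), but the interface only grants `files_search_var_lib($1)` on var_lib_t plus `read_file_perms` on the file class, with no search on `fail2ban_var_lib_t:dir`. The usual refpolicy idiom fixes both at once: replace `allow $1 fail2ban_var_lib_t:file read_file_perms;` with `read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)`. Two further style nits in the new interface: its banner is one `#` shorter than the existing 40-character banner that follows it, and there are two blank lines before that banner where the rest of the file uses one.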
@@ -17279,10 +17330,39 @@
########################################
## <summary>
## All of the rules required to administrate
+@@ -100,6 +141,7 @@
+ gen_require(`
+ type fail2ban_t, fail2ban_log_t;
+ type fail2ban_var_run_t, fail2ban_initrc_exec_t;
++ type fail2ban_var_lib_t;
+ ')
+
+ allow $1 fail2ban_t:process { ptrace signal_perms };
+@@ -113,6 +155,9 @@
+ logging_list_logs($1)
+ admin_pattern($1, fail2ban_log_t)
+
++ files_list_var_lib($1)
++ admin_pattern($1, fail2ban_var_lib_t)
++
+ files_list_pids($1)
+ admin_pattern($1, fail2ban_var_run_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.5.13/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/fail2ban.te 2009-03-30 12:52:34.000000000 +0200
-@@ -27,6 +27,7 @@
++++ serefpolicy-3.5.13/policy/modules/services/fail2ban.te 2009-04-14 10:56:48.000000000 +0200
+@@ -17,6 +17,10 @@
+ type fail2ban_log_t;
+ logging_log_file(fail2ban_log_t)
+
++# lib files
++type fail2ban_var_lib_t;
++files_type(fail2ban_var_lib_t)
++
+ # pid files
+ type fail2ban_var_run_t;
+ files_pid_file(fail2ban_var_run_t)
+@@ -27,6 +31,7 @@
#
allow fail2ban_t self:process signal;
@@ -17290,6 +17370,18 @@
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
+@@ -36,6 +41,11 @@
+ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+ logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
++# lib files
++manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
++manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
++files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
++
+ # pid file
+ manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.fc serefpolicy-3.5.13/policy/modules/services/fetchmail.fc
--- nsaserefpolicy/policy/modules/services/fetchmail.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.fc 2009-03-05 15:02:41.000000000 +0100
@@ -17990,7 +18082,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2009-03-25 09:04:18.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/hal.te 2009-04-14 10:23:38.000000000 +0200
@@ -49,6 +49,15 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -18161,7 +18253,7 @@
dev_rw_input_dev(hald_keymap_t)
files_read_usr_files(hald_keymap_t)
-@@ -419,4 +476,51 @@
+@@ -419,4 +476,53 @@
# This is caused by a bug in hald and PolicyKit.
# Should be removed when this is fixed
@@ -18211,6 +18303,8 @@
+libs_use_ld_so(hald_dccm_t)
+libs_use_shared_libs(hald_dccm_t)
+
++logging_send_syslog_msg(hald_dccm_t)
++
+miscfiles_read_localization(hald_dccm_t)
+
+permissive hald_dccm_t;
@@ -19168,7 +19262,7 @@
#######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.13/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/mta.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/mta.te 2009-04-14 10:49:52.000000000 +0200
@@ -39,34 +39,50 @@
#
@@ -19271,7 +19365,7 @@
')
optional_policy(`
-@@ -142,11 +171,40 @@
+@@ -142,11 +171,44 @@
')
optional_policy(`
@@ -19292,6 +19386,10 @@
')
-# should break this up among sections:
++optional_policy(`
++ unconfined_use_terms(system_mail_t)
++')
++
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+
+init_stream_connect_script(mailserver_delivery)
@@ -27301,7 +27399,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.13/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/sendmail.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/sendmail.te 2009-04-14 11:07:49.000000000 +0200
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -27361,7 +27459,7 @@
auth_use_nsswitch(sendmail_t)
-@@ -91,34 +102,59 @@
+@@ -91,34 +102,63 @@
libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t)
@@ -27392,10 +27490,15 @@
optional_policy(`
clamav_search_lib(sendmail_t)
+ clamav_stream_connect(sendmail_t)
+ ')
+
+ optional_policy(`
+- postfix_exec_master(sendmail_t)
++ cyrus_stream_connect(sendmail_t)
+')
+
+optional_policy(`
-+ cyrus_stream_connect(sendmail_t)
++ fail2ban_read_lib_files(daemon)
+')
+
+optional_policy(`
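Review bot: `fail2ban_read_lib_files(daemon)` is called from sendmail.te but targets the `daemon` attribute, i.e. every daemon domain rather than `sendmail_t`, and this commit adds the identical call on `daemon` to init.te as well, so the copy here is either redundant or mis-scoped. If sendmail itself needs to read fail2ban's lib files, this line should be `fail2ban_read_lib_files(sendmail_t)`; if it does not, the optional_policy block should be dropped. The optional_policy opened on the last line of this hunk closes outside it.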
@@ -27408,10 +27511,9 @@
+
+optional_policy(`
+ munin_dontaudit_search_lib(sendmail_t)
- ')
-
- optional_policy(`
-- postfix_exec_master(sendmail_t)
++')
++
++optional_policy(`
+ postfix_domtrans_postdrop(sendmail_t)
+ postfix_domtrans_master(sendmail_t)
postfix_read_config(sendmail_t)
@@ -27424,7 +27526,7 @@
')
optional_policy(`
-@@ -126,24 +162,33 @@
+@@ -126,24 +166,33 @@
')
optional_policy(`
@@ -27946,11 +28048,13 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.5.13/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.fc 2009-02-10 15:07:15.000000000 +0100
-@@ -1,16 +1,27 @@
++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.fc 2009-04-14 10:34:25.000000000 +0200
+@@ -1,16 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+
++/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++
+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
@@ -27961,7 +28065,6 @@
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+#/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
@@ -27971,8 +28074,6 @@
+
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-+#/var/run/spamass-milter.* gen_context(system_u:object_r:spamd_var_run_t,s0)
-+#/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
@@ -32899,7 +33000,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/init.te 2009-03-27 09:06:57.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/init.te 2009-04-14 11:07:25.000000000 +0200
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
@@ -33123,7 +33224,7 @@
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -759,6 +819,11 @@
+@@ -759,6 +819,15 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -33132,10 +33233,14 @@
+ cron_rw_pipes(daemon)
+')
+
++optional_policy(`
++ fail2ban_read_lib_files(daemon)
++')
++
optional_policy(`
unconfined_domain(initrc_t)
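Review bot: Granting `fail2ban_read_lib_files(daemon)` here gives every domain carrying the `daemon` attribute read access to fail2ban's state under /var/lib/fail2ban, which is broader than least privilege suggests, and nothing in the hunk records which daemon actually needed it. A short comment naming the consumer, or scoping the call to that domain's own .te file, would keep the attribute-wide grant from becoming permanent; presumably a specific daemon triggered the denial, but that cannot be confirmed from this hunk. The same commit also appends two trailing blank lines at the end of init.te in the last hunk of this file, which should be dropped.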
-@@ -773,6 +838,10 @@
+@@ -773,6 +842,10 @@
')
optional_policy(`
@@ -33146,7 +33251,7 @@
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-@@ -795,3 +864,17 @@
+@@ -795,3 +868,19 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -33164,6 +33269,8 @@
+ fs_dontaudit_rw_cifs_files(daemon)
+ ')
+')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.5.13/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/system/ipsec.fc 2009-02-10 15:07:15.000000000 +0100
@@ -36673,7 +36780,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-03-05 13:30:03.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-04-14 10:42:32.000000000 +0200
@@ -28,10 +28,14 @@
class context contains;
')
@@ -38894,7 +39001,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5513,3 +5725,622 @@
+@@ -5513,3 +5725,642 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -39500,6 +39607,25 @@
+
+ allow $1 user_home_t:file execmod;
+')
++
++#######################################
++## <summary>
++## dontaudit Search /root
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_dontaudit_search_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:dir search_dir_perms;
++')
++
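Review bot: The new `userdom_dontaudit_search_admin_dir` interface is documented and formatted slightly differently from its sibling directly below: its banner line is 39 `#` characters where the following one has 40, and its summary reads `dontaudit Search /root` with a stray capital where the sibling says `dontaudit list /root`. Suggest `## Do not audit attempts to search /root.` for the summary and the 40-character banner so the two interfaces read as a pair. A dontaudit interface deliberately hides denials, so the summary should make the scope (dir search only, no list or read) explicit for anyone deciding whether to call it.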
+########################################
+## <summary>
+## dontaudit list /root
@@ -39517,6 +39643,7 @@
+
+ dontaudit $1 admin_home_t:dir list_dir_perms;
+')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.13/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2009-02-10 15:07:15.000000000 +0100
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.787
retrieving revision 1.788
diff -u -r1.787 -r1.788
--- selinux-policy.spec 7 Apr 2009 12:15:39 -0000 1.787
+++ selinux-policy.spec 14 Apr 2009 09:57:14 -0000 1.788
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 55%{?dist}
+Release: 56%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -460,6 +460,9 @@
%endif
%changelog
+* Tue Apr 14 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-56
+- Fix fail2ban policy
+
* Tue Apr 7 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-55
- Allow swat_t domtrans to smbd_t