rpms/selinux-policy/F-11 policy-20090105.patch, 1.94, 1.95 selinux-policy.spec, 1.830, 1.831

Daniel J Walsh dwalsh at fedoraproject.org
Tue Apr 21 18:19:34 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11525

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Tue Apr 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-10
- Allow nfs to share removable media


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.94
retrieving revision 1.95
diff -u -r1.94 -r1.95
--- policy-20090105.patch	20 Apr 2009 12:32:21 -0000	1.94
+++ policy-20090105.patch	21 Apr 2009 18:19:33 -0000	1.95
@@ -164,6 +164,16 @@
  #
 -#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +#system_r:sshd_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/securetty_types serefpolicy-3.6.12/config/appconfig-mls/securetty_types
+--- nsaserefpolicy/config/appconfig-mls/securetty_types	2008-08-07 11:15:14.000000000 -0400
++++ serefpolicy-3.6.12/config/appconfig-mls/securetty_types	2009-04-20 10:13:02.000000000 -0400
+@@ -1,6 +1 @@
+-auditadm_tty_device_t
+-secadm_tty_device_t
+-staff_tty_device_t
+-sysadm_tty_device_t
+-unconfined_tty_device_t
+ user_tty_device_t
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.12/config/appconfig-mls/virtual_domain_context
 --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/config/appconfig-mls/virtual_domain_context	2009-04-07 16:01:44.000000000 -0400
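Review bot: The new securetty_types diff at L37-L42 removes every admin tty type (auditadm, secadm, staff, sysadm, unconfined) from the MLS configuration and leaves only user_tty_device_t, yet the commit's changelog entry records only the nfs removable-media change. Judging by the file name, this list presumably feeds libselinux's securetty check at login time, so narrowing it on MLS is a user-visible policy change that deserves its own changelog line, e.g. `- Limit MLS securetty_types to user_tty_device_t`, and a short comment in the patch stating why the admin tty types no longer qualify. Several other hunks in this commit (rpm.if, files.if, init.te, udev.te) are likewise absent from the changelog.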
@@ -772,7 +782,7 @@
  ifdef(`distro_suse', `
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-04-21 14:06:47.000000000 -0400
 @@ -146,6 +146,24 @@
  
  ########################################
@@ -927,7 +937,32 @@
  ')
  
  ########################################
-@@ -283,3 +401,175 @@
+@@ -245,6 +363,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Delete the RPM package database.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`rpm_delete_db',`
++	gen_require(`
++		type rpm_var_lib_t;
++	')
++
++	delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete the RPM package database.
+ ## </summary>
+ ## <param name="domain">
+@@ -283,3 +419,175 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
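Review bot: The new `rpm_delete_db` interface (L72-L78) carries no explanation of why a caller needs to unlink rpm_var_lib_t files rather than use the full manage interface documented just below it; its only caller in this commit is initrc_t (init.te, L783), where it replaces `rpm_manage_db(initrc_t)`, which is a welcome narrowing. Because refpolicy's `delete_files_pattern` also grants directory list/search on the second argument, the summary should state the intended scope, e.g. `##	Delete files in the RPM package database directory (e.g. stale lock files left from an interrupted transaction).` — the stale-lock case is my inference, confirm it against the init script that triggers the denial.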
@@ -1105,7 +1140,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te	2009-04-19 15:57:21.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.te	2009-04-20 12:07:11.000000000 -0400
 @@ -9,6 +9,8 @@
  type rpm_t;
  type rpm_exec_t;
@@ -1115,7 +1150,7 @@
  domain_obj_id_change_exemption(rpm_t)
  domain_role_change_exemption(rpm_t)
  domain_system_change_exemption(rpm_t)
-@@ -31,6 +33,9 @@
+@@ -31,11 +33,15 @@
  files_type(rpm_var_lib_t)
  typealias rpm_var_lib_t alias var_lib_rpm_t;
  
@@ -1125,7 +1160,13 @@
  type rpm_script_t;
  type rpm_script_exec_t;
  domain_obj_id_change_exemption(rpm_script_t)
-@@ -52,8 +57,9 @@
+ domain_system_change_exemption(rpm_script_t)
+ corecmd_shell_entry_type(rpm_script_t)
++corecmd_bin_entry_type(rpm_script_t)
+ domain_type(rpm_script_t)
+ domain_entry_file(rpm_t, rpm_script_exec_t)
+ domain_interactive_fd(rpm_script_t)
+@@ -52,8 +58,9 @@
  # rpm Local policy
  #
  
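Review bot: `corecmd_bin_entry_type(rpm_script_t)` at L114 widens the entrypoint set for rpm_script_t from shell executables (L113) to every bin_t executable, and the same commit makes rpm_script_t an unconfined domain (L257), so a one-line rationale belongs next to it. Something like `# scriptlets may be run directly by a bin_t interpreter (e.g. /usr/bin/python)` — the interpreter case is my inference; confirm which scriptlet produced the denial.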
@@ -1137,7 +1178,7 @@
  allow rpm_t self:process { getattr setexec setfscreate setrlimit };
  allow rpm_t self:fd use;
  allow rpm_t self:fifo_file rw_fifo_file_perms;
-@@ -68,6 +74,8 @@
+@@ -68,6 +75,8 @@
  allow rpm_t self:sem create_sem_perms;
  allow rpm_t self:msgq create_msgq_perms;
  allow rpm_t self:msg { send receive };
@@ -1146,7 +1187,7 @@
  
  allow rpm_t rpm_log_t:file manage_file_perms;
  logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -87,8 +95,12 @@
+@@ -87,8 +96,12 @@
  manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
  files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
  
@@ -1159,7 +1200,7 @@
  
  corecmd_exec_all_executables(rpm_t)
  
-@@ -108,13 +120,16 @@
+@@ -108,13 +121,16 @@
  dev_list_sysfs(rpm_t)
  dev_list_usbfs(rpm_t)
  dev_read_urand(rpm_t)
@@ -1176,7 +1217,7 @@
  
  mls_file_read_all_levels(rpm_t)
  mls_file_write_all_levels(rpm_t)
-@@ -132,6 +147,8 @@
+@@ -132,6 +148,8 @@
  # for installing kernel packages
  storage_raw_read_fixed_disk(rpm_t)
  
@@ -1185,7 +1226,7 @@
  auth_relabel_all_files_except_shadow(rpm_t)
  auth_manage_all_files_except_shadow(rpm_t)
  auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +172,7 @@
+@@ -155,6 +173,7 @@
  files_exec_etc_files(rpm_t)
  
  init_domtrans_script(rpm_t)
@@ -1193,7 +1234,7 @@
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -174,17 +192,28 @@
+@@ -174,17 +193,28 @@
  ')
  
  optional_policy(`
@@ -1223,7 +1264,7 @@
  ')
  
  ifdef(`TODO',`
-@@ -210,8 +239,8 @@
+@@ -210,8 +240,8 @@
  # rpm-script Local policy
  #
  
@@ -1234,7 +1275,7 @@
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
  allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +251,15 @@
+@@ -222,12 +252,15 @@
  allow rpm_script_t self:sem create_sem_perms;
  allow rpm_script_t self:msgq create_msgq_perms;
  allow rpm_script_t self:msg { send receive };
@@ -1250,7 +1291,7 @@
  files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
  
  manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +271,9 @@
+@@ -239,6 +272,9 @@
  
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
@@ -1260,7 +1301,7 @@
  
  dev_list_sysfs(rpm_script_t)
  
-@@ -255,6 +290,7 @@
+@@ -255,6 +291,7 @@
  fs_mount_xattr_fs(rpm_script_t)
  fs_unmount_xattr_fs(rpm_script_t)
  fs_search_auto_mountpoints(rpm_script_t)
@@ -1268,7 +1309,7 @@
  
  mcs_killall(rpm_script_t)
  mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +308,19 @@
+@@ -272,14 +309,19 @@
  storage_raw_read_fixed_disk(rpm_script_t)
  storage_raw_write_fixed_disk(rpm_script_t)
  
@@ -1288,7 +1329,7 @@
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -291,6 +332,7 @@
+@@ -291,6 +333,7 @@
  files_exec_etc_files(rpm_script_t)
  files_read_etc_runtime_files(rpm_script_t)
  files_exec_usr_files(rpm_script_t)
@@ -1296,7 +1337,7 @@
  
  init_domtrans_script(rpm_script_t)
  
-@@ -308,12 +350,15 @@
+@@ -308,12 +351,15 @@
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -1312,7 +1353,7 @@
  	')
  ')
  
-@@ -326,6 +371,10 @@
+@@ -326,13 +372,18 @@
  ')
  
  optional_policy(`
@@ -1323,9 +1364,10 @@
  	tzdata_domtrans(rpm_t)
  	tzdata_domtrans(rpm_script_t)
  ')
-@@ -333,6 +382,7 @@
+ 
  optional_policy(`
- 	unconfined_domain(rpm_script_t)
+-	unconfined_domain(rpm_script_t)
++	unconfined_domain_noaudit(rpm_script_t)
  	unconfined_domtrans(rpm_script_t)
 +	unconfined_execmem_domtrans(rpm_script_t)
  
@@ -5183,7 +5225,7 @@
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-04-09 10:14:04.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-04-20 12:17:02.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5457,7 +5499,7 @@
  	')
  ')
  
-@@ -4921,3 +5077,95 @@
+@@ -4921,3 +5077,114 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -5553,6 +5595,25 @@
 +	manage_lnk_files_pattern($1, root_t, root_t)
 +	can_exec(kernel_t, root_t)
 +')
++
++########################################
++## <summary>
++##	Do not audit attempts to getattr
++##	all tmpfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_tmpfs_files',`
++	gen_require(`
++		attribute tmpfsfile;
++	')
++
++	allow $1 tmpfsfile:file getattr;
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.12/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/kernel/files.te	2009-04-07 16:01:44.000000000 -0400
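Review bot: The new interface `files_dontaudit_getattr_tmpfs_files` (L295-L301) is named and documented as a dontaudit, but its body at L300 is `allow $1 tmpfsfile:file getattr;`, so every caller silently gains a permission instead of a quieter audit log. The one caller added in this commit, `files_dontaudit_getattr_tmpfs_files(lvm_t)` in lvm.te (L935), would therefore let lvm_t getattr every tmpfsfile-attributed file. The line should read `dontaudit $1 tmpfsfile:file getattr;`, matching what the name and the sibling `fs_dontaudit_getattr_tmpfs_files` already used for lvm_t (L920) imply.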
@@ -5587,7 +5648,7 @@
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.12/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-03-04 16:49:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if	2009-04-14 14:14:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if	2009-04-20 12:16:40.000000000 -0400
 @@ -723,6 +723,24 @@
  
  ########################################
@@ -5676,7 +5737,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-04-13 08:28:24.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-04-21 13:21:45.000000000 -0400
 @@ -1197,6 +1197,26 @@
  	')
  
@@ -10627,7 +10688,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cron.te	2009-04-09 05:33:16.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cron.te	2009-04-21 09:44:30.000000000 -0400
 @@ -38,6 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -10763,7 +10824,7 @@
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -227,21 +256,43 @@
+@@ -227,21 +256,44 @@
  	')
  ')
  
@@ -10804,11 +10865,12 @@
  optional_policy(`
 -	hal_dbus_send(crond_t)
 +	hal_dbus_chat(crond_t)
++	hal_write_log(crond_t)
 +	hal_dbus_chat(system_cronjob_t)
  ')
  
  optional_policy(`
-@@ -268,8 +319,8 @@
+@@ -268,8 +320,8 @@
  # System cron process domain
  #
  
@@ -10819,7 +10881,7 @@
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
  
-@@ -283,7 +334,14 @@
+@@ -283,7 +335,14 @@
  allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
  files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
  
@@ -10834,7 +10896,7 @@
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -303,6 +361,7 @@
+@@ -303,6 +362,7 @@
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -10842,7 +10904,7 @@
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -314,9 +373,13 @@
+@@ -314,9 +374,13 @@
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -10857,7 +10919,7 @@
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -370,7 +433,8 @@
+@@ -370,7 +434,8 @@
  init_read_utmp(system_cronjob_t)
  init_dontaudit_rw_utmp(system_cronjob_t)
  # prelink tells init to restart it self, we either need to allow or dontaudit
@@ -10867,7 +10929,7 @@
  
  auth_use_nsswitch(system_cronjob_t)
  
-@@ -378,6 +442,7 @@
+@@ -378,6 +443,7 @@
  libs_exec_ld_so(system_cronjob_t)
  
  logging_read_generic_logs(system_cronjob_t)
@@ -10875,7 +10937,7 @@
  logging_send_syslog_msg(system_cronjob_t)
  
  miscfiles_read_localization(system_cronjob_t)
-@@ -418,6 +483,10 @@
+@@ -418,6 +484,10 @@
  ')
  
  optional_policy(`
@@ -10886,7 +10948,7 @@
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -428,11 +497,20 @@
+@@ -428,11 +498,20 @@
  ')
  
  optional_policy(`
@@ -10907,7 +10969,7 @@
  ')
  
  optional_policy(`
-@@ -447,6 +525,7 @@
+@@ -447,6 +526,7 @@
  	prelink_read_cache(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_delete_cache(system_cronjob_t)
@@ -10915,7 +10977,7 @@
  ')
  
  optional_policy(`
-@@ -460,8 +539,7 @@
+@@ -460,8 +540,7 @@
  ')
  
  optional_policy(`
@@ -10925,7 +10987,7 @@
  ')
  
  optional_policy(`
-@@ -469,24 +547,17 @@
+@@ -469,24 +548,17 @@
  ')
  
  optional_policy(`
@@ -10953,7 +11015,7 @@
  allow cronjob_t self:process { signal_perms setsched };
  allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +641,9 @@
+@@ -570,6 +642,9 @@
  userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
@@ -11623,7 +11685,7 @@
  /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/dbus.if	2009-04-13 10:31:12.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/dbus.if	2009-04-21 13:57:58.000000000 -0400
 @@ -44,6 +44,7 @@
  
  		attribute session_bus_type;
@@ -12493,7 +12555,7 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te	2009-04-21 10:30:59.000000000 -0400
 @@ -42,8 +42,7 @@
  files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
  
@@ -19866,9 +19928,21 @@
  optional_policy(`
  	ccs_stream_connect(ricci_modstorage_t)
  	ccs_read_config(ricci_modstorage_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.12/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te	2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/rpcbind.te	2009-04-21 13:15:10.000000000 -0400
+@@ -40,6 +40,8 @@
+ manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })
+ 
++fs_list_inotifyfs(rpcbind_t)
++
+ kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-04-14 10:34:47.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-04-21 13:16:52.000000000 -0400
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write, false)
  
@@ -19878,7 +19952,13 @@
  
  rpc_domain_template(gssd)
  
-@@ -79,16 +79,25 @@
+@@ -74,21 +74,31 @@
+ 
+ files_manage_mounttab(rpcd_t)
+ 
++fs_list_inotifyfs(rpcd_t)
+ fs_list_rpc(rpcd_t)
+ fs_read_rpc_files(rpcd_t)
  fs_read_rpc_symlinks(rpcd_t)
  fs_rw_rpc_sockets(rpcd_t) 
  
@@ -19904,16 +19984,26 @@
  ########################################
  #
  # NFSD local policy
-@@ -116,7 +125,7 @@
+@@ -116,8 +126,9 @@
  # for exportfs and rpc.mountd
  files_getattr_tmp_dirs(nfsd_t) 
  # cjp: this should really have its own type
 -files_manage_mounttab(rpcd_t)
 +files_manage_mounttab(nfsd_t)
  
++fs_list_inotifyfs(nfsd_t)
  fs_mount_nfsd_fs(nfsd_t) 
  fs_search_nfsd_fs(nfsd_t) 
-@@ -141,6 +150,7 @@
+ fs_getattr_all_fs(nfsd_t) 
+@@ -125,6 +136,7 @@
+ fs_rw_nfsd_fs(nfsd_t) 
+ 
+ storage_dontaudit_read_fixed_disk(nfsd_t)
++storage_raw_read_removable_device(nfsd_t)
+ 
+ # Read access to public_content_t and public_content_rw_t
+ miscfiles_read_public_files(nfsd_t)
+@@ -141,6 +153,7 @@
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
  ')
@@ -19921,7 +20011,15 @@
  
  tunable_policy(`nfs_export_all_ro',`
  	dev_getattr_all_blk_files(nfsd_t)
-@@ -183,9 +193,12 @@
+@@ -175,6 +188,7 @@
+ 
+ corecmd_exec_bin(gssd_t)
+ 
++fs_list_inotifyfs(gssd_t)
+ fs_list_rpc(gssd_t) 
+ fs_rw_rpc_sockets(gssd_t) 
+ fs_read_rpc_files(gssd_t) 
+@@ -183,9 +197,12 @@
  files_read_usr_symlinks(gssd_t) 
  
  auth_use_nsswitch(gssd_t)
@@ -21886,7 +21984,7 @@
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-04-21 13:22:50.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -22006,7 +22104,15 @@
  
  	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
  	term_create_pty($1_t,$1_devpts_t)
-@@ -229,7 +223,12 @@
+@@ -214,6 +208,7 @@
+ 	allow $1_t sshd_key_t:file read_file_perms;
+ 
+ 	kernel_read_kernel_sysctls($1_t)
++	kernel_read_network_state($1_t)
+ 
+ 	corenet_all_recvfrom_unlabeled($1_t)
+ 	corenet_all_recvfrom_netlabel($1_t)
+@@ -229,7 +224,12 @@
  	corenet_udp_bind_generic_node($1_t)
  	corenet_tcp_bind_ssh_port($1_t)
  	corenet_tcp_connect_all_ports($1_t)
@@ -22019,7 +22125,7 @@
  
  	fs_dontaudit_getattr_all_fs($1_t)
  
-@@ -254,9 +253,14 @@
+@@ -254,9 +254,14 @@
  
  	userdom_dontaudit_relabelfrom_user_ptys($1_t)
  	userdom_search_user_home_dirs($1_t)
@@ -22034,7 +22140,7 @@
  	')
  
  	tunable_policy(`use_samba_home_dirs',`
-@@ -265,11 +269,7 @@
+@@ -265,11 +270,7 @@
  
  	optional_policy(`
  		kerberos_use($1_t)
@@ -22047,7 +22153,7 @@
  	')
  
  	optional_policy(`
-@@ -454,6 +454,24 @@
+@@ -454,6 +455,24 @@
  
  ########################################
  ## <summary>
@@ -22072,7 +22178,7 @@
  ##	Read a ssh server unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -611,3 +629,42 @@
+@@ -611,3 +630,42 @@
  
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')
@@ -25584,7 +25690,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-19 15:52:00.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-21 14:07:27.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -25688,7 +25794,7 @@
  can_exec(initrc_t,initrc_tmp_t)
 -allow initrc_t initrc_tmp_t:file manage_file_perms;
 -allow initrc_t initrc_tmp_t:dir manage_dir_perms;
-+allow initrc_t initrc_tmp_t:file relabelfrom;
++allow initrc_t initrc_tmp_t:file relabel_file_perms;
 +manage_chr_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 +manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 +manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
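Review bot: `manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)` appears twice on consecutive lines (L634-L635) on the new side of this hunk; the duplicate predates this change, but since the hunk is being edited anyway the second copy should go. The widening on L632 from `relabelfrom` to `relabel_file_perms` (which adds relabelto) has no comment naming the init script that relabels files under initrc_tmp_t; a short `# <script> relabels its tmp files` note would help — the script is not recoverable from the hunk.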
@@ -25752,12 +25858,13 @@
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -343,14 +384,13 @@
+@@ -343,14 +384,14 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
 -files_delete_all_locks(initrc_t)
 +files_manage_all_locks(initrc_t)
++files_manage_boot_files(initrc_t)
  files_read_all_pids(initrc_t)
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
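Review bot: `files_manage_boot_files(initrc_t)` at L647 lets every init script create, write and delete files labelled boot_t (typically kernel images, initrd and bootloader configuration), with no comment on which script needs it. The existing boot access for initrc_t in this file is narrower and scoped (`files_create_boot_flag(initrc_t)` and `files_rw_boot_symlinks(initrc_t)` inside an enclosing block at L679-L680 whose opening is outside that hunk), so either move the new rule there with a rationale such as `# <script> regenerates files in /boot`, or use a narrower interface if only one file is written. The script name is not recoverable from the hunk.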
@@ -25768,7 +25875,7 @@
  files_exec_etc_files(initrc_t)
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
-@@ -366,7 +406,9 @@
+@@ -366,7 +407,9 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
@@ -25778,7 +25885,7 @@
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -451,7 +493,7 @@
+@@ -451,7 +494,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -25787,7 +25894,7 @@
  	files_dontaudit_read_root_files(initrc_t)
  
  	selinux_set_enforce_mode(initrc_t)
-@@ -465,6 +507,7 @@
+@@ -465,6 +508,7 @@
  	storage_raw_read_fixed_disk(initrc_t)
  	storage_raw_write_fixed_disk(initrc_t)
  
@@ -25795,7 +25902,7 @@
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
  	# wants to read /.fonts directory
-@@ -498,6 +541,7 @@
+@@ -498,6 +542,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
@@ -25803,7 +25910,7 @@
  	')
  
  	optional_policy(`
-@@ -516,6 +560,33 @@
+@@ -516,6 +561,33 @@
  	')
  ')
  
@@ -25837,7 +25944,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +641,10 @@
+@@ -570,6 +642,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -25848,7 +25955,7 @@
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -591,6 +666,10 @@
+@@ -591,6 +667,10 @@
  ')
  
  optional_policy(`
@@ -25859,7 +25966,7 @@
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -647,6 +726,11 @@
+@@ -647,6 +727,11 @@
  ')
  
  optional_policy(`
@@ -25871,7 +25978,7 @@
  	mailman_list_data(initrc_t)
  	mailman_read_data_symlinks(initrc_t)
  ')
-@@ -655,12 +739,6 @@
+@@ -655,12 +740,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -25884,7 +25991,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -719,8 +797,6 @@
+@@ -719,8 +798,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -25893,7 +26000,7 @@
  ')
  
  optional_policy(`
-@@ -733,10 +809,12 @@
+@@ -733,10 +810,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -25906,7 +26013,7 @@
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +832,11 @@
+@@ -754,6 +833,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -25918,29 +26025,21 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -765,6 +848,21 @@
+@@ -765,6 +849,13 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
 +
-+	# why is this needed:
-+	rpm_manage_db(initrc_t)
 +	# Allow SELinux aware applications to request rpm_script_t execution
 +	rpm_transition_script(initrc_t)
 +')
 +
 +optional_policy(`
-+	# sudo service restart causes this 
-+	unconfined_signull(daemon)
-+')
-+
-+
-+optional_policy(`
-+	rpm_dontaudit_rw_pipes(daemon)
++	rpm_delete_db(initrc_t)
  ')
  
  optional_policy(`
-@@ -790,3 +888,25 @@
+@@ -790,3 +881,35 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
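Review bot: Replacing `rpm_manage_db(initrc_t)` and its "# why is this needed" comment with `rpm_delete_db(initrc_t)` at L783 narrows initrc_t's access to the rpm database, but the reason stays undocumented, so the next reader inherits the very question the removed comment raised. Add the answer above L783, e.g. `# <init script> removes stale rpm db files at boot` — the boot-time cleanup is my inference, confirm. The unconfined_signull/rpm_dontaudit_rw_pipes blocks removed here reappear unchanged later in the file (L796-L803), so that part of the hunk is a pure move.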
@@ -25952,6 +26051,16 @@
 +logging_append_all_logs(daemon)
 +
 +optional_policy(`
++	# sudo service restart causes this 
++	unconfined_signull(daemon)
++')
++
++
++optional_policy(`
++	rpm_dontaudit_rw_pipes(daemon)
++')
++
++optional_policy(`
 +	xserver_rw_xdm_home_files(daemon)
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_dontaudit_rw_nfs_files(daemon)
@@ -26103,7 +26212,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/iscsi.te	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/iscsi.te	2009-04-21 13:55:23.000000000 -0400
 @@ -55,6 +55,7 @@
  files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
  
@@ -26504,7 +26613,7 @@
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/logging.te	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/logging.te	2009-04-21 14:01:28.000000000 -0400
 @@ -126,7 +126,7 @@
  allow auditd_t self:process { signal_perms setpgid setsched };
  allow auditd_t self:file rw_file_perms;
@@ -26615,7 +26724,7 @@
 +/var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.12/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/lvm.te	2009-04-09 10:07:34.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/lvm.te	2009-04-21 14:01:57.000000000 -0400
 @@ -10,6 +10,9 @@
  type clvmd_exec_t;
  init_daemon_domain(clvmd_t,clvmd_exec_t)
@@ -26672,8 +26781,11 @@
  
  files_read_etc_files(clvmd_t)
  files_list_usr(clvmd_t)
-@@ -99,9 +109,12 @@
+@@ -97,11 +107,15 @@
+ fs_search_auto_mountpoints(clvmd_t)
+ fs_dontaudit_list_tmpfs(clvmd_t)
  fs_dontaudit_read_removable_files(clvmd_t)
++fs_rw_anon_inodefs_files(clvmd_t)
  
  storage_dontaudit_getattr_removable_dev(clvmd_t)
 +storage_dev_filetrans_fixed_disk(clvmd_t)
@@ -26685,7 +26797,7 @@
  storage_raw_read_fixed_disk(clvmd_t)
  
  auth_use_nsswitch(clvmd_t)
-@@ -112,6 +125,9 @@
+@@ -112,6 +126,9 @@
  
  seutil_dontaudit_search_config(clvmd_t)
  seutil_sigchld_newrole(clvmd_t)
@@ -26695,7 +26807,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
  userdom_dontaudit_search_user_home_dirs(clvmd_t)
-@@ -124,6 +140,14 @@
+@@ -124,6 +141,14 @@
  ')
  
  optional_policy(`
@@ -26710,7 +26822,7 @@
  	gpm_dontaudit_getattr_gpmctl(clvmd_t)
  ')
  
-@@ -133,6 +157,14 @@
+@@ -133,6 +158,14 @@
  ')
  
  optional_policy(`
@@ -26725,7 +26837,7 @@
  	udev_read_db(clvmd_t)
  ')
  
-@@ -143,17 +175,19 @@
+@@ -143,17 +176,19 @@
  
  # DAC overrides and mknod for modifying /dev entries (vgmknodes)
  # rawio needed for dmraid
@@ -26748,7 +26860,7 @@
  
  manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
  manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
-@@ -185,6 +219,7 @@
+@@ -185,6 +220,7 @@
  manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t)
  filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file)
  files_etc_filetrans(lvm_t,lvm_metadata_t,file)
@@ -26756,7 +26868,7 @@
  
  kernel_read_system_state(lvm_t)
  kernel_read_kernel_sysctls(lvm_t)
-@@ -192,6 +227,8 @@
+@@ -192,6 +228,8 @@
  kernel_read_kernel_sysctls(lvm_t)
  # it has no reason to need this
  kernel_dontaudit_getattr_core_if(lvm_t)
@@ -26765,7 +26877,7 @@
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -221,6 +258,7 @@
+@@ -221,6 +259,7 @@
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -26773,7 +26885,15 @@
  
  fs_getattr_xattr_fs(lvm_t)
  fs_search_auto_mountpoints(lvm_t)
-@@ -239,12 +277,18 @@
+@@ -228,6 +267,7 @@
+ fs_read_tmpfs_symlinks(lvm_t)
+ fs_dontaudit_read_removable_files(lvm_t)
+ fs_dontaudit_getattr_tmpfs_files(lvm_t)
++fs_rw_anon_inodefs_files(lvm_t)
+ 
+ storage_relabel_fixed_disk(lvm_t)
+ storage_dontaudit_read_removable_device(lvm_t)
+@@ -239,20 +279,28 @@
  storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
@@ -26792,7 +26912,9 @@
  files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
-@@ -253,6 +297,7 @@
+ files_dontaudit_search_isid_type_dirs(lvm_t)
++files_dontaudit_getattr_tmpfs_files(lvm_t)
+ 
  init_use_fds(lvm_t)
  init_dontaudit_getattr_initctl(lvm_t)
  init_use_script_ptys(lvm_t)
@@ -26800,7 +26922,7 @@
  
  logging_send_syslog_msg(lvm_t)
  
-@@ -283,5 +328,22 @@
+@@ -283,5 +331,22 @@
  ')
  
  optional_policy(`
@@ -28433,8 +28555,24 @@
  	xen_append_log(ifconfig_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2009-04-07 15:53:36.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/udev.te	2009-04-09 05:27:54.000000000 -0400
-@@ -210,6 +210,11 @@
++++ serefpolicy-3.6.12/policy/modules/system/udev.te	2009-04-21 13:55:54.000000000 -0400
+@@ -50,6 +50,7 @@
+ allow udev_t self:unix_stream_socket connectto;
+ allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow udev_t self:rawip_socket create_socket_perms;
++allow udev_t self:netlink_socket create_netlink_socket_perms;
+ 
+ allow udev_t udev_exec_t:file write;
+ can_exec(udev_t, udev_exec_t)
+@@ -140,6 +141,7 @@
+ logging_send_audit_msgs(udev_t)
+ 
+ miscfiles_read_localization(udev_t)
++miscfiles_read_hwdata(udev_t)
+ 
+ modutils_domtrans_insmod(udev_t)
+ # read modules.inputmap:
+@@ -210,6 +212,11 @@
  ')
  
  optional_policy(`
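Review bot: `allow udev_t self:netlink_socket create_netlink_socket_perms;` at L960 uses the generic netlink_socket class, whereas the surrounding rules name the specific family (`netlink_kobject_uevent_socket` on L958). The generic class covers whichever netlink families have no dedicated SELinux class, so a comment naming the family udev needs would let a later reviewer verify that no narrower class applies, e.g. `# udev needs netlink_socket for <family> — confirm`.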
@@ -28446,7 +28584,7 @@
  	lvm_domtrans(udev_t)
  ')
  
-@@ -219,6 +224,7 @@
+@@ -219,6 +226,7 @@
  
  optional_policy(`
  	hal_dgram_send(udev_t)
@@ -28454,7 +28592,7 @@
  ')
  
  optional_policy(`
-@@ -242,6 +248,10 @@
+@@ -242,6 +250,10 @@
  ')
  
  optional_policy(`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.830
retrieving revision 1.831
diff -u -r1.830 -r1.831
--- selinux-policy.spec	20 Apr 2009 12:32:21 -0000	1.830
+++ selinux-policy.spec	21 Apr 2009 18:19:34 -0000	1.831
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@
 %endif
 
 %changelog
+* Tue Apr 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-10
+- Allow nfs to share removable media
+
 * Mon Apr 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-9
 - Add ability to run postdrop from confined users
 



