rpms/selinux-policy/devel policy-20090105.patch, 1.90, 1.91 selinux-policy.spec, 1.827, 1.828
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Apr 21 20:31:54 UTC 2009
- Previous message (by thread): rpms/kernel/F-11 kernel.spec,1.1566,1.1567
- Next message (by thread): rpms/fedora-release-notes/F-11 .cvsignore, 1.18, 1.19 fedora-release-notes.spec, 1.35, 1.36 import.log, 1.2, 1.3 sources, 1.28, 1.29
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23522
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Tue Apr 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-11
- Allow nsplugin unix_read and write on users shm and sem
- Allow sysadm_t to execute su
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.90
retrieving revision 1.91
diff -u -r1.90 -r1.91
--- policy-20090105.patch 18 Apr 2009 12:13:36 -0000 1.90
+++ policy-20090105.patch 21 Apr 2009 20:31:51 -0000 1.91
@@ -164,6 +164,16 @@
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/securetty_types serefpolicy-3.6.12/config/appconfig-mls/securetty_types
+--- nsaserefpolicy/config/appconfig-mls/securetty_types 2008-08-07 11:15:14.000000000 -0400
++++ serefpolicy-3.6.12/config/appconfig-mls/securetty_types 2009-04-20 10:13:02.000000000 -0400
+@@ -1,6 +1 @@
+-auditadm_tty_device_t
+-secadm_tty_device_t
+-staff_tty_device_t
+-sysadm_tty_device_t
+-unconfined_tty_device_t
+ user_tty_device_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.12/config/appconfig-mls/virtual_domain_context
--- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mls/virtual_domain_context 2009-04-07 16:01:44.000000000 -0400
@@ -729,17 +739,18 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.12/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc 2009-04-07 16:01:44.000000000 -0400
-@@ -3,6 +3,7 @@
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc 2009-04-19 15:52:53.000000000 -0400
+@@ -3,15 +3,12 @@
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-
+-/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
-@@ -11,7 +12,8 @@
-
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
@@ -748,7 +759,7 @@
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
-@@ -21,14 +23,18 @@
+@@ -21,14 +18,18 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -771,7 +782,7 @@
ifdef(`distro_suse', `
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-04-21 14:06:47.000000000 -0400
@@ -146,6 +146,24 @@
########################################
@@ -926,7 +937,32 @@
')
########################################
-@@ -283,3 +401,175 @@
+@@ -245,6 +363,24 @@
+
+ ########################################
+ ## <summary>
++## Delete the RPM package database.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`rpm_delete_db',`
++ gen_require(`
++ type rpm_var_lib_t;
++ ')
++
++ delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
++')
++
++########################################
++## <summary>
+ ## Create, read, write, and delete the RPM package database.
+ ## </summary>
+ ## <param name="domain">
+@@ -283,3 +419,175 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -1104,8 +1140,17 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-09 04:59:09.000000000 -0400
-@@ -31,6 +31,9 @@
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-20 12:07:11.000000000 -0400
+@@ -9,6 +9,8 @@
+ type rpm_t;
+ type rpm_exec_t;
+ init_system_domain(rpm_t, rpm_exec_t)
++#application_domain(rpm_t, rpm_exec_t)
++
+ domain_obj_id_change_exemption(rpm_t)
+ domain_role_change_exemption(rpm_t)
+ domain_system_change_exemption(rpm_t)
+@@ -31,11 +33,15 @@
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -1115,7 +1160,13 @@
type rpm_script_t;
type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
-@@ -52,8 +55,9 @@
+ domain_system_change_exemption(rpm_script_t)
+ corecmd_shell_entry_type(rpm_script_t)
++corecmd_bin_entry_type(rpm_script_t)
+ domain_type(rpm_script_t)
+ domain_entry_file(rpm_t, rpm_script_exec_t)
+ domain_interactive_fd(rpm_script_t)
+@@ -52,8 +58,9 @@
# rpm Local policy
#
@@ -1127,7 +1178,7 @@
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
-@@ -68,6 +72,8 @@
+@@ -68,6 +75,8 @@
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
@@ -1136,7 +1187,7 @@
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -87,8 +93,12 @@
+@@ -87,8 +96,12 @@
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
@@ -1149,7 +1200,7 @@
corecmd_exec_all_executables(rpm_t)
-@@ -108,13 +118,16 @@
+@@ -108,13 +121,16 @@
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
@@ -1166,7 +1217,7 @@
mls_file_read_all_levels(rpm_t)
mls_file_write_all_levels(rpm_t)
-@@ -132,6 +145,8 @@
+@@ -132,6 +148,8 @@
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
@@ -1175,7 +1226,7 @@
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +170,7 @@
+@@ -155,6 +173,7 @@
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
@@ -1183,7 +1234,7 @@
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -174,17 +190,28 @@
+@@ -174,17 +193,28 @@
')
optional_policy(`
@@ -1213,7 +1264,7 @@
')
ifdef(`TODO',`
-@@ -210,8 +237,8 @@
+@@ -210,8 +240,8 @@
# rpm-script Local policy
#
@@ -1224,7 +1275,7 @@
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +249,15 @@
+@@ -222,12 +252,15 @@
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
@@ -1240,7 +1291,7 @@
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +269,9 @@
+@@ -239,6 +272,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
@@ -1250,7 +1301,7 @@
dev_list_sysfs(rpm_script_t)
-@@ -255,6 +288,7 @@
+@@ -255,6 +291,7 @@
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
@@ -1258,7 +1309,7 @@
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +306,19 @@
+@@ -272,14 +309,19 @@
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@@ -1278,7 +1329,7 @@
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -291,6 +330,7 @@
+@@ -291,6 +333,7 @@
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
@@ -1286,7 +1337,7 @@
init_domtrans_script(rpm_script_t)
-@@ -308,12 +348,15 @@
+@@ -308,12 +351,15 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -1302,7 +1353,7 @@
')
')
-@@ -326,6 +369,10 @@
+@@ -326,13 +372,18 @@
')
optional_policy(`
@@ -1313,9 +1364,10 @@
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
-@@ -333,6 +380,7 @@
+
optional_policy(`
- unconfined_domain(rpm_script_t)
+- unconfined_domain(rpm_script_t)
++ unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
+ unconfined_execmem_domtrans(rpm_script_t)
@@ -1472,7 +1524,7 @@
application_executable_file(sudo_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.12/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/su.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/su.if 2009-04-21 15:49:55.000000000 -0400
@@ -90,15 +90,6 @@
miscfiles_read_localization($1_su_t)
@@ -2725,8 +2777,8 @@
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-04-07 16:01:44.000000000 -0400
-@@ -0,0 +1,272 @@
++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-04-21 15:54:32.000000000 -0400
+@@ -0,0 +1,274 @@
+
+## <summary>policy for nsplugin</summary>
+
@@ -2837,6 +2889,8 @@
+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
++ allow nsplugin_t $2:sem { unix_read unix_write };
++ allow nsplugin_t $2:shm { unix_read unix_write };
+
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
@@ -4676,7 +4730,7 @@
+corecmd_executable_file(wm_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-17 07:21:07.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-19 15:53:09.000000000 -0400
@@ -32,6 +32,8 @@
#
# /etc
@@ -4695,7 +4749,7 @@
#
# /usr
#
-@@ -299,3 +303,14 @@
+@@ -299,3 +303,20 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -4710,6 +4764,12 @@
+/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0)
+
+/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
++
++/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.12/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.if 2009-04-07 16:01:44.000000000 -0400
@@ -5021,7 +5081,7 @@
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-21 16:08:44.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -5092,7 +5152,7 @@
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
-@@ -153,3 +172,43 @@
+@@ -153,3 +172,45 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5106,7 +5166,9 @@
+ cron_dontaudit_write_system_job_tmp_files(domain)
+ cron_rw_pipes(domain)
+ cron_rw_system_job_pipes(domain)
++
+ifdef(`hide_broken_symptoms',`
++ fs_list_inotifyfs(domain)
+ allow domain domain:key { link search };
+')
+')
@@ -5167,7 +5229,7 @@
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-09 10:14:04.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-20 12:17:02.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@@ -5441,7 +5503,7 @@
')
')
-@@ -4921,3 +5077,95 @@
+@@ -4921,3 +5077,114 @@
typeattribute $1 files_unconfined_type;
')
@@ -5537,6 +5599,25 @@
+ manage_lnk_files_pattern($1, root_t, root_t)
+ can_exec(kernel_t, root_t)
+')
++
++########################################
++## <summary>
++## Do not audit attempts to getattr
++## all tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file getattr;
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.12/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/kernel/files.te 2009-04-07 16:01:44.000000000 -0400
@@ -5571,7 +5652,7 @@
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.12/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if 2009-04-14 14:14:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if 2009-04-20 12:16:40.000000000 -0400
@@ -723,6 +723,24 @@
########################################
@@ -5660,7 +5741,7 @@
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-13 08:28:24.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-21 13:21:45.000000000 -0400
@@ -1197,6 +1197,26 @@
')
@@ -6242,7 +6323,7 @@
## requiring the caller to use setexeccon().
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-21 15:50:14.000000000 -0400
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -6290,15 +6371,16 @@
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -127,18 +114,10 @@
+@@ -127,7 +114,7 @@
')
optional_policy(`
- cron_admin_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- cvs_exec(sysadm_t)
++ su_exec(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -135,10 +122,6 @@
')
optional_policy(`
@@ -6309,7 +6391,7 @@
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
-@@ -166,10 +145,6 @@
+@@ -166,10 +149,6 @@
')
optional_policy(`
@@ -6320,7 +6402,7 @@
firstboot_run(sysadm_t, sysadm_r)
')
-@@ -178,22 +153,6 @@
+@@ -178,22 +157,6 @@
')
optional_policy(`
@@ -6343,7 +6425,7 @@
hostname_run(sysadm_t, sysadm_r)
')
-@@ -212,11 +171,7 @@
+@@ -212,11 +175,7 @@
')
optional_policy(`
@@ -6356,7 +6438,7 @@
')
optional_policy(`
-@@ -228,10 +183,6 @@
+@@ -228,10 +187,6 @@
')
optional_policy(`
@@ -6367,7 +6449,7 @@
logrotate_run(sysadm_t, sysadm_r)
')
-@@ -255,14 +206,6 @@
+@@ -255,14 +210,6 @@
')
optional_policy(`
@@ -6382,7 +6464,7 @@
mta_role(sysadm_r, sysadm_t)
')
-@@ -290,11 +233,6 @@
+@@ -290,11 +237,6 @@
')
optional_policy(`
@@ -6394,7 +6476,7 @@
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
-@@ -308,10 +246,6 @@
+@@ -308,10 +250,6 @@
')
optional_policy(`
@@ -6405,7 +6487,7 @@
quota_run(sysadm_t, sysadm_r)
')
-@@ -320,22 +254,10 @@
+@@ -320,22 +258,10 @@
')
optional_policy(`
@@ -6428,7 +6510,7 @@
rsync_exec(sysadm_t)
')
-@@ -345,10 +267,6 @@
+@@ -345,10 +271,6 @@
')
optional_policy(`
@@ -6439,7 +6521,7 @@
secadm_role_change(sysadm_r)
')
-@@ -358,35 +276,15 @@
+@@ -358,35 +280,15 @@
')
optional_policy(`
@@ -6475,7 +6557,7 @@
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +292,10 @@
+@@ -394,18 +296,10 @@
')
optional_policy(`
@@ -6494,7 +6576,7 @@
unconfined_domtrans(sysadm_t)
')
-@@ -418,20 +308,12 @@
+@@ -418,20 +312,12 @@
')
optional_policy(`
@@ -6515,7 +6597,7 @@
vpn_run(sysadm_t, sysadm_r)
')
-@@ -440,13 +322,5 @@
+@@ -440,13 +326,5 @@
')
optional_policy(`
@@ -10611,7 +10693,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-09 05:33:16.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-21 16:03:54.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -10747,7 +10829,7 @@
ifdef(`distro_debian',`
# pam_limits is used
-@@ -227,21 +256,43 @@
+@@ -227,21 +256,44 @@
')
')
@@ -10788,11 +10870,12 @@
optional_policy(`
- hal_dbus_send(crond_t)
+ hal_dbus_chat(crond_t)
++ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
-@@ -268,8 +319,8 @@
+@@ -268,8 +320,8 @@
# System cron process domain
#
@@ -10803,7 +10886,7 @@
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -283,7 +334,14 @@
+@@ -283,7 +335,14 @@
allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
@@ -10818,7 +10901,7 @@
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -303,6 +361,7 @@
+@@ -303,6 +362,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -10826,7 +10909,7 @@
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -314,9 +373,13 @@
+@@ -314,9 +374,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -10841,7 +10924,15 @@
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -370,7 +433,8 @@
+@@ -345,6 +409,7 @@
+ fs_getattr_all_symlinks(system_cronjob_t)
+ fs_getattr_all_pipes(system_cronjob_t)
+ fs_getattr_all_sockets(system_cronjob_t)
++fs_list_inotifyfs(system_cronjob_t)
+
+ # quiet other ps operations
+ domain_dontaudit_read_all_domains_state(system_cronjob_t)
+@@ -370,7 +435,8 @@
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -10851,7 +10942,7 @@
auth_use_nsswitch(system_cronjob_t)
-@@ -378,6 +442,7 @@
+@@ -378,6 +444,7 @@
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
@@ -10859,7 +10950,7 @@
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
-@@ -418,6 +483,10 @@
+@@ -418,6 +485,10 @@
')
optional_policy(`
@@ -10870,7 +10961,7 @@
ftp_read_log(system_cronjob_t)
')
-@@ -428,11 +497,20 @@
+@@ -428,11 +499,20 @@
')
optional_policy(`
@@ -10891,7 +10982,7 @@
')
optional_policy(`
-@@ -447,6 +525,7 @@
+@@ -447,6 +527,7 @@
prelink_read_cache(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_delete_cache(system_cronjob_t)
@@ -10899,7 +10990,7 @@
')
optional_policy(`
-@@ -460,8 +539,7 @@
+@@ -460,8 +541,7 @@
')
optional_policy(`
@@ -10909,7 +11000,7 @@
')
optional_policy(`
-@@ -469,24 +547,17 @@
+@@ -469,24 +549,17 @@
')
optional_policy(`
@@ -10937,7 +11028,7 @@
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +641,9 @@
+@@ -570,6 +643,9 @@
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
@@ -11607,7 +11698,7 @@
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-13 10:31:12.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-21 13:57:58.000000000 -0400
@@ -44,6 +44,7 @@
attribute session_bus_type;
@@ -12477,7 +12568,7 @@
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-04-21 10:30:59.000000000 -0400
@@ -42,8 +42,7 @@
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
@@ -13382,6 +13473,18 @@
+ polkit_read_reload(gnomeclock_t)
+')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.if serefpolicy-3.6.12/policy/modules/services/gpm.if
+--- nsaserefpolicy/policy/modules/services/gpm.if 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/gpm.if 2009-04-20 08:24:22.000000000 -0400
+@@ -16,7 +16,7 @@
+ type gpmctl_t, gpm_t;
+ ')
+
+- allow $1 gpmctl_t:sock_file { getattr write };
++ allow $1 gpmctl_t:sock_file rw_sock_file_perms;
+ allow $1 gpm_t:unix_stream_socket connectto;
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.12/policy/modules/services/gpm.te
--- nsaserefpolicy/policy/modules/services/gpm.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/gpm.te 2009-04-07 16:01:44.000000000 -0400
@@ -13685,7 +13788,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-11 07:33:35.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-20 07:58:45.000000000 -0400
@@ -49,6 +49,15 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -13745,16 +13848,20 @@
rpc_search_nfs_state_data(hald_t)
')
-@@ -301,12 +327,16 @@
- virt_manage_images(hald_t)
+@@ -298,7 +324,11 @@
')
-+optional_policy(`
-+ xserver_read_pid(hald_t)
+ optional_policy(`
+- virt_manage_images(hald_t)
++ virtual_manage_image(hald_t)
+')
+
++optional_policy(`
++ xserver_read_pid(hald_t)
+ ')
+
########################################
- #
+@@ -306,7 +336,7 @@
# Hal acl local policy
#
@@ -17642,7 +17749,7 @@
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-04-20 07:42:10.000000000 -0400
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -17812,7 +17919,7 @@
')
########################################
-@@ -500,3 +558,23 @@
+@@ -500,3 +558,43 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -17836,6 +17943,26 @@
+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+')
+
++########################################
++## <summary>
++## Execute the master postdrop in the
++## postfix_postdrop domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_run_postdrop',`
++ gen_require(`
++ type postfix_postdrop_t;
++ ')
++
++ postfix_domtrans_postdrop($1)
++ role $2 types postfix_postdrop_t;
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-15 08:35:07.000000000 -0400
@@ -19814,9 +19941,21 @@
optional_policy(`
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.12/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/rpcbind.te 2009-04-21 13:15:10.000000000 -0400
+@@ -40,6 +40,8 @@
+ manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })
+
++fs_list_inotifyfs(rpcbind_t)
++
+ kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-14 10:34:47.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-21 15:17:25.000000000 -0400
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
@@ -19826,7 +19965,13 @@
rpc_domain_template(gssd)
-@@ -79,16 +79,25 @@
+@@ -74,21 +74,31 @@
+
+ files_manage_mounttab(rpcd_t)
+
++fs_list_inotifyfs(rpcd_t)
+ fs_list_rpc(rpcd_t)
+ fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_rw_rpc_sockets(rpcd_t)
@@ -19852,16 +19997,26 @@
########################################
#
# NFSD local policy
-@@ -116,7 +125,7 @@
+@@ -116,8 +126,9 @@
# for exportfs and rpc.mountd
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
-files_manage_mounttab(rpcd_t)
+files_manage_mounttab(nfsd_t)
++fs_list_inotifyfs(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
-@@ -141,6 +150,7 @@
+ fs_getattr_all_fs(nfsd_t)
+@@ -125,6 +136,7 @@
+ fs_rw_nfsd_fs(nfsd_t)
+
+ storage_dontaudit_read_fixed_disk(nfsd_t)
++storage_raw_read_removable_device(nfsd_t)
+
+ # Read access to public_content_t and public_content_rw_t
+ miscfiles_read_public_files(nfsd_t)
+@@ -141,6 +153,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
@@ -19869,7 +20024,15 @@
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
-@@ -183,9 +193,12 @@
+@@ -175,6 +188,7 @@
+
+ corecmd_exec_bin(gssd_t)
+
++fs_list_inotifyfs(gssd_t)
+ fs_list_rpc(gssd_t)
+ fs_rw_rpc_sockets(gssd_t)
+ fs_read_rpc_files(gssd_t)
+@@ -183,9 +197,12 @@
files_read_usr_symlinks(gssd_t)
auth_use_nsswitch(gssd_t)
@@ -21834,7 +21997,7 @@
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-21 13:22:50.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -21954,7 +22117,15 @@
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
-@@ -229,7 +223,12 @@
+@@ -214,6 +208,7 @@
+ allow $1_t sshd_key_t:file read_file_perms;
+
+ kernel_read_kernel_sysctls($1_t)
++ kernel_read_network_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+@@ -229,7 +224,12 @@
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
@@ -21967,7 +22138,7 @@
fs_dontaudit_getattr_all_fs($1_t)
-@@ -254,9 +253,14 @@
+@@ -254,9 +254,14 @@
userdom_dontaudit_relabelfrom_user_ptys($1_t)
userdom_search_user_home_dirs($1_t)
@@ -21982,7 +22153,7 @@
')
tunable_policy(`use_samba_home_dirs',`
-@@ -265,11 +269,7 @@
+@@ -265,11 +270,7 @@
optional_policy(`
kerberos_use($1_t)
@@ -21995,7 +22166,7 @@
')
optional_policy(`
-@@ -454,6 +454,24 @@
+@@ -454,6 +455,24 @@
########################################
## <summary>
@@ -22020,7 +22191,7 @@
## Read a ssh server unnamed pipe.
## </summary>
## <param name="domain">
-@@ -611,3 +629,42 @@
+@@ -611,3 +630,42 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -22843,7 +23014,7 @@
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.12/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.if 2009-04-20 08:00:16.000000000 -0400
@@ -2,28 +2,6 @@
########################################
@@ -22896,7 +23067,20 @@
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
-@@ -293,6 +272,41 @@
+@@ -272,11 +251,7 @@
+ ')
+
+ virt_search_lib($1)
+- allow $1 virt_image_t:dir list_dir_perms;
+- manage_dirs_pattern($1, virt_image_t, virt_image_t)
+- manage_files_pattern($1, virt_image_t, virt_image_t)
+- read_lnk_files_pattern($1, virt_image_t, virt_image_t)
+- rw_blk_files_pattern($1, virt_image_t, virt_image_t)
++ virtual_manage_image($1)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs($1)
+@@ -293,6 +268,41 @@
########################################
## <summary>
@@ -22938,7 +23122,7 @@
## All of the rules required to administrate
## an virt environment
## </summary>
-@@ -327,3 +341,53 @@
+@@ -327,3 +337,53 @@
virt_manage_log($1)
')
@@ -22994,7 +23178,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-17 11:32:56.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-20 07:48:51.000000000 -0400
@@ -8,19 +8,24 @@
## <desc>
@@ -23067,7 +23251,7 @@
-allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
-allow virtd_t self:process { getsched sigkill signal execmem };
+allow virtd_t self:capability { chown dac_override ipc_lock kill mknod net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
-+allow virtd_t self:process { getsched sigkill signal execmem setexec setfscreate setsched };
++allow virtd_t self:process { getsched sigkill signal signull execmem setexec setfscreate setsched };
allow virtd_t self:fifo_file rw_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
@@ -25519,7 +25703,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 11:41:15.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-21 14:07:27.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
@@ -25623,7 +25807,7 @@
can_exec(initrc_t,initrc_tmp_t)
-allow initrc_t initrc_tmp_t:file manage_file_perms;
-allow initrc_t initrc_tmp_t:dir manage_dir_perms;
-+allow initrc_t initrc_tmp_t:file relabelfrom;
++allow initrc_t initrc_tmp_t:file relabel_file_perms;
+manage_chr_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -25687,12 +25871,13 @@
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -343,14 +384,13 @@
+@@ -343,14 +384,14 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
++files_manage_boot_files(initrc_t)
files_read_all_pids(initrc_t)
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
@@ -25703,7 +25888,7 @@
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-@@ -366,7 +406,9 @@
+@@ -366,7 +407,9 @@
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
@@ -25713,7 +25898,7 @@
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -451,7 +493,7 @@
+@@ -451,7 +494,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -25722,7 +25907,7 @@
files_dontaudit_read_root_files(initrc_t)
selinux_set_enforce_mode(initrc_t)
-@@ -465,6 +507,7 @@
+@@ -465,6 +508,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
@@ -25730,7 +25915,7 @@
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
-@@ -498,6 +541,7 @@
+@@ -498,6 +542,7 @@
optional_policy(`
#for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t)
@@ -25738,7 +25923,7 @@
')
optional_policy(`
-@@ -516,6 +560,33 @@
+@@ -516,6 +561,33 @@
')
')
@@ -25772,7 +25957,7 @@
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +641,10 @@
+@@ -570,6 +642,10 @@
dbus_read_config(initrc_t)
optional_policy(`
@@ -25783,7 +25968,7 @@
networkmanager_dbus_chat(initrc_t)
')
')
-@@ -591,6 +666,10 @@
+@@ -591,6 +667,10 @@
')
optional_policy(`
@@ -25794,7 +25979,7 @@
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -647,6 +726,11 @@
+@@ -647,6 +727,11 @@
')
optional_policy(`
@@ -25806,7 +25991,7 @@
mailman_list_data(initrc_t)
mailman_read_data_symlinks(initrc_t)
')
-@@ -655,12 +739,6 @@
+@@ -655,12 +740,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -25819,17 +26004,16 @@
optional_policy(`
ifdef(`distro_redhat',`
-@@ -721,6 +799,9 @@
+@@ -719,8 +798,6 @@
+ # bash tries ioctl for some reason
+ files_dontaudit_ioctl_all_pids(initrc_t)
- # why is this needed:
- rpm_manage_db(initrc_t)
-+ # Allow SELinux aware applications to request rpm_script_t execution
-+ rpm_transition_script(initrc_t)
-+
+- # why is this needed:
+- rpm_manage_db(initrc_t)
')
optional_policy(`
-@@ -733,10 +814,12 @@
+@@ -733,10 +810,12 @@
squid_manage_logs(initrc_t)
')
@@ -25842,7 +26026,7 @@
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +837,11 @@
+@@ -754,6 +833,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -25854,27 +26038,21 @@
optional_policy(`
unconfined_domain(initrc_t)
-@@ -761,6 +849,8 @@
- # system-config-services causes avc messages that should be dontaudited
- unconfined_dontaudit_rw_pipes(daemon)
- ')
-+ # sudo service restart causes this
-+ unconfined_signull(daemon)
-
+@@ -765,6 +849,13 @@
optional_policy(`
mono_domtrans(initrc_t)
-@@ -768,6 +858,10 @@
- ')
-
- optional_policy(`
-+ rpm_dontaudit_rw_pipes(daemon)
+ ')
++
++ # Allow SELinux aware applications to request rpm_script_t execution
++ rpm_transition_script(initrc_t)
+')
+
+optional_policy(`
- vmware_read_system_config(initrc_t)
- vmware_append_system_config(initrc_t)
++ rpm_delete_db(initrc_t)
')
-@@ -790,3 +884,25 @@
+
+ optional_policy(`
+@@ -790,3 +881,35 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -25886,6 +26064,16 @@
+logging_append_all_logs(daemon)
+
+optional_policy(`
++ # sudo service restart causes this
++ unconfined_signull(daemon)
++')
++
++
++optional_policy(`
++ rpm_dontaudit_rw_pipes(daemon)
++')
++
++optional_policy(`
+ xserver_rw_xdm_home_files(daemon)
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(daemon)
@@ -26037,7 +26225,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-04-21 13:55:23.000000000 -0400
@@ -55,6 +55,7 @@
files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
@@ -26438,7 +26626,7 @@
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/logging.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/logging.te 2009-04-21 14:01:28.000000000 -0400
@@ -126,7 +126,7 @@
allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file rw_file_perms;
@@ -26549,7 +26737,7 @@
+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.12/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/lvm.te 2009-04-09 10:07:34.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/lvm.te 2009-04-21 14:01:57.000000000 -0400
@@ -10,6 +10,9 @@
type clvmd_exec_t;
init_daemon_domain(clvmd_t,clvmd_exec_t)
@@ -26606,8 +26794,11 @@
files_read_etc_files(clvmd_t)
files_list_usr(clvmd_t)
-@@ -99,9 +109,12 @@
+@@ -97,11 +107,15 @@
+ fs_search_auto_mountpoints(clvmd_t)
+ fs_dontaudit_list_tmpfs(clvmd_t)
fs_dontaudit_read_removable_files(clvmd_t)
++fs_rw_anon_inodefs_files(clvmd_t)
storage_dontaudit_getattr_removable_dev(clvmd_t)
+storage_dev_filetrans_fixed_disk(clvmd_t)
@@ -26619,7 +26810,7 @@
storage_raw_read_fixed_disk(clvmd_t)
auth_use_nsswitch(clvmd_t)
-@@ -112,6 +125,9 @@
+@@ -112,6 +126,9 @@
seutil_dontaudit_search_config(clvmd_t)
seutil_sigchld_newrole(clvmd_t)
@@ -26629,7 +26820,7 @@
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
userdom_dontaudit_search_user_home_dirs(clvmd_t)
-@@ -124,6 +140,14 @@
+@@ -124,6 +141,14 @@
')
optional_policy(`
@@ -26644,7 +26835,7 @@
gpm_dontaudit_getattr_gpmctl(clvmd_t)
')
-@@ -133,6 +157,14 @@
+@@ -133,6 +158,14 @@
')
optional_policy(`
@@ -26659,7 +26850,7 @@
udev_read_db(clvmd_t)
')
-@@ -143,17 +175,19 @@
+@@ -143,17 +176,19 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
@@ -26682,7 +26873,7 @@
manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
-@@ -185,6 +219,7 @@
+@@ -185,6 +220,7 @@
manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t)
filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file)
files_etc_filetrans(lvm_t,lvm_metadata_t,file)
@@ -26690,7 +26881,7 @@
kernel_read_system_state(lvm_t)
kernel_read_kernel_sysctls(lvm_t)
-@@ -192,6 +227,8 @@
+@@ -192,6 +228,8 @@
kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
@@ -26699,7 +26890,7 @@
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
-@@ -221,6 +258,7 @@
+@@ -221,6 +259,7 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -26707,7 +26898,15 @@
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
-@@ -239,12 +277,18 @@
+@@ -228,6 +267,7 @@
+ fs_read_tmpfs_symlinks(lvm_t)
+ fs_dontaudit_read_removable_files(lvm_t)
+ fs_dontaudit_getattr_tmpfs_files(lvm_t)
++fs_rw_anon_inodefs_files(lvm_t)
+
+ storage_relabel_fixed_disk(lvm_t)
+ storage_dontaudit_read_removable_device(lvm_t)
+@@ -239,20 +279,28 @@
storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -26726,7 +26925,9 @@
files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
-@@ -253,6 +297,7 @@
+ files_dontaudit_search_isid_type_dirs(lvm_t)
++files_dontaudit_getattr_tmpfs_files(lvm_t)
+
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
@@ -26734,7 +26935,7 @@
logging_send_syslog_msg(lvm_t)
-@@ -283,5 +328,22 @@
+@@ -283,5 +331,22 @@
')
optional_policy(`
@@ -28367,8 +28568,24 @@
xen_append_log(ifconfig_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-09 05:27:54.000000000 -0400
-@@ -210,6 +210,11 @@
++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-21 14:41:11.000000000 -0400
+@@ -50,6 +50,7 @@
+ allow udev_t self:unix_stream_socket connectto;
+ allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow udev_t self:rawip_socket create_socket_perms;
++allow udev_t self:netlink_socket create_socket_perms;
+
+ allow udev_t udev_exec_t:file write;
+ can_exec(udev_t, udev_exec_t)
+@@ -140,6 +141,7 @@
+ logging_send_audit_msgs(udev_t)
+
+ miscfiles_read_localization(udev_t)
++miscfiles_read_hwdata(udev_t)
+
+ modutils_domtrans_insmod(udev_t)
+ # read modules.inputmap:
+@@ -210,6 +212,11 @@
')
optional_policy(`
@@ -28380,7 +28597,7 @@
lvm_domtrans(udev_t)
')
-@@ -219,6 +224,7 @@
+@@ -219,6 +226,7 @@
optional_policy(`
hal_dgram_send(udev_t)
@@ -28388,7 +28605,7 @@
')
optional_policy(`
-@@ -242,6 +248,10 @@
+@@ -242,6 +250,10 @@
')
optional_policy(`
@@ -29161,7 +29378,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-18 06:14:35.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-20 08:25:48.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -30146,7 +30363,7 @@
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -986,37 +1050,47 @@
+@@ -986,37 +1050,55 @@
')
')
@@ -30189,6 +30406,10 @@
+ ')
+
+ optional_policy(`
++ gpm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
+ java_role_template($1, $1_r, $1_t)
+ ')
+
@@ -30200,6 +30421,10 @@
+ mount_run($1_t, $1_r)
+ ')
+
++ optional_policy(`
++ postfix_run_postdrop($1_t, $1_r)
++ ')
++
+ # Run pppd in pppd_t by default for user
+ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
@@ -30208,7 +30433,7 @@
')
#######################################
-@@ -1050,7 +1124,7 @@
+@@ -1050,7 +1132,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -30217,7 +30442,7 @@
')
##############################
-@@ -1059,8 +1133,7 @@
+@@ -1059,8 +1141,7 @@
#
# Inherit rules for ordinary users.
@@ -30227,7 +30452,7 @@
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1083,7 +1156,8 @@
+@@ -1083,7 +1164,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -30237,7 +30462,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1099,6 +1173,7 @@
+@@ -1099,6 +1181,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -30245,7 +30470,7 @@
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,8 +1181,6 @@
+@@ -1106,8 +1189,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -30254,7 +30479,7 @@
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1235,6 @@
+@@ -1162,20 +1243,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -30275,7 +30500,7 @@
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1280,7 @@
+@@ -1221,6 +1288,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -30283,7 +30508,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1286,11 +1346,15 @@
+@@ -1286,11 +1354,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -30299,7 +30524,7 @@
')
########################################
-@@ -1387,7 +1451,7 @@
+@@ -1387,7 +1459,7 @@
########################################
## <summary>
@@ -30308,7 +30533,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -1420,6 +1484,14 @@
+@@ -1420,6 +1492,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -30323,7 +30548,7 @@
')
########################################
-@@ -1435,9 +1507,11 @@
+@@ -1435,9 +1515,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -30335,7 +30560,7 @@
')
########################################
-@@ -1494,6 +1568,25 @@
+@@ -1494,6 +1576,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -30361,7 +30586,7 @@
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1568,6 +1661,8 @@
+@@ -1568,6 +1669,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -30370,7 +30595,7 @@
')
########################################
-@@ -1643,6 +1738,7 @@
+@@ -1643,6 +1746,7 @@
type user_home_dir_t, user_home_t;
')
@@ -30378,7 +30603,7 @@
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1741,30 +1837,80 @@
+@@ -1741,30 +1845,80 @@
########################################
## <summary>
@@ -30441,7 +30666,7 @@
+interface(`userdom_dontaudit_delete_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
-+ ')
+ ')
+
+ allow $1 user_home_t:dir delete_file_perms;
+')
@@ -30461,7 +30686,7 @@
+ gen_require(`
+ type user_home_dir_t;
+ attribute user_home_type;
- ')
++ ')
+
+ files_search_home($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
@@ -30469,7 +30694,7 @@
')
########################################
-@@ -1787,6 +1933,46 @@
+@@ -1787,6 +1941,46 @@
########################################
## <summary>
@@ -30516,7 +30741,7 @@
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
-@@ -1799,6 +1985,7 @@
+@@ -1799,6 +1993,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -30524,7 +30749,7 @@
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2328,7 +2515,7 @@
+@@ -2328,7 +2523,7 @@
########################################
## <summary>
@@ -30533,17 +30758,59 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -2814,7 +3001,25 @@
+@@ -2814,12 +3009,12 @@
type user_tmp_t;
')
- allow $1 user_tmp_t:file write_file_perms;
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to use user ttys.
++## Delete all users files in /tmp
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2827,17 +3022,17 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_delete_user_tmp_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ allow $1 user_tmp_t:file delete_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read the process state of all user domains.
++## Do not audit attempts to use user ttys.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2845,12 +3040,31 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_use_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
-+## Delete all users files in /tmp
++## Read the process state of all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -30551,16 +30818,9 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_delete_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file delete_file_perms;
- ')
-
- ########################################
-@@ -2851,6 +3056,7 @@
++interface(`userdom_read_all_users_state',`
+ gen_require(`
+ attribute userdomain;
')
read_files_pattern($1,userdomain,userdomain)
@@ -30568,7 +30828,7 @@
kernel_search_proc($1)
')
-@@ -2981,3 +3187,481 @@
+@@ -2981,3 +3195,481 @@
allow $1 userdomain:dbus send_msg;
')
@@ -31143,7 +31403,7 @@
+# No application file contexts.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.12/policy/modules/system/virtual.if
--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-04-20 07:58:28.000000000 -0400
@@ -0,0 +1,114 @@
+## <summary>Virtual machine emulator and virtualizer</summary>
+
@@ -31453,7 +31713,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-04-20 07:59:14.000000000 -0400
@@ -6,6 +6,13 @@
# Declarations
#
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.827
retrieving revision 1.828
diff -u -r1.827 -r1.828
--- selinux-policy.spec 18 Apr 2009 12:13:36 -0000 1.827
+++ selinux-policy.spec 21 Apr 2009 20:31:51 -0000 1.828
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 8%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,17 @@
%endif
%changelog
+* Tue Apr 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-11
+- Allow nsplugin unix_read and write on users shm and sem
+- Allow sysadm_t to execute su
+
+* Tue Apr 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-10
+- Dontaudit attempts to getattr user_tmpfs_t by lvm
+- Allow nfs to share removable media
+
+* Mon Apr 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-9
+- Add ability to run postdrop from confined users
+
* Sat Apr 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-8
- Fixes for podsleuth
- Previous message (by thread): rpms/kernel/F-11 kernel.spec,1.1566,1.1567
- Next message (by thread): rpms/fedora-release-notes/F-11 .cvsignore, 1.18, 1.19 fedora-release-notes.spec, 1.35, 1.36 import.log, 1.2, 1.3 sources, 1.28, 1.29
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list