rpms/selinux-policy/devel booleans-targeted.conf, 1.50, 1.51 modules-minimum.conf, 1.26, 1.27 modules-targeted.conf, 1.135, 1.136 policy-F12.patch, 1.49, 1.50

Daniel J Walsh dwalsh at fedoraproject.org
Wed Aug 12 20:09:22 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11149

Modified Files:
	booleans-targeted.conf modules-minimum.conf 
	modules-targeted.conf policy-F12.patch 
Log Message:
* Mon Aug 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.26-9
- Add kdump policy for Miroslav Grepl
- Turn off execstack boolean



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -p -r1.50 -r1.51
--- booleans-targeted.conf	10 Aug 2009 18:22:10 -0000	1.50
+++ booleans-targeted.conf	12 Aug 2009 20:09:21 -0000	1.51
@@ -8,7 +8,7 @@ allow_execmod = false
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = false
+allow_execstack = true
 
 # Allow ftpd to read cifs directories.
 # 
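Review bot: The hunk changes `allow_execstack = false` to `allow_execstack = true`, which turns the boolean on, while the log message for this commit says "Turn off execstack boolean"; one of the two is wrong. Per the comment two lines above, an enabled boolean lets domains make their stack executable via mprotect (together with allow_execmem), so the shipped default for the targeted policy becomes more permissive, not stricter. If enabling it is the intent (compatibility with some workload, presumably), the log message should say so and a short reason would belong in the comment above the setting; otherwise the line should remain `allow_execstack = false`.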


Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -p -r1.26 -r1.27
--- modules-minimum.conf	10 Aug 2009 18:22:10 -0000	1.26
+++ modules-minimum.conf	12 Aug 2009 20:09:21 -0000	1.27
@@ -557,12 +557,27 @@ gnomeclock = module
 hal = module
 
 # Layer: services
+# Module: hddtemp
+#
+# hddtemp hard disk temperature tool running as a daemon
+# 
+hddtemp = module
+
+# Layer: services
 # Module: policykit
 #
 # Hardware abstraction layer
 # 
 policykit = module
 
+
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+# 
+ptchown = module
+
 # Layer: services
 # Module: psad
 #
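Review bot: The description added above `ptchown = module` has a typo, "ownship" for "ownership"; suggest `# helper function for grantpt(3), changes ownership and permissions of pseudotty`. The identical text is added to modules-targeted.conf in the next hunk and to the `<summary>` of ptchown.if later in this commit, so all three copies need the same fix. As a style nit, the added blank line after `policykit = module` leaves two consecutive blank lines before the `# Layer: apps` block, where every other module entry in the context is separated by one.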


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.135
retrieving revision 1.136
diff -u -p -r1.135 -r1.136
--- modules-targeted.conf	10 Aug 2009 18:22:10 -0000	1.135
+++ modules-targeted.conf	12 Aug 2009 20:09:21 -0000	1.136
@@ -557,12 +557,27 @@ gnomeclock = module
 hal = module
 
 # Layer: services
+# Module: hddtemp
+#
+# hddtemp hard disk temperature tool running as a daemon
+# 
+hddtemp = module
+
+# Layer: services
 # Module: policykit
 #
 # Hardware abstraction layer
 # 
 policykit = module
 
+
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+# 
+ptchown = module
+
 # Layer: services
 # Module: psad
 #

policy-F12.patch:
 Makefile                                           |    2 
 Rules.modular                                      |    8 
 config/appconfig-mcs/default_contexts              |   19 
 config/appconfig-mcs/failsafe_context              |    2 
 config/appconfig-mcs/root_default_contexts         |    8 
 config/appconfig-mcs/securetty_types               |    5 
 config/appconfig-mcs/seusers                       |    4 
 config/appconfig-mcs/staff_u_default_contexts      |    4 
 config/appconfig-mcs/unconfined_u_default_contexts |    4 
 config/appconfig-mcs/user_u_default_contexts       |    5 
 config/appconfig-mcs/userhelper_context            |    2 
 config/appconfig-mcs/virtual_domain_context        |    1 
 config/appconfig-mcs/virtual_image_context         |    2 
 config/appconfig-mls/default_contexts              |   19 
 config/appconfig-mls/root_default_contexts         |   12 
 config/appconfig-mls/virtual_domain_context        |    1 
 config/appconfig-mls/virtual_image_context         |    2 
 config/appconfig-standard/securetty_types          |    5 
 policy/global_tunables                             |   24 
 policy/mcs                                         |   10 
 policy/modules/admin/anaconda.te                   |    1 
 policy/modules/admin/certwatch.te                  |    1 
 policy/modules/admin/dmesg.fc                      |    2 
 policy/modules/admin/dmesg.te                      |    7 
 policy/modules/admin/kismet.if                     |    1 
 policy/modules/admin/kismet.te                     |   17 
 policy/modules/admin/logrotate.te                  |   13 
 policy/modules/admin/logwatch.te                   |    1 
 policy/modules/admin/mrtg.te                       |    7 
 policy/modules/admin/prelink.if                    |   19 
 policy/modules/admin/readahead.te                  |    3 
 policy/modules/admin/rpm.fc                        |   15 
 policy/modules/admin/rpm.if                        |  176 ++
 policy/modules/admin/rpm.te                        |   65 -
 policy/modules/admin/sudo.if                       |   13 
 policy/modules/admin/tmpreaper.te                  |    4 
 policy/modules/admin/usermanage.te                 |    9 
 policy/modules/admin/vbetool.te                    |    8 
 policy/modules/apps/awstats.te                     |    2 
 policy/modules/apps/calamaris.te                   |    4 
 policy/modules/apps/cpufreqselector.te             |    4 
 policy/modules/apps/gitosis.fc                     |    4 
 policy/modules/apps/gitosis.if                     |   96 +
 policy/modules/apps/gitosis.te                     |   36 
 policy/modules/apps/gnome.fc                       |   12 
 policy/modules/apps/gnome.if                       |  170 ++
 policy/modules/apps/gnome.te                       |   92 +
 policy/modules/apps/gpg.te                         |   15 
 policy/modules/apps/java.fc                        |   17 
 policy/modules/apps/java.if                        |  129 ++
 policy/modules/apps/java.te                        |   17 
 policy/modules/apps/kdumpgui.fc                    |    2 
 policy/modules/apps/kdumpgui.if                    |    2 
 policy/modules/apps/kdumpgui.te                    |   64 +
 policy/modules/apps/livecd.fc                      |    2 
 policy/modules/apps/livecd.if                      |   50 
 policy/modules/apps/livecd.te                      |   26 
 policy/modules/apps/mono.if                        |  101 +
 policy/modules/apps/mono.te                        |    9 
 policy/modules/apps/mozilla.if                     |   13 
 policy/modules/apps/mozilla.te                     |   21 
 policy/modules/apps/nsplugin.fc                    |   12 
 policy/modules/apps/nsplugin.if                    |  313 +++++
 policy/modules/apps/nsplugin.te                    |  286 ++++
 policy/modules/apps/openoffice.fc                  |    3 
 policy/modules/apps/openoffice.if                  |   93 +
 policy/modules/apps/openoffice.te                  |   14 
 policy/modules/apps/ptchown.fc                     |    2 
 policy/modules/apps/ptchown.if                     |   22 
 policy/modules/apps/ptchown.te                     |   35 
 policy/modules/apps/pulseaudio.te                  |    4 
 policy/modules/apps/qemu.fc                        |    4 
 policy/modules/apps/qemu.if                        |  270 +++-
 policy/modules/apps/qemu.te                        |   82 +
 policy/modules/apps/sambagui.fc                    |    1 
 policy/modules/apps/sambagui.if                    |    2 
 policy/modules/apps/sambagui.te                    |   57 
 policy/modules/apps/sandbox.fc                     |    1 
 policy/modules/apps/sandbox.if                     |  145 ++
 policy/modules/apps/sandbox.te                     |  274 ++++
 policy/modules/apps/screen.if                      |   24 
 policy/modules/apps/vmware.fc                      |    1 
 policy/modules/apps/vmware.te                      |    1 
 policy/modules/apps/webalizer.te                   |    1 
 policy/modules/apps/wine.fc                        |   23 
 policy/modules/apps/wine.if                        |   60 
 policy/modules/apps/wine.te                        |   23 
 policy/modules/kernel/corecommands.fc              |   22 
 policy/modules/kernel/corecommands.if              |    1 
 policy/modules/kernel/corenetwork.te.in            |   29 
 policy/modules/kernel/devices.fc                   |    3 
 policy/modules/kernel/devices.if                   |  164 ++
 policy/modules/kernel/devices.te                   |   19 
 policy/modules/kernel/domain.if                    |  132 +-
 policy/modules/kernel/domain.te                    |   85 +
 policy/modules/kernel/files.fc                     |    3 
 policy/modules/kernel/files.if                     |  279 ++++
 policy/modules/kernel/files.te                     |    6 
 policy/modules/kernel/filesystem.fc                |    2 
 policy/modules/kernel/filesystem.if                |   38 
 policy/modules/kernel/filesystem.te                |    2 
 policy/modules/kernel/kernel.if                    |   39 
 policy/modules/kernel/kernel.te                    |   31 
 policy/modules/kernel/selinux.if                   |   25 
 policy/modules/kernel/terminal.fc                  |    1 
 policy/modules/kernel/terminal.if                  |   40 
 policy/modules/kernel/terminal.te                  |    1 
 policy/modules/roles/guest.te                      |    8 
 policy/modules/roles/staff.te                      |  123 -
 policy/modules/roles/sysadm.te                     |  124 -
 policy/modules/roles/unconfineduser.fc             |   37 
 policy/modules/roles/unconfineduser.if             |  638 ++++++++++
 policy/modules/roles/unconfineduser.te             |  395 ++++++
 policy/modules/roles/unprivuser.te                 |  131 --
 policy/modules/roles/webadm.te                     |    2 
 policy/modules/roles/xguest.te                     |   18 
 policy/modules/services/amavis.te                  |    2 
 policy/modules/services/apache.fc                  |   35 
 policy/modules/services/apache.if                  |  327 +++--
 policy/modules/services/apache.te                  |  409 +++++-
 policy/modules/services/apm.te                     |    2 
 policy/modules/services/automount.te               |    1 
 policy/modules/services/bind.if                    |   19 
 policy/modules/services/bluetooth.te               |    6 
 policy/modules/services/certmaster.te              |    2 
 policy/modules/services/clamav.te                  |   12 
 policy/modules/services/consolekit.if              |   20 
 policy/modules/services/consolekit.te              |   18 
 policy/modules/services/courier.if                 |   18 
 policy/modules/services/courier.te                 |    1 
 policy/modules/services/cron.fc                    |   13 
 policy/modules/services/cron.if                    |  202 ++-
 policy/modules/services/cron.te                    |  132 +-
 policy/modules/services/cups.fc                    |   11 
 policy/modules/services/cups.te                    |   23 
 policy/modules/services/cvs.te                     |    1 
 policy/modules/services/dbus.if                    |   26 
 policy/modules/services/dbus.te                    |   25 
 policy/modules/services/dcc.te                     |    8 
 policy/modules/services/ddclient.if                |   25 
 policy/modules/services/devicekit.fc               |    2 
 policy/modules/services/devicekit.if               |   22 
 policy/modules/services/devicekit.te               |   55 
 policy/modules/services/dnsmasq.te                 |    8 
 policy/modules/services/dovecot.te                 |    7 
 policy/modules/services/exim.te                    |    4 
 policy/modules/services/fetchmail.te               |    2 
 policy/modules/services/fprintd.te                 |    2 
 policy/modules/services/ftp.te                     |   50 
 policy/modules/services/gnomeclock.fc              |    3 
 policy/modules/services/gnomeclock.if              |   69 +
 policy/modules/services/gnomeclock.te              |   50 
 policy/modules/services/gpsd.fc                    |    5 
 policy/modules/services/gpsd.if                    |   27 
 policy/modules/services/gpsd.te                    |   12 
 policy/modules/services/hal.fc                     |    1 
 policy/modules/services/hal.if                     |   18 
 policy/modules/services/hal.te                     |   45 
 policy/modules/services/hddtemp.fc                 |    4 
 policy/modules/services/hddtemp.if                 |   38 
 policy/modules/services/hddtemp.te                 |   40 
 policy/modules/services/kerberos.te                |   13 
 policy/modules/services/ktalk.te                   |    1 
 policy/modules/services/lircd.te                   |   11 
 policy/modules/services/mailman.te                 |    4 
 policy/modules/services/memcached.te               |    2 
 policy/modules/services/modemmanager.fc            |    2 
 policy/modules/services/modemmanager.if            |   43 
 policy/modules/services/modemmanager.te            |   46 
 policy/modules/services/mta.fc                     |    2 
 policy/modules/services/mta.if                     |    5 
 policy/modules/services/mta.te                     |   52 
 policy/modules/services/munin.fc                   |    3 
 policy/modules/services/munin.te                   |    3 
 policy/modules/services/mysql.te                   |    7 
 policy/modules/services/nagios.fc                  |   11 
 policy/modules/services/nagios.if                  |   70 -
 policy/modules/services/nagios.te                  |   55 
 policy/modules/services/networkmanager.fc          |   13 
 policy/modules/services/networkmanager.if          |   45 
 policy/modules/services/networkmanager.te          |  114 +
 policy/modules/services/nis.fc                     |    5 
 policy/modules/services/nis.if                     |   87 +
 policy/modules/services/nis.te                     |   13 
 policy/modules/services/nscd.if                    |   18 
 policy/modules/services/nscd.te                    |   11 
 policy/modules/services/nslcd.fc                   |    4 
 policy/modules/services/nslcd.if                   |  142 ++
 policy/modules/services/nslcd.te                   |   50 
 policy/modules/services/ntp.if                     |   46 
 policy/modules/services/ntp.te                     |    7 
 policy/modules/services/nx.te                      |    6 
 policy/modules/services/oddjob.if                  |    1 
 policy/modules/services/openvpn.te                 |    1 
 policy/modules/services/pcscd.te                   |    3 
 policy/modules/services/pegasus.te                 |   28 
 policy/modules/services/policykit.fc               |    4 
 policy/modules/services/policykit.if               |   48 
 policy/modules/services/policykit.te               |   49 
 policy/modules/services/postfix.fc                 |    2 
 policy/modules/services/postfix.if                 |  150 ++
 policy/modules/services/postfix.te                 |  136 +-
 policy/modules/services/postgresql.fc              |    1 
 policy/modules/services/postgresql.if              |   43 
 policy/modules/services/postgresql.te              |    7 
 policy/modules/services/ppp.if                     |    6 
 policy/modules/services/ppp.te                     |   14 
 policy/modules/services/privoxy.te                 |    3 
 policy/modules/services/procmail.te                |   12 
 policy/modules/services/pyzor.fc                   |    4 
 policy/modules/services/pyzor.if                   |   47 
 policy/modules/services/pyzor.te                   |   37 
 policy/modules/services/razor.fc                   |    1 
 policy/modules/services/razor.if                   |   42 
 policy/modules/services/razor.te                   |   32 
 policy/modules/services/ricci.te                   |    5 
 policy/modules/services/rpc.if                     |    6 
 policy/modules/services/rpc.te                     |   10 
 policy/modules/services/rpcbind.if                 |   20 
 policy/modules/services/rsync.te                   |   23 
 policy/modules/services/rtkit_daemon.fc            |    2 
 policy/modules/services/rtkit_daemon.if            |   64 +
 policy/modules/services/rtkit_daemon.te            |   38 
 policy/modules/services/samba.fc                   |    4 
 policy/modules/services/samba.if                   |  104 +
 policy/modules/services/samba.te                   |   80 +
 policy/modules/services/sasl.te                    |   15 
 policy/modules/services/sendmail.if                |  137 ++
 policy/modules/services/sendmail.te                |   87 +
 policy/modules/services/setroubleshoot.fc          |    2 
 policy/modules/services/setroubleshoot.if          |   63 -
 policy/modules/services/setroubleshoot.te          |   60 
 policy/modules/services/shorewall.fc               |   12 
 policy/modules/services/shorewall.if               |  166 ++
 policy/modules/services/shorewall.te               |   97 +
 policy/modules/services/smartmon.te                |   12 
 policy/modules/services/spamassassin.fc            |   14 
 policy/modules/services/spamassassin.if            |   68 +
 policy/modules/services/spamassassin.te            |  129 +-
 policy/modules/services/squid.te                   |    7 
 policy/modules/services/ssh.fc                     |    2 
 policy/modules/services/ssh.if                     |  163 ++
 policy/modules/services/ssh.te                     |   66 -
 policy/modules/services/sssd.fc                    |    2 
 policy/modules/services/sssd.if                    |   43 
 policy/modules/services/sysstat.te                 |    2 
 policy/modules/services/uucp.te                    |    3 
 policy/modules/services/virt.fc                    |   11 
 policy/modules/services/virt.if                    |  128 +-
 policy/modules/services/virt.te                    |  272 ++++
 policy/modules/services/w3c.te                     |    7 
 policy/modules/services/xserver.fc                 |   28 
 policy/modules/services/xserver.if                 |  538 ++++++++
 policy/modules/services/xserver.te                 |  308 ++++
 policy/modules/system/application.if               |   20 
 policy/modules/system/application.te               |   11 
 policy/modules/system/authlogin.fc                 |    9 
 policy/modules/system/authlogin.if                 |  204 ++-
 policy/modules/system/authlogin.te                 |    9 
 policy/modules/system/fstools.fc                   |    2 
 policy/modules/system/fstools.te                   |    9 
 policy/modules/system/hostname.te                  |    4 
 policy/modules/system/init.fc                      |    6 
 policy/modules/system/init.if                      |  156 ++
 policy/modules/system/init.te                      |  175 ++
 policy/modules/system/ipsec.fc                     |    2 
 policy/modules/system/ipsec.if                     |   25 
 policy/modules/system/ipsec.te                     |   28 
 policy/modules/system/iptables.fc                  |   11 
 policy/modules/system/iptables.te                  |    5 
 policy/modules/system/iscsi.if                     |   40 
 policy/modules/system/iscsi.te                     |    6 
 policy/modules/system/kdump.fc                     |    8 
 policy/modules/system/kdump.if                     |  111 +
 policy/modules/system/kdump.te                     |   38 
 policy/modules/system/libraries.fc                 |  152 +-
 policy/modules/system/libraries.if                 |    4 
 policy/modules/system/libraries.te                 |   16 
 policy/modules/system/locallogin.te                |   28 
 policy/modules/system/logging.fc                   |   11 
 policy/modules/system/logging.if                   |    4 
 policy/modules/system/logging.te                   |   32 
 policy/modules/system/lvm.te                       |   17 
 policy/modules/system/miscfiles.if                 |   19 
 policy/modules/system/modutils.te                  |   35 
 policy/modules/system/mount.fc                     |    7 
 policy/modules/system/mount.te                     |   77 +
 policy/modules/system/selinuxutil.fc               |   16 
 policy/modules/system/selinuxutil.if               |  288 ++++
 policy/modules/system/selinuxutil.te               |  227 +--
 policy/modules/system/setrans.if                   |   20 
 policy/modules/system/sysnetwork.fc                |    9 
 policy/modules/system/sysnetwork.if                |  116 +
 policy/modules/system/sysnetwork.te                |   72 -
 policy/modules/system/udev.fc                      |    3 
 policy/modules/system/udev.te                      |   42 
 policy/modules/system/unconfined.fc                |   15 
 policy/modules/system/unconfined.if                |  439 -------
 policy/modules/system/unconfined.te                |  226 ---
 policy/modules/system/userdomain.fc                |    5 
 policy/modules/system/userdomain.if                | 1303 +++++++++++++++------
 policy/modules/system/userdomain.te                |   50 
 policy/modules/system/xen.fc                       |    6 
 policy/modules/system/xen.if                       |   28 
 policy/modules/system/xen.te                       |  127 +-
 policy/support/obj_perm_sets.spt                   |   14 
 policy/users                                       |   13 
 support/Makefile.devel                             |    3 
 308 files changed, 13400 insertions(+), 2605 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -p -r1.49 -r1.50
--- policy-F12.patch	10 Aug 2009 18:22:10 -0000	1.49
+++ policy-F12.patch	12 Aug 2009 20:09:21 -0000	1.50
@@ -460,7 +460,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.26/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/admin/mrtg.te	2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/admin/mrtg.te	2009-08-11 14:24:37.000000000 -0400
 @@ -116,6 +116,9 @@
  userdom_use_user_terminals(mrtg_t)
  userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -471,6 +471,17 @@ diff -b -B --ignore-all-space --exclude-
  
  ifdef(`enable_mls',`
  	corenet_udp_sendrecv_lo_if(mrtg_t)
+@@ -139,6 +142,10 @@
+ ')
+ 
+ optional_policy(`
++	hddtemp_domtrans(mrtg_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(mrtg_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.26/policy/modules/admin/prelink.if
 --- nsaserefpolicy/policy/modules/admin/prelink.if	2009-07-23 14:11:04.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/admin/prelink.if	2009-07-30 15:33:08.000000000 -0400
@@ -783,7 +794,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.26/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/admin/rpm.te	2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/admin/rpm.te	2009-08-12 15:12:20.000000000 -0400
 @@ -31,11 +31,15 @@
  files_type(rpm_var_lib_t)
  typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -986,7 +997,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -326,13 +370,18 @@
+@@ -326,13 +370,22 @@
  ')
  
  optional_policy(`
@@ -1000,6 +1011,10 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
 -	unconfined_domain(rpm_script_t)
++	udev_domtrans(rpm_script_t)
++')
++
++optional_policy(`
 +	unconfined_domain_noaudit(rpm_script_t)
  	unconfined_domtrans(rpm_script_t)
 +	unconfined_execmem_domtrans(rpm_script_t)
@@ -3088,6 +3103,77 @@ diff -b -B --ignore-all-space --exclude-
 +
 +
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.26/policy/modules/apps/ptchown.fc
+--- nsaserefpolicy/policy/modules/apps/ptchown.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/apps/ptchown.fc	2009-08-12 14:48:50.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/libexec/pt_chown	--	gen_context(system_u:object_r:ptchown_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.26/policy/modules/apps/ptchown.if
+--- nsaserefpolicy/policy/modules/apps/ptchown.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/apps/ptchown.if	2009-08-12 14:51:46.000000000 -0400
+@@ -0,0 +1,22 @@
++
++## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run ptchown.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ptchown_domtrans',`
++	gen_require(`
++		type ptchown_t;
++                type ptchown_exec_t;
++	')
++
++	domtrans_pattern($1,ptchown_exec_t,ptchown_t)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.26/policy/modules/apps/ptchown.te
+--- nsaserefpolicy/policy/modules/apps/ptchown.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/apps/ptchown.te	2009-08-12 14:55:11.000000000 -0400
+@@ -0,0 +1,35 @@
++policy_module(ptchown,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ptchown_t;
++type ptchown_exec_t;
++application_domain(ptchown_t, ptchown_exec_t)
++role system_r types ptchown_t;
++
++permissive ptchown_t;
++
++########################################
++#
++# ptchown local policy
++#
++
++allow ptchown_t self:capability { chown setuid };
++allow ptchown_t self:process { getcap setcap };
++
++# Init script handling
++domain_use_interactive_fds(ptchown_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow ptchown_t self:fifo_file rw_file_perms;
++allow ptchown_t self:unix_stream_socket create_stream_socket_perms;
++
++files_read_etc_files(ptchown_t)
++
++term_setattr_generic_ptys(ptchown_t)
++term_setattr_all_user_ptys(ptchown_t)
++
++miscfiles_read_localization(ptchown_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.26/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2009-07-23 14:11:04.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/apps/pulseaudio.te	2009-08-04 05:32:34.000000000 -0400
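Review bot: `permissive ptchown_t;` in the new ptchown.te means denials for this domain are logged but not enforced, so the grants that follow it, such as `allow ptchown_t self:capability { chown setuid };`, describe intent rather than an enforced bound for as long as the line is present; a comment marking it as temporary, e.g. `# TODO: drop permissive once ptchown_t has been verified in enforcing mode`, would keep it from being shipped indefinitely. The `<summary>` in ptchown.if repeats the "ownship" typo from the module lists and should read "ownership", and its `gen_require` block indents `type ptchown_exec_t;` with spaces while the surrounding lines use a tab. `# Init script handling` above `domain_use_interactive_fds(ptchown_t)` looks like leftover template text, since pt_chown is the grantpt(3) helper rather than an init script; the comment should say why the interactive fds are needed here or be dropped. `role system_r types ptchown_t;` is the only role authorised for the domain, and since grantpt(3) is normally called from user sessions, callers of `ptchown_domtrans` in user roles may also need the type added to their role — worth confirming against the domains that will call it.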
@@ -4266,8 +4352,16 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.26/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-07-30 13:09:10.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/corecommands.fc	2009-07-30 15:33:08.000000000 -0400
-@@ -142,6 +142,9 @@
++++ serefpolicy-3.6.26/policy/modules/kernel/corecommands.fc	2009-08-11 14:58:11.000000000 -0400
+@@ -125,6 +125,7 @@
+ /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
+ /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
+ /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
++/sbin/nologin			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ 
+ #
+ # /opt
+@@ -142,6 +143,9 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
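Review bot: The added `/sbin/nologin` entry labels the binary `shell_exec_t` instead of the `bin_t` that the preceding `/sbin/.*` entry would give it, which places nologin under every rule written for shell_exec_t, and nothing in the hunk records why. A comment on the added line would preserve the intent, e.g. `# labelled as a shell so that it can serve as a login shell for disabled accounts` — that reading is my inference from the label, so adjust it if the reason is different. The rest of corecommands.fc in this hunk is context only.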
@@ -4277,7 +4371,7 @@ diff -b -B --ignore-all-space --exclude-
  #
  # /usr
  #
-@@ -315,3 +318,21 @@
+@@ -315,3 +319,21 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4312,7 +4406,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.26/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/corenetwork.te.in	2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/corenetwork.te.in	2009-08-11 14:24:37.000000000 -0400
 @@ -65,6 +65,7 @@
  type server_packet_t, packet_type, server_packet_type;
  
@@ -4321,7 +4415,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
  network_port(afs_ka, udp,7004,s0)
  network_port(afs_pt, udp,7002,s0)
-@@ -87,17 +88,21 @@
+@@ -87,25 +88,31 @@
  network_port(comsat, udp,512,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
@@ -4344,7 +4438,9 @@ diff -b -B --ignore-all-space --exclude-
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
  network_port(giftd, tcp,1213,s0)
  network_port(gopher, tcp,70,s0, udp,70,s0)
-@@ -106,6 +111,7 @@
+ network_port(gpsd, tcp,2947,s0)
++network_port(hddtemp, tcp,7634,s0)
+ network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
  network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
@@ -4352,7 +4448,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -128,7 +134,7 @@
+@@ -128,7 +135,7 @@
  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
  network_port(lmtp, tcp,24,s0, udp,24,s0)
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -4361,7 +4457,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
-@@ -146,6 +152,12 @@
+@@ -146,6 +153,12 @@
  network_port(pegasus_https, tcp,5989,s0)
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
@@ -4374,7 +4470,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
-@@ -172,27 +184,31 @@
+@@ -172,27 +185,31 @@
  network_port(sap, tcp,9875,s0, udp,9875,s0)
  network_port(smbd, tcp,137-139,s0, tcp,445,s0)
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -4409,7 +4505,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -221,6 +237,8 @@
+@@ -221,6 +238,8 @@
  type node_t, node_type;
  sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
  
@@ -4442,7 +4538,7 @@ diff -b -B --ignore-all-space --exclude-
  /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if	2009-08-10 10:05:44.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/devices.if	2009-08-11 18:56:44.000000000 -0400
 @@ -1655,6 +1655,78 @@
  
  ########################################
@@ -4584,11 +4680,11 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Read the lvm comtrol device.
-@@ -2232,6 +2359,24 @@
+@@ -2268,6 +2395,25 @@
  
  ########################################
  ## <summary>
-+##	Read and write the the wireless device.
++##	Delete the null device (/dev/null).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -4596,24 +4692,25 @@ diff -b -B --ignore-all-space --exclude-
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_wireless',`
++interface(`dev_delete_null',`
 +	gen_require(`
-+		type device_t, wireless_device_t;
++		type device_t, null_device_t;
 +	')
 +
-+	rw_chr_files_pattern($1, device_t, wireless_device_t)
++	allow $1 device_t:dir del_entry_dir_perms;
++	allow $1 null_device_t:chr_file unlink;
 +')
 +
 +########################################
 +## <summary>
- ##	Get the attributes of the null device nodes.
+ ##	Read and write to the null device (/dev/null).
  ## </summary>
  ## <param name="domain">
-@@ -2268,6 +2413,25 @@
+@@ -3562,6 +3708,24 @@
  
  ########################################
  ## <summary>
-+##	Delete the null device (/dev/null).
++##	Read and write the the wireless device.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -4621,18 +4718,17 @@ diff -b -B --ignore-all-space --exclude-
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_delete_null',`
++interface(`dev_rw_wireless',`
 +	gen_require(`
-+		type device_t, null_device_t;
++		type device_t, wireless_device_t;
 +	')
 +
-+	allow $1 device_t:dir del_entry_dir_perms;
-+	allow $1 null_device_t:chr_file unlink;
++	rw_chr_files_pattern($1, device_t, wireless_device_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Read and write to the null device (/dev/null).
+ ##	Read and write Xen devices.
  ## </summary>
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.26/policy/modules/kernel/devices.te
@@ -5399,7 +5495,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.26/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/files.te	2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/files.te	2009-08-12 14:53:21.000000000 -0400
 @@ -42,6 +42,7 @@
  #
  type boot_t;
@@ -5419,6 +5515,14 @@ diff -b -B --ignore-all-space --exclude-
  files_type(etc_t)
  # compatibility aliases for removed types:
  typealias etc_t alias automount_etc_t;
+@@ -193,6 +196,7 @@
+ fs_associate_noxattr(file_type)
+ fs_associate_tmpfs(file_type)
+ fs_associate_ramfs(file_type)
++fs_associate_hugetlbfs(file_type)
+ 
+ ########################################
+ #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.26/policy/modules/kernel/filesystem.fc
 --- nsaserefpolicy/policy/modules/kernel/filesystem.fc	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.fc	2009-07-30 15:33:08.000000000 -0400
@@ -5427,8 +5531,33 @@ diff -b -B --ignore-all-space --exclude-
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.26/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.if	2009-07-30 15:33:08.000000000 -0400
-@@ -3971,3 +3971,23 @@
++++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.if	2009-08-11 16:06:07.000000000 -0400
+@@ -1537,6 +1537,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow the type to associate to hugetlbfs filesystems.
++## </summary>
++## <param name="type">
++##	<summary>
++##	The type of the object to be associated.
++##	</summary>
++## </param>
++#
++interface(`fs_associate_hugetlbfs',`
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
++	allow $1 hugetlbfs_t:filesystem associate;
++')
++
++########################################
++## <summary>
+ ##	Search inotifyfs filesystem. 
+ ## </summary>
+ ## <param name="domain">
+@@ -3971,3 +3989,23 @@
  	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
  	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
  ')
@@ -5452,6 +5581,18 @@ diff -b -B --ignore-all-space --exclude-
 +	dontaudit $1 cifs_t:dir list_dir_perms;
 +')
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.26/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.te	2009-08-12 11:10:36.000000000 -0400
+@@ -93,7 +93,7 @@
+ type hugetlbfs_t;
+ fs_type(hugetlbfs_t)
+ files_mountpoint(hugetlbfs_t)
+-genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
++fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
+ 
+ type ibmasmfs_t;
+ fs_type(ibmasmfs_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.26/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/kernel/kernel.if	2009-08-10 11:43:18.000000000 -0400
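Review bot: Switching hugetlbfs from `genfscon` to `fs_use_trans` changes the label of every object on the filesystem, not just the mount: objects are no longer uniformly `hugetlbfs_t` but take the creating process's label (or its type_transition target), which is exactly what the `fs_associate_hugetlbfs(file_type)` grant in the files.te hunk of this patch enables. That is the right shape if the goal is per-guest labelling of hugepage-backed memory (presumably for sVirt, given the virt hunks), but any domain that reached those objects through `hugetlbfs_t`-based interfaces will lose access once files are created with other types, so the policy should be grepped for `hugetlbfs_t` users before this lands. A one-line comment above the rule would spare the next reader that analysis, e.g. `# fs_use_trans: hugepage files are labelled by their creator so guest memory is per-domain, not shared hugetlbfs_t`.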
@@ -5671,7 +5812,7 @@ diff -b -B --ignore-all-space --exclude-
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.26/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/terminal.if	2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/terminal.if	2009-08-12 14:54:39.000000000 -0400
 @@ -173,7 +173,7 @@
  
  	dev_list_all_dev_nodes($1)
@@ -5743,6 +5884,17 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Read and write the controlling
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.26/policy/modules/kernel/terminal.te
+--- nsaserefpolicy/policy/modules/kernel/terminal.te	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/terminal.te	2009-08-11 14:33:58.000000000 -0400
+@@ -44,6 +44,7 @@
+ type ptmx_t;
+ dev_node(ptmx_t)
+ mls_trusted_object(ptmx_t)
++allow ptmx_t devpts_t:filesystem associate;
+ 
+ #
+ # tty_device_t is the type of /dev/*tty*
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.26/policy/modules/roles/guest.te
 --- nsaserefpolicy/policy/modules/roles/guest.te	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/roles/guest.te	2009-07-30 15:33:08.000000000 -0400
@@ -8947,7 +9099,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.26/policy/modules/services/bind.if
 --- nsaserefpolicy/policy/modules/services/bind.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/bind.if	2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/bind.if	2009-08-12 15:14:43.000000000 -0400
 @@ -287,6 +287,25 @@
  
  ########################################
@@ -9997,7 +10149,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.26/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/dbus.if	2009-08-06 08:01:02.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/dbus.if	2009-08-12 16:08:16.000000000 -0400
 @@ -42,8 +42,10 @@
  	gen_require(`
  		class dbus { send_msg acquire_svc };
@@ -10027,16 +10179,17 @@ diff -b -B --ignore-all-space --exclude-
  	allow $1_dbusd_t $3:process sigkill;
  	allow $3 $1_dbusd_t:fd use;
  	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -146,6 +148,8 @@
+@@ -146,6 +148,9 @@
  	seutil_read_config($1_dbusd_t)
  	seutil_read_default_contexts($1_dbusd_t)
  
 +	term_use_all_terms($1_dbusd_t)
 +
++	userdom_dontaudit_search_admin_dir($1_dbusd_t)
  	userdom_read_user_home_content_files($1_dbusd_t)
  
  	ifdef(`hide_broken_symptoms', `
-@@ -153,12 +157,15 @@
+@@ -153,12 +158,15 @@
  	')
  
  	optional_policy(`
@@ -10054,7 +10207,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -178,10 +185,12 @@
+@@ -178,10 +186,12 @@
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -10068,7 +10221,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -190,6 +199,10 @@
+@@ -190,6 +200,10 @@
  	files_search_pids($1)
  	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
  	dbus_read_config($1)
@@ -10079,7 +10232,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -256,7 +269,7 @@
+@@ -256,7 +270,7 @@
  
  ########################################
  ## <summary>
@@ -10257,7 +10410,7 @@ diff -b -B --ignore-all-space --exclude-
  	allow $1 devicekit_t:process { ptrace signal_perms getattr };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.26/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/devicekit.te	2009-08-10 11:51:36.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/devicekit.te	2009-08-11 13:59:10.000000000 -0400
 @@ -36,12 +36,15 @@
  manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
  manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -10302,9 +10455,9 @@ diff -b -B --ignore-all-space --exclude-
  dev_read_urand(devicekit_disk_t)
  dev_getattr_usbfs_dirs(devicekit_disk_t)
 +dev_manage_generic_files(devicekit_disk_t)
- 
-+domain_read_all_domains_state(devicekit_disk_t)
 +
++domain_read_all_domains_state(devicekit_disk_t)
+ 
 +files_getattr_all_mountpoints(devicekit_disk_t)
 +files_getattr_all_files(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
@@ -10383,7 +10536,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
-@@ -167,6 +201,8 @@
+@@ -167,12 +201,16 @@
  files_read_etc_files(devicekit_power_t)
  files_read_usr_files(devicekit_power_t)
  
@@ -10392,7 +10545,15 @@ diff -b -B --ignore-all-space --exclude-
  term_use_all_terms(devicekit_power_t)
  
  auth_use_nsswitch(devicekit_power_t)
-@@ -180,8 +216,11 @@
+ 
+ miscfiles_read_localization(devicekit_power_t)
+ 
++sysnet_read_dhcp_config(devicekit_power_t)
++
+ userdom_read_all_users_state(devicekit_power_t)
+ 
+ optional_policy(`
+@@ -180,8 +218,11 @@
  ')
  
  optional_policy(`
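Review bot: `sysnet_read_dhcp_config(devicekit_power_t)` is added without any indication of what in the power daemon reads DHCP configuration files, and nothing in the rules visible in this hunk suggests a need for it; a grant of this shape usually originates from an AVC denial pasted into policy rather than a documented requirement. Either put a why-comment above it naming the actual trigger (e.g. `# <component> reads DHCP client config when <event>`), or, if the access is incidental, prefer a dontaudit so the daemon's reach is not widened. The devicekit_power section continues outside the hunk.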
@@ -10405,7 +10566,7 @@ diff -b -B --ignore-all-space --exclude-
  	allow devicekit_power_t devicekit_t:dbus send_msg;
  
  	optional_policy(`
-@@ -203,17 +242,23 @@
+@@ -203,17 +244,23 @@
  
  optional_policy(`
  	hal_domtrans_mac(devicekit_power_t)
@@ -11017,6 +11178,100 @@ diff -b -B --ignore-all-space --exclude-
 +')
 +
 +permissive hald_dccm_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.6.26/policy/modules/services/hddtemp.fc
+--- nsaserefpolicy/policy/modules/services/hddtemp.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/services/hddtemp.fc	2009-08-11 14:24:37.000000000 -0400
+@@ -0,0 +1,4 @@
++
++/etc/rc\.d/init\.d/hddtemp      --      gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
++
++/usr/sbin/hddtemp             	--      gen_context(system_u:object_r:hddtemp_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.if serefpolicy-3.6.26/policy/modules/services/hddtemp.if
+--- nsaserefpolicy/policy/modules/services/hddtemp.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/services/hddtemp.if	2009-08-11 14:26:32.000000000 -0400
+@@ -0,0 +1,38 @@
++## <summary>hddtemp hard disk temperature tool running as a daemon</summary>
++
++#######################################
++## <summary>
++##      Execute hddtemp in the hddtemp domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`hddtemp_domtrans',`
++        gen_require(`
++                type hddtemp_t, hddtemp_exec_t;
++        ')
++
++        corecmd_search_bin($1)
++        domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
++')
++
++######################################
++## <summary>
++##      Execute hddtemp 
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`hddtemp_exec',`
++        gen_require(`
++                type hddtemp_exec_t;
++        ')
++
++        can_exec($1, hddtemp_exec_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.6.26/policy/modules/services/hddtemp.te
+--- nsaserefpolicy/policy/modules/services/hddtemp.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/services/hddtemp.te	2009-08-11 14:24:37.000000000 -0400
+@@ -0,0 +1,40 @@
++policy_module(hddtemp,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type hddtemp_t;
++type hddtemp_exec_t;
++init_daemon_domain(hddtemp_t,hddtemp_exec_t)
++
++type hddtemp_initrc_exec_t;
++init_script_file(hddtemp_initrc_exec_t)
++
++########################################
++#
++# hddtemp local policy
++#
++
++allow hddtemp_t self:capability sys_rawio;
++dontaudit hddtemp_t self:capability sys_admin;
++
++allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms;
++allow hddtemp_t self:tcp_socket create_stream_socket_perms;
++allow hddtemp_t self:udp_socket create_socket_perms;
++
++corenet_tcp_bind_all_nodes(hddtemp_t)
++corenet_tcp_bind_hddtemp_port(hddtemp_t)
++
++storage_raw_read_fixed_disk(hddtemp_t)
++
++# read hddtemp db file
++files_read_usr_files(hddtemp_t)
++
++logging_send_syslog_msg(hddtemp_t)
++
++miscfiles_read_localization(hddtemp_t)
++
++permissive hddtemp_t;
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.26/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-07-23 14:11:04.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/services/kerberos.te	2009-07-30 15:33:08.000000000 -0400
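Review bot: The `permissive hddtemp_t;` line at the end of hddtemp.te means none of the rules above it are enforced for a daemon that holds `sys_rawio`, has raw read access to fixed disks and binds a TCP listener on all nodes, so any rule still missing is silently permitted instead of denied. Two gaps look likely from what is present: there are no `corenet_tcp_sendrecv_*`/`corenet_all_recvfrom_unlabeled` rules to go with the bind, and `dontaudit hddtemp_t self:capability sys_admin;` hides a capability request whose need is not explained — if hddtemp genuinely requires it, that deserves a comment and an allow rather than a silent dontaudit. I'd mark the flag as temporary, e.g. `permissive hddtemp_t; # TODO: remove once the domain has been exercised in enforcing mode`, and clear the audit denials before dropping it. Separately, `corenet_tcp_bind_hddtemp_port` needs an `hddtemp` port type in corenetwork.te.in that I do not see in the corenetwork hunks visible in this chunk; confirm it is declared elsewhere in the patch or the module will fail to build.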
@@ -12812,7 +13067,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/policykit.te	2009-08-10 10:24:17.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/policykit.te	2009-08-11 14:14:45.000000000 -0400
 @@ -38,9 +38,10 @@
  
  allow policykit_t self:capability { setgid setuid };
@@ -12852,11 +13107,13 @@ diff -b -B --ignore-all-space --exclude-
  
  ########################################
  #
-@@ -77,12 +90,15 @@
+@@ -76,13 +89,16 @@
+ #
  
  allow policykit_auth_t self:capability setgid;
- allow policykit_auth_t self:process getattr;
+-allow policykit_auth_t self:process getattr;
 -allow policykit_auth_t self:fifo_file rw_file_perms;
++allow policykit_auth_t self:process { getattr getsched };
 +allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
 +
  allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
@@ -12889,7 +13146,7 @@ diff -b -B --ignore-all-space --exclude-
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -116,6 +136,13 @@
+@@ -116,6 +136,14 @@
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -12898,12 +13155,13 @@ diff -b -B --ignore-all-space --exclude-
 +	xserver_xdm_append_log(policykit_auth_t)
 +	xserver_read_xdm_pid(policykit_auth_t)
 +	xserver_search_xdm_lib(policykit_auth_t)
++	xserver_create_xdm_tmp_sockets(policykit_auth_t)
 +')
 +
  ########################################
  #
  # polkit_grant local policy
-@@ -123,7 +150,8 @@
+@@ -123,7 +151,8 @@
  
  allow policykit_grant_t self:capability setuid;
  allow policykit_grant_t self:process getattr;
@@ -12913,7 +13171,7 @@ diff -b -B --ignore-all-space --exclude-
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -153,9 +181,12 @@
+@@ -153,9 +182,12 @@
  userdom_read_all_users_state(policykit_grant_t)
  
  optional_policy(`
@@ -12927,7 +13185,7 @@ diff -b -B --ignore-all-space --exclude-
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -167,7 +198,8 @@
+@@ -167,7 +199,8 @@
  
  allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
  allow policykit_resolve_t self:process getattr;
@@ -14184,7 +14442,7 @@ diff -b -B --ignore-all-space --exclude-
  auth_manage_cache(gssd_t) 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.26/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/rsync.te	2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/rsync.te	2009-08-12 07:48:31.000000000 -0400
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -14199,7 +14457,15 @@ diff -b -B --ignore-all-space --exclude-
  ## Allow rsync to export any files/directories read only.
  ## </p>
  ## </desc>
-@@ -126,4 +133,19 @@
+@@ -24,7 +31,6 @@
+ 
+ type rsync_t;
+ type rsync_exec_t;
+-init_daemon_domain(rsync_t, rsync_exec_t)
+ application_executable_file(rsync_exec_t)
+ role system_r types rsync_t;
+ 
+@@ -126,4 +132,19 @@
  	auth_read_all_symlinks_except_shadow(rsync_t)
  	auth_tunable_read_shadow(rsync_t)
  ')
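Review bot: Dropping `init_daemon_domain(rsync_t, rsync_exec_t)` removes more than the initrc transition — that interface is also what declared `rsync_t` as a domain and `rsync_exec_t` as its entry point, and the hunk keeps only `application_executable_file(rsync_exec_t)` and `role system_r types rsync_t;`. I cannot see from this hunk whether another interface in rsync.te (an `inetd_tcp_service_domain` call, for instance) still supplies `domain_type`/`domain_entry_file`, so confirm `rsync_t` remains a valid domain with an entrypoint even when that optional module is absent. A comment stating the intent would help the next reader, e.g. `# rsync_t is entered via inetd/xinetd only; do not let init scripts start it as a standalone daemon in this domain`. The declarations section this belongs to begins outside the hunk.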
@@ -16746,7 +17012,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.26/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/virt.if	2009-08-05 16:59:48.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/virt.if	2009-08-12 16:06:07.000000000 -0400
 @@ -103,7 +103,7 @@
  
  ########################################
@@ -16844,7 +17110,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	All of the rules required to administrate 
  ##	an virt environment
  ## </summary>
-@@ -327,3 +364,56 @@
+@@ -327,3 +364,76 @@
  
  	virt_manage_log($1)
  ')
@@ -16901,9 +17167,29 @@ diff -b -B --ignore-all-space --exclude-
 +	')
 +')
 +
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	svirt cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_manage_svirt_cache',`
++	gen_require(`
++		type svirt_cache_t;
++	')
++
++	files_search_var($1)
++	manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
++	manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
++')
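Review bot: `virt_manage_svirt_cache` grants `manage_lnk_files_pattern` on `svirt_cache_t` alongside the file rules, so a caller can create, rewrite and remove symlinks inside the cache but, with no dir pattern, cannot create or delete the cache directory itself; the summary says only "cache files" and should spell out both the symlink grant and the no-directory limit. Unless the one caller in this patch (`initrc_t`, in the init.te hunk) actually needs to manage links, I'd drop the `manage_lnk_files_pattern` line and keep the interface to plain files — writable symlinks in a directory a privileged reader later follows are the classic redirect primitive, and least privilege says not to hand them out by default. Also note `svirt_cache_t` must be declared in virt.te; that declaration is not in any hunk visible here, so confirm it exists.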
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.26/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/virt.te	2009-08-05 15:13:13.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/virt.te	2009-08-12 16:05:46.000000000 -0400
 @@ -20,6 +20,28 @@
  ## </desc>
  gen_tunable(virt_use_samba, false)
@@ -16989,7 +17275,7 @@ diff -b -B --ignore-all-space --exclude-
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  
-@@ -68,6 +115,12 @@
+@@ -68,6 +115,14 @@
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -16997,12 +17283,14 @@ diff -b -B --ignore-all-space --exclude-
 +allow virtd_t virt_image_type:file { relabelfrom relabelto };
 +allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
 +
++mcs_process_set_categories(virtd_t)
++
 +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
 +manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
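Review bot: `mcs_process_set_categories(virtd_t)` is one of the few grants that lets a domain step outside the MCS constraint — virtd_t may now launch or set the context of processes carrying categories it does not itself hold — and it sits here unexplained next to the equally powerful `virt_image_type` relabel rules. Presumably both exist so libvirtd, running at s0, can start each guest with its own category pair and relabel its disk image to match; if so, say it in the file, e.g. `# sVirt: libvirtd runs at s0 but must launch guests with their own MCS categories and relabel images to match`. The enclosing virtd local policy section starts outside the hunk.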
-@@ -86,6 +139,7 @@
+@@ -86,6 +141,7 @@
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
  kernel_load_module(virtd_t)
@@ -17010,7 +17298,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -96,30 +150,51 @@
+@@ -96,30 +152,51 @@
  corenet_tcp_sendrecv_generic_node(virtd_t)
  corenet_tcp_sendrecv_all_ports(virtd_t)
  corenet_tcp_bind_generic_node(virtd_t)
@@ -17065,7 +17353,7 @@ diff -b -B --ignore-all-space --exclude-
  term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
-@@ -129,7 +204,14 @@
+@@ -129,7 +206,14 @@
  
  logging_send_syslog_msg(virtd_t)
  
@@ -17080,7 +17368,7 @@ diff -b -B --ignore-all-space --exclude-
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -167,22 +249,35 @@
+@@ -167,22 +251,35 @@
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
@@ -17121,7 +17409,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -195,8 +290,155 @@
+@@ -195,8 +292,161 @@
  
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
@@ -17232,6 +17520,8 @@ diff -b -B --ignore-all-space --exclude-
 +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
 +allow virt_domain self:tcp_socket create_stream_socket_perms;
 +
++stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
++
 +kernel_read_system_state(virt_domain)
 +
 +corenet_all_recvfrom_unlabeled(virt_domain)
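Review bot: `stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)` is a virtd_t rule but is placed among the `allow virt_domain self:...` socket rules, so a reader auditing what libvirtd may reach will not find that it can connect to every guest domain's unix stream sockets in `svirt_var_run_t`. Move it next to the other virtd_t rules, or at least add a why-comment above it such as `# libvirtd connects to each guest's control socket`, so the grant is discoverable where it is looked for. The virt_domain rule block continues outside the hunk on both sides.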
@@ -17272,6 +17562,10 @@ diff -b -B --ignore-all-space --exclude-
 +miscfiles_read_localization(virt_domain)
 +
 +optional_policy(`
++	ptchown_domtrans(virt_domain)
++')
++
++optional_policy(`
 +	virt_read_config(virt_domain)
 +	virt_read_lib_files(virt_domain)
 +	virt_read_content(virt_domain)
@@ -17374,7 +17668,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.26/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/xserver.if	2009-08-05 07:48:30.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/xserver.if	2009-08-11 14:14:49.000000000 -0400
 @@ -90,7 +90,7 @@
  	allow $2 xauth_home_t:file manage_file_perms;
  	allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -19549,7 +19843,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.26/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-07-30 09:44:08.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/init.te	2009-08-10 13:12:20.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/init.te	2009-08-12 16:06:54.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -19907,19 +20201,23 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +837,11 @@
- 	uml_setattr_util_sockets(initrc_t)
+@@ -755,6 +838,15 @@
  ')
  
+ optional_policy(`
++	virt_manage_svirt_cache(initrc_t)
++')
++
 +# Cron jobs used to start and stop services
 +optional_policy(`
 +	cron_rw_pipes(daemon)
 +')
 +
- optional_policy(`
++optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -765,6 +853,13 @@
+ 	ifdef(`distro_redhat',`
+@@ -765,6 +857,13 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -19933,7 +20231,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -790,3 +885,31 @@
+@@ -790,3 +889,31 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -20860,7 +21158,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.26/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/logging.if	2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/logging.if	2009-08-12 15:17:48.000000000 -0400
 @@ -623,7 +623,7 @@
  	')
  
@@ -22206,7 +22504,7 @@ diff -b -B --ignore-all-space --exclude-
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.26/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/sysnetwork.if	2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/sysnetwork.if	2009-08-11 13:58:43.000000000 -0400
 @@ -43,6 +43,39 @@
  
  	sysnet_domtrans_dhcpc($1)
@@ -22591,7 +22889,7 @@ diff -b -B --ignore-all-space --exclude-
  /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.26/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/udev.te	2009-08-10 10:36:14.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/udev.te	2009-08-11 14:30:39.000000000 -0400
 @@ -50,6 +50,7 @@
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -22697,7 +22995,7 @@ diff -b -B --ignore-all-space --exclude-
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -242,6 +270,10 @@
+@@ -242,6 +270,14 @@
  ')
  
  optional_policy(`
@@ -22705,6 +23003,10 @@ diff -b -B --ignore-all-space --exclude-
 +')
 +
 +optional_policy(`
++	vbetool_domtrans(udev_t)
++')
++
++optional_policy(`
  	kernel_write_xen_state(udev_t)
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)



