rpms/selinux-policy/devel policy-F12.patch, 1.50, 1.51 selinux-policy.spec, 1.895, 1.896

Daniel J Walsh dwalsh at fedoraproject.org
Thu Aug 13 22:33:09 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29512

Modified Files:
	policy-F12.patch selinux-policy.spec 
Log Message:
* Thu Aug 13 2009 Dan Walsh <dwalsh at redhat.com> 3.6.26-11
- Make all unconfined_domains permissive so we can see what AVCs happen


policy-F12.patch:
 Makefile                                           |    2 
 Rules.modular                                      |    8 
 config/appconfig-mcs/default_contexts              |   19 
 config/appconfig-mcs/failsafe_context              |    2 
 config/appconfig-mcs/root_default_contexts         |    8 
 config/appconfig-mcs/securetty_types               |    5 
 config/appconfig-mcs/seusers                       |    4 
 config/appconfig-mcs/staff_u_default_contexts      |    4 
 config/appconfig-mcs/unconfined_u_default_contexts |    4 
 config/appconfig-mcs/user_u_default_contexts       |    5 
 config/appconfig-mcs/userhelper_context            |    2 
 config/appconfig-mcs/virtual_domain_context        |    1 
 config/appconfig-mcs/virtual_image_context         |    2 
 config/appconfig-mls/default_contexts              |   19 
 config/appconfig-mls/root_default_contexts         |   12 
 config/appconfig-mls/virtual_domain_context        |    1 
 config/appconfig-mls/virtual_image_context         |    2 
 config/appconfig-standard/securetty_types          |    5 
 policy/global_tunables                             |   24 
 policy/mcs                                         |   10 
 policy/modules/admin/anaconda.te                   |    1 
 policy/modules/admin/certwatch.te                  |    1 
 policy/modules/admin/dmesg.fc                      |    2 
 policy/modules/admin/dmesg.te                      |    7 
 policy/modules/admin/kismet.if                     |    1 
 policy/modules/admin/kismet.te                     |   17 
 policy/modules/admin/logrotate.te                  |   13 
 policy/modules/admin/logwatch.te                   |    1 
 policy/modules/admin/mrtg.te                       |    7 
 policy/modules/admin/prelink.if                    |   19 
 policy/modules/admin/readahead.te                  |    3 
 policy/modules/admin/rpm.fc                        |   15 
 policy/modules/admin/rpm.if                        |  176 ++
 policy/modules/admin/rpm.te                        |   65 -
 policy/modules/admin/sudo.if                       |   13 
 policy/modules/admin/tmpreaper.te                  |    4 
 policy/modules/admin/usermanage.te                 |    9 
 policy/modules/admin/vbetool.te                    |   14 
 policy/modules/apps/awstats.te                     |    2 
 policy/modules/apps/calamaris.te                   |    4 
 policy/modules/apps/cpufreqselector.te             |    4 
 policy/modules/apps/gitosis.fc                     |    4 
 policy/modules/apps/gitosis.if                     |   96 +
 policy/modules/apps/gitosis.te                     |   36 
 policy/modules/apps/gnome.fc                       |   12 
 policy/modules/apps/gnome.if                       |  170 ++
 policy/modules/apps/gnome.te                       |   92 +
 policy/modules/apps/gpg.te                         |   15 
 policy/modules/apps/java.fc                        |   17 
 policy/modules/apps/java.if                        |  129 ++
 policy/modules/apps/java.te                        |   17 
 policy/modules/apps/kdumpgui.fc                    |    2 
 policy/modules/apps/kdumpgui.if                    |    2 
 policy/modules/apps/kdumpgui.te                    |   64 +
 policy/modules/apps/livecd.fc                      |    2 
 policy/modules/apps/livecd.if                      |   50 
 policy/modules/apps/livecd.te                      |   26 
 policy/modules/apps/mono.if                        |  101 +
 policy/modules/apps/mono.te                        |    9 
 policy/modules/apps/mozilla.if                     |   13 
 policy/modules/apps/mozilla.te                     |   21 
 policy/modules/apps/nsplugin.fc                    |   12 
 policy/modules/apps/nsplugin.if                    |  313 +++++
 policy/modules/apps/nsplugin.te                    |  286 ++++
 policy/modules/apps/openoffice.fc                  |    3 
 policy/modules/apps/openoffice.if                  |   93 +
 policy/modules/apps/openoffice.te                  |   14 
 policy/modules/apps/ptchown.fc                     |    2 
 policy/modules/apps/ptchown.if                     |   22 
 policy/modules/apps/ptchown.te                     |   38 
 policy/modules/apps/pulseaudio.te                  |    9 
 policy/modules/apps/qemu.fc                        |    4 
 policy/modules/apps/qemu.if                        |  270 +++-
 policy/modules/apps/qemu.te                        |   82 +
 policy/modules/apps/sambagui.fc                    |    1 
 policy/modules/apps/sambagui.if                    |    2 
 policy/modules/apps/sambagui.te                    |   55 
 policy/modules/apps/sandbox.fc                     |    1 
 policy/modules/apps/sandbox.if                     |  143 ++
 policy/modules/apps/sandbox.te                     |  274 ++++
 policy/modules/apps/screen.if                      |   24 
 policy/modules/apps/vmware.fc                      |    1 
 policy/modules/apps/vmware.te                      |    1 
 policy/modules/apps/webalizer.te                   |    1 
 policy/modules/apps/wine.fc                        |   23 
 policy/modules/apps/wine.if                        |   60 
 policy/modules/apps/wine.te                        |   23 
 policy/modules/kernel/corecommands.fc              |   22 
 policy/modules/kernel/corecommands.if              |    1 
 policy/modules/kernel/corenetwork.te.in            |   29 
 policy/modules/kernel/devices.fc                   |    5 
 policy/modules/kernel/devices.if                   |  164 ++
 policy/modules/kernel/devices.te                   |   19 
 policy/modules/kernel/domain.if                    |  132 +-
 policy/modules/kernel/domain.te                    |   85 +
 policy/modules/kernel/files.fc                     |    3 
 policy/modules/kernel/files.if                     |  279 ++++
 policy/modules/kernel/files.te                     |    6 
 policy/modules/kernel/filesystem.fc                |    2 
 policy/modules/kernel/filesystem.if                |   56 
 policy/modules/kernel/filesystem.te                |    2 
 policy/modules/kernel/kernel.if                    |   39 
 policy/modules/kernel/kernel.te                    |   29 
 policy/modules/kernel/selinux.if                   |   25 
 policy/modules/kernel/terminal.fc                  |    1 
 policy/modules/kernel/terminal.if                  |   40 
 policy/modules/kernel/terminal.te                  |    1 
 policy/modules/roles/guest.te                      |    8 
 policy/modules/roles/staff.te                      |  123 -
 policy/modules/roles/sysadm.te                     |  124 -
 policy/modules/roles/unconfineduser.fc             |   37 
 policy/modules/roles/unconfineduser.if             |  638 ++++++++++
 policy/modules/roles/unconfineduser.te             |  395 ++++++
 policy/modules/roles/unprivuser.te                 |  131 --
 policy/modules/roles/webadm.te                     |    2 
 policy/modules/roles/xguest.te                     |   18 
 policy/modules/services/amavis.te                  |    2 
 policy/modules/services/apache.fc                  |   35 
 policy/modules/services/apache.if                  |  327 +++--
 policy/modules/services/apache.te                  |  409 +++++-
 policy/modules/services/apm.te                     |    2 
 policy/modules/services/automount.te               |    1 
 policy/modules/services/bind.if                    |   19 
 policy/modules/services/bluetooth.te               |    6 
 policy/modules/services/certmaster.te              |    2 
 policy/modules/services/clamav.te                  |   12 
 policy/modules/services/consolekit.if              |   39 
 policy/modules/services/consolekit.te              |   18 
 policy/modules/services/courier.if                 |   18 
 policy/modules/services/courier.te                 |    1 
 policy/modules/services/cron.fc                    |   13 
 policy/modules/services/cron.if                    |  202 ++-
 policy/modules/services/cron.te                    |  132 +-
 policy/modules/services/cups.fc                    |   11 
 policy/modules/services/cups.te                    |   23 
 policy/modules/services/cvs.te                     |    1 
 policy/modules/services/dbus.if                    |   26 
 policy/modules/services/dbus.te                    |   25 
 policy/modules/services/dcc.te                     |    8 
 policy/modules/services/ddclient.if                |   25 
 policy/modules/services/devicekit.fc               |    2 
 policy/modules/services/devicekit.if               |   22 
 policy/modules/services/devicekit.te               |   49 
 policy/modules/services/dnsmasq.te                 |    8 
 policy/modules/services/dovecot.te                 |    7 
 policy/modules/services/exim.te                    |    4 
 policy/modules/services/fetchmail.te               |    2 
 policy/modules/services/fprintd.te                 |    4 
 policy/modules/services/ftp.te                     |   50 
 policy/modules/services/gnomeclock.fc              |    3 
 policy/modules/services/gnomeclock.if              |   69 +
 policy/modules/services/gnomeclock.te              |   50 
 policy/modules/services/gpsd.fc                    |    5 
 policy/modules/services/gpsd.if                    |   27 
 policy/modules/services/gpsd.te                    |   12 
 policy/modules/services/hal.fc                     |    1 
 policy/modules/services/hal.if                     |   18 
 policy/modules/services/hal.te                     |   46 
 policy/modules/services/hddtemp.fc                 |    4 
 policy/modules/services/hddtemp.if                 |   38 
 policy/modules/services/hddtemp.te                 |   40 
 policy/modules/services/kerberos.te                |   13 
 policy/modules/services/ktalk.te                   |    1 
 policy/modules/services/lircd.te                   |   11 
 policy/modules/services/mailman.te                 |    4 
 policy/modules/services/memcached.te               |    2 
 policy/modules/services/modemmanager.fc            |    2 
 policy/modules/services/modemmanager.if            |   43 
 policy/modules/services/modemmanager.te            |   46 
 policy/modules/services/mta.fc                     |    2 
 policy/modules/services/mta.if                     |    5 
 policy/modules/services/mta.te                     |   52 
 policy/modules/services/munin.fc                   |    3 
 policy/modules/services/munin.te                   |    3 
 policy/modules/services/mysql.te                   |    7 
 policy/modules/services/nagios.fc                  |   11 
 policy/modules/services/nagios.if                  |   70 -
 policy/modules/services/nagios.te                  |   55 
 policy/modules/services/networkmanager.fc          |   13 
 policy/modules/services/networkmanager.if          |   45 
 policy/modules/services/networkmanager.te          |  114 +
 policy/modules/services/nis.fc                     |    5 
 policy/modules/services/nis.if                     |   87 +
 policy/modules/services/nis.te                     |   13 
 policy/modules/services/nscd.if                    |   18 
 policy/modules/services/nscd.te                    |   11 
 policy/modules/services/nslcd.fc                   |    4 
 policy/modules/services/nslcd.if                   |  142 ++
 policy/modules/services/nslcd.te                   |   48 
 policy/modules/services/ntp.if                     |   46 
 policy/modules/services/ntp.te                     |    7 
 policy/modules/services/nx.te                      |    6 
 policy/modules/services/oddjob.if                  |    1 
 policy/modules/services/openvpn.te                 |    1 
 policy/modules/services/pcscd.te                   |    3 
 policy/modules/services/pegasus.te                 |   28 
 policy/modules/services/policykit.fc               |    5 
 policy/modules/services/policykit.if               |   48 
 policy/modules/services/policykit.te               |   49 
 policy/modules/services/postfix.fc                 |    2 
 policy/modules/services/postfix.if                 |  150 ++
 policy/modules/services/postfix.te                 |  136 +-
 policy/modules/services/postgresql.fc              |    1 
 policy/modules/services/postgresql.if              |   43 
 policy/modules/services/postgresql.te              |    7 
 policy/modules/services/ppp.if                     |    6 
 policy/modules/services/ppp.te                     |   14 
 policy/modules/services/privoxy.te                 |    3 
 policy/modules/services/procmail.te                |   12 
 policy/modules/services/pyzor.fc                   |    4 
 policy/modules/services/pyzor.if                   |   47 
 policy/modules/services/pyzor.te                   |   37 
 policy/modules/services/razor.fc                   |    1 
 policy/modules/services/razor.if                   |   42 
 policy/modules/services/razor.te                   |   32 
 policy/modules/services/ricci.te                   |    5 
 policy/modules/services/rpc.if                     |    6 
 policy/modules/services/rpc.te                     |   10 
 policy/modules/services/rpcbind.if                 |   20 
 policy/modules/services/rsync.te                   |   23 
 policy/modules/services/rtkit_daemon.fc            |    2 
 policy/modules/services/rtkit_daemon.if            |   64 +
 policy/modules/services/rtkit_daemon.te            |   38 
 policy/modules/services/samba.fc                   |    4 
 policy/modules/services/samba.if                   |  104 +
 policy/modules/services/samba.te                   |   82 +
 policy/modules/services/sasl.te                    |   15 
 policy/modules/services/sendmail.if                |  137 ++
 policy/modules/services/sendmail.te                |   87 +
 policy/modules/services/setroubleshoot.fc          |    2 
 policy/modules/services/setroubleshoot.if          |   63 -
 policy/modules/services/setroubleshoot.te          |   60 
 policy/modules/services/shorewall.fc               |   12 
 policy/modules/services/shorewall.if               |  166 ++
 policy/modules/services/shorewall.te               |   95 +
 policy/modules/services/smartmon.te                |   12 
 policy/modules/services/spamassassin.fc            |   14 
 policy/modules/services/spamassassin.if            |   68 +
 policy/modules/services/spamassassin.te            |  129 +-
 policy/modules/services/squid.te                   |    7 
 policy/modules/services/ssh.fc                     |    2 
 policy/modules/services/ssh.if                     |  163 ++
 policy/modules/services/ssh.te                     |   66 -
 policy/modules/services/sssd.fc                    |    2 
 policy/modules/services/sssd.if                    |   43 
 policy/modules/services/sysstat.te                 |    2 
 policy/modules/services/uucp.te                    |    3 
 policy/modules/services/virt.fc                    |   11 
 policy/modules/services/virt.if                    |  129 +-
 policy/modules/services/virt.te                    |  270 ++++
 policy/modules/services/w3c.te                     |    7 
 policy/modules/services/xserver.fc                 |   29 
 policy/modules/services/xserver.if                 |  538 ++++++++
 policy/modules/services/xserver.te                 |  308 ++++
 policy/modules/system/application.if               |   20 
 policy/modules/system/application.te               |   11 
 policy/modules/system/authlogin.fc                 |    9 
 policy/modules/system/authlogin.if                 |  204 ++-
 policy/modules/system/authlogin.te                 |    9 
 policy/modules/system/fstools.fc                   |    2 
 policy/modules/system/fstools.te                   |    9 
 policy/modules/system/hostname.te                  |    4 
 policy/modules/system/init.fc                      |    6 
 policy/modules/system/init.if                      |  156 ++
 policy/modules/system/init.te                      |  177 ++
 policy/modules/system/ipsec.fc                     |    2 
 policy/modules/system/ipsec.if                     |   25 
 policy/modules/system/ipsec.te                     |   28 
 policy/modules/system/iptables.fc                  |   11 
 policy/modules/system/iptables.te                  |    5 
 policy/modules/system/iscsi.if                     |   40 
 policy/modules/system/iscsi.te                     |    6 
 policy/modules/system/kdump.fc                     |    8 
 policy/modules/system/kdump.if                     |  111 +
 policy/modules/system/kdump.te                     |   38 
 policy/modules/system/libraries.fc                 |  152 +-
 policy/modules/system/libraries.if                 |    4 
 policy/modules/system/libraries.te                 |   16 
 policy/modules/system/locallogin.te                |   28 
 policy/modules/system/logging.fc                   |   11 
 policy/modules/system/logging.if                   |    4 
 policy/modules/system/logging.te                   |   32 
 policy/modules/system/lvm.te                       |   17 
 policy/modules/system/miscfiles.if                 |   19 
 policy/modules/system/modutils.te                  |   35 
 policy/modules/system/mount.fc                     |    7 
 policy/modules/system/mount.te                     |   77 +
 policy/modules/system/selinuxutil.fc               |   16 
 policy/modules/system/selinuxutil.if               |  288 ++++
 policy/modules/system/selinuxutil.te               |  227 +--
 policy/modules/system/setrans.if                   |   20 
 policy/modules/system/sysnetwork.fc                |    9 
 policy/modules/system/sysnetwork.if                |  117 +
 policy/modules/system/sysnetwork.te                |   72 -
 policy/modules/system/udev.fc                      |    3 
 policy/modules/system/udev.te                      |   38 
 policy/modules/system/unconfined.fc                |   15 
 policy/modules/system/unconfined.if                |  446 -------
 policy/modules/system/unconfined.te                |  226 ---
 policy/modules/system/userdomain.fc                |    5 
 policy/modules/system/userdomain.if                | 1304 +++++++++++++++------
 policy/modules/system/userdomain.te                |   50 
 policy/modules/system/xen.fc                       |    6 
 policy/modules/system/xen.if                       |   28 
 policy/modules/system/xen.te                       |  127 +-
 policy/support/obj_perm_sets.spt                   |   14 
 policy/users                                       |   13 
 support/Makefile.devel                             |    3 
 308 files changed, 13444 insertions(+), 2611 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -p -r1.50 -r1.51
--- policy-F12.patch	12 Aug 2009 20:09:21 -0000	1.50
+++ policy-F12.patch	13 Aug 2009 22:33:07 -0000	1.51
@@ -568,7 +568,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.26/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/admin/rpm.if	2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/admin/rpm.if	2009-08-13 15:26:27.000000000 -0400
 @@ -66,6 +66,11 @@
  	rpm_domtrans($1)
  	role $2 types rpm_t;
@@ -1124,10 +1124,22 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.26/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/admin/vbetool.te	2009-07-30 15:33:08.000000000 -0400
-@@ -23,7 +23,10 @@
++++ serefpolicy-3.6.26/policy/modules/admin/vbetool.te	2009-08-13 15:29:00.000000000 -0400
+@@ -15,15 +15,20 @@
+ # Local policy
+ #
+ 
+-allow vbetool_t self:capability { sys_tty_config sys_admin };
++allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
+ allow vbetool_t self:process execmem;
+ 
+ dev_wx_raw_memory(vbetool_t)
+ dev_read_raw_memory(vbetool_t)
  dev_rwx_zero(vbetool_t)
- dev_read_sysfs(vbetool_t)
+-dev_read_sysfs(vbetool_t)
++dev_rw_sysfs(vbetool_t)
++dev_rw_xserver_misc(vbetool_t)
++dev_rw_mtrr(vbetool_t)
  
 +domain_mmap_low_type(vbetool_t)
 +tunable_policy(`mmap_low_allowed',`
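Review bot: `dac_override` is added to vbetool_t's capability set on the line `+allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };` without a comment recording which file access was denied; since dac_override bypasses every DAC permission check, a comment such as `# dac_override: needed to open PLACEHOLDER_PATH — confirm` would keep the grant reviewable, and if the access is read-only, `dac_read_search` is the narrower capability. The same hunk widens `dev_read_sysfs` to `dev_rw_sysfs` and adds `dev_rw_xserver_misc` and `dev_rw_mtrr`; these may be tied to the `/dev/vga_arbiter` labeling later in this commit, but that is an inference, not visible here. The vbetool_t policy block continues past the end of the hunk.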
@@ -1136,7 +1148,7 @@ diff -b -B --ignore-all-space --exclude-
  
  term_use_unallocated_ttys(vbetool_t)
  
-@@ -34,3 +37,8 @@
+@@ -34,3 +39,8 @@
  	hal_write_log(vbetool_t)
  	hal_dontaudit_append_lib_files(vbetool_t)
  ')
@@ -2693,7 +2705,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.26/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.26/policy/modules/apps/nsplugin.te	2009-08-06 08:01:24.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/apps/nsplugin.te	2009-08-13 14:58:45.000000000 -0400
 @@ -0,0 +1,286 @@
 +
 +policy_module(nsplugin, 1.0.0)
@@ -3137,8 +3149,8 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.26/policy/modules/apps/ptchown.te
 --- nsaserefpolicy/policy/modules/apps/ptchown.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.26/policy/modules/apps/ptchown.te	2009-08-12 14:55:11.000000000 -0400
-@@ -0,0 +1,35 @@
++++ serefpolicy-3.6.26/policy/modules/apps/ptchown.te	2009-08-13 17:39:44.000000000 -0400
+@@ -0,0 +1,38 @@
 +policy_module(ptchown,1.0.0)
 +
 +########################################
@@ -3158,7 +3170,7 @@ diff -b -B --ignore-all-space --exclude-
 +# ptchown local policy
 +#
 +
-+allow ptchown_t self:capability { chown setuid };
++allow ptchown_t self:capability { fowner chown setuid };
 +allow ptchown_t self:process { getcap setcap };
 +
 +# Init script handling
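Review bot: `fowner` joins ptchown_t's capability set on the changed line `+allow ptchown_t self:capability { fowner chown setuid };` with no comment recording what triggered it; a note such as `# fowner: chmod on the pty slave after it has been chowned away — confirm` would document the grant (that is the plausible reason for a pty ownership helper, but it is inferred, not shown here). The next hunk adds `fs_rw_anon_inodefs_files(ptchown_t)` and `term_use_generic_ptys(ptchown_t)` to the same domain; the first is surprising for this helper and also deserves a one-line justification naming the object that was denied. The ptchown_t policy block continues outside both hunks.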
@@ -3170,13 +3182,16 @@ diff -b -B --ignore-all-space --exclude-
 +
 +files_read_etc_files(ptchown_t)
 +
++fs_rw_anon_inodefs_files(ptchown_t)
++
++term_use_generic_ptys(ptchown_t)
 +term_setattr_generic_ptys(ptchown_t)
 +term_setattr_all_user_ptys(ptchown_t)
 +
 +miscfiles_read_localization(ptchown_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.26/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/apps/pulseaudio.te	2009-08-04 05:32:34.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/apps/pulseaudio.te	2009-08-13 15:27:08.000000000 -0400
 @@ -22,6 +22,7 @@
  allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
  allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
@@ -3193,7 +3208,15 @@ diff -b -B --ignore-all-space --exclude-
  
  term_use_all_user_ttys(pulseaudio_t)
  term_use_all_user_ptys(pulseaudio_t)
-@@ -85,8 +87,8 @@
+@@ -81,12 +83,15 @@
+ ')
+ 
+ optional_policy(`
++	rpm_dbus_chat(pulseaudio_t)
++')
++
++optional_policy(`
+ 	udev_read_db(pulseaudio_t)
  ')
  
  optional_policy(`
@@ -3202,7 +3225,7 @@ diff -b -B --ignore-all-space --exclude-
  	xserver_read_xdm_lib_files(pulseaudio_t)
 +	xserver_common_app(pulseaudio_t)
  ')
- 
+-
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.26/policy/modules/apps/qemu.fc
 --- nsaserefpolicy/policy/modules/apps/qemu.fc	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/apps/qemu.fc	2009-07-30 15:33:08.000000000 -0400
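Review bot: `rpm_dbus_chat(pulseaudio_t)` is added in a new optional_policy block with no comment naming the D-Bus peer; rpm_dbus_chat is a bidirectional chat with rpm_t, which is a broad domain for an audio daemon to talk to. If the peer is a package-installation service running as rpm_t (for example codec install requests), a comment like `# rpm_dbus_chat: PackageKit codec install prompts — confirm` would record that; the reason is not visible in this hunk. The pulseaudio_t block continues outside the hunk.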
@@ -3643,8 +3666,8 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.26/policy/modules/apps/sambagui.te
 --- nsaserefpolicy/policy/modules/apps/sambagui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.26/policy/modules/apps/sambagui.te	2009-07-30 15:33:08.000000000 -0400
-@@ -0,0 +1,57 @@
++++ serefpolicy-3.6.26/policy/modules/apps/sambagui.te	2009-08-13 09:46:37.000000000 -0400
+@@ -0,0 +1,55 @@
 +policy_module(sambagui,1.0.0)
 +
 +########################################
@@ -3700,8 +3723,6 @@ diff -b -B --ignore-all-space --exclude-
 +optional_policy(`
 +	policykit_dbus_chat(sambagui_t)
 +')
-+
-+permissive sambagui_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.26/policy/modules/apps/sandbox.fc
 --- nsaserefpolicy/policy/modules/apps/sandbox.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.26/policy/modules/apps/sandbox.fc	2009-07-30 15:33:08.000000000 -0400
@@ -3709,8 +3730,8 @@ diff -b -B --ignore-all-space --exclude-
 +# No types are sandbox_exec_t
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.26/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.26/policy/modules/apps/sandbox.if	2009-07-30 15:33:08.000000000 -0400
-@@ -0,0 +1,145 @@
++++ serefpolicy-3.6.26/policy/modules/apps/sandbox.if	2009-08-13 09:52:58.000000000 -0400
+@@ -0,0 +1,143 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -3834,8 +3855,6 @@ diff -b -B --ignore-all-space --exclude-
 +	manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
 +	manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
 +	manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
-+
-+#	permissive $1_client_t;
 +')
 +
 +########################################
@@ -4516,7 +4535,7 @@ diff -b -B --ignore-all-space --exclude-
  #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.26/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc	2009-08-03 06:30:31.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc	2009-08-13 15:24:04.000000000 -0400
 @@ -47,8 +47,10 @@
  /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -4536,9 +4555,18 @@ diff -b -B --ignore-all-space --exclude-
  /dev/(misc/)?rtc[0-9]*	-c	gen_context(system_u:object_r:clock_device_t,s0)
  /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
+@@ -148,6 +151,8 @@
+ /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ 
++/dev/vga_arbiter	-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
++
+ /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if	2009-08-11 18:56:44.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/devices.if	2009-08-13 15:36:14.000000000 -0400
 @@ -1655,6 +1655,78 @@
  
  ########################################
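Review bot: `/dev/vga_arbiter` is labeled `xserver_misc_device_t`, so every domain granted `dev_rw_xserver_misc` (vbetool_t gains it earlier in this same commit) can now open the arbiter, not only the X server. If the arbiter is meant only for Xorg and the VBE helper, a dedicated device type would keep that grant narrower; if sharing the type is intentional, a comment such as `# vga_arbiter shares xserver_misc_device_t on purpose` records the choice. The `-c` class is correct for a character device.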
@@ -5120,7 +5148,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.26/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/files.if	2009-08-10 11:51:27.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/files.if	2009-08-13 18:17:55.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5531,7 +5559,7 @@ diff -b -B --ignore-all-space --exclude-
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.26/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.if	2009-08-11 16:06:07.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.if	2009-08-13 15:46:05.000000000 -0400
 @@ -1537,6 +1537,24 @@
  
  ########################################
@@ -5557,7 +5585,32 @@ diff -b -B --ignore-all-space --exclude-
  ##	Search inotifyfs filesystem. 
  ## </summary>
  ## <param name="domain">
-@@ -3971,3 +3989,23 @@
+@@ -2542,6 +2560,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Getattr files on an nfsd filesystem
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_getattr_nfsd_files',`
++	gen_require(`
++		type nfsd_fs_t;
++	')
++
++	allow $1 nfsd_fs_t:file getattr;
++')
++
++########################################
++## <summary>
+ ##	Read and write NFS server files.
+ ## </summary>
+ ## <param name="domain">
+@@ -3971,3 +4007,23 @@
  	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
  	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
  ')
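Review bot: The new interface's summary `Getattr files on an nfsd filesystem` does not match the wording of its neighbours, which speak of NFS server files (see `Read and write NFS server files.` directly below it); `##	Get the attributes of files on an NFS server filesystem.` would keep the documentation consistent. The body `allow $1 nfsd_fs_t:file getattr;` is minimal and appropriate for a getattr-only interface.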
@@ -5655,7 +5708,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.26/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/kernel.te	2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/kernel.te	2009-08-13 18:32:39.000000000 -0400
 @@ -63,6 +63,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
@@ -5731,14 +5784,12 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -387,3 +410,7 @@
+@@ -387,3 +410,5 @@
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
  allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
 +
 +files_boot(kernel_t)
-+
-+permissive kernel_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.26/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/kernel/selinux.if	2009-07-30 15:33:08.000000000 -0400
@@ -9207,14 +9258,33 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.26/policy/modules/services/consolekit.if
 --- nsaserefpolicy/policy/modules/services/consolekit.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/consolekit.if	2009-08-10 13:11:45.000000000 -0400
-@@ -57,3 +57,23 @@
++++ serefpolicy-3.6.26/policy/modules/services/consolekit.if	2009-08-13 15:40:37.000000000 -0400
+@@ -57,3 +57,42 @@
  	read_files_pattern($1, consolekit_log_t, consolekit_log_t)
  	files_search_pids($1)
  ')
 +
 +########################################
 +## <summary>
++##	Manage consolekit log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`consolekit_manage_log',`
++	gen_require(`
++		type consolekit_log_t;
++	')
++
++	manage_files_pattern($1, consolekit_log_t, consolekit_log_t)
++	files_search_pids($1)
++')
++
++########################################
++## <summary>
 +##	Read consolekit PID files.
 +## </summary>
 +## <param name="domain">
@@ -10410,7 +10480,7 @@ diff -b -B --ignore-all-space --exclude-
  	allow $1 devicekit_t:process { ptrace signal_perms getattr };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.26/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/devicekit.te	2009-08-11 13:59:10.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/devicekit.te	2009-08-13 09:46:15.000000000 -0400
 @@ -36,12 +36,15 @@
  manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
  manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -10490,22 +10560,16 @@ diff -b -B --ignore-all-space --exclude-
  	policykit_domtrans_auth(devicekit_disk_t)
  	policykit_read_lib(devicekit_disk_t)
  	policykit_read_reload(devicekit_disk_t)
-@@ -134,14 +152,28 @@
+@@ -134,14 +152,22 @@
  	udev_read_db(devicekit_disk_t)
  ')
  
 +
-+#ifdef(`TESTING',`
-+	permissive devicekit_t;
-+	permissive devicekit_power_t;
-+	permissive devicekit_disk_t;
-+#',`
-+#optional_policy(`
-+#	unconfined_domain(devicekit_t)
-+#	unconfined_domain(devicekit_power_t)
-+#	unconfined_domain(devicekit_disk_t)
-+#')
-+#')
++optional_policy(`
++	unconfined_domain(devicekit_t)
++	unconfined_domain(devicekit_power_t)
++	unconfined_domain(devicekit_disk_t)
++')
 +
  ########################################
  #
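Review bot: Replacing the `ifdef(`TESTING',` block with a plain `optional_policy(` / `unconfined_domain(devicekit_t)` / `')` drops the build-time guard that kept the permissive statements out of non-testing builds, and the three devicekit domains are only permissive now because this same commit rewrites `unconfined_domain` in unconfined.if to emit `permissive $1;`. Once that interface is restored to its original meaning, these domains silently become fully unconfined instead of returning to confined enforcing, which is a larger grant than the removed permissive statements ever made. The same applies to the udev.te hunk further down that restores `optional_policy(` `unconfined_domain(udev_t)` `')` in place of the guarded permissive block. If the goal is temporary AVC collection, keep the block inside `ifdef(`TESTING',` or write `permissive devicekit_t;` and friends directly so the debugging state is explicit in the module rather than implied by another file.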
@@ -10520,7 +10584,7 @@ diff -b -B --ignore-all-space --exclude-
  
  manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +183,7 @@
+@@ -151,6 +177,7 @@
  kernel_read_system_state(devicekit_power_t)
  kernel_rw_hotplug_sysctls(devicekit_power_t)
  kernel_rw_kernel_sysctl(devicekit_power_t)
@@ -10528,7 +10592,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_exec_bin(devicekit_power_t)
  corecmd_exec_shell(devicekit_power_t)
-@@ -159,6 +192,7 @@
+@@ -159,6 +186,7 @@
  
  domain_read_all_domains_state(devicekit_power_t)
  
@@ -10536,7 +10600,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +201,16 @@
+@@ -167,12 +195,16 @@
  files_read_etc_files(devicekit_power_t)
  files_read_usr_files(devicekit_power_t)
  
@@ -10553,7 +10617,7 @@ diff -b -B --ignore-all-space --exclude-
  userdom_read_all_users_state(devicekit_power_t)
  
  optional_policy(`
-@@ -180,8 +218,11 @@
+@@ -180,8 +212,11 @@
  ')
  
  optional_policy(`
@@ -10566,7 +10630,7 @@ diff -b -B --ignore-all-space --exclude-
  	allow devicekit_power_t devicekit_t:dbus send_msg;
  
  	optional_policy(`
-@@ -203,17 +244,23 @@
+@@ -203,17 +238,23 @@
  
  optional_policy(`
  	hal_domtrans_mac(devicekit_power_t)
@@ -10663,8 +10727,17 @@ diff -b -B --ignore-all-space --exclude-
  corenet_tcp_sendrecv_generic_if(fetchmail_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.26/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/fprintd.te	2009-07-30 15:33:08.000000000 -0400
-@@ -51,5 +51,7 @@
++++ serefpolicy-3.6.26/policy/modules/services/fprintd.te	2009-08-13 12:03:17.000000000 -0400
+@@ -37,6 +37,8 @@
+ files_read_etc_files(fprintd_t)
+ files_read_usr_files(fprintd_t)
+ 
++fs_getattr_all_fs(fprintd_t)
++
+ auth_use_nsswitch(fprintd_t)
+ 
+ miscfiles_read_localization(fprintd_t)
+@@ -51,5 +53,7 @@
  optional_policy(`
  	policykit_read_reload(fprintd_t)
  	policykit_read_lib(fprintd_t)
@@ -11043,7 +11116,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.26/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/hal.te	2009-08-05 17:09:21.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/hal.te	2009-08-13 12:00:48.000000000 -0400
 @@ -55,6 +55,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -11074,7 +11147,18 @@ diff -b -B --ignore-all-space --exclude-
  files_getattr_all_mountpoints(hald_t)
  
  mls_file_read_all_levels(hald_t)
-@@ -290,6 +299,7 @@
+@@ -202,8 +211,9 @@
+ seutil_read_default_contexts(hald_t)
+ seutil_read_file_contexts(hald_t)
+ 
+-sysnet_read_config(hald_t)
+ sysnet_domtrans_dhcpc(hald_t)
++sysnet_read_config(hald_t)
++sysnet_read_dhcp_config(hald_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(hald_t)
+ userdom_dontaudit_search_user_home_dirs(hald_t)
+@@ -290,6 +300,7 @@
  ')
  
  optional_policy(`
@@ -11082,7 +11166,7 @@ diff -b -B --ignore-all-space --exclude-
  	policykit_domtrans_auth(hald_t)
  	policykit_domtrans_resolve(hald_t)
  	policykit_read_lib(hald_t)
-@@ -321,6 +331,10 @@
+@@ -321,6 +332,10 @@
  	virt_manage_images(hald_t)
  ')
  
@@ -11093,7 +11177,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Hal acl local policy
-@@ -341,6 +355,7 @@
+@@ -341,6 +356,7 @@
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -11101,7 +11185,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -357,6 +372,8 @@
+@@ -357,6 +373,8 @@
  files_read_usr_files(hald_acl_t)
  files_read_etc_files(hald_acl_t)
  
@@ -11110,7 +11194,7 @@ diff -b -B --ignore-all-space --exclude-
  storage_getattr_removable_dev(hald_acl_t)
  storage_setattr_removable_dev(hald_acl_t)
  storage_getattr_fixed_disk_dev(hald_acl_t)
-@@ -369,6 +386,7 @@
+@@ -369,6 +387,7 @@
  miscfiles_read_localization(hald_acl_t)
  
  optional_policy(`
@@ -11118,7 +11202,7 @@ diff -b -B --ignore-all-space --exclude-
  	policykit_domtrans_auth(hald_acl_t)
  	policykit_read_lib(hald_acl_t)
  	policykit_read_reload(hald_acl_t)
-@@ -450,12 +468,16 @@
+@@ -450,12 +469,16 @@
  
  miscfiles_read_localization(hald_keymap_t)
  
@@ -11137,7 +11221,7 @@ diff -b -B --ignore-all-space --exclude-
  allow hald_dccm_t self:process getsched;
  allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
  allow hald_dccm_t self:udp_socket create_socket_perms;
-@@ -469,10 +491,22 @@
+@@ -469,10 +492,22 @@
  manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
  files_search_var_lib(hald_dccm_t)
  
@@ -11160,7 +11244,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_all_recvfrom_unlabeled(hald_dccm_t)
  corenet_all_recvfrom_netlabel(hald_dccm_t)
  corenet_tcp_sendrecv_generic_if(hald_dccm_t)
-@@ -484,6 +518,7 @@
+@@ -484,6 +519,7 @@
  corenet_tcp_bind_generic_node(hald_dccm_t)
  corenet_udp_bind_generic_node(hald_dccm_t)
  corenet_udp_bind_dhcpc_port(hald_dccm_t)
@@ -11168,7 +11252,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_tcp_bind_dccm_port(hald_dccm_t)
  
  logging_send_syslog_msg(hald_dccm_t)
-@@ -491,3 +526,9 @@
+@@ -491,3 +527,7 @@
  files_read_usr_files(hald_dccm_t)
  
  miscfiles_read_localization(hald_dccm_t)
@@ -11176,8 +11260,6 @@ diff -b -B --ignore-all-space --exclude-
 +optional_policy(`
 +	dbus_system_bus_client(hald_dccm_t)
 +')
-+
-+permissive hald_dccm_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.6.26/policy/modules/services/hddtemp.fc
 --- nsaserefpolicy/policy/modules/services/hddtemp.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.26/policy/modules/services/hddtemp.fc	2009-08-11 14:24:37.000000000 -0400
@@ -12672,8 +12754,8 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.26/policy/modules/services/nslcd.te
 --- nsaserefpolicy/policy/modules/services/nslcd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.26/policy/modules/services/nslcd.te	2009-07-30 15:33:09.000000000 -0400
-@@ -0,0 +1,50 @@
++++ serefpolicy-3.6.26/policy/modules/services/nslcd.te	2009-08-13 09:51:48.000000000 -0400
+@@ -0,0 +1,48 @@
 +policy_module(nslcd,1.0.0)
 +
 +########################################
@@ -12685,8 +12767,6 @@ diff -b -B --ignore-all-space --exclude-
 +type nslcd_exec_t;
 +init_daemon_domain(nslcd_t, nslcd_exec_t)
 +
-+#permissive nslcd_t;
-+
 +type nslcd_initrc_exec_t;
 +init_script_file(nslcd_initrc_exec_t)
 +
@@ -12976,18 +13056,22 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.26/policy/modules/services/policykit.fc
 --- nsaserefpolicy/policy/modules/services/policykit.fc	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/policykit.fc	2009-07-31 06:55:00.000000000 -0400
-@@ -1,7 +1,9 @@
++++ serefpolicy-3.6.26/policy/modules/services/policykit.fc	2009-08-13 15:56:23.000000000 -0400
+@@ -1,10 +1,13 @@
  /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-+/usr/libexec/polkit-gnome-authentication-agent-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
  /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
  /usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
 -/usr/libexec/polkitd			--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/libexec/polkit-1/polkit-agent-helper-1 --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/libexec/polkit-1/polkitd.*		--	gen_context(system_u:object_r:policykit_exec_t,s0)
  
  /var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:policykit_reload_t,s0)
  /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
++/var/lib/polkit-1(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
+ /var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
+ /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.26/policy/modules/services/policykit.if
 --- nsaserefpolicy/policy/modules/services/policykit.if	2009-07-23 14:11:04.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/services/policykit.if	2009-08-03 06:44:10.000000000 -0400
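Review bot: The removal of the `/usr/libexec/polkit-gnome-authentication-agent-1` entry means the GNOME agent no longer transitions to the policykit_auth domain and will run in the invoking user's domain, while the newly labelled `/usr/libexec/polkit-1/polkit-agent-helper-1` does get `policykit_auth_exec_t`; nothing in the hunk says whether that split is intentional. If the reasoning is that the agent is unprivileged and only the helper needs the transition, a short `#` comment above the polkit-1 entries would prevent the agent line from being re-added later. The new `/var/lib/polkit-1(/.*)?` entry mirrors the existing PolicyKit paths and looks consistent.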
@@ -14789,7 +14873,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.26/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/samba.te	2009-08-06 07:30:26.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/samba.te	2009-08-13 18:18:57.000000000 -0400
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -14823,7 +14907,16 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	pcscd_read_pub_files(samba_net_t)
-@@ -341,6 +350,8 @@
+@@ -325,6 +334,8 @@
+ files_read_etc_runtime_files(smbd_t)
+ files_read_usr_files(smbd_t)
+ files_search_spool(smbd_t)
++# smbd seems to getattr all mountpoints
++files_dontaudit_getattr_all_dirs(smbd_t)
+ # Allow samba to list mnt_t for potential mounted dirs
+ files_list_mnt(smbd_t)
+ 
+@@ -341,6 +352,8 @@
  
  usermanage_read_crack_db(smbd_t)
  
@@ -14832,7 +14925,7 @@ diff -b -B --ignore-all-space --exclude-
  ifdef(`hide_broken_symptoms', `
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -352,19 +363,19 @@
+@@ -352,19 +365,19 @@
  ') 
  
  tunable_policy(`samba_domain_controller',`
@@ -14858,7 +14951,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -376,6 +387,15 @@
+@@ -376,6 +389,15 @@
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -14874,7 +14967,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
-@@ -391,6 +411,11 @@
+@@ -391,6 +413,11 @@
  ')
  
  optional_policy(`
@@ -14886,7 +14979,7 @@ diff -b -B --ignore-all-space --exclude-
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -405,13 +430,15 @@
+@@ -405,13 +432,15 @@
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -14903,7 +14996,7 @@ diff -b -B --ignore-all-space --exclude-
  	auth_read_all_files_except_shadow(nmbd_t)
  ')
  
-@@ -420,8 +447,8 @@
+@@ -420,8 +449,8 @@
  	auth_manage_all_files_except_shadow(smbd_t)
  	fs_read_noxattr_fs_files(nmbd_t) 
  	auth_manage_all_files_except_shadow(nmbd_t)
@@ -14913,7 +15006,7 @@ diff -b -B --ignore-all-space --exclude-
  
  ########################################
  #
-@@ -525,6 +552,7 @@
+@@ -525,6 +554,7 @@
  
  allow smbcontrol_t winbind_t:process { signal signull };
  
@@ -14921,7 +15014,7 @@ diff -b -B --ignore-all-space --exclude-
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -638,6 +666,10 @@
+@@ -638,6 +668,10 @@
  
  allow swat_t smbd_var_run_t:file { lock unlink };
  
@@ -14932,7 +15025,7 @@ diff -b -B --ignore-all-space --exclude-
  rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
  
-@@ -713,12 +745,23 @@
+@@ -713,12 +747,23 @@
  	kerberos_use(swat_t)
  ')
  
@@ -14957,7 +15050,7 @@ diff -b -B --ignore-all-space --exclude-
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process { signal_perms getsched setsched };
  allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -866,6 +909,16 @@
+@@ -866,6 +911,16 @@
  #
  
  optional_policy(`
@@ -14974,7 +15067,7 @@ diff -b -B --ignore-all-space --exclude-
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -876,9 +929,12 @@
+@@ -876,9 +931,12 @@
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -15803,8 +15896,8 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.26/policy/modules/services/shorewall.te
 --- nsaserefpolicy/policy/modules/services/shorewall.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.26/policy/modules/services/shorewall.te	2009-07-30 15:33:09.000000000 -0400
-@@ -0,0 +1,97 @@
++++ serefpolicy-3.6.26/policy/modules/services/shorewall.te	2009-08-13 09:47:21.000000000 -0400
+@@ -0,0 +1,95 @@
 +policy_module(shorewall,1.0.0)
 +
 +########################################
@@ -15900,8 +15993,6 @@ diff -b -B --ignore-all-space --exclude-
 +optional_policy(`
 +	ulogd_search_log(shorewall_t)
 +')
-+
-+permissive shorewall_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.26/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/services/smartmon.te	2009-07-30 15:33:09.000000000 -0400
@@ -17012,7 +17103,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.26/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/virt.if	2009-08-12 16:06:07.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/virt.if	2009-08-13 15:24:46.000000000 -0400
 @@ -103,7 +103,7 @@
  
  ########################################
@@ -17110,7 +17201,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	All of the rules required to administrate 
  ##	an virt environment
  ## </summary>
-@@ -327,3 +364,76 @@
+@@ -327,3 +364,77 @@
  
  	virt_manage_log($1)
  ')
@@ -17184,12 +17275,13 @@ diff -b -B --ignore-all-space --exclude-
 +	')
 +
 +	files_search_var($1)
++	manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
 +	manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
 +	manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.26/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/virt.te	2009-08-12 16:05:46.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/virt.te	2009-08-13 16:49:58.000000000 -0400
 @@ -20,6 +20,28 @@
  ## </desc>
  gen_tunable(virt_use_samba, false)
@@ -17391,16 +17483,16 @@ diff -b -B --ignore-all-space --exclude-
 +optional_policy(`
 +	lvm_domtrans(virtd_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	qemu_domtrans(virtd_t)
 +        policykit_dbus_chat(virtd_t)
 +	policykit_domtrans_auth(virtd_t)
 +	policykit_domtrans_resolve(virtd_t)
 +	policykit_read_lib(virtd_t)
 +')
- 
- optional_policy(`
--	qemu_domtrans(virtd_t)
++
++optional_policy(`
 +	qemu_spec_domtrans(virtd_t, svirt_t)
  	qemu_read_state(virtd_t)
  	qemu_signal(virtd_t)
@@ -17409,7 +17501,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -195,8 +292,161 @@
+@@ -195,8 +292,159 @@
  
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
@@ -17427,8 +17519,6 @@ diff -b -B --ignore-all-space --exclude-
 +manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 +manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 +
-+permissive virtd_t;
-+
 +########################################
 +#
 +# svirt local policy
@@ -17595,8 +17685,8 @@ diff -b -B --ignore-all-space --exclude-
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.26/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/xserver.fc	2009-07-30 15:33:09.000000000 -0400
-@@ -3,12 +3,16 @@
++++ serefpolicy-3.6.26/policy/modules/services/xserver.fc	2009-08-13 13:40:39.000000000 -0400
+@@ -3,12 +3,17 @@
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
  HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
@@ -17607,13 +17697,14 @@ diff -b -B --ignore-all-space --exclude-
  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +HOME_DIR/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
-+HOME_DIR/\.dmrc			--	gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.dmrc		--	gen_context(system_u:object_r:xdm_home_t,s0)
  
-+/root/\.xauth.*			--	gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.Xauth.*		--	gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.xauth.*		--	gen_context(system_u:object_r:xauth_home_t,s0)
  #
  # /dev
  #
-@@ -32,11 +36,6 @@
+@@ -32,11 +37,6 @@
  /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  
@@ -17625,7 +17716,7 @@ diff -b -B --ignore-all-space --exclude-
  #
  # /opt
  #
-@@ -61,7 +60,9 @@
+@@ -61,7 +61,9 @@
  /usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
@@ -17635,7 +17726,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
  ifdef(`distro_debian', `
-@@ -89,16 +90,27 @@
+@@ -89,16 +91,27 @@
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -19843,7 +19934,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.26/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-07-30 09:44:08.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/init.te	2009-08-12 16:06:54.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/init.te	2009-08-13 15:46:16.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -19912,7 +20003,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-+	consolekit_read_log(init_t)
++	consolekit_manage_log(init_t)
 +')
 +
 +optional_policy(`
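Review bot: `consolekit_manage_log(init_t)` replaces the read-only `consolekit_read_log(init_t)`, so init_t gains create, write, rename and unlink on `consolekit_log_t` rather than just read. init_t is already highly privileged, but full manage rights on another service's log type are broader than an init process normally needs; if the denial that prompted this was only write or append, a narrower interface would be preferable, and either way a `# init writes ConsoleKit history on shutdown`-style comment (or whatever the actual trigger was) should record why the wider grant is justified.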
@@ -20005,7 +20096,16 @@ diff -b -B --ignore-all-space --exclude-
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
  fs_write_ramfs_pipes(initrc_t)
-@@ -328,7 +375,7 @@
+@@ -289,6 +336,8 @@
+ fs_unmount_all_fs(initrc_t)
+ fs_remount_all_fs(initrc_t)
+ fs_getattr_all_fs(initrc_t)
++fs_search_nfsd_fs(initrc_t)
++fs_getattr_nfsd_files(initrc_t)
+ 
+ # initrc_t needs to do a pidof which requires ptrace
+ mcs_ptrace_all(initrc_t)
+@@ -328,7 +377,7 @@
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -20014,7 +20114,7 @@ diff -b -B --ignore-all-space --exclude-
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -343,14 +390,15 @@
+@@ -343,14 +392,15 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -20032,7 +20132,7 @@ diff -b -B --ignore-all-space --exclude-
  files_exec_etc_files(initrc_t)
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
-@@ -366,7 +414,9 @@
+@@ -366,7 +416,9 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
@@ -20042,7 +20142,7 @@ diff -b -B --ignore-all-space --exclude-
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -423,8 +473,6 @@
+@@ -423,8 +475,6 @@
  	# init scripts touch this
  	clock_dontaudit_write_adjtime(initrc_t)
  
@@ -20051,7 +20151,7 @@ diff -b -B --ignore-all-space --exclude-
  	# for integrated run_init to read run_init_type.
  	# happens during boot (/sbin/rc execs init scripts)
  	seutil_read_default_contexts(initrc_t)
-@@ -451,11 +499,9 @@
+@@ -451,11 +501,9 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -20064,7 +20164,7 @@ diff -b -B --ignore-all-space --exclude-
  	# These seem to be from the initrd
  	# during device initialization:
  	dev_create_generic_dirs(initrc_t)
-@@ -465,6 +511,7 @@
+@@ -465,6 +513,7 @@
  	storage_raw_read_fixed_disk(initrc_t)
  	storage_raw_write_fixed_disk(initrc_t)
  
@@ -20072,7 +20172,7 @@ diff -b -B --ignore-all-space --exclude-
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
  	# wants to read /.fonts directory
-@@ -498,6 +545,7 @@
+@@ -498,6 +547,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
@@ -20080,7 +20180,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	optional_policy(`
-@@ -516,6 +564,33 @@
+@@ -516,6 +566,33 @@
  	')
  ')
  
@@ -20114,7 +20214,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +645,10 @@
+@@ -570,6 +647,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -20125,7 +20225,7 @@ diff -b -B --ignore-all-space --exclude-
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -591,6 +670,10 @@
+@@ -591,6 +672,10 @@
  ')
  
  optional_policy(`
@@ -20136,7 +20236,7 @@ diff -b -B --ignore-all-space --exclude-
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -647,20 +730,20 @@
+@@ -647,20 +732,20 @@
  ')
  
  optional_policy(`
@@ -20163,7 +20263,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -669,6 +752,7 @@
+@@ -669,6 +754,7 @@
  
  	mysql_stream_connect(initrc_t)
  	mysql_write_log(initrc_t)
@@ -20171,7 +20271,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -697,7 +781,6 @@
+@@ -697,7 +783,6 @@
  ')
  
  optional_policy(`
@@ -20179,7 +20279,7 @@ diff -b -B --ignore-all-space --exclude-
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -719,8 +802,6 @@
+@@ -719,8 +804,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -20188,7 +20288,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -733,10 +814,12 @@
+@@ -733,10 +816,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -20201,7 +20301,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -755,6 +838,15 @@
+@@ -755,6 +840,15 @@
  ')
  
  optional_policy(`
@@ -20217,7 +20317,7 @@ diff -b -B --ignore-all-space --exclude-
  	unconfined_domain(initrc_t)
  
  	ifdef(`distro_redhat',`
-@@ -765,6 +857,13 @@
+@@ -765,6 +859,13 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -20231,7 +20331,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -790,3 +889,31 @@
+@@ -790,3 +891,31 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -22504,7 +22604,7 @@ diff -b -B --ignore-all-space --exclude-
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.26/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/sysnetwork.if	2009-08-11 13:58:43.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/sysnetwork.if	2009-08-13 12:00:25.000000000 -0400
 @@ -43,6 +43,39 @@
  
  	sysnet_domtrans_dhcpc($1)
@@ -22592,7 +22692,15 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -541,6 +594,7 @@
+@@ -464,6 +517,7 @@
+ 	')
+ 
+ 	files_search_etc($1)
++	allow $1 dhcp_etc_t:dir list_dir_perms;
+ 	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
+ ')
+ 
+@@ -541,6 +595,7 @@
  		type net_conf_t;
  	')
  
@@ -22600,7 +22708,7 @@ diff -b -B --ignore-all-space --exclude-
  	allow $1 self:tcp_socket create_socket_perms;
  	allow $1 self:udp_socket create_socket_perms;
  
-@@ -557,6 +611,14 @@
+@@ -557,6 +612,14 @@
  
  	files_search_etc($1)
  	allow $1 net_conf_t:file read_file_perms;
@@ -22615,7 +22723,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -586,6 +648,8 @@
+@@ -586,6 +649,8 @@
  
  	files_search_etc($1)
  	allow $1 net_conf_t:file read_file_perms;
@@ -22624,7 +22732,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -620,3 +684,49 @@
+@@ -620,3 +685,49 @@
  	files_search_etc($1)
  	allow $1 net_conf_t:file read_file_perms;
  ')
@@ -22889,7 +22997,7 @@ diff -b -B --ignore-all-space --exclude-
  /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.26/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/udev.te	2009-08-11 14:30:39.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/udev.te	2009-08-13 09:56:06.000000000 -0400
 @@ -50,6 +50,7 @@
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -22922,22 +23030,7 @@ diff -b -B --ignore-all-space --exclude-
  
  modutils_domtrans_insmod(udev_t)
  # read modules.inputmap:
-@@ -182,9 +186,11 @@
- 	# for arping used for static IP addresses on PCMCIA ethernet
- 	netutils_domtrans(udev_t)
- 
--	optional_policy(`
--		unconfined_domain(udev_t)
--	')
-+	permissive udev_t;
-+
-+#	optional_policy(`
-+#		unconfined_domain(udev_t)
-+#	')
- ')
- 
- optional_policy(`
-@@ -194,6 +200,10 @@
+@@ -194,6 +198,10 @@
  ')
  
  optional_policy(`
@@ -22948,7 +23041,7 @@ diff -b -B --ignore-all-space --exclude-
  	brctl_domtrans(udev_t)
  ')
  
-@@ -202,14 +212,27 @@
+@@ -202,14 +210,27 @@
  ')
  
  optional_policy(`
@@ -22976,7 +23069,7 @@ diff -b -B --ignore-all-space --exclude-
  	lvm_domtrans(udev_t)
  ')
  
-@@ -219,6 +242,7 @@
+@@ -219,6 +240,7 @@
  
  optional_policy(`
  	hal_dgram_send(udev_t)
@@ -22984,7 +23077,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -228,6 +252,10 @@
+@@ -228,6 +250,10 @@
  ')
  
  optional_policy(`
@@ -22995,7 +23088,7 @@ diff -b -B --ignore-all-space --exclude-
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -242,6 +270,14 @@
+@@ -242,6 +268,18 @@
  ')
  
  optional_policy(`
@@ -23007,6 +23100,10 @@ diff -b -B --ignore-all-space --exclude-
 +')
 +
 +optional_policy(`
++	unconfined_signal(udev_t)
++')
++
++optional_policy(`
  	kernel_write_xen_state(udev_t)
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
@@ -23032,7 +23129,7 @@ diff -b -B --ignore-all-space --exclude-
 -')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.26/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/unconfined.if	2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/unconfined.if	2009-08-13 16:47:59.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -23103,18 +23200,30 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	optional_policy(`
-@@ -111,6 +122,10 @@
+@@ -111,16 +122,17 @@
  ## </param>
  #
  interface(`unconfined_domain',`
+-	unconfined_domain_noaudit($1)
 +	gen_require(`
 +		attribute unconfined_services;
 +	')	
 +
- 	unconfined_domain_noaudit($1)
++	#		unconfined_domain_noaudit($1)
++	permissive $1;
  
  	tunable_policy(`allow_execheap',`
-@@ -173,411 +188,3 @@
+ 		auditallow $1 self:process execheap;
+ 	')
+ 
+-# Turn off this audit for FC5
+-#	tunable_policy(`allow_execmem',`
+-#		auditallow $1 self:process execmem;
+-#	')
+ ')
+ 
+ ########################################
+@@ -173,411 +185,3 @@
  	refpolicywarn(`$0($1) has been deprecated.')
  ')
  
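Review bot: `permissive $1;` now stands in for `unconfined_domain_noaudit($1)`, so every domain that calls `unconfined_domain()` is exempted from enforcement in the kernel regardless of the global enforcing mode, and the allow rules and attribute assignments the commented-out call contributed for `$1` are no longer in the policy at all; nothing in the hunk marks this as the temporary diagnostic the changelog describes, so it ships in any build of this patch. A comment above the new line, e.g. `# TEMPORARY (3.6.26-11): permissive instead of unconfined_domain_noaudit to surface AVCs; revert before release`, would at least record the intent. The retained `auditallow $1 self:process execheap;` only audits accesses the policy grants, so unless `$1` gets `execheap` from some other rule that access will now show up as a permissive-mode denial rather than through this auditallow. The `gen_require(` block for `attribute unconfined_services;` added at the top is not referenced anywhere in the visible body of the interface and looks like a leftover.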
@@ -23777,7 +23886,7 @@ diff -b -B --ignore-all-space --exclude-
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.26/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/userdomain.if	2009-08-10 11:36:42.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/userdomain.if	2009-08-12 16:13:59.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -24215,11 +24324,12 @@ diff -b -B --ignore-all-space --exclude-
  
  	##############################
  	#
-@@ -511,182 +518,194 @@
+@@ -511,182 +518,195 @@
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 +	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
++	allow $1_t self:socket create_socket_perms;
  
 -	allow $1_t unpriv_userdomain:fd use;
 +	allow $1_usertype unpriv_userdomain:fd use;
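Review bot: `allow $1_t self:socket create_socket_perms;` grants every user type built from this template the generic `socket` class, which covers any socket family or protocol the kernel does not map to a class of its own, and unlike the `netlink_socket` and `netlink_route_socket` lines just above it is an `allow` rather than a `dontaudit` and carries no comment saying which application needs it. If a specific consumer drove this, name it in a comment in the style of the preceding lines (e.g. `# <app> creates a generic socket during <step>`) and consider whether a `dontaudit` or a family-specific class would suffice; if nothing is known to need it, drop the rule. The template this line belongs to starts outside the hunk.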
@@ -24486,7 +24596,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -714,13 +733,26 @@
+@@ -714,13 +734,26 @@
  
  	userdom_base_user_template($1)
  
@@ -24518,7 +24628,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	userdom_change_password_template($1)
  
-@@ -738,70 +770,71 @@
+@@ -738,70 +771,71 @@
  
  	allow $1_t self:context contains;
  
@@ -24623,7 +24733,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -838,6 +871,28 @@
+@@ -838,6 +872,28 @@
  	# Local policy
  	#
  
@@ -24652,7 +24762,7 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
  		loadkeys_run($1_t,$1_r)
  	')
-@@ -868,7 +923,10 @@
+@@ -868,7 +924,10 @@
  
  	userdom_restricted_user_template($1)
  
@@ -24664,7 +24774,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	##############################
  	#
-@@ -876,14 +934,19 @@
+@@ -876,14 +935,19 @@
  	#
  
  	auth_role($1_r, $1_t)
@@ -24689,7 +24799,7 @@ diff -b -B --ignore-all-space --exclude-
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -891,28 +954,47 @@
+@@ -891,28 +955,47 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -24744,7 +24854,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -946,8 +1028,8 @@
+@@ -946,8 +1029,8 @@
  	# Declarations
  	#
  
@@ -24754,7 +24864,7 @@ diff -b -B --ignore-all-space --exclude-
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,11 +1038,12 @@
+@@ -956,11 +1039,12 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -24769,7 +24879,7 @@ diff -b -B --ignore-all-space --exclude-
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -978,36 +1061,53 @@
+@@ -978,36 +1062,53 @@
  		')
  	')
  
@@ -24837,7 +24947,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -1042,7 +1142,7 @@
+@@ -1042,7 +1143,7 @@
  #
  template(`userdom_admin_user_template',`
  	gen_require(`
@@ -24846,7 +24956,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	##############################
-@@ -1051,8 +1151,7 @@
+@@ -1051,8 +1152,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -24856,7 +24966,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1075,7 +1174,8 @@
+@@ -1075,7 +1175,8 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -24866,7 +24976,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1091,6 +1191,7 @@
+@@ -1091,6 +1192,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -24874,7 +24984,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1098,8 +1199,6 @@
+@@ -1098,8 +1200,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -24883,7 +24993,7 @@ diff -b -B --ignore-all-space --exclude-
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1154,20 +1253,6 @@
+@@ -1154,20 +1254,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -24904,7 +25014,7 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1213,6 +1298,7 @@
+@@ -1213,6 +1299,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -24912,7 +25022,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1278,11 +1364,15 @@
+@@ -1278,11 +1365,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -24928,7 +25038,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1374,12 +1464,13 @@
+@@ -1374,12 +1465,13 @@
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -24943,7 +25053,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1412,6 +1503,14 @@
+@@ -1412,6 +1504,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -24958,7 +25068,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1427,9 +1526,11 @@
+@@ -1427,9 +1527,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -24970,7 +25080,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1486,6 +1587,25 @@
+@@ -1486,6 +1588,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -24996,7 +25106,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1560,6 +1680,8 @@
+@@ -1560,6 +1681,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -25005,7 +25115,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1653,6 +1775,7 @@
+@@ -1653,6 +1776,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -25013,7 +25123,7 @@ diff -b -B --ignore-all-space --exclude-
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1780,19 +1903,32 @@
+@@ -1780,19 +1904,32 @@
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -25053,7 +25163,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1827,6 +1963,7 @@
+@@ -1827,6 +1964,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -25061,7 +25171,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2374,7 +2511,7 @@
+@@ -2374,7 +2512,7 @@
  
  ########################################
  ## <summary>
@@ -25070,7 +25180,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2728,11 +2865,32 @@
+@@ -2728,11 +2866,32 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -25105,7 +25215,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2860,7 +3018,25 @@
+@@ -2860,7 +3019,25 @@
  		type user_tmp_t;
  	')
  
@@ -25132,7 +25242,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2897,6 +3073,7 @@
+@@ -2897,6 +3074,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -25140,7 +25250,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_search_proc($1)
  ')
  
-@@ -3027,3 +3204,501 @@
+@@ -3027,3 +3205,501 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.895
retrieving revision 1.896
diff -u -p -r1.895 -r1.896
--- selinux-policy.spec	12 Aug 2009 20:10:51 -0000	1.895
+++ selinux-policy.spec	13 Aug 2009 22:33:07 -0000	1.896
@@ -15,12 +15,12 @@
 %endif
 %define POLICYVER 23
 %define libsepolver 2.0.20-1
-%define POLICYCOREUTILSVER 2.0.62-10
+%define POLICYCOREUTILSVER 2.0.71-2
 %define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.26
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -348,7 +348,7 @@ if [ $1 -eq 1 ]; then
    %loadpolicy targeted $packages
    restorecon -R /root /var/log /var/run 2> /dev/null
 else
-   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth 2>/dev/null
+   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit 2>/dev/null
    packages="%{expand:%%moduleList targeted} `get_unconfined`"
    %loadpolicy targeted $packages
    %relabel targeted
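Review bot: Replacing `-r polkit_auth` with `-r polkit` drops the removal of the old module name, so a host upgrading from a release that installed `polkit_auth` keeps that stale module unless something else removes it, and the `2>/dev/null` on this line hides any resulting semodule error. If `polkit` superseded `polkit_auth`, keep both during the transition: `semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit 2>/dev/null`. The same applies to the `%post mls` line changed in the next hunk.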
@@ -459,7 +459,7 @@ SELinux Reference policy mls base module
 %saveFileContext mls
 
 %post mls 
-semodule -n -s mls -r mailscanner -r polkit_auth 2>/dev/null
+semodule -n -s mls -r mailscanner -r polkit 2>/dev/null
 packages="%{expand:%%moduleList mls}"
 %loadpolicy mls $packages
 
@@ -475,6 +475,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Aug 13 2009 Dan Walsh <dwalsh at redhat.com> 3.6.26-11
+- Make all unconfined_domains permissive so we can see what AVC's happen 
+
 * Mon Aug 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.26-10
 - Add pt_chown policy
 



