rpms/selinux-policy/F-12 policy-F12.patch, 1.152, 1.153 selinux-policy.spec, 1.980, 1.981
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Dec 10 21:38:25 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22917
Modified Files:
policy-F12.patch selinux-policy.spec
Log Message:
* Thu Dec 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-58
- Dontaudit udp_socket leaks for xauth_t
policy-F12.patch:
Makefile | 2
policy/flask/access_vectors | 1
policy/global_tunables | 24
policy/mcs | 10
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 3
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/kismet.fc | 2
policy/modules/admin/kismet.te | 13
policy/modules/admin/logrotate.te | 27
policy/modules/admin/logwatch.te | 8
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/ntop.fc | 5
policy/modules/admin/ntop.if | 158 ++
policy/modules/admin/ntop.te | 40
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.fc | 1
policy/modules/admin/prelink.if | 23
policy/modules/admin/prelink.te | 77 +
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 344 ++++++
policy/modules/admin/rpm.te | 98 +
policy/modules/admin/shorewall.fc | 6
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 9
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 66 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 10
policy/modules/admin/tzdata.te | 2
policy/modules/admin/usermanage.if | 11
policy/modules/admin/usermanage.te | 35
policy/modules/admin/vbetool.te | 14
policy/modules/admin/vpn.te | 4
policy/modules/apps/calamaris.te | 7
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 86 +
policy/modules/apps/chrome.te | 78 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 42
policy/modules/apps/execmem.if | 80 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 64 +
policy/modules/apps/gitosis.if | 45
policy/modules/apps/gnome.fc | 12
policy/modules/apps/gnome.if | 170 +++
policy/modules/apps/gnome.te | 99 +
policy/modules/apps/gpg.te | 20
policy/modules/apps/java.fc | 24
policy/modules/apps/java.if | 114 +-
policy/modules/apps/java.te | 19
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 67 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 52
policy/modules/apps/livecd.te | 27
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.fc | 2
policy/modules/apps/mono.if | 101 +
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 68 +
policy/modules/apps/mozilla.te | 28
policy/modules/apps/nsplugin.fc | 11
policy/modules/apps/nsplugin.if | 323 +++++
policy/modules/apps/nsplugin.te | 295 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 93 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/podsleuth.te | 4
policy/modules/apps/ptchown.if | 25
policy/modules/apps/pulseaudio.if | 2
policy/modules/apps/pulseaudio.te | 13
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 189 +++
policy/modules/apps/qemu.te | 85 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 60 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 188 +++
policy/modules/apps/sandbox.te | 331 +++++
policy/modules/apps/screen.if | 8
policy/modules/apps/sectoolm.fc | 6
policy/modules/apps/sectoolm.if | 3
policy/modules/apps/sectoolm.te | 120 ++
policy/modules/apps/seunshare.fc | 2
policy/modules/apps/seunshare.if | 81 +
policy/modules/apps/seunshare.te | 43
policy/modules/apps/vmware.te | 1
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 115 ++
policy/modules/apps/wine.te | 34
policy/modules/kernel/corecommands.fc | 45
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.te.in | 46
policy/modules/kernel/devices.fc | 13
policy/modules/kernel/devices.if | 309 +++++
policy/modules/kernel/devices.te | 25
policy/modules/kernel/domain.if | 170 ++-
policy/modules/kernel/domain.te | 89 +
policy/modules/kernel/files.fc | 5
policy/modules/kernel/files.if | 417 +++++++
policy/modules/kernel/files.te | 6
policy/modules/kernel/filesystem.fc | 2
policy/modules/kernel/filesystem.if | 256 ++++
policy/modules/kernel/filesystem.te | 16
policy/modules/kernel/kernel.if | 98 +
policy/modules/kernel/kernel.te | 32
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 2
policy/modules/kernel/storage.if | 3
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 65 +
policy/modules/kernel/terminal.te | 1
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 124 --
policy/modules/roles/sysadm.te | 127 --
policy/modules/roles/unconfineduser.fc | 8
policy/modules/roles/unconfineduser.if | 667 +++++++++++
policy/modules/roles/unconfineduser.te | 450 ++++++++
policy/modules/roles/unprivuser.te | 127 --
policy/modules/roles/xguest.te | 74 +
policy/modules/services/abrt.fc | 6
policy/modules/services/abrt.if | 102 +
policy/modules/services/abrt.te | 116 +-
policy/modules/services/afs.fc | 1
policy/modules/services/afs.te | 3
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 112 +
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 57 -
policy/modules/services/apache.if | 410 ++++---
policy/modules/services/apache.te | 453 ++++++--
policy/modules/services/apm.te | 6
policy/modules/services/arpwatch.te | 2
policy/modules/services/asterisk.if | 39
policy/modules/services/asterisk.te | 25
policy/modules/services/automount.te | 2
policy/modules/services/avahi.te | 10
policy/modules/services/bind.if | 40
policy/modules/services/bitlbee.te | 2
policy/modules/services/bluetooth.if | 21
policy/modules/services/bluetooth.te | 11
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.te | 33
policy/modules/services/certmaster.fc | 3
policy/modules/services/certmaster.te | 2
policy/modules/services/chronyd.fc | 11
policy/modules/services/chronyd.if | 105 +
policy/modules/services/chronyd.te | 67 +
policy/modules/services/clamav.te | 18
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 98 +
policy/modules/services/clogd.te | 62 +
policy/modules/services/cobbler.fc | 2
policy/modules/services/cobbler.if | 44
policy/modules/services/cobbler.te | 5
policy/modules/services/consolekit.fc | 3
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 25
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 +
policy/modules/services/corosync.te | 109 +
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 74 +
policy/modules/services/cron.te | 84 +
policy/modules/services/cups.fc | 13
policy/modules/services/cups.te | 51
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 1
policy/modules/services/dbus.if | 54
policy/modules/services/dbus.te | 25
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/devicekit.fc | 2
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 60 -
policy/modules/services/dnsmasq.te | 12
policy/modules/services/dovecot.fc | 1
policy/modules/services/dovecot.te | 31
policy/modules/services/exim.te | 5
policy/modules/services/fail2ban.if | 21
policy/modules/services/fail2ban.te | 2
policy/modules/services/fetchmail.te | 3
policy/modules/services/fprintd.te | 5
policy/modules/services/ftp.te | 60 -
policy/modules/services/git.fc | 8
policy/modules/services/git.if | 286 +++++
policy/modules/services/git.te | 166 ++
policy/modules/services/gpm.te | 3
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 14
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 51
policy/modules/services/howl.te | 2
policy/modules/services/inetd.fc | 2
policy/modules/services/inetd.te | 4
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 16
policy/modules/services/kerneloops.te | 2
policy/modules/services/ksmtuned.fc | 5
policy/modules/services/ksmtuned.if | 76 +
policy/modules/services/ksmtuned.te | 46
policy/modules/services/ktalk.te | 1
policy/modules/services/lircd.fc | 2
policy/modules/services/lircd.if | 9
policy/modules/services/lircd.te | 24
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 2
policy/modules/services/milter.if | 2
policy/modules/services/modemmanager.te | 5
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 32
policy/modules/services/mta.te | 36
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 9
policy/modules/services/nagios.fc | 20
policy/modules/services/nagios.if | 89 +
policy/modules/services/nagios.te | 106 +
policy/modules/services/networkmanager.fc | 15
policy/modules/services/networkmanager.if | 65 +
policy/modules/services/networkmanager.te | 117 +-
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 18
policy/modules/services/nscd.te | 21
policy/modules/services/nslcd.if | 8
policy/modules/services/ntop.fc | 1
policy/modules/services/ntop.te | 20
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 8
policy/modules/services/nut.fc | 16
policy/modules/services/nut.if | 58 +
policy/modules/services/nut.te | 188 +++
policy/modules/services/nx.fc | 10
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/openvpn.te | 2
policy/modules/services/pcscd.if | 41
policy/modules/services/pcscd.te | 4
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 304 +++++
policy/modules/services/plymouth.te | 102 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 67 -
policy/modules/services/portreserve.te | 1
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++
policy/modules/services/postfix.te | 142 ++
policy/modules/services/postgresql.fc | 16
policy/modules/services/postgresql.if | 43
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 16
policy/modules/services/prelude.te | 3
policy/modules/services/privoxy.fc | 3
policy/modules/services/privoxy.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/radvd.te | 1
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 83 +
policy/modules/services/rhcs.fc | 22
policy/modules/services/rhcs.if | 348 ++++++
policy/modules/services/rhcs.te | 394 +++++++
policy/modules/services/ricci.te | 30
policy/modules/services/rpc.if | 7
policy/modules/services/rpc.te | 19
policy/modules/services/rpcbind.if | 20
policy/modules/services/rpcbind.te | 1
policy/modules/services/rsync.te | 23
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 4
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 104 +
policy/modules/services/samba.te | 89 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 87 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 83 +
policy/modules/services/smartmon.te | 15
policy/modules/services/snmp.if | 38
policy/modules/services/snmp.te | 4
policy/modules/services/snort.te | 1
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 89 +
policy/modules/services/spamassassin.te | 139 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 207 +++
policy/modules/services/ssh.te | 155 ++
policy/modules/services/sssd.fc | 5
policy/modules/services/sssd.if | 62 +
policy/modules/services/sssd.te | 15
policy/modules/services/sysstat.te | 5
policy/modules/services/tftp.fc | 2
policy/modules/services/tgtd.fc | 3
policy/modules/services/tgtd.if | 28
policy/modules/services/tgtd.te | 69 +
policy/modules/services/tor.te | 13
policy/modules/services/tuned.fc | 6
policy/modules/services/tuned.if | 140 ++
policy/modules/services/tuned.te | 58 +
policy/modules/services/uucp.te | 10
policy/modules/services/vhostmd.fc | 6
policy/modules/services/vhostmd.if | 228 ++++
policy/modules/services/vhostmd.te | 87 +
policy/modules/services/virt.fc | 14
policy/modules/services/virt.if | 210 +++
policy/modules/services/virt.te | 276 ++++
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 45
policy/modules/services/xserver.if | 637 ++++++++++-
policy/modules/services/xserver.te | 368 +++++-
policy/modules/services/zebra.if | 20
policy/modules/system/application.if | 20
policy/modules/system/application.te | 12
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 210 +++
policy/modules/system/authlogin.te | 11
policy/modules/system/fstools.fc | 3
policy/modules/system/fstools.te | 7
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 163 ++
policy/modules/system/init.te | 290 +++--
policy/modules/system/ipsec.fc | 7
policy/modules/system/ipsec.if | 45
policy/modules/system/ipsec.te | 75 +
policy/modules/system/iptables.fc | 17
policy/modules/system/iptables.if | 97 +
policy/modules/system/iptables.te | 22
policy/modules/system/iscsi.if | 40
policy/modules/system/iscsi.te | 8
policy/modules/system/kdump.te | 5
policy/modules/system/libraries.fc | 184 ++-
policy/modules/system/libraries.if | 5
policy/modules/system/libraries.te | 18
policy/modules/system/locallogin.te | 30
policy/modules/system/logging.fc | 12
policy/modules/system/logging.if | 20
policy/modules/system/logging.te | 38
policy/modules/system/lvm.if | 39
policy/modules/system/lvm.te | 31
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 60 +
policy/modules/system/miscfiles.te | 2
policy/modules/system/modutils.fc | 1
policy/modules/system/modutils.if | 46
policy/modules/system/modutils.te | 56
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 82 +
policy/modules/system/mount.te | 86 +
policy/modules/system/raid.fc | 2
policy/modules/system/raid.te | 8
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 309 +++++
policy/modules/system/selinuxutil.te | 229 +---
policy/modules/system/setrans.if | 20
policy/modules/system/sysnetwork.fc | 10
policy/modules/system/sysnetwork.if | 114 +-
policy/modules/system/sysnetwork.te | 79 +
policy/modules/system/udev.fc | 3
policy/modules/system/udev.if | 39
policy/modules/system/udev.te | 39
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 443 -------
policy/modules/system/unconfined.te | 224 ---
policy/modules/system/userdomain.fc | 7
policy/modules/system/userdomain.if | 1685 +++++++++++++++++++++++-------
policy/modules/system/userdomain.te | 51
policy/modules/system/xen.fc | 6
policy/modules/system/xen.if | 47
policy/modules/system/xen.te | 144 ++
policy/support/obj_perm_sets.spt | 31
policy/users | 13
407 files changed, 20787 insertions(+), 2822 deletions(-)
Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.152
retrieving revision 1.153
diff -u -p -r1.152 -r1.153
--- policy-F12.patch 9 Dec 2009 19:53:38 -0000 1.152
+++ policy-F12.patch 10 Dec 2009 21:38:24 -0000 1.153
@@ -666,8 +666,34 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.32/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/prelink.if 2009-12-03 13:45:10.000000000 -0500
-@@ -151,11 +151,11 @@
++++ serefpolicy-3.6.32/policy/modules/admin/prelink.if 2009-12-10 15:16:57.000000000 -0500
+@@ -21,6 +21,25 @@
+
+ ########################################
+ ## <summary>
++## Execute the prelink program in the current domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`prelink_exec',`
++ gen_require(`
++ type prelink_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, prelink_exec_t)
++')
++
++########################################
++## <summary>
+ ## Execute the prelink program in the prelink domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -151,11 +170,11 @@
## </summary>
## </param>
#
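Review bot: the new `prelink_exec` interface grants `can_exec($1, prelink_exec_t)` with no domain transition, so the caller runs prelink with its own permissions rather than in prelink_t; the summary should state the intended use (for example read-only invocations such as `prelink -y`) and point callers that actually rewrite binaries to the existing "Execute the prelink program in the prelink domain" interface that follows it, otherwise readers will pick the wrong one.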
@@ -3635,7 +3661,7 @@ diff -b -B --ignore-all-space --exclude-
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-12-03 13:45:10.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-12-10 16:33:27.000000000 -0500
@@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -3694,7 +3720,7 @@ diff -b -B --ignore-all-space --exclude-
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -231,11 +233,15 @@
+@@ -231,11 +233,20 @@
optional_policy(`
dbus_system_bus_client(mozilla_t)
dbus_session_bus_client(mozilla_t)
@@ -3707,10 +3733,15 @@ diff -b -B --ignore-all-space --exclude-
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++ pulseaudio_exec(mozilla_t)
++ pulseaudio_stream_connect(mozilla_t)
')
optional_policy(`
-@@ -256,5 +262,10 @@
+@@ -256,5 +267,10 @@
')
optional_policy(`
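Review bot: `pulseaudio_exec(mozilla_t)` executes the pulseaudio binary inside mozilla_t instead of transitioning to its own domain, so a daemon autospawned by the browser inherits the browser's permissions; if that is deliberate (session autospawn), say so in the changelog, which currently mentions only the xauth_t dontaudit, and otherwise prefer the domain-transition interface. Placing the two calls in their own `optional_policy` block is correct since pulseaudio is an optional module.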
@@ -4065,7 +4096,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-12-03 13:45:10.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-12-10 15:41:45.000000000 -0500
@@ -0,0 +1,295 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -7282,7 +7313,7 @@ diff -b -B --ignore-all-space --exclude-
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-05 18:26:09.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-10 10:34:27.000000000 -0500
@@ -110,6 +110,11 @@
## </param>
#
@@ -9979,8 +10010,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-09 10:12:44.000000000 -0500
-@@ -0,0 +1,449 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-10 15:25:20.000000000 -0500
+@@ -0,0 +1,450 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -10155,6 +10186,7 @@ diff -b -B --ignore-all-space --exclude-
+ optional_policy(`
+ xserver_rw_shm(unconfined_usertype)
+ xserver_run_xauth(unconfined_usertype, unconfined_r)
++ xserver_xdm_dbus_chat(unconfined_usertype)
+ ')
+')
+
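Review bot: `xserver_xdm_dbus_chat(unconfined_usertype)` is applied to the attribute, so every unconfined user type gets bidirectional dbus send_msg with xdm; that is acceptable for an unconfined role, but the addition is not reflected in the changelog entry for 3.6.32-58, which only lists the xauth_t dontaudit.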
@@ -10843,7 +10875,7 @@ diff -b -B --ignore-all-space --exclude-
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-06 09:56:21.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-10 13:05:08.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -10923,7 +10955,7 @@ diff -b -B --ignore-all-space --exclude-
sysnet_read_config(abrt_t)
-@@ -96,22 +124,84 @@
+@@ -96,22 +124,90 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -10931,10 +10963,8 @@ diff -b -B --ignore-all-space --exclude-
-# read ~/.abrt/Bugzilla.conf
-userdom_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_user_home_content_files(abrt_t)
-
- optional_policy(`
-- dbus_connect_system_bus(abrt_t)
-- dbus_system_bus_client(abrt_t)
++
++optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+')
+
@@ -10952,6 +10982,14 @@ diff -b -B --ignore-all-space --exclude-
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
++')
+
+ optional_policy(`
+- dbus_connect_system_bus(abrt_t)
+- dbus_system_bus_client(abrt_t)
++ prelink_exec(abrt_t)
++ libs_exec_ld_so(abrt_t)
++ corecmd_exec_all_executables(abrt_t)
')
# to install debuginfo packages
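Review bot: the replacement block at the end of this hunk wraps `prelink_exec(abrt_t)`, `libs_exec_ld_so(abrt_t)` and `corecmd_exec_all_executables(abrt_t)` in a single `optional_policy` block, but only prelink is an optional module; libraries and corecommands are base modules, so those two calls belong in the main body, otherwise they silently disappear whenever the prelink module is not loaded. Separately, `corecmd_exec_all_executables` lets the crash daemon execute every executable type in abrt_t, a far wider grant than the two dbus lines it replaces; if it is only needed to run prelink or the crashed program's binary, a comment with the motivating AVC would help, and the changelog should mention it.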
@@ -13919,7 +13957,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-12-10 15:36:16.000000000 -0500
@@ -21,7 +21,7 @@
# consolekit local policy
#
@@ -13929,11 +13967,12 @@ diff -b -B --ignore-all-space --exclude-
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -59,16 +59,21 @@
+@@ -59,16 +59,22 @@
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
+auth_manage_pam_console_data(consolekit_t)
++auth_dontaudit_write_login_records(consolekit_t)
init_telinit(consolekit_t)
init_rw_utmp(consolekit_t)
@@ -13951,7 +13990,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_read_user_tmp_files(consolekit_t)
hal_ptrace(consolekit_t)
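Review bot: `auth_dontaudit_write_login_records(consolekit_t)` suppresses the denial rather than granting the access; since consolekit_t already has `init_rw_utmp`, this presumably covers an attempted write to login records that ConsoleKit does not actually need. Add a one-line comment naming the access being silenced so a later reader does not mistake the dontaudit for a hidden bug, and list it in the changelog.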
-@@ -84,9 +89,12 @@
+@@ -84,9 +90,12 @@
')
optional_policy(`
@@ -13965,7 +14004,7 @@ diff -b -B --ignore-all-space --exclude-
hal_dbus_chat(consolekit_t)
')
-@@ -100,6 +108,7 @@
+@@ -100,6 +109,7 @@
')
optional_policy(`
@@ -13973,7 +14012,7 @@ diff -b -B --ignore-all-space --exclude-
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)
-@@ -108,10 +117,21 @@
+@@ -108,10 +118,21 @@
optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
@@ -15478,9 +15517,20 @@ diff -b -B --ignore-all-space --exclude-
seutil_sigchld_newrole(dnsmasq_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.32/policy/modules/services/dovecot.fc
+--- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-09-16 10:01:19.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.fc 2009-12-10 13:09:30.000000000 -0500
+@@ -34,6 +34,7 @@
+
+ /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
++/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+ /var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
+ /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
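Review bot: adding `/var/log/dovecot(/.*)?` as dovecot_var_log_t changes the label of a directory that may already exist on upgraded systems; a file_contexts entry alone does not relabel files on disk, so unless the package's post-install relabel covers it, `restorecon -R /var/log/dovecot` is needed or the directory keeps its old label and the new manage_dirs rule in dovecot.te never applies. Ordering against the existing `/var/log/dovecot\.log.*` entry is not a concern, since the new pattern requires either end of string or a slash after "dovecot" and so cannot match `dovecot.log`.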
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-10 13:13:04.000000000 -0500
@@ -56,7 +56,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
@@ -15490,7 +15540,18 @@ diff -b -B --ignore-all-space --exclude-
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
-@@ -103,6 +103,7 @@
+@@ -73,8 +73,9 @@
+
+ can_exec(dovecot_t, dovecot_exec_t)
+
++manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+ manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+-logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
++logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
+
+ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+ manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
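Review bot: `manage_dirs_pattern` plus `logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })` makes dovecot_t consistent with the new fc entry, but the hunk touches only dovecot_t; the other domains in this file (dovecot_auth_t and dovecot_deliver_t, visible further down) get nothing for the directory-shaped log location, so if they write under /var/log/dovecot/ they will need matching rules.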
+@@ -103,6 +104,7 @@
dev_read_urand(dovecot_t)
fs_getattr_all_fs(dovecot_t)
@@ -15498,7 +15559,7 @@ diff -b -B --ignore-all-space --exclude-
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)
-@@ -142,6 +143,10 @@
+@@ -142,6 +144,10 @@
')
optional_policy(`
@@ -15509,7 +15570,7 @@ diff -b -B --ignore-all-space --exclude-
seutil_sigchld_newrole(dovecot_t)
')
-@@ -159,7 +164,7 @@
+@@ -159,7 +165,7 @@
#
allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
@@ -15518,7 +15579,7 @@ diff -b -B --ignore-all-space --exclude-
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -220,15 +225,23 @@
+@@ -220,15 +226,23 @@
')
optional_policy(`
@@ -15542,7 +15603,7 @@ diff -b -B --ignore-all-space --exclude-
allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-@@ -260,3 +273,14 @@
+@@ -260,3 +274,14 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
')
@@ -15644,7 +15705,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_sendrecv_generic_if(fetchmail_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.32/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/fprintd.te 2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/fprintd.te 2009-12-10 15:34:43.000000000 -0500
@@ -37,6 +37,8 @@
files_read_etc_files(fprintd_t)
files_read_usr_files(fprintd_t)
@@ -15654,12 +15715,13 @@ diff -b -B --ignore-all-space --exclude-
auth_use_nsswitch(fprintd_t)
miscfiles_read_localization(fprintd_t)
-@@ -51,5 +53,7 @@
+@@ -51,5 +53,8 @@
optional_policy(`
policykit_read_reload(fprintd_t)
policykit_read_lib(fprintd_t)
+ policykit_dbus_chat(fprintd_t)
policykit_domtrans_auth(fprintd_t)
++ policykit_dbus_chat_auth(fprintd_t)
')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
@@ -16423,8 +16485,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-12-03 13:45:11.000000000 -0500
-@@ -55,6 +55,9 @@
++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-12-10 11:28:12.000000000 -0500
+@@ -55,13 +55,16 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -16434,6 +16496,14 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Local policy
+ #
+
+ # execute openvt which needs setuid
+-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
++allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice sys_resource dac_override dac_read_search mknod sys_rawio sys_tty_config };
+ dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
+ allow hald_t self:process { getattr signal_perms };
+ allow hald_t self:fifo_file rw_fifo_file_perms;
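Review bot: `sys_resource` is added to hald_t's capability set without a comment; the only explanatory comment in this block ("execute openvt which needs setuid") covers setuid. sys_resource lets the daemon raise its own resource limits and bypass quota checks, so record the AVC or the hal code path that needs it (a setrlimit probe is usually better handled with a dontaudit), and add the change to the changelog, which only mentions the xauth_t dontaudit.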
@@ -100,7 +103,9 @@
kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
@@ -18289,10 +18359,31 @@ diff -b -B --ignore-all-space --exclude-
+ manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.6.32/policy/modules/services/ntop.fc
+--- nsaserefpolicy/policy/modules/services/ntop.fc 2009-09-16 10:01:19.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/ntop.fc 2009-12-10 11:04:30.000000000 -0500
+@@ -1,7 +1,6 @@
+ /etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
+
+ /usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:ntop_http_content_t,s0)
+
+ /var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
+ /var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
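Review bot: dropping the `/usr/share/ntop/html(/.*)?` entry leaves those files with the default label for /usr/share, and systems that already labelled them ntop_http_content_t keep that context until relabelled; because the type itself is removed in the ntop.te hunk below, such files would carry a context that no longer exists in the loaded policy, so a relabel of /usr/share/ntop on upgrade is required.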
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.6.32/policy/modules/services/ntop.te
--- nsaserefpolicy/policy/modules/services/ntop.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ntop.te 2009-12-03 13:45:11.000000000 -0500
-@@ -37,7 +37,9 @@
++++ serefpolicy-3.6.32/policy/modules/services/ntop.te 2009-12-10 11:04:34.000000000 -0500
+@@ -14,9 +14,6 @@
+ type ntop_etc_t;
+ files_config_file(ntop_etc_t)
+
+-type ntop_http_content_t;
+-files_type(ntop_http_content_t)
+-
+ type ntop_tmp_t;
+ files_tmp_file(ntop_tmp_t)
+
+@@ -37,15 +34,14 @@
allow ntop_t self:fifo_file rw_fifo_file_perms;
allow ntop_t self:tcp_socket create_stream_socket_perms;
allow ntop_t self:udp_socket create_socket_perms;
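Review bot: removing the `+-type ntop_http_content_t;` declaration together with its `/usr/share/ntop/html(/.*)?` file context affects already-installed systems: files currently labeled ntop_http_content_t keep that label on disk, and since the type no longer exists in the loaded policy they show up as unlabeled until a relabel. Check that no interface or other module still references ntop_http_content_t, and note in the changelog that /usr/share/ntop needs a restorecon after this update.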
@@ -18302,7 +18393,15 @@ diff -b -B --ignore-all-space --exclude-
allow ntop_t ntop_etc_t:dir list_dir_perms;
read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
-@@ -57,6 +59,8 @@
+ read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
+
+-allow ntop_t ntop_http_content_t:dir list_dir_perms;
+-read_files_pattern(ntop_t, ntop_http_content_t, ntop_http_content_t)
+-
+ manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+ manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+ files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
+@@ -57,6 +53,8 @@
manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
files_pid_filetrans(ntop_t, ntop_var_run_t, file)
@@ -18311,7 +18410,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_network_state(ntop_t)
kernel_read_kernel_sysctls(ntop_t)
kernel_list_proc(ntop_t)
-@@ -72,12 +76,17 @@
+@@ -72,12 +70,17 @@
corenet_raw_sendrecv_generic_node(ntop_t)
corenet_tcp_sendrecv_all_ports(ntop_t)
corenet_udp_sendrecv_all_ports(ntop_t)
@@ -18329,7 +18428,7 @@ diff -b -B --ignore-all-space --exclude-
fs_getattr_all_fs(ntop_t)
fs_search_auto_mountpoints(ntop_t)
-@@ -85,6 +94,7 @@
+@@ -85,6 +88,7 @@
logging_send_syslog_msg(ntop_t)
miscfiles_read_localization(ntop_t)
@@ -18337,7 +18436,7 @@ diff -b -B --ignore-all-space --exclude-
sysnet_read_config(ntop_t)
-@@ -92,6 +102,10 @@
+@@ -92,6 +96,10 @@
userdom_dontaudit_search_user_home_dirs(ntop_t)
optional_policy(`
@@ -18743,21 +18842,24 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-12-03 13:45:11.000000000 -0500
-@@ -1,7 +1,12 @@
++++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-12-10 11:22:15.000000000 -0500
+@@ -1,7 +1,15 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
-+/opt/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-
--/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
++/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+ /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+-
/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
- /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
++/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
++
++/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
++/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
-+/usr/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
++/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
++/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+
+ /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2009-09-16 10:01:19.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2009-12-03 13:45:11.000000000 -0500
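Review bot: `++/var/lib/nxserver/home/.ssh(/.*)?` leaves the dot before `ssh` unescaped, unlike the `\.ssh` used in the `/opt/NX/home/nx/\.ssh` and `/usr/NX/home/nx/\.ssh` entries of the same hunk. File context paths are regular expressions, so `.ssh` matches any character followed by `ssh`, not only the `.ssh` directory. Change it to `/var/lib/nxserver/home/\.ssh(/.*)?`.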
@@ -19075,8 +19177,8 @@ diff -b -B --ignore-all-space --exclude-
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.32/policy/modules/services/plymouth.if
--- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.if 2009-12-03 13:45:11.000000000 -0500
-@@ -0,0 +1,286 @@
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.if 2009-12-10 15:27:49.000000000 -0500
+@@ -0,0 +1,304 @@
+## <summary>policy for plymouthd</summary>
+
+########################################
@@ -19099,6 +19201,24 @@ diff -b -B --ignore-all-space --exclude-
+
+########################################
+## <summary>
++## Execute a plymoth in the current domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`plymouth_exec', `
++ gen_require(`
++ type plymouthd_exec_t;
++ ')
++
++ can_exec($1, plymouthd_exec_t)
++')
++
++########################################
++## <summary>
+## Execute a domain transition to run plymouthd.
+## </summary>
+## <param name="domain">
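Review bot: the summary of the new `plymouth_exec` interface misspells the program (`## Execute a plymoth in the current domain`), and its parameter is described as `Domain allowed to transition.` although `can_exec($1, plymouthd_exec_t)` performs no transition; the caller stays in its own domain. Suggest `Execute plymouth in the current domain.` and `Domain allowed access.`, matching the wording used by the other interfaces.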
@@ -19365,8 +19485,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-12-03 13:45:11.000000000 -0500
-@@ -0,0 +1,101 @@
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-12-10 15:31:04.000000000 -0500
+@@ -0,0 +1,102 @@
+policy_module(plymouthd, 1.0.0)
+
+########################################
@@ -19425,6 +19545,7 @@ diff -b -B --ignore-all-space --exclude-
+files_read_usr_files(plymouthd_t)
+
+miscfiles_read_localization(plymouthd_t)
++miscfiles_read_fonts(plymouthd_t)
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
@@ -19488,8 +19609,8 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.32/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.if 2009-12-03 13:45:11.000000000 -0500
-@@ -17,6 +17,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/policykit.if 2009-12-10 15:31:52.000000000 -0500
+@@ -17,12 +17,37 @@
class dbus send_msg;
')
@@ -19498,7 +19619,36 @@ diff -b -B --ignore-all-space --exclude-
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
')
-@@ -62,6 +64,9 @@
+
+ ########################################
+ ## <summary>
++## Send and receive messages from
++## policykit over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`policykit_dbus_chat_auth',`
++ gen_require(`
++ type policykit_auth_t;
++ class dbus send_msg;
++ ')
++
++ ps_process_pattern(policykit_auth_t, $1)
++
++ allow $1 policykit_auth_t:dbus send_msg;
++ allow policykit_auth_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
+ ## Execute a domain transition to run polkit_auth.
+ ## </summary>
+ ## <param name="domain">
+@@ -62,6 +87,9 @@
policykit_domtrans_auth($1)
role $2 types policykit_auth_t;
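Review bot: the summary of the new `policykit_dbus_chat_auth` interface (`Send and receive messages from policykit over dbus.`) does not say that it targets policykit_auth_t rather than policykit_t, and it omits the `ps_process_pattern(policykit_auth_t, $1)` call, which additionally lets policykit_auth_t read the caller's process state under /proc. Name the auth domain in the summary and mention the process-read access so callers know they grant more than dbus send_msg.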
@@ -19508,7 +19658,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -206,4 +211,47 @@
+@@ -206,4 +234,47 @@
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
@@ -19558,7 +19708,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-09 09:05:31.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-10 10:38:47.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -19634,7 +19784,7 @@ diff -b -B --ignore-all-space --exclude-
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -92,12 +114,14 @@
+@@ -92,21 +114,25 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -19642,16 +19792,19 @@ diff -b -B --ignore-all-space --exclude-
-
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
-
++files_search_home(policykit_auth_t)
++
+fs_getattr_all_fs(polkit_auth_t)
+fs_search_tmpfs(polkit_auth_t)
-+
+
auth_use_nsswitch(policykit_auth_t)
+auth_domtrans_chk_passwd(policykit_auth_t)
logging_send_syslog_msg(policykit_auth_t)
-@@ -106,7 +130,7 @@
+ miscfiles_read_localization(policykit_auth_t)
++miscfiles_read_fonts(policykit_auth_t)
+
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
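Review bot: `+fs_getattr_all_fs(polkit_auth_t)` and `+fs_search_tmpfs(polkit_auth_t)` name the domain `polkit_auth_t`, while every other rule in this hunk, including the newly added `++files_search_home(policykit_auth_t)`, uses `policykit_auth_t`. Unless polkit_auth_t is declared as an alias of policykit_auth_t the module will not build; if it is an alias, use one spelling throughout the file so the rules for this domain can be found with a single grep.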
@@ -19660,7 +19813,7 @@ diff -b -B --ignore-all-space --exclude-
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -119,6 +143,14 @@
+@@ -119,6 +145,14 @@
hal_read_state(policykit_auth_t)
')
@@ -19675,7 +19828,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# polkit_grant local policy
-@@ -126,7 +158,8 @@
+@@ -126,7 +160,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -19685,7 +19838,7 @@ diff -b -B --ignore-all-space --exclude-
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -156,9 +189,12 @@
+@@ -156,9 +191,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -19699,7 +19852,7 @@ diff -b -B --ignore-all-space --exclude-
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -170,7 +206,8 @@
+@@ -170,7 +208,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -26357,21 +26510,22 @@ diff -b -B --ignore-all-space --exclude-
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-12-05 06:43:26.000000000 -0500
-@@ -74,6 +74,12 @@
++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-12-10 15:23:11.000000000 -0500
+@@ -74,6 +74,13 @@
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+ifdef(`hide_broken_symptoms', `
+ dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit iceauth_t $2:tcp_socket rw_socket_perms;
++ dontaudit iceauth_t $2:udp_socket rw_socket_perms;
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+')
+
allow $2 iceauth_home_t:file read_file_perms;
domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -89,8 +95,8 @@
+@@ -89,8 +96,8 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
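Review bot: `++ dontaudit iceauth_t $2:udp_socket rw_socket_perms;` extends the udp_socket dontaudit to iceauth_t as well, but the changelog entry for this commit (`Dontaudit udp_socket leaks for xauth_t`) mentions only xauth_t; list both domains in the changelog so the change can be traced from the spec.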
@@ -26382,7 +26536,7 @@ diff -b -B --ignore-all-space --exclude-
dontaudit $2 xdm_t:tcp_socket { read write };
# Client read xserver shm
-@@ -211,6 +217,7 @@
+@@ -211,6 +218,7 @@
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -26390,7 +26544,7 @@ diff -b -B --ignore-all-space --exclude-
')
#######################################
-@@ -245,7 +252,7 @@
+@@ -245,7 +253,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -26399,7 +26553,7 @@ diff -b -B --ignore-all-space --exclude-
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -299,7 +306,7 @@
+@@ -299,7 +307,7 @@
interface(`xserver_user_client',`
refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
gen_require(`
@@ -26408,7 +26562,7 @@ diff -b -B --ignore-all-space --exclude-
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
')
-@@ -308,14 +315,14 @@
+@@ -308,14 +316,14 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -26428,7 +26582,7 @@ diff -b -B --ignore-all-space --exclude-
dontaudit $1 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -367,7 +374,6 @@
+@@ -367,7 +375,6 @@
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
type xevent_t, client_xevent_t;
@@ -26436,7 +26590,7 @@ diff -b -B --ignore-all-space --exclude-
attribute xproperty_type;
attribute xevent_type;
attribute input_xevent_type;
-@@ -376,6 +382,8 @@
+@@ -376,6 +383,8 @@
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -26445,7 +26599,7 @@ diff -b -B --ignore-all-space --exclude-
')
##############################
-@@ -383,20 +391,11 @@
+@@ -383,20 +392,11 @@
# Local Policy
#
@@ -26466,7 +26620,7 @@ diff -b -B --ignore-all-space --exclude-
allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
-@@ -409,8 +408,10 @@
+@@ -409,8 +409,10 @@
type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
type_transition $2 xevent_t:x_event $1_default_xevent_t;
@@ -26478,7 +26632,7 @@ diff -b -B --ignore-all-space --exclude-
')
#######################################
-@@ -484,13 +485,14 @@
+@@ -484,13 +486,14 @@
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -26497,7 +26651,7 @@ diff -b -B --ignore-all-space --exclude-
# Read .Xauthority file
allow $2 xauth_home_t:file read_file_perms;
-@@ -498,9 +500,9 @@
+@@ -498,9 +501,9 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -26510,7 +26664,7 @@ diff -b -B --ignore-all-space --exclude-
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -526,6 +528,10 @@
+@@ -526,6 +529,10 @@
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
@@ -26521,7 +26675,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -585,6 +591,12 @@
+@@ -585,6 +592,13 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -26529,12 +26683,13 @@ diff -b -B --ignore-all-space --exclude-
+ifdef(`hide_broken_symptoms', `
+ dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;
+ dontaudit xauth_t $1:tcp_socket rw_socket_perms;
++ dontaudit xauth_t $1:udp_socket rw_socket_perms;
+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+')
')
########################################
-@@ -728,7 +740,7 @@
+@@ -728,7 +742,7 @@
type xdm_t;
')
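Review bot: `++ dontaudit xauth_t $1:udp_socket rw_socket_perms;` silences the denial but leaves the underlying defect, a udp socket of the calling domain that stays open across the transition into xauth_t, in place. Keeping it inside the `ifdef(\`hide_broken_symptoms', ...)` block is right for that reason: builds without hide_broken_symptoms still log the denial, which is how the leaking caller gets found. A comment above the block naming the leaking caller, if known, would help whoever removes these rules once the leak is fixed.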
@@ -26543,7 +26698,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -764,11 +776,11 @@
+@@ -764,11 +778,11 @@
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -26557,7 +26712,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -802,10 +814,10 @@
+@@ -802,10 +816,10 @@
#
interface(`xserver_setattr_xdm_tmp_dirs',`
gen_require(`
@@ -26570,7 +26725,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -821,12 +833,13 @@
+@@ -821,12 +835,13 @@
#
interface(`xserver_create_xdm_tmp_sockets',`
gen_require(`
@@ -26587,7 +26742,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -845,7 +858,44 @@
+@@ -845,7 +860,44 @@
')
files_search_pids($1)
@@ -26633,7 +26788,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -868,6 +918,75 @@
+@@ -868,6 +920,75 @@
########################################
## <summary>
@@ -26709,7 +26864,7 @@ diff -b -B --ignore-all-space --exclude-
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -886,6 +1005,24 @@
+@@ -886,6 +1007,24 @@
########################################
## <summary>
@@ -26734,7 +26889,7 @@ diff -b -B --ignore-all-space --exclude-
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -961,6 +1098,27 @@
+@@ -961,6 +1100,27 @@
########################################
## <summary>
@@ -26762,7 +26917,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to write the X server
## log files.
## </summary>
-@@ -1014,11 +1172,11 @@
+@@ -1014,11 +1174,11 @@
#
interface(`xserver_read_xdm_tmp_files',`
gen_require(`
@@ -26776,7 +26931,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1033,11 +1191,11 @@
+@@ -1033,11 +1193,11 @@
#
interface(`xserver_dontaudit_read_xdm_tmp_files',`
gen_require(`
@@ -26791,7 +26946,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1052,11 +1210,11 @@
+@@ -1052,11 +1212,11 @@
#
interface(`xserver_rw_xdm_tmp_files',`
gen_require(`
@@ -26806,7 +26961,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1071,10 +1229,10 @@
+@@ -1071,10 +1231,10 @@
#
interface(`xserver_manage_xdm_tmp_files',`
gen_require(`
@@ -26819,7 +26974,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1089,10 +1247,10 @@
+@@ -1089,10 +1249,10 @@
#
interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
gen_require(`
@@ -26832,7 +26987,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1107,10 +1265,11 @@
+@@ -1107,10 +1267,11 @@
#
interface(`xserver_domtrans',`
gen_require(`
@@ -26845,7 +27000,7 @@ diff -b -B --ignore-all-space --exclude-
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1248,6 +1407,288 @@
+@@ -1248,6 +1409,288 @@
########################################
## <summary>
@@ -27134,7 +27289,7 @@ diff -b -B --ignore-all-space --exclude-
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1261,7 +1702,103 @@
+@@ -1261,7 +1704,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@@ -27240,7 +27395,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-09 11:40:19.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-10 15:28:03.000000000 -0500
@@ -34,6 +34,13 @@
## <desc>
@@ -27734,7 +27889,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -542,6 +677,38 @@
+@@ -542,6 +677,39 @@
')
optional_policy(`
@@ -27751,6 +27906,7 @@ diff -b -B --ignore-all-space --exclude-
+
+optional_policy(`
+ plymouth_search_spool(xdm_t)
++ plymouth_exec(xdm_t)
+')
+
+optional_policy(`
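Review bot: `++ plymouth_exec(xdm_t)` runs plymouthd_exec_t inside xdm_t with no domain transition, so the executed program carries xdm_t's privileges rather than plymouthd_t's. Add a comment stating why execution in xdm_t is wanted here instead of the transition interface (`Execute a domain transition to run plymouthd.`) that the same plymouth.if provides, so the choice is not read as an oversight later.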
@@ -27773,7 +27929,7 @@ diff -b -B --ignore-all-space --exclude-
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +717,9 @@
+@@ -550,8 +718,9 @@
')
optional_policy(`
@@ -27785,7 +27941,7 @@ diff -b -B --ignore-all-space --exclude-
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -560,7 +728,6 @@
+@@ -560,7 +729,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -27793,7 +27949,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +738,10 @@
+@@ -571,6 +739,10 @@
')
optional_policy(`
@@ -27804,7 +27960,7 @@ diff -b -B --ignore-all-space --exclude-
xfs_stream_connect(xdm_t)
')
-@@ -587,10 +758,9 @@
+@@ -587,10 +759,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -27816,7 +27972,7 @@ diff -b -B --ignore-all-space --exclude-
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +772,12 @@
+@@ -602,9 +773,12 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -27829,7 +27985,7 @@ diff -b -B --ignore-all-space --exclude-
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +789,14 @@
+@@ -616,13 +790,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -27845,7 +28001,7 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +809,19 @@
+@@ -635,9 +810,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -27865,7 +28021,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +855,6 @@
+@@ -671,7 +856,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -27873,7 +28029,7 @@ diff -b -B --ignore-all-space --exclude-
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -681,9 +864,12 @@
+@@ -681,9 +865,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -27887,7 +28043,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +884,12 @@
+@@ -698,8 +885,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -27900,7 +28056,7 @@ diff -b -B --ignore-all-space --exclude-
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -721,6 +911,7 @@
+@@ -721,6 +912,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -27908,7 +28064,7 @@ diff -b -B --ignore-all-space --exclude-
modutils_domtrans_insmod(xserver_t)
-@@ -743,7 +934,7 @@
+@@ -743,7 +935,7 @@
')
ifdef(`enable_mls',`
@@ -27917,7 +28073,7 @@ diff -b -B --ignore-all-space --exclude-
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -775,12 +966,20 @@
+@@ -775,12 +967,20 @@
')
optional_policy(`
@@ -27939,7 +28095,7 @@ diff -b -B --ignore-all-space --exclude-
unconfined_domtrans(xserver_t)
')
-@@ -807,12 +1006,12 @@
+@@ -807,12 +1007,12 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -27956,7 +28112,7 @@ diff -b -B --ignore-all-space --exclude-
# Run xkbcomp.
allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -828,9 +1027,14 @@
+@@ -828,9 +1028,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -27971,7 +28127,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1049,14 @@
+@@ -845,11 +1050,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -27987,7 +28143,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -882,6 +1089,8 @@
+@@ -882,6 +1090,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -27996,7 +28152,7 @@ diff -b -B --ignore-all-space --exclude-
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -906,6 +1115,8 @@
+@@ -906,6 +1116,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -28005,7 +28161,7 @@ diff -b -B --ignore-all-space --exclude-
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1184,49 @@
+@@ -973,17 +1185,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28184,7 +28340,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-12-07 15:55:13.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-12-10 15:35:58.000000000 -0500
@@ -40,17 +40,76 @@
## </summary>
## </param>
@@ -28502,16 +28658,19 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.32/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2009-12-03 13:45:11.000000000 -0500
-@@ -103,6 +103,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2009-12-10 13:28:10.000000000 -0500
+@@ -103,8 +103,10 @@
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+term_dontaudit_use_console(chkpwd_t)
term_dontaudit_use_unallocated_ttys(chkpwd_t)
term_dontaudit_use_generic_ptys(chkpwd_t)
++term_dontaudit_use_all_server_ptys(chkpwd_t)
+
+ auth_use_nsswitch(chkpwd_t)
-@@ -125,9 +126,18 @@
+@@ -125,9 +127,18 @@
')
optional_policy(`
@@ -29537,7 +29696,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-10 11:41:15.000000000 -0500
@@ -6,6 +6,13 @@
# Declarations
#
@@ -29552,7 +29711,7 @@ diff -b -B --ignore-all-space --exclude-
type ipsec_t;
type ipsec_exec_t;
init_daemon_domain(ipsec_t, ipsec_exec_t)
-@@ -15,6 +22,9 @@
+@@ -15,13 +22,22 @@
type ipsec_conf_file_t;
files_type(ipsec_conf_file_t)
@@ -29562,17 +29721,20 @@ diff -b -B --ignore-all-space --exclude-
# type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
-@@ -22,6 +32,9 @@
- # Default type for IPSEC SPD entries
- type ipsec_spd_t;
+type ipsec_log_t;
+logging_log_file(ipsec_log_t)
+
+ # Default type for IPSEC SPD entries
+ type ipsec_spd_t;
+
++type ipsec_tmp_t;
++files_tmp_file(ipsec_tmp_t)
++
# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
-@@ -43,6 +56,9 @@
+@@ -43,6 +59,9 @@
init_daemon_domain(racoon_t, racoon_exec_t)
role system_r types racoon_t;
@@ -29582,7 +29744,7 @@ diff -b -B --ignore-all-space --exclude-
type setkey_t;
type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t)
-@@ -53,21 +69,23 @@
+@@ -53,21 +72,23 @@
# ipsec Local policy
#
@@ -29609,7 +29771,7 @@ diff -b -B --ignore-all-space --exclude-
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -82,16 +100,17 @@
+@@ -82,16 +103,17 @@
# so try flipping back into the ipsec_mgmt_t domain
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
@@ -29629,7 +29791,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t)
-@@ -120,7 +139,9 @@
+@@ -120,7 +142,9 @@
domain_use_interactive_fds(ipsec_t)
@@ -29639,7 +29801,7 @@ diff -b -B --ignore-all-space --exclude-
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
-@@ -154,16 +175,19 @@
+@@ -154,16 +178,19 @@
#
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
@@ -29661,7 +29823,18 @@ diff -b -B --ignore-all-space --exclude-
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
-@@ -241,6 +265,7 @@
+@@ -188,6 +215,10 @@
+ manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+ files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
+
++manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
++manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
++files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
++
+ # whack needs to connect to pluto
+ stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
+
+@@ -241,6 +272,7 @@
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -29669,7 +29842,7 @@ diff -b -B --ignore-all-space --exclude-
logging_send_syslog_msg(ipsec_mgmt_t)
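Review bot: the three new `ipsec_t` rules (`++manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)` through `++files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })`) are inserted among ipsec_mgmt_t rules, between the ipsec_key_file_t rules and the `# whack needs to connect to pluto` comment, which belong to the ipsec_mgmt local policy section. Move them to the ipsec_t local policy section next to the ipsec_var_run_t rules so the new ipsec_tmp_t type and its only user sit with the right domain.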
-@@ -280,6 +305,13 @@
+@@ -280,6 +312,13 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms;
@@ -29683,7 +29856,7 @@ diff -b -B --ignore-all-space --exclude-
# manage pid file
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -297,6 +329,13 @@
+@@ -297,6 +336,13 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
@@ -29697,7 +29870,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t)
-@@ -314,6 +353,8 @@
+@@ -314,6 +360,8 @@
files_read_etc_files(racoon_t)
@@ -29706,7 +29879,7 @@ diff -b -B --ignore-all-space --exclude-
# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)
-@@ -328,6 +369,14 @@
+@@ -328,6 +376,14 @@
miscfiles_read_localization(racoon_t)
@@ -29721,7 +29894,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Setkey local policy
-@@ -341,12 +390,15 @@
+@@ -341,12 +397,15 @@
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
@@ -29737,6 +29910,12 @@ diff -b -B --ignore-all-space --exclude-
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
+@@ -358,3 +417,5 @@
+ seutil_read_config(setkey_t)
+
+ userdom_use_user_terminals(setkey_t)
++
++userdom_read_user_tmp_files(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.32/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-09-16 10:01:19.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/system/iptables.fc 2009-12-03 13:45:11.000000000 -0500
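Review bot: `++userdom_read_user_tmp_files(setkey_t)` lets setkey_t read every user's tmp files, not just one file handed to it; if the need is a setkey configuration written to /tmp by an administrator, a comment naming that use case would justify the breadth and let a later reviewer judge whether a narrower rule is possible.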
@@ -33838,7 +34017,7 @@ diff -b -B --ignore-all-space --exclude-
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-09 09:27:20.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-10 15:29:01.000000000 -0500
@@ -30,8 +30,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.980
retrieving revision 1.981
diff -u -p -r1.980 -r1.981
--- selinux-policy.spec 9 Dec 2009 19:53:39 -0000 1.980
+++ selinux-policy.spec 10 Dec 2009 21:38:24 -0000 1.981
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 57%{?dist}
+Release: 58%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,8 +449,20 @@ exit 0
%endif
%changelog
+* Thu Dec 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-58
+- Dontaudit udp_socket leaks for xauth_t
+
* Wed Dec 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-57
- Allow unconfined_t to send dbus messages to setroubleshoot
+- Allow confined screen app to setattr on user ttys
+- remove wine_t from unconfined domain when unconfined.pp disabled
+- Allow sysadm_t to communicate with racoon
+- Allow xauth to be run from all unconfined user types
+- Fix labeling on all /var/cache/mod_* apps
+- Allow asterisk to communicate with postgresql
+- Fix labeling for /var/lib/certmaster
+- Add policy for ksmtuned and tgtd
+- Fixes fro vhostmd
* Mon Dec 7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-56
- Dontaudit exec of fusermount from xguest
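Review bot: the changelog line `+- Fixes fro vhostmd` under the 3.6.32-57 entry has a typo (`fro` for `for`), and that entry gains nine bullet points in this commit although its release number is unchanged, which makes the spec history harder to match against revision 1.980. Either fix the spelling and keep them under -57, or move them to the -58 entry this commit creates.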