rpms/selinux-policy/F-12 modules-minimum.conf, 1.46, 1.47 modules-targeted.conf, 1.155, 1.156 policy-F12.patch, 1.157, 1.158 selinux-policy.spec, 1.984, 1.985

Daniel J Walsh dwalsh at fedoraproject.org
Mon Dec 21 22:53:30 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19880

Modified Files:
	modules-minimum.conf modules-targeted.conf policy-F12.patch 
	selinux-policy.spec 
Log Message:
* Mon Dec 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-61
- Fixes for sandbox_x_server
- Fix ntop policy
- Allow screen to use fprintd
- Sandbox fixes



Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/modules-minimum.conf,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -p -r1.46 -r1.47
--- modules-minimum.conf	16 Dec 2009 13:03:07 -0000	1.46
+++ modules-minimum.conf	21 Dec 2009 22:53:29 -0000	1.47
@@ -935,7 +935,7 @@ mount = base
 # 
 mozilla = module
 
-# Layer: admin
+# Layer: services
 # Module: ntop
 #
 # Policy for ntop


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/modules-targeted.conf,v
retrieving revision 1.155
retrieving revision 1.156
diff -u -p -r1.155 -r1.156
--- modules-targeted.conf	15 Dec 2009 16:10:10 -0000	1.155
+++ modules-targeted.conf	21 Dec 2009 22:53:29 -0000	1.156
@@ -935,7 +935,7 @@ mount = base
 # 
 mozilla = module
 
-# Layer: admin
+# Layer: services
 # Module: ntop
 #
 # Policy for ntop

policy-F12.patch:
 Makefile                                  |    2 
 policy/flask/access_vectors               |    1 
 policy/global_tunables                    |   24 
 policy/mcs                                |   10 
 policy/modules/admin/alsa.te              |    2 
 policy/modules/admin/anaconda.te          |    3 
 policy/modules/admin/brctl.te             |    2 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/consoletype.te       |    3 
 policy/modules/admin/dmesg.fc             |    2 
 policy/modules/admin/dmesg.te             |   10 
 policy/modules/admin/firstboot.te         |    6 
 policy/modules/admin/kismet.fc            |    2 
 policy/modules/admin/kismet.te            |   14 
 policy/modules/admin/logrotate.te         |   27 
 policy/modules/admin/logwatch.te          |    8 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/netutils.te          |    2 
 policy/modules/admin/portage.te           |    2 
 policy/modules/admin/prelink.fc           |    1 
 policy/modules/admin/prelink.if           |   23 
 policy/modules/admin/prelink.te           |   77 +
 policy/modules/admin/readahead.te         |    1 
 policy/modules/admin/rpm.fc               |   21 
 policy/modules/admin/rpm.if               |  344 ++++++
 policy/modules/admin/rpm.te               |   98 +
 policy/modules/admin/shorewall.fc         |    6 
 policy/modules/admin/shorewall.if         |   40 
 policy/modules/admin/shorewall.te         |    9 
 policy/modules/admin/smoltclient.fc       |    4 
 policy/modules/admin/smoltclient.if       |    1 
 policy/modules/admin/smoltclient.te       |   66 +
 policy/modules/admin/sudo.if              |   13 
 policy/modules/admin/tmpreaper.te         |   12 
 policy/modules/admin/tzdata.te            |    2 
 policy/modules/admin/usermanage.if        |   11 
 policy/modules/admin/usermanage.te        |   35 
 policy/modules/admin/vbetool.te           |   14 
 policy/modules/admin/vpn.te               |    4 
 policy/modules/apps/calamaris.te          |    7 
 policy/modules/apps/chrome.fc             |    2 
 policy/modules/apps/chrome.if             |   86 +
 policy/modules/apps/chrome.te             |   82 +
 policy/modules/apps/cpufreqselector.te    |    2 
 policy/modules/apps/execmem.fc            |   42 
 policy/modules/apps/execmem.if            |  104 +
 policy/modules/apps/execmem.te            |   11 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |   23 
 policy/modules/apps/firewallgui.te        |   64 +
 policy/modules/apps/gitosis.if            |   45 
 policy/modules/apps/gnome.fc              |   12 
 policy/modules/apps/gnome.if              |  188 +++
 policy/modules/apps/gnome.te              |   99 +
 policy/modules/apps/gpg.te                |   20 
 policy/modules/apps/java.fc               |   24 
 policy/modules/apps/java.if               |  114 +-
 policy/modules/apps/java.te               |   19 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   67 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |   52 
 policy/modules/apps/livecd.te             |   28 
 policy/modules/apps/loadkeys.te           |    6 
 policy/modules/apps/mono.fc               |    2 
 policy/modules/apps/mono.if               |  101 +
 policy/modules/apps/mono.te               |    9 
 policy/modules/apps/mozilla.fc            |    1 
 policy/modules/apps/mozilla.if            |   68 +
 policy/modules/apps/mozilla.te            |   28 
 policy/modules/apps/nsplugin.fc           |   11 
 policy/modules/apps/nsplugin.if           |  323 +++++
 policy/modules/apps/nsplugin.te           |  295 +++++
 policy/modules/apps/openoffice.fc         |    3 
 policy/modules/apps/openoffice.if         |   93 +
 policy/modules/apps/openoffice.te         |   11 
 policy/modules/apps/podsleuth.te          |    4 
 policy/modules/apps/ptchown.if            |   25 
 policy/modules/apps/pulseaudio.if         |    2 
 policy/modules/apps/pulseaudio.te         |   13 
 policy/modules/apps/qemu.fc               |    4 
 policy/modules/apps/qemu.if               |  189 +++
 policy/modules/apps/qemu.te               |   85 +
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   60 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  189 +++
 policy/modules/apps/sandbox.te            |  336 +++++
 policy/modules/apps/screen.if             |   13 
 policy/modules/apps/sectoolm.fc           |    6 
 policy/modules/apps/sectoolm.if           |    3 
 policy/modules/apps/sectoolm.te           |  120 ++
 policy/modules/apps/seunshare.fc          |    2 
 policy/modules/apps/seunshare.if          |   81 +
 policy/modules/apps/seunshare.te          |   42 
 policy/modules/apps/slocate.te            |    1 
 policy/modules/apps/vmware.te             |    1 
 policy/modules/apps/wine.fc               |   24 
 policy/modules/apps/wine.if               |  115 ++
 policy/modules/apps/wine.te               |   34 
 policy/modules/kernel/corecommands.fc     |   49 
 policy/modules/kernel/corecommands.if     |   21 
 policy/modules/kernel/corenetwork.te.in   |   50 
 policy/modules/kernel/devices.fc          |   12 
 policy/modules/kernel/devices.if          |  309 +++++
 policy/modules/kernel/devices.te          |   25 
 policy/modules/kernel/domain.if           |  170 ++
 policy/modules/kernel/domain.te           |   91 +
 policy/modules/kernel/files.fc            |    5 
 policy/modules/kernel/files.if            |  475 ++++++++
 policy/modules/kernel/files.te            |    7 
 policy/modules/kernel/filesystem.fc       |    2 
 policy/modules/kernel/filesystem.if       |  293 +++++
 policy/modules/kernel/filesystem.te       |   16 
 policy/modules/kernel/kernel.if           |   98 +
 policy/modules/kernel/kernel.te           |   32 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    2 
 policy/modules/kernel/storage.if          |    3 
 policy/modules/kernel/terminal.fc         |    1 
 policy/modules/kernel/terminal.if         |   65 +
 policy/modules/kernel/terminal.te         |    1 
 policy/modules/roles/guest.te             |    8 
 policy/modules/roles/staff.te             |  124 --
 policy/modules/roles/sysadm.te            |  125 --
 policy/modules/roles/unconfineduser.fc    |    8 
 policy/modules/roles/unconfineduser.if    |  667 +++++++++++
 policy/modules/roles/unconfineduser.te    |  442 +++++++
 policy/modules/roles/unprivuser.te        |  127 --
 policy/modules/roles/xguest.te            |   69 +
 policy/modules/services/abrt.fc           |    8 
 policy/modules/services/abrt.if           |  139 ++
 policy/modules/services/abrt.te           |  118 +-
 policy/modules/services/afs.fc            |    1 
 policy/modules/services/afs.te            |    3 
 policy/modules/services/aisexec.fc        |   12 
 policy/modules/services/aisexec.if        |  106 +
 policy/modules/services/aisexec.te        |  112 +
 policy/modules/services/amavis.te         |    2 
 policy/modules/services/apache.fc         |   57 -
 policy/modules/services/apache.if         |  466 +++++---
 policy/modules/services/apache.te         |  457 ++++++--
 policy/modules/services/apm.te            |    6 
 policy/modules/services/arpwatch.te       |    2 
 policy/modules/services/asterisk.if       |   38 
 policy/modules/services/asterisk.te       |   36 
 policy/modules/services/automount.te      |    2 
 policy/modules/services/avahi.te          |   13 
 policy/modules/services/bind.if           |   40 
 policy/modules/services/bitlbee.te        |    2 
 policy/modules/services/bluetooth.if      |   21 
 policy/modules/services/bluetooth.te      |   12 
 policy/modules/services/ccs.fc            |    8 
 policy/modules/services/ccs.te            |   33 
 policy/modules/services/certmaster.fc     |    3 
 policy/modules/services/certmaster.te     |    2 
 policy/modules/services/certmonger.fc     |    6 
 policy/modules/services/certmonger.if     |  217 +++
 policy/modules/services/certmonger.te     |   74 +
 policy/modules/services/chronyd.fc        |   11 
 policy/modules/services/chronyd.if        |  105 +
 policy/modules/services/chronyd.te        |   67 +
 policy/modules/services/clamav.te         |   18 
 policy/modules/services/clogd.fc          |    4 
 policy/modules/services/clogd.if          |   98 +
 policy/modules/services/clogd.te          |   62 +
 policy/modules/services/cobbler.fc        |    2 
 policy/modules/services/cobbler.if        |   44 
 policy/modules/services/cobbler.te        |    5 
 policy/modules/services/consolekit.fc     |    3 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   25 
 policy/modules/services/corosync.fc       |   13 
 policy/modules/services/corosync.if       |  108 +
 policy/modules/services/corosync.te       |  110 +
 policy/modules/services/courier.if        |   18 
 policy/modules/services/courier.te        |    1 
 policy/modules/services/cron.fc           |    6 
 policy/modules/services/cron.if           |   74 +
 policy/modules/services/cron.te           |   84 +
 policy/modules/services/cups.fc           |   13 
 policy/modules/services/cups.te           |   52 
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/cyrus.te          |    3 
 policy/modules/services/dbus.if           |   54 
 policy/modules/services/dbus.te           |   25 
 policy/modules/services/dcc.te            |    8 
 policy/modules/services/ddclient.if       |   25 
 policy/modules/services/devicekit.fc      |    2 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |   60 -
 policy/modules/services/dnsmasq.te        |   12 
 policy/modules/services/dovecot.fc        |    1 
 policy/modules/services/dovecot.te        |   31 
 policy/modules/services/exim.te           |    5 
 policy/modules/services/fail2ban.if       |   40 
 policy/modules/services/fail2ban.te       |    2 
 policy/modules/services/fetchmail.te      |    3 
 policy/modules/services/fprintd.te        |    5 
 policy/modules/services/ftp.te            |   64 -
 policy/modules/services/git.fc            |    8 
 policy/modules/services/git.if            |  286 +++++
 policy/modules/services/git.te            |  166 ++
 policy/modules/services/gpm.te            |    3 
 policy/modules/services/gpsd.fc           |    5 
 policy/modules/services/gpsd.if           |   27 
 policy/modules/services/gpsd.te           |   14 
 policy/modules/services/hal.fc            |    1 
 policy/modules/services/hal.if            |   18 
 policy/modules/services/hal.te            |   53 
 policy/modules/services/howl.te           |    2 
 policy/modules/services/inetd.fc          |    2 
 policy/modules/services/inetd.te          |    4 
 policy/modules/services/irqbalance.te     |    4 
 policy/modules/services/kerberos.if       |    6 
 policy/modules/services/kerberos.te       |   18 
 policy/modules/services/kerneloops.te     |    2 
 policy/modules/services/ksmtuned.fc       |    5 
 policy/modules/services/ksmtuned.if       |   76 +
 policy/modules/services/ksmtuned.te       |   46 
 policy/modules/services/ktalk.te          |    1 
 policy/modules/services/ldap.if           |   38 
 policy/modules/services/lircd.fc          |    2 
 policy/modules/services/lircd.if          |    9 
 policy/modules/services/lircd.te          |   25 
 policy/modules/services/mailman.te        |    4 
 policy/modules/services/memcached.te      |    4 
 policy/modules/services/milter.if         |    2 
 policy/modules/services/modemmanager.te   |    5 
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |   32 
 policy/modules/services/mta.te            |   36 
 policy/modules/services/munin.fc          |    3 
 policy/modules/services/munin.te          |    6 
 policy/modules/services/mysql.fc          |    1 
 policy/modules/services/mysql.if          |   38 
 policy/modules/services/mysql.te          |   25 
 policy/modules/services/nagios.fc         |   46 
 policy/modules/services/nagios.if         |  126 ++
 policy/modules/services/nagios.te         |  193 ++-
 policy/modules/services/networkmanager.fc |   15 
 policy/modules/services/networkmanager.if |   65 +
 policy/modules/services/networkmanager.te |  118 +-
 policy/modules/services/nis.fc            |    5 
 policy/modules/services/nis.if            |   87 +
 policy/modules/services/nis.te            |   13 
 policy/modules/services/nscd.if           |   18 
 policy/modules/services/nscd.te           |   21 
 policy/modules/services/nslcd.if          |    8 
 policy/modules/services/ntop.fc           |    1 
 policy/modules/services/ntop.te           |   32 
 policy/modules/services/ntp.if            |   46 
 policy/modules/services/ntp.te            |    8 
 policy/modules/services/nut.fc            |   16 
 policy/modules/services/nut.if            |   58 +
 policy/modules/services/nut.te            |  188 +++
 policy/modules/services/nx.fc             |   10 
 policy/modules/services/nx.if             |   67 +
 policy/modules/services/nx.te             |   13 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/oddjob.te         |    5 
 policy/modules/services/openvpn.te        |    4 
 policy/modules/services/pcscd.if          |   41 
 policy/modules/services/pcscd.te          |    4 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/plymouth.fc       |    5 
 policy/modules/services/plymouth.if       |  304 +++++
 policy/modules/services/plymouth.te       |  102 +
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   71 +
 policy/modules/services/policykit.te      |   67 -
 policy/modules/services/portreserve.te    |    1 
 policy/modules/services/postfix.fc        |    2 
 policy/modules/services/postfix.if        |  150 ++
 policy/modules/services/postfix.te        |  142 ++
 policy/modules/services/postgresql.fc     |   16 
 policy/modules/services/postgresql.if     |   60 +
 policy/modules/services/postgresql.te     |    9 
 policy/modules/services/ppp.if            |    6 
 policy/modules/services/ppp.te            |   16 
 policy/modules/services/prelude.te        |    3 
 policy/modules/services/privoxy.fc        |    3 
 policy/modules/services/privoxy.te        |    3 
 policy/modules/services/procmail.te       |   12 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/radvd.te          |    1 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rdisc.if          |   19 
 policy/modules/services/rgmanager.fc      |    8 
 policy/modules/services/rgmanager.if      |   59 +
 policy/modules/services/rgmanager.te      |  187 +++
 policy/modules/services/rhcs.fc           |   22 
 policy/modules/services/rhcs.if           |  367 ++++++
 policy/modules/services/rhcs.te           |  410 +++++++
 policy/modules/services/ricci.te          |   30 
 policy/modules/services/rpc.fc            |    4 
 policy/modules/services/rpc.if            |   45 
 policy/modules/services/rpc.te            |   26 
 policy/modules/services/rpcbind.if        |   20 
 policy/modules/services/rpcbind.te        |    1 
 policy/modules/services/rsync.te          |   23 
 policy/modules/services/rtkit.if          |   20 
 policy/modules/services/rtkit.te          |    4 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  138 ++
 policy/modules/services/samba.te          |   91 +
 policy/modules/services/sasl.te           |   15 
 policy/modules/services/sendmail.if       |  137 ++
 policy/modules/services/sendmail.te       |   87 +
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |  124 ++
 policy/modules/services/setroubleshoot.te |   83 +
 policy/modules/services/smartmon.te       |   17 
 policy/modules/services/snmp.if           |   38 
 policy/modules/services/snmp.te           |    4 
 policy/modules/services/snort.te          |    1 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |   89 +
 policy/modules/services/spamassassin.te   |  139 ++
 policy/modules/services/squid.te          |    9 
 policy/modules/services/ssh.fc            |    2 
 policy/modules/services/ssh.if            |  207 +++
 policy/modules/services/ssh.te            |  155 ++
 policy/modules/services/sssd.fc           |    5 
 policy/modules/services/sssd.if           |   62 +
 policy/modules/services/sssd.te           |   17 
 policy/modules/services/sysstat.te        |    5 
 policy/modules/services/tftp.fc           |    2 
 policy/modules/services/tgtd.fc           |    3 
 policy/modules/services/tgtd.if           |   28 
 policy/modules/services/tgtd.te           |   69 +
 policy/modules/services/tor.te            |   13 
 policy/modules/services/tuned.fc          |    6 
 policy/modules/services/tuned.if          |  140 ++
 policy/modules/services/tuned.te          |   60 +
 policy/modules/services/uucp.te           |   10 
 policy/modules/services/vhostmd.fc        |    6 
 policy/modules/services/vhostmd.if        |  228 ++++
 policy/modules/services/vhostmd.te        |   87 +
 policy/modules/services/virt.fc           |   14 
 policy/modules/services/virt.if           |  210 +++
 policy/modules/services/virt.te           |  285 ++++-
 policy/modules/services/w3c.te            |    7 
 policy/modules/services/xserver.fc        |   45 
 policy/modules/services/xserver.if        |  637 ++++++++++-
 policy/modules/services/xserver.te        |  383 +++++-
 policy/modules/services/zebra.if          |   20 
 policy/modules/system/application.if      |   20 
 policy/modules/system/application.te      |   12 
 policy/modules/system/authlogin.fc        |    9 
 policy/modules/system/authlogin.if        |  210 +++
 policy/modules/system/authlogin.te        |   11 
 policy/modules/system/fstools.fc          |    3 
 policy/modules/system/fstools.te          |    7 
 policy/modules/system/init.fc             |    7 
 policy/modules/system/init.if             |  184 +++
 policy/modules/system/init.te             |  292 +++--
 policy/modules/system/ipsec.fc            |    7 
 policy/modules/system/ipsec.if            |   45 
 policy/modules/system/ipsec.te            |   78 +
 policy/modules/system/iptables.fc         |   17 
 policy/modules/system/iptables.if         |   97 +
 policy/modules/system/iptables.te         |   23 
 policy/modules/system/iscsi.if            |   40 
 policy/modules/system/iscsi.te            |    8 
 policy/modules/system/kdump.te            |    5 
 policy/modules/system/libraries.fc        |  193 ++-
 policy/modules/system/libraries.if        |    5 
 policy/modules/system/libraries.te        |   18 
 policy/modules/system/locallogin.te       |   30 
 policy/modules/system/logging.fc          |   12 
 policy/modules/system/logging.if          |   20 
 policy/modules/system/logging.te          |   38 
 policy/modules/system/lvm.if              |   39 
 policy/modules/system/lvm.te              |   31 
 policy/modules/system/miscfiles.fc        |    1 
 policy/modules/system/miscfiles.if        |   60 +
 policy/modules/system/miscfiles.te        |    2 
 policy/modules/system/modutils.fc         |    1 
 policy/modules/system/modutils.if         |   47 
 policy/modules/system/modutils.te         |   56 
 policy/modules/system/mount.fc            |    7 
 policy/modules/system/mount.if            |   82 +
 policy/modules/system/mount.te            |   87 +
 policy/modules/system/raid.fc             |    2 
 policy/modules/system/raid.te             |    8 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  309 +++++
 policy/modules/system/selinuxutil.te      |  229 +---
 policy/modules/system/setrans.if          |   20 
 policy/modules/system/sysnetwork.fc       |   10 
 policy/modules/system/sysnetwork.if       |  114 +-
 policy/modules/system/sysnetwork.te       |   80 +
 policy/modules/system/udev.fc             |    3 
 policy/modules/system/udev.if             |   39 
 policy/modules/system/udev.te             |   39 
 policy/modules/system/unconfined.fc       |   15 
 policy/modules/system/unconfined.if       |  443 -------
 policy/modules/system/unconfined.te       |  224 ---
 policy/modules/system/userdomain.fc       |    7 
 policy/modules/system/userdomain.if       | 1702 +++++++++++++++++++++++-------
 policy/modules/system/userdomain.te       |   51 
 policy/modules/system/xen.fc              |    6 
 policy/modules/system/xen.if              |   47 
 policy/modules/system/xen.te              |  144 ++
 policy/support/obj_perm_sets.spt          |   31 
 policy/users                              |   13 
 413 files changed, 21772 insertions(+), 2838 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.157
retrieving revision 1.158
diff -u -p -r1.157 -r1.158
--- policy-F12.patch	18 Dec 2009 21:25:50 -0000	1.157
+++ policy-F12.patch	21 Dec 2009 22:53:29 -0000	1.158
@@ -306,7 +306,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te	2009-12-21 14:18:28.000000000 -0500
 @@ -32,7 +32,7 @@
  # Change ownership on log files.
  allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -437,221 +437,6 @@ diff -b -B --ignore-all-space --exclude-
  userdom_use_user_terminals(netutils_t)
  userdom_use_all_users_fds(netutils_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.fc serefpolicy-3.6.32/policy/modules/admin/ntop.fc
---- nsaserefpolicy/policy/modules/admin/ntop.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/admin/ntop.fc	2009-12-17 11:20:45.000000000 -0500
-@@ -0,0 +1,5 @@
-+/etc/rc\.d/init\.d/ntop	--	gen_context(system_u:object_r:ntop_initrc_exec_t,s0)
-+
-+/usr/sbin/ntop		--	gen_context(system_u:object_r:ntop_exec_t,s0)
-+
-+/var/lib/ntop(/.*)?		gen_context(system_u:object_r:ntop_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.if serefpolicy-3.6.32/policy/modules/admin/ntop.if
---- nsaserefpolicy/policy/modules/admin/ntop.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/admin/ntop.if	2009-12-17 11:20:45.000000000 -0500
-@@ -0,0 +1,158 @@
-+
-+## <summary>policy for ntop</summary>
-+
-+########################################
-+## <summary>
-+##	Execute a domain transition to run ntop.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`ntop_domtrans',`
-+	gen_require(`
-+		type ntop_t, ntop_exec_t;
-+	')
-+
-+	domtrans_pattern($1,ntop_exec_t,ntop_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+##	Execute ntop server in the ntop domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`ntop_initrc_domtrans',`
-+	gen_require(`
-+		type ntop_initrc_exec_t;
-+	')
-+
-+	init_labeled_script_domtrans($1,ntop_initrc_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Search ntop lib directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`ntop_search_lib',`
-+	gen_require(`
-+		type ntop_var_lib_t;
-+	')
-+
-+	allow $1 ntop_var_lib_t:dir search_dir_perms;
-+	files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Read ntop lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`ntop_read_lib_files',`
-+	gen_require(`
-+		type ntop_var_lib_t;
-+	')
-+
-+	files_search_var_lib($1)
-+        read_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete
-+##	ntop lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`ntop_manage_lib_files',`
-+	gen_require(`
-+		type ntop_var_lib_t;
-+	')
-+
-+	files_search_var_lib($1)
-+        manage_files_pattern($1, ntop_var_lib_t,  ntop_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage ntop var_lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`ntop_manage_var_lib',`
-+	gen_require(`
-+		type ntop_var_lib_t;
-+	')
-+
-+         manage_dirs_pattern($1,ntop_var_lib_t,ntop_var_lib_t)
-+         manage_files_pattern($1,ntop_var_lib_t,ntop_var_lib_t)
-+         manage_lnk_files_pattern($1,ntop_var_lib_t,ntop_var_lib_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an ntop environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`ntop_admin',`
-+	gen_require(`
-+		type ntop_t;
-+	')
-+
-+	allow $1 ntop_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, ntop_t, ntop_t)
-+	        
-+
-+	gen_require(`
-+		type ntop_initrc_exec_t;
-+	')
-+
-+	# Allow ntop_t to restart the apache service
-+	ntop_initrc_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 ntop_initrc_exec_t system_r;
-+	allow $2 system_r;
-+
-+	ntop_manage_var_lib($1)
-+
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.te serefpolicy-3.6.32/policy/modules/admin/ntop.te
---- nsaserefpolicy/policy/modules/admin/ntop.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/admin/ntop.te	2009-12-17 11:20:45.000000000 -0500
-@@ -0,0 +1,40 @@
-+policy_module(ntop,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type ntop_t;
-+type ntop_exec_t;
-+init_daemon_domain(ntop_t, ntop_exec_t)
-+
-+permissive ntop_t;
-+
-+type ntop_initrc_exec_t;
-+init_script_file(ntop_initrc_exec_t)
-+
-+type ntop_var_lib_t;
-+files_type(ntop_var_lib_t)
-+
-+########################################
-+#
-+# ntop local policy
-+#
-+allow ntop_t self:capability { setgid setuid };
-+allow ntop_t self:fifo_file manage_file_perms;
-+allow ntop_t self:unix_stream_socket create_stream_socket_perms;
-+
-+# Init script handling
-+domain_use_interactive_fds(ntop_t)
-+
-+files_read_etc_files(ntop_t)
-+
-+manage_dirs_pattern(ntop_t, ntop_var_lib_t,  ntop_var_lib_t)
-+manage_files_pattern(ntop_t, ntop_var_lib_t,  ntop_var_lib_t)
-+files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
-+
-+auth_use_nsswitch(ntop_t)
-+
-+miscfiles_read_localization(ntop_t)
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.6.32/policy/modules/admin/portage.te
 --- nsaserefpolicy/policy/modules/admin/portage.te	2009-09-16 10:01:19.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/admin/portage.te	2009-12-17 11:20:45.000000000 -0500
@@ -2211,7 +1996,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te
 --- nsaserefpolicy/policy/modules/apps/chrome.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te	2009-12-18 10:19:15.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te	2009-12-21 13:49:17.000000000 -0500
 @@ -0,0 +1,82 @@
 +policy_module(chrome,1.0.0)
 +
@@ -2240,7 +2025,7 @@ diff -b -B --ignore-all-space --exclude-
 +#
 +allow chrome_sandbox_t self:capability { setuid sys_admin dac_override sys_chroot chown fsetid setgid };
 +dontaudit chrome_sandbox_t self:capability { sys_ptrace };
-+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem };
++allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 +allow chrome_sandbox_t self:fifo_file manage_file_perms;
 +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
 +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
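Review bot: The widened rule `allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };` grants the sandbox helper an executable stack with no comment saying what needs it, and the commit log does not mention chrome at all. `execmem` was already present, so the domain had already given up W^X for anonymous memory; `execstack` additionally permits the stack itself to be mapped executable, which is the permission a hardened policy most wants to keep denied, and a denial on it is usually a symptom of a mislinked object or a JIT rather than a requirement that was measured. I would add a one-line comment above the rule naming the trigger, e.g. `# execstack: required by <component, see AVC denial/bug id> -- confirm before keeping`, so the next reader can tell a deliberate grant from an AVC-silencing fix. The chrome_sandbox_t rule block continues outside this hunk.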
@@ -5293,8 +5078,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te	2009-12-17 11:20:45.000000000 -0500
-@@ -0,0 +1,335 @@
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te	2009-12-21 14:31:10.000000000 -0500
+@@ -0,0 +1,336 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -5401,6 +5186,7 @@ diff -b -B --ignore-all-space --exclude-
 +## internal communication is often done using fifo and unix sockets.
 +allow sandbox_domain self:fifo_file manage_file_perms;
 +allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
++allow sandbox_domain self:unix_dgram_socket create_socket_perms;
 +
 +gen_require(`
 +	type usr_t, lib_t, locale_t;
@@ -5632,7 +5418,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.32/policy/modules/apps/screen.if
 --- nsaserefpolicy/policy/modules/apps/screen.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/screen.if	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/screen.if	2009-12-21 14:51:45.000000000 -0500
 @@ -45,6 +45,7 @@
  
  	allow $1_screen_t self:capability { setuid setgid fsetid };
@@ -5661,11 +5447,16 @@ diff -b -B --ignore-all-space --exclude-
  	auth_use_nsswitch($1_screen_t)
  	auth_dontaudit_read_shadow($1_screen_t)
  	auth_dontaudit_exec_utempter($1_screen_t)
-@@ -134,6 +141,7 @@
+@@ -134,6 +141,12 @@
  	userdom_create_user_pty($1_screen_t)
  	userdom_user_home_domtrans($1_screen_t, $3)
  	userdom_setattr_user_ptys($1_screen_t)
 +	userdom_setattr_user_ttys($1_screen_t)
++
++	optional_policy(`
++		dbus_system_bus_client($1_screen_t)
++		fprintd_dbus_chat($1_screen_t)
++	')
  
  	tunable_policy(`use_samba_home_dirs',`
  		fs_cifs_domtrans($1_screen_t, $3)
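Review bot: The new optional_policy block places `dbus_system_bus_client($1_screen_t)` and `fprintd_dbus_chat($1_screen_t)` together, so on a build without the fprintd module the screen domain also loses its system bus client access. The usual refpolicy layout is to keep `dbus_system_bus_client($1_screen_t)` in the outer block and wrap `fprintd_dbus_chat($1_screen_t)` in its own nested `optional_policy(`...')`. The enclosing template that defines $1_screen_t starts outside the hunk.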
@@ -7410,7 +7201,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if	2009-12-18 15:32:53.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if	2009-12-21 17:41:42.000000000 -0500
 @@ -110,7 +110,11 @@
  ## </param>
  #
@@ -10230,8 +10021,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2009-12-17 11:20:45.000000000 -0500
-@@ -0,0 +1,443 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2009-12-21 11:46:41.000000000 -0500
+@@ -0,0 +1,442 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -10268,7 +10059,6 @@ diff -b -B --ignore-all-space --exclude-
 +userdom_manage_home_role(unconfined_r, unconfined_t)
 +userdom_manage_tmp_role(unconfined_r, unconfined_t)
 +userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-+userdom_execmod_user_home_files(unconfined_t)
 +userdom_unpriv_usertype(unconfined, unconfined_t)
 +
 +type unconfined_exec_t;
@@ -10931,14 +10721,15 @@ diff -b -B --ignore-all-space --exclude-
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.32/policy/modules/services/abrt.fc
 --- nsaserefpolicy/policy/modules/services/abrt.fc	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.fc	2009-12-18 08:10:43.000000000 -0500
-@@ -1,11 +1,16 @@
++++ serefpolicy-3.6.32/policy/modules/services/abrt.fc	2009-12-21 12:21:10.000000000 -0500
+@@ -1,11 +1,17 @@
  /etc/abrt(/.*)?			 gen_context(system_u:object_r:abrt_etc_t,s0)
  /etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
  
 -/usr/sbin/abrt			--	gen_context(system_u:object_r:abrt_exec_t,s0)
 +/usr/bin/abrt-pyhook-helper 	--  	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 +/usr/libexec/abrt-pyhook-helper 	--  	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/libexec/abrt-hook-python 	--  	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 +
 +/usr/sbin/abrtd                 --      gen_context(system_u:object_r:abrt_exec_t,s0)
  
@@ -17159,7 +16950,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/hal.te	2009-12-18 08:18:28.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/hal.te	2009-12-21 10:21:57.000000000 -0500
 @@ -55,13 +55,16 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -17188,7 +16979,7 @@ diff -b -B --ignore-all-space --exclude-
  
  auth_read_pam_console_data(hald_t)
  
-@@ -156,6 +161,12 @@
+@@ -156,6 +161,13 @@
  fs_search_all(hald_t)
  fs_list_inotifyfs(hald_t)
  fs_list_auto_mountpoints(hald_t)
@@ -17197,11 +16988,12 @@ diff -b -B --ignore-all-space --exclude-
 +fs_manage_dos_files(hald_t)
 +fs_manage_fusefs_dirs(hald_t)
 +fs_manage_fusefs_files(hald_t)
++fs_rw_removable_blk_files(hald_t)
 +
  files_getattr_all_mountpoints(hald_t)
  
  mls_file_read_all_levels(hald_t)
-@@ -197,13 +208,16 @@
+@@ -197,13 +209,16 @@
  miscfiles_read_hwdata(hald_t)
  
  modutils_domtrans_insmod(hald_t)
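Review bot: `fs_rw_removable_blk_files(hald_t)` presumably (judging by the interface name) grants read and write on block device nodes on removable filesystems, which is broader than the adjacent manage rules for dos and fusefs content, and the commit message does not mention hal, so the denial being fixed is not visible here. If hald only needs to probe such nodes, a getattr or read interface would be narrower; if write is required, a one-line comment above the rule stating the use case would document why. The renumbered hal.te hunk headers that follow are consistent with this single added line.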
@@ -17219,7 +17011,7 @@ diff -b -B --ignore-all-space --exclude-
  
  userdom_dontaudit_use_unpriv_user_fds(hald_t)
  userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -290,6 +304,7 @@
+@@ -290,6 +305,7 @@
  ')
  
  optional_policy(`
@@ -17227,7 +17019,7 @@ diff -b -B --ignore-all-space --exclude-
  	policykit_domtrans_auth(hald_t)
  	policykit_domtrans_resolve(hald_t)
  	policykit_read_lib(hald_t)
-@@ -321,6 +336,10 @@
+@@ -321,6 +337,10 @@
  	virt_manage_images(hald_t)
  ')
  
@@ -17238,7 +17030,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Hal acl local policy
-@@ -341,6 +360,7 @@
+@@ -341,6 +361,7 @@
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -17246,7 +17038,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -357,6 +377,8 @@
+@@ -357,6 +378,8 @@
  files_read_usr_files(hald_acl_t)
  files_read_etc_files(hald_acl_t)
  
@@ -17255,7 +17047,7 @@ diff -b -B --ignore-all-space --exclude-
  storage_getattr_removable_dev(hald_acl_t)
  storage_setattr_removable_dev(hald_acl_t)
  storage_getattr_fixed_disk_dev(hald_acl_t)
-@@ -369,6 +391,7 @@
+@@ -369,6 +392,7 @@
  miscfiles_read_localization(hald_acl_t)
  
  optional_policy(`
@@ -17263,7 +17055,7 @@ diff -b -B --ignore-all-space --exclude-
  	policykit_domtrans_auth(hald_acl_t)
  	policykit_read_lib(hald_acl_t)
  	policykit_read_reload(hald_acl_t)
-@@ -450,12 +473,16 @@
+@@ -450,12 +474,16 @@
  
  miscfiles_read_localization(hald_keymap_t)
  
@@ -17282,7 +17074,7 @@ diff -b -B --ignore-all-space --exclude-
  allow hald_dccm_t self:process getsched;
  allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
  allow hald_dccm_t self:udp_socket create_socket_perms;
-@@ -469,10 +496,22 @@
+@@ -469,10 +497,22 @@
  manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
  files_search_var_lib(hald_dccm_t)
  
@@ -17305,7 +17097,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_all_recvfrom_unlabeled(hald_dccm_t)
  corenet_all_recvfrom_netlabel(hald_dccm_t)
  corenet_tcp_sendrecv_generic_if(hald_dccm_t)
-@@ -484,6 +523,7 @@
+@@ -484,6 +524,7 @@
  corenet_tcp_bind_generic_node(hald_dccm_t)
  corenet_udp_bind_generic_node(hald_dccm_t)
  corenet_udp_bind_dhcpc_port(hald_dccm_t)
@@ -17313,7 +17105,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_tcp_bind_dccm_port(hald_dccm_t)
  
  logging_send_syslog_msg(hald_dccm_t)
-@@ -491,3 +531,7 @@
+@@ -491,3 +532,7 @@
  files_read_usr_files(hald_dccm_t)
  
  miscfiles_read_localization(hald_dccm_t)
@@ -17405,7 +17197,7 @@ diff -b -B --ignore-all-space --exclude-
  		allow $1 self:udp_socket create_socket_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.32/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/kerberos.te	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/kerberos.te	2009-12-21 17:39:29.000000000 -0500
 @@ -110,8 +110,9 @@
  manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
  files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
@@ -17417,7 +17209,7 @@ diff -b -B --ignore-all-space --exclude-
  kernel_read_proc_symlinks(kadmind_t)
  kernel_read_system_state(kadmind_t)
  
-@@ -277,6 +278,8 @@
+@@ -277,11 +278,13 @@
  #
  
  allow kpropd_t self:capability net_bind_service;
@@ -17426,6 +17218,12 @@ diff -b -B --ignore-all-space --exclude-
  allow kpropd_t self:fifo_file rw_file_perms;
  allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
  allow kpropd_t self:tcp_socket create_stream_socket_perms;
+ 
+-allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
++allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
+ 
+ allow kpropd_t krb5_keytab_t:file read_file_perms;
+ 
 @@ -286,8 +289,13 @@
  allow kpropd_t krb5_keytab_t:file read_file_perms;
  
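Review bot: Widening kpropd_t's access on krb5_host_rcache_t from `rw_file_perms` to `manage_file_perms` adds create, unlink and rename on the host replay cache. If the motivation is that kpropd creates the rcache itself, the allow only helps when the new file receives that type, which needs a file transition such as `files_tmp_filetrans(kpropd_t, krb5_host_rcache_t, file)` (assuming the cache lives under a tmp directory) that is not part of this hunk; if one already exists in kerberos.te outside the hunk, disregard. A short comment above the rule, e.g. `# kpropd creates and rewrites its host replay cache`, would record why the wider grant is needed.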
@@ -17559,7 +17357,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.6.32/policy/modules/services/ksmtuned.te
 --- nsaserefpolicy/policy/modules/services/ksmtuned.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.te	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.te	2009-12-21 09:46:33.000000000 -0500
 @@ -0,0 +1,46 @@
 +policy_module(ksmtuned,1.0.0)
 +
@@ -17584,7 +17382,7 @@ diff -b -B --ignore-all-space --exclude-
 +#
 +# ksmtuned local policy
 +#
-+allow ksmtuned_t self:capability sys_ptrace;
++allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
 +
 +# Init script handling
 +domain_use_interactive_fds(ksmtuned_t)
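Review bot: Granting `sys_tty_config` to ksmtuned_t should be checked against the pattern used elsewhere in this patch, where munin.te carries `dontaudit munin_t self:capability sys_tty_config;` because daemons often request that capability at startup without needing it. Unless ksmtuned actually configures a tty, keeping `allow ksmtuned_t self:capability sys_ptrace;` and adding `dontaudit ksmtuned_t self:capability sys_tty_config;` silences the denial without widening the domain.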
@@ -18028,7 +17826,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/munin.te	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/munin.te	2009-12-21 11:34:20.000000000 -0500
 @@ -33,7 +33,7 @@
  # Local policy
  #
@@ -18038,7 +17836,17 @@ diff -b -B --ignore-all-space --exclude-
  dontaudit munin_t self:capability sys_tty_config;
  allow munin_t self:process { getsched setsched signal_perms };
  allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -147,6 +147,7 @@
+@@ -55,7 +55,8 @@
+ 
+ manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+ manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+-files_tmp_filetrans(munin_t, munin_tmp_t, { file dir })
++manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
++files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
+ 
+ # Allow access to the munin databases
+ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -147,6 +148,7 @@
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -19337,7 +19145,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.6.32/policy/modules/services/ntop.fc
 --- nsaserefpolicy/policy/modules/services/ntop.fc	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ntop.fc	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/ntop.fc	2009-12-21 11:13:49.000000000 -0500
 @@ -1,7 +1,6 @@
  /etc/ntop(/.*)?			gen_context(system_u:object_r:ntop_etc_t,s0)
  
@@ -19348,8 +19156,14 @@ diff -b -B --ignore-all-space --exclude-
  /var/run/ntop\.pid	--	gen_context(system_u:object_r:ntop_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.6.32/policy/modules/services/ntop.te
 --- nsaserefpolicy/policy/modules/services/ntop.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ntop.te	2009-12-17 11:20:45.000000000 -0500
-@@ -14,9 +14,6 @@
++++ serefpolicy-3.6.32/policy/modules/services/ntop.te	2009-12-21 11:12:35.000000000 -0500
+@@ -11,12 +11,12 @@
+ init_daemon_domain(ntop_t, ntop_exec_t)
+ application_domain(ntop_t, ntop_exec_t)
+ 
++type ntop_initrc_exec_t;
++init_script_file(ntop_initrc_exec_t)
++
  type ntop_etc_t;
  files_config_file(ntop_etc_t)
  
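Review bot: The new `ntop_initrc_exec_t` type declared with `init_script_file(ntop_initrc_exec_t)` only takes effect if the init script is labelled with it, and the ntop.fc hunk earlier in this patch is cut off before any such entry is visible. If it is missing, ntop.fc needs an entry of the form `/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0)` (mirroring the abrt entry in this patch), and if ntop.if has an admin interface it would normally also reference the new type. The declaration block itself starts outside the hunk.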
@@ -19359,11 +19173,12 @@ diff -b -B --ignore-all-space --exclude-
  type ntop_tmp_t;
  files_tmp_file(ntop_tmp_t)
  
-@@ -37,15 +34,14 @@
+@@ -37,26 +37,28 @@
  allow ntop_t self:fifo_file rw_fifo_file_perms;
  allow ntop_t self:tcp_socket create_stream_socket_perms;
  allow ntop_t self:udp_socket create_socket_perms;
 +allow ntop_t self:unix_dgram_socket create_socket_perms;
++allow ntop_t self:unix_stream_socket create_stream_socket_perms;
  allow ntop_t self:packet_socket create_socket_perms;
 +allow ntop_t self:socket create_socket_perms;
  
@@ -19377,7 +19192,13 @@ diff -b -B --ignore-all-space --exclude-
  manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
  manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
  files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
-@@ -57,6 +53,8 @@
+ 
+-create_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
++manage_dirs_pattern(ntop_t, ntop_var_lib_t,  ntop_var_lib_t)
+ manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+-files_var_lib_filetrans(ntop_t, ntop_var_lib_t, file)
++files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
+ 
  manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
  files_pid_filetrans(ntop_t, ntop_var_run_t, file)
  
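Review bot: Two of the rewritten ntop.te lines carry stray whitespace: `manage_dirs_pattern(ntop_t, ntop_var_lib_t,  ntop_var_lib_t)` has a double space before the last argument and `files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )` has a space before the closing parenthesis, unlike the neighbouring `files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })`. Suggest `manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)` and `files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir })`.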
@@ -19386,7 +19207,7 @@ diff -b -B --ignore-all-space --exclude-
  kernel_read_network_state(ntop_t)
  kernel_read_kernel_sysctls(ntop_t)
  kernel_list_proc(ntop_t)
-@@ -72,12 +70,17 @@
+@@ -72,26 +74,36 @@
  corenet_raw_sendrecv_generic_node(ntop_t)
  corenet_tcp_sendrecv_all_ports(ntop_t)
  corenet_udp_sendrecv_all_ports(ntop_t)
@@ -19404,15 +19225,17 @@ diff -b -B --ignore-all-space --exclude-
  
  fs_getattr_all_fs(ntop_t)
  fs_search_auto_mountpoints(ntop_t)
-@@ -85,6 +88,7 @@
+ 
++auth_use_nsswitch(ntop_t)
++
  logging_send_syslog_msg(ntop_t)
  
  miscfiles_read_localization(ntop_t)
+-
+-sysnet_read_config(ntop_t)
 +miscfiles_read_fonts(ntop_t)
  
- sysnet_read_config(ntop_t)
- 
-@@ -92,6 +96,10 @@
+ userdom_dontaudit_use_unpriv_user_fds(ntop_t)
  userdom_dontaudit_search_user_home_dirs(ntop_t)
  
  optional_policy(`
@@ -20162,7 +19985,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/run/plymouth(/.*)?				gen_context(system_u:object_r:plymouthd_var_run_t, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.32/policy/modules/services/plymouth.if
 --- nsaserefpolicy/policy/modules/services/plymouth.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.if	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.if	2009-12-21 12:06:57.000000000 -0500
 @@ -0,0 +1,304 @@
 +## <summary>policy for plymouthd</summary>
 +
@@ -20186,7 +20009,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 +########################################
 +## <summary>
-+##	Execute a plymoth in the current domain
++##	Execute a plymoth command in the current domain
 +## </summary>
 +## <param name="domain">
 +## <summary>
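Review bot: The reworded summary still misspells the program name: `##	Execute a plymoth command in the current domain` should read `##	Execute a plymouth command in the current domain`. The interface body this summary documents continues in the next hunk.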
@@ -20194,12 +20017,12 @@ diff -b -B --ignore-all-space --exclude-
 +## </summary>
 +## </param>
 +#
-+interface(`plymouth_exec', `
++interface(`plymouth_exec_plymouth', `
 +	gen_require(`
-+		type plymouthd_exec_t;
++		type plymouth_exec_t;
 +	')
 +
-+	can_exec($1, plymouthd_exec_t)
++	can_exec($1, plymouth_exec_t)
 +')
 +
 +########################################
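Review bot: Renaming `plymouth_exec` to `plymouth_exec_plymouth` and switching its gen_require to `type plymouth_exec_t` assumes that type is declared in plymouth.te and that the plymouth client binary is labelled with it in plymouth.fc; neither file is in this chunk, so please confirm both, since an unresolved type in gen_require fails the module build. The only visible caller, xdm_t in xserver.te, is updated later in this patch; any other module still calling `plymouth_exec` needs the same rename, or a compatibility wrapper with the old name should be kept.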
@@ -23437,7 +23260,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read NFS exported content.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/rpc.te	2009-12-18 15:32:53.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/rpc.te	2009-12-21 17:41:53.000000000 -0500
 @@ -37,8 +37,14 @@
  # rpc_exec_t is the type of rpc daemon programs.
  rpc_domain_template(rpcd)
@@ -23528,7 +23351,7 @@ diff -b -B --ignore-all-space --exclude-
  
  auth_use_nsswitch(gssd_t)
  auth_manage_cache(gssd_t) 
-@@ -199,10 +219,13 @@
+@@ -199,10 +219,14 @@
  
  mount_signal(gssd_t)
  
@@ -23539,6 +23362,7 @@ diff -b -B --ignore-all-space --exclude-
  	userdom_read_user_tmp_files(gssd_t) 
  	userdom_read_user_tmp_symlinks(gssd_t) 
 +	userdom_dontaudit_write_user_tmp_files(gssd_t) 
++	files_read_generic_tmp_files(gssd_t) 
  ')
  
  optional_policy(`
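Review bot: `files_read_generic_tmp_files(gssd_t)` lets gssd read every file carrying the generic tmp type, which is wider than the adjacent `userdom_read_user_tmp_files(gssd_t)` that is limited to user tmp content. If the intent is to reach credential caches that end up with the generic label, a comment saying so, e.g. `# NOTE: reads credential caches created with the generic tmp label — confirm`, would help, and a dedicated type with a file transition would scope it better in the long run. The enclosing block, which looks like a tunable or optional block, starts outside the hunk.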
@@ -26593,8 +26417,8 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te
 --- nsaserefpolicy/policy/modules/services/tuned.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/tuned.te	2009-12-17 11:20:47.000000000 -0500
-@@ -0,0 +1,59 @@
++++ serefpolicy-3.6.32/policy/modules/services/tuned.te	2009-12-21 10:30:27.000000000 -0500
+@@ -0,0 +1,60 @@
 +
 +policy_module(tuned,1.0.0)
 +
@@ -26627,6 +26451,7 @@ diff -b -B --ignore-all-space --exclude-
 +files_pid_filetrans(tuned_t, tuned_var_run_t, { file })
 +
 +corecmd_exec_shell(tuned_t)
++corecmd_exec_bin(tuned_t)
 +
 +kernel_read_network_state(tuned_t)
 +kernel_read_system_state(tuned_t)
@@ -28718,7 +28543,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2009-12-17 11:20:47.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2009-12-21 17:51:39.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -29251,7 +29076,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 +optional_policy(`
 +	plymouth_search_spool(xdm_t)
-+	plymouth_exec(xdm_t)
++	plymouth_exec_plymouth(xdm_t)
 +')
 +
 +optional_policy(`
@@ -29401,15 +29226,16 @@ diff -b -B --ignore-all-space --exclude-
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -721,6 +926,7 @@
+@@ -721,6 +926,8 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
++miscfiles_dontaudit_write_fonts(xserver_t)
 +miscfiles_read_hwdata(xserver_t)
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -743,7 +949,7 @@
+@@ -743,7 +950,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -29418,7 +29244,7 @@ diff -b -B --ignore-all-space --exclude-
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -775,12 +981,20 @@
+@@ -775,12 +982,20 @@
  ')
  
  optional_policy(`
@@ -29440,7 +29266,7 @@ diff -b -B --ignore-all-space --exclude-
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -807,12 +1021,12 @@
+@@ -807,12 +1022,12 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -29457,7 +29283,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Run xkbcomp.
  allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -828,9 +1042,14 @@
+@@ -828,9 +1043,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -29472,7 +29298,7 @@ diff -b -B --ignore-all-space --exclude-
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1064,14 @@
+@@ -845,11 +1065,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -29488,7 +29314,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -882,6 +1104,8 @@
+@@ -882,6 +1105,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -29497,7 +29323,7 @@ diff -b -B --ignore-all-space --exclude-
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -906,6 +1130,8 @@
+@@ -906,6 +1131,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -29506,7 +29332,7 @@ diff -b -B --ignore-all-space --exclude-
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1199,49 @@
+@@ -973,17 +1200,49 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -31607,7 +31433,7 @@ diff -b -B --ignore-all-space --exclude-
 +permissive kdump_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2009-12-18 08:55:06.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2009-12-21 13:42:25.000000000 -0500
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -31815,7 +31641,7 @@ diff -b -B --ignore-all-space --exclude-
  ') dnl end distro_redhat
  
  #
-@@ -307,10 +309,113 @@
+@@ -307,10 +309,115 @@
  
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
@@ -31929,6 +31755,8 @@ diff -b -B --ignore-all-space --exclude-
 +/opt/lampp/lib/libct\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/nmm/liba52\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib(64)?/chromium-browser/libsandbox\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if
 --- nsaserefpolicy/policy/modules/system/libraries.if	2009-09-16 10:01:19.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/system/libraries.if	2009-12-17 11:20:47.000000000 -0500
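Review bot: The new libraries.fc entry `/usr/lib(64)?/chromium-browser/libsandbox\.so` matches only the bare filename, whereas the neighbouring entries in this hunk (`liba52\.so.*`, `libct\.so.*`) also cover versioned names; if the chromium package ships a versioned soname, `libsandbox\.so.*` would be needed to label it. Labelling this library textrel_shlib_t is also the change that may make the `execstack` grant added to chrome_sandbox_t earlier in this patch unnecessary, so the two are worth testing together.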
@@ -35412,7 +35240,7 @@ diff -b -B --ignore-all-space --exclude-
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-12-17 11:20:47.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-12-21 14:36:02.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -36980,35 +36808,50 @@ diff -b -B --ignore-all-space --exclude-
  	fs_search_tmpfs($1)
  ')
  
--########################################
-+######################################
+ ########################################
  ## <summary>
 -##	Read user tmpfs files.
-+##  Manage user tmpfs files.
++##	Read/Write user tmpfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2419,15 +2695,14 @@
+@@ -2419,7 +2695,7 @@
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_rw_user_tmpfs_files',`
-+interface(`userdom_manage_user_tmpfs_files',`
++interface(`userdom_rw_inherited_user_tmpfs_files',`
  	gen_require(`
  		type user_tmpfs_t;
  	')
+@@ -2430,6 +2706,26 @@
+ 	fs_search_tmpfs($1)
+ ')
  
--	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
--	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
--	allow $1 user_tmpfs_t:dir list_dir_perms;
--	fs_search_tmpfs($1)
++######################################
++## <summary>
++##  Manage user tmpfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_manage_user_tmpfs_files',`
++	gen_require(`
++		type user_tmpfs_t;
++	')
++
 +    manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t)
 +    manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
 +    manage_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- ')
- 
++')
++
  ########################################
-@@ -2749,7 +3024,7 @@
+ ## <summary>
+ ##	Get the attributes of a user domain tty.
+@@ -2749,7 +3045,7 @@
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
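Review bot: The body of the new `userdom_manage_user_tmpfs_files` interface is indented with four spaces (`    manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t)` and the two lines after it) while the rest of userdomain.if, including the gen_require just above, uses tabs; please convert them to tab indentation. Separately, the renamed `userdom_rw_inherited_user_tmpfs_files` keeps the summary `Read/Write user tmpfs files.`, which does not say that it is meant for inherited, already-open descriptors if that is the intent of the rename, and any module still calling the old `userdom_rw_user_tmpfs_files` will fail to build since no compatibility alias is left behind.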
@@ -37017,7 +36860,7 @@ diff -b -B --ignore-all-space --exclude-
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2765,11 +3040,33 @@
+@@ -2765,11 +3061,33 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -37053,7 +36896,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2897,7 +3194,43 @@
+@@ -2897,7 +3215,43 @@
  		type user_tmp_t;
  	')
  
@@ -37098,7 +36941,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2934,6 +3267,7 @@
+@@ -2934,6 +3288,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -37106,7 +36949,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_search_proc($1)
  ')
  
-@@ -3064,3 +3398,656 @@
+@@ -3064,3 +3419,656 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.984
retrieving revision 1.985
diff -u -p -r1.984 -r1.985
--- selinux-policy.spec	18 Dec 2009 21:25:51 -0000	1.984
+++ selinux-policy.spec	21 Dec 2009 22:53:30 -0000	1.985
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 60%{?dist}
+Release: 61%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,12 @@ exit 0
 %endif
 
 %changelog
+* Mon Dec 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-61
+- Fixes for sandbox_x_server
+- Fix ntop policy
+- Allow screen to use fprintd
+- Sandbox fixes
+
 * Fri Dec 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-60
 - Fixs for cluster policy
 - mysql_safe fixes
@@ -456,10 +462,6 @@ exit 0
 - Cgroup access for virtd
 - Dontaudit fail2ban leaks
 
-* Wed Dec 16 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-59
-- Fixes for sandbox_x_server
-- 
-
 * Tue Dec 15 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-59
 - Dontaudit udp_socket leaks for xauth_t
 - Dontaudit rules for iceauth_t



