rpms/selinux-policy/devel modules-mls.conf, 1.63, 1.64 policy-F13.patch, 1.18, 1.19 selinux-policy.spec, 1.946, 1.947
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Dec 22 17:16:13 UTC 2009
Author: dwalsh
Update of /cvs/pkgs/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11028
Modified Files:
modules-mls.conf policy-F13.patch selinux-policy.spec
Log Message:
* Tue Dec 22 2009 Dan Walsh <dwalsh at redhat.com> 3.7.5-3
- Add back xserver_manage_home_fonts
Index: modules-mls.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.63
retrieving revision 1.64
diff -u -p -r1.63 -r1.64
--- modules-mls.conf 17 Dec 2009 19:34:18 -0000 1.63
+++ modules-mls.conf 22 Dec 2009 17:16:12 -0000 1.64
@@ -32,6 +32,13 @@ alsa = base
#
ada = module
+# Layer: services
+# Module: cgroup
+#
+# Tools and libraries to control and monitor control groups
+#
+cgroup = module
+
# Layer: apps
# Module: cpufreqselector
#
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 2
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/kismet.te | 5
policy/modules/admin/logrotate.te | 27
policy/modules/admin/logwatch.te | 8
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.fc | 1
policy/modules/admin/prelink.if | 23
policy/modules/admin/prelink.te | 78 +
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 344 ++++++
policy/modules/admin/rpm.te | 98 +
policy/modules/admin/shorewall.fc | 5
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 9
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 66 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 12
policy/modules/admin/usermanage.if | 11
policy/modules/admin/usermanage.te | 35
policy/modules/admin/vbetool.te | 14
policy/modules/admin/vpn.te | 4
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 86 +
policy/modules/apps/chrome.te | 83 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 42
policy/modules/apps/execmem.if | 103 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 64 +
policy/modules/apps/gitosis.if | 45
policy/modules/apps/gnome.fc | 13
policy/modules/apps/gnome.if | 197 +++
policy/modules/apps/gnome.te | 113 +-
policy/modules/apps/java.fc | 23
policy/modules/apps/java.if | 113 +-
policy/modules/apps/java.te | 18
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 67 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 52
policy/modules/apps/livecd.te | 27
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.fc | 2
policy/modules/apps/mono.if | 101 +
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 27
policy/modules/apps/mozilla.te | 22
policy/modules/apps/nsplugin.fc | 11
policy/modules/apps/nsplugin.if | 321 +++++
policy/modules/apps/nsplugin.te | 296 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 92 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/podsleuth.te | 2
policy/modules/apps/ptchown.if | 24
policy/modules/apps/pulseaudio.fc | 3
policy/modules/apps/pulseaudio.if | 42
policy/modules/apps/pulseaudio.te | 19
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 189 +++
policy/modules/apps/qemu.te | 83 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 60 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 222 +++
policy/modules/apps/sandbox.te | 340 ++++++
policy/modules/apps/screen.if | 1
policy/modules/apps/sectoolm.fc | 6
policy/modules/apps/sectoolm.if | 3
policy/modules/apps/sectoolm.te | 120 ++
policy/modules/apps/seunshare.if | 2
policy/modules/apps/seunshare.te | 3
policy/modules/apps/slocate.te | 1
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 114 ++
policy/modules/apps/wine.te | 32
policy/modules/kernel/corecommands.fc | 32
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.te.in | 44
policy/modules/kernel/devices.fc | 3
policy/modules/kernel/devices.if | 54
policy/modules/kernel/domain.if | 174 ++-
policy/modules/kernel/domain.te | 91 +
policy/modules/kernel/files.fc | 5
policy/modules/kernel/files.if | 370 ++++++
policy/modules/kernel/files.te | 3
policy/modules/kernel/filesystem.if | 236 ++++
policy/modules/kernel/filesystem.te | 8
policy/modules/kernel/kernel.if | 58 +
policy/modules/kernel/kernel.te | 27
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 1
policy/modules/kernel/terminal.if | 27
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 124 --
policy/modules/roles/sysadm.te | 125 --
policy/modules/roles/unconfineduser.fc | 8
policy/modules/roles/unconfineduser.if | 667 +++++++++++
policy/modules/roles/unconfineduser.te | 443 +++++++
policy/modules/roles/unprivuser.te | 127 --
policy/modules/roles/xguest.te | 69 +
policy/modules/services/abrt.fc | 8
policy/modules/services/abrt.if | 139 ++
policy/modules/services/abrt.te | 121 +-
policy/modules/services/afs.fc | 2
policy/modules/services/afs.te | 2
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 112 ++
policy/modules/services/apache.fc | 55
policy/modules/services/apache.if | 466 +++++---
policy/modules/services/apache.te | 457 ++++++--
policy/modules/services/apm.te | 4
policy/modules/services/arpwatch.te | 2
policy/modules/services/asterisk.if | 41
policy/modules/services/asterisk.te | 35
policy/modules/services/automount.te | 2
policy/modules/services/avahi.te | 13
policy/modules/services/bind.if | 40
policy/modules/services/bluetooth.if | 21
policy/modules/services/bluetooth.te | 12
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.te | 33
policy/modules/services/certmaster.fc | 1
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 +++
policy/modules/services/certmonger.te | 74 +
policy/modules/services/cgroup.fc | 7
policy/modules/services/cgroup.if | 52
policy/modules/services/cgroup.te | 88 +
policy/modules/services/chronyd.fc | 11
policy/modules/services/chronyd.if | 105 +
policy/modules/services/chronyd.te | 67 +
policy/modules/services/clamav.te | 19
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 98 +
policy/modules/services/clogd.te | 62 +
policy/modules/services/cobbler.fc | 2
policy/modules/services/cobbler.if | 44
policy/modules/services/cobbler.te | 5
policy/modules/services/consolekit.fc | 3
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 22
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 +
policy/modules/services/corosync.te | 110 +
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 74 +
policy/modules/services/cron.te | 84 +
policy/modules/services/cups.fc | 14
policy/modules/services/cups.te | 51
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 3
policy/modules/services/dbus.if | 53
policy/modules/services/dbus.te | 31
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 91 +
policy/modules/services/denyhosts.te | 71 +
policy/modules/services/devicekit.fc | 3
policy/modules/services/devicekit.if | 20
policy/modules/services/devicekit.te | 25
policy/modules/services/dnsmasq.te | 12
policy/modules/services/dovecot.fc | 1
policy/modules/services/dovecot.te | 31
policy/modules/services/exim.te | 5
policy/modules/services/fail2ban.if | 40
policy/modules/services/fetchmail.te | 3
policy/modules/services/fprintd.te | 5
policy/modules/services/ftp.te | 64 +
policy/modules/services/git.fc | 8
policy/modules/services/git.if | 286 +++++
policy/modules/services/git.te | 166 ++
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 14
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 50
policy/modules/services/howl.te | 2
policy/modules/services/inetd.fc | 2
policy/modules/services/inetd.te | 4
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 3
policy/modules/services/ksmtuned.fc | 5
policy/modules/services/ksmtuned.if | 76 +
policy/modules/services/ksmtuned.te | 46
policy/modules/services/ktalk.te | 1
policy/modules/services/ldap.fc | 2
policy/modules/services/ldap.if | 38
policy/modules/services/lircd.fc | 2
policy/modules/services/lircd.if | 9
policy/modules/services/lircd.te | 24
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 2
policy/modules/services/modemmanager.te | 5
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 31
policy/modules/services/mta.te | 36
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 6
policy/modules/services/mysql.if | 38
policy/modules/services/mysql.te | 18
policy/modules/services/nagios.fc | 46
policy/modules/services/nagios.if | 126 ++
policy/modules/services/nagios.te | 192 ++-
policy/modules/services/networkmanager.fc | 16
policy/modules/services/networkmanager.if | 65 +
policy/modules/services/networkmanager.te | 118 +-
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 23
policy/modules/services/ntop.fc | 1
policy/modules/services/ntop.te | 34
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 8
policy/modules/services/nut.fc | 16
policy/modules/services/nut.if | 58 +
policy/modules/services/nut.te | 188 +++
policy/modules/services/nx.fc | 10
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/openvpn.te | 6
policy/modules/services/pcscd.if | 38
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 322 +++++
policy/modules/services/plymouth.te | 102 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 66 -
policy/modules/services/portreserve.te | 3
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++
policy/modules/services/postfix.te | 142 ++
policy/modules/services/postgresql.fc | 16
policy/modules/services/postgresql.if | 60 +
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 16
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rdisc.if | 19
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 187 +++
policy/modules/services/rhcs.fc | 22
policy/modules/services/rhcs.if | 367 ++++++
policy/modules/services/rhcs.te | 410 +++++++
policy/modules/services/ricci.te | 31
policy/modules/services/rpc.fc | 4
policy/modules/services/rpc.if | 45
policy/modules/services/rpc.te | 27
policy/modules/services/rsync.te | 23
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 4
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 138 ++
policy/modules/services/samba.te | 91 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 87 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 83 +
policy/modules/services/snmp.if | 38
policy/modules/services/snmp.te | 4
policy/modules/services/snort.te | 1
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 89 +
policy/modules/services/spamassassin.te | 139 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 207 +++
policy/modules/services/ssh.te | 154 ++
policy/modules/services/sssd.fc | 5
policy/modules/services/sssd.if | 80 +
policy/modules/services/sssd.te | 17
policy/modules/services/sysstat.te | 5
policy/modules/services/tftp.fc | 2
policy/modules/services/tgtd.if | 17
policy/modules/services/tor.te | 13
policy/modules/services/tuned.te | 1
policy/modules/services/uucp.te | 10
policy/modules/services/vhostmd.fc | 6
policy/modules/services/vhostmd.if | 228 ++++
policy/modules/services/vhostmd.te | 86 +
policy/modules/services/virt.fc | 13
policy/modules/services/virt.if | 210 +++
policy/modules/services/virt.te | 284 ++++-
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 40
policy/modules/services/xserver.if | 325 +++++
policy/modules/services/xserver.te | 364 +++++-
policy/modules/services/zebra.if | 20
policy/modules/system/application.te | 7
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 210 +++
policy/modules/system/authlogin.te | 11
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 5
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 163 ++
policy/modules/system/init.te | 300 ++++-
policy/modules/system/ipsec.fc | 4
policy/modules/system/ipsec.if | 65 -
policy/modules/system/ipsec.te | 27
policy/modules/system/iptables.fc | 8
policy/modules/system/iptables.te | 8
policy/modules/system/iscsi.te | 7
policy/modules/system/kdump.te | 2
policy/modules/system/libraries.fc | 194 ++-
policy/modules/system/libraries.if | 5
policy/modules/system/libraries.te | 18
policy/modules/system/locallogin.te | 30
policy/modules/system/logging.fc | 12
policy/modules/system/logging.if | 20
policy/modules/system/logging.te | 38
policy/modules/system/lvm.te | 10
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 33
policy/modules/system/miscfiles.te | 3
policy/modules/system/modutils.te | 20
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 57 +
policy/modules/system/mount.te | 87 +
policy/modules/system/raid.te | 2
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 309 +++++
policy/modules/system/selinuxutil.te | 229 +---
policy/modules/system/sysnetwork.fc | 12
policy/modules/system/sysnetwork.if | 114 +-
policy/modules/system/sysnetwork.te | 79 +
policy/modules/system/udev.if | 1
policy/modules/system/udev.te | 12
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 443 -------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 7
policy/modules/system/userdomain.if | 1677 +++++++++++++++++++++++-------
policy/modules/system/userdomain.te | 51
policy/modules/system/xen.if | 19
policy/modules/system/xen.te | 10
policy/support/obj_perm_sets.spt | 20
policy/users | 15
377 files changed, 20009 insertions(+), 2756 deletions(-)
Index: policy-F13.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/policy-F13.patch,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -p -r1.18 -r1.19
--- policy-F13.patch 21 Dec 2009 22:53:06 -0000 1.18
+++ policy-F13.patch 22 Dec 2009 17:16:12 -0000 1.19
@@ -1536,7 +1536,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.5/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/admin/tmpreaper.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/admin/tmpreaper.te 2009-12-22 10:55:03.000000000 -0500
@@ -42,6 +42,7 @@
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
@@ -1545,20 +1545,21 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_delete_user_home_content_dirs(tmpreaper_t)
userdom_delete_user_home_content_files(tmpreaper_t)
userdom_delete_user_home_content_symlinks(tmpreaper_t)
-@@ -52,6 +53,12 @@
+@@ -52,6 +53,13 @@
')
optional_policy(`
+ apache_delete_sys_content_rw(tmpreaper_t)
+ apache_list_cache(tmpreaper_t)
+ apache_delete_cache(tmpreaper_t)
++ apache_setattr_cache_dirs(tmpreaper_t)
+')
+
+optional_policy(`
kismet_manage_log(tmpreaper_t)
')
-@@ -60,5 +67,9 @@
+@@ -60,5 +68,9 @@
')
optional_policy(`
@@ -3722,8 +3723,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.5/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/nsplugin.te 2009-12-21 13:07:09.000000000 -0500
-@@ -0,0 +1,295 @@
++++ serefpolicy-3.7.5/policy/modules/apps/nsplugin.te 2009-12-22 10:16:59.000000000 -0500
+@@ -0,0 +1,296 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -3917,6 +3918,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ ')
+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
+ xserver_rw_shm(nsplugin_t)
++ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_user_xauth(nsplugin_t)
+ xserver_read_user_iceauth(nsplugin_t)
@@ -4253,7 +4255,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.5/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/pulseaudio.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/apps/pulseaudio.te 2009-12-22 09:44:29.000000000 -0500
@@ -11,6 +11,9 @@
application_domain(pulseaudio_t, pulseaudio_exec_t)
role system_r types pulseaudio_t;
@@ -4311,6 +4313,15 @@ diff --exclude-from=exclude -N -u -r nsa
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
+@@ -98,6 +111,8 @@
+ ')
+
+ optional_policy(`
++ xserver_stream_connect(pulseaudio_t)
+ xserver_manage_xdm_tmp_files(pulseaudio_t)
+ xserver_read_xdm_lib_files(pulseaudio_t)
++ xserver_read_xdm_pid(pulseaudio_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.5/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/qemu.fc 2009-12-21 13:07:09.000000000 -0500
@@ -4715,8 +4726,8 @@ diff --exclude-from=exclude -N -u -r nsa
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.5/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.if 2009-12-21 13:07:09.000000000 -0500
-@@ -0,0 +1,186 @@
++++ serefpolicy-3.7.5/policy/modules/apps/sandbox.if 2009-12-22 11:04:52.000000000 -0500
+@@ -0,0 +1,222 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -4903,6 +4914,42 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
++
++########################################
++## <summary>
++## allow domain to delete sandbox files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`sandbox_delete_files',`
++ gen_require(`
++ attribute sandbox_file_type;
++ ')
++
++ delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
++')
++
++########################################
++## <summary>
++## allow domain to delete sandbox files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`sandbox_delete_dirs',`
++ gen_require(`
++ attribute sandbox_file_type;
++ ')
++
++ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.5/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2009-12-21 14:43:49.000000000 -0500
@@ -5249,17 +5296,12 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.5/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/screen.if 2009-12-21 14:51:54.000000000 -0500
-@@ -141,6 +141,12 @@
++++ serefpolicy-3.7.5/policy/modules/apps/screen.if 2009-12-22 11:38:41.000000000 -0500
+@@ -141,6 +141,7 @@
userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
userdom_setattr_user_ptys($1_screen_t)
+ userdom_setattr_user_ttys($1_screen_t)
-+
-+ optional_policy(`
-+ dbus_system_bus_client($1_screen_t)
-+ fprintd_dbus_chat($1_screen_t)
-+ ')
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
@@ -5710,7 +5752,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.5/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/corecommands.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/corecommands.if 2009-12-22 08:22:45.000000000 -0500
@@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -6927,7 +6969,7 @@ diff --exclude-from=exclude -N -u -r nsa
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.5/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-22 10:30:40.000000000 -0500
@@ -906,7 +906,7 @@
type cifs_t;
')
@@ -6972,13 +7014,53 @@ diff --exclude-from=exclude -N -u -r nsa
#########################################
## <summary>
## Read named sockets on a NFS filesystem.
-@@ -4181,3 +4200,60 @@
+@@ -4181,3 +4200,216 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
+
+########################################
+## <summary>
++## Search dirs on cgroup
++## file systems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_search_cgroup_dirs', `
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ allow $1 cgroup_t:dir search;
++')
++
++########################################
++## <summary>
++## list dirs on cgroup
++## file systems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_list_cgroup_dirs', `
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ list_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++## <summary>
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+## </summary>
@@ -6998,6 +7080,25 @@ diff --exclude-from=exclude -N -u -r nsa
+
+########################################
+## <summary>
++## create dirs on cgroup
++## file systems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_create_cgroup_dirs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ create_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++## <summary>
+## Manage dirs on cgroup file systems.
+## </summary>
+## <param name="domain">
@@ -7033,6 +7134,103 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ rw_files_pattern($1, cgroup_t, cgroup_t)
+')
++########################################
++## <summary>
++## Mount a cgroup filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_mount_cgroup_fs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 cgroup_t:filesystem mount;
++')
++
++########################################
++## <summary>
++## Remount a cgroup filesystem This allows
++## some mount options to be changed.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_remount_cgroup_fs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 cgroup_t:filesystem remount;
++')
++
++########################################
++## <summary>
++## Unmount a cgroup file system.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_unmount_cgroup_fs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 cgroup_t:filesystem unmount;
++')
++
++########################################
++## <summary>
++## Set attributes of files on cgroup
++## file systems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_setattr_cgroup_files',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ setattr_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_cgroup_dirs($1)
++')
++
++########################################
++## <summary>
++## Write files on cgroup
++## file systems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_write_cgroup_files', `
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ write_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_cgroup_dirs($1)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.5/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.te 2009-12-21 13:07:09.000000000 -0500
@@ -9518,7 +9716,7 @@ diff --exclude-from=exclude -N -u -r nsa
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.5/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-22 08:42:16.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -9566,7 +9764,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
-@@ -75,18 +90,33 @@
+@@ -75,18 +90,34 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
@@ -9585,6 +9783,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
++files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
+files_read_kernel_modules(abrt_t)
@@ -9600,7 +9799,7 @@ diff --exclude-from=exclude -N -u -r nsa
sysnet_read_config(abrt_t)
-@@ -96,22 +126,92 @@
+@@ -96,22 +127,92 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -10093,7 +10292,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.5/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/apache.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/apache.if 2009-12-22 10:55:59.000000000 -0500
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -10441,7 +10640,7 @@ diff --exclude-from=exclude -N -u -r nsa
## TCP sockets.
## </summary>
## <param name="domain">
-@@ -503,6 +480,86 @@
+@@ -503,6 +480,105 @@
########################################
## <summary>
@@ -10484,6 +10683,25 @@ diff --exclude-from=exclude -N -u -r nsa
+
+########################################
+## <summary>
++## Allow domain to set the attributes
++## of the APACHE cache directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_setattr_cache_dirs',`
++ gen_require(`
++ type httpd_cache_t;
++ ')
++
++ allow $1 httpd_cache_t:dir setattr;
++')
++
++########################################
++## <summary>
+## Allow the specified domain to read
+## apache tmp files.
+## </summary>
@@ -10528,7 +10746,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Allow the specified domain to read
## apache configuration files.
## </summary>
-@@ -579,7 +636,7 @@
+@@ -579,7 +655,7 @@
## </param>
## <param name="role">
## <summary>
@@ -10537,7 +10755,7 @@ diff --exclude-from=exclude -N -u -r nsa
## </summary>
## </param>
## <rolecap/>
-@@ -715,6 +772,7 @@
+@@ -715,6 +791,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -10545,7 +10763,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -782,6 +840,32 @@
+@@ -782,6 +859,32 @@
########################################
## <summary>
@@ -10578,7 +10796,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Execute all web scripts in the system
## script domain.
## </summary>
-@@ -791,16 +875,18 @@
+@@ -791,16 +894,18 @@
## </summary>
## </param>
#
@@ -10601,7 +10819,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -859,6 +945,8 @@
+@@ -859,6 +964,8 @@
## </summary>
## </param>
#
@@ -10610,7 +10828,7 @@ diff --exclude-from=exclude -N -u -r nsa
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
-@@ -884,7 +972,7 @@
+@@ -884,7 +991,7 @@
type httpd_squirrelmail_t;
')
@@ -10619,7 +10837,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1043,6 +1131,44 @@
+@@ -1043,6 +1150,44 @@
########################################
## <summary>
@@ -10664,7 +10882,7 @@ diff --exclude-from=exclude -N -u -r nsa
## All of the rules required to administrate an apache environment
## </summary>
## <param name="prefix">
-@@ -1072,11 +1198,17 @@
+@@ -1072,11 +1217,17 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -10682,7 +10900,7 @@ diff --exclude-from=exclude -N -u -r nsa
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
-@@ -1096,12 +1228,57 @@
+@@ -1096,12 +1247,57 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -12396,6 +12614,165 @@ diff --exclude-from=exclude -N -u -r nsa
+optional_policy(`
+ unconfined_dbus_send(certmonger_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.5/policy/modules/services/cgroup.fc
+--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/cgroup.fc 2009-12-22 11:06:28.000000000 -0500
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
++/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
++
++/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t, s0)
++/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
++
++/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.5/policy/modules/services/cgroup.if
+--- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/cgroup.if 2009-12-22 11:07:12.000000000 -0500
+@@ -0,0 +1,52 @@
++## <summary>Control group rules engine daemon.</summary>
++## <desc>
++## <p>
++## cgrulesengd is a daemon, which distributes processes
++## to control groups. When any process changes its
++## effective UID or GID, cgred inspects list of
++## rules loaded from cgrules.conf file and moves the
++## process to the appropriate control group.
++## </p>
++## <p>
++## The list of rules is read during the daemon startup and
++## are cached in daemon’s memory. The daemon reloads the
++## list of rules when it receives SIGUSR2 signal.
++## </p>
++## </desc>
++
++########################################
++## <summary>
++## Read and write cgred sock file in /var/run.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cgroup_cgred_rw_pid_sock_file', `
++ gen_require(`
++ type cgred_var_run_t;
++ ')
++
++ rw_sock_files_pattern($1, cgred_var_run_t, cgred_var_run_t)
++ files_search_pids($1)
++')
++
++########################################
++## <summary>
++## Unix stream socket connect to cgred.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cgroup_cgred_stream_connect', `
++ gen_require(`
++ type cgred_t;
++ ')
++
++ allow $1 cgred_t:unix_stream_socket connectto;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.5/policy/modules/services/cgroup.te
+--- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/cgroup.te 2009-12-22 11:05:59.000000000 -0500
+@@ -0,0 +1,88 @@
++policy_module(cgroup, 1.0.0)
++
++########################################
++#
++# cgred personal declarations.
++#
++
++type cgred_t;
++type cgred_exec_t;
++init_daemon_domain(cgred_t, cgred_exec_t)
++
++type cgred_initrc_exec_t;
++init_script_file(cgred_initrc_exec_t)
++
++type cgred_var_run_t;
++files_pid_file(cgred_var_run_t)
++
++permissive cgred_t;
++
++########################################
++#
++# cgconfig personal declarations.
++#
++
++type cgconfigparser_t;
++type cgconfigparser_exec_t;
++init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
++
++type cgconfig_initrc_exec_t;
++init_script_file(cgconfig_initrc_exec_t)
++
++permissive cgconfigparser_t;
++
++########################################
++#
++# cgred personal policy.
++#
++
++allow cgred_t self:capability { net_admin sys_ptrace dac_override };
++allow cgred_t self:netlink_socket { write bind create read };
++allow cgred_t self:unix_dgram_socket { write create connect };
++
++manage_sock_files_pattern(cgred_t, cgred_var_run_t,
++cgred_var_run_t)
++files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
++
++domain_read_all_domains_state(cgred_t)
++
++files_read_etc_files(cgred_t)
++
++files_search_all(cgred_t)
++files_getattr_all_files(cgred_t)
++files_getattr_all_dirs(cgred_t)
++files_getattr_all_sockets(cgred_t)
++files_getattr_all_pipes(cgred_t)
++files_getattr_all_symlinks(cgred_t)
++# read all link files.
++
++kernel_read_system_state(cgred_t)
++
++logging_send_syslog_msg(cgred_t)
++
++miscfiles_read_localization(cgred_t)
++
++optional_policy(`
++ fs_write_cgroup_files(cgred_t)
++')
++
++########################################
++#
++# cgconfig personal policy.
++#
++
++optional_policy(`
++ fs_manage_cgroup_dirs(cgconfigparser_t)
++ fs_rw_cgroup_files(cgconfigparser_t)
++ fs_setattr_cgroup_files(cgconfigparser_t)
++ fs_mount_cgroup_fs(cgconfigparser_t)
++')
++
++files_mounton_mnt(cgconfigparser_t)
++files_manage_mnt_dirs(cgconfigparser_t)
++
++files_read_etc_files(cgconfigparser_t)
++
++# /mnt/cgroups/cpu
++kernel_list_unlabeled(cgconfigparser_t)
++kernel_read_system_state(cgconfigparser_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.5/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/chronyd.fc 2009-12-21 13:07:09.000000000 -0500
@@ -13731,7 +14108,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.5/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/cups.fc 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/cups.fc 2009-12-22 09:33:25.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -13755,7 +14132,7 @@ diff --exclude-from=exclude -N -u -r nsa
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
-@@ -52,6 +57,8 @@
+@@ -52,13 +57,22 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13764,7 +14141,10 @@ diff --exclude-from=exclude -N -u -r nsa
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-@@ -61,4 +68,10 @@
+ /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
@@ -14000,7 +14380,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.5/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/dbus.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/dbus.if 2009-12-22 09:48:30.000000000 -0500
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -14052,18 +14432,24 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_read_user_home_content_files($1_dbusd_t)
ifdef(`hide_broken_symptoms', `
-@@ -153,6 +159,10 @@
+@@ -153,13 +159,13 @@
')
optional_policy(`
+- hal_dbus_chat($1_dbusd_t)
+ gnome_read_gconf_home_files($1_dbusd_t)
-+ ')
-+
-+ optional_policy(`
- hal_dbus_chat($1_dbusd_t)
')
-@@ -178,10 +188,12 @@
+ optional_policy(`
+- xserver_use_xdm_fds($1_dbusd_t)
+- xserver_rw_xdm_pipes($1_dbusd_t)
++ hal_dbus_chat($1_dbusd_t)
+ ')
++
+ ')
+
+ #######################################
+@@ -178,10 +184,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@@ -14076,7 +14462,7 @@ diff --exclude-from=exclude -N -u -r nsa
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -256,7 +268,7 @@
+@@ -256,7 +264,7 @@
########################################
## <summary>
@@ -14085,7 +14471,7 @@ diff --exclude-from=exclude -N -u -r nsa
## for service (acquire_svc).
## </summary>
## <param name="domain">
-@@ -364,6 +376,16 @@
+@@ -364,6 +372,16 @@
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
@@ -14102,7 +14488,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
-@@ -405,3 +427,24 @@
+@@ -405,3 +423,24 @@
typeattribute $1 dbusd_unconfined;
')
@@ -14129,7 +14515,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.5/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/dbus.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/dbus.te 2009-12-22 09:49:03.000000000 -0500
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
@@ -14163,7 +14549,7 @@ diff --exclude-from=exclude -N -u -r nsa
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
')
-@@ -156,5 +168,18 @@
+@@ -156,5 +168,24 @@
#
# Unconfined access to this module
#
@@ -14182,6 +14568,12 @@ diff --exclude-from=exclude -N -u -r nsa
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
++
++optional_policy(`
++ xserver_use_xdm_fds(session_bus_type)
++ xserver_rw_xdm_pipes(session_bus_type)
++ xserver_append_xdm_home_files(session_bus_type)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.5/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/dcc.te 2009-12-21 13:07:09.000000000 -0500
@@ -14246,6 +14638,187 @@ diff --exclude-from=exclude -N -u -r nsa
## All of the rules required to administrate
## an ddclient environment
## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.5/policy/modules/services/denyhosts.fc
+--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/denyhosts.fc 2009-12-22 10:13:51.000000000 -0500
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0)
++
++/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t, s0)
++
++/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0)
++/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0)
++/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.5/policy/modules/services/denyhosts.if
+--- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if 2009-12-22 10:13:51.000000000 -0500
+@@ -0,0 +1,91 @@
++## <summary>Deny Hosts.</summary>
++## <desc>
++## <p>
++## DenyHosts is a script intended to be run by Linux
++## system administrators to help thwart SSH server attacks
++## (also known as dictionary based attacks and brute force
++## attacks).
++## </p>
++## </desc>
++
++########################################
++## <summary>
++## Execute a domain transition to run denyhosts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`denyhosts_domtrans', `
++ gen_require(`
++ type denyhosts_t, denyhosts_exec_t;
++ ')
++
++ domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
++')
++
++########################################
++## <summary>
++## Execute ksmtuned server in the ksmtuned domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`denyhosts_initrc_domtrans', `
++ gen_require(`
++ type denyhosts_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an denyhosts environment.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`denyhosts_admin', `
++ gen_require(`
++ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
++ type denyhosts_var_log_t;
++ ')
++
++ allow $1 denyhosts_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, denyhosts_t, denyhosts_t)
++
++ files_list_pids($1)
++ admin_pattern($1, denyhosts_var_run_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, denyhosts_var_log_t)
++
++ files_search_locks($1)
++ admin_pattern($1, denyhosts_var_lock_t)
++
++ denyhosts_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 denyhosts_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ kernel_search_proc($1)
++ allow $1 denyhosts_t:dir list_dir_perms;
++ ps_process_pattern($1, denyhosts_t)
++ read_lnk_files_pattern($1, denyhosts_t, denyhosts_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.5/policy/modules/services/denyhosts.te
+--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te 2009-12-22 10:34:58.000000000 -0500
+@@ -0,0 +1,71 @@
++
++policy_module(denyhosts, 1.0.0)
++
++########################################
++#
++# DenyHosts personal declarations.
++#
++
++type denyhosts_t;
++type denyhosts_exec_t;
++init_daemon_domain(denyhosts_t, denyhosts_exec_t)
++
++type denyhosts_initrc_exec_t;
++init_script_file(denyhosts_initrc_exec_t)
++
++type denyhosts_var_lib_t;
++files_type(denyhosts_var_lib_t)
++
++type denyhosts_var_lock_t;
++files_lock_file(denyhosts_var_lock_t)
++
++type denyhosts_var_log_t;
++logging_log_file(denyhosts_var_log_t)
++
++########################################
++#
++# DenyHosts personal policy.
++#
++
++allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
++allow denyhosts_t self:tcp_socket create_socket_perms;
++allow denyhosts_t self:udp_socket create_socket_perms;
++
++manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
++files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
++
++manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
++manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
++files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
++
++append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
++create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
++read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
++setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
++logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
++
++corecmd_list_bin(denyhosts_t)
++corecmd_read_bin_symlinks(denyhosts_t)
++
++corenet_all_recvfrom_unlabeled(denyhosts_t)
++corenet_all_recvfrom_netlabel(denyhosts_t)
++corenet_tcp_sendrecv_generic_if(denyhosts_t)
++corenet_tcp_sendrecv_generic_node(denyhosts_t)
++corenet_tcp_bind_generic_node(denyhosts_t)
++corenet_sendrecv_smtp_client_packets(denyhosts_t)
++corenet_tcp_connect_smtp_port(denyhosts_t)
++
++dev_read_urand(denyhosts_t)
++
++kernel_read_system_state(denyhosts_t)
++
++# /var/log/secure
++logging_read_generic_logs(denyhosts_t)
++
++miscfiles_read_localization(denyhosts_t)
++
++sysnet_manage_config(denyhosts_t)
++
++optional_policy(`
++ cron_system_entry(denyhosts_t, denyhosts_exec_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.5/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/devicekit.fc 2009-12-21 13:07:09.000000000 -0500
@@ -18972,7 +19545,7 @@ diff --exclude-from=exclude -N -u -r nsa
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.5/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/portreserve.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/portreserve.te 2009-12-22 08:23:05.000000000 -0500
@@ -21,6 +21,7 @@
# Portreserve local policy
#
@@ -18981,6 +19554,15 @@ diff --exclude-from=exclude -N -u -r nsa
allow portreserve_t self:fifo_file rw_fifo_file_perms;
allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -37,6 +38,8 @@
+ manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
+
++corecmd_getattr_bin_files(portreserve_t)
++
+ corenet_all_recvfrom_unlabeled(portreserve_t)
+ corenet_all_recvfrom_netlabel(portreserve_t)
+ corenet_tcp_bind_generic_node(portreserve_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.5/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/postfix.fc 2009-12-21 13:07:09.000000000 -0500
@@ -21471,7 +22053,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Read NFS exported content.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.5/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/rpc.te 2009-12-21 17:42:16.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/rpc.te 2009-12-22 08:26:50.000000000 -0500
@@ -37,8 +37,14 @@
# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
@@ -21497,7 +22079,15 @@ diff --exclude-from=exclude -N -u -r nsa
allow rpcd_t self:fifo_file rw_fifo_file_perms;
allow rpcd_t rpcd_var_run_t:dir setattr;
-@@ -91,14 +98,21 @@
+@@ -67,6 +74,7 @@
+ kernel_read_network_state(rpcd_t)
+ # for rpc.rquotad
+ kernel_read_sysctl(rpcd_t)
++kernel_request_load_module(gssd_t)
+ kernel_rw_fs_sysctls(rpcd_t)
+ kernel_dontaudit_getattr_core_if(rpcd_t)
+ kernel_signal(rpcd_t)
+@@ -91,14 +99,21 @@
seutil_dontaudit_search_config(rpcd_t)
@@ -21519,7 +22109,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
#
# NFSD local policy
-@@ -127,6 +141,7 @@
+@@ -127,6 +142,7 @@
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
@@ -21527,7 +22117,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
-@@ -135,6 +150,7 @@
+@@ -135,6 +151,7 @@
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -21535,7 +22125,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
-@@ -151,6 +167,7 @@
+@@ -151,6 +168,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
@@ -21543,7 +22133,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
-@@ -182,6 +199,7 @@
+@@ -182,6 +200,7 @@
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
@@ -21551,7 +22141,7 @@ diff --exclude-from=exclude -N -u -r nsa
corecmd_exec_bin(gssd_t)
-@@ -189,8 +207,10 @@
+@@ -189,8 +208,10 @@
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -21562,7 +22152,7 @@ diff --exclude-from=exclude -N -u -r nsa
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
-@@ -199,10 +219,14 @@
+@@ -199,10 +220,14 @@
mount_signal(gssd_t)
@@ -25515,7 +26105,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.5/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/xserver.if 2009-12-21 14:42:35.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/xserver.if 2009-12-22 09:50:42.000000000 -0500
@@ -56,6 +56,13 @@
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
@@ -25592,7 +26182,15 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -774,7 +786,7 @@
+@@ -567,6 +579,7 @@
+
+ allow $1 xauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
++ xserver_read_xdm_pid($1)
+ ')
+
+ ########################################
+@@ -774,7 +787,7 @@
')
files_search_pids($1)
@@ -25601,7 +26199,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1219,3 +1231,278 @@
+@@ -1219,3 +1232,301 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -25880,9 +26478,32 @@ diff --exclude-from=exclude -N -u -r nsa
+ xserver_domtrans_xauth($1)
+ role $2 types xauth_t;
+')
++########################################
++## <summary>
++## Read user homedir fonts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`xserver_manage_home_fonts',`
++ gen_require(`
++ type user_fonts_t;
++ type user_fonts_config_t;
++ ')
++
++ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
++ manage_files_pattern($1, user_fonts_t, user_fonts_t)
++ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
++
++ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.5/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/xserver.te 2009-12-21 17:52:12.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/xserver.te 2009-12-22 09:44:04.000000000 -0500
@@ -36,6 +36,13 @@
## <desc>
@@ -26343,7 +26964,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -520,12 +633,47 @@
+@@ -520,12 +633,48 @@
')
optional_policy(`
@@ -26352,6 +26973,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
+ xserver_xdm_append_log(xdm_dbusd_t)
++ xserver_read_xdm_pid(xdm_dbusd_t)
+
+ corecmd_bin_entry_type(xdm_t)
+
@@ -26391,7 +27013,7 @@ diff --exclude-from=exclude -N -u -r nsa
hostname_exec(xdm_t)
')
-@@ -543,9 +691,42 @@
+@@ -543,9 +692,42 @@
')
optional_policy(`
@@ -26434,7 +27056,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
-@@ -555,8 +736,9 @@
+@@ -555,8 +737,9 @@
')
optional_policy(`
@@ -26446,7 +27068,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +747,6 @@
+@@ -565,7 +748,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -26454,7 +27076,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +757,10 @@
+@@ -576,6 +758,10 @@
')
optional_policy(`
@@ -26465,7 +27087,7 @@ diff --exclude-from=exclude -N -u -r nsa
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +785,9 @@
+@@ -600,10 +786,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -26477,7 +27099,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +799,18 @@
+@@ -615,6 +800,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -26496,7 +27118,7 @@ diff --exclude-from=exclude -N -u -r nsa
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +830,19 @@
+@@ -634,12 +831,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -26518,7 +27140,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +876,6 @@
+@@ -673,7 +877,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -26526,7 +27148,7 @@ diff --exclude-from=exclude -N -u -r nsa
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +885,12 @@
+@@ -683,9 +886,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -26540,7 +27162,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +905,12 @@
+@@ -700,8 +906,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -26553,7 +27175,7 @@ diff --exclude-from=exclude -N -u -r nsa
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,6 +932,7 @@
+@@ -723,6 +933,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -26561,7 +27183,7 @@ diff --exclude-from=exclude -N -u -r nsa
modutils_domtrans_insmod(xserver_t)
-@@ -779,12 +989,20 @@
+@@ -779,12 +990,20 @@
')
optional_policy(`
@@ -26583,7 +27205,7 @@ diff --exclude-from=exclude -N -u -r nsa
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1029,7 @@
+@@ -811,7 +1030,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -26592,7 +27214,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1050,14 @@
+@@ -832,9 +1051,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -26607,7 +27229,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1072,14 @@
+@@ -849,11 +1073,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -26624,7 +27246,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -1000,17 +1226,32 @@
+@@ -1000,17 +1227,32 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -27418,7 +28040,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.5/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/system/init.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/init.te 2009-12-22 10:22:45.000000000 -0500
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -27566,7 +28188,7 @@ diff --exclude-from=exclude -N -u -r nsa
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -272,16 +317,63 @@
+@@ -272,16 +317,66 @@
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -27598,6 +28220,9 @@ diff --exclude-from=exclude -N -u -r nsa
+fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
++fs_rw_cgroup_files(initrc_t)
++fs_setattr_cgroup_files(initrc_t)
++fs_manage_cgroup_dirs(initrc_t)
+
+# initrc_t needs to do a pidof which requires ptrace
+mcs_ptrace_all(initrc_t)
@@ -27631,7 +28256,7 @@ diff --exclude-from=exclude -N -u -r nsa
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -291,7 +383,7 @@
+@@ -291,7 +386,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -27640,7 +28265,7 @@ diff --exclude-from=exclude -N -u -r nsa
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -306,14 +398,15 @@
+@@ -306,14 +401,15 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -27658,7 +28283,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-@@ -324,48 +417,16 @@
+@@ -324,48 +420,16 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -27711,7 +28336,7 @@ diff --exclude-from=exclude -N -u -r nsa
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -374,19 +435,22 @@
+@@ -374,19 +438,22 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -27735,7 +28360,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -422,16 +486,12 @@
+@@ -422,16 +489,12 @@
# init scripts touch this
clock_dontaudit_write_adjtime(initrc_t)
@@ -27753,7 +28378,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
arpwatch_manage_data_files(initrc_t)
-@@ -450,11 +510,9 @@
+@@ -450,11 +513,9 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -27766,7 +28391,7 @@ diff --exclude-from=exclude -N -u -r nsa
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
-@@ -464,6 +522,7 @@
+@@ -464,6 +525,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
@@ -27774,7 +28399,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
-@@ -492,15 +551,22 @@
+@@ -492,15 +554,27 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -27782,6 +28407,11 @@ diff --exclude-from=exclude -N -u -r nsa
+ ')
+
+ optional_policy(`
++ cgroup_cgrulesengd_rw_pid_sock_file(initrc_t)
++ cgroup_cgrulesengd_stream_connect(initrc_t)
++ ')
++
++ optional_policy(`
+ gnome_manage_gconf_config(initrc_t)
')
@@ -27797,7 +28427,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -515,6 +581,33 @@
+@@ -515,6 +589,33 @@
')
')
@@ -27831,7 +28461,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -567,10 +660,19 @@
+@@ -567,10 +668,19 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -27851,7 +28481,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -590,6 +692,10 @@
+@@ -590,6 +700,10 @@
')
optional_policy(`
@@ -27862,7 +28492,7 @@ diff --exclude-from=exclude -N -u -r nsa
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +752,20 @@
+@@ -646,20 +760,20 @@
')
optional_policy(`
@@ -27889,7 +28519,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
ifdef(`distro_redhat',`
-@@ -668,6 +774,7 @@
+@@ -668,6 +782,7 @@
mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t)
@@ -27897,7 +28527,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -700,7 +807,6 @@
+@@ -700,7 +815,6 @@
')
optional_policy(`
@@ -27905,7 +28535,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -722,8 +828,6 @@
+@@ -722,8 +836,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -27914,7 +28544,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -736,13 +840,16 @@
+@@ -736,13 +848,16 @@
squid_manage_logs(initrc_t)
')
@@ -27931,7 +28561,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -751,6 +858,7 @@
+@@ -751,6 +866,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -27939,7 +28569,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -758,6 +866,15 @@
+@@ -758,6 +874,15 @@
')
optional_policy(`
@@ -27955,7 +28585,7 @@ diff --exclude-from=exclude -N -u -r nsa
unconfined_domain(initrc_t)
ifdef(`distro_redhat',`
-@@ -768,6 +885,21 @@
+@@ -768,6 +893,21 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -27977,7 +28607,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -793,3 +925,31 @@
+@@ -793,3 +933,31 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28342,7 +28972,7 @@ diff --exclude-from=exclude -N -u -r nsa
+permissive kdump_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-21 13:42:16.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-22 08:51:29.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -28669,7 +29299,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/usr/lib(64)?/chromium-browser/libsandbox\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/libraries.if 2009-12-21 13:07:09.000000000 -0500
@@ -29100,7 +29730,7 @@ diff --exclude-from=exclude -N -u -r nsa
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.5/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/system/miscfiles.if 2009-12-21 17:50:23.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/miscfiles.if 2009-12-22 12:15:10.000000000 -0500
@@ -73,7 +73,8 @@
#
interface(`miscfiles_read_fonts',`
@@ -29126,7 +29756,7 @@ diff --exclude-from=exclude -N -u -r nsa
manage_dirs_pattern($1, fonts_t, fonts_t)
manage_files_pattern($1, fonts_t, fonts_t)
manage_lnk_files_pattern($1, fonts_t, fonts_t)
-+ miscfiles_manage_fonts($1)
++ miscfiles_manage_fonts_cache($1)
+')
+
+########################################
@@ -29276,8 +29906,16 @@ diff --exclude-from=exclude -N -u -r nsa
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.5/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/mount.if 2009-12-21 13:07:09.000000000 -0500
-@@ -84,9 +84,11 @@
++++ serefpolicy-3.7.5/policy/modules/system/mount.if 2009-12-22 09:40:26.000000000 -0500
+@@ -16,6 +16,7 @@
+ ')
+
+ domtrans_pattern($1, mount_exec_t, mount_t)
++ mount_domtrans_fusermount($1)
+ ')
+
+ ########################################
+@@ -84,9 +85,11 @@
interface(`mount_signal',`
gen_require(`
type mount_t;
@@ -29289,7 +29927,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -177,3 +179,57 @@
+@@ -177,3 +180,57 @@
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
')
@@ -30359,12 +30997,14 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc 2009-12-21 13:07:09.000000000 -0500
-@@ -11,15 +11,20 @@
++++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc 2009-12-22 11:49:02.000000000 -0500
+@@ -11,15 +11,22 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
@@ -30382,7 +31022,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
#
-@@ -51,9 +56,12 @@
+@@ -51,9 +58,12 @@
/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
@@ -30397,7 +31037,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.5/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.if 2009-12-22 10:35:23.000000000 -0500
@@ -43,6 +43,36 @@
sysnet_domtrans_dhcpc($1)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.946
retrieving revision 1.947
diff -u -p -r1.946 -r1.947
--- selinux-policy.spec 21 Dec 2009 22:53:07 -0000 1.946
+++ selinux-policy.spec 22 Dec 2009 17:16:13 -0000 1.947
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.5
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,9 @@ exit 0
%endif
%changelog
+* Tue Dec 22 2009 Dan Walsh <dwalsh at redhat.com> 3.7.5-3
+- Add back xserver_manage_home_fonts
+
* Mon Dec 21 2009 Dan Walsh <dwalsh at redhat.com> 3.7.5-2
- Dontaudit sandbox trying to read nscd and sssd
More information about the fedora-extras-commits
mailing list