rpms/selinux-policy/devel policy-20090105.patch,1.29,1.30

Daniel J Walsh dwalsh at fedoraproject.org
Tue Feb 3 20:23:13 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10983

Modified Files:
	policy-20090105.patch 
Log Message:
* Mon Feb 2 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-13
- Add boolean to disallow unconfined_t login


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- policy-20090105.patch	3 Feb 2009 15:26:10 -0000	1.29
+++ policy-20090105.patch	3 Feb 2009 20:23:12 -0000	1.30
@@ -2875,7 +2875,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te	2009-02-02 09:39:29.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te	2009-02-03 10:55:18.000000000 -0500
 @@ -0,0 +1,288 @@
 +
 +policy_module(nsplugin, 1.0.0)
@@ -2897,7 +2897,7 @@
 +## Allow nsplugin code to connect to unreserved ports
 +## </p>
 +## </desc>
-+gen_tunable(nsplugin_can_network, True)
++gen_tunable(nsplugin_can_network, true)
 +
 +type nsplugin_exec_t;
 +application_executable_file(nsplugin_exec_t)
@@ -12453,7 +12453,7 @@
  ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.3/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/dnsmasq.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/dnsmasq.te	2009-02-03 14:14:11.000000000 -0500
 @@ -69,21 +69,22 @@
  
  # allow access to dnsmasq.conf
@@ -12480,6 +12480,12 @@
  ')
  
  optional_policy(`
+@@ -96,4 +97,5 @@
+ 
+ optional_policy(`
+ 	virt_manage_lib_files(dnsmasq_t)
++	virt_read_pid_files(dnsmasq_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.3/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2008-11-11 16:13:47.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/dovecot.fc	2009-01-19 13:10:02.000000000 -0500
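Review bot: The new `virt_read_pid_files(dnsmasq_t)` call at the end of this hunk depends on an interface that nothing visible in this commit declares; the only virt.if change shown further down is the timestamp update on its `+++` line, so I cannot confirm from here that virt.if gains `virt_read_pid_files` in the same revision. If the interface is missing, the name is left unexpanded by the m4 pass and the dnsmasq module will not build. The call sits inside an `optional_policy(` block that already requires the virt module, so the only check needed is that serefpolicy-3.6.3's virt.if actually defines it. That enclosing optional_policy block starts outside the inner hunk's visible context.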
@@ -13022,7 +13028,25 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.3/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/ftp.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/ftp.te	2009-02-03 11:10:55.000000000 -0500
+@@ -26,7 +26,7 @@
+ ## <desc>
+ ## <p>
+ ## Allow ftp servers to use cifs
+-## used for public file transfer services.
++## for public file transfer services.
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_ftpd_use_cifs, false)
+@@ -34,7 +34,7 @@
+ ## <desc>
+ ## <p>
+ ## Allow ftp servers to use nfs
+-## used for public file transfer services.
++## for public file transfer services.
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_ftpd_use_nfs, false)
 @@ -160,6 +160,7 @@
  
  fs_search_auto_mountpoints(ftpd_t)
@@ -22512,7 +22536,7 @@
 +HOME_DIR/VirtualMachines/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.3/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/virt.if	2009-01-30 09:30:42.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/virt.if	2009-02-03 14:14:04.000000000 -0500
 @@ -293,6 +293,41 @@
  
  ########################################
@@ -23335,7 +23359,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-02-02 14:36:35.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-02-03 10:52:31.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -23735,7 +23759,7 @@
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,9 +651,11 @@
+@@ -550,8 +651,9 @@
  ')
  
  optional_policy(`
@@ -23745,11 +23769,17 @@
 +	unconfined_signal(xdm_t)
 +')
  
-+optional_policy(`
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
+@@ -560,7 +662,6 @@
+ 	ifdef(`distro_rhel4',`
+ 		allow xdm_t self:process { execheap execmem };
  	')
-@@ -571,6 +674,10 @@
+-')
+ 
+ optional_policy(`
+ 	userhelper_dontaudit_search_config(xdm_t)
+@@ -571,6 +672,10 @@
  ')
  
  optional_policy(`
@@ -23760,7 +23790,7 @@
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,7 +694,7 @@
+@@ -587,7 +692,7 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23769,7 +23799,7 @@
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +709,11 @@
+@@ -602,9 +707,11 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23781,7 +23811,7 @@
  
  allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
  
-@@ -622,7 +731,7 @@
+@@ -622,7 +729,7 @@
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
@@ -23790,7 +23820,7 @@
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,6 +744,15 @@
+@@ -635,6 +742,15 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23806,7 +23836,7 @@
  # Create files in /var/log with the xserver_log_t type.
  manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
  logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -680,9 +798,14 @@
+@@ -680,9 +796,14 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -23821,7 +23851,7 @@
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +820,13 @@
+@@ -697,8 +818,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23835,7 +23865,7 @@
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -720,6 +848,7 @@
+@@ -720,6 +846,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -23843,7 +23873,7 @@
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -742,7 +871,7 @@
+@@ -742,7 +869,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -23852,7 +23882,7 @@
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -774,6 +903,10 @@
+@@ -774,6 +901,10 @@
  ')
  
  optional_policy(`
@@ -23863,7 +23893,7 @@
  	rhgb_getpgid(xserver_t)
  	rhgb_signal(xserver_t)
  ')
-@@ -806,7 +939,7 @@
+@@ -806,7 +937,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -23872,7 +23902,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +960,14 @@
+@@ -827,9 +958,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23887,7 +23917,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +982,14 @@
+@@ -844,11 +980,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -23903,7 +23933,7 @@
  ')
  
  optional_policy(`
-@@ -856,6 +997,11 @@
+@@ -856,6 +995,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -23915,7 +23945,7 @@
  ########################################
  #
  # Rules common to all X window domains
-@@ -881,6 +1027,8 @@
+@@ -881,6 +1025,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -23924,7 +23954,7 @@
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -905,6 +1053,8 @@
+@@ -905,6 +1051,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -23933,7 +23963,7 @@
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,6 +1122,37 @@
+@@ -972,6 +1120,37 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -23971,7 +24001,7 @@
  ifdef(`TODO',`
  tunable_policy(`allow_polyinstantiation',`
  # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1167,12 @@
+@@ -986,3 +1165,12 @@
  #
  allow xdm_t user_home_type:file unlink;
  ') dnl end TODO
@@ -24810,7 +24840,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-01-28 09:55:56.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-02-03 14:13:10.000000000 -0500
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -24988,7 +25018,7 @@
  
 +domain_dontaudit_use_interactive_fds(daemon)
 +
-+userdom_dontaudit_search_admin_dir(daemon)
++userdom_dontaudit_list_admin_dir(daemon)
 +
 +tunable_policy(`allow_daemons_use_tty',`
 +	term_use_unallocated_ttys(daemon)
@@ -25292,7 +25322,7 @@
  allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.3/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/libraries.fc	2009-01-26 13:53:03.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/libraries.fc	2009-02-03 14:11:21.000000000 -0500
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -25322,7 +25352,15 @@
  /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/ibm/java.*/jre/.+\.jar		--	gen_context(system_u:object_r:lib_t,s0)
  /opt/ibm/java.*/jre/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -115,9 +119,17 @@
+@@ -103,6 +107,7 @@
+ #
+ /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/(.*/)?java/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
+@@ -115,9 +120,17 @@
  
  /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -25340,7 +25378,7 @@
  /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -127,12 +139,14 @@
+@@ -127,12 +140,14 @@
  /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -25355,7 +25393,7 @@
  /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -168,7 +182,8 @@
+@@ -168,7 +183,8 @@
  # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -25365,7 +25403,7 @@
  
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -187,6 +202,7 @@
+@@ -187,6 +203,7 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -25373,7 +25411,7 @@
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -246,12 +262,13 @@
+@@ -246,12 +263,13 @@
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -25389,7 +25427,7 @@
  
  # Jai, Sun Microsystems (Jpackage SPRM)
  /usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +284,9 @@
+@@ -267,6 +285,9 @@
  /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -25399,7 +25437,7 @@
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +311,8 @@
+@@ -291,6 +312,8 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -25408,7 +25446,7 @@
  ') dnl end distro_redhat
  
  #
-@@ -303,6 +325,8 @@
+@@ -303,6 +326,8 @@
  
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
@@ -25417,7 +25455,7 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
  ')
-@@ -310,3 +334,20 @@
+@@ -310,3 +335,20 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -27721,7 +27759,7 @@
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.3/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if	2009-02-02 14:49:54.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/unconfined.if	2009-02-03 10:47:05.000000000 -0500
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -27784,14 +27822,14 @@
  interface(`unconfined_shell_domtrans',`
  	gen_require(`
 -		type unconfined_t;
-+		type unconfined_login_domain;
++		attribute unconfined_login_domain;
  	')
 -
 -	corecmd_shell_domtrans($1,unconfined_t)
 -	allow unconfined_t $1:fd use;
 -	allow unconfined_t $1:fifo_file rw_file_perms;
 -	allow unconfined_t $1:process sigchld;
-+	typeattribute $1 unconfined_login_domain
++	typeattribute $1 unconfined_login_domain;
  ')
  
  ########################################
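Review bot: After this hunk `unconfined_shell_domtrans` no longer grants a transition itself; it only tags `$1` with the `unconfined_login_domain` attribute, and the actual `corecmd_shell_domtrans` into `unconfined_t` together with the `fd use`, `fifo_file` and `sigchld` rules now lives in unconfined.te under `tunable_policy(`unconfined_login',...)` in the hunk further down. The interface's `<summary>`/`<desc>` block sits above this hunk outside the visible context and presumably still describes an unconditional shell transition; it should state the new condition, e.g. `## Allow $1 to transition to unconfined_t via a shell; only effective while the unconfined_login boolean is enabled.` Callers that relied on the interface for an unconditional transition now depend on that boolean's default, which this commit does not show and whose gen_tunable description should spell out. The `attribute` correction and the added `;` on `typeattribute` are right.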
@@ -27973,7 +28011,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te	2009-02-02 14:52:21.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/unconfined.te	2009-02-03 15:14:47.000000000 -0500
 @@ -5,36 +5,86 @@
  #
  # Declarations
@@ -28068,7 +28106,7 @@
  
  libs_run_ldconfig(unconfined_t, unconfined_r)
  
-@@ -42,26 +92,39 @@
+@@ -42,26 +92,46 @@
  logging_run_auditctl(unconfined_t, unconfined_r)
  
  mount_run_unconfined(unconfined_t, unconfined_r)
@@ -28084,6 +28122,13 @@
  
  userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
  
++tunable_policy(`unconfined_login',`
++	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
++	allow unconfined_t unconfined_login_domain:fd use;
++	allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
++	allow unconfined_t unconfined_login_domain:process sigchld;
++')
++
 +optional_policy(`
 +	nsplugin_role_notrans(unconfined_r, unconfined_t)
 +	tunable_policy(`allow_unconfined_nsplugin_transition',`
@@ -28110,7 +28155,7 @@
  ')
  
  optional_policy(`
-@@ -102,12 +165,24 @@
+@@ -102,12 +172,24 @@
  	')
  
  	optional_policy(`
@@ -28135,7 +28180,7 @@
  ')
  
  optional_policy(`
-@@ -119,31 +194,33 @@
+@@ -119,31 +201,33 @@
  ')
  
  optional_policy(`
@@ -28176,7 +28221,7 @@
  ')
  
  optional_policy(`
-@@ -155,36 +232,38 @@
+@@ -155,36 +239,38 @@
  ')
  
  optional_policy(`
@@ -28227,7 +28272,7 @@
  ')
  
  optional_policy(`
-@@ -192,7 +271,7 @@
+@@ -192,7 +278,7 @@
  ')
  
  optional_policy(`
@@ -28236,7 +28281,7 @@
  ')
  
  optional_policy(`
-@@ -204,11 +283,12 @@
+@@ -204,11 +290,12 @@
  ')
  
  optional_policy(`
@@ -28251,7 +28296,7 @@
  ')
  
  ########################################
-@@ -218,14 +298,68 @@
+@@ -218,14 +305,61 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -28276,7 +28321,7 @@
 +
 +optional_policy(`
 +	xserver_rw_shm(unconfined_execmem_t)
-+')
+ ')
 +
 +########################################
 +#
@@ -28295,7 +28340,7 @@
 +		type mplayer_exec_t;
 +	')
 +	domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
- ')
++')
 +
 +optional_policy(`
 +tunable_policy(`allow_unconfined_nsplugin_transition',`', `
@@ -28314,13 +28359,6 @@
 +')
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+
-+tunable_policy(`unconfined_login',`
-+	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
-+	allow unconfined_t unconfined_login_domain:fd use;
-+	allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
-+	allow unconfined_t unconfined_login_domain:process sigchld;
-+')
 +	
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.3/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2008-11-11 16:13:48.000000000 -0500



