rpms/selinux-policy/devel policy-F12.patch, 1.2, 1.3 selinux-policy.spec, 1.858, 1.859

Daniel J Walsh dwalsh at fedoraproject.org
Mon Jun 8 21:47:05 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12776

Modified Files:
	policy-F12.patch selinux-policy.spec 
Log Message:
* Mon Jun 8 2009 Dan Walsh <dwalsh at redhat.com> 3.6.14-1
- Update to upstream 


policy-F12.patch:

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- policy-F12.patch	26 May 2009 16:57:59 -0000	1.2
+++ policy-F12.patch	8 Jun 2009 21:47:03 -0000	1.3
@@ -45,6 +45,16 @@ diff -b -B --ignore-all-space --exclude-
  #
 -#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.13/config/appconfig-mcs/securetty_types
+--- nsaserefpolicy/config/appconfig-mcs/securetty_types	2009-06-08 15:22:18.000000000 -0400
++++ serefpolicy-3.6.13/config/appconfig-mcs/securetty_types	2009-05-21 08:43:34.000000000 -0400
+@@ -1 +1,6 @@
++auditadm_tty_device_t
++secadm_tty_device_t
++staff_tty_device_t
++sysadm_tty_device_t
++unconfined_tty_device_t
+ user_tty_device_t
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.13/config/appconfig-mcs/seusers
 --- nsaserefpolicy/config/appconfig-mcs/seusers	2008-08-07 11:15:14.000000000 -0400
 +++ serefpolicy-3.6.13/config/appconfig-mcs/seusers	2009-05-21 09:48:23.000000000 -0400
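Review bot: The re-added mcs securetty_types entries (auditadm, secadm, staff, sysadm and unconfined tty device types on top of user_tty_device_t) are exactly the five names the previous patch revision was stripping from the mls list, and nothing on the page records why Fedora now keeps them against an upstream tree that dropped them. The file format has no comment syntax, so the reason belongs in the changelog entry, which currently only says `- Update to upstream`; something like `- Keep admin tty types in mcs securetty_types` would do. The securetty_types list is presumably what the login-time secure-tty check consults, so widening it is a policy decision rather than a cosmetic sync and deserves that one line. The mls counterpart is dropped in the next hunk, so the mcs and mls lists now appear to be maintained differently; worth confirming that is intended.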
@@ -164,16 +174,6 @@ diff -b -B --ignore-all-space --exclude-
  #
 -#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +#system_r:sshd_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/securetty_types serefpolicy-3.6.13/config/appconfig-mls/securetty_types
---- nsaserefpolicy/config/appconfig-mls/securetty_types	2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.13/config/appconfig-mls/securetty_types	2009-05-21 09:48:23.000000000 -0400
-@@ -1,6 +1 @@
--auditadm_tty_device_t
--secadm_tty_device_t
--staff_tty_device_t
--sysadm_tty_device_t
--unconfined_tty_device_t
- user_tty_device_t
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.13/config/appconfig-mls/virtual_domain_context
 --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.13/config/appconfig-mls/virtual_domain_context	2009-05-21 09:48:23.000000000 -0400
@@ -250,114 +250,6 @@ diff -b -B --ignore-all-space --exclude-
  $(appdir)/%: $(appconf)/%
  	@mkdir -p $(appdir)
  	$(verbose) $(INSTALL) -m 644 $< $@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.13/man/man8/httpd_selinux.8
---- nsaserefpolicy/man/man8/httpd_selinux.8	2009-03-05 09:22:34.000000000 -0500
-+++ serefpolicy-3.6.13/man/man8/httpd_selinux.8	2009-05-21 09:48:23.000000000 -0400
-@@ -22,7 +22,7 @@
- .EX
- httpd_sys_content_t 
- .EE 
--- Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon.
-+- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
- .EX
- httpd_sys_script_exec_t  
- .EE 
-@@ -30,11 +30,11 @@
- .EX
- httpd_sys_content_rw_t 
- .EE
--- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
-+- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
- .EX
- httpd_sys_content_ra_t 
- .EE
--- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
-+- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
- .EX
- httpd_unconfined_script_exec_t  
- .EE 
-@@ -57,8 +57,7 @@
- .EE
- 
- .SH BOOLEANS
--SELinux policy is customizable based on least access required.  So by 
--default SElinux prevents certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
-+SELinux policy is customizable based on least access required.  SElinux can be setup to prevent certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
- .PP
- httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
- 
-@@ -67,7 +66,7 @@
- .EE
- 
- .PP
--httpd by default is not allowed to access users home directories.  If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
-+SELinux policy for httpd can be setup to not allowed to access users home directories.  If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
- 
- .EX
- setsebool -P httpd_enable_homedirs 1
-@@ -75,7 +74,7 @@
- .EE
- 
- .PP
--httpd by default is not allowed access to the controlling terminal.  In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
-+SELinux policy for httpd can be setup to not allow access to the controlling terminal.  In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
- 
- .EX
- setsebool -P httpd_tty_comm 1
-@@ -89,7 +88,7 @@
- .EE
- 
- .PP
--httpd can be configured to turn on sending email. By default http is not allowed to send mail.  This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack.  I certain situations, you may want http modules to send mail.  You can turn on the httpd_send_mail boolean.
-+SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack.  I certain situations, you may want http modules to send mail.  You can turn on the httpd_send_mail boolean.
- 
- .EX
- setsebool -P httpd_can_sendmail 1
-@@ -102,7 +101,7 @@
- .EE
- 
- .PP
--httpd scripts by default are not allowed to connect out to the network.
-+SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
- This would prevent a hacker from breaking into you httpd server and attacking 
- other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
- 
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-3.6.13/man/man8/kerberos_selinux.8
---- nsaserefpolicy/man/man8/kerberos_selinux.8	2009-03-05 09:22:34.000000000 -0500
-+++ serefpolicy-3.6.13/man/man8/kerberos_selinux.8	2009-05-21 09:48:23.000000000 -0400
-@@ -12,7 +12,7 @@
- .SH "DESCRIPTION"
- 
- Security-Enhanced Linux secures the system via flexible mandatory access
--control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.  
-+control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.  
- .SH BOOLEANS
- .PP
- You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.13/man/man8/nfs_selinux.8
---- nsaserefpolicy/man/man8/nfs_selinux.8	2009-03-05 09:22:34.000000000 -0500
-+++ serefpolicy-3.6.13/man/man8/nfs_selinux.8	2009-05-21 09:48:23.000000000 -0400
-@@ -6,7 +6,7 @@
- Security Enhanced Linux secures the NFS server via flexible mandatory access
- control.  
- .SH BOOLEANS
--SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
-+SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
- 
- .TP
- setsebool -P nfs_export_all_ro 1
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ypbind_selinux.8 serefpolicy-3.6.13/man/man8/ypbind_selinux.8
---- nsaserefpolicy/man/man8/ypbind_selinux.8	2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.13/man/man8/ypbind_selinux.8	2009-05-21 09:48:23.000000000 -0400
-@@ -4,7 +4,7 @@
- .SH "DESCRIPTION"
- 
- Security-Enhanced Linux secures the system via flexible mandatory access
--control. By default NIS is not allowed, since it requires daemons to be allowed greater access to the network.  
-+control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.  
- .SH BOOLEANS
- .TP
- You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.13/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2008-11-11 16:13:50.000000000 -0500
 +++ serefpolicy-3.6.13/policy/global_tunables	2009-05-21 09:48:23.000000000 -0400
@@ -441,18 +333,6 @@ diff -b -B --ignore-all-space --exclude-
  
  userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.6.13/policy/modules/admin/brctl.te
---- nsaserefpolicy/policy/modules/admin/brctl.te	2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/admin/brctl.te	2009-05-21 09:48:23.000000000 -0400
-@@ -21,6 +21,8 @@
- allow brctl_t self:unix_dgram_socket create_socket_perms;
- allow brctl_t self:tcp_socket create_socket_perms;
- 
-+corenet_rw_tun_tap_dev(brctl_t)
-+
- kernel_load_module(brctl_t)
- kernel_read_network_state(brctl_t)
- kernel_read_sysctl(brctl_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.13/policy/modules/admin/certwatch.te
 --- nsaserefpolicy/policy/modules/admin/certwatch.te	2009-01-19 11:07:34.000000000 -0500
 +++ serefpolicy-3.6.13/policy/modules/admin/certwatch.te	2009-05-21 09:48:23.000000000 -0400
@@ -736,7 +616,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.13/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/admin/prelink.te	2009-05-21 09:48:23.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/admin/prelink.te	2009-05-29 11:07:55.000000000 -0400
 @@ -21,12 +21,15 @@
  type prelink_tmp_t;
  files_tmp_file(prelink_tmp_t)
@@ -778,16 +658,17 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_manage_all_executables(prelink_t)
  corecmd_relabel_all_executables(prelink_t)
-@@ -65,6 +71,8 @@
+@@ -65,6 +71,9 @@
  files_read_etc_files(prelink_t)
  files_read_etc_runtime_files(prelink_t)
  files_dontaudit_read_all_symlinks(prelink_t)
 +files_manage_usr_files(prelink_t)
++files_manage_var_files(prelink_t)
 +files_relabelfrom_usr_files(prelink_t)
  
  fs_getattr_xattr_fs(prelink_t)
  
[...2350 lines suppressed...]
-@@ -246,12 +266,13 @@
+@@ -247,12 +267,13 @@
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26380,7 +26567,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Jai, Sun Microsystems (Jpackage SPRM)
  /usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +288,9 @@
+@@ -268,6 +289,9 @@
  /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -26390,7 +26577,7 @@ diff -b -B --ignore-all-space --exclude-
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +315,8 @@
+@@ -292,6 +316,8 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26399,7 +26586,7 @@ diff -b -B --ignore-all-space --exclude-
  ') dnl end distro_redhat
  
  #
-@@ -303,6 +329,8 @@
+@@ -304,6 +330,8 @@
  
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
@@ -26408,7 +26595,7 @@ diff -b -B --ignore-all-space --exclude-
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
  ')
-@@ -310,3 +338,37 @@
+@@ -311,3 +339,37 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -26441,11 +26628,11 @@ diff -b -B --ignore-all-space --exclude-
 +/opt/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
++/usr/local/Zend/lib/ZendExtensionManager\.so	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
 +/usr/lib/libcncpmslld328\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.13/policy/modules/system/libraries.if
 --- nsaserefpolicy/policy/modules/system/libraries.if	2008-11-11 16:13:48.000000000 -0500
 +++ serefpolicy-3.6.13/policy/modules/system/libraries.if	2009-05-21 09:48:24.000000000 -0400
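Review bot: The new entry `/usr/local/Zend/lib/ZendExtensionManager\.so` matches only the bare `.so` name, while the neighbouring matlab, cncpmslld and ICAClient lines use `\.so(\.[^/]*)*` so versioned copies are covered too; if the Zend loader is ever shipped with a version suffix it will fall back to the default label and fail to load. More importantly, textrel_shlib_t is the label that permits `execmod` on the mapping, i.e. it is a deliberate relaxation of W^X for that library because it carries text relocations. The other vendor blocks in this file say who the library belongs to (`# Flash plugin, Macromedia`, `# Jai, Sun Microsystems`); a similar one-line comment above the Zend entry naming the product and that it needs text relocations would tell the next reviewer why the exception exists.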
@@ -26477,7 +26664,7 @@ diff -b -B --ignore-all-space --exclude-
  	read_lnk_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
  	mmap_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.13/policy/modules/system/libraries.te
---- nsaserefpolicy/policy/modules/system/libraries.te	2009-01-05 15:39:43.000000000 -0500
+--- nsaserefpolicy/policy/modules/system/libraries.te	2009-06-08 15:22:18.000000000 -0400
 +++ serefpolicy-3.6.13/policy/modules/system/libraries.te	2009-05-21 09:48:24.000000000 -0400
 @@ -52,11 +52,11 @@
  # ldconfig local policy
@@ -26537,7 +26724,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.13/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/locallogin.te	2009-05-21 09:48:24.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/system/locallogin.te	2009-05-28 21:07:37.000000000 -0400
 @@ -67,6 +67,7 @@
  dev_setattr_power_mgmt_dev(local_login_t)
  dev_getattr_sound_dev(local_login_t)
@@ -26575,7 +26762,15 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -235,17 +240,25 @@
+@@ -206,6 +211,7 @@
+ # Sulogin local policy
+ #
+ 
++allow sulogin_t self:capability dac_override;
+ allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow sulogin_t self:fd use;
+ allow sulogin_t self:fifo_file rw_file_perms;
+@@ -235,17 +241,28 @@
  seutil_read_default_contexts(sulogin_t)
  
  auth_read_shadow(sulogin_t)
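Review bot: `allow sulogin_t self:capability dac_override;` grants the full DAC bypass (read, write and execute on any file regardless of mode bits), and the hunk gives no hint of which access triggered it. If the underlying denial was a read of a root-owned, mode-0000 file — which is what `auth_read_shadow(sulogin_t)` just below suggests — `dac_read_search` is the narrower capability and should be tried first. Whichever capability stays, the rule should carry its reason the way the `# for access("/etc/bashrc", X_OK) on Red Hat` line elsewhere in this patch does, e.g. `# <file> is mode 0000; needed to read it for the root password prompt` filled in from the AVC message. The sulogin local policy block this sits in starts above the hunk.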
@@ -26597,18 +26792,22 @@ diff -b -B --ignore-all-space --exclude-
  # suse and debian do not use pam with sulogin...
  ifdef(`distro_suse', `define(`sulogin_no_pam')')
  ifdef(`distro_debian', `define(`sulogin_no_pam')')
-+ifdef(`distro_redhat',`define(`sulogin_no_pam')')
++ifdef(`distro_redhat',`
++	define(`sulogin_no_pam')
++	selinux_compute_user_contexts(sulogin_t)
++')
  
  ifdef(`sulogin_no_pam', `
  	allow sulogin_t self:capability sys_tty_config;
-@@ -260,10 +273,4 @@
+@@ -259,11 +276,3 @@
+ 	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
- 
+-
 -optional_policy(`
 -	nis_use_ypbind(sulogin_t)
 -')
- 
+-
 -optional_policy(`
 -	nscd_socket_use(sulogin_t)
 -')
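Review bot: The `selinux_compute_user_contexts(sulogin_t)` call added inside the new `ifdef(distro_redhat)` block looks redundant: the same block defines `sulogin_no_pam`, and the `ifdef(sulogin_no_pam)` branch that follows already ends with `selinux_compute_relabel_context(sulogin_t)` and `selinux_compute_user_contexts(sulogin_t)` (the context lines under `@@ -259,11 +276,3 @@`). Duplicate rules are harmless to the compiler, but the second call makes it unclear whether the Red Hat build needs something the generic no-pam branch does not. If only the define is needed, collapsing the block back to the single-line `ifdef(distro_redhat, define(sulogin_no_pam))` form removes the question; otherwise a comment stating what differs on Red Hat would settle it. The sulogin block continues past both ends of this hunk.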
@@ -28302,7 +28501,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.13/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/sysnetwork.te	2009-05-21 09:48:24.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/system/sysnetwork.te	2009-06-01 13:01:25.000000000 -0400
 @@ -20,6 +20,9 @@
  init_daemon_domain(dhcpc_t,dhcpc_exec_t)
  role system_r types dhcpc_t;
@@ -28318,8 +28517,9 @@ diff -b -B --ignore-all-space --exclude-
  # DHCP client local policy
  #
 -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+-dontaudit dhcpc_t self:capability sys_tty_config;
 +allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
- dontaudit dhcpc_t self:capability sys_tty_config;
++dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
  # for access("/etc/bashrc", X_OK) on Red Hat
  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 -allow dhcpc_t self:process signal_perms;
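Review bot: The widened `dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };` silences sys_ptrace denials for the DHCP client without saying what triggers them, while the very next rule carries its justification (`# for access("/etc/bashrc", X_OK) on Red Hat`). A dontaudit on sys_ptrace removes the audit record a monitoring team would rely on to notice a compromised dhclient probing other processes, so the reason belongs next to it, e.g. `# <command> triggers sys_ptrace checks when it <access>` filled in from the AVC that motivated the change. If the access turns out to be genuinely required rather than noise, an explicit allow with that comment is more honest than hiding the denial.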
@@ -29315,7 +29515,7 @@ diff -b -B --ignore-all-space --exclude-
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.13/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/userdomain.if	2009-05-26 08:16:31.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/system/userdomain.if	2009-06-04 14:43:48.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -30589,7 +30789,7 @@ diff -b -B --ignore-all-space --exclude-
  
 -	tunable_policy(`use_samba_home_dirs',`
 -		fs_exec_cifs_files($1)
-+	allow $1 user_home_t:dir delete_file_perms;
++	allow $1 user_home_t:file delete_file_perms;
 +')
 +
 +########################################
@@ -31490,8 +31690,8 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.13/policy/modules/system/virtual.te
 --- nsaserefpolicy/policy/modules/system/virtual.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/virtual.te	2009-05-21 09:48:24.000000000 -0400
-@@ -0,0 +1,79 @@
++++ serefpolicy-3.6.13/policy/modules/system/virtual.te	2009-06-08 09:20:26.000000000 -0400
+@@ -0,0 +1,80 @@
 +
 +policy_module(virtualization, 1.1.2)
 +
@@ -31531,6 +31731,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 +dev_read_sound(virtualdomain)
 +dev_write_sound(virtualdomain)
++dev_rw_ksm(virtualdomain)
 +dev_rw_kvm(virtualdomain)
 +dev_rw_qemu(virtualdomain)
 +
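Review bot: `dev_rw_ksm(virtualdomain)` calls an interface whose definition in devices.if, and the device type it grants access to, is not visible in this chunk; if it is not part of the same 3.6.14 update the virtualization module will not build. The rule also applies to every domain carrying the `virtualdomain` attribute rather than to a specific hypervisor domain, so a one-line comment such as `# KSM page-merging control device, needed by all virtual domains` would make the intended scope explicit. The rest of the module declaration, including `policy_module(virtualization, 1.1.2)`, lies outside this hunk.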
@@ -31690,7 +31891,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.13/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/xen.te	2009-05-21 09:48:24.000000000 -0400
++++ serefpolicy-3.6.13/policy/modules/system/xen.te	2009-06-04 14:46:24.000000000 -0400
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -31915,7 +32116,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_runtime_files(xm_t)
  files_read_usr_files(xm_t)
-@@ -339,15 +390,67 @@
+@@ -339,15 +390,68 @@
  
  storage_raw_read_fixed_disk(xm_t)
  
@@ -31949,6 +32150,7 @@ diff -b -B --ignore-all-space --exclude-
 +kernel_read_xen_state(xm_ssh_t)
 +kernel_write_xen_state(xm_ssh_t)
 +
++userdom_search_admin_dir(xm_ssh_t)
 +
 +#Should have a boolean wrapping these
 +fs_list_auto_mountpoints(xend_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.858
retrieving revision 1.859
diff -u -p -r1.858 -r1.859
--- selinux-policy.spec	26 May 2009 16:57:59 -0000	1.858
+++ selinux-policy.spec	8 Jun 2009 21:47:04 -0000	1.859
@@ -19,8 +19,8 @@
 %define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.6.13
-Release: 2%{?dist}
+Version: 3.6.14
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -183,7 +183,7 @@ fi; 
 
 %description
 SELinux Reference Policy - modular.
-Based off of reference policy: Checked out revision  2987.
+Based off of reference policy: Checked out revision  2993.
 
 %build
 
@@ -473,6 +473,15 @@ exit 0
 %endif
 
 %changelog
+* Mon Jun 8 2009 Dan Walsh <dwalsh at redhat.com> 3.6.14-1
+- Update to upstream 
+
+* Tue Jun 2 2009 Dan Walsh <dwalsh at redhat.com> 3.6.13-3
+- Add fish as a shell
+- Allow fprintd to list usbfs_t
+- Allow consolekit to search mountpoints
+- Add proper labeling for shorewall
+
 * Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.13-2
 - New log file for vmware
 - Allow xdm to setattr on user_tmp_t



