rpms/selinux-policy/F-10 policy-20080710.patch, 1.170, 1.171 selinux-policy.spec, 1.797, 1.798

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jun 11 11:11:50 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3438

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
- Allow rpcd to send signals to automount



policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.170
retrieving revision 1.171
diff -u -p -r1.170 -r1.171
--- policy-20080710.patch	3 Jun 2009 13:26:03 -0000	1.170
+++ policy-20080710.patch	11 Jun 2009 11:11:46 -0000	1.171
@@ -6875,8 +6875,17 @@ diff --exclude-from=exclude -N -u -r nsa
 +wm_domain_template(user,xdm)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc	2009-06-03 07:57:01.000000000 +0200
-@@ -73,10 +73,16 @@
++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc	2009-06-08 16:02:14.000000000 +0200
+@@ -65,6 +65,8 @@
+ 
+ /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/racoon/scripts(/.*)?  		gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
+ 
+ 
+@@ -73,10 +75,16 @@
  /etc/sysconfig/libvirtd		-- gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/netconsole	-- gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/readonly-root 	-- gen_context(system_u:object_r:bin_t,s0)
@@ -6897,7 +6906,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -123,12 +129,18 @@
+@@ -123,12 +131,18 @@
  
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
@@ -6916,7 +6925,7 @@ diff --exclude-from=exclude -N -u -r nsa
  #
  # /usr
  #
-@@ -176,6 +188,8 @@
+@@ -176,6 +190,8 @@
  /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
  
@@ -6925,7 +6934,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -184,10 +198,8 @@
+@@ -184,10 +200,8 @@
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
@@ -6938,7 +6947,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/local/linuxprinter/filters(/.*)?   gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -202,6 +214,7 @@
+@@ -202,6 +216,7 @@
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -6946,7 +6955,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -222,14 +235,15 @@
+@@ -222,14 +237,15 @@
  /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
  /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
@@ -6964,7 +6973,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/share/fedora-usermgmt/wrapper --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hplip/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
-@@ -292,3 +306,14 @@
+@@ -292,3 +308,14 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -11249,6 +11258,18 @@ diff --exclude-from=exclude -N -u -r nsa
  ##	All of the rules required to administrate 
  ##	an amavis environment
  ## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.5.13/policy/modules/services/amavis.te
+--- nsaserefpolicy/policy/modules/services/amavis.te	2008-10-17 14:49:13.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/amavis.te	2009-06-11 12:21:57.000000000 +0200
+@@ -103,6 +103,8 @@
+ kernel_dontaudit_read_proc_symlinks(amavis_t)
+ kernel_dontaudit_read_system_state(amavis_t)
+ 
++fs_getattr_xattr_fs(amavis_t)
++
+ # find perl
+ corecmd_exec_bin(amavis_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.13/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-10-17 14:49:13.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/services/apache.fc	2009-06-03 08:00:14.000000000 +0200
@@ -12921,6 +12942,34 @@ diff --exclude-from=exclude -N -u -r nsa
  
  fs_getattr_all_fs(entropyd_t)
  fs_search_auto_mountpoints(entropyd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.5.13/policy/modules/services/automount.if
+--- nsaserefpolicy/policy/modules/services/automount.if	2008-10-17 14:49:13.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/automount.if	2009-06-08 16:14:26.000000000 +0200
+@@ -107,6 +107,24 @@
+ 	dontaudit $1 automount_tmp_t:dir getattr;
+ ')
+ 
++######################################
++## <summary>
++##      Send signal to automount process
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`automount_signal',`
++        gen_require(`
++                type automount_t;
++        ')
++
++        allow $1 automount_t:process signal;
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.13/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2008-10-17 14:49:11.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/services/automount.te	2009-02-10 15:07:15.000000000 +0100
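Review bot: The new `automount_signal` interface body is indented with spaces while the rest of automount.if uses tabs (compare the `dontaudit $1 automount_tmp_t:dir getattr;` context line), and its `<summary>` lines use a run of spaces where the neighbouring interfaces use a tab. m4 does not care, but every later diff against upstream will show the whole block as whitespace noise; re-indent the `gen_require` block and the `allow $1 automount_t:process signal;` line with tabs. Granting only `signal` rather than `signal_perms` is the right minimum for what the rpc.te hunk in this commit needs.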
@@ -16137,7 +16186,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.13/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te	2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/dcc.te	2009-03-30 16:36:54.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/dcc.te	2009-06-11 12:19:36.000000000 +0200
 @@ -105,6 +105,8 @@
  files_read_etc_files(cdcc_t)
  files_read_etc_runtime_files(cdcc_t)
@@ -16168,7 +16217,13 @@ diff --exclude-from=exclude -N -u -r nsa
  allow dcc_client_t self:unix_dgram_socket create_socket_perms;
  allow dcc_client_t self:udp_socket create_socket_perms;
  
-@@ -141,6 +136,7 @@
+@@ -136,11 +131,12 @@
+ 
+ # Access files in /var/dcc. The map file can be updated
+ allow dcc_client_t dcc_var_t:dir list_dir_perms;
+-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
++manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
  
  corenet_all_recvfrom_unlabeled(dcc_client_t)
  corenet_all_recvfrom_netlabel(dcc_client_t)
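Review bot: `manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` grants create, rename and unlink on every file under dcc_var_t, while the comment two lines above only says the map file can be updated. If the client rewrites the map in place, `rw_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` is the narrower rule; if it replaces the map through a temporary file and rename (which does need manage), the comment should say so, e.g. `# Access files in /var/dcc. The map file is replaced via temp file + rename, so create/rename/unlink are needed`. The dcc_client_t policy continues outside the hunk.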
@@ -16176,10 +16231,12 @@ diff --exclude-from=exclude -N -u -r nsa
  corenet_udp_sendrecv_generic_if(dcc_client_t)
  corenet_udp_sendrecv_all_nodes(dcc_client_t)
  corenet_udp_sendrecv_all_ports(dcc_client_t)
-@@ -148,6 +144,10 @@
+@@ -148,6 +144,12 @@
  files_read_etc_files(dcc_client_t)
  files_read_etc_runtime_files(dcc_client_t)
  
++fs_getattr_xattr_fs(dcc_client_t)
++
 +kernel_read_system_state(dcc_client_t)
 +
 +auth_use_nsswitch(dcc_client_t)
@@ -16187,20 +16244,23 @@ diff --exclude-from=exclude -N -u -r nsa
  libs_use_ld_so(dcc_client_t)
  libs_use_shared_libs(dcc_client_t)
  
-@@ -155,11 +155,8 @@
+@@ -155,11 +157,12 @@
  
  miscfiles_read_localization(dcc_client_t)
  
 -sysnet_read_config(dcc_client_t)
 -sysnet_dns_name_resolve(dcc_client_t)
--
++optional_policy(`
++	amavis_read_spool_files(dcc_client_t)
++')
+ 
  optional_policy(`
 -	nscd_socket_use(dcc_client_t)
 +	spamassassin_read_spamd_tmp_files(dcc_client_t)
  ')
  
  ########################################
-@@ -191,6 +188,8 @@
+@@ -191,6 +194,8 @@
  files_read_etc_files(dcc_dbclean_t)
  files_read_etc_runtime_files(dcc_dbclean_t)
  
@@ -16209,7 +16269,7 @@ diff --exclude-from=exclude -N -u -r nsa
  libs_use_ld_so(dcc_dbclean_t)
  libs_use_shared_libs(dcc_dbclean_t)
  
-@@ -198,13 +197,6 @@
+@@ -198,13 +203,6 @@
  
  miscfiles_read_localization(dcc_dbclean_t)
  
@@ -16223,7 +16283,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
  #
  # Server daemon local policy
-@@ -262,6 +254,8 @@
+@@ -262,6 +260,8 @@
  fs_getattr_all_fs(dccd_t)
  fs_search_auto_mountpoints(dccd_t)
  
@@ -16232,7 +16292,7 @@ diff --exclude-from=exclude -N -u -r nsa
  libs_use_ld_so(dccd_t)
  libs_use_shared_libs(dccd_t)
  
-@@ -277,10 +271,6 @@
+@@ -277,10 +277,6 @@
  sysadm_dontaudit_search_home_dirs(dccd_t)
  
  optional_policy(`
@@ -16243,7 +16303,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	seutil_sigchld_newrole(dccd_t)
  ')
  
-@@ -336,6 +326,8 @@
+@@ -336,6 +332,8 @@
  fs_getattr_all_fs(dccifd_t)
  fs_search_auto_mountpoints(dccifd_t)
  
@@ -16252,7 +16312,7 @@ diff --exclude-from=exclude -N -u -r nsa
  libs_use_ld_so(dccifd_t)
  libs_use_shared_libs(dccifd_t)
  
-@@ -343,18 +335,10 @@
+@@ -343,18 +341,10 @@
  
  miscfiles_read_localization(dccifd_t)
  
@@ -16271,7 +16331,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	seutil_sigchld_newrole(dccifd_t)
  ')
  
-@@ -409,6 +393,8 @@
+@@ -409,6 +399,8 @@
  fs_getattr_all_fs(dccm_t)
  fs_search_auto_mountpoints(dccm_t)
  
@@ -16280,7 +16340,7 @@ diff --exclude-from=exclude -N -u -r nsa
  libs_use_ld_so(dccm_t)
  libs_use_shared_libs(dccm_t)
  
-@@ -416,18 +402,10 @@
+@@ -416,18 +408,10 @@
  
  miscfiles_read_localization(dccm_t)
  
@@ -25664,7 +25724,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.13/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/pyzor.te	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/pyzor.te	2009-06-11 12:20:09.000000000 +0200
 @@ -6,6 +6,38 @@
  # Declarations
  #
@@ -25728,7 +25788,16 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
  #
  # Pyzor local policy
-@@ -68,6 +108,8 @@
+@@ -46,6 +86,8 @@
+ kernel_read_kernel_sysctls(pyzor_t)  
+ kernel_read_system_state(pyzor_t)
+ 
++fs_getattr_xattr_fs(pyzor_t)
++
+ corecmd_list_bin(pyzor_t)
+ corecmd_getattr_bin_files(pyzor_t)
+ 
+@@ -68,6 +110,8 @@
  
  miscfiles_read_localization(pyzor_t)
  
@@ -25737,7 +25806,7 @@ diff --exclude-from=exclude -N -u -r nsa
  sysadm_dontaudit_search_home_dirs(pyzor_t)
  
  optional_policy(`
-@@ -76,8 +118,13 @@
+@@ -76,8 +120,13 @@
  ')
  
  optional_policy(`
@@ -26271,7 +26340,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/rpc.te	2009-05-05 14:18:33.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/rpc.te	2009-06-08 16:17:53.000000000 +0200
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write, false)
  
@@ -26302,7 +26371,18 @@ diff --exclude-from=exclude -N -u -r nsa
  selinux_dontaudit_read_fs(rpcd_t)
  
  miscfiles_read_certs(rpcd_t)
-@@ -101,6 +105,7 @@
+@@ -85,6 +89,10 @@
+ seutil_dontaudit_search_config(rpcd_t)
+ 
+ optional_policy(`
++	automount_signal(rpcd_t)
++')
++
++optional_policy(`
+ 	nis_read_ypserv_config(rpcd_t)
+ ')
+ 
+@@ -101,6 +109,7 @@
  # for /proc/fs/nfs/exports - should we have a new type?
  kernel_read_system_state(nfsd_t) 
  kernel_read_network_state(nfsd_t) 
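Review bot: `automount_signal(rpcd_t)` is added without a comment, so the only record of why rpcd needs to signal automount is the changelog entry for 3.5.13-64 in the spec hunk of this same commit. A one-line why-comment inside the new `optional_policy` block, e.g. `# rpcd needs to signal automount (see 3.5.13-64 changelog)`, keeps the rationale next to the rule. Putting it in its own `optional_policy` rather than inside the existing nis block is correct, since the automount module may not be loaded.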
@@ -26310,7 +26390,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  corenet_tcp_bind_all_rpc_ports(nfsd_t)
  corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -116,6 +121,7 @@
+@@ -116,6 +125,7 @@
  # cjp: this should really have its own type
  files_manage_mounttab(rpcd_t)
  
@@ -26318,7 +26398,7 @@ diff --exclude-from=exclude -N -u -r nsa
  fs_mount_nfsd_fs(nfsd_t) 
  fs_search_nfsd_fs(nfsd_t) 
  fs_getattr_all_fs(nfsd_t) 
-@@ -123,6 +129,7 @@
+@@ -123,6 +133,7 @@
  fs_rw_nfsd_fs(nfsd_t) 
  
  storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -26326,7 +26406,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
-@@ -133,13 +140,22 @@
+@@ -133,13 +144,22 @@
  ') 
  
  tunable_policy(`nfs_export_all_rw',`
@@ -26350,7 +26430,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -162,6 +178,7 @@
+@@ -162,6 +182,7 @@
  
  corecmd_exec_bin(gssd_t)
  
@@ -26358,7 +26438,7 @@ diff --exclude-from=exclude -N -u -r nsa
  fs_list_rpc(gssd_t) 
  fs_read_rpc_sockets(gssd_t) 
  fs_read_rpc_files(gssd_t) 
-@@ -170,9 +187,14 @@
+@@ -170,9 +191,14 @@
  files_read_usr_symlinks(gssd_t) 
  
  auth_use_nsswitch(gssd_t)
@@ -26373,7 +26453,7 @@ diff --exclude-from=exclude -N -u -r nsa
  tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_unpriv_users_tmp(gssd_t) 
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
-@@ -180,8 +202,7 @@
+@@ -180,8 +206,7 @@
  ')
  
  optional_policy(`
@@ -26458,7 +26538,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +/var/run/rsyncd\.lock      --	gen_context(system_u:object_r:rsync_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.13/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/rsync.te	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/rsync.te	2009-06-11 12:35:05.000000000 +0200
 @@ -45,7 +45,7 @@
  # Local policy
  #
@@ -26468,10 +26548,14 @@ diff --exclude-from=exclude -N -u -r nsa
  allow rsync_t self:process signal_perms;
  allow rsync_t self:fifo_file rw_fifo_file_perms;
  allow rsync_t self:tcp_socket create_stream_socket_perms;
-@@ -122,5 +122,10 @@
+@@ -121,6 +121,13 @@
+ ')
  
  tunable_policy(`rsync_export_all_ro',`
- 	fs_read_noxattr_fs_files(rsync_t) 
+-	fs_read_noxattr_fs_files(rsync_t) 
++	fs_read_noxattr_fs_files(rsync_t)
++	fs_read_nfs_files(rsync_t)
++	fs_read_cifs_files(rsync_t)
 +	auth_read_all_dirs_except_shadow(rsync_t)
  	auth_read_all_files_except_shadow(rsync_t)
 +	auth_read_all_symlinks_except_shadow(rsync_t)
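Review bot: `fs_read_nfs_files(rsync_t)` and `fs_read_cifs_files(rsync_t)` are placed under the `rsync_export_all_ro` tunable, so enabling that boolean now also opens every NFS and CIFS mount to the rsync daemon, independently of the `use_nfs_home_dirs` and `use_samba_home_dirs` booleans that usually gate these two interfaces elsewhere in refpolicy. If that is intended, a comment above the two lines should state it, e.g. `# read-only export deliberately includes remote (NFS/CIFS) mounts`; otherwise nest them in their own `tunable_policy` on those booleans. The `tunable_policy` block continues past the end of the hunk.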
@@ -28814,7 +28898,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te	2009-04-27 10:20:11.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te	2009-06-11 12:21:25.000000000 +0200
 @@ -21,16 +21,24 @@
  gen_tunable(spamd_enable_home_dirs, true)
  
@@ -28998,7 +29082,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -211,5 +261,142 @@
+@@ -211,5 +261,144 @@
  ')
  
  optional_policy(`
@@ -29055,6 +29139,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +files_list_var_lib(spamc_t)
 +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 +
++fs_getattr_xattr_fs(spamc_t)
++
 +fs_search_auto_mountpoints(spamc_t)
 +fs_list_inotifyfs(spamc_t)  
 +
@@ -33504,7 +33590,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.5.13/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/ipsec.te	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/ipsec.te	2009-06-11 12:49:17.000000000 +0200
 @@ -55,11 +55,12 @@
  
  allow ipsec_t self:capability { net_admin dac_override dac_read_search };
@@ -33561,7 +33647,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	seutil_sigchld_newrole(ipsec_t)
  ')
  
-@@ -160,9 +162,9 @@
+@@ -160,10 +162,11 @@
  allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
  allow ipsec_mgmt_t self:process { signal setrlimit };
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
@@ -33569,11 +33655,14 @@ diff --exclude-from=exclude -N -u -r nsa
 +allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 -allow ipsec_mgmt_t self:key_socket { create setopt };
+-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
 +allow ipsec_mgmt_t self:key_socket create_socket_perms;
- allow ipsec_mgmt_t self:fifo_file rw_file_perms;
++allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
++
  
  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
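Review bot: The empty line added after `allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;` sits directly before an existing blank line, leaving two consecutive blank lines ahead of the `ipsec_mgmt_lock_t` rule; drop the extra one. Switching the fifo_file rule from `rw_file_perms` to `rw_fifo_file_perms` is the correct permission set for that object class.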
-@@ -171,6 +173,8 @@
+ files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
+@@ -171,6 +174,8 @@
  allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
  
@@ -33582,7 +33671,7 @@ diff --exclude-from=exclude -N -u -r nsa
  manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
  manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
  
-@@ -226,6 +230,7 @@
+@@ -226,6 +231,7 @@
  # the ipsec wrapper wants to run /usr/bin/logger (should we put
  # it in its own domain?)
  corecmd_exec_bin(ipsec_mgmt_t)
@@ -33590,7 +33679,12 @@ diff --exclude-from=exclude -N -u -r nsa
  
  domain_use_interactive_fds(ipsec_mgmt_t)
  # denials when ps tries to search /proc. Do not audit these denials.
-@@ -283,7 +288,7 @@
+@@ -279,11 +285,12 @@
+ #
+ 
+ allow racoon_t self:capability { net_admin net_bind_service };
++allow racoon_t self:fifo_file rw_fifo_file_perms;
+ allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
@@ -33599,7 +33693,18 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # manage pid file
  manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
-@@ -305,6 +310,7 @@
+@@ -301,10 +308,18 @@
+ kernel_read_system_state(racoon_t)
+ kernel_read_network_state(racoon_t)
+ 
++can_exec(racoon_t, racoon_exec_t)
++
++corecmd_exec_shell(racoon_t)
++corecmd_exec_bin(racoon_t)
++
++sysnet_exec_ifconfig(racoon_t)
++
+ corenet_all_recvfrom_unlabeled(racoon_t)
  corenet_tcp_bind_all_nodes(racoon_t)
  corenet_udp_bind_all_nodes(racoon_t)
  corenet_udp_bind_isakmp_port(racoon_t)
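Review bot: `corecmd_exec_shell(racoon_t)` and `corecmd_exec_bin(racoon_t)` run the helpers inside racoon_t with no domain transition, so anything under /etc/racoon/scripts (labelled bin_t by the corecommands.fc hunk earlier in this commit) and every other bin_t binary executes with racoon's `net_admin` capability and its write access to ipsec_var_run_t, and none of the four new rules says why. Add a why-comment above the block, e.g. `# racoon runs the hook scripts in /etc/racoon/scripts, which call ifconfig` — marked as presumed, since the scripts themselves are not part of this change — and a one-line note for `can_exec(racoon_t, racoon_exec_t)` (racoon re-executing its own binary). The racoon_t section continues outside the hunk.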
@@ -33607,7 +33712,7 @@ diff --exclude-from=exclude -N -u -r nsa
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
  dev_read_urand(racoon_t)
-@@ -319,6 +325,8 @@
+@@ -319,6 +334,8 @@
  
  ipsec_setcontext_default_spd(racoon_t)
  
@@ -33616,7 +33721,7 @@ diff --exclude-from=exclude -N -u -r nsa
  libs_use_ld_so(racoon_t)
  libs_use_shared_libs(racoon_t)
  
-@@ -335,7 +343,7 @@
+@@ -335,7 +352,7 @@
  #
  
  allow setkey_t self:capability net_admin;
@@ -33718,7 +33823,7 @@ diff --exclude-from=exclude -N -u -r nsa
  allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc	2009-04-03 10:47:07.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc	2009-06-11 12:23:47.000000000 +0200
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -33880,7 +33985,15 @@ diff --exclude-from=exclude -N -u -r nsa
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +320,8 @@
+@@ -283,6 +312,7 @@
+ /usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/Zend/lib/ZendExtensionManager\.so	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+@@ -291,6 +321,8 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -33889,7 +34002,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ') dnl end distro_redhat
  
  #
-@@ -307,6 +338,36 @@
+@@ -307,6 +339,36 @@
  /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
  ')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.797
retrieving revision 1.798
diff -u -p -r1.797 -r1.798
--- selinux-policy.spec	3 Jun 2009 14:00:25 -0000	1.797
+++ selinux-policy.spec	11 Jun 2009 11:11:48 -0000	1.798
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 63%{?dist}
+Release: 64%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -462,6 +462,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Jun 11 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-64
+- Allow rpcd to send signals to automount
+
 * Wed Jun 3 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-63
 - Allow sendmail to transition to postfix_postqueue domain
 



