rpms/selinux-policy/devel policy-F12.patch, 1.6, 1.7 selinux-policy.spec, 1.860, 1.861

Daniel J Walsh dwalsh at fedoraproject.org
Thu Jun 11 21:26:43 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2392

Modified Files:
	policy-F12.patch selinux-policy.spec 
Log Message:
* Thu Jun 11 2009 Dan Walsh <dwalsh at redhat.com> 3.6.14-3
- Allow NetworkManager to read inotifyfs


policy-F12.patch:

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -p -r1.6 -r1.7
--- policy-F12.patch	10 Jun 2009 17:50:55 -0000	1.6
+++ policy-F12.patch	11 Jun 2009 21:26:42 -0000	1.7
@@ -5325,7 +5325,7 @@ diff -b -B --ignore-all-space --exclude-
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.14/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-06-08 15:22:17.000000000 -0400
-+++ serefpolicy-3.6.14/policy/modules/kernel/devices.if	2009-06-08 21:43:15.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/kernel/devices.if	2009-06-11 08:31:29.000000000 -0400
 @@ -1655,6 +1655,78 @@
  
  ########################################
@@ -5780,7 +5780,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.14/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.14/policy/modules/kernel/files.if	2009-06-08 21:43:15.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/kernel/files.if	2009-06-11 11:53:08.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5855,10 +5855,15 @@ diff -b -B --ignore-all-space --exclude-
  ##	Mount a filesystem on a directory with the default file type.
  ## </summary>
  ## <param name="domain">
-@@ -1915,6 +1957,26 @@
- 
- ########################################
- ## <summary>
+@@ -1911,6 +1953,27 @@
+ 	allow $1 etc_t:dir list_dir_perms;
+ 	read_files_pattern($1, etc_t, etc_t)
+ 	read_lnk_files_pattern($1, etc_t, etc_t)
++	files_read_etc_runtime_files($1)
++')
++
++########################################
++## <summary>
 +##	Read config files in /etc.
 +## </summary>
 +## <param name="domain">
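Review bot: The added `files_read_etc_runtime_files($1)` after `read_lnk_files_pattern($1, etc_t, etc_t)` widens the interface it sits in so that every existing caller also gains read access to whatever files_read_etc_runtime_files covers, which is a policy-wide grant rather than a fix for one domain; the enclosing `interface(` line is outside the hunk, so its name can only be inferred (the etc_t context suggests it is the generic /etc reader). If the denial that motivated this came from a handful of domains, the least-privilege fix is to add the call in those .te files instead. If the broad grant is intended, a why-comment next to the call is warranted, e.g. `# runtime config (etc_runtime_t) is needed by nearly every etc_t reader`, so the next maintainer does not treat it as an accident.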
@@ -5875,14 +5880,10 @@ diff -b -B --ignore-all-space --exclude-
 +	allow $1 etcfile:dir list_dir_perms;
 +	read_files_pattern($1, etcfile, etcfile)
 +	read_lnk_files_pattern($1, etcfile, etcfile)
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to write generic files in /etc.
- ## </summary>
- ## <param name="domain">
-@@ -2250,6 +2312,49 @@
+ ')
+ 
+ ########################################
+@@ -2250,6 +2313,49 @@
  
  ########################################
  ## <summary>
@@ -5932,7 +5933,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -2820,6 +2925,7 @@
+@@ -2820,6 +2926,7 @@
  	')
  
  	allow $1 modules_object_t:dir search_dir_perms;
@@ -5940,7 +5941,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3390,6 +3496,24 @@
+@@ -3390,6 +3497,24 @@
  
  ########################################
  ## <summary>
@@ -5965,7 +5966,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read all tmp files.
  ## </summary>
  ## <param name="domain">
-@@ -3456,6 +3580,8 @@
+@@ -3456,6 +3581,8 @@
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -5974,7 +5975,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3546,7 +3672,7 @@
+@@ -3546,7 +3673,7 @@
  		type usr_t;
  	')
  
@@ -5983,7 +5984,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3564,7 +3690,12 @@
+@@ -3564,7 +3691,12 @@
  		type usr_t;
  	')
  
@@ -5997,7 +5998,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -4413,6 +4544,28 @@
+@@ -4413,6 +4545,28 @@
  
  ########################################
  ## <summary>
@@ -6026,7 +6027,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Create an object in the locks directory, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -4532,7 +4685,8 @@
+@@ -4532,7 +4686,8 @@
  		type var_t, var_run_t;
  	')
  
@@ -6036,7 +6037,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -4873,7 +5027,7 @@
+@@ -4873,7 +5028,7 @@
  	selinux_compute_member($1)
  
  	# Need sys_admin capability for mounting
@@ -6045,7 +6046,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Need to give access to the directories to be polyinstantiated
  	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -4895,12 +5049,15 @@
+@@ -4895,12 +5050,15 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -6062,7 +6063,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -4921,3 +5078,173 @@
+@@ -4921,3 +5079,173 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -6611,7 +6612,7 @@ diff -b -B --ignore-all-space --exclude-
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.14/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.14/policy/modules/kernel/terminal.if	2009-06-08 21:43:15.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/kernel/terminal.if	2009-06-11 10:02:52.000000000 -0400
 @@ -173,7 +173,7 @@
  
  	dev_list_all_dev_nodes($1)
@@ -6657,6 +6658,32 @@ diff -b -B --ignore-all-space --exclude-
  ##	ioctl of generic pty devices.
  ## </summary>
  ## <param name="domain">
+@@ -552,6 +571,25 @@
+ 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ ')
+ 
++#######################################
++## <summary>
++##      Set the attributes of the tty device
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`term_setattr_controlling_term',`
++       gen_require(`
++               type devtty_t;
++       ')
++
++	dev_list_all_dev_nodes($1)
++	allow $1 devtty_t:chr_file setattr;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write the controlling
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.14/policy/modules/roles/guest.te
 --- nsaserefpolicy/policy/modules/roles/guest.te	2009-04-06 12:42:08.000000000 -0400
 +++ serefpolicy-3.6.14/policy/modules/roles/guest.te	2009-06-08 21:43:15.000000000 -0400
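Review bot: The new `term_setattr_controlling_term` interface is formatted unlike its neighbours: its banner is 39 `#` characters where the surrounding ones (the line before `## Read and write the controlling`) use 40, and the summary/param lines and the `gen_require` block are indented with spaces while the rest of the file uses tabs. The summary should also say what `setattr` on a chr_file means here, since it covers chown/chmod/utimes on /dev/tty (labelled devtty_t in the terminal.fc context above) and not just terminal settings: `##	Set the attributes (owner, mode, timestamps) of the controlling terminal, /dev/tty.` A `term_dontaudit_setattr_controlling_term` sibling may be the better fit for callers that merely probe the device, so the allow variant is not the only option offered.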
@@ -10170,7 +10197,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.14/policy/modules/services/avahi.te
 --- nsaserefpolicy/policy/modules/services/avahi.te	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.14/policy/modules/services/avahi.te	2009-06-08 21:43:15.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/services/avahi.te	2009-06-11 08:36:56.000000000 -0400
 @@ -33,6 +33,7 @@
  allow avahi_t self:tcp_socket create_stream_socket_perms;
  allow avahi_t self:udp_socket create_socket_perms;
@@ -12318,7 +12345,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.14/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.14/policy/modules/services/dbus.te	2009-06-08 21:43:15.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/services/dbus.te	2009-06-11 11:10:09.000000000 -0400
 @@ -9,14 +9,15 @@
  #
  # Delcarations
@@ -12382,15 +12409,18 @@ diff -b -B --ignore-all-space --exclude-
  allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
  read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
  read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-@@ -75,6 +92,7 @@
+@@ -73,8 +90,10 @@
+ dev_read_urand(system_dbusd_t)
+ dev_read_sysfs(system_dbusd_t)
  
++fs_list_inotifyfs(system_dbusd_t)
  fs_getattr_all_fs(system_dbusd_t)
  fs_search_auto_mountpoints(system_dbusd_t)
 +fs_dontaudit_list_nfs(system_dbusd_t)
  
  selinux_get_fs_mount(system_dbusd_t)
  selinux_validate_context(system_dbusd_t)
-@@ -91,9 +109,9 @@
+@@ -91,9 +110,9 @@
  corecmd_list_bin(system_dbusd_t)
  corecmd_read_bin_pipes(system_dbusd_t)
  corecmd_read_bin_sockets(system_dbusd_t)
@@ -12401,7 +12431,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_files(system_dbusd_t)
  files_list_home(system_dbusd_t)
-@@ -101,6 +119,8 @@
+@@ -101,6 +120,8 @@
  
  init_use_fds(system_dbusd_t)
  init_use_script_ptys(system_dbusd_t)
@@ -12410,7 +12440,7 @@ diff -b -B --ignore-all-space --exclude-
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -128,9 +148,38 @@
+@@ -128,9 +149,38 @@
  ')
  
  optional_policy(`
@@ -12706,8 +12736,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.14/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.14/policy/modules/services/devicekit.te	2009-06-08 21:43:15.000000000 -0400
-@@ -0,0 +1,233 @@
++++ serefpolicy-3.6.14/policy/modules/services/devicekit.te	2009-06-11 08:32:14.000000000 -0400
+@@ -0,0 +1,234 @@
 +policy_module(devicekit,1.0.0)
 +
 +########################################
@@ -12785,6 +12815,7 @@ diff -b -B --ignore-all-space --exclude-
 +kernel_rw_kernel_sysctl(devicekit_power_t)
 +kernel_write_proc_files(devicekit_power_t)
 +
++dev_read_input(devicekit_power_t)
 +dev_rw_generic_usb_dev(devicekit_power_t)
 +dev_rw_netcontrol(devicekit_power_t)
 +dev_rw_sysfs(devicekit_power_t)
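Review bot: `dev_read_input(devicekit_power_t)` gives the power daemon read access to input device nodes; if that interface covers the generic /dev/input event nodes, the daemon can observe raw key and button events, which is broader than the lid/power-button state it presumably needs. The line carries no rationale, so the trigger should be recorded next to it, e.g. `# devkit-power reads /dev/input event nodes for lid/power-button state`, and if a more specific device type exists for those nodes the narrower interface should be preferred.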
@@ -13511,8 +13542,8 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.14/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.14/policy/modules/services/fprintd.te	2009-06-08 21:43:15.000000000 -0400
-@@ -0,0 +1,52 @@
++++ serefpolicy-3.6.14/policy/modules/services/fprintd.te	2009-06-11 09:53:33.000000000 -0400
+@@ -0,0 +1,54 @@
 +policy_module(fprintd,1.0.0)
 +
 +########################################
@@ -13544,6 +13575,8 @@ diff -b -B --ignore-all-space --exclude-
 +files_read_etc_files(fprintd_t)
 +files_read_usr_files(fprintd_t)
 +
++fs_list_inotifyfs(fprintd_t)
++
 +kernel_read_system_state(fprintd_t)
 +
 +auth_use_nsswitch(fprintd_t)
@@ -14373,7 +14406,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.14/policy/modules/services/kerneloops.te
 --- nsaserefpolicy/policy/modules/services/kerneloops.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.14/policy/modules/services/kerneloops.te	2009-06-08 21:43:15.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/services/kerneloops.te	2009-06-11 09:54:27.000000000 -0400
 @@ -13,6 +13,9 @@
  type kerneloops_initrc_exec_t;
  init_script_file(kerneloops_initrc_exec_t)
@@ -14395,10 +14428,12 @@ diff -b -B --ignore-all-space --exclude-
  
  kernel_read_ring_buffer(kerneloops_t)
  
-@@ -38,14 +43,13 @@
+@@ -38,14 +43,15 @@
  
  files_read_etc_files(kerneloops_t)
  
++fs_list_inotifyfs(kerneloops_t)
++
 +auth_use_nsswitch(kerneloops_t)
 +
  logging_send_syslog_msg(kerneloops_t)
@@ -15516,7 +15551,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.14/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.14/policy/modules/services/networkmanager.te	2009-06-08 21:43:15.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/services/networkmanager.te	2009-06-11 08:40:45.000000000 -0400
 @@ -19,6 +19,9 @@
  type NetworkManager_tmp_t;
  files_tmp_file(NetworkManager_tmp_t)
@@ -15561,7 +15596,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,10 +88,14 @@
+@@ -81,13 +88,18 @@
  corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
  corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
  corenet_sendrecv_all_client_packets(NetworkManager_t)
@@ -15576,7 +15611,11 @@ diff -b -B --ignore-all-space --exclude-
  
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
-@@ -98,15 +109,19 @@
++fs_list_inotifyfs(NetworkManager_t)
+ 
+ mls_file_read_all_levels(NetworkManager_t)
+ 
+@@ -98,15 +110,19 @@
  
  domain_use_interactive_fds(NetworkManager_t)
  domain_read_confined_domains_state(NetworkManager_t)
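Review bot: `fs_list_inotifyfs(NetworkManager_t)` is the only change the log message names ("Allow NetworkManager to read inotifyfs"), but the same interface is added in this commit to system_dbusd_t, fprintd_t, kerneloops_t, setroubleshootd_t, xdm_t and initrc_t as well, and the interface name says list, not read. The spec changelog entry should reflect that, e.g. `- Allow NetworkManager, dbus, fprintd, kerneloops, setroubleshoot, xdm and initrc to list inotifyfs`, so the policy-wide scope is visible in the package history rather than hidden behind one domain's name.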
@@ -15597,7 +15636,7 @@ diff -b -B --ignore-all-space --exclude-
  logging_send_syslog_msg(NetworkManager_t)
  
  miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +131,40 @@
+@@ -116,25 +132,40 @@
  
  seutil_read_config(NetworkManager_t)
  
@@ -15645,7 +15684,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -146,8 +176,25 @@
+@@ -146,8 +177,25 @@
  ')
  
  optional_policy(`
@@ -15673,7 +15712,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -155,23 +202,50 @@
+@@ -155,23 +203,50 @@
  ')
  
  optional_policy(`
@@ -15726,7 +15765,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -179,12 +253,15 @@
+@@ -179,12 +254,15 @@
  ')
  
  optional_policy(`
@@ -20645,7 +20684,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te	2009-06-10 11:22:43.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te	2009-06-11 08:41:02.000000000 -0400
 @@ -11,6 +11,9 @@
  domain_type(setroubleshootd_t)
  init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -20680,7 +20719,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
-@@ -68,16 +76,23 @@
+@@ -68,16 +76,24 @@
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
@@ -20702,10 +20741,11 @@ diff -b -B --ignore-all-space --exclude-
 +fs_read_fusefs_symlinks(setroubleshootd_t)
 +fs_dontaudit_read_nfs_files(setroubleshootd_t)
 +fs_dontaudit_read_cifs_files(setroubleshootd_t)
++fs_list_inotifyfs(setroubleshootd_t)
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
-@@ -94,22 +109,28 @@
+@@ -94,22 +110,28 @@
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
  
@@ -22436,8 +22476,17 @@ diff -b -B --ignore-all-space --exclude-
  ##	Allow the specified domain to append to ulogd's log files.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.14/policy/modules/services/uucp.te
 --- nsaserefpolicy/policy/modules/services/uucp.te	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.14/policy/modules/services/uucp.te	2009-06-08 21:43:15.000000000 -0400
-@@ -129,6 +129,7 @@
++++ serefpolicy-3.6.14/policy/modules/services/uucp.te	2009-06-11 09:57:39.000000000 -0400
+@@ -95,6 +95,8 @@
+ files_search_home(uucpd_t)
+ files_search_spool(uucpd_t)
+ 
++term_setattr_controlling_term(uucpd_t)
++
+ auth_use_nsswitch(uucpd_t)
+ 
+ logging_send_syslog_msg(uucpd_t)
+@@ -129,6 +131,7 @@
  optional_policy(`
  	mta_send_mail(uux_t)
  	mta_read_queue(uux_t)
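Review bot: `term_setattr_controlling_term(uucpd_t)` grants uucpd setattr on the devtty_t chr_file, i.e. chown/chmod/utimes on /dev/tty, whereas a dial-in daemon normally needs to read and write its terminal rather than change its attributes. If this was added to silence an AVC from a chmod/chown that uucpd issues but does not depend on, a dontaudit is the least-privilege answer; if the setattr is genuinely required, a comment stating the operation belongs on the line, e.g. `# uucpd changes owner/mode of its controlling tty for the session`. The interface itself is introduced by this same patch (terminal.if hunk above), so there are no other callers to compare against.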
@@ -24065,7 +24114,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.14/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.14/policy/modules/services/xserver.te	2009-06-08 21:43:15.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/services/xserver.te	2009-06-11 09:54:56.000000000 -0400
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -24268,7 +24317,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -329,22 +362,37 @@
+@@ -329,22 +362,39 @@
  manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -24281,7 +24330,9 @@ diff -b -B --ignore-all-space --exclude-
  manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 -fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
++
 +fs_getattr_all_fs(xdm_t)
++fs_list_inotifyfs(xdm_t)
 +fs_read_noxattr_fs_files(xdm_t)
 +
 +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
@@ -24309,7 +24360,7 @@ diff -b -B --ignore-all-space --exclude-
  
  allow xdm_t xserver_t:process signal;
  allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +406,7 @@
+@@ -358,6 +408,7 @@
  allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xserver_t:shm rw_shm_perms;
@@ -24317,7 +24368,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)
-@@ -366,10 +415,14 @@
+@@ -366,10 +417,14 @@
  delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
  delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
  
@@ -24333,7 +24384,7 @@ diff -b -B --ignore-all-space --exclude-
  
  kernel_read_system_state(xdm_t)
  kernel_read_kernel_sysctls(xdm_t)
-@@ -389,11 +442,13 @@
+@@ -389,11 +444,13 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -24347,7 +24398,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +456,7 @@
+@@ -401,6 +458,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -24355,7 +24406,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -413,14 +469,17 @@
+@@ -413,14 +471,17 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -24375,7 +24426,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -431,9 +490,13 @@
+@@ -431,9 +492,13 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -24389,7 +24440,7 @@ diff -b -B --ignore-all-space --exclude-
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +505,7 @@
+@@ -442,6 +507,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -24397,7 +24448,7 @@ diff -b -B --ignore-all-space --exclude-
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +514,7 @@
+@@ -450,6 +516,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -24405,7 +24456,7 @@ diff -b -B --ignore-all-space --exclude-
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -460,10 +525,10 @@
+@@ -460,10 +527,10 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -24418,7 +24469,7 @@ diff -b -B --ignore-all-space --exclude-
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +537,9 @@
+@@ -472,6 +539,9 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -24428,7 +24479,7 @@ diff -b -B --ignore-all-space --exclude-
  
  xserver_rw_session(xdm_t,xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -504,10 +572,12 @@
+@@ -504,10 +574,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -24441,7 +24492,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -515,12 +585,45 @@
+@@ -515,12 +587,45 @@
  ')
  
  optional_policy(`
@@ -24487,7 +24538,7 @@ diff -b -B --ignore-all-space --exclude-
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,6 +645,23 @@
+@@ -542,6 +647,23 @@
  ')
  
  optional_policy(`
@@ -24511,7 +24562,7 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +670,9 @@
+@@ -550,8 +672,9 @@
  ')
  
  optional_policy(`
@@ -24523,7 +24574,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +681,6 @@
+@@ -560,7 +683,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -24531,7 +24582,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +691,10 @@
+@@ -571,6 +693,10 @@
  ')
  
  optional_policy(`
@@ -24542,7 +24593,7 @@ diff -b -B --ignore-all-space --exclude-
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,7 +711,7 @@
+@@ -587,7 +713,7 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -24551,7 +24602,7 @@ diff -b -B --ignore-all-space --exclude-
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +726,11 @@
+@@ -602,9 +728,11 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -24563,7 +24614,7 @@ diff -b -B --ignore-all-space --exclude-
  
  allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
  
-@@ -616,13 +742,14 @@
+@@ -616,13 +744,14 @@
  type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
  
  allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -24579,7 +24630,7 @@ diff -b -B --ignore-all-space --exclude-
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +762,19 @@
+@@ -635,9 +764,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -24599,7 +24650,7 @@ diff -b -B --ignore-all-space --exclude-
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +817,14 @@
+@@ -680,9 +819,14 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -24614,7 +24665,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +839,12 @@
+@@ -697,8 +841,12 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -24627,7 +24678,7 @@ diff -b -B --ignore-all-space --exclude-
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -720,6 +866,7 @@
+@@ -720,6 +868,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -24635,7 +24686,7 @@ diff -b -B --ignore-all-space --exclude-
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -742,7 +889,7 @@
+@@ -742,7 +891,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -24644,7 +24695,7 @@ diff -b -B --ignore-all-space --exclude-
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -774,12 +921,16 @@
+@@ -774,12 +923,16 @@
  ')
  
  optional_policy(`
@@ -24662,7 +24713,7 @@ diff -b -B --ignore-all-space --exclude-
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -806,7 +957,7 @@
+@@ -806,7 +959,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -24671,7 +24722,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +978,14 @@
+@@ -827,9 +980,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -24686,7 +24737,7 @@ diff -b -B --ignore-all-space --exclude-
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +1000,14 @@
+@@ -844,11 +1002,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -24702,7 +24753,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -856,6 +1015,11 @@
+@@ -856,6 +1017,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -24714,7 +24765,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Rules common to all X window domains
-@@ -881,6 +1045,8 @@
+@@ -881,6 +1047,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -24723,7 +24774,7 @@ diff -b -B --ignore-all-space --exclude-
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -905,6 +1071,8 @@
+@@ -905,6 +1073,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -24732,7 +24783,7 @@ diff -b -B --ignore-all-space --exclude-
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1140,49 @@
+@@ -972,17 +1142,49 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -25621,7 +25672,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.14/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.14/policy/modules/system/init.te	2009-06-08 21:43:15.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/system/init.te	2009-06-11 09:54:00.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -25749,7 +25800,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -270,16 +305,20 @@
+@@ -270,17 +305,22 @@
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
@@ -25769,9 +25820,11 @@ diff -b -B --ignore-all-space --exclude-
 +dev_getattr_all_blk_files(initrc_t)
 +dev_getattr_all_chr_files(initrc_t)
  
++fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -328,7 +367,7 @@
+ fs_write_ramfs_pipes(initrc_t)
+@@ -328,7 +368,7 @@
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -25780,7 +25833,7 @@ diff -b -B --ignore-all-space --exclude-
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -343,14 +382,14 @@
+@@ -343,14 +383,14 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -25797,7 +25850,7 @@ diff -b -B --ignore-all-space --exclude-
  files_exec_etc_files(initrc_t)
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
-@@ -366,7 +405,9 @@
+@@ -366,7 +406,9 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
@@ -25807,7 +25860,7 @@ diff -b -B --ignore-all-space --exclude-
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -451,7 +492,7 @@
+@@ -451,7 +493,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -25816,7 +25869,7 @@ diff -b -B --ignore-all-space --exclude-
  	files_dontaudit_read_root_files(initrc_t)
  
  	selinux_set_enforce_mode(initrc_t)
-@@ -465,6 +506,7 @@
+@@ -465,6 +507,7 @@
  	storage_raw_read_fixed_disk(initrc_t)
  	storage_raw_write_fixed_disk(initrc_t)
  
@@ -25824,7 +25877,7 @@ diff -b -B --ignore-all-space --exclude-
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
  	# wants to read /.fonts directory
-@@ -498,6 +540,7 @@
+@@ -498,6 +541,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
@@ -25832,7 +25885,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	optional_policy(`
-@@ -516,6 +559,33 @@
+@@ -516,6 +560,33 @@
  	')
  ')
  
@@ -25866,7 +25919,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +640,10 @@
+@@ -570,6 +641,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -25877,7 +25930,7 @@ diff -b -B --ignore-all-space --exclude-
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -591,6 +665,10 @@
+@@ -591,6 +666,10 @@
  ')
  
  optional_policy(`
@@ -25888,7 +25941,7 @@ diff -b -B --ignore-all-space --exclude-
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -647,20 +725,20 @@
+@@ -647,20 +726,20 @@
  ')
  
  optional_policy(`
@@ -25915,7 +25968,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -719,8 +797,6 @@
+@@ -719,8 +798,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -25924,7 +25977,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -733,10 +809,12 @@
+@@ -733,10 +810,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -25937,7 +25990,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +832,11 @@
+@@ -754,6 +833,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -25949,7 +26002,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -765,6 +848,13 @@
+@@ -765,6 +849,13 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -25963,7 +26016,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -790,3 +880,35 @@
+@@ -790,3 +881,35 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -26167,7 +26220,7 @@ diff -b -B --ignore-all-space --exclude-
 +miscfiles_read_localization(iscsid_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.14/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-06-08 15:22:18.000000000 -0400
-+++ serefpolicy-3.6.14/policy/modules/system/libraries.fc	2009-06-08 21:43:15.000000000 -0400
++++ serefpolicy-3.6.14/policy/modules/system/libraries.fc	2009-06-11 11:46:19.000000000 -0400
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -26327,7 +26380,7 @@ diff -b -B --ignore-all-space --exclude-
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
  ')
-@@ -311,3 +339,37 @@
+@@ -311,3 +339,39 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -26365,6 +26418,8 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/lib/libcncpmslld328\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib(64)?/midori/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.14/policy/modules/system/libraries.if
 --- nsaserefpolicy/policy/modules/system/libraries.if	2008-11-11 16:13:48.000000000 -0500
 +++ serefpolicy-3.6.14/policy/modules/system/libraries.if	2009-06-08 21:43:15.000000000 -0400
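Review bot: The new `/usr/lib(64)?/midori/.*\.so(\.[^/]*)*` entry labels every shared object under the midori directory textrel_shlib_t, which exempts all of them from the execmod restriction (text relocations / writable-then-executable mappings) in every process that maps them, so it relaxes W^X beyond the one object that actually carries text relocations. It should be narrowed to the specific object(s) that need it, matched by name as the `libcncpmslld328` entry a few lines up is, with a comment naming the offending library; if the whole directory genuinely needs it, a comment should say so. The pattern mirrors the ICAClient line just above, so consistency is not the concern; scope is.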


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.860
retrieving revision 1.861
diff -u -p -r1.860 -r1.861
--- selinux-policy.spec	10 Jun 2009 17:50:55 -0000	1.860
+++ selinux-policy.spec	11 Jun 2009 21:26:42 -0000	1.861
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.14
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Jun 11 2009 Dan Walsh <dwalsh at redhat.com> 3.6.14-3
+- Allow NetworkManager to read inotifyfs
+
 * Wed Jun 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.14-2
 - Allow setroubleshoot to run mlocate
 



