rpms/selinux-policy/F-10 policy-20080710.patch,1.142,1.143
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Mar 5 13:36:31 UTC 2009
- Previous message (by thread): rpms/cups/devel .cvsignore, 1.44, 1.45 cups-avahi.patch, 1.3, 1.4 cups-lspp.patch, 1.40, 1.41 cups-no-export-ssllibs.patch, 1.1, 1.2 cups-no-gzip-man.patch, 1.1, 1.2 cups-serverbin-compat.patch, 1.5, 1.6 cups.spec, 1.463, 1.464 sources, 1.47, 1.48 cups-local-protocols.patch, 1.1, NONE cups-str3059.patch, 1.1, NONE cups-str3077.patch, 1.1, NONE cups-str3078.patch, 1.1, NONE
- Next message (by thread): rpms/eclipse-systemtapgui/devel eclipse-systemtapgui.spec, 1.3, 1.4 import.log, 1.2, 1.3
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12476
Modified Files:
policy-20080710.patch
Log Message:
- Fix pcscd policy
- Allow alsa to read hardware state information
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.142
retrieving revision 1.143
diff -u -r1.142 -r1.143
--- policy-20080710.patch 26 Feb 2009 15:04:20 -0000 1.142
+++ policy-20080710.patch 5 Mar 2009 13:35:59 -0000 1.143
@@ -492,6 +492,17 @@
# No MLS restrictions: x_drawable { show hide override }
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.13/policy/modules/admin/alsa.te
+--- nsaserefpolicy/policy/modules/admin/alsa.te 2008-10-17 14:49:14.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/admin/alsa.te 2009-03-05 13:26:46.000000000 +0100
+@@ -43,6 +43,7 @@
+
+ dev_read_sound(alsa_t)
+ dev_write_sound(alsa_t)
++dev_read_sysfs(alsa_t)
+
+ corecmd_exec_bin(alsa_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.13/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/anaconda.te 2009-02-10 15:07:15.000000000 +0100
@@ -10816,7 +10827,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.13/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/apache.fc 2009-02-26 15:55:33.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/apache.fc 2009-02-27 09:31:08.000000000 +0100
@@ -1,16 +1,18 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -14198,7 +14209,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/cron.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/cron.te 2009-03-05 13:23:48.000000000 +0100
@@ -12,14 +12,6 @@
## <desc>
@@ -14284,11 +14295,12 @@
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
-@@ -142,13 +147,16 @@
+@@ -142,13 +147,17 @@
files_search_default(crond_t)
init_rw_utmp(crond_t)
-+init_spec_domtrans_script(crond_t)
++#init_spec_domtrans_script(crond_t)
++init_domtrans_script(system_crond_t)
auth_use_nsswitch(crond_t)
@@ -14301,7 +14313,7 @@
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -161,6 +169,7 @@
+@@ -161,6 +170,7 @@
userdom_list_all_users_home_dirs(crond_t)
mta_send_mail(crond_t)
@@ -14309,7 +14321,7 @@
ifdef(`distro_debian',`
# pam_limits is used
-@@ -180,21 +189,45 @@
+@@ -180,21 +190,45 @@
')
')
@@ -14356,7 +14368,7 @@
')
optional_policy(`
-@@ -236,6 +269,9 @@
+@@ -236,6 +270,9 @@
allow system_crond_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_crond_t, cron_var_lib_t, file)
@@ -14366,7 +14378,7 @@
allow system_crond_t system_cron_spool_t:file read_file_perms;
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
-@@ -267,9 +303,13 @@
+@@ -267,9 +304,13 @@
filetrans_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t, { file lnk_file })
files_tmp_filetrans(system_crond_t, system_crond_tmp_t, file)
@@ -14381,7 +14393,7 @@
kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t)
-@@ -323,7 +363,8 @@
+@@ -323,7 +364,8 @@
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -14391,7 +14403,7 @@
auth_use_nsswitch(system_crond_t)
-@@ -333,6 +374,7 @@
+@@ -333,6 +375,7 @@
libs_exec_ld_so(system_crond_t)
logging_read_generic_logs(system_crond_t)
@@ -14399,7 +14411,7 @@
logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
-@@ -348,18 +390,6 @@
+@@ -348,18 +391,6 @@
')
')
@@ -14418,7 +14430,7 @@
optional_policy(`
# Needed for certwatch
apache_exec_modules(system_crond_t)
-@@ -383,11 +413,20 @@
+@@ -383,11 +414,20 @@
')
optional_policy(`
@@ -14439,7 +14451,7 @@
')
optional_policy(`
-@@ -415,8 +454,7 @@
+@@ -415,8 +455,7 @@
')
optional_policy(`
@@ -14449,7 +14461,7 @@
')
optional_policy(`
-@@ -424,15 +462,12 @@
+@@ -424,15 +463,12 @@
')
optional_policy(`
@@ -16809,7 +16821,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.13/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/ftp.te 2009-02-18 14:36:11.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/ftp.te 2009-03-05 13:32:40.000000000 +0100
@@ -26,7 +26,7 @@
## <desc>
## <p>
@@ -16854,7 +16866,7 @@
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
-@@ -226,8 +236,15 @@
+@@ -226,8 +236,16 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -16865,12 +16877,13 @@
+ auth_read_all_symlinks_except_shadow(ftpd_t)
')
-+unprivuser_home_dir_filetrans_home_content(ftpd_t, { file dir lnk_file })
++# Needed for permissive mode, to make sure everything gets labeled correctly
++userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
+
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
fs_manage_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
-@@ -238,6 +255,11 @@
+@@ -238,6 +256,11 @@
fs_read_cifs_symlinks(ftpd_t)
')
@@ -16882,7 +16895,7 @@
optional_policy(`
tunable_policy(`ftp_home_dir',`
apache_search_sys_content(ftpd_t)
-@@ -245,6 +267,18 @@
+@@ -245,6 +268,18 @@
')
optional_policy(`
@@ -16901,7 +16914,7 @@
corecmd_exec_shell(ftpd_t)
files_read_usr_files(ftpd_t)
-@@ -261,7 +295,9 @@
+@@ -261,7 +296,9 @@
')
optional_policy(`
@@ -16912,7 +16925,7 @@
')
optional_policy(`
-@@ -273,6 +309,14 @@
+@@ -273,6 +310,14 @@
')
optional_policy(`
@@ -20351,9 +20364,18 @@
+optional_policy(`
+ prelude_manage_spool(pads_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.5.13/policy/modules/services/pcscd.fc
+--- nsaserefpolicy/policy/modules/services/pcscd.fc 2008-10-17 14:49:11.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/pcscd.fc 2009-03-05 13:06:23.000000000 +0100
+@@ -1,4 +1,5 @@
+ /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
++/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.13/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/pcscd.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/pcscd.te 2009-03-05 13:00:11.000000000 +0100
@@ -10,6 +10,7 @@
type pcscd_exec_t;
domain_type(pcscd_t)
@@ -20362,7 +20384,19 @@
# pid files
type pcscd_var_run_t;
-@@ -60,6 +61,14 @@
+@@ -27,9 +28,10 @@
+ allow pcscd_t self:unix_dgram_socket create_socket_perms;
+ allow pcscd_t self:tcp_socket create_stream_socket_perms;
+
++manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+-files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file })
++files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file dir sock_file })
+
+ corenet_all_recvfrom_unlabeled(pcscd_t)
+ corenet_all_recvfrom_netlabel(pcscd_t)
+@@ -60,6 +62,14 @@
sysnet_dns_name_resolve(pcscd_t)
optional_policy(`
@@ -22097,7 +22131,7 @@
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.13/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2009-03-05 13:42:04.000000000 +0100
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -22106,7 +22140,15 @@
can_exec(postfix_$1_t, postfix_$1_exec_t)
-@@ -211,9 +212,8 @@
+@@ -78,6 +79,7 @@
+ files_read_etc_runtime_files(postfix_$1_t)
+ files_read_usr_symlinks(postfix_$1_t)
+ files_search_spool(postfix_$1_t)
++ files_search_all_mountpoints(postfix_$1_t)
+ files_getattr_tmp_dirs(postfix_$1_t)
+
+ init_dontaudit_use_fds(postfix_$1_t)
+@@ -211,9 +213,8 @@
type postfix_etc_t;
')
@@ -22118,7 +22160,7 @@
files_search_etc($1)
')
-@@ -267,6 +267,25 @@
+@@ -267,6 +268,25 @@
dontaudit $1 postfix_local_t:tcp_socket { read write };
')
@@ -22144,7 +22186,7 @@
########################################
## <summary>
## Allow domain to read postfix local process state
-@@ -421,7 +440,7 @@
+@@ -421,7 +441,7 @@
## </summary>
## </param>
#
@@ -22153,7 +22195,7 @@
gen_require(`
type postfix_private_t;
')
-@@ -432,6 +451,25 @@
+@@ -432,6 +452,25 @@
########################################
## <summary>
@@ -22179,7 +22221,7 @@
## Execute the master postfix program in the
## postfix_master domain.
## </summary>
-@@ -461,10 +499,10 @@
+@@ -461,10 +500,10 @@
#
interface(`postfix_search_spool',`
gen_require(`
@@ -22192,7 +22234,7 @@
files_search_spool($1)
')
-@@ -480,15 +518,34 @@
+@@ -480,15 +519,34 @@
#
interface(`postfix_list_spool',`
gen_require(`
@@ -22229,7 +22271,7 @@
## Read postfix mail spool files.
## </summary>
## <param name="domain">
-@@ -499,11 +556,30 @@
+@@ -499,11 +557,30 @@
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -22262,7 +22304,7 @@
')
########################################
-@@ -524,3 +600,23 @@
+@@ -524,3 +601,23 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -23023,7 +23065,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.13/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2009-03-05 13:10:12.000000000 +0100
@@ -37,8 +37,8 @@
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)
@@ -23044,7 +23086,15 @@
kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
kernel_rw_net_sysctls(pppd_t)
-@@ -197,6 +199,8 @@
+@@ -161,6 +163,7 @@
+
+ init_read_utmp(pppd_t)
+ init_dontaudit_write_utmp(pppd_t)
++init_signal_script(pppd_t)
+
+ auth_use_nsswitch(pppd_t)
+
+@@ -197,6 +200,8 @@
optional_policy(`
mta_send_mail(pppd_t)
@@ -23053,7 +23103,7 @@
')
optional_policy(`
-@@ -220,7 +224,7 @@
+@@ -220,7 +225,7 @@
# PPTP Local policy
#
@@ -23062,7 +23112,7 @@
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
-@@ -228,14 +232,16 @@
+@@ -228,14 +233,16 @@
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:tcp_socket create_socket_perms;
@@ -23081,7 +23131,7 @@
can_exec(pptp_t, pppd_etc_rw_t)
# Allow pptp to append to pppd log files
-@@ -251,9 +257,13 @@
+@@ -251,9 +258,13 @@
kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_proc_symlinks(pptp_t)
@@ -23095,7 +23145,7 @@
corenet_all_recvfrom_unlabeled(pptp_t)
corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_all_if(pptp_t)
-@@ -269,12 +279,16 @@
+@@ -269,12 +280,16 @@
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
@@ -23112,7 +23162,7 @@
libs_use_ld_so(pptp_t)
libs_use_shared_libs(pptp_t)
-@@ -282,7 +296,7 @@
+@@ -282,7 +297,7 @@
miscfiles_read_localization(pptp_t)
@@ -23121,7 +23171,7 @@
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-@@ -293,11 +307,15 @@
+@@ -293,11 +308,15 @@
')
optional_policy(`
@@ -23139,7 +23189,7 @@
')
optional_policy(`
-@@ -311,6 +329,3 @@
+@@ -311,6 +330,3 @@
optional_policy(`
postfix_read_config(pppd_t)
')
@@ -32215,7 +32265,7 @@
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2009-02-19 09:45:25.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2009-03-05 13:40:41.000000000 +0100
@@ -60,12 +60,15 @@
#
# /opt
@@ -32361,7 +32411,7 @@
') dnl end distro_redhat
#
-@@ -307,6 +333,28 @@
+@@ -307,6 +333,33 @@
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
')
@@ -32390,6 +32440,11 @@
+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/Komodo/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/system/libraries.te 2009-02-10 15:07:15.000000000 +0100
@@ -35403,7 +35458,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-02-18 10:13:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-03-05 13:30:03.000000000 +0100
@@ -28,10 +28,14 @@
class context contains;
')
@@ -36796,7 +36851,7 @@
')
########################################
-@@ -1993,11 +1994,47 @@
+@@ -1993,11 +1994,72 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -36812,6 +36867,31 @@
+
+########################################
+## <summary>
++## Create objects in a user home directory
++## with an automatic type transition to
++## the user home file type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++#
++interface(`userdom_user_home_dir_filetrans_pattern',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ ')
++
++ type_transition $1 user_home_dir_t:$2 user_home_t;
++')
++
++########################################
++## <summary>
+## dontaudit attemps to Create files
+## in a user home subdirectory.
+## </summary>
@@ -36846,7 +36926,7 @@
')
########################################
-@@ -2029,10 +2066,10 @@
+@@ -2029,10 +2091,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -36859,7 +36939,7 @@
')
########################################
-@@ -2062,11 +2099,11 @@
+@@ -2062,11 +2124,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -36873,7 +36953,7 @@
')
########################################
-@@ -2096,11 +2133,11 @@
+@@ -2096,11 +2158,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -36888,7 +36968,7 @@
')
########################################
-@@ -2130,10 +2167,14 @@
+@@ -2130,10 +2192,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -36905,7 +36985,7 @@
')
########################################
-@@ -2163,11 +2204,11 @@
+@@ -2163,11 +2229,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -36919,7 +36999,7 @@
')
########################################
-@@ -2197,11 +2238,11 @@
+@@ -2197,11 +2263,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -36933,7 +37013,7 @@
')
########################################
-@@ -2231,10 +2272,37 @@
+@@ -2231,10 +2297,37 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -36973,7 +37053,7 @@
')
########################################
-@@ -2266,12 +2334,12 @@
+@@ -2266,12 +2359,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -36989,7 +37069,7 @@
')
########################################
-@@ -2303,10 +2371,10 @@
+@@ -2303,10 +2396,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -37002,7 +37082,7 @@
')
########################################
-@@ -2338,12 +2406,12 @@
+@@ -2338,12 +2431,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -37018,7 +37098,7 @@
')
########################################
-@@ -2375,12 +2443,12 @@
+@@ -2375,12 +2468,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -37034,7 +37114,7 @@
')
########################################
-@@ -2412,12 +2480,12 @@
+@@ -2412,12 +2505,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -37050,7 +37130,7 @@
')
########################################
-@@ -2462,11 +2530,11 @@
+@@ -2462,11 +2555,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -37064,7 +37144,7 @@
')
########################################
-@@ -2511,11 +2579,11 @@
+@@ -2511,11 +2604,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -37078,7 +37158,7 @@
')
########################################
-@@ -2555,11 +2623,11 @@
+@@ -2555,11 +2648,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -37092,7 +37172,7 @@
')
########################################
-@@ -2589,11 +2657,11 @@
+@@ -2589,11 +2682,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -37106,7 +37186,7 @@
')
########################################
-@@ -2623,11 +2691,11 @@
+@@ -2623,11 +2716,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -37120,7 +37200,7 @@
')
########################################
-@@ -2659,10 +2727,10 @@
+@@ -2659,10 +2752,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -37133,7 +37213,7 @@
')
########################################
-@@ -2694,10 +2762,10 @@
+@@ -2694,10 +2787,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -37146,7 +37226,7 @@
')
########################################
-@@ -2727,12 +2795,12 @@
+@@ -2727,12 +2820,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -37162,7 +37242,7 @@
')
########################################
-@@ -2764,10 +2832,10 @@
+@@ -2764,10 +2857,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -37175,7 +37255,7 @@
')
########################################
-@@ -2799,10 +2867,10 @@
+@@ -2799,10 +2892,10 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -37188,7 +37268,7 @@
')
########################################
-@@ -2832,12 +2900,12 @@
+@@ -2832,12 +2925,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -37204,7 +37284,7 @@
')
########################################
-@@ -2869,10 +2937,10 @@
+@@ -2869,10 +2962,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -37217,7 +37297,7 @@
')
########################################
-@@ -2904,12 +2972,12 @@
+@@ -2904,12 +2997,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -37233,7 +37313,7 @@
')
########################################
-@@ -2941,11 +3009,11 @@
+@@ -2941,11 +3034,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -37247,7 +37327,7 @@
')
########################################
-@@ -2977,11 +3045,11 @@
+@@ -2977,11 +3070,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -37261,7 +37341,7 @@
')
########################################
-@@ -3013,11 +3081,11 @@
+@@ -3013,11 +3106,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -37275,7 +37355,7 @@
')
########################################
-@@ -3049,11 +3117,11 @@
+@@ -3049,11 +3142,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -37289,7 +37369,7 @@
')
########################################
-@@ -3085,11 +3153,11 @@
+@@ -3085,11 +3178,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -37303,7 +37383,7 @@
')
########################################
-@@ -3134,10 +3202,10 @@
+@@ -3134,10 +3227,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -37316,7 +37396,7 @@
files_search_tmp($2)
')
-@@ -3178,19 +3246,19 @@
+@@ -3178,19 +3271,19 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -37340,7 +37420,7 @@
## </p>
## <p>
## This is a templated interface, and should only
-@@ -3211,13 +3279,13 @@
+@@ -3211,13 +3304,13 @@
#
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
@@ -37358,7 +37438,7 @@
')
########################################
-@@ -4616,11 +4684,11 @@
+@@ -4616,11 +4709,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -37372,7 +37452,7 @@
')
########################################
-@@ -4640,6 +4708,14 @@
+@@ -4640,6 +4733,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -37387,7 +37467,7 @@
')
########################################
-@@ -4677,6 +4753,8 @@
+@@ -4677,6 +4778,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -37396,7 +37476,7 @@
')
########################################
-@@ -4721,6 +4799,25 @@
+@@ -4721,6 +4824,25 @@
########################################
## <summary>
@@ -37422,7 +37502,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4946,7 +5043,7 @@
+@@ -4946,7 +5068,7 @@
########################################
## <summary>
@@ -37431,7 +37511,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5318,7 +5415,7 @@
+@@ -5318,7 +5440,7 @@
########################################
## <summary>
@@ -37440,7 +37520,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5326,18 +5423,17 @@
+@@ -5326,18 +5448,17 @@
## </summary>
## </param>
#
@@ -37463,7 +37543,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5345,17 +5441,17 @@
+@@ -5345,17 +5466,54 @@
## </summary>
## </param>
#
@@ -37482,49 +37562,25 @@
## <summary>
-## Read the process state of all user domains.
+## Read and write unprivileged user ttys.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5363,18 +5459,18 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_read_all_users_state',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`userdom_use_unpriv_users_ttys',`
- gen_require(`
-- attribute userdomain;
-+ attribute user_ttynode;
- ')
-
-- read_files_pattern($1,userdomain,userdomain)
-- kernel_search_proc($1)
-+ allow $1 user_ttynode:chr_file rw_term_perms;
- ')
-
- ########################################
- ## <summary>
--## Get the attributes of all user domains.
-+## Do not audit attempts to use unprivileged
-+## user ttys.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5382,7 +5478,44 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_getattr_all_users',`
-+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
+ gen_require(`
+ attribute user_ttynode;
+ ')
+
-+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
++ allow $1 user_ttynode:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
-+## Read the process state of all user domains.
++## Do not audit attempts to use unprivileged
++## user ttys.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -37532,30 +37588,30 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_use_unpriv_users_ttys',`
+ gen_require(`
-+ attribute userdomain;
++ attribute user_ttynode;
+ ')
+
-+ ps_process_pattern($1, userdomain)
-+ kernel_search_proc($1)
++ dontaudit $1 user_ttynode:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
-+## Get the attributes of all user domains.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_getattr_all_users',`
- gen_require(`
++## Read the process state of all user domains.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5368,7 +5526,7 @@
attribute userdomain;
')
-@@ -5447,6 +5580,24 @@
+
+- read_files_pattern($1,userdomain,userdomain)
++ ps_process_pattern($1, userdomain)
+ kernel_search_proc($1)
+ ')
+
+@@ -5447,6 +5605,24 @@
########################################
## <summary>
@@ -37580,7 +37636,7 @@
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -5483,6 +5634,42 @@
+@@ -5483,6 +5659,42 @@
########################################
## <summary>
@@ -37623,7 +37679,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5513,3 +5700,622 @@
+@@ -5513,3 +5725,622 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
- Previous message (by thread): rpms/cups/devel .cvsignore, 1.44, 1.45 cups-avahi.patch, 1.3, 1.4 cups-lspp.patch, 1.40, 1.41 cups-no-export-ssllibs.patch, 1.1, 1.2 cups-no-gzip-man.patch, 1.1, 1.2 cups-serverbin-compat.patch, 1.5, 1.6 cups.spec, 1.463, 1.464 sources, 1.47, 1.48 cups-local-protocols.patch, 1.1, NONE cups-str3059.patch, 1.1, NONE cups-str3077.patch, 1.1, NONE cups-str3078.patch, 1.1, NONE
- Next message (by thread): rpms/eclipse-systemtapgui/devel eclipse-systemtapgui.spec, 1.3, 1.4 import.log, 1.2, 1.3
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list