rpms/selinux-policy/devel modules-minimum.conf, 1.17, 1.18 modules-mls.conf, 1.51, 1.52 modules-targeted.conf, 1.119, 1.120 policy-20090105.patch, 1.56, 1.57

Daniel J Walsh dwalsh at fedoraproject.org
Mon Mar 9 21:17:54 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv17354

Modified Files:
	modules-minimum.conf modules-mls.conf modules-targeted.conf 
	policy-20090105.patch 
Log Message:
* Sat Mar 7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.8-2
- Add pulseaudio context



Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- modules-minimum.conf	9 Mar 2009 16:18:51 -0000	1.17
+++ modules-minimum.conf	9 Mar 2009 21:17:23 -0000	1.18
@@ -1273,6 +1273,13 @@
 # 
 ssh = base
 
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+# 
+sssd = module
+
 # Layer: kernel
 # Module: storage
 #


Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -r1.51 -r1.52
--- modules-mls.conf	9 Mar 2009 16:18:51 -0000	1.51
+++ modules-mls.conf	9 Mar 2009 21:17:23 -0000	1.52
@@ -1266,6 +1266,13 @@
 # 
 ssh = base
 
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+# 
+sssd = module
+
 # Layer: kernel
 # Module: storage
 #


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.119
retrieving revision 1.120
diff -u -r1.119 -r1.120
--- modules-targeted.conf	9 Mar 2009 16:18:51 -0000	1.119
+++ modules-targeted.conf	9 Mar 2009 21:17:23 -0000	1.120
@@ -1273,6 +1273,13 @@
 # 
 ssh = base
 
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+# 
+sssd = module
+
 # Layer: kernel
 # Module: storage
 #

policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- policy-20090105.patch	9 Mar 2009 16:18:51 -0000	1.56
+++ policy-20090105.patch	9 Mar 2009 21:17:23 -0000	1.57
@@ -3553,8 +3553,8 @@
 +/usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if	2009-03-08 08:48:02.000000000 -0400
-@@ -0,0 +1,85 @@
++++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if	2009-03-09 16:50:20.000000000 -0400
+@@ -0,0 +1,86 @@
 +
 +## <summary>policy for pulseaudio</summary>
 +
@@ -3631,19 +3631,20 @@
 +	ps_process_pattern($2, pulseaudio_t)
 +
 +	allow pulseaudio_t $2:process { signal signull };
++	allow $2 pulseaudio_t:process { signal signull };
 +	ps_process_pattern(pulseaudio_t, $2)
 +
 +	allow pulseaudio_t $2:unix_stream_socket connectto;
 +	allow $2 pulseaudio_t:unix_stream_socket connectto;
 +
-+	userdom_manage_home_role($1, $2)
-+	userdom_manage_tmp_role($1, $2)
-+	userdom_manage_tmpfs_role($1, $2)
++	userdom_manage_home_role($1, pulseaudio_t)
++	userdom_manage_tmp_role($1, pulseaudio_t)
++	userdom_manage_tmpfs_role($1, pulseaudio_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te	2009-03-08 08:48:02.000000000 -0400
-@@ -0,0 +1,82 @@
++++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te	2009-03-09 16:49:50.000000000 -0400
+@@ -0,0 +1,88 @@
 +policy_module(pulseaudio,1.0.0)
 +
 +########################################
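Review bot: The rewritten `userdom_manage_home_role($1, pulseaudio_t)`, `userdom_manage_tmp_role` and `userdom_manage_tmpfs_role` calls give pulseaudio_t create/write/delete over all of a user's home, tmp and tmpfs content rather than a pulseaudio-specific type, which is by far the broadest grant in this interface and carries no comment explaining why. A comment naming the paths the daemon actually needs (presumably its per-user state under the home directory — confirm) would let a later revision swap these for a dedicated home-content type, e.g. `# pulseaudio writes its per-user state into the home directory; no narrower userdom interface exists yet`. The added `allow $2 pulseaudio_t:process { signal signull };` likewise deserves a one-line note saying it pairs with the existing reverse rule so the user domain can stop its own server. The enclosing `pulseaudio_role` interface starts before this hunk.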
@@ -3687,10 +3688,13 @@
 +files_read_usr_files(pulseaudio_t)
 +
 +fs_rw_anon_inodefs_files(pulseaudio_t)
++fs_getattr_tmpfs(pulseaudio_t)
 +
 +term_use_all_user_ttys(pulseaudio_t)
 +term_use_all_user_ptys(pulseaudio_t)
 +
++auth_use_nsswitch(pulseaudio_t)
++
 +miscfiles_read_localization(pulseaudio_t)
 +
 +logging_send_syslog_msg(pulseaudio_t)
@@ -3718,6 +3722,8 @@
 +
 +optional_policy(`
 +	xserver_common_app(pulseaudio_t)
++	xserver_read_xdm_pid(pulseaudio_t)
++	xserver_stream_connect(pulseaudio_t)
 +')
 +
 +tunable_policy(`pulseaudio_network',`
@@ -3726,6 +3732,7 @@
 +#FALSE
 +')
 +
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.8/policy/modules/apps/qemu.fc
 --- nsaserefpolicy/policy/modules/apps/qemu.fc	2008-08-07 11:15:02.000000000 -0400
 +++ serefpolicy-3.6.8/policy/modules/apps/qemu.fc	2009-03-07 12:11:40.000000000 -0500
@@ -12684,7 +12691,7 @@
  /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.8/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2008-11-19 11:51:44.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/hal.if	2009-03-09 12:17:13.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/services/hal.if	2009-03-09 16:17:22.000000000 -0400
 @@ -20,6 +20,24 @@
  
  ########################################
@@ -12777,7 +12784,7 @@
 +#
 +interface(`hal_create_log',`
 +	gen_require(`
-+		type hald_logd_t;
++		type hald_log_t;
 +	')
 +
 +	# log files for hald
@@ -21256,6 +21263,328 @@
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.8/policy/modules/services/sssd.fc
+--- nsaserefpolicy/policy/modules/services/sssd.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/services/sssd.fc	2009-03-09 15:47:38.000000000 -0400
+@@ -0,0 +1,6 @@
++
++/usr/sbin/sssd	--	gen_context(system_u:object_r:sssd_exec_t,s0)
++
++/etc/rc.d/init.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
++/var/run/sssd.pid		--	gen_context(system_u:object_r:sssd_var_run_t,s0)
++/var/lib/sss(/.*)?			gen_context(system_u:object_r:sssd_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.8/policy/modules/services/sssd.if
+--- nsaserefpolicy/policy/modules/services/sssd.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/services/sssd.if	2009-03-09 15:49:56.000000000 -0400
+@@ -0,0 +1,249 @@
++
++## <summary>policy for sssd</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run sssd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`sssd_domtrans',`
++	gen_require(`
++		type sssd_t;
++                type sssd_exec_t;
++	')
++
++	domtrans_pattern($1,sssd_exec_t,sssd_t)
++')
++
++
++########################################
++## <summary>
++##	Execute sssd server in the sssd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`sssd_initrc_domtrans',`
++	gen_require(`
++		type sssd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1,sssd_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Read sssd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_read_pid_files',`
++	gen_require(`
++		type sssd_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 sssd_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Manage sssd var_run files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_manage_var_run',`
++	gen_require(`
++		type sssd_var_run_t;
++	')
++
++         manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t)
++         manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
++         manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
++')
++
++
++########################################
++## <summary>
++##	Search sssd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_search_lib',`
++	gen_require(`
++		type sssd_var_lib_t;
++	')
++
++	allow $1 sssd_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read sssd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_read_lib_files',`
++	gen_require(`
++		type sssd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	sssd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_manage_lib_files',`
++	gen_require(`
++		type sssd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        manage_files_pattern($1, sssd_var_lib_t,  sssd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage sssd var_lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_manage_var_lib',`
++	gen_require(`
++		type sssd_var_lib_t;
++	')
++
++         manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
++         manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
++         manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	sssd over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_dbus_chat',`
++	gen_require(`
++		type sssd_t;
++		class dbus send_msg;
++	')
++
++	allow $1 sssd_t:dbus send_msg;
++	allow sssd_t $1:dbus send_msg;
++')
++
++
++########################################
++## <summary>
++##	Connect to sssd over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_stream_connect',`
++	gen_require(`
++		type sssd_t, sssd_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 sssd_var_run_t:sock_file write;
++	allow $1 sssd_t:unix_stream_socket connectto;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an sssd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the sssd domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the user terminal.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`sssd_admin',`
++	gen_require(`
++		type sssd_t;
++	')
++
++	allow $1 sssd_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, sssd_t, sssd_t)
++	        
++
++	gen_require(`
++		type sssd_initrc_exec_t;
++	')
++
++	# Allow sssd_t to restart the apache service
++	sssd_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 sssd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	sssd_manage_var_run($1)
++
++	sssd_manage_var_lib($1)
++
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.8/policy/modules/services/sssd.te
+--- nsaserefpolicy/policy/modules/services/sssd.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/services/sssd.te	2009-03-09 15:47:36.000000000 -0400
+@@ -0,0 +1,55 @@
++policy_module(sssd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type sssd_t;
++type sssd_exec_t;
++init_daemon_domain(sssd_t, sssd_exec_t)
++
++permissive sssd_t;
++
++type sssd_initrc_exec_t;
++init_script_file(sssd_initrc_exec_t)
++
++type sssd_var_run_t;
++files_pid_file(sssd_var_run_t)
++
++type sssd_var_lib_t;
++files_type(sssd_var_lib_t)
++
++########################################
++#
++# sssd local policy
++#
++
++# Init script handling
++domain_use_interactive_fds(sssd_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow sssd_t self:fifo_file rw_file_perms;
++allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
++manage_dirs_pattern(sssd_t, sssd_var_run_t,  sssd_var_run_t)
++manage_files_pattern(sssd_t, sssd_var_run_t,  sssd_var_run_t)
++files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir })
++
++manage_dirs_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
++manage_files_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
++manage_sock_files_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
++files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
++
++corecmd_exec_bin(sssd_t)
++
++dev_read_urand(sssd_t)
++
++files_read_etc_files(sssd_t)
++
++miscfiles_read_localization(sssd_t)
++
++optional_policy(`
++	dbus_system_bus_client(sssd_t)
++	dbus_connect_system_bus(sssd_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.6.8/policy/modules/services/stunnel.fc
 --- nsaserefpolicy/policy/modules/services/stunnel.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.6.8/policy/modules/services/stunnel.fc	2009-03-07 12:11:40.000000000 -0500
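Review bot: `permissive sssd_t;` in the new sssd.te means denials for the sssd domain are only audited, never enforced, so this module labels sssd but does not yet confine it, and nothing in the file says that this is temporary; a comment such as `# permissive while the sssd policy is being completed; drop before the domain is relied on for confinement` next to the declaration would make the intent visible to whoever ships it. Separately, `sssd_stream_connect` in sssd.if grants `sssd_var_run_t:sock_file write`, but sssd.te only gives sssd_t `manage_sock_files_pattern` on sssd_var_lib_t and `files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir })` omits sock_file, so if the socket lives under /var/lib/sss (labelled sssd_var_lib_t in sssd.fc) callers of this interface — including the `sssd_stream_connect($1)` call added in the authlogin.if hunk further down — would still be denied; the socket's location needs confirming and the two sides aligned, and clients would also need `sssd_search_lib($1)` in that case. In `sssd_admin` the comment `# Allow sssd_t to restart the apache service` is a copy-paste leftover and should read `# Allow $1 to restart the sssd service`; the second `gen_require` there should be folded into the first so the interface has one requirement block. The interface bodies also mix tab and space indentation (sssd_domtrans, sssd_manage_var_run, sssd_read_lib_files, sssd_manage_lib_files, sssd_manage_var_lib), which the rest of the patch keeps as tabs.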
@@ -22706,7 +23035,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/xserver.te	2009-03-07 12:11:40.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/services/xserver.te	2009-03-09 16:07:15.000000000 -0400
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -23121,7 +23450,7 @@
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,6 +639,19 @@
+@@ -542,6 +639,23 @@
  ')
  
  optional_policy(`
@@ -23130,6 +23459,10 @@
 +	polkit_read_reload(xdm_t)
 +')
 +
++optional_policy(`
++	pulseaudio_role(system_r, xdm_t)
++')
++
 +# On crash gdm execs gdb to dump stack
 +optional_policy(`
 +	rpm_exec(xdm_t)
@@ -23141,7 +23474,7 @@
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +660,9 @@
+@@ -550,8 +664,9 @@
  ')
  
  optional_policy(`
@@ -23153,7 +23486,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +671,6 @@
+@@ -560,7 +675,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -23161,7 +23494,7 @@
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +681,10 @@
+@@ -571,6 +685,10 @@
  ')
  
  optional_policy(`
@@ -23172,7 +23505,7 @@
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,7 +701,7 @@
+@@ -587,7 +705,7 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23181,7 +23514,7 @@
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +716,11 @@
+@@ -602,9 +720,11 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23193,7 +23526,7 @@
  
  allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
  
-@@ -622,7 +738,7 @@
+@@ -622,7 +742,7 @@
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
@@ -23202,7 +23535,7 @@
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +751,19 @@
+@@ -635,9 +755,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23222,7 +23555,7 @@
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +806,14 @@
+@@ -680,9 +810,14 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -23237,7 +23570,7 @@
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +828,13 @@
+@@ -697,8 +832,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23251,7 +23584,7 @@
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -720,6 +856,7 @@
+@@ -720,6 +860,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -23259,7 +23592,7 @@
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -742,7 +879,7 @@
+@@ -742,7 +883,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -23268,7 +23601,7 @@
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -774,6 +911,10 @@
+@@ -774,6 +915,10 @@
  ')
  
  optional_policy(`
@@ -23279,7 +23612,7 @@
  	rhgb_getpgid(xserver_t)
  	rhgb_signal(xserver_t)
  ')
-@@ -806,7 +947,7 @@
+@@ -806,7 +951,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -23288,7 +23621,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +968,14 @@
+@@ -827,9 +972,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23303,7 +23636,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +990,14 @@
+@@ -844,11 +994,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -23319,7 +23652,7 @@
  ')
  
  optional_policy(`
-@@ -856,6 +1005,11 @@
+@@ -856,6 +1009,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -23331,7 +23664,7 @@
  ########################################
  #
  # Rules common to all X window domains
-@@ -881,6 +1035,8 @@
+@@ -881,6 +1039,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -23340,7 +23673,7 @@
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -905,6 +1061,8 @@
+@@ -905,6 +1065,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -23349,7 +23682,7 @@
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1130,51 @@
+@@ -972,17 +1134,51 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -23559,7 +23892,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/authlogin.if	2009-03-07 12:11:40.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/system/authlogin.if	2009-03-09 15:51:16.000000000 -0400
 @@ -43,20 +43,38 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
@@ -23607,7 +23940,7 @@
  
  	init_rw_utmp($1)
  
-@@ -100,9 +119,38 @@
+@@ -100,11 +119,40 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -23627,9 +23960,9 @@
 +		optional_policy(`
 +			oddjob_dbus_chat($1)
 +			oddjob_domtrans_mkhomedir($1)
-+		')
-+	')
-+
+ 	')
+ ')
+ 
 +	optional_policy(`
 +		corecmd_exec_bin($1)
 +		storage_getattr_fixed_disk_dev($1)
@@ -23638,16 +23971,18 @@
 +
 +	optional_policy(`
 +		nis_authenticate($1)
- 	')
++	')
 +
 +	optional_policy(`
 +		ssh_agent_exec($1)
 +		userdom_read_user_home_content_files($1)
 +	')
 +
- ')
- 
++')
++
  ########################################
+ ## <summary>
+ ##	Use the login program as an entry point program.
 @@ -197,8 +245,11 @@
  interface(`auth_domtrans_chk_passwd',`
  	gen_require(`
@@ -23780,15 +24115,21 @@
  		nis_use_ypbind($1)
  	')
  
-@@ -1307,6 +1413,7 @@
+@@ -1305,8 +1411,13 @@
+ 	')
+ 
  	optional_policy(`
++		sssd_stream_connect($1)
++	')
++
++	optional_policy(`
  		samba_stream_connect_winbind($1)
  		samba_read_var_files($1)
 +		samba_dontaudit_write_var_files($1)
  	')
  ')
  
-@@ -1341,3 +1448,99 @@
+@@ -1341,3 +1452,99 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -27942,7 +28283,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/userdomain.if	2009-03-07 12:36:20.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/system/userdomain.if	2009-03-09 16:06:34.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  



