rpms/selinux-policy/F-10 policy-20080710.patch,1.144,1.145

Miroslav Grepl mgrepl at fedoraproject.org
Wed Mar 11 10:11:06 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6121

Modified Files:
	policy-20080710.patch 
Log Message:
- Add gpsd policy


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.144
retrieving revision 1.145
diff -u -r1.144 -r1.145
--- policy-20080710.patch	6 Mar 2009 11:17:04 -0000	1.144
+++ policy-20080710.patch	11 Mar 2009 10:11:03 -0000	1.145
@@ -6850,7 +6850,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in	2009-03-10 13:22:11.000000000 +0100
 @@ -1,5 +1,5 @@
  
 -policy_module(corenetwork, 1.10.0)
@@ -6872,7 +6872,7 @@
  network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
-@@ -79,26 +82,33 @@
+@@ -79,26 +82,34 @@
  network_port(auth, tcp,113,s0)
  network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
  type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
@@ -6903,12 +6903,13 @@
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
  network_port(giftd, tcp,1213,s0)
  network_port(gopher, tcp,70,s0, udp,70,s0)
++network_port(gpsd,tcp,2947,s0)
  network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
 +portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
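Review bot: The added `network_port(gpsd,tcp,2947,s0)` line drops the space after the port name that every neighbouring entry uses (`network_port(gopher, tcp,70,s0, ...)`); write it as `network_port(gpsd, tcp,2947,s0)` so the corenetwork table stays uniform. The declaration itself is consumed by `corenet_tcp_bind_gpsd_port(gpsd_t)` in the gpsd.te hunk later in this commit, so the two belong together when reviewing.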
-@@ -109,6 +119,7 @@
+@@ -109,6 +120,7 @@
  network_port(ipp, tcp,631,s0, udp,631,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
  network_port(ircd, tcp,6667,s0)
@@ -6916,7 +6917,7 @@
  network_port(isakmp, udp,500,s0)
  network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
-@@ -117,6 +128,8 @@
+@@ -117,6 +129,8 @@
  network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
  network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
  network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@@ -6925,7 +6926,7 @@
  network_port(ktalkd, udp,517,s0, udp,518,s0)
  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-@@ -126,6 +139,7 @@
+@@ -126,6 +140,7 @@
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
@@ -6933,7 +6934,7 @@
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
  network_port(nessus, tcp,1241,s0)
-@@ -136,12 +150,21 @@
+@@ -136,12 +151,21 @@
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
@@ -6955,7 +6956,7 @@
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pxe, udp,4011,s0)
-@@ -159,9 +182,11 @@
+@@ -159,9 +183,11 @@
  network_port(rwho, udp,513,s0)
  network_port(smbd, tcp,137-139,s0, tcp,445,s0)
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -6968,7 +6969,7 @@
  network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -170,14 +195,17 @@
+@@ -170,14 +196,17 @@
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -10834,7 +10835,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.13/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/apache.fc	2009-02-27 09:31:08.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/apache.fc	2009-03-11 10:38:02.000000000 +0100
 @@ -1,16 +1,18 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -10899,7 +10900,7 @@
  /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -64,11 +76,23 @@
+@@ -64,11 +76,24 @@
  /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -10915,6 +10916,7 @@
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/svn(/.*)?  			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)  
 +
 +#Bugzilla file context
 +/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
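Review bot: The new `/var/www/svn(/.*)?` file-context line carries trailing whitespace and mixes spaces and tabs before `gen_context`, unlike the `/var/www/perl` entry above it; strip the trailing blanks and use the same tab-separated column. It also labels the whole tree `httpd_sys_content_rw_t`, which gives httpd and its scripts write access to the repository contents — presumably intended for repositories served and committed to through httpd, but a one-line comment such as `# svn repositories served through httpd need rw access` would keep a later reader from narrowing it to read-only content. This change is not reflected in the log message, which only mentions gpsd.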
@@ -17267,6 +17269,165 @@
 +	polkit_read_lib(gnomeclock_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.5.13/policy/modules/services/gpsd.fc
+--- nsaserefpolicy/policy/modules/services/gpsd.fc	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/gpsd.fc	2009-03-10 13:22:11.000000000 +0100
+@@ -0,0 +1,3 @@
++
++/usr/sbin/gpsd                 --      gen_context(system_u:object_r:gpsd_exec_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.5.13/policy/modules/services/gpsd.if
+--- nsaserefpolicy/policy/modules/services/gpsd.if	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/gpsd.if	2009-03-10 13:22:11.000000000 +0100
+@@ -0,0 +1,89 @@
++## <summary>gpsd monitor daemon</summary>
++
++########################################
++## <summary>
++##      Execute a domain transition to run gpsd.
++## </summary>
++## <param name="domain">
++## <summary>
++##      Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`gpsd_domtrans',`
++        gen_require(`
++                type gpsd_t, gpsd_exec_t;
++        ')
++
++        domtrans_pattern($1, gpsd_exec_t, gpsd_t)
++')
++
++########################################
++## <summary>
++##      Execute gpsd in the gpsd domain, and
++##      allow the specified role the gpsd domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access
++##      </summary>
++## </param>
++## <param name="role">
++##      <summary>
++##      The role to be allowed the gpsd domain.
++##      </summary>
++## </param>
++## <param name="terminal">
++##      <summary>
++##      The type of the role's terminal.
++##      </summary>
++## </param>
++#
++interface(`gpsd_run',`
++        gen_require(`
++                type gpsd_t;
++        ')
++
++        gpsd_domtrans($1)
++        role $2 types gpsd_t;
++        allow gpsd_t $3:chr_file rw_term_perms;
++')
++
++########################################
++## <summary>    
++##      Read and write to gpsd shared memory.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`gpsd_rw_shm',`
++        gen_require(`
++                type gpsd_t;
++        ')
++
++        allow $1 gpsd_t:shm rw_shm_perms;
++')
++
++########################################
++## <summary>
++##      Read/write gpsd tmpfs files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`gpsd_rw_tmpfs_files',`
++        gen_require(`
++                type gpsd_tmpfs_t;
++        ')
++
++        fs_search_tmpfs($1)
++        allow $1 gpsd_tmpfs_t:dir list_dir_perms;
++        rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
++        read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.5.13/policy/modules/services/gpsd.te
+--- nsaserefpolicy/policy/modules/services/gpsd.te	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/gpsd.te	2009-03-10 13:22:11.000000000 +0100
+@@ -0,0 +1,55 @@
++policy_module(gpsd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gpsd_t;
++type gpsd_exec_t;
++application_domain(gpsd_t, gpsd_exec_t)
++role system_r types gpsd_t;
++
++type gpsd_tmpfs_t;
++files_tmpfs_file(gpsd_tmpfs_t)
++
++########################################
++#
++# gpsd local policy
++#
++
++allow gpsd_t self:capability { setuid sys_nice setgid fowner };
++allow gpsd_t self:process setsched;
++allow gpsd_t self:shm create_shm_perms;
++allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow gpsd_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
++manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
++fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
++
++corenet_tcp_bind_all_nodes(gpsd_t)
++corenet_tcp_bind_gpsd_port(gpsd_t)
++
++term_use_unallocated_ttys(gpsd_t)
++term_setattr_unallocated_ttys(gpsd_t)
++
++auth_use_nsswitch(gpsd_t)
++
++libs_use_ld_so(gpsd_t)
++libs_use_shared_libs(gpsd_t)
++
++logging_send_syslog_msg(gpsd_t)
++
++miscfiles_read_localization(gpsd_t)
++
++optional_policy(`
++	ntpd_rw_shm(gpsd_t)
++	ntpd_rw_tmpfs_files(gpsd_t)
++')
++
++optional_policy(`
++        dbus_system_bus_client_template(gpsd, gpsd_t)
++')
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.13/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2008-10-17 14:49:11.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/services/hal.fc	2009-02-10 15:07:15.000000000 +0100
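Review bot: `gpsd_rw_tmpfs_files` in gpsd.if spells out `allow $1 gpsd_tmpfs_t:dir list_dir_perms;` while its twin `ntpd_rw_tmpfs_files`, added by the same commit in ntp.if, uses `list_dirs_pattern(...)`; use `list_dirs_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)` here too so the two interfaces read alike. The interface bodies and the `dbus_system_bus_client_template` block in gpsd.te are indented with eight spaces while the `ntpd_rw_shm(gpsd_t)` block in the same file uses a tab; pick tabs throughout the new files. gpsd.te grants only `corenet_tcp_bind_all_nodes`/`corenet_tcp_bind_gpsd_port` for the tcp/2947 listener — whether the usual sendrecv rules on the generic interface, node and gpsd port are also required for clients to connect is not visible here and should be confirmed against the audit log before shipping. `term_use_unallocated_ttys`/`term_setattr_unallocated_ttys` give gpsd_t read/write on every unallocated tty rather than the serial devices it actually reads; if that device set is known, a narrower type would limit what a compromised gpsd can reach. gpsd.fc also begins and ends with an empty line, which can be dropped.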
@@ -20036,8 +20197,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.5.13/policy/modules/services/ntp.if
 --- nsaserefpolicy/policy/modules/services/ntp.if	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/ntp.if	2009-02-10 15:07:15.000000000 +0100
-@@ -56,6 +56,24 @@
++++ serefpolicy-3.5.13/policy/modules/services/ntp.if	2009-03-10 13:22:20.000000000 +0100
+@@ -56,6 +56,63 @@
  
  ########################################
  ## <summary>
@@ -20057,6 +20218,45 @@
 +	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
 +')
 +
++#######################################
++## <summary>
++##      Read/write ntpdd tmpfs files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`ntpd_rw_tmpfs_files',`
++        gen_require(`
++                type ntpd_tmpfs_t;
++        ')
++
++        fs_search_tmpfs($1)
++        list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t)
++        rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
++        read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
++')
++
++########################################
++## <summary>    
++##      Read and write to ntpd shared memory.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`ntpd_rw_shm',`
++        gen_require(`
++                type ntpd_t;
++        ')
++
++        allow $1 ntpd_t:shm rw_shm_perms;
++')
++
 +########################################
 +## <summary>
  ##	All of the rules required to administrate 
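Review bot: The summary of `ntpd_rw_tmpfs_files` reads `Read/write ntpdd tmpfs files.` — `ntpdd` should be `ntpd`. The separator line above that interface appears one `#` shorter than the others in this file, and `list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t)` lacks the spaces after the commas that the two pattern calls below it use; write `list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)`. The `## <summary>` line of `ntpd_rw_shm` has trailing whitespace.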
@@ -20064,8 +20264,18 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.5.13/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/ntp.te	2009-02-10 15:07:15.000000000 +0100
-@@ -38,10 +38,11 @@
++++ serefpolicy-3.5.13/policy/modules/services/ntp.te	2009-03-10 13:22:25.000000000 +0100
+@@ -25,6 +25,9 @@
+ type ntpd_tmp_t;
+ files_tmp_file(ntpd_tmp_t)
+ 
++type ntpd_tmpfs_t;
++files_tmpfs_file(ntpd_tmpfs_t)
++
+ type ntpd_var_run_t;
+ files_pid_file(ntpd_var_run_t)
+ 
+@@ -38,10 +41,11 @@
  
  # sys_resource and setrlimit is for locking memory
  # ntpdate wants sys_nice
@@ -20078,7 +20288,7 @@
  allow ntpd_t self:unix_dgram_socket create_socket_perms;
  allow ntpd_t self:unix_stream_socket create_socket_perms;
  allow ntpd_t self:tcp_socket create_stream_socket_perms;
-@@ -52,6 +53,7 @@
+@@ -52,6 +56,7 @@
  can_exec(ntpd_t,ntpd_exec_t)
  
  read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
@@ -20086,7 +20296,18 @@
  
  allow ntpd_t ntpd_log_t:dir setattr;
  manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
-@@ -89,7 +91,10 @@
+@@ -62,6 +67,10 @@
+ manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
+ files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
+ 
++manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
++manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
++fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
++
+ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
+ files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+ 
+@@ -89,7 +98,10 @@
  dev_read_urand(ntpd_t)
  
  fs_getattr_all_fs(ntpd_t)
@@ -20097,6 +20318,18 @@
  
  term_use_ptmx(ntpd_t)
  
+@@ -126,6 +138,11 @@
+ ')
+ 
+ optional_policy(`
++	gpsd_rw_shm(ntpd_t)
++	gpsd_rw_tmpfs_files(ntpd_t)
++')
++
++optional_policy(`
+ 	firstboot_dontaudit_use_fds(ntpd_t)
+ 	firstboot_dontaudit_rw_pipes(ntpd_t)
+ 	firstboot_dontaudit_rw_stream_sockets(ntpd_t)
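Review bot: The new `optional_policy` block calling `gpsd_rw_shm`/`gpsd_rw_tmpfs_files` is inserted ahead of the `firstboot` block; as far as the visible neighbours show, these blocks are kept in alphabetical order, so it belongs after the `firstboot_*` block. A short comment naming the gpsd feature that the shared-memory and tmpfs sharing serves would help, since gpsd.te grants the reverse access to ntpd_t and a later reader may otherwise trim one side of the pairing. The firstboot block's closing `')` lies outside this hunk.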
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.5.13/policy/modules/services/oddjob.fc
 --- nsaserefpolicy/policy/modules/services/oddjob.fc	2008-10-17 14:49:11.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/services/oddjob.fc	2009-02-10 15:07:15.000000000 +0100
@@ -26187,8 +26420,16 @@
 +allow smbcontrol_t nmbd_var_run_t:file { read lock };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.5.13/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/sasl.te	2009-02-10 15:07:15.000000000 +0100
-@@ -111,6 +111,10 @@
++++ serefpolicy-3.5.13/policy/modules/services/sasl.te	2009-03-11 10:34:53.000000000 +0100
+@@ -103,6 +103,7 @@
+ 
+ optional_policy(`
+ 	kerberos_keytab_template(saslauthd, saslauthd_t)
++	kerberos_manage_host_rcache(saslauthd_t)
+ ')
+ 
+ optional_policy(`
+@@ -111,6 +112,10 @@
  ')
  
  optional_policy(`
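Review bot: The added `kerberos_manage_host_rcache(saslauthd_t)` is not mentioned in the log message (`- Add gpsd policy`) and its file timestamp differs from the gpsd files; it should be called out in the changelog as a separate fix. Manage rights on the host replay cache are broader than read/write — presumably needed because saslauthd validates Kerberos tickets and must update the rcache — so a one-line comment such as `# saslauthd updates the krb5 host rcache when validating tickets` next to the call would record the reason for the grant.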
@@ -35162,7 +35403,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te	2009-03-10 13:22:29.000000000 +0100
 @@ -6,35 +6,78 @@
  # Declarations
  #
@@ -35331,48 +35572,54 @@
  ')
  
  optional_policy(`
-@@ -123,31 +183,33 @@
+@@ -123,79 +183,91 @@
  ')
  
  optional_policy(`
 -	inn_domtrans(unconfined_t)
-+	iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++        gpsd_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
  ')
  
  optional_policy(`
 -	java_domtrans(unconfined_t)
-+	java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
++	java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
  ')
  
  optional_policy(`
 -	mono_domtrans(unconfined_t)
-+	lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	mta_per_role_template(unconfined, unconfined_t, unconfined_r)
-+	modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	oddjob_domtrans_mkhomedir(unconfined_t)
++	modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
+ 
+ optional_policy(`
+-	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	mono_per_role_template(unconfined, unconfined_t, unconfined_r)
 +	unconfined_domain(unconfined_mono_t)
 +	role system_r types unconfined_mono_t;
  ')
  
  optional_policy(`
-@@ -159,43 +221,49 @@
+-	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
@@ -35380,20 +35627,22 @@
 -	postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
--')
++	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
+ 
 -
+ optional_policy(`
+-	pyzor_per_role_template(unconfined)
+-')
 +	qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r)
  
 -optional_policy(`
--	pyzor_per_role_template(unconfined)
+-	qmail_per_role_template(unconfined, unconfined_t, unconfined_r)
 +	tunable_policy(`allow_unconfined_qemu_transition',`
 +		qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	',`
 +		qemu_runas_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- ')
--
--optional_policy(`
--	qmail_per_role_template(unconfined, unconfined_t, unconfined_r)
++')
 +	qemu_role(unconfined_r)
 +	qemu_unconfined_role(unconfined_r)
  ')
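Review bot: The inserted `gpsd_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })` is indented with spaces while every neighbouring call uses a tab; its terminal set also lists the two types in the reverse order of the surrounding entries (only `kismet_run` shares that order) — harmless for a set, but `{ unconfined_devpts_t unconfined_tty_device_t }` keeps the file uniform. This rewrite folds the two former inner hunks (`-@@ -123,31 +183,33 @@` and `-@@ -159,43 +221,49 @@`) into one `+@@ -123,79 +183,91 @@`, so the line counts are hard to check by eye; regenerating the patch from the tree rather than hand-editing it would be safer.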
@@ -35438,7 +35687,7 @@
  ')
  
  optional_policy(`
-@@ -203,7 +271,7 @@
+@@ -203,7 +275,7 @@
  ')
  
  optional_policy(`
@@ -35447,7 +35696,7 @@
  ')
  
  optional_policy(`
-@@ -215,11 +283,12 @@
+@@ -215,11 +287,12 @@
  ')
  
  optional_policy(`
@@ -35462,7 +35711,7 @@
  ')
  
  ########################################
-@@ -229,14 +298,61 @@
+@@ -229,14 +302,61 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -35487,7 +35736,7 @@
 +
 +optional_policy(`
 +	xserver_rw_xdm_xserver_shm(unconfined_execmem_t)
- ')
++')
 +
 +########################################
 +#
@@ -35506,7 +35755,7 @@
 +		type mplayer_exec_t;
 +	')
 +	domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
-+')
+ ')
 +
 +
 +optional_policy(`



