rpms/selinux-policy/F-10 modules-minimum.conf, 1.10, 1.11 modules-mls.conf, 1.42, 1.43 modules-targeted.conf, 1.115, 1.116 policy-20080710.patch, 1.149, 1.150 selinux-policy.spec, 1.781, 1.782

Miroslav Grepl mgrepl at fedoraproject.org
Mon Mar 23 12:37:02 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8227

Modified Files:
	modules-minimum.conf modules-mls.conf modules-targeted.conf 
	policy-20080710.patch selinux-policy.spec 
Log Message:
- Add LIRC policy
- Xenner fixes




Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/modules-minimum.conf,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- modules-minimum.conf	20 Mar 2009 09:32:47 -0000	1.10
+++ modules-minimum.conf	23 Mar 2009 12:36:29 -0000	1.11
@@ -700,6 +700,13 @@
 # 
 lpd = module
 
+# Layer: services
+# Module: lircd
+#
+# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.  
+# 
+lircd = module
+
 # Layer: system
 # Module: lvm
 #


Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/modules-mls.conf,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- modules-mls.conf	20 Mar 2009 09:32:47 -0000	1.42
+++ modules-mls.conf	23 Mar 2009 12:36:29 -0000	1.43
@@ -566,6 +566,14 @@
 lpd = module
 
 # Layer: services
+# Module: lircd
+#
+# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.  
+# 
+lircd = module
+
+
+# Layer: services
 # Module: cyrus
 #
 # Cyrus is an IMAP service intended to be run on sealed servers


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/modules-targeted.conf,v
retrieving revision 1.115
retrieving revision 1.116
diff -u -r1.115 -r1.116
--- modules-targeted.conf	20 Mar 2009 09:32:47 -0000	1.115
+++ modules-targeted.conf	23 Mar 2009 12:36:29 -0000	1.116
@@ -713,6 +713,13 @@
 # 
 lpd = module
 
+# Layer: services
+# Module: lircd
+#
+# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.  
+# 
+lircd = module
+ 
 # Layer: system
 # Module: lvm
 #

policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.149
retrieving revision 1.150
diff -u -r1.149 -r1.150
--- policy-20080710.patch	20 Mar 2009 09:32:47 -0000	1.149
+++ policy-20080710.patch	23 Mar 2009 12:36:29 -0000	1.150
@@ -18066,6 +18066,180 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.5.13/policy/modules/services/lircd.fc
+--- nsaserefpolicy/policy/modules/services/lircd.fc	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/lircd.fc	2009-03-23 11:39:14.000000000 +0100
+@@ -0,0 +1,9 @@
++
++/dev/lircd             			-s      	gen_context(system_u:object_r:lircd_sock_t,s0)
++
++/etc/rc\.d/init\.d/lirc                 --              gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
++/etc/lircd\.conf			--		gen_context(system_u:object_r:lircd_etc_t,s0)
++
++/usr/sbin/lircd				--		gen_context(system_u:object_r:lircd_exec_t,s0)
++
++/var/run/lircd\.pid					gen_context(system_u:object_r:lircd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.5.13/policy/modules/services/lircd.if
+--- nsaserefpolicy/policy/modules/services/lircd.if	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/lircd.if	2009-03-22 16:10:11.000000000 +0100
+@@ -0,0 +1,100 @@
++## <summary>Lirc daemon</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run lircd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`lircd_domtrans',`
++	gen_require(`
++		type lircd_t, lircd_exec_t;
++	')
++
++	domain_auto_trans($1,lircd_exec_t,lircd_t)
++
++')
++
++#######################################
++## <summary>
++##      Read lircd etc file
++## </summary>
++## <param name="domain">
++## <summary>
++##      The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`lircd_read_etc',`
++	gen_require(`
++		type lircd_etc_t;
++        ')
++
++	read_files_pattern($1, lircd_etc_t, lircd_etc_t)
++')
++
++######################################
++## <summary>
++##      Connect to lircd over a unix domain
++##      stream socket.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`lircd_stream_connect',`
++        gen_require(`
++                type lircd_var_run_t, lircd_t;
++        ')
++
++        allow $1 lircd_t:unix_stream_socket connectto;
++        allow $1 lircd_sock_t:sock_file { getattr write };
++        files_search_pids($1)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an lircd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the syslog domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`lircd_admin',`
++	gen_require(`
++		type lircd_t, lircd_var_run_t, lircd_sock_t;
++		type lircd_initrc_exec_t, lircd_etc_t;
++	')
++
++	allow $1 lircd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, lircd_t)
++
++	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 lircd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_etc($1)
++	admin_pattern($1, lircd_etc_t)
++
++	files_search_pids($1)
++	admin_pattern($1, lircd_var_run_t)
++
++	admin_pattern($1, lircd_sock_t)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.5.13/policy/modules/services/lircd.te
+--- nsaserefpolicy/policy/modules/services/lircd.te	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/lircd.te	2009-03-22 16:10:02.000000000 +0100
+@@ -0,0 +1,53 @@
++policy_module(lircd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type lircd_t;
++type lircd_exec_t;
++init_daemon_domain(lircd_t, lircd_exec_t)
++
++type lircd_initrc_exec_t;
++init_script_file(lircd_initrc_exec_t)
++
++# pid files
++type lircd_var_run_t;
++files_pid_file(lircd_var_run_t)
++
++# etc file
++type lircd_etc_t;
++files_config_file(lircd_etc_t)
++
++# type for lircd /dev/ sock file
++type lircd_sock_t;
++files_type(lircd_sock_t)
++
++########################################
++#
++# lircd local policy
++#
++
++allow lircd_t self:process signal;
++allow lircd_t self:unix_dgram_socket create_socket_perms;
++
++# etc file
++read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
++
++# pid file
++manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
++manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
++files_pid_filetrans(lircd_t,lircd_var_run_t, { dir file })
++
++# /dev/lircd socket
++manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
++dev_filetrans(lircd_t, lircd_sock_t, sock_file )
++
++logging_send_syslog_msg(lircd_t)
++
++libs_use_ld_so(lircd_t)
++libs_use_shared_libs(lircd_t)
++miscfiles_read_localization(lircd_t)
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.13/policy/modules/services/lpd.fc
 --- nsaserefpolicy/policy/modules/services/lpd.fc	2008-10-17 14:49:11.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/services/lpd.fc	2009-02-10 15:07:15.000000000 +0100
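Review bot: `lircd_stream_connect` in lircd.if uses `lircd_sock_t` in its second allow rule, but its `gen_require` block lists `lircd_var_run_t` and `lircd_t`, so it references a type it never requires and requires one it never uses. The require line should read `type lircd_sock_t, lircd_t;`. Because lircd.fc places the socket at /dev/lircd, `files_search_pids($1)` probably does not give callers the directory search they need; `dev_list_all_dev_nodes($1)` looks closer, to be confirmed against the denials. Separately, the `role` parameter description in `lircd_admin` still says "syslog domain" and should name lircd.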
@@ -19299,7 +19473,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.13/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/mysql.te	2009-03-20 09:39:54.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/mysql.te	2009-03-23 10:41:48.000000000 +0100
 @@ -10,6 +10,10 @@
  type mysqld_exec_t;
  init_daemon_domain(mysqld_t, mysqld_exec_t)
@@ -19345,7 +19519,7 @@
  
  domain_use_interactive_fds(mysqld_t)
  
-@@ -120,3 +129,39 @@
+@@ -120,3 +129,42 @@
  optional_policy(`
  	udev_read_db(mysqld_t)
  ')
@@ -19360,6 +19534,9 @@
 +allow mysqld_safe_t self:capability { dac_override fowner chown };
 +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 + 
++allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
++logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
++
 +mysql_append_db_files(mysqld_safe_t)        
 +mysql_read_config(mysqld_safe_t)
 +mysql_search_pid_files(mysqld_safe_t)
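Review bot: `manage_file_perms` on `mysqld_log_t` lets mysqld_safe_t unlink, rename and overwrite the MySQL logs, which is more than a wrapper that only creates and appends to a log needs, and the domain already holds `dac_override` and `fowner`. If create-and-append is enough, the rule could be narrowed to `allow mysqld_safe_t mysqld_log_t:file { create append_file_perms };`. That is an assumption about what mysqld_safe does with the file and should be checked against the denials that prompted the change. The mysqld_safe_t policy block starts and ends outside this hunk.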
@@ -32883,7 +33060,7 @@
  allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc	2009-03-18 14:31:14.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc	2009-03-23 10:46:25.000000000 +0100
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -33039,7 +33216,7 @@
  ') dnl end distro_redhat
  
  #
-@@ -307,6 +336,33 @@
+@@ -307,6 +336,36 @@
  /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
  ')
  
@@ -33065,7 +33242,10 @@
 +/usr/lib(64)?/sse2/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/i686/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
++# google-earth
++/usr/lib(64)?/google-earth/.*\.so.*	--     gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google-earth/.*\.so.*		--     gen_context(system_u:object_r:textrel_shlib_t,s0)
++
 +
 +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
@@ -33758,8 +33938,8 @@
  #################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.5.13/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/mount.fc	2009-02-10 15:07:15.000000000 +0100
-@@ -1,4 +1,6 @@
++++ serefpolicy-3.5.13/policy/modules/system/mount.fc	2009-03-23 11:00:41.000000000 +0100
+@@ -1,4 +1,10 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 -
@@ -33767,6 +33947,10 @@
 +/sbin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/bin/fusermount            --      gen_context(system_u:object_r:mount_exec_t,s0)
  /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
++
++/var/cache/davfs2(/.*)?         gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/davfs2(/.*)?           gen_context(system_u:object_r:mount_var_run_t,s0)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.5.13/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2008-10-17 14:49:13.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/system/mount.if	2009-02-10 15:07:15.000000000 +0100
@@ -33804,8 +33988,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/mount.te	2009-02-10 15:07:15.000000000 +0100
-@@ -18,17 +18,18 @@
++++ serefpolicy-3.5.13/policy/modules/system/mount.te	2009-03-23 11:00:12.000000000 +0100
+@@ -18,17 +18,21 @@
  init_system_domain(mount_t,mount_exec_t)
  role system_r types mount_t;
  
@@ -33824,23 +34008,31 @@
  type unconfined_mount_t;
  application_domain(unconfined_mount_t,mount_exec_t)
 +role system_r types unconfined_mount_t;
++
++type mount_var_run_t;
++files_pid_file(mount_var_run_t)
  
  ########################################
  #
-@@ -36,7 +37,8 @@
+@@ -36,7 +40,8 @@
  #
  
  # setuid/setgid needed to mount cifs 
 -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
-+allow mount_t self:process ptrace;
++allow mount_t self:process { ptrace signal };
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -47,12 +49,18 @@
+@@ -47,12 +52,24 @@
  
  files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
  
++manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++files_pid_filetrans(mount_t,mount_var_run_t,dir)
++files_var_filetrans(mount_t,mount_var_run_t,dir)
++
 +# In order to mount reiserfs_t
 +kernel_list_unlabeled(mount_t)
  kernel_read_system_state(mount_t)
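Review bot: `files_var_filetrans(mount_t,mount_var_run_t,dir)` types every directory mount_t creates in a generic /var directory as `mount_var_run_t`, not only the davfs2 cache directory that the mount.fc change labels with it. The type is declared with `files_pid_file` only, so cache content under /var/cache/davfs2 ends up carrying a pid-file type. A separate type for the cache directory would keep the two apart; whether that is worth it depends on what davfs2 stores there. At minimum the rules deserve a comment such as `# davfs2: cache in /var/cache/davfs2, pid files in /var/run/davfs2`, since nothing in mount.te says why mount_t needs a /var transition.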
@@ -33853,10 +34045,11 @@
  dev_getattr_all_blk_files(mount_t)
  dev_list_all_dev_nodes(mount_t)
 +dev_read_usbfs(mount_t)
++dev_read_rand(mount_t)
  dev_rw_lvm_control(mount_t)
  dev_dontaudit_getattr_all_chr_files(mount_t)
  dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +70,19 @@
+@@ -62,16 +79,19 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -33879,7 +34072,7 @@
  
  term_use_all_terms(mount_t)
  
-@@ -79,6 +90,7 @@
+@@ -79,6 +99,7 @@
  corecmd_exec_bin(mount_t)
  
  domain_use_interactive_fds(mount_t)
@@ -33887,7 +34080,7 @@
  
  files_search_all(mount_t)
  files_read_etc_files(mount_t)
-@@ -87,7 +99,7 @@
+@@ -87,7 +108,7 @@
  files_mounton_all_mountpoints(mount_t)
  files_unmount_rootfs(mount_t)
  # These rules need to be generalized.  Only admin, initrc should have it:
@@ -33896,7 +34089,7 @@
  files_mount_all_file_type_fs(mount_t)
  files_unmount_all_file_type_fs(mount_t)
  # for when /etc/mtab loses its type
-@@ -100,6 +112,8 @@
+@@ -100,6 +121,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -33905,7 +34098,7 @@
  
  auth_use_nsswitch(mount_t)
  
-@@ -119,6 +133,8 @@
+@@ -119,6 +142,8 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -33914,7 +34107,7 @@
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -136,7 +152,7 @@
+@@ -136,7 +161,7 @@
  
  tunable_policy(`allow_mount_anyfile',`
  	auth_read_all_dirs_except_shadow(mount_t)
@@ -33923,7 +34116,7 @@
  	files_mounton_non_security(mount_t)
  ')
  
-@@ -167,6 +183,8 @@
+@@ -167,6 +192,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -33932,7 +34125,7 @@
  ')
  
  optional_policy(`
-@@ -174,6 +192,14 @@
+@@ -174,6 +201,14 @@
  ')
  
  optional_policy(`
@@ -33947,7 +34140,7 @@
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -181,6 +207,11 @@
+@@ -181,6 +216,11 @@
  	')
  ')
  
@@ -33959,7 +34152,7 @@
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -188,6 +219,7 @@
+@@ -188,6 +228,7 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -33967,13 +34160,13 @@
  ')
  
  ########################################
-@@ -198,4 +230,26 @@
+@@ -198,4 +239,26 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
 +	optional_policy(`
 +		hal_dbus_chat(unconfined_mount_t)
- ')
++')
 +')
 +
 +########################################
@@ -33992,7 +34185,7 @@
 +	hal_write_log(mount_t)
 +	hal_use_fds(mount_t)
 +	hal_rw_pipes(mount_t)
-+')
+ ')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.13/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2008-10-17 14:49:13.000000000 +0200
@@ -39115,7 +39308,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.13/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/xen.if	2009-03-19 18:01:20.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/xen.if	2009-03-22 15:59:01.000000000 +0100
 @@ -155,7 +155,7 @@
  	stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t)
  ')
@@ -39141,7 +39334,7 @@
  ')
  
  ########################################
-@@ -191,3 +194,25 @@
+@@ -191,3 +194,46 @@
  
  	domtrans_pattern($1,xm_exec_t,xm_t)
  ')
@@ -39167,9 +39360,30 @@
 +	rw_files_pattern($1, xen_image_t, xen_image_t)
 +')
 +
++#######################################
++## <summary>
++##      Connect to evtchnd over a unix domain
++##      stream socket.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`evtchnd_stream_connect',`
++        gen_require(`
++                type evtchnd_var_run_t, evtchnd_t;
++        ')
++
++        allow $1 evtchnd_t:unix_stream_socket connectto;
++        allow $1 evtchnd_var_run_t:sock_file { getattr write };
++        files_search_pids($1)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/xen.te	2009-03-19 18:04:54.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/xen.te	2009-03-22 15:55:30.000000000 +0100
 @@ -6,6 +6,13 @@
  # Declarations
  #
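Review bot: The new interface in xen.if is named `evtchnd_stream_connect`, while the neighbouring interface called from xen.te is `xen_stream_connect_xenstore`. A module-prefixed name such as `xen_stream_connect_evtchnd` would keep the file consistent, and the call `evtchnd_stream_connect(xenstored_t)` in xen.te would change with it. The body could also reuse the helper already used earlier in this file, `stream_connect_pattern($1,evtchnd_var_run_t,evtchnd_var_run_t,evtchnd_t)`, instead of two hand-written allow rules plus `files_search_pids`.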
@@ -39221,7 +39435,26 @@
  role system_r types xenconsoled_t;
  
  # pid files
-@@ -95,7 +108,7 @@
+@@ -72,6 +85,18 @@
+ domain_type(xm_t)
+ init_system_domain(xm_t, xm_exec_t)
+ 
++type evtchnd_t;
++type evtchnd_exec_t;
++init_daemon_domain(evtchnd_t, evtchnd_exec_t)
++
++# log files
++type evtchnd_var_log_t;
++logging_log_file(evtchnd_var_log_t)
++
++# pid files
++type evtchnd_var_run_t;
++files_pid_file(evtchnd_var_run_t)
++
+ ########################################
+ #
+ # xend local policy
+@@ -95,7 +120,7 @@
  read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
  rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
  
@@ -39230,7 +39463,7 @@
  dev_filetrans(xend_t, xenctl_t, fifo_file)
  
  manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
-@@ -103,14 +116,14 @@
+@@ -103,14 +128,14 @@
  files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
  
  # pid file
@@ -39248,7 +39481,7 @@
  manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
  manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
  logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
-@@ -122,12 +135,13 @@
+@@ -122,12 +147,13 @@
  manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
  files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
  
@@ -39264,7 +39497,7 @@
  
  kernel_read_kernel_sysctls(xend_t)
  kernel_read_system_state(xend_t)
-@@ -173,6 +187,7 @@
+@@ -173,6 +199,7 @@
  files_manage_etc_runtime_files(xend_t)
  files_etc_filetrans_etc_runtime(xend_t,file)
  files_read_usr_files(xend_t)
@@ -39272,7 +39505,7 @@
  
  storage_raw_read_fixed_disk(xend_t)
  storage_raw_write_fixed_disk(xend_t)
-@@ -204,11 +219,15 @@
+@@ -204,11 +231,15 @@
  sysnet_read_dhcpc_pid(xend_t)
  sysnet_rw_dhcp_config(xend_t)
  
@@ -39289,7 +39522,7 @@
  
  optional_policy(`
  	consoletype_exec(xend_t)
-@@ -242,6 +261,8 @@
+@@ -242,6 +273,8 @@
  
  files_read_usr_files(xenconsoled_t)
  
@@ -39298,7 +39531,7 @@
  term_create_pty(xenconsoled_t,xen_devpts_t);
  term_use_generic_ptys(xenconsoled_t)
  term_use_console(xenconsoled_t)
-@@ -254,7 +275,7 @@
+@@ -254,7 +287,7 @@
  
  miscfiles_read_localization(xenconsoled_t)
  
@@ -39307,7 +39540,7 @@
  xen_stream_connect_xenstore(xenconsoled_t)
  
  ########################################
-@@ -262,15 +283,25 @@
+@@ -262,21 +295,34 @@
  # Xen store local policy
  #
  
@@ -39334,7 +39567,16 @@
  # var/lib files for xenstored
  manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
  manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
-@@ -321,18 +352,21 @@
+ manage_sock_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
+ files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
+ 
++# write and connect to evtchnd socket
++evtchnd_stream_connect(xenstored_t)
++
+ kernel_write_xen_state(xenstored_t)
+ kernel_read_xen_state(xenstored_t)
+ 
+@@ -321,18 +367,21 @@
  
  manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
  manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
@@ -39357,7 +39599,7 @@
  
  corenet_tcp_sendrecv_generic_if(xm_t)
  corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -348,8 +382,11 @@
+@@ -348,8 +397,11 @@
  
  storage_raw_read_fixed_disk(xm_t)
  
@@ -39369,7 +39611,7 @@
  init_rw_script_stream_sockets(xm_t)
  init_use_fds(xm_t)
  
-@@ -358,8 +395,30 @@
+@@ -358,8 +410,51 @@
  
  miscfiles_read_localization(xm_t)
  
@@ -39401,6 +39643,27 @@
 +optional_policy(`
 +	unconfined_domain(xend_t)
 +')
++
++#######################################
++#
++# evtchnd local policy
++#
++
++# pid file
++manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
++manage_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
++manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
++files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
++
++# log files
++manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
++manage_files_pattern(evtchnd_t,evtchnd_var_log_t,evtchnd_var_log_t)
++logging_log_filetrans(evtchnd_t,evtchnd_var_log_t,{ file dir })
++
++libs_use_ld_so(evtchnd_t)
++libs_use_shared_libs(evtchnd_t)
++ 
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/policy_capabilities serefpolicy-3.5.13/policy/policy_capabilities
 --- nsaserefpolicy/policy/policy_capabilities	2008-10-17 14:49:14.000000000 +0200
 +++ serefpolicy-3.5.13/policy/policy_capabilities	2009-02-10 15:07:15.000000000 +0100
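Review bot: The evtchnd local policy gives evtchnd_t only pid-file, log-file and library access, yet xen.if lets clients `connectto` `evtchnd_t:unix_stream_socket`, and nothing visible here lets evtchnd_t create or listen on that socket. Unless `init_daemon_domain` already covers it, a rule such as `allow evtchnd_t self:unix_stream_socket create_stream_socket_perms;` is probably needed. lircd.te in the first hunk of this patch appears to have the same gap: it allows `self:unix_dgram_socket` only, while `lircd_stream_connect` expects a stream socket.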


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.781
retrieving revision 1.782
diff -u -r1.781 -r1.782
--- selinux-policy.spec	20 Mar 2009 09:32:48 -0000	1.781
+++ selinux-policy.spec	23 Mar 2009 12:36:31 -0000	1.782
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 50%{?dist}
+Release: 51%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -460,6 +460,10 @@
 %endif
 
 %changelog
+* Mon Mar 23 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-51
+- Add LIRC policy
+- Xenner fixes
+
 * Fri Mar 20 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-50
 - Add gitosis policy
 - Allow mdadm to read/write mls override



