rpms/selinux-policy/devel policy-20090105.patch,1.70,1.71

Daniel J Walsh dwalsh at fedoraproject.org
Fri Mar 27 18:37:19 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19585

Modified Files:
	policy-20090105.patch 
Log Message:
* Thu Mar 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.10-3
- Fixes for svirt


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- policy-20090105.patch	27 Mar 2009 01:39:14 -0000	1.70
+++ policy-20090105.patch	27 Mar 2009 18:37:18 -0000	1.71
@@ -1536,6 +1536,18 @@
 +	xserver_write_pid(vbetool_t)
 +')
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.10/policy/modules/apps/awstats.te
+--- nsaserefpolicy/policy/modules/apps/awstats.te	2009-02-16 08:44:12.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/apps/awstats.te	2009-03-27 09:09:07.000000000 -0400
+@@ -51,6 +51,8 @@
+ 
+ libs_read_lib_files(awstats_t)
+ 
++logging_read_generic_logs(awstats_t)
++
+ miscfiles_read_localization(awstats_t)
+ 
+ sysnet_dns_name_resolve(awstats_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc
 --- nsaserefpolicy/policy/modules/apps/cdrecord.fc	2008-08-07 11:15:03.000000000 -0400
 +++ serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc	2009-03-24 09:03:48.000000000 -0400
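Review bot: `logging_read_generic_logs(awstats_t)` in the awstats.te section is added without a comment saying which log awstats needs. Judging by its name, the interface covers every file carrying the generic log type, not only web-server logs. If the denial came from one specific file, relabelling that file or using a narrower interface would keep a compromised awstats from reading unrelated system logs. At minimum, add a line such as `# awstats reads <log path>, which is labelled as a generic log` above the call. The awstats policy body continues outside the hunk.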
@@ -4771,7 +4783,7 @@
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.10/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/files.if	2009-03-26 21:12:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/kernel/files.if	2009-03-27 09:36:29.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5121,8 +5133,33 @@
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.10/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-03-04 16:49:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.if	2009-03-24 09:03:48.000000000 -0400
-@@ -754,6 +754,7 @@
++++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.if	2009-03-27 13:53:56.000000000 -0400
+@@ -723,6 +723,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Dont audit attempts to write to all noxattrfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_write_noxattr_fs_files',`
++	gen_require(`
++		attribute noxattrfs;
++	')
++
++	dontaudit $1 noxattrfs:file write;
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete all noxattrfs directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -754,6 +772,7 @@
  		attribute noxattrfs;
  	')
  
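Review bot: The new `fs_dontaudit_write_noxattr_fs_files` interface documents its parameter as `Domain allowed access.`, but its body contains only a `dontaudit` rule and grants nothing. The param summary should read `Domain to not audit.`, and the summary line should read `Do not audit attempts to write to all noxattrfs files.`. The rule silences only the `write` permission on `noxattrfs:file`, so related denials such as `append` would presumably still be logged; if that is intended, say so in the summary. Because dontaudit rules hide denials from the audit log, the header should also record which denial prompted the rule.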
@@ -5130,7 +5167,7 @@
  	read_files_pattern($1, noxattrfs, noxattrfs)
  ')
  
-@@ -2173,6 +2174,7 @@
+@@ -2173,6 +2192,7 @@
  		type removable_t;
  	')
  
@@ -5138,7 +5175,7 @@
  	rw_blk_files_pattern($1, removable_t, removable_t)
  ')
  
-@@ -3322,6 +3324,7 @@
+@@ -3322,6 +3342,7 @@
  		type tmpfs_t;
  	')
  
@@ -5146,7 +5183,7 @@
  	dontaudit $1 tmpfs_t:file rw_file_perms;
  ')
  
-@@ -3643,6 +3646,7 @@
+@@ -3643,6 +3664,7 @@
  	')
  
  	allow $1 filesystem_type:filesystem getattr;
@@ -8278,6 +8315,18 @@
  ')
  
  optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.10/policy/modules/services/bitlbee.te
+--- nsaserefpolicy/policy/modules/services/bitlbee.te	2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/services/bitlbee.te	2009-03-27 10:19:31.000000000 -0400
+@@ -75,6 +75,8 @@
+ # grant read-only access to the user help files
+ files_read_usr_files(bitlbee_t)
+ 
++kernel_read_system_state(bitlbee_t)
++
+ libs_legacy_use_shared_libs(bitlbee_t)
+ 
+ miscfiles_read_localization(bitlbee_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.10/policy/modules/services/certmaster.fc
 --- nsaserefpolicy/policy/modules/services/certmaster.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/services/certmaster.fc	2009-03-24 09:03:48.000000000 -0400
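Review bot: `kernel_read_system_state(bitlbee_t)` is added without a comment, although the neighbouring `files_read_usr_files(bitlbee_t)` line has one explaining why the access is granted. Add a matching line, for example `# bitlbee reads <proc entry> at startup`, so a later audit can tell whether the daemon still needs to read kernel state. The surrounding policy body continues outside the hunk.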
@@ -10570,6 +10619,17 @@
 +
 +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
 +allow session_bus_type dbusd_unconfined:dbus send_msg;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.10/policy/modules/services/dcc.fc
+--- nsaserefpolicy/policy/modules/services/dcc.fc	2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/dcc.fc	2009-03-27 08:55:46.000000000 -0400
+@@ -11,6 +11,7 @@
+ /usr/libexec/dcc/dccm		--	gen_context(system_u:object_r:dccm_exec_t,s0)
+ 
+ /var/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
++/var/lib/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_t,s0)
+ /var/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
+ 
+ /var/run/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.10/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/services/dcc.te	2009-03-24 09:03:48.000000000 -0400
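Review bot: The added `/var/lib/dcc(/.*)?` entry mirrors `/var/dcc(/.*)?`, but the more specific `/var/dcc/map` entry on the following line gets no `/var/lib/dcc` counterpart. If the map file can also live under the new directory, it would be labelled `dcc_var_t` instead of `dcc_client_map_t`, and rules written for the client map type would not apply to it. Consider adding `/var/lib/dcc/map	--	gen_context(system_u:object_r:dcc_client_map_t,s0)`, or a comment saying why it is not needed.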
@@ -12833,8 +12893,8 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.10/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/lircd.te	2009-03-24 09:03:48.000000000 -0400
-@@ -0,0 +1,51 @@
++++ serefpolicy-3.6.10/policy/modules/services/lircd.te	2009-03-27 09:36:23.000000000 -0400
+@@ -0,0 +1,55 @@
 +policy_module(lircd,1.0.0)
 +
 +########################################
@@ -12883,8 +12943,12 @@
 +
 +logging_send_syslog_msg(lircd_t)
 +
-+miscfiles_read_localization(lircd_t)
++files_read_etc_files(lircd_t)
++files_list_var(lircd_t)
++files_manage_generic_locks(lircd_t)
++files_read_all_locks(lircd_t)
 +
++miscfiles_read_localization(lircd_t)
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.10/policy/modules/services/mailman.fc
 --- nsaserefpolicy/policy/modules/services/mailman.fc	2008-08-07 11:15:11.000000000 -0400
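Review bot: `files_manage_generic_locks(lircd_t)` and `files_read_all_locks(lircd_t)` are broad grants for a single daemon, and the hunk gives no comment explaining them. By their names, the first lets lircd manage any lock file carrying the generic lock type and the second lets it read lock files of every type. If lircd only needs its own lock, a private lock type with a `files_lock_filetrans` transition would confine it to that file. If it really must inspect other programs' device locks, add a comment saying so above these two lines. The lircd policy body starts outside the hunk.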
@@ -13062,7 +13126,7 @@
 -#')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.10/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/mta.if	2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/mta.if	2009-03-27 09:50:44.000000000 -0400
 @@ -130,6 +130,15 @@
  		sendmail_create_log($1_mail_t)
  	')
@@ -13130,6 +13194,14 @@
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
+@@ -806,6 +818,7 @@
+ 	')
+ 
+ 	files_search_spool($1)
++	manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ 	manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.10/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/services/mta.te	2009-03-24 09:03:48.000000000 -0400
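Review bot: The added `manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)` widens an existing interface, so every domain that already calls it gains the ability to create and remove directories in the mail queue, not only files. The interface header is outside the hunk, so it is not visible whether its `<summary>` still describes file access only; it should be updated to mention directories. It would also help to confirm that all current callers are meant to receive the extra permission rather than just the one that triggered the denial.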
@@ -21169,7 +21241,7 @@
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.10/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/virt.if	2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/virt.if	2009-03-27 13:53:49.000000000 -0400
 @@ -2,28 +2,6 @@
  
  ########################################
@@ -21264,7 +21336,7 @@
  ##	All of the rules required to administrate 
  ##	an virt environment
  ## </summary>
-@@ -327,3 +341,50 @@
+@@ -327,3 +341,53 @@
  
  	virt_manage_log($1)
  ')
@@ -21310,6 +21382,9 @@
 +	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
 +	fs_getattr_tmpfs($1_t)
 +
++	fs_read_noxattr_fs_files($1_t)
++	fs_dontaudit_write_noxattr_fs_files($1_t)
++
 +	optional_policy(`
 +		xserver_common_app($1_t)
 +	')
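Review bot: `fs_read_noxattr_fs_files($1_t)` is granted unconditionally to every domain this template creates. Files on filesystems without xattr support generally share one mount-wide context, so per-guest labels cannot keep one guest from reading another guest's files there. This weakens the isolation the svirt domains are meant to provide, and it would be safer wrapped in a `tunable_policy` block so that administrators opt in only when they keep images on such filesystems. The paired `fs_dontaudit_write_noxattr_fs_files($1_t)` also means a guest's write attempts on those files leave no AVC record. Add a comment saying that this is deliberate noise suppression. The template starts and ends outside the hunk.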
@@ -24700,7 +24775,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.10/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/logging.if	2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/logging.if	2009-03-27 09:08:50.000000000 -0400
 @@ -623,7 +623,7 @@
  	')
  



