rpms/selinux-policy/F-12 modules-minimum.conf, 1.38, 1.39 modules-targeted.conf, 1.147, 1.148 policy-F12.patch, 1.101, 1.102 selinux-policy.spec, 1.938, 1.939
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Oct 7 20:56:22 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3231
Modified Files:
modules-minimum.conf modules-targeted.conf policy-F12.patch
selinux-policy.spec
Log Message:
* Wed Oct 7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-22
- Allow policykit to read meminfo
Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/modules-minimum.conf,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -p -r1.38 -r1.39
--- modules-minimum.conf 2 Oct 2009 15:01:06 -0000 1.38
+++ modules-minimum.conf 7 Oct 2009 20:56:21 -0000 1.39
@@ -1022,6 +1022,13 @@ nscd = base
ntp = module
# Layer: services
+# Module: nut
+#
+# nut - Network UPS Tools
+#
+nut = module
+
+# Layer: services
# Module: nx
#
# NX Remote Desktop
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/modules-targeted.conf,v
retrieving revision 1.147
retrieving revision 1.148
diff -u -p -r1.147 -r1.148
--- modules-targeted.conf 2 Oct 2009 15:01:06 -0000 1.147
+++ modules-targeted.conf 7 Oct 2009 20:56:21 -0000 1.148
@@ -1022,6 +1022,13 @@ nscd = base
ntp = module
# Layer: services
+# Module: nut
+#
+# nut - Network UPS Tools
+#
+nut = module
+
+# Layer: services
# Module: nx
#
# NX Remote Desktop
policy-F12.patch:
Makefile | 2
policy/flask/access_vectors | 1
policy/global_tunables | 24
policy/mcs | 10
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 1
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/logrotate.te | 13
policy/modules/admin/logwatch.te | 1
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 1
policy/modules/admin/ntop.fc | 5
policy/modules/admin/ntop.if | 158 +++
policy/modules/admin/ntop.te | 40
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.if | 4
policy/modules/admin/prelink.te | 1
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 18
policy/modules/admin/rpm.if | 264 +++++
policy/modules/admin/rpm.te | 95 +-
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 2
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 67 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 5
policy/modules/admin/tzdata.te | 2
policy/modules/admin/usermanage.if | 5
policy/modules/admin/usermanage.te | 31
policy/modules/admin/vbetool.te | 16
policy/modules/admin/vpn.te | 1
policy/modules/apps/calamaris.te | 7
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 85 +
policy/modules/apps/chrome.te | 57 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 33
policy/modules/apps/execmem.if | 70 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 3
policy/modules/apps/firewallgui.te | 63 +
policy/modules/apps/gitosis.if | 45
policy/modules/apps/gnome.fc | 12
policy/modules/apps/gnome.if | 170 +++
policy/modules/apps/gnome.te | 99 ++
policy/modules/apps/gpg.te | 20
policy/modules/apps/java.fc | 18
policy/modules/apps/java.if | 112 ++
policy/modules/apps/java.te | 14
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 65 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 50 +
policy/modules/apps/livecd.te | 26
policy/modules/apps/loadkeys.te | 4
policy/modules/apps/mono.if | 101 ++
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 32
policy/modules/apps/mozilla.te | 22
policy/modules/apps/nsplugin.fc | 12
policy/modules/apps/nsplugin.if | 323 ++++++
policy/modules/apps/nsplugin.te | 295 ++++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 93 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/pulseaudio.if | 2
policy/modules/apps/pulseaudio.te | 7
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 190 ++++
policy/modules/apps/qemu.te | 82 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 56 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 183 +++
policy/modules/apps/sandbox.te | 330 ++++++
policy/modules/apps/screen.if | 5
policy/modules/apps/seunshare.fc | 2
policy/modules/apps/seunshare.if | 81 +
policy/modules/apps/seunshare.te | 45
policy/modules/apps/vmware.te | 1
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 115 ++
policy/modules/apps/wine.te | 34
policy/modules/kernel/corecommands.fc | 28
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.te.in | 34
policy/modules/kernel/devices.fc | 8
policy/modules/kernel/devices.if | 183 +++
policy/modules/kernel/devices.te | 19
policy/modules/kernel/domain.if | 151 ++-
policy/modules/kernel/domain.te | 84 +
policy/modules/kernel/files.fc | 3
policy/modules/kernel/files.if | 298 ++++++
policy/modules/kernel/files.te | 6
policy/modules/kernel/filesystem.fc | 2
policy/modules/kernel/filesystem.if | 211 ++++
policy/modules/kernel/filesystem.te | 8
policy/modules/kernel/kernel.if | 58 +
policy/modules/kernel/kernel.te | 29
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 3
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 40
policy/modules/kernel/terminal.te | 1
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 123 --
policy/modules/roles/sysadm.te | 124 --
policy/modules/roles/unconfineduser.fc | 8
policy/modules/roles/unconfineduser.if | 638 +++++++++++++
policy/modules/roles/unconfineduser.te | 401 ++++++++
policy/modules/roles/unprivuser.te | 131 --
policy/modules/roles/xguest.te | 21
policy/modules/services/abrt.fc | 2
policy/modules/services/abrt.if | 21
policy/modules/services/abrt.te | 21
policy/modules/services/afs.fc | 1
policy/modules/services/afs.te | 1
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 ++
policy/modules/services/aisexec.te | 112 ++
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 38
policy/modules/services/apache.if | 410 +++++---
policy/modules/services/apache.te | 438 +++++++--
policy/modules/services/apm.te | 2
policy/modules/services/automount.te | 1
policy/modules/services/bind.if | 40
policy/modules/services/bluetooth.te | 9
policy/modules/services/ccs.fc | 5
policy/modules/services/certmaster.te | 2
policy/modules/services/chronyd.fc | 11
policy/modules/services/chronyd.if | 105 ++
policy/modules/services/chronyd.te | 67 +
policy/modules/services/clamav.te | 16
policy/modules/services/cobbler.fc | 2
policy/modules/services/cobbler.if | 24
policy/modules/services/cobbler.te | 5
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 18
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 ++
policy/modules/services/corosync.te | 109 ++
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 4
policy/modules/services/cron.if | 72 +
policy/modules/services/cron.te | 82 +
policy/modules/services/cups.fc | 13
policy/modules/services/cups.te | 35
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 1
policy/modules/services/dbus.if | 49 -
policy/modules/services/dbus.te | 25
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/devicekit.fc | 2
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 54 +
policy/modules/services/dnsmasq.te | 12
policy/modules/services/dovecot.te | 11
policy/modules/services/exim.te | 5
policy/modules/services/fail2ban.te | 1
policy/modules/services/fetchmail.te | 2
policy/modules/services/fprintd.te | 4
policy/modules/services/ftp.te | 60 +
policy/modules/services/gpm.te | 3
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 14
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 48 -
policy/modules/services/howl.te | 2
policy/modules/services/inetd.te | 2
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.te | 13
policy/modules/services/kerneloops.te | 2
policy/modules/services/ktalk.te | 1
policy/modules/services/lircd.te | 11
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 2
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 7
policy/modules/services/mta.te | 35
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 7
policy/modules/services/nagios.fc | 11
policy/modules/services/nagios.if | 70 +
policy/modules/services/nagios.te | 55 -
policy/modules/services/networkmanager.fc | 14
policy/modules/services/networkmanager.if | 64 +
policy/modules/services/networkmanager.te | 115 ++
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.te | 10
policy/modules/services/nslcd.if | 8
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 8
policy/modules/services/nut.fc | 15
policy/modules/services/nut.if | 82 +
policy/modules/services/nut.te | 140 ++
policy/modules/services/nx.fc | 1
policy/modules/services/nx.if | 19
policy/modules/services/nx.te | 6
policy/modules/services/oddjob.if | 1
policy/modules/services/openvpn.te | 2
policy/modules/services/pcscd.te | 3
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 286 ++++++
policy/modules/services/plymouth.te | 86 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 48 +
policy/modules/services/policykit.te | 64 +
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++-
policy/modules/services/postfix.te | 140 ++
policy/modules/services/postgresql.fc | 1
policy/modules/services/postgresql.if | 43
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 16
policy/modules/services/prelude.te | 1
policy/modules/services/privoxy.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/radvd.te | 1
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 6
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 58 +
policy/modules/services/rhcs.fc | 21
policy/modules/services/rhcs.if | 309 ++++++
policy/modules/services/rhcs.te | 340 +++++++
policy/modules/services/ricci.te | 21
policy/modules/services/rpc.if | 7
policy/modules/services/rpc.te | 16
policy/modules/services/rpcbind.if | 20
policy/modules/services/rpcbind.te | 1
policy/modules/services/rsync.te | 23
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 2
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 104 ++
policy/modules/services/samba.te | 89 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 87 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 102 ++
policy/modules/services/setroubleshoot.te | 80 +
policy/modules/services/smartmon.te | 15
policy/modules/services/snmp.if | 38
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 89 +
policy/modules/services/spamassassin.te | 137 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 183 +++
policy/modules/services/ssh.te | 77 +
policy/modules/services/sssd.fc | 2
policy/modules/services/sssd.if | 43
policy/modules/services/sssd.te | 6
policy/modules/services/sysstat.te | 5
policy/modules/services/uucp.te | 7
policy/modules/services/virt.fc | 12
policy/modules/services/virt.if | 127 ++
policy/modules/services/virt.te | 283 +++++
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 31
policy/modules/services/xserver.if | 534 ++++++++++-
policy/modules/services/xserver.te | 318 +++++-
policy/modules/system/application.if | 20
policy/modules/system/application.te | 11
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 205 +++-
policy/modules/system/authlogin.te | 9
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 7
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 158 +++
policy/modules/system/init.te | 277 ++++-
policy/modules/system/ipsec.fc | 3
policy/modules/system/ipsec.if | 25
policy/modules/system/ipsec.te | 55 +
policy/modules/system/iptables.fc | 17
policy/modules/system/iptables.if | 97 ++
policy/modules/system/iptables.te | 15
policy/modules/system/iscsi.if | 40
policy/modules/system/iscsi.te | 6
policy/modules/system/libraries.fc | 159 ++-
policy/modules/system/libraries.if | 4
policy/modules/system/libraries.te | 17
policy/modules/system/locallogin.te | 30
policy/modules/system/logging.fc | 12
policy/modules/system/logging.if | 18
policy/modules/system/logging.te | 38
policy/modules/system/lvm.te | 25
policy/modules/system/miscfiles.if | 38
policy/modules/system/modutils.fc | 1
policy/modules/system/modutils.if | 46
policy/modules/system/modutils.te | 46
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 2
policy/modules/system/mount.te | 76 +
policy/modules/system/raid.fc | 2
policy/modules/system/raid.te | 8
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 309 ++++++
policy/modules/system/selinuxutil.te | 226 +---
policy/modules/system/setrans.if | 20
policy/modules/system/sysnetwork.fc | 9
policy/modules/system/sysnetwork.if | 117 ++
policy/modules/system/sysnetwork.te | 76 +
policy/modules/system/udev.fc | 3
policy/modules/system/udev.if | 21
policy/modules/system/udev.te | 39
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 443 ---------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 6
policy/modules/system/userdomain.if | 1418 ++++++++++++++++++++++--------
policy/modules/system/userdomain.te | 50 -
policy/modules/system/xen.fc | 6
policy/modules/system/xen.if | 28
policy/modules/system/xen.te | 137 ++
policy/support/obj_perm_sets.spt | 14
policy/users | 13
346 files changed, 16403 insertions(+), 2618 deletions(-)
Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -p -r1.101 -r1.102
--- policy-F12.patch 5 Oct 2009 21:16:35 -0000 1.101
+++ policy-F12.patch 7 Oct 2009 20:56:21 -0000 1.102
@@ -139,6 +139,17 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
apache_exec_modules(certwatch_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.6.32/policy/modules/admin/consoletype.te
+--- nsaserefpolicy/policy/modules/admin/consoletype.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/consoletype.te 2009-10-07 14:44:15.000000000 -0400
+@@ -84,6 +84,7 @@
+ optional_policy(`
+ hal_dontaudit_use_fds(consoletype_t)
+ hal_dontaudit_rw_pipes(consoletype_t)
++ hal_dontaudit_rw_dgram_sockets(consoletype_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.32/policy/modules/admin/dmesg.fc
--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/admin/dmesg.fc 2009-09-30 16:12:48.000000000 -0400
@@ -149,7 +160,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.32/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/dmesg.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/dmesg.te 2009-10-06 09:52:38.000000000 -0400
@@ -9,6 +9,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -184,6 +195,13 @@ diff -b -B --ignore-all-space --exclude-
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(dmesg_t)
+@@ -57,3 +62,6 @@
+ optional_policy(`
+ udev_read_db(dmesg_t)
+ ')
++
++#mcelog needs
++dev_read_raw_memory(dmesg_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.6.32/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/admin/firstboot.te 2009-09-30 16:12:48.000000000 -0400
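Review bot: `dev_read_raw_memory(dmesg_t)` in the new nested hunk grants read access on memory_device_t to the whole dmesg_t domain, and the dmesg.fc hunk earlier in this patch makes /usr/sbin/mcelog run in that same domain, so the plain dmesg utility inherits a raw-memory read it has no use for. If mcelog only needs /dev/mcelog (presumably labelled memory_device_t — confirm in devices.fc), a separate mcelog domain is the tighter option; if the shared domain is deliberate, the grant should at least say so. The comment `#mcelog needs` does not say what it needs; suggest `# mcelog (labelled dmesg_exec_t) reads the raw memory device for MCE records; dmesg itself does not need this`.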
@@ -456,7 +474,6 @@ diff -b -B --ignore-all-space --exclude-
+ ntop_manage_var_lib($1)
+
+')
-Binary files nsaserefpolicy/policy/modules/admin/ntop.pp and serefpolicy-3.6.32/policy/modules/admin/ntop.pp differ
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.te serefpolicy-3.6.32/policy/modules/admin/ntop.te
--- nsaserefpolicy/policy/modules/admin/ntop.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.32/policy/modules/admin/ntop.te 2009-10-01 08:24:35.000000000 -0400
@@ -1792,8 +1809,8 @@ diff -b -B --ignore-all-space --exclude-
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.32/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-05 09:23:28.000000000 -0400
-@@ -0,0 +1,29 @@
++++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-06 16:12:55.000000000 -0400
+@@ -0,0 +1,33 @@
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -1823,6 +1840,10 @@ diff -b -B --ignore-all-space --exclude-
+
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
++/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/bin/mutter -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-02 10:33:33.000000000 -0400
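Review bot: The two new file contexts are appended after the RealPlayer entry with blank lines around them, whereas the entries visible at the top of this file (`/usr/bin/darcs`, `/usr/bin/haddock.*`, `/usr/bin/hasktags`) are sorted by path; `/usr/bin/mutter` belongs with the other `/usr/bin/` entries and the wingide pattern with the `/usr/lib/` ones. Labelling mutter execmem_exec_t moves a user's window manager into the execmem domain, so a one-line comment above it naming why it needs execmem/execstack would help the next reader, e.g. `# mutter: needs execmem for its plugin JIT — confirm`.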
@@ -2464,7 +2485,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/java.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/java.if 2009-10-07 16:35:17.000000000 -0400
@@ -30,6 +30,7 @@
allow java_t $2:unix_stream_socket connectto;
@@ -2473,7 +2494,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -71,24 +72,128 @@
+@@ -71,24 +72,129 @@
########################################
## <summary>
@@ -2593,6 +2614,7 @@ diff -b -B --ignore-all-space --exclude-
+
+ allow $1_java_t self:process { ptrace signal getsched execmem execstack };
+ allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
++ dontaudit $1_java_t $3:tcp_socket { read write };
+
+ domtrans_pattern($3, java_exec_t, $1_java_t)
+ dev_dontaudit_append_rand($1_java_t)
@@ -3047,7 +3069,7 @@ diff -b -B --ignore-all-space --exclude-
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-10-02 11:00:19.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-10-07 13:48:30.000000000 -0400
@@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -3073,7 +3095,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t)
files_read_etc_files(mozilla_t)
-@@ -129,6 +133,7 @@
+@@ -129,21 +133,18 @@
fs_rw_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -3081,7 +3103,10 @@ diff -b -B --ignore-all-space --exclude-
logging_send_syslog_msg(mozilla_t)
-@@ -138,12 +143,7 @@
++miscfiles_dontaudit_setattr_fonts(mozilla_t)
+ miscfiles_read_fonts(mozilla_t)
+ miscfiles_read_localization(mozilla_t)
+
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
@@ -3095,7 +3120,7 @@ diff -b -B --ignore-all-space --exclude-
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -231,11 +231,15 @@
+@@ -231,11 +232,15 @@
optional_policy(`
dbus_system_bus_client(mozilla_t)
dbus_session_bus_client(mozilla_t)
@@ -3111,7 +3136,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -256,5 +260,10 @@
+@@ -256,5 +261,10 @@
')
optional_policy(`
@@ -4331,8 +4356,8 @@ diff -b -B --ignore-all-space --exclude-
+# No types are sandbox_exec_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-09-30 16:12:48.000000000 -0400
-@@ -0,0 +1,182 @@
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-10-06 16:58:56.000000000 -0400
+@@ -0,0 +1,183 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -4384,7 +4409,8 @@ diff -b -B --ignore-all-space --exclude-
+ manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type);
-+ allow $1 sandbox_file_type:dir relabelto;
++ relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
++ relabel_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
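Review bot: Replacing `allow $1 sandbox_file_type:dir relabelto;` with `relabel_dirs_pattern` and `relabel_files_pattern` grants relabelfrom on sandbox_file_type as well as relabelto, and on files as well as directories, so a caller can now relabel sandbox content away from the sandbox types (given relabelto elsewhere), not only into them. If the intent is only to label freshly created sandbox content, the earlier relabelto-only rule was the tighter one; if relabelfrom is needed for cleanup, a comment saying so stops a later reviewer narrowing it back. The interface this belongs to starts before the hunk.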
@@ -4517,8 +4543,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-09-30 16:12:48.000000000 -0400
-@@ -0,0 +1,329 @@
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-10-06 17:01:45.000000000 -0400
+@@ -0,0 +1,330 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -4658,6 +4684,7 @@ diff -b -B --ignore-all-space --exclude-
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_tmp(sandbox_x_domain)
+
++kernel_read_network_state(sandbox_x_domain)
+kernel_read_system_state(sandbox_x_domain)
+
+corecmd_exec_all_executables(sandbox_x_domain)
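Review bot: `kernel_read_network_state(sandbox_x_domain)` exposes the host's /proc/net contents (routes, listening sockets, connection tables) to every sandboxed X application, which is exactly the kind of host information a sandbox domain is presumably meant to withhold. If the line was added only to silence AVC denials from a library that probes /proc/net, a dontaudit rule keeps the confinement; if the access is genuinely required, a comment naming the consumer belongs above it, e.g. `# <APP — fill in> reads /proc/net/* for <REASON — confirm>`.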
@@ -5045,8 +5072,8 @@ diff -b -B --ignore-all-space --exclude-
-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2009-09-30 16:12:48.000000000 -0400
-@@ -43,3 +43,62 @@
++++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2009-10-07 16:38:13.000000000 -0400
+@@ -43,3 +43,118 @@
wine_domtrans($1)
role $2 types wine_t;
')
@@ -5109,9 +5136,65 @@ diff -b -B --ignore-all-space --exclude-
+ relabel_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+')
++
++#######################################
++## <summary>
++## The role template for the wine module.
++## </summary>
++## <desc>
++## <p>
++## This template creates a derived domains which are used
++## for wine applications.
++## </p>
++## </desc>
++## <param name="role_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_role">
++## <summary>
++## The role associated with the user domain.
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++#
++template(`wine_role_template',`
++ gen_require(`
++ type wine_exec_t;
++ ')
++
++ type $1_wine_t;
++ domain_type($1_wine_t)
++ domain_entry_file($1_wine_t, wine_exec_t)
++ role $2 types $1_wine_t;
++
++ userdom_unpriv_usertype($1, $1_wine_t)
++ userdom_manage_tmpfs_role($2, $1_wine_t)
++
++ domain_mmap_low_type($1_wine_t)
++ tunable_policy(`mmap_low_allowed',`
++ domain_mmap_low($1_wine_t)
++ ')
++
++ allow $1_wine_t self:process { execmem execstack };
++ allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
++ domtrans_pattern($3, wine_exec_t, $1_wine_t)
++ corecmd_bin_domtrans($1_wine_t, $1_t)
++
++ optional_policy(`
++ xserver_common_app($1_wine_t)
++ xserver_role($1_r, $1_wine_t)
++ ')
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2009-10-07 16:37:55.000000000 -0400
@@ -9,20 +9,46 @@
type wine_t;
type wine_exec_t;
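Review bot: `wine_role_template` receives the user role as `$2` and the user domain as `$3`, but two lines rebuild them from the prefix instead: `corecmd_bin_domtrans($1_wine_t, $1_t)` and `xserver_role($1_r, $1_wine_t)`. They should read `corecmd_bin_domtrans($1_wine_t, $3)` and `xserver_role($2, $1_wine_t)`, consistent with the `domtrans_pattern($3, ...)` and `allow $3 ...` lines in the same template and with the java template earlier in this patch; otherwise a caller whose role or domain is not literally `<prefix>_r` / `<prefix>_t` gets rules referencing types that do not exist. The description block also says `creates a derived domains which are used`; `creates derived domains used` reads correctly.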
@@ -5284,7 +5367,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-10-05 17:13:25.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-10-07 16:06:40.000000000 -0400
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -5350,7 +5433,7 @@ diff -b -B --ignore-all-space --exclude-
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
-@@ -173,27 +186,33 @@
+@@ -173,27 +186,34 @@
network_port(sap, tcp,9875,s0, udp,9875,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -5374,6 +5457,7 @@ diff -b -B --ignore-all-space --exclude-
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
++network_port(ups, tcp,3493,s0)
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
+network_port(virt_migration, tcp,49152,s0)
+portcon tcp 49153-49216 gen_context(system_u:object_r:virt_migration_port_t,s0)
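Review bot: `network_port(ups, tcp,3493,s0)` is inserted between `uucpd` and `varnishd`, but the surrounding declarations are alphabetical (transproxy, utcpserver, uucpd, varnishd, virt_migration, ...), so `ups` belongs before `utcpserver`. The list is long enough that an out-of-order entry invites a duplicate declaration later, which fails the build only after someone adds the same port again.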
@@ -5387,7 +5471,7 @@ diff -b -B --ignore-all-space --exclude-
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -222,6 +241,8 @@
+@@ -222,6 +242,8 @@
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
@@ -8863,7 +8947,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-10-06 15:49:56.000000000 -0400
@@ -36,11 +36,17 @@
# Local policy
#
@@ -8882,7 +8966,15 @@ diff -b -B --ignore-all-space --exclude-
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -67,7 +73,11 @@
+@@ -49,6 +55,7 @@
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
++ fs_mount_fusefs(xguest_t)
+
+ auth_list_pam_console_data(xguest_t)
+
+@@ -67,7 +74,11 @@
')
optional_policy(`
@@ -8895,7 +8987,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
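Review bot: `fs_mount_fusefs(xguest_t)` is an unconditional grant to the guest role, while the rest of this file gates optional capabilities behind tunables (the `xguest_connect_network` block is visible in the next hunk) and mounting a filesystem is a larger step than the getattr/read rules it sits among. If this serves gvfs-fuse or removable media, putting it under the file's existing mount tunable (`xguest_mount_media`, if present in this tree — confirm) or a new boolean keeps it switchable; at minimum a comment naming the consumer belongs above it, e.g. `# gvfs-fuse mounts under the guest home — confirm`.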
-@@ -75,9 +85,13 @@
+@@ -75,9 +86,15 @@
')
optional_policy(`
@@ -8905,6 +8997,8 @@ diff -b -B --ignore-all-space --exclude-
+optional_policy(`
tunable_policy(`xguest_connect_network',`
networkmanager_dbus_chat(xguest_t)
++ corenet_tcp_connect_pulseaudio_port(xguest_t)
++ corenet_tcp_connect_ipp_port(xguest_t)
')
')
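Review bot: `corenet_tcp_connect_pulseaudio_port(xguest_t)` and `corenet_tcp_connect_ipp_port(xguest_t)` are placed inside the `tunable_policy(\`xguest_connect_network\`, ...)` block that, from the visible lines, sits within an `optional_policy` whose other content is `networkmanager_dbus_chat`, so the two port rules silently disappear whenever the networkmanager module is not loaded even though corenet interfaces come from the always-present kernel layer. Moving them into a `tunable_policy(\`xguest_connect_network\`, ...)` block outside that `optional_policy` makes them depend only on the boolean, which is presumably what was intended.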
@@ -8955,7 +9049,7 @@ diff -b -B --ignore-all-space --exclude-
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-10-06 10:15:23.000000000 -0400
@@ -75,6 +75,7 @@
corecmd_exec_bin(abrt_t)
@@ -8964,7 +9058,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_connect_http_port(abrt_t)
-@@ -105,13 +106,22 @@
+@@ -105,13 +106,29 @@
dbus_system_bus_client(abrt_t)
')
@@ -8972,6 +9066,13 @@ diff -b -B --ignore-all-space --exclude-
+ nsplugin_read_rw_files(abrt_t)
+')
+
++optional_policy(`
++ policykit_dbus_chat(abrt_t)
++ policykit_domtrans_auth(abrt_t)
++ policykit_read_lib(abrt_t)
++ policykit_read_reload(abrt_t)
++')
++
# to install debuginfo packages
optional_policy(`
- rpm_manage_db(abrt_t)
@@ -11256,7 +11357,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-10-06 10:15:04.000000000 -0400
@@ -62,12 +62,15 @@
init_telinit(consolekit_t)
@@ -12049,7 +12150,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-10-06 10:24:14.000000000 -0400
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -12116,7 +12217,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
-+userdom_read_user_tmp_files(cupsd_config_t)
++userdom_rw_user_tmp_files(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
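Review bot: `userdom_rw_user_tmp_files(cupsd_config_t)` widens the previous read-only grant to write access on every user's tmp files, and the hunk gives no reason for the widening. A why-comment on the line, e.g. `# cupsd_config writes user tmp files for <TODO: which operation>`, would keep the grant justified; whether a dontaudit would have sufficed instead cannot be told from here.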
@@ -12158,7 +12259,15 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -601,6 +622,9 @@
+@@ -556,6 +577,7 @@
+ miscfiles_read_fonts(cups_pdf_t)
+
+ userdom_home_filetrans_user_home_dir(cups_pdf_t)
++userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
+ userdom_manage_user_home_content_dirs(cups_pdf_t)
+ userdom_manage_user_home_content_files(cups_pdf_t)
+
+@@ -601,6 +623,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
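Review bot: The new `userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })` sits directly under the kept `userdom_home_filetrans_user_home_dir(cups_pdf_t)`, so cups_pdf_t now carries two home-directory file-transition rules whose relationship is not stated; if the new pattern subsumes the old call the old one should go, otherwise a comment should say which objects each governs. The interface is not defined anywhere in this chunk; if it is new, its definition in userdomain.if should be part of this patch (the userdomain.if hunks visible here do not show it).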
@@ -13050,7 +13159,7 @@ diff -b -B --ignore-all-space --exclude-
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.32/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/hal.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/hal.if 2009-10-07 14:43:47.000000000 -0400
@@ -413,3 +413,21 @@
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
@@ -13224,7 +13333,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.6.32/policy/modules/services/howl.te
--- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/howl.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/howl.te 2009-10-06 15:44:07.000000000 -0400
@@ -30,7 +30,7 @@
kernel_read_network_state(howl_t)
@@ -13387,7 +13496,7 @@ diff -b -B --ignore-all-space --exclude-
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-10-07 16:49:03.000000000 -0400
@@ -311,6 +311,7 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -13404,10 +13513,12 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -471,6 +473,7 @@
+@@ -470,7 +472,8 @@
+ type etc_mail_t;
')
- write_files_pattern($1, etc_mail_t, etc_mail_t)
+- write_files_pattern($1, etc_mail_t, etc_mail_t)
++ manage_files_pattern($1, etc_mail_t, etc_mail_t)
+ allow $1 etc_mail_t:file setattr;
')
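Review bot: Replacing `write_files_pattern` with `manage_files_pattern` on etc_mail_t also grants create, unlink and rename on mail configuration files, which is a larger change than the one-line diff suggests. The interface's `<summary>` lies outside the hunk; if it still describes write access it should be updated to say the caller may create and delete etc_mail_t files, so callers that only needed to write now knowingly carry the extra permission.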
@@ -14519,6 +14630,255 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.6.32/policy/modules/services/nut.fc
+--- nsaserefpolicy/policy/modules/services/nut.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/nut.fc 2009-10-07 16:06:40.000000000 -0400
+@@ -0,0 +1,15 @@
++
++/usr/sbin/upsd -- gen_context(system_u:object_r:upsd_exec_t,s0)
++
++/usr/sbin/upsmon -- gen_context(system_u:object_r:upsmon_exec_t,s0)
++
++/sbin/upsdrvctl -- gen_context(system_u:object_r:upsdrvctl_exec_t,s0)
++
++/var/run/nut/upsdrvctl\.pid -- gen_context(system_u:object_r:upsdrvctl_var_run_t,s0)
++
++/var/run/nut/upsd\.pid -- gen_context(system_u:object_r:upsd_var_run_t,s0)
++
++/var/run/nut/upsmon\.pid -- gen_context(system_u:object_r:upsmon_var_run_t,s0)
++
++/var/run/nut/usbhid-ups-myups\.pid -- gen_context(system_u:object_r:upsdrvctl_var_run_t,s0)
++/var/run/nut/usbhid-ups-myups -s gen_context(system_u:object_r:upsdrvctl_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.6.32/policy/modules/services/nut.if
+--- nsaserefpolicy/policy/modules/services/nut.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/nut.if 2009-10-07 16:06:40.000000000 -0400
+@@ -0,0 +1,82 @@
++## <summary>SELinux policy for nut - Network UPS Tools </summary>
++
++#####################################
++## <summary>
++## Execute a domain transition to run upsd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`upsd_domtrans',`
++ gen_require(`
++ type upsd_t, upsd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,upsd_exec_t,upsd_t)
++
++')
++
++####################################
++## <summary>
++## Execute a domain transition to run upsmon.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`upsmon_domtrans',`
++ gen_require(`
++ type upsmon_t, upsmon_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,upsmon_exec_t,upsmon_t)
++
++')
++
++####################################
++## <summary>
++## Execute a domain transition to run upsdrvctl.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`upsdrvctl_domtrans',`
++ gen_require(`
++ type upsdrvctl_t, upsdrvctl_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,upsdrvctl_exec_t,upsdrvctl_t)
++
++')
++
++####################################
++## <summary>
++## Connect to upsdrvctl over a unix domain
++## stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`upsdrvctl_stream_connect',`
++ gen_require(`
++ type upsdrvctl_t, upsdrvctl_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, upsdrvctl_var_run_t, upsdrvctl_var_run_t, upsdrvctl_t)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te
+--- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/nut.te 2009-10-07 16:06:40.000000000 -0400
+@@ -0,0 +1,140 @@
++
++policy_module(nut,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type upsd_t;
++type upsd_exec_t;
++init_daemon_domain(upsd_t,upsd_exec_t)
++
++type upsd_var_run_t;
++files_pid_file(upsd_var_run_t)
++
++type upsmon_t;
++type upsmon_exec_t;
++init_daemon_domain(upsmon_t,upsmon_exec_t)
++
++type upsmon_var_run_t;
++files_pid_file(upsmon_var_run_t)
++
++type upsdrvctl_t;
++type upsdrvctl_exec_t;
++init_daemon_domain(upsdrvctl_t, upsdrvctl_exec_t)
++
++type upsdrvctl_var_run_t;
++files_pid_file(upsdrvctl_var_run_t)
++
++permissive upsd_t;
++permissive upsdrvctl_t;
++permissive upsmon_t;
++
++#######################################
++#
++# upsd local policy
++#
++
++allow upsd_t self:capability { setuid setgid };
++
++allow upsd_t self:netlink_route_socket r_netlink_socket_perms;
++allow upsd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow upsd_t self:tcp_socket create_stream_socket_perms;
++
++# pid file
++manage_files_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t)
++manage_dirs_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t)
++manage_sock_files_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t)
++files_pid_filetrans(upsd_t, upsd_var_run_t, { file })
++
++rw_files_pattern(upsd_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t)
++
++corenet_tcp_bind_ups_port(upsd_t)
++corenet_tcp_bind_generic_node(upsd_t)
++
++kernel_read_kernel_sysctls(upsd_t)
++
++files_read_etc_files(upsd_t)
++files_read_usr_files(upsd_t)
++
++sysnet_read_config(upsd_t)
++
++logging_send_syslog_msg(upsd_t)
++
++miscfiles_read_localization(upsd_t)
++
++optional_policy(`
++ upsdrvctl_stream_connect(upsd_t)
++')
++
++######################################
++#
++# upsmon local policy
++#
++
++allow upsmon_t self:capability { dac_override setuid setgid };
++
++allow upsmon_t self:fifo_file rw_fifo_file_perms;
++allow upsmon_t self:netlink_route_socket r_netlink_socket_perms;
++allow upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
++allow upsmon_t self:tcp_socket create_stream_socket_perms;
++
++# pid file
++manage_files_pattern(upsmon_t, upsmon_var_run_t, upsmon_var_run_t)
++manage_dirs_pattern(upsmon_t, upsmon_var_run_t, upsmon_var_run_t)
++files_pid_filetrans(upsmon_t, upsmon_var_run_t, { file })
++
++rw_sock_files_pattern(upsmon_t,upsd_var_run_t,upsd_var_run_t)
++
++corenet_tcp_connect_ups_port(upsmon_t)
++
++corecmd_exec_bin(upsmon_t)
++corecmd_exec_shell(upsmon_t)
++
++kernel_read_kernel_sysctls(upsmon_t)
++kernel_read_system_state(upsmon_t)
++
++files_read_etc_files(upsmon_t)
++
++sysnet_read_config(upsmon_t)
++
++init_read_utmp(upsmon_t)
++
++logging_send_syslog_msg(upsmon_t)
++
++miscfiles_read_localization(upsmon_t)
++
++######################################
++#
++# ups local policy
++#
++
++allow upsdrvctl_t self:capability { dac_override kill setuid setgid };
++allow upsdrvctl_t self:process { signal signull };
++
++allow upsdrvctl_t self:fifo_file rw_fifo_file_perms;
++allow upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
++
++# pid file
++manage_files_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t)
++manage_dirs_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t)
++manage_sock_files_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t)
++files_pid_filetrans(upsdrvctl_t, upsdrvctl_var_run_t, { file sock_file })
++
++corecmd_exec_bin(upsdrvctl_t)
++
++kernel_read_kernel_sysctls(upsdrvctl_t)
++
++dev_rw_generic_usb_dev(upsdrvctl_t)
++
++term_use_unallocated_ttys(upsdrvctl_t)
++
++files_read_etc_files(upsdrvctl_t)
++
++sysnet_read_config(upsdrvctl_t)
++
++logging_send_syslog_msg(upsdrvctl_t)
++
++miscfiles_read_localization(upsdrvctl_t)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-09-30 16:12:48.000000000 -0400
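Review bot: nut.te declares all three new domains `permissive upsd_t; permissive upsdrvctl_t; permissive upsmon_t;`, so none of the rules that follow is enforced and the module as shipped only logs denials; that is a reasonable bring-up state, but the lines should carry a comment naming the tracking bug and the plan to drop them. In nut.fc the entries `/var/run/nut/usbhid-ups-myups\.pid` and `/var/run/nut/usbhid-ups-myups -s` hard-code a UPS name taken from one configuration, so other installations' driver pid and socket files stay unlabeled; a driver-name wildcard under `/var/run/nut/` would cover them, and `/var/run/nut` itself has no entry. The `optional_policy` wrapping `upsdrvctl_stream_connect(upsd_t)` is unnecessary since upsdrvctl is defined in this same module, and the `# ups local policy` section header should read `# upsdrvctl local policy`.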
@@ -15175,7 +15535,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-10-06 15:29:56.000000000 -0400
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -15193,7 +15553,13 @@ diff -b -B --ignore-all-space --exclude-
policykit_domtrans_auth(policykit_t)
-@@ -62,27 +63,46 @@
+@@ -57,32 +58,52 @@
+ manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+ files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+
++kernel_read_system_state(policykit_t)
+ kernel_read_kernel_sysctls(policykit_t)
+
files_read_etc_files(policykit_t)
files_read_usr_files(policykit_t)
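Review bot: `kernel_read_system_state(policykit_t)` is added to let polkit read /proc/meminfo (per the changelog), but the interface grants read on all of proc_t, which is wider than the stated need. If no narrower interface exists, recording the reason on the line, `kernel_read_system_state(policykit_t) # /proc/meminfo`, is the practical fix so the grant is not widened further later without thought.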
@@ -15244,7 +15610,7 @@ diff -b -B --ignore-all-space --exclude-
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -92,12 +112,14 @@
+@@ -92,12 +113,14 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -15261,7 +15627,7 @@ diff -b -B --ignore-all-space --exclude-
logging_send_syslog_msg(policykit_auth_t)
-@@ -106,7 +128,7 @@
+@@ -106,7 +129,7 @@
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
@@ -15270,7 +15636,7 @@ diff -b -B --ignore-all-space --exclude-
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -119,6 +141,14 @@
+@@ -119,6 +142,14 @@
hal_read_state(policykit_auth_t)
')
@@ -15285,7 +15651,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# polkit_grant local policy
-@@ -126,7 +156,8 @@
+@@ -126,7 +157,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -15295,7 +15661,7 @@ diff -b -B --ignore-all-space --exclude-
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -156,9 +187,12 @@
+@@ -156,9 +188,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -15309,7 +15675,7 @@ diff -b -B --ignore-all-space --exclude-
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -170,7 +204,8 @@
+@@ -170,7 +205,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -16503,8 +16869,8 @@ diff -b -B --ignore-all-space --exclude-
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2009-09-30 16:12:48.000000000 -0400
-@@ -0,0 +1,40 @@
++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2009-10-07 09:32:31.000000000 -0400
+@@ -0,0 +1,59 @@
+## <summary>SELinux policy for rgmanager</summary>
+
+#######################################
@@ -16545,10 +16911,29 @@ diff -b -B --ignore-all-space --exclude-
+ allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
+')
+
++########################################
++## <summary>
++## Connect to rgmanager over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rgmanager_stream_connect',`
++ gen_require(`
++ type rgmanager_t, rgmanager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
++')
++
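Review bot: The `<summary>` of the new rgmanager_stream_connect reads `Connect to rgmanager over an unix stream socket.`; it should be `Connect to rgmanager over a unix stream socket.` to match the wording used by the other stream_connect interfaces. Otherwise the interface follows the standard `files_search_pids` plus `stream_connect_pattern` shape.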
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2009-09-30 16:12:48.000000000 -0400
-@@ -0,0 +1,54 @@
++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2009-10-07 09:33:02.000000000 -0400
+@@ -0,0 +1,58 @@
+
+policy_module(rgmanager,1.0.0)
+
@@ -16603,6 +16988,10 @@ diff -b -B --ignore-all-space --exclude-
+
+permissive rgmanager_t;
+
++optional_policy(`
++ ccs_stream_connect(rgmanager_t)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2009-09-30 16:12:48.000000000 -0400
@@ -17287,7 +17676,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.32/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ricci.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/ricci.te 2009-10-07 09:30:15.000000000 -0400
@@ -227,6 +227,10 @@
ricci_stream_connect_modclusterd(ricci_modcluster_t)
@@ -17307,7 +17696,7 @@ diff -b -B --ignore-all-space --exclude-
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
-@@ -306,6 +311,10 @@
+@@ -306,12 +311,20 @@
sysnet_dns_name_resolve(ricci_modclusterd_t)
optional_policy(`
@@ -17318,7 +17707,17 @@ diff -b -B --ignore-all-space --exclude-
ccs_domtrans(ricci_modclusterd_t)
ccs_stream_connect(ricci_modclusterd_t)
ccs_read_config(ricci_modclusterd_t)
-@@ -440,6 +449,10 @@
+ ')
+
+ optional_policy(`
++ rgmanager_stream_connect(ricci_modclusterd_t)
++')
++
++optional_policy(`
+ unconfined_use_fds(ricci_modclusterd_t)
+ ')
+
+@@ -440,6 +453,10 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -17329,7 +17728,7 @@ diff -b -B --ignore-all-space --exclude-
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-@@ -457,6 +470,10 @@
+@@ -457,6 +474,10 @@
mount_domtrans(ricci_modstorage_t)
optional_policy(`
@@ -22183,7 +22582,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-10-07 13:42:42.000000000 -0400
@@ -40,17 +40,76 @@
## </summary>
## </param>
@@ -22270,7 +22669,7 @@ diff -b -B --ignore-all-space --exclude-
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
-@@ -86,27 +143,44 @@
+@@ -86,27 +143,45 @@
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -22291,6 +22690,7 @@ diff -b -B --ignore-all-space --exclude-
- logging_send_audit_msgs($1)
- logging_send_syslog_msg($1)
logging_set_loginuid($1)
++ logging_set_tty_audit($1)
seutil_read_config($1)
seutil_read_default_contexts($1)
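Review bot: `logging_set_tty_audit($1)` is added unconditionally to every domain built from this template (its name is outside the hunk, presumably auth_login_pgm_domain), which gives all login programs the nlmsg_tty_audit permission. That is what a PAM tty-audit module needs, but a comment on the line, e.g. `# for pam_tty_audit`, would record why every login program gets it rather than only the ones that load that module.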
@@ -22328,7 +22728,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -258,6 +332,7 @@
+@@ -258,6 +333,7 @@
type auth_cache_t;
')
@@ -22336,7 +22736,7 @@ diff -b -B --ignore-all-space --exclude-
manage_files_pattern($1, auth_cache_t, auth_cache_t)
')
-@@ -305,19 +380,16 @@
+@@ -305,19 +381,16 @@
dev_read_rand($1)
dev_read_urand($1)
@@ -22361,7 +22761,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -328,6 +400,29 @@
+@@ -328,6 +401,29 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -22391,7 +22791,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -352,6 +447,7 @@
+@@ -352,6 +448,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -22399,7 +22799,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1129,6 +1225,32 @@
+@@ -1129,6 +1226,32 @@
########################################
## <summary>
@@ -22432,7 +22832,7 @@ diff -b -B --ignore-all-space --exclude-
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
-@@ -1254,6 +1376,25 @@
+@@ -1254,6 +1377,25 @@
########################################
## <summary>
@@ -22458,7 +22858,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to write to
## login records files.
## </summary>
-@@ -1395,6 +1536,14 @@
+@@ -1395,6 +1537,14 @@
')
optional_policy(`
@@ -22473,7 +22873,7 @@ diff -b -B --ignore-all-space --exclude-
nis_use_ypbind($1)
')
-@@ -1403,8 +1552,17 @@
+@@ -1403,8 +1553,17 @@
')
optional_policy(`
@@ -24361,8 +24761,29 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/logging.if 2009-09-30 16:12:48.000000000 -0400
-@@ -624,7 +624,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/logging.if 2009-10-07 13:42:04.000000000 -0400
+@@ -69,6 +69,20 @@
+
+ ########################################
+ ## <summary>
++## Set tty auditing
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`logging_set_tty_audit',`
++ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
++')
++
++########################################
++## <summary>
+ ## Set up audit
+ ## </summary>
+ ## <param name="domain">
+@@ -624,7 +638,7 @@
')
files_search_var($1)
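Review bot: The new `logging_set_tty_audit` interface grants `r_netlink_socket_perms` together with `nlmsg_tty_audit` on the caller's netlink_audit_socket, but its summary `Set tty auditing` says neither what the caller can then do (enable per-tty auditing via the audit netlink interface) nor that `nlmsg_tty_audit` must be declared in access_vectors for the policy to build; the diffstat lists a one-line access_vectors change, presumably that declaration. Expanding the summary to `Enable tty auditing over the audit netlink socket (nlmsg_tty_audit).` would make the contract clear.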
@@ -24371,7 +24792,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -708,6 +708,8 @@
+@@ -708,6 +722,8 @@
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
read_lnk_files_pattern($1, logfile, logfile)
@@ -24603,7 +25024,7 @@ diff -b -B --ignore-all-space --exclude-
modutils_domtrans_insmod(lvm_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-10-07 13:48:11.000000000 -0400
@@ -87,6 +87,44 @@
########################################
@@ -26162,7 +26583,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2009-10-07 14:46:28.000000000 -0400
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -26211,7 +26632,15 @@ diff -b -B --ignore-all-space --exclude-
files_etc_filetrans(dhcpc_t, net_conf_t, file)
# create temp files
-@@ -107,11 +114,13 @@
+@@ -81,6 +88,7 @@
+ kernel_read_system_state(dhcpc_t)
+ kernel_read_network_state(dhcpc_t)
+ kernel_read_kernel_sysctls(dhcpc_t)
++kernel_request_load_module(dhcpc_t)
+ kernel_use_fds(dhcpc_t)
+
+ corecmd_exec_bin(dhcpc_t)
+@@ -107,11 +115,13 @@
# for SSP:
dev_read_urand(dhcpc_t)
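Review bot: `kernel_request_load_module(dhcpc_t)` lets the DHCP client trigger kernel module autoloading, a capability-style grant rather than a file read, and the hunk gives no reason for it. A comment on the line naming the trigger, e.g. `# dhclient requests module load for <TODO: which module>`, would justify keeping it; if the request is only a harmless side effect of a socket option, `kernel_dontaudit_request_load_module(dhcpc_t)` would be the narrower choice.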
@@ -26226,7 +26655,7 @@ diff -b -B --ignore-all-space --exclude-
files_search_home(dhcpc_t)
files_search_var_lib(dhcpc_t)
files_dontaudit_search_locks(dhcpc_t)
-@@ -183,25 +192,23 @@
+@@ -183,25 +193,23 @@
')
optional_policy(`
@@ -26260,7 +26689,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -212,6 +219,7 @@
+@@ -212,6 +220,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -26268,7 +26697,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -223,6 +231,10 @@
+@@ -223,6 +232,10 @@
')
optional_policy(`
@@ -26279,7 +26708,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_xen_state(dhcpc_t)
kernel_write_xen_state(dhcpc_t)
xen_append_log(dhcpc_t)
-@@ -235,7 +247,6 @@
+@@ -235,7 +248,6 @@
#
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
@@ -26287,7 +26716,7 @@ diff -b -B --ignore-all-space --exclude-
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
-@@ -249,6 +260,8 @@
+@@ -249,6 +261,8 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
@@ -26296,7 +26725,7 @@ diff -b -B --ignore-all-space --exclude-
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
-@@ -260,7 +273,9 @@
+@@ -260,7 +274,9 @@
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
@@ -26306,7 +26735,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
-@@ -269,15 +284,23 @@
+@@ -269,15 +285,23 @@
# for IPSEC setup:
dev_read_urand(ifconfig_t)
@@ -26331,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-
files_dontaudit_read_root_files(ifconfig_t)
-@@ -294,6 +317,8 @@
+@@ -294,6 +318,8 @@
seutil_use_runinit_fds(ifconfig_t)
@@ -26340,7 +26769,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -330,8 +355,21 @@
+@@ -330,8 +356,22 @@
')
optional_policy(`
@@ -26361,6 +26790,7 @@ diff -b -B --ignore-all-space --exclude-
+optional_policy(`
+ hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+ hal_dontaudit_rw_pipes(ifconfig_t)
++ hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.32/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2009-07-14 14:19:57.000000000 -0400
@@ -27293,7 +27723,7 @@ diff -b -B --ignore-all-space --exclude-
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-05 11:13:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-07 16:37:24.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -28166,7 +28596,15 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -835,6 +889,32 @@
+@@ -826,6 +880,7 @@
+ ')
+
+ userdom_login_user_template($1)
++ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ typeattribute $1_t unpriv_userdomain;
+ domain_interactive_fd($1_t)
+@@ -835,6 +890,32 @@
# Local policy
#
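Review bot: The raw `allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;` is placed between the template calls in the declarations part rather than under the `# Local policy` header that follows, and nothing says why every unprivileged user domain may open a uevent netlink socket (receiving device events). Moving it below the `# Local policy` comment with a why-comment, e.g. `# <TODO: which desktop component> listens for device events over uevent netlink`, would match the file's layout; the template's opening is outside the hunk.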
@@ -28199,7 +28637,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -865,51 +945,81 @@
+@@ -865,51 +946,81 @@
userdom_restricted_user_template($1)
@@ -28294,7 +28732,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -943,8 +1053,8 @@
+@@ -943,8 +1054,8 @@
# Declarations
#
@@ -28304,7 +28742,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_common_user_template($1)
##############################
-@@ -953,11 +1063,12 @@
+@@ -953,11 +1064,12 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -28319,7 +28757,7 @@ diff -b -B --ignore-all-space --exclude-
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -975,36 +1086,57 @@
+@@ -975,36 +1087,61 @@
')
')
@@ -28382,6 +28820,10 @@ diff -b -B --ignore-all-space --exclude-
+ ')
+
+ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ ')
+
@@ -28391,7 +28833,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
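Review bot: `wine_role_template($1, $1_r, $1_t)` is added for every domain built from this template without a tunable, so each unprivileged user gets the wine domain by default; if that domain carries the execmem/execstack style permissions wine usually needs (not visible here), gating the call on a boolean would keep them off restricted users. At minimum a comment stating the intent would help; the template's name and opening are outside the hunk.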
-@@ -1040,7 +1172,7 @@
+@@ -1040,7 +1177,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -28400,7 +28842,7 @@ diff -b -B --ignore-all-space --exclude-
')
##############################
-@@ -1049,8 +1181,7 @@
+@@ -1049,8 +1186,7 @@
#
# Inherit rules for ordinary users.
@@ -28410,7 +28852,7 @@ diff -b -B --ignore-all-space --exclude-
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1075,6 +1206,9 @@
+@@ -1075,6 +1211,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -28420,7 +28862,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1223,7 @@
+@@ -1089,6 +1228,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -28428,7 +28870,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1096,8 +1231,6 @@
+@@ -1096,8 +1236,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -28437,7 +28879,7 @@ diff -b -B --ignore-all-space --exclude-
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1124,6 +1257,8 @@
+@@ -1124,6 +1262,8 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -28446,7 +28888,7 @@ diff -b -B --ignore-all-space --exclude-
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1152,20 +1287,6 @@
+@@ -1152,20 +1292,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -28467,7 +28909,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1332,7 @@
+@@ -1211,6 +1337,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -28475,7 +28917,7 @@ diff -b -B --ignore-all-space --exclude-
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1276,11 +1398,15 @@
+@@ -1276,11 +1403,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -28491,7 +28933,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1391,12 +1517,13 @@
+@@ -1391,12 +1522,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -28506,7 +28948,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1429,6 +1556,14 @@
+@@ -1429,6 +1561,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -28521,7 +28963,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1444,9 +1579,11 @@
+@@ -1444,9 +1584,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -28533,7 +28975,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1503,6 +1640,25 @@
+@@ -1503,6 +1645,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -28559,7 +29001,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1577,6 +1733,8 @@
+@@ -1577,6 +1738,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -28568,7 +29010,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1670,6 +1828,7 @@
+@@ -1670,6 +1833,7 @@
type user_home_dir_t, user_home_t;
')
@@ -28576,7 +29018,7 @@ diff -b -B --ignore-all-space --exclude-
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1797,19 +1956,32 @@
+@@ -1797,19 +1961,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -28616,7 +29058,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1844,6 +2016,7 @@
+@@ -1844,6 +2021,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -28624,7 +29066,7 @@ diff -b -B --ignore-all-space --exclude-
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2564,7 @@
+@@ -2391,27 +2569,7 @@
########################################
## <summary>
@@ -28653,7 +29095,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -2765,11 +2918,32 @@
+@@ -2765,11 +2923,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -28688,7 +29130,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -2897,7 +3071,25 @@
+@@ -2897,7 +3076,25 @@
type user_tmp_t;
')
@@ -28715,7 +29157,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -2934,6 +3126,7 @@
+@@ -2934,6 +3131,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -28723,7 +29165,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_search_proc($1)
')
-@@ -3064,3 +3257,559 @@
+@@ -3064,3 +3262,559 @@
allow $1 userdomain:dbus send_msg;
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.938
retrieving revision 1.939
diff -u -p -r1.938 -r1.939
--- selinux-policy.spec 5 Oct 2009 21:16:36 -0000 1.938
+++ selinux-policy.spec 7 Oct 2009 20:56:21 -0000 1.939
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 21%{?dist}
+Release: 22%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,9 @@ exit 0
%endif
%changelog
+* Wed Oct 7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-22
+- Allow polickit to read meminfo
+
* Mon Oct 5 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-21
- Allow dovecot_t getcap, setcap