rpms/selinux-policy/F-12 policy-F12.patch, 1.111, 1.112 selinux-policy.spec, 1.945, 1.946
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Oct 19 19:05:57 UTC 2009
- Previous message (by thread): rpms/policycoreutils/devel policycoreutils-gui.patch, 1.96, 1.97 policycoreutils.spec, 1.653, 1.654
- Next message (by thread): rpms/drehatlas-warender-bibliothek-fonts/devel 61-drehatlas-warender-bibliothek.conf, NONE, 1.1 Makefile.warender-bibliothek, NONE, 1.1 drehatlas-warender-bibliothek-fonts.spec, NONE, 1.1 import.log, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13746
Modified Files:
policy-F12.patch selinux-policy.spec
Log Message:
* Sat Oct 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-29
- Allow ccs to communicate with userdomains, and create tmpfs_t
- Add /dev/noz* as a modem_device_t and allow modemmanager to rw it.
- Add mapping for /var/run/lircd
policy-F12.patch:
Makefile | 2
policy/flask/access_vectors | 1
policy/global_tunables | 24
policy/mcs | 10
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 1
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/logrotate.te | 13
policy/modules/admin/logwatch.te | 1
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 1
policy/modules/admin/ntop.fc | 5
policy/modules/admin/ntop.if | 158 +++
policy/modules/admin/ntop.te | 40
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.if | 4
policy/modules/admin/prelink.te | 2
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 18
policy/modules/admin/rpm.if | 264 +++++
policy/modules/admin/rpm.te | 95 +
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 2
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 66 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 5
policy/modules/admin/tzdata.te | 2
policy/modules/admin/usermanage.if | 5
policy/modules/admin/usermanage.te | 34
policy/modules/admin/vbetool.te | 14
policy/modules/admin/vpn.te | 2
policy/modules/apps/calamaris.te | 7
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 85 +
policy/modules/apps/chrome.te | 61 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 31
policy/modules/apps/execmem.if | 74 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 3
policy/modules/apps/firewallgui.te | 63 +
policy/modules/apps/gitosis.if | 45
policy/modules/apps/gnome.fc | 12
policy/modules/apps/gnome.if | 170 +++
policy/modules/apps/gnome.te | 99 ++
policy/modules/apps/gpg.te | 20
policy/modules/apps/java.fc | 18
policy/modules/apps/java.if | 112 ++
policy/modules/apps/java.te | 14
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 65 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 50 +
policy/modules/apps/livecd.te | 26
policy/modules/apps/loadkeys.te | 4
policy/modules/apps/mono.if | 101 ++
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 32
policy/modules/apps/mozilla.te | 22
policy/modules/apps/nsplugin.fc | 13
policy/modules/apps/nsplugin.if | 323 ++++++
policy/modules/apps/nsplugin.te | 295 ++++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 93 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/pulseaudio.if | 2
policy/modules/apps/pulseaudio.te | 7
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 190 +++
policy/modules/apps/qemu.te | 82 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 57 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 184 +++
policy/modules/apps/sandbox.te | 330 ++++++
policy/modules/apps/screen.if | 5
policy/modules/apps/seunshare.fc | 2
policy/modules/apps/seunshare.if | 81 +
policy/modules/apps/seunshare.te | 45
policy/modules/apps/vmware.te | 1
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 115 ++
policy/modules/apps/wine.te | 34
policy/modules/kernel/corecommands.fc | 30
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.te.in | 34
policy/modules/kernel/devices.fc | 11
policy/modules/kernel/devices.if | 255 +++++
policy/modules/kernel/devices.te | 25
policy/modules/kernel/domain.if | 151 ++-
policy/modules/kernel/domain.te | 84 +
policy/modules/kernel/files.fc | 3
policy/modules/kernel/files.if | 298 ++++++
policy/modules/kernel/files.te | 6
policy/modules/kernel/filesystem.fc | 2
policy/modules/kernel/filesystem.if | 211 ++++
policy/modules/kernel/filesystem.te | 9
policy/modules/kernel/kernel.if | 58 +
policy/modules/kernel/kernel.te | 29
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 3
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 40
policy/modules/kernel/terminal.te | 1
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 123 --
policy/modules/roles/sysadm.te | 124 --
policy/modules/roles/unconfineduser.fc | 8
policy/modules/roles/unconfineduser.if | 638 +++++++++++++
policy/modules/roles/unconfineduser.te | 411 ++++++++
policy/modules/roles/unprivuser.te | 127 --
policy/modules/roles/xguest.te | 36
policy/modules/services/abrt.fc | 2
policy/modules/services/abrt.if | 40
policy/modules/services/abrt.te | 24
policy/modules/services/afs.fc | 1
policy/modules/services/afs.te | 1
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 ++
policy/modules/services/aisexec.te | 112 ++
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 38
policy/modules/services/apache.if | 410 +++++---
policy/modules/services/apache.te | 439 +++++++--
policy/modules/services/apm.te | 2
policy/modules/services/automount.te | 1
policy/modules/services/bind.if | 40
policy/modules/services/bluetooth.te | 9
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.te | 33
policy/modules/services/certmaster.te | 2
policy/modules/services/chronyd.fc | 11
policy/modules/services/chronyd.if | 105 ++
policy/modules/services/chronyd.te | 67 +
policy/modules/services/clamav.te | 16
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 98 ++
policy/modules/services/clogd.te | 62 +
policy/modules/services/cobbler.fc | 2
policy/modules/services/cobbler.if | 24
policy/modules/services/cobbler.te | 5
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 19
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 ++
policy/modules/services/corosync.te | 109 ++
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 4
policy/modules/services/cron.if | 72 +
policy/modules/services/cron.te | 82 +
policy/modules/services/cups.fc | 13
policy/modules/services/cups.te | 38
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 1
policy/modules/services/dbus.if | 49 -
policy/modules/services/dbus.te | 25
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/devicekit.fc | 2
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 54 +
policy/modules/services/dnsmasq.te | 12
policy/modules/services/dovecot.te | 11
policy/modules/services/exim.te | 5
policy/modules/services/fail2ban.te | 2
policy/modules/services/fetchmail.te | 2
policy/modules/services/fprintd.te | 4
policy/modules/services/ftp.te | 60 +
policy/modules/services/gpm.te | 3
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 14
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 48 -
policy/modules/services/howl.te | 2
policy/modules/services/inetd.te | 2
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.te | 13
policy/modules/services/kerneloops.te | 2
policy/modules/services/ktalk.te | 1
policy/modules/services/lircd.fc | 1
policy/modules/services/lircd.te | 12
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 2
policy/modules/services/milter.if | 2
policy/modules/services/modemmanager.te | 1
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 10
policy/modules/services/mta.te | 36
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 7
policy/modules/services/nagios.fc | 11
policy/modules/services/nagios.if | 70 +
policy/modules/services/nagios.te | 55 -
policy/modules/services/networkmanager.fc | 14
policy/modules/services/networkmanager.if | 64 +
policy/modules/services/networkmanager.te | 115 ++
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 18
policy/modules/services/nscd.te | 17
policy/modules/services/nslcd.if | 8
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 8
policy/modules/services/nut.fc | 15
policy/modules/services/nut.if | 82 +
policy/modules/services/nut.te | 140 ++
policy/modules/services/nx.fc | 1
policy/modules/services/nx.if | 19
policy/modules/services/nx.te | 6
policy/modules/services/oddjob.if | 1
policy/modules/services/openvpn.te | 2
policy/modules/services/pcscd.te | 3
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 286 +++++
policy/modules/services/plymouth.te | 96 ++
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 48 +
policy/modules/services/policykit.te | 64 +
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++-
policy/modules/services/postfix.te | 140 ++
policy/modules/services/postgresql.fc | 1
policy/modules/services/postgresql.if | 43
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 16
policy/modules/services/prelude.te | 1
policy/modules/services/privoxy.fc | 3
policy/modules/services/privoxy.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/radvd.te | 1
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 83 +
policy/modules/services/rhcs.fc | 22
policy/modules/services/rhcs.if | 348 +++++++
policy/modules/services/rhcs.te | 394 ++++++++
policy/modules/services/ricci.te | 30
policy/modules/services/rpc.if | 7
policy/modules/services/rpc.te | 16
policy/modules/services/rpcbind.if | 20
policy/modules/services/rpcbind.te | 1
policy/modules/services/rsync.te | 23
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 2
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 104 ++
policy/modules/services/samba.te | 89 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 87 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 102 ++
policy/modules/services/setroubleshoot.te | 81 +
policy/modules/services/smartmon.te | 15
policy/modules/services/snmp.if | 38
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 89 +
policy/modules/services/spamassassin.te | 137 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 184 +++
policy/modules/services/ssh.te | 77 +
policy/modules/services/sssd.fc | 2
policy/modules/services/sssd.if | 43
policy/modules/services/sssd.te | 6
policy/modules/services/sysstat.te | 5
policy/modules/services/tftp.fc | 2
policy/modules/services/uucp.te | 7
policy/modules/services/virt.fc | 12
policy/modules/services/virt.if | 127 ++
policy/modules/services/virt.te | 283 +++++
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 33
policy/modules/services/xserver.if | 534 ++++++++++-
policy/modules/services/xserver.te | 318 +++++-
policy/modules/system/application.if | 20
policy/modules/system/application.te | 11
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 207 +++-
policy/modules/system/authlogin.te | 10
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 7
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 158 +++
policy/modules/system/init.te | 285 ++++-
policy/modules/system/ipsec.fc | 3
policy/modules/system/ipsec.if | 25
policy/modules/system/ipsec.te | 55 +
policy/modules/system/iptables.fc | 17
policy/modules/system/iptables.if | 97 ++
policy/modules/system/iptables.te | 15
policy/modules/system/iscsi.if | 40
policy/modules/system/iscsi.te | 6
policy/modules/system/libraries.fc | 160 ++-
policy/modules/system/libraries.if | 4
policy/modules/system/libraries.te | 17
policy/modules/system/locallogin.te | 30
policy/modules/system/logging.fc | 12
policy/modules/system/logging.if | 18
policy/modules/system/logging.te | 38
policy/modules/system/lvm.if | 39
policy/modules/system/lvm.te | 25
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 60 +
policy/modules/system/miscfiles.te | 3
policy/modules/system/modutils.fc | 1
policy/modules/system/modutils.if | 46
policy/modules/system/modutils.te | 46
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 2
policy/modules/system/mount.te | 76 +
policy/modules/system/raid.fc | 2
policy/modules/system/raid.te | 8
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 309 ++++++
policy/modules/system/selinuxutil.te | 229 +---
policy/modules/system/setrans.if | 20
policy/modules/system/sysnetwork.fc | 9
policy/modules/system/sysnetwork.if | 117 ++
policy/modules/system/sysnetwork.te | 77 +
policy/modules/system/udev.fc | 3
policy/modules/system/udev.if | 21
policy/modules/system/udev.te | 39
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 443 ---------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 6
policy/modules/system/userdomain.if | 1433 ++++++++++++++++++++++--------
policy/modules/system/userdomain.te | 50 -
policy/modules/system/xen.fc | 6
policy/modules/system/xen.if | 28
policy/modules/system/xen.te | 137 ++
policy/support/obj_perm_sets.spt | 14
policy/users | 13
360 files changed, 16996 insertions(+), 2651 deletions(-)
Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -p -r1.111 -r1.112
--- policy-F12.patch 15 Oct 2009 20:42:08 -0000 1.111
+++ policy-F12.patch 19 Oct 2009 19:05:56 -0000 1.112
@@ -2913,7 +2913,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2009-10-17 07:22:40.000000000 -0400
@@ -21,6 +21,105 @@
########################################
@@ -4347,8 +4347,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2009-09-30 16:12:48.000000000 -0400
-@@ -0,0 +1,56 @@
++++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2009-10-19 09:18:38.000000000 -0400
+@@ -0,0 +1,57 @@
+policy_module(sambagui,1.0.0)
+
+########################################
@@ -4366,6 +4366,7 @@ diff -b -B --ignore-all-space --exclude-
+#
+
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
++allow sambagui_t self:unix_dgram_socket create_socket_perms;
+
+# handling with samba conf files
+samba_append_log(sambagui_t)
@@ -5548,7 +5549,7 @@ diff -b -B --ignore-all-space --exclude-
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-10-19 09:11:30.000000000 -0400
@@ -47,8 +47,10 @@
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -5577,7 +5578,19 @@ diff -b -B --ignore-all-space --exclude-
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -148,6 +151,8 @@
+@@ -139,8 +142,11 @@
+
+ /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
+
++/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+
++/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
++
+ /dev/pts(/.*)? <<none>>
+
+ /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -148,6 +154,8 @@
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -5586,7 +5599,7 @@ diff -b -B --ignore-all-space --exclude-
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -168,6 +173,7 @@
+@@ -168,6 +176,7 @@
ifdef(`distro_redhat',`
# originally from named.fc
@@ -5596,7 +5609,7 @@ diff -b -B --ignore-all-space --exclude-
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-10-14 11:17:02.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-10-19 09:10:56.000000000 -0400
@@ -1692,6 +1692,78 @@
########################################
@@ -5764,7 +5777,86 @@ diff -b -B --ignore-all-space --exclude-
## dontaudit getattr raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
-@@ -2305,6 +2451,25 @@
+@@ -2046,6 +2192,78 @@
+
+ ########################################
+ ## <summary>
++## Get the attributes of the modem devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_getattr_modem_dev',`
++ gen_require(`
++ type device_t, modem_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, modem_device_t)
++')
++
++########################################
++## <summary>
++## Set the attributes of the modem devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_setattr_modem_dev',`
++ gen_require(`
++ type device_t, modem_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, modem_device_t)
++')
++
++########################################
++## <summary>
++## Read the modem devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_modem',`
++ gen_require(`
++ type device_t, modem_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, modem_device_t)
++')
++
++########################################
++## <summary>
++## Read and write to modem devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_modem',`
++ gen_require(`
++ type device_t, modem_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, modem_device_t)
++')
++
++########################################
++## <summary>
+ ## Get the attributes of the mouse devices.
+ ## </summary>
+ ## <param name="domain">
+@@ -2305,6 +2523,25 @@
########################################
## <summary>
@@ -5790,7 +5882,7 @@ diff -b -B --ignore-all-space --exclude-
## Read and write to the null device (/dev/null).
## </summary>
## <param name="domain">
-@@ -3599,6 +3764,24 @@
+@@ -3599,6 +3836,24 @@
########################################
## <summary>
@@ -5817,7 +5909,7 @@ diff -b -B --ignore-all-space --exclude-
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2009-10-19 09:09:54.000000000 -0400
@@ -84,6 +84,13 @@
dev_node(kmsg_device_t)
@@ -5845,7 +5937,20 @@ diff -b -B --ignore-all-space --exclude-
# Type for /dev/mapper/control
#
type lvm_control_t;
-@@ -224,6 +237,12 @@
+@@ -110,6 +123,12 @@
+ dev_node(misc_device_t)
+
+ #
++# A general type for modem devices.
++#
++type modem_device_t;
++dev_node(modem_device_t)
++
++#
+ # A more general type for mouse devices.
+ #
+ type mouse_device_t;
+@@ -224,6 +243,12 @@
type watchdog_device_t;
dev_node(watchdog_device_t)
@@ -8465,8 +8570,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-08 15:41:51.000000000 -0400
-@@ -0,0 +1,410 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-17 07:22:57.000000000 -0400
+@@ -0,0 +1,411 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -8504,6 +8609,7 @@ diff -b -B --ignore-all-space --exclude-
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+userdom_execmod_user_home_files(unconfined_t)
++userdom_unpriv_usertype(unconfined, unconfined_t)
+
+type unconfined_exec_t;
+init_system_domain(unconfined_t, unconfined_exec_t)
@@ -9171,7 +9277,7 @@ diff -b -B --ignore-all-space --exclude-
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-10-06 10:15:23.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-10-19 14:55:25.000000000 -0400
@@ -75,6 +75,7 @@
corecmd_exec_bin(abrt_t)
@@ -9180,10 +9286,15 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_connect_http_port(abrt_t)
-@@ -105,13 +106,29 @@
- dbus_system_bus_client(abrt_t)
- ')
+@@ -101,17 +102,32 @@
+ userdom_read_user_home_content_files(abrt_t)
+ optional_policy(`
+- dbus_connect_system_bus(abrt_t)
+- dbus_system_bus_client(abrt_t)
++ dbus_system_domain(abrt_t, abrt_exec_t)
++')
++
+optional_policy(`
+ nsplugin_read_rw_files(abrt_t)
+')
@@ -9193,8 +9304,8 @@ diff -b -B --ignore-all-space --exclude-
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
-+')
-+
+ ')
+
# to install debuginfo packages
optional_policy(`
- rpm_manage_db(abrt_t)
@@ -11140,6 +11251,92 @@ diff -b -B --ignore-all-space --exclude-
-/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.6.32/policy/modules/services/ccs.te
+--- nsaserefpolicy/policy/modules/services/ccs.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/ccs.te 2009-10-17 06:50:43.000000000 -0400
+@@ -10,23 +10,21 @@
+ type ccs_exec_t;
+ init_daemon_domain(ccs_t, ccs_exec_t)
+
+-# conf files
+ type cluster_conf_t;
+ files_type(cluster_conf_t)
+
+-# tmp files
+ type ccs_tmp_t;
+ files_tmp_file(ccs_tmp_t)
+
+-# log files
+-type ccs_var_log_t;
+-logging_log_file(ccs_var_log_t)
++type ccs_tmpfs_t;
++files_tmpfs_file(ccs_tmpfs_t)
+
+-# var lib files
+ type ccs_var_lib_t;
+ logging_log_file(ccs_var_lib_t)
+
+-# pid files
++type ccs_var_log_t;
++logging_log_file(ccs_var_log_t)
++
+ type ccs_var_run_t;
+ files_pid_file(ccs_var_run_t)
+
+@@ -35,7 +33,7 @@
+ # ccs local policy
+ #
+
+-allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
++allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+ allow ccs_t self:process { signal setrlimit setsched };
+ dontaudit ccs_t self:process ptrace;
+ allow ccs_t self:fifo_file rw_fifo_file_perms;
+@@ -55,23 +53,29 @@
+ manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
+ files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
+
+-# log files
+-manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+-manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+-allow ccs_t ccs_var_log_t:dir setattr;
+-logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
++manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
++manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
++fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t,{ dir file })
+
+ # var lib files
+ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+
++# log files
++manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
++manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
++allow ccs_t ccs_var_log_t:dir setattr;
++logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
++
+ # pid file
+ manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+ manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+ manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+ files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })
+
++aisexec_stream_connect(ccs_t)
++
+ kernel_read_kernel_sysctls(ccs_t)
+
+ corecmd_list_bin(ccs_t)
+@@ -104,6 +108,9 @@
+
+ sysnet_dns_name_resolve(ccs_t)
+
++userdom_manage_unpriv_user_shared_mem(ccs_t)
++userdom_manage_unpriv_user_semaphores(ccs_t)
++
+ ifdef(`hide_broken_symptoms', `
+ corecmd_dontaudit_write_bin_dirs(ccs_t)
+ files_manage_isid_type_files(ccs_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.32/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/certmaster.te 2009-09-30 16:12:48.000000000 -0400
@@ -13755,10 +13952,24 @@ diff -b -B --ignore-all-space --exclude-
auth_use_nsswitch(ktalkd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.6.32/policy/modules/services/lircd.fc
+--- nsaserefpolicy/policy/modules/services/lircd.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/lircd.fc 2009-10-19 09:13:19.000000000 -0400
+@@ -6,3 +6,4 @@
+ /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
+ /var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0)
++/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-09-30 16:12:48.000000000 -0400
-@@ -42,7 +42,18 @@
++++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-10-19 09:14:01.000000000 -0400
+@@ -37,12 +37,24 @@
+ # pid file
+ manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+ manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
++manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+ files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
+
# /dev/lircd socket
manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
dev_filetrans(lircd_t, lircd_sock_t, sock_file )
@@ -13815,6 +14026,17 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization($1_milter_t)
logging_send_syslog_msg($1_milter_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.32/policy/modules/services/modemmanager.te
+--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 09:09:20.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2009-10-19 09:11:09.000000000 -0400
+@@ -24,6 +24,7 @@
+ kernel_read_system_state(modemmanager_t)
+
+ dev_read_sysfs(modemmanager_t)
++dev_rw_modem(modemmanager_t)
+
+ files_read_etc_files(modemmanager_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.32/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/mta.fc 2009-09-30 16:12:48.000000000 -0400
@@ -13826,8 +14048,25 @@ diff -b -B --ignore-all-space --exclude-
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-10-07 16:49:03.000000000 -0400
-@@ -311,6 +311,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-10-19 14:29:57.000000000 -0400
+@@ -69,6 +69,7 @@
+ can_exec($1_mail_t, sendmail_exec_t)
+ allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
+
++ kernel_read_system_state($1_mail_t)
+ kernel_read_kernel_sysctls($1_mail_t)
+
+ corenet_all_recvfrom_unlabeled($1_mail_t)
+@@ -87,6 +88,8 @@
+ # It wants to check for nscd
+ files_dontaudit_search_pids($1_mail_t)
+
++ init_dontaudit_rw_utmp($1_mail_t)
++
+ auth_use_nsswitch($1_mail_t)
+
+ logging_send_syslog_msg($1_mail_t)
+@@ -311,6 +314,7 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1, mail_spool_t, mail_spool_t)
read_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -13835,7 +14074,7 @@ diff -b -B --ignore-all-space --exclude-
create_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
-@@ -351,6 +352,7 @@
+@@ -351,6 +355,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
@@ -13843,7 +14082,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -470,7 +472,8 @@
+@@ -470,7 +475,8 @@
type etc_mail_t;
')
@@ -13853,7 +14092,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -694,7 +697,7 @@
+@@ -694,7 +700,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
@@ -13864,7 +14103,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-10-19 14:29:50.000000000 -0400
@@ -27,6 +27,9 @@
type mail_spool_t;
files_mountpoint(mail_spool_t)
@@ -13875,19 +14114,19 @@ diff -b -B --ignore-all-space --exclude-
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
-@@ -57,8 +60,11 @@
+@@ -57,8 +60,10 @@
can_exec(system_mail_t, mta_exec_type)
+-kernel_read_system_state(system_mail_t)
+files_read_all_tmp_files(system_mail_t)
+
- kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
+kernel_request_load_module(system_mail_t)
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
-@@ -72,16 +78,21 @@
+@@ -72,16 +77,21 @@
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
@@ -13909,7 +14148,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -100,6 +111,7 @@
+@@ -100,6 +110,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
@@ -13917,7 +14156,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -178,6 +190,10 @@
+@@ -178,6 +189,10 @@
')
optional_policy(`
@@ -13928,7 +14167,7 @@ diff -b -B --ignore-all-space --exclude-
smartmon_read_tmp_files(system_mail_t)
')
-@@ -197,6 +213,25 @@
+@@ -197,6 +212,25 @@
')
')
@@ -15729,8 +15968,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-10-14 11:18:02.000000000 -0400
-@@ -0,0 +1,95 @@
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-10-18 12:52:36.000000000 -0400
+@@ -0,0 +1,96 @@
+policy_module(plymouthd, 1.0.0)
+
+########################################
@@ -15776,6 +16015,7 @@ diff -b -B --ignore-all-space --exclude-
+
+kernel_read_system_state(plymouthd_t)
+kernel_request_load_module(plymouthd_t)
++kernel_change_ring_buffer_level(plymouthd_t)
+
+dev_rw_dri(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
@@ -20896,6 +21136,15 @@ diff -b -B --ignore-all-space --exclude-
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
# get info from /proc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.6.32/policy/modules/services/tftp.fc
+--- nsaserefpolicy/policy/modules/services/tftp.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/tftp.fc 2009-10-16 08:44:49.000000000 -0400
+@@ -5,4 +5,4 @@
+ /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+ /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+
+-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
++/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.32/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/uucp.te 2009-09-30 16:12:48.000000000 -0400
@@ -23542,7 +23791,7 @@ diff -b -B --ignore-all-space --exclude-
# /var
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-10-01 17:11:27.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-10-19 14:27:28.000000000 -0400
@@ -174,6 +174,7 @@
role system_r types $1;
@@ -26644,7 +26893,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2009-10-08 12:25:39.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2009-10-18 12:56:30.000000000 -0400
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -26742,7 +26991,16 @@ diff -b -B --ignore-all-space --exclude-
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
-@@ -336,6 +342,8 @@
+@@ -313,6 +319,8 @@
+ kernel_rw_pipes(restorecond_t)
+ kernel_read_system_state(restorecond_t)
+
++files_dontaudit_read_all_symlinks(restorecond_t)
++
+ fs_relabelfrom_noxattr_fs(restorecond_t)
+ fs_dontaudit_list_nfs(restorecond_t)
+ fs_getattr_xattr_fs(restorecond_t)
+@@ -336,6 +344,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -26751,7 +27009,7 @@ diff -b -B --ignore-all-space --exclude-
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -354,7 +362,7 @@
+@@ -354,7 +364,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -26760,7 +27018,7 @@ diff -b -B --ignore-all-space --exclude-
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -383,7 +391,6 @@
+@@ -383,7 +393,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -26768,7 +27026,7 @@ diff -b -B --ignore-all-space --exclude-
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -406,6 +413,10 @@
+@@ -406,6 +415,10 @@
')
')
@@ -26779,7 +27037,7 @@ diff -b -B --ignore-all-space --exclude-
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -421,61 +432,22 @@
+@@ -421,61 +434,22 @@
# semodule local policy
#
@@ -26787,13 +27045,9 @@ diff -b -B --ignore-all-space --exclude-
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+seutil_semanage_policy(semanage_t)
-+allow semanage_t self:fifo_file rw_fifo_file_perms;
-
+-
-allow semanage_t policy_config_t:file rw_file_perms;
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-
+-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
@@ -26804,9 +27058,13 @@ diff -b -B --ignore-all-space --exclude-
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
--
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
+
-domain_use_interactive_fds(semanage_t)
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
@@ -26828,13 +27086,13 @@ diff -b -B --ignore-all-space --exclude-
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
-
+-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t)
+
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
@@ -26849,7 +27107,7 @@ diff -b -B --ignore-all-space --exclude-
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -484,12 +456,23 @@
+@@ -484,12 +458,23 @@
files_read_var_lib_symlinks(semanage_t)
')
@@ -26873,7 +27131,7 @@ diff -b -B --ignore-all-space --exclude-
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -499,111 +482,41 @@
+@@ -499,111 +484,41 @@
userdom_read_user_tmp_files(semanage_t)
')
@@ -28394,7 +28652,7 @@ diff -b -B --ignore-all-space --exclude-
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-15 12:42:02.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-19 14:14:08.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -29266,15 +29524,16 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -826,6 +879,7 @@
+@@ -826,6 +879,8 @@
')
userdom_login_user_template($1)
+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
++ dontaudit $1_t self:netlink_audit_socket create_socket_perms;
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
-@@ -835,6 +889,32 @@
+@@ -835,6 +890,32 @@
# Local policy
#
@@ -29307,7 +29566,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -865,51 +945,83 @@
+@@ -865,51 +946,83 @@
userdom_restricted_user_template($1)
@@ -29404,7 +29663,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -943,8 +1055,8 @@
+@@ -943,8 +1056,8 @@
# Declarations
#
@@ -29414,7 +29673,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_common_user_template($1)
##############################
-@@ -953,58 +1065,67 @@
+@@ -953,58 +1066,67 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -29512,7 +29771,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -1040,7 +1161,7 @@
+@@ -1040,7 +1162,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -29521,7 +29780,7 @@ diff -b -B --ignore-all-space --exclude-
')
##############################
-@@ -1049,8 +1170,7 @@
+@@ -1049,8 +1171,7 @@
#
# Inherit rules for ordinary users.
@@ -29531,7 +29790,7 @@ diff -b -B --ignore-all-space --exclude-
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1075,6 +1195,9 @@
+@@ -1075,6 +1196,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -29541,7 +29800,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1212,7 @@
+@@ -1089,6 +1213,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -29549,7 +29808,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1096,8 +1220,6 @@
+@@ -1096,8 +1221,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -29558,7 +29817,7 @@ diff -b -B --ignore-all-space --exclude-
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1124,6 +1246,8 @@
+@@ -1124,6 +1247,8 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -29567,7 +29826,7 @@ diff -b -B --ignore-all-space --exclude-
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1152,20 +1276,6 @@
+@@ -1152,20 +1277,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -29588,7 +29847,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1321,7 @@
+@@ -1211,6 +1322,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -29596,7 +29855,7 @@ diff -b -B --ignore-all-space --exclude-
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1276,11 +1387,15 @@
+@@ -1276,11 +1388,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -29612,7 +29871,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1391,12 +1506,13 @@
+@@ -1391,12 +1507,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -29627,7 +29886,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1429,6 +1545,14 @@
+@@ -1429,6 +1546,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -29642,7 +29901,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1444,9 +1568,11 @@
+@@ -1444,9 +1569,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -29654,7 +29913,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1503,6 +1629,25 @@
+@@ -1503,6 +1630,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -29680,7 +29939,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1577,6 +1722,8 @@
+@@ -1577,6 +1723,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -29689,7 +29948,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1670,6 +1817,7 @@
+@@ -1670,6 +1818,7 @@
type user_home_dir_t, user_home_t;
')
@@ -29697,7 +29956,7 @@ diff -b -B --ignore-all-space --exclude-
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1797,19 +1945,32 @@
+@@ -1797,19 +1946,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -29737,7 +29996,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1844,6 +2005,7 @@
+@@ -1844,6 +2006,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -29745,7 +30004,7 @@ diff -b -B --ignore-all-space --exclude-
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2553,7 @@
+@@ -2391,27 +2554,7 @@
########################################
## <summary>
@@ -29774,7 +30033,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -2749,7 +2891,7 @@
+@@ -2749,7 +2892,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -29783,7 +30042,7 @@ diff -b -B --ignore-all-space --exclude-
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2765,11 +2907,32 @@
+@@ -2765,11 +2908,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -29818,7 +30077,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -2897,7 +3060,25 @@
+@@ -2897,7 +3061,25 @@
type user_tmp_t;
')
@@ -29845,7 +30104,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -2934,6 +3115,7 @@
+@@ -2934,6 +3116,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -29853,7 +30112,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_search_proc($1)
')
-@@ -3064,3 +3246,559 @@
+@@ -3064,3 +3247,559 @@
allow $1 userdomain:dbus send_msg;
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.945
retrieving revision 1.946
diff -u -p -r1.945 -r1.946
--- selinux-policy.spec 15 Oct 2009 20:42:09 -0000 1.945
+++ selinux-policy.spec 19 Oct 2009 19:05:56 -0000 1.946
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 28%{?dist}
+Release: 29%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,11 @@ exit 0
%endif
%changelog
+* Sat Oct 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-29
+- Allow ccs to communicate with userdomains, and create tmpfs_t
+- Add /dev/noz* as a modem_device_t and allow modemmanager to rw it.
+- Add mapping for /var/run/lircd
+
* Thu Oct 15 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-28
- Allow sandbox_domain to interact with userdomain fifo_files
- Previous message (by thread): rpms/policycoreutils/devel policycoreutils-gui.patch, 1.96, 1.97 policycoreutils.spec, 1.653, 1.654
- Next message (by thread): rpms/drehatlas-warender-bibliothek-fonts/devel 61-drehatlas-warender-bibliothek.conf, NONE, 1.1 Makefile.warender-bibliothek, NONE, 1.1 drehatlas-warender-bibliothek-fonts.spec, NONE, 1.1 import.log, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list