rpms/selinux-policy/F-12 booleans-targeted.conf, 1.56, 1.57 policy-F12.patch, 1.113, 1.114 selinux-policy.spec, 1.946, 1.947
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Oct 20 22:59:52 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25075
Modified Files:
booleans-targeted.conf policy-F12.patch selinux-policy.spec
Log Message:
* Tue Oct 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-30
- Fixes found for confined users day
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/booleans-targeted.conf,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -p -r1.56 -r1.57
--- booleans-targeted.conf 15 Oct 2009 20:42:08 -0000 1.56
+++ booleans-targeted.conf 20 Oct 2009 22:59:51 -0000 1.57
@@ -174,6 +174,10 @@ spamd_enable_home_dirs = false
#
user_direct_mouse = false
+# Allow regular users direct dri access
+#
+user_direct_dri = true
+
# Allow users to read system messages.
#
user_dmesg = false
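Review bot: user_direct_dri is the only user_* boolean in this block that ships enabled (user_direct_mouse just above it and user_dmesg just below it both default to false), so confined users get direct access to the DRI device nodes out of the box. If that is a deliberate usability choice for confined desktop users, say so in the comment (for example "needed for accelerated graphics for confined users") so the default is not mistaken for an oversight; otherwise ship it false and let administrators opt in with setsebool.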
policy-F12.patch:
Makefile | 2
policy/flask/access_vectors | 1
policy/global_tunables | 24
policy/mcs | 10
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 1
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/logrotate.te | 13
policy/modules/admin/logwatch.te | 1
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 1
policy/modules/admin/ntop.fc | 5
policy/modules/admin/ntop.if | 158 +++
policy/modules/admin/ntop.te | 40
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.if | 4
policy/modules/admin/prelink.te | 2
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 18
policy/modules/admin/rpm.if | 265 +++++
policy/modules/admin/rpm.te | 95 +
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 2
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 66 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 5
policy/modules/admin/tzdata.te | 2
policy/modules/admin/usermanage.if | 5
policy/modules/admin/usermanage.te | 34
policy/modules/admin/vbetool.te | 14
policy/modules/admin/vpn.te | 2
policy/modules/apps/calamaris.te | 7
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 85 +
policy/modules/apps/chrome.te | 61 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 31
policy/modules/apps/execmem.if | 74 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 3
policy/modules/apps/firewallgui.te | 63 +
policy/modules/apps/gitosis.if | 45
policy/modules/apps/gnome.fc | 12
policy/modules/apps/gnome.if | 170 +++
policy/modules/apps/gnome.te | 99 ++
policy/modules/apps/gpg.te | 20
policy/modules/apps/java.fc | 18
policy/modules/apps/java.if | 112 ++
policy/modules/apps/java.te | 14
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 65 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 50 +
policy/modules/apps/livecd.te | 26
policy/modules/apps/loadkeys.te | 4
policy/modules/apps/mono.if | 101 ++
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 32
policy/modules/apps/mozilla.te | 22
policy/modules/apps/nsplugin.fc | 13
policy/modules/apps/nsplugin.if | 323 ++++++
policy/modules/apps/nsplugin.te | 295 ++++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 93 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/pulseaudio.if | 2
policy/modules/apps/pulseaudio.te | 7
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 190 +++
policy/modules/apps/qemu.te | 82 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 57 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 184 +++
policy/modules/apps/sandbox.te | 330 ++++++
policy/modules/apps/screen.if | 5
policy/modules/apps/seunshare.fc | 2
policy/modules/apps/seunshare.if | 81 +
policy/modules/apps/seunshare.te | 45
policy/modules/apps/vmware.te | 1
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 115 ++
policy/modules/apps/wine.te | 34
policy/modules/kernel/corecommands.fc | 30
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.te.in | 34
policy/modules/kernel/devices.fc | 11
policy/modules/kernel/devices.if | 255 +++++
policy/modules/kernel/devices.te | 25
policy/modules/kernel/domain.if | 151 ++-
policy/modules/kernel/domain.te | 84 +
policy/modules/kernel/files.fc | 3
policy/modules/kernel/files.if | 298 +++++-
policy/modules/kernel/files.te | 6
policy/modules/kernel/filesystem.fc | 2
policy/modules/kernel/filesystem.if | 211 ++++
policy/modules/kernel/filesystem.te | 9
policy/modules/kernel/kernel.if | 58 +
policy/modules/kernel/kernel.te | 29
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 3
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 40
policy/modules/kernel/terminal.te | 1
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 123 --
policy/modules/roles/sysadm.te | 124 --
policy/modules/roles/unconfineduser.fc | 8
policy/modules/roles/unconfineduser.if | 638 +++++++++++++
policy/modules/roles/unconfineduser.te | 411 ++++++++
policy/modules/roles/unprivuser.te | 127 --
policy/modules/roles/xguest.te | 36
policy/modules/services/abrt.fc | 2
policy/modules/services/abrt.if | 40
policy/modules/services/abrt.te | 24
policy/modules/services/afs.fc | 1
policy/modules/services/afs.te | 1
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 ++
policy/modules/services/aisexec.te | 112 ++
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 38
policy/modules/services/apache.if | 410 +++++---
policy/modules/services/apache.te | 439 +++++++--
policy/modules/services/apm.te | 2
policy/modules/services/automount.te | 1
policy/modules/services/bind.if | 40
policy/modules/services/bluetooth.te | 9
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.te | 33
policy/modules/services/certmaster.te | 2
policy/modules/services/chronyd.fc | 11
policy/modules/services/chronyd.if | 105 ++
policy/modules/services/chronyd.te | 67 +
policy/modules/services/clamav.te | 16
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 98 ++
policy/modules/services/clogd.te | 62 +
policy/modules/services/cobbler.fc | 2
policy/modules/services/cobbler.if | 24
policy/modules/services/cobbler.te | 5
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 19
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 ++
policy/modules/services/corosync.te | 109 ++
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 4
policy/modules/services/cron.if | 72 +
policy/modules/services/cron.te | 82 +
policy/modules/services/cups.fc | 13
policy/modules/services/cups.te | 42
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 1
policy/modules/services/dbus.if | 49 -
policy/modules/services/dbus.te | 25
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/devicekit.fc | 2
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 54 +
policy/modules/services/dnsmasq.te | 12
policy/modules/services/dovecot.te | 22
policy/modules/services/exim.te | 5
policy/modules/services/fail2ban.te | 2
policy/modules/services/fetchmail.te | 2
policy/modules/services/fprintd.te | 4
policy/modules/services/ftp.te | 60 +
policy/modules/services/gpm.te | 3
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 14
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 48
policy/modules/services/howl.te | 2
policy/modules/services/inetd.fc | 2
policy/modules/services/inetd.te | 2
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.te | 13
policy/modules/services/kerneloops.te | 2
policy/modules/services/ktalk.te | 1
policy/modules/services/lircd.fc | 1
policy/modules/services/lircd.te | 12
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 2
policy/modules/services/milter.if | 2
policy/modules/services/modemmanager.te | 1
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 10
policy/modules/services/mta.te | 36
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 7
policy/modules/services/nagios.fc | 11
policy/modules/services/nagios.if | 70 +
policy/modules/services/nagios.te | 55 -
policy/modules/services/networkmanager.fc | 14
policy/modules/services/networkmanager.if | 64 +
policy/modules/services/networkmanager.te | 115 ++
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 18
policy/modules/services/nscd.te | 17
policy/modules/services/nslcd.if | 8
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 8
policy/modules/services/nut.fc | 15
policy/modules/services/nut.if | 82 +
policy/modules/services/nut.te | 140 ++
policy/modules/services/nx.fc | 1
policy/modules/services/nx.if | 19
policy/modules/services/nx.te | 6
policy/modules/services/oddjob.if | 1
policy/modules/services/openvpn.te | 2
policy/modules/services/pcscd.te | 3
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 286 +++++
policy/modules/services/plymouth.te | 96 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 48
policy/modules/services/policykit.te | 64 +
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++-
policy/modules/services/postfix.te | 140 ++
policy/modules/services/postgresql.fc | 1
policy/modules/services/postgresql.if | 43
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 16
policy/modules/services/prelude.te | 1
policy/modules/services/privoxy.fc | 3
policy/modules/services/privoxy.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/radvd.te | 1
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 83 +
policy/modules/services/rhcs.fc | 22
policy/modules/services/rhcs.if | 348 +++++++
policy/modules/services/rhcs.te | 394 ++++++++
policy/modules/services/ricci.te | 30
policy/modules/services/rpc.if | 7
policy/modules/services/rpc.te | 16
policy/modules/services/rpcbind.if | 20
policy/modules/services/rpcbind.te | 1
policy/modules/services/rsync.te | 23
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 2
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 104 ++
policy/modules/services/samba.te | 89 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 87 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 102 ++
policy/modules/services/setroubleshoot.te | 81 +
policy/modules/services/smartmon.te | 15
policy/modules/services/snmp.if | 38
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 89 +
policy/modules/services/spamassassin.te | 137 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 184 +++
policy/modules/services/ssh.te | 77 +
policy/modules/services/sssd.fc | 2
policy/modules/services/sssd.if | 43
policy/modules/services/sssd.te | 6
policy/modules/services/sysstat.te | 5
policy/modules/services/tftp.fc | 2
policy/modules/services/uucp.te | 7
policy/modules/services/virt.fc | 12
policy/modules/services/virt.if | 127 ++
policy/modules/services/virt.te | 284 +++++
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 33
policy/modules/services/xserver.if | 534 ++++++++++
policy/modules/services/xserver.te | 318 +++++-
policy/modules/system/application.if | 20
policy/modules/system/application.te | 11
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 207 +++-
policy/modules/system/authlogin.te | 10
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 7
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 158 +++
policy/modules/system/init.te | 285 ++++-
policy/modules/system/ipsec.fc | 3
policy/modules/system/ipsec.if | 25
policy/modules/system/ipsec.te | 58 +
policy/modules/system/iptables.fc | 17
policy/modules/system/iptables.if | 97 +
policy/modules/system/iptables.te | 15
policy/modules/system/iscsi.if | 40
policy/modules/system/iscsi.te | 6
policy/modules/system/libraries.fc | 160 ++-
policy/modules/system/libraries.if | 5
policy/modules/system/libraries.te | 18
policy/modules/system/locallogin.te | 30
policy/modules/system/logging.fc | 12
policy/modules/system/logging.if | 18
policy/modules/system/logging.te | 38
policy/modules/system/lvm.if | 39
policy/modules/system/lvm.te | 29
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 60 +
policy/modules/system/miscfiles.te | 3
policy/modules/system/modutils.fc | 1
policy/modules/system/modutils.if | 46
policy/modules/system/modutils.te | 46
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 2
policy/modules/system/mount.te | 76 +
policy/modules/system/raid.fc | 2
policy/modules/system/raid.te | 8
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 309 ++++++
policy/modules/system/selinuxutil.te | 229 +---
policy/modules/system/setrans.if | 20
policy/modules/system/sysnetwork.fc | 9
policy/modules/system/sysnetwork.if | 117 ++
policy/modules/system/sysnetwork.te | 77 +
policy/modules/system/udev.fc | 3
policy/modules/system/udev.if | 21
policy/modules/system/udev.te | 39
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 443 ---------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 6
policy/modules/system/userdomain.if | 1457 ++++++++++++++++++++++--------
policy/modules/system/userdomain.te | 47
policy/modules/system/xen.fc | 6
policy/modules/system/xen.if | 28
policy/modules/system/xen.te | 137 ++
policy/support/obj_perm_sets.spt | 14
policy/users | 13
361 files changed, 17039 insertions(+), 2657 deletions(-)
Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.113
retrieving revision 1.114
diff -u -p -r1.113 -r1.114
--- policy-F12.patch 20 Oct 2009 12:12:58 -0000 1.113
+++ policy-F12.patch 20 Oct 2009 22:59:51 -0000 1.114
@@ -641,7 +641,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-10-20 10:47:48.000000000 -0400
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -689,7 +689,7 @@ diff -b -B --ignore-all-space --exclude-
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +174,35 @@
+@@ -146,6 +174,36 @@
########################################
## <summary>
@@ -718,6 +718,7 @@ diff -b -B --ignore-all-space --exclude-
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file write_file_perms;
++ dontaudit $1 rpm_t:tcp_socket rw_socket_perms;
+')
+
+########################################
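Review bot: the added dontaudit on rpm_t:tcp_socket rw_socket_perms silences writes as well as reads on any rpm_t TCP socket a caller inherits, which means a scriptlet child actually writing into rpm's network connection would never show up in the audit log, even in permissive mode. A leaked-descriptor dontaudit is the right tool, but please add a one-line comment above it naming the leak it covers (the inherited socket from rpm_t), so a later reader does not widen this to an allow rule; the shm and tmpfs lines above it would benefit from the same comment.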
@@ -725,7 +726,7 @@ diff -b -B --ignore-all-space --exclude-
## Send and receive messages from
## rpm over dbus.
## </summary>
-@@ -167,6 +224,48 @@
+@@ -167,6 +225,48 @@
########################################
## <summary>
@@ -774,7 +775,7 @@ diff -b -B --ignore-all-space --exclude-
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
-@@ -186,6 +285,24 @@
+@@ -186,6 +286,24 @@
########################################
## <summary>
@@ -799,7 +800,7 @@ diff -b -B --ignore-all-space --exclude-
## Inherit and use file descriptors from RPM scripts.
## </summary>
## <param name="domain">
-@@ -219,7 +336,51 @@
+@@ -219,7 +337,51 @@
')
files_search_tmp($1)
@@ -851,7 +852,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -241,6 +402,25 @@
+@@ -241,6 +403,25 @@
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -877,7 +878,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -265,6 +445,47 @@
+@@ -265,6 +446,47 @@
########################################
## <summary>
@@ -925,7 +926,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
## </summary>
-@@ -283,3 +504,46 @@
+@@ -283,3 +505,46 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -7310,7 +7311,7 @@ diff -b -B --ignore-all-space --exclude-
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-10-13 18:05:04.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-10-20 18:45:22.000000000 -0400
@@ -196,7 +196,7 @@
dev_list_all_dev_nodes($1)
@@ -12649,7 +12650,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-10-14 10:29:26.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-10-20 18:48:38.000000000 -0400
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -12703,7 +12704,18 @@ diff -b -B --ignore-all-space --exclude-
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
-@@ -327,7 +338,7 @@
+@@ -317,6 +328,10 @@
+ ')
+
+ optional_policy(`
++ snmp_read_snmp_var_lib_files(cupsd_t)
++')
++
++optional_policy(`
+ udev_read_db(cupsd_t)
+ ')
+
+@@ -327,7 +342,7 @@
allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
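Review bot: snmp_read_snmp_var_lib_files(cupsd_t) gives the print daemon read access to the SNMP daemon's /var/lib state, and nothing in the hunk says why cupsd needs it; add a short comment inside the optional_policy block naming the component that reads it, in the same spirit as the udev_read_db(cupsd_t) block that follows. The optional_policy() wrapper is correct for a cross-module call, and the renumbered inner header (+328,10, with the udev block moving from +338 to +342) accounts for the four added lines.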
@@ -12712,7 +12724,7 @@ diff -b -B --ignore-all-space --exclude-
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-@@ -407,6 +418,7 @@
+@@ -407,6 +422,7 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -12720,7 +12732,7 @@ diff -b -B --ignore-all-space --exclude-
cups_stream_connect(cupsd_config_t)
-@@ -419,12 +431,15 @@
+@@ -419,12 +435,15 @@
')
optional_policy(`
@@ -12738,7 +12750,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
hal_dbus_chat(cupsd_config_t)
-@@ -446,6 +461,10 @@
+@@ -446,6 +465,10 @@
')
optional_policy(`
@@ -12749,7 +12761,7 @@ diff -b -B --ignore-all-space --exclude-
rpm_read_db(cupsd_config_t)
')
-@@ -542,6 +561,8 @@
+@@ -542,6 +565,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -12758,7 +12770,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -556,11 +577,15 @@
+@@ -556,11 +581,15 @@
miscfiles_read_fonts(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
@@ -12774,7 +12786,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
-@@ -601,6 +626,9 @@
+@@ -601,6 +630,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -13304,7 +13316,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-10-05 09:17:34.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-10-20 14:55:45.000000000 -0400
@@ -56,7 +56,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
@@ -13347,6 +13359,21 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# dovecot deliver local policy
+@@ -260,3 +267,14 @@
+ optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+ ')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_files(dovecot_t)
++ fs_manage_nfs_symlinks(dovecot_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_files(dovecot_t)
++ fs_manage_cifs_symlinks(dovecot_t)
++')
++
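Review bot: the two new tunable_policy blocks are appended after the dovecot_deliver_t section (the preceding context is mta_manage_spool(dovecot_deliver_t) under the "dovecot deliver local policy" heading) but they grant to dovecot_t, so they sit under the wrong heading; move them up next to the other dovecot_t rules. Two further points: they grant files and symlinks only, with no fs_manage_nfs_dirs / fs_manage_cifs_dirs, so a Maildir in an NFS or CIFS home that needs new/cur/tmp directories created will still be denied; and fs_manage_nfs_files / fs_manage_cifs_files are not scoped to home directories, they cover every NFS or CIFS file the daemon can reach, which is worth stating in the boolean's description.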
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.32/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/exim.te 2009-09-30 16:12:48.000000000 -0400
@@ -13858,6 +13885,15 @@ diff -b -B --ignore-all-space --exclude-
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.6.32/policy/modules/services/inetd.fc
+--- nsaserefpolicy/policy/modules/services/inetd.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/inetd.fc 2009-10-20 08:54:47.000000000 -0400
+@@ -9,4 +9,4 @@
+
+ /var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
+
+-/var/run/inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
++/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.32/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/inetd.te 2009-09-30 16:12:48.000000000 -0400
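Review bot: the /var/run/(x)?inetd\.pid context only applies to files created after the new policy is loaded; an xinetd.pid already present on a running system keeps its old label until restorecon runs on it, so either make sure the spec's %post relabels /var/run or mention the relabel in the log message. The pattern itself mirrors the existing (x)?inetd\.log line above it, so the two entries stay consistent.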
@@ -18949,7 +18985,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-10-20 15:50:54.000000000 -0400
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -21199,7 +21235,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-10-20 18:38:58.000000000 -0400
@@ -136,7 +136,7 @@
')
@@ -21364,7 +21400,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-01 16:59:54.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-20 18:29:08.000000000 -0400
@@ -20,6 +20,28 @@
## </desc>
gen_tunable(virt_use_samba, false)
@@ -21471,7 +21507,15 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,7 +144,8 @@
+@@ -76,6 +134,7 @@
+
+ manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+ manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
++manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+ files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+
+ manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -86,7 +145,8 @@
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -21481,7 +21525,7 @@ diff -b -B --ignore-all-space --exclude-
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
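Review bot: manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) only takes effect for sockets created inside a directory already labeled virt_var_lib_t; files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) on the next line still lists only file and dir, so a socket created directly under /var/lib would be var_lib_t and the new rule would not apply. Either add sock_file to that filetrans or add a comment stating that the socket is created in a subdirectory whose label it inherits.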
-@@ -97,30 +156,55 @@
+@@ -97,30 +157,55 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -21540,7 +21584,7 @@ diff -b -B --ignore-all-space --exclude-
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-@@ -130,7 +214,14 @@
+@@ -130,7 +215,14 @@
logging_send_syslog_msg(virtd_t)
@@ -21555,7 +21599,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -168,22 +259,36 @@
+@@ -168,22 +260,36 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -21597,7 +21641,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -196,8 +301,162 @@
+@@ -196,8 +302,162 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -24656,7 +24700,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-10-20 11:08:58.000000000 -0400
@@ -6,6 +6,13 @@
# Declarations
#
@@ -24699,7 +24743,7 @@ diff -b -B --ignore-all-space --exclude-
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
dontaudit ipsec_t self:capability sys_tty_config;
-allow ipsec_t self:process { signal setsched };
-+allow ipsec_t self:process { getsched signal setsched };
++allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
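Review bot: getcap and setcap on ipsec_t self:process let the daemon read and change its own capability sets, which is what a daemon needs in order to drop privileges after startup; that is the right direction, but the capability line above still grants the full { net_admin dac_override dac_read_search sys_nice } set, so a comment saying which program drops capabilities (pluto is mentioned in a comment further down, and racoon_t has its own section in this file) would tell a future reader whether that capability list can be trimmed once the drop is confirmed to work.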
@@ -24718,7 +24762,7 @@ diff -b -B --ignore-all-space --exclude-
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -82,7 +97,7 @@
+@@ -82,16 +97,17 @@
# so try flipping back into the ipsec_mgmt_t domain
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
@@ -24726,8 +24770,19 @@ diff -b -B --ignore-all-space --exclude-
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:process sigchld;
- kernel_read_kernel_sysctls(ipsec_t)
-@@ -120,7 +135,9 @@
+-kernel_read_kernel_sysctls(ipsec_t)
+ kernel_list_proc(ipsec_t)
++kernel_read_kernel_sysctls(ipsec_t)
+ kernel_read_proc_symlinks(ipsec_t)
+ # allow pluto to access /proc/net/ipsec_eroute;
+ kernel_read_system_state(ipsec_t)
+ kernel_read_network_state(ipsec_t)
+ kernel_read_software_raid_state(ipsec_t)
++kernel_request_load_module(ipsec_t)
+ kernel_getattr_core_if(ipsec_t)
+ kernel_getattr_message_if(ipsec_t)
+
+@@ -120,7 +136,9 @@
domain_use_interactive_fds(ipsec_t)
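Review bot: two unrelated changes are mixed in this hunk. kernel_request_load_module(ipsec_t) lets the kernel autoload modules on behalf of ipsec_t's actions (for example the transform or protocol-family modules pulled in when a socket or SA is created), which indirectly lets the daemon pull modules into the kernel; state the trigger in a comment so the rule is not copied elsewhere without reason. Moving kernel_read_kernel_sysctls(ipsec_t) one line down past kernel_list_proc(ipsec_t) is pure reorder churn that makes the patch harder to rebase onto the next refpolicy drop; keep it where it was.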
@@ -24737,7 +24792,7 @@ diff -b -B --ignore-all-space --exclude-
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
-@@ -154,12 +171,12 @@
+@@ -154,12 +172,12 @@
#
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
@@ -24752,7 +24807,7 @@ diff -b -B --ignore-all-space --exclude-
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -241,6 +258,7 @@
+@@ -241,6 +259,7 @@
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -24760,7 +24815,7 @@ diff -b -B --ignore-all-space --exclude-
logging_send_syslog_msg(ipsec_mgmt_t)
-@@ -280,6 +298,13 @@
+@@ -280,6 +299,13 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms;
@@ -24774,7 +24829,7 @@ diff -b -B --ignore-all-space --exclude-
# manage pid file
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -297,6 +322,13 @@
+@@ -297,6 +323,13 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
@@ -24788,7 +24843,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t)
-@@ -314,6 +346,8 @@
+@@ -314,6 +347,8 @@
files_read_etc_files(racoon_t)
@@ -24797,7 +24852,7 @@ diff -b -B --ignore-all-space --exclude-
# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)
-@@ -328,6 +362,14 @@
+@@ -328,6 +363,14 @@
miscfiles_read_localization(racoon_t)
@@ -24812,7 +24867,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Setkey local policy
-@@ -347,6 +389,7 @@
+@@ -347,6 +390,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -24957,7 +25012,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-10-20 11:08:22.000000000 -0400
@@ -11,6 +11,12 @@
init_system_domain(iptables_t, iptables_exec_t)
role system_r types iptables_t;
@@ -25373,8 +25428,16 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-10-15 15:48:13.000000000 -0400
-@@ -247,7 +247,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-10-20 14:41:55.000000000 -0400
+@@ -17,6 +17,7 @@
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)
++ allow $1 ldconfig_t:process noatsecure;
+ ')
+
+ ########################################
+@@ -247,7 +248,7 @@
type lib_t;
')
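Review bot: the new `allow $1 ldconfig_t:process noatsecure;` in the ldconfig domain-transition interface (inner hunk `@@ -17,6 +17,7 @@`) clears the AT_SECURE flag for every caller that transitions into ldconfig_t, so glibc will honour the caller's LD_LIBRARY_PATH and LD_PRELOAD across that transition instead of applying its secure-exec rules; because this interface is used by every domain that runs ldconfig, add a comment above the line naming the caller that needed it, or put the rule in that caller's .te file so the relaxation stays scoped to one domain.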
@@ -25383,7 +25446,7 @@ diff -b -B --ignore-all-space --exclude-
list_dirs_pattern($1, lib_t, lib_t)
read_files_pattern($1, lib_t, lib_t)
read_lnk_files_pattern($1, lib_t, lib_t)
-@@ -401,7 +401,7 @@
+@@ -401,7 +402,7 @@
type lib_t, textrel_shlib_t;
')
@@ -25394,7 +25457,7 @@ diff -b -B --ignore-all-space --exclude-
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.32/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/libraries.te 2009-10-20 18:45:39.000000000 -0400
@@ -58,11 +58,11 @@
# ldconfig local policy
#
@@ -25409,7 +25472,7 @@ diff -b -B --ignore-all-space --exclude-
files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -76,16 +76,21 @@
+@@ -76,21 +76,27 @@
fs_getattr_xattr_fs(ldconfig_t)
@@ -25431,7 +25494,13 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization(ldconfig_t)
-@@ -100,6 +105,10 @@
+ logging_send_syslog_msg(ldconfig_t)
+
++term_use_console(ldconfig_t)
+ userdom_use_user_terminals(ldconfig_t)
+ userdom_use_all_users_fds(ldconfig_t)
+
+@@ -100,6 +106,10 @@
')
')
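Review bot: `term_use_console(ldconfig_t)` is added without a comment, next to `userdom_use_user_terminals(ldconfig_t)` which is now only context in the inner patch; a one-line comment naming the denial that prompted console access would make the next rebase of this hunk easier, since the inner header already grew from `+76,21` to `+76,27`.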
@@ -25442,7 +25511,7 @@ diff -b -B --ignore-all-space --exclude-
ifdef(`hide_broken_symptoms',`
optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
-@@ -123,3 +132,7 @@
+@@ -123,3 +133,7 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
@@ -25777,7 +25846,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.32/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2009-10-20 18:39:22.000000000 -0400
@@ -10,6 +10,9 @@
type clvmd_exec_t;
init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -25886,6 +25955,17 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
modutils_domtrans_insmod(lvm_t)
+@@ -329,6 +352,10 @@
+ ')
+
+ optional_policy(`
++ virt_manage_images(lvm_t)
++')
++
++optional_policy(`
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+ ')
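Review bot: `virt_manage_images(lvm_t)` is correctly placed in its own `optional_policy` block rather than inside the existing xen one, so the lvm module still builds when only one of the virt and xen modules is present; a short comment on why lvm_t needs manage rather than read/write on virtual machine image files would help, since manage also covers creating and unlinking them.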
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2009-10-09 09:06:59.000000000 -0400
@@ -28652,7 +28732,7 @@ diff -b -B --ignore-all-space --exclude-
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-20 08:04:43.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-20 14:59:26.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -29022,7 +29102,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="userdomain_prefix">
## <summary>
-@@ -420,35 +414,48 @@
+@@ -420,35 +414,54 @@
## is the prefix for user_t).
## </summary>
## </param>
@@ -29052,7 +29132,13 @@ diff -b -B --ignore-all-space --exclude-
- dev_getattr_agp_dev($1_t)
- dev_dontaudit_rw_dri($1_t)
+ dev_getattr_agp_dev($1)
-+ dev_dontaudit_rw_dri($1)
++
++ tunable_policy(`user_direct_dri',`
++ dev_rw_dri($1)
++ ',`
++ dev_dontaudit_rw_dri($1)
++ ')
++
# GNOME checks for usb and other devices:
- dev_rw_usbfs($1_t)
+ dev_rw_usbfs($1)
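Review bot: the new `tunable_policy` block for `user_direct_dri` keeps `dev_dontaudit_rw_dri($1)` in its else branch, which is right, since that unconditional dontaudit is what kept desktop probing of /dev/dri out of the audit log; a comment above it stating that the boolean trades that silence for real read/write access to the DRI nodes would help administrators, and because this is a template the boolean reaches every X user domain built from it, so the default chosen in the `gen_tunable(user_direct_dri, false)` declaration in userdomain.te and the one in the shipped booleans file must agree or a policy built from source will behave differently from the package.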
@@ -29090,7 +29176,7 @@ diff -b -B --ignore-all-space --exclude-
')
#######################################
-@@ -498,7 +505,7 @@
+@@ -498,7 +511,7 @@
attribute unpriv_userdomain;
')
@@ -29099,7 +29185,7 @@ diff -b -B --ignore-all-space --exclude-
##############################
#
-@@ -508,182 +515,213 @@
+@@ -508,182 +521,213 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -29386,7 +29472,7 @@ diff -b -B --ignore-all-space --exclude-
')
#######################################
-@@ -711,13 +749,26 @@
+@@ -711,13 +755,26 @@
userdom_base_user_template($1)
@@ -29418,7 +29504,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_change_password_template($1)
-@@ -735,70 +786,72 @@
+@@ -735,70 +792,72 @@
allow $1_t self:context contains;
@@ -29524,7 +29610,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -826,6 +879,8 @@
+@@ -826,6 +885,8 @@
')
userdom_login_user_template($1)
@@ -29533,18 +29619,10 @@ diff -b -B --ignore-all-space --exclude-
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
-@@ -835,6 +890,32 @@
- # Local policy
+@@ -836,6 +897,25 @@
#
-+ tunable_policy(`user_rw_noexattrfile',`
-+ fs_manage_noxattr_fs_files($1_usertype)
-+ fs_manage_noxattr_fs_dirs($1_usertype)
-+ fs_manage_dos_dirs($1_usertype)
-+ fs_manage_dos_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ optional_policy(`
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
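Review bot: the seven removed lines (the `user_rw_noexattrfile` tunable_policy block plus its trailing blank line) match the inner header shrinking from `+890,32` to `+897,25`, so this hunk is internally consistent; because the same block reappears later in this patch inside the template whose inner hunk begins with `userdom_restricted_user_template($1)`, the boolean now follows a different template than before and therefore a different set of user domains, restricted X users included, and the changelog should say that this change of scope is intended.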
@@ -29563,10 +29641,11 @@ diff -b -B --ignore-all-space --exclude-
+ ')
+ ')
+
- optional_policy(`
++ optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -865,51 +946,84 @@
+ ')
+@@ -865,51 +945,93 @@
userdom_restricted_user_template($1)
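Review bot: the line `- optional_policy(` becoming `++ optional_policy(` together with the new `+ ')` after `loadkeys_run($1_t,$1_r)` turns the loadkeys block from untouched context into a newly added, nested block, and with indentation lost in the listing the quote balance cannot be checked here; an unbalanced `')` inside a template breaks the m4 expansion of every user domain built from it, so please verify the inner counts (`+897,25`) against the real file before building.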
@@ -29583,12 +29662,12 @@ diff -b -B --ignore-all-space --exclude-
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
-+
-+ xserver_role($1_r, $1_t)
-+ xserver_communicate($1_usertype, $1_usertype)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
++ xserver_role($1_r, $1_t)
++ xserver_communicate($1_usertype, $1_usertype)
++
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
@@ -29601,6 +29680,15 @@ diff -b -B --ignore-all-space --exclude-
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
+
++ tunable_policy(`user_rw_noexattrfile',`
++ fs_manage_noxattr_fs_files($1_usertype)
++ fs_manage_noxattr_fs_dirs($1_usertype)
++ fs_manage_dos_dirs($1_usertype)
++ fs_manage_dos_files($1_usertype)
++ storage_raw_read_removable_device($1_usertype)
++ storage_raw_write_removable_device($1_usertype)
++ ')
++
+ logging_send_syslog_msg($1_usertype)
logging_dontaudit_send_audit_msgs($1_t)
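Review bot: putting `storage_raw_read_removable_device($1_usertype)` and `storage_raw_write_removable_device($1_usertype)` inside the `user_rw_noexattrfile` branch silently widens that boolean from "r/w files on filesystems that do not have extended attributes" to raw block-level read and write of removable devices for every domain carrying $1_usertype, which bypasses the filesystem and any labeling on it; either gate the two raw rules behind their own boolean or update the tunable's description in userdomain.te (still "Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)") so administrators know what turning it on grants.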
@@ -29664,7 +29752,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -943,8 +1057,8 @@
+@@ -943,8 +1065,8 @@
# Declarations
#
@@ -29674,7 +29762,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_common_user_template($1)
##############################
-@@ -953,58 +1067,67 @@
+@@ -953,58 +1075,67 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -29772,7 +29860,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -1040,7 +1163,7 @@
+@@ -1040,7 +1171,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -29781,7 +29869,7 @@ diff -b -B --ignore-all-space --exclude-
')
##############################
-@@ -1049,8 +1172,7 @@
+@@ -1049,8 +1180,7 @@
#
# Inherit rules for ordinary users.
@@ -29791,7 +29879,7 @@ diff -b -B --ignore-all-space --exclude-
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1075,6 +1197,9 @@
+@@ -1075,6 +1205,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -29801,7 +29889,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1214,7 @@
+@@ -1089,6 +1222,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -29809,7 +29897,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1096,8 +1222,6 @@
+@@ -1096,8 +1230,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -29818,7 +29906,7 @@ diff -b -B --ignore-all-space --exclude-
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1124,6 +1248,8 @@
+@@ -1124,12 +1256,11 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -29827,7 +29915,13 @@ diff -b -B --ignore-all-space --exclude-
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1152,20 +1278,6 @@
+- storage_raw_read_removable_device($1_t)
+- storage_raw_write_removable_device($1_t)
+-
+ term_use_all_terms($1_t)
+
+ auth_getattr_shadow($1_t)
+@@ -1152,20 +1283,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
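Review bot: dropping `storage_raw_read_removable_device($1_t)` and `storage_raw_write_removable_device($1_t)` from userdom_admin_user_template means admin domains no longer get raw removable-device access unconditionally; the only remaining grant in this patch is the tunable-gated one on $1_usertype in the X user template, so an admin domain that is not built through that template, or a system with `user_rw_noexattrfile` off, loses the raw media access (writing an image to a USB stick) it had before, which deserves a changelog line.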
@@ -29848,7 +29942,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1323,7 @@
+@@ -1211,6 +1328,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -29856,7 +29950,7 @@ diff -b -B --ignore-all-space --exclude-
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1276,11 +1389,15 @@
+@@ -1276,11 +1394,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -29872,7 +29966,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1391,12 +1508,13 @@
+@@ -1391,12 +1513,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -29887,7 +29981,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1429,6 +1547,14 @@
+@@ -1429,6 +1552,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -29902,7 +29996,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1444,9 +1570,11 @@
+@@ -1444,9 +1575,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -29914,7 +30008,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1503,6 +1631,25 @@
+@@ -1503,6 +1636,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -29940,7 +30034,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1577,6 +1724,8 @@
+@@ -1577,6 +1729,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -29949,7 +30043,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1670,6 +1819,7 @@
+@@ -1670,6 +1824,7 @@
type user_home_dir_t, user_home_t;
')
@@ -29957,7 +30051,7 @@ diff -b -B --ignore-all-space --exclude-
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1797,19 +1947,32 @@
+@@ -1797,19 +1952,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -29997,7 +30091,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1844,6 +2007,7 @@
+@@ -1844,6 +2012,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -30005,7 +30099,7 @@ diff -b -B --ignore-all-space --exclude-
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2555,7 @@
+@@ -2391,27 +2560,7 @@
########################################
## <summary>
@@ -30034,7 +30128,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -2749,7 +2893,7 @@
+@@ -2749,7 +2898,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -30043,7 +30137,7 @@ diff -b -B --ignore-all-space --exclude-
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2765,11 +2909,32 @@
+@@ -2765,11 +2914,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -30078,17 +30172,59 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -2897,7 +3062,25 @@
+@@ -2897,12 +3067,12 @@
type user_tmp_t;
')
- allow $1 user_tmp_t:file write_file_perms;
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to use user ttys.
++## Delete all users files in /tmp
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2910,17 +3080,17 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_delete_user_tmp_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ allow $1 user_tmp_t:file delete_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read the process state of all user domains.
++## Do not audit attempts to use user ttys.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2928,12 +3098,31 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_use_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
-+## Delete all users files in /tmp
++## Read the process state of all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -30096,16 +30232,9 @@ diff -b -B --ignore-all-space --exclude-
+## </summary>
+## </param>
+#
-+interface(`userdom_delete_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file delete_file_perms;
- ')
-
- ########################################
-@@ -2934,6 +3117,7 @@
++interface(`userdom_read_all_users_state',`
+ gen_require(`
+ attribute userdomain;
')
read_files_pattern($1, userdomain, userdomain)
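Review bot: this hunk and the preceding one (inner hunks `@@ -2897,12 +3067,12 @@` through `@@ -2928,12 +3098,31 @@`) read as if userdom_dontaudit_use_user_ttys and userdom_read_all_users_state had their summaries and bodies rewritten, but that is only diff alignment: the net change is still a single new interface, userdom_delete_user_tmp_files (`allow $1 user_tmp_t:file delete_file_perms;`), inserted after userdom_write_user_tmp_files, while the two existing interfaces keep their summaries, gen_require blocks and rules (`dontaudit $1 user_tty_device_t:chr_file rw_file_perms;`, `read_files_pattern($1, userdomain, userdomain)`); a sentence in the commit message saying this is a pure insertion would stop reviewers reading it as three interface edits.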
@@ -30113,7 +30242,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_search_proc($1)
')
-@@ -3064,3 +3248,559 @@
+@@ -3064,3 +3253,559 @@
allow $1 userdomain:dbus send_msg;
')
@@ -30675,7 +30804,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.32/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.te 2009-10-20 14:58:48.000000000 -0400
@@ -8,13 +8,6 @@
## <desc>
@@ -30690,21 +30819,20 @@ diff -b -B --ignore-all-space --exclude-
## Allow users to connect to PostgreSQL
## </p>
## </desc>
-@@ -29,13 +22,6 @@
+@@ -29,10 +22,10 @@
## <desc>
## <p>
-## Allow users to read system messages.
--## </p>
--## </desc>
--gen_tunable(user_dmesg, false)
--
--## <desc>
--## <p>
- ## Allow user to r/w files on filesystems
- ## that do not have extended attributes (FAT, CDROM, FLOPPY)
++## Allow regular users direct dri device access
## </p>
-@@ -54,11 +40,20 @@
+ ## </desc>
+-gen_tunable(user_dmesg, false)
++gen_tunable(user_direct_dri, false)
+
+ ## <desc>
+ ## <p>
+@@ -54,11 +47,20 @@
# all user domains
attribute userdomain;
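Review bot: the inner hunk now rewrites the `user_dmesg` description block into the `user_direct_dri` one (`-## Allow users to read system messages.` becomes `++## Allow regular users direct dri device access`, and `-gen_tunable(user_dmesg, false)` becomes `++gen_tunable(user_direct_dri, false)`) rather than deleting one block and adding another; the result is fine, but two things should be checked: `user_dmesg` must now be declared exactly once elsewhere, since both a missing and a duplicate gen_tunable fail the policy build, and the description could say that with the boolean off DRI access is denied without an audit record, which is the behaviour the template's else branch gives.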
@@ -30727,7 +30855,7 @@ diff -b -B --ignore-all-space --exclude-
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
-@@ -72,6 +67,7 @@
+@@ -72,6 +74,7 @@
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -30735,7 +30863,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-@@ -97,3 +93,25 @@
+@@ -97,3 +100,25 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.946
retrieving revision 1.947
diff -u -p -r1.946 -r1.947
--- selinux-policy.spec 19 Oct 2009 19:05:56 -0000 1.946
+++ selinux-policy.spec 20 Oct 2009 22:59:51 -0000 1.947
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 29%{?dist}
+Release: 30%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,9 @@ exit 0
%endif
%changelog
+* Tue Oct 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-30
+- Fixes found for confined users day
+
* Sat Oct 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-29
- Allow ccs to communicate with userdomains, and create tmpfs_t
- Add /dev/noz* as a modem_device_t and allow modemmanager to rw it.
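Review bot: the changelog line `- Fixes found for confined users day` does not mention any of the administrator-visible changes in this release (new `user_direct_dri` boolean, raw removable-device access now gated by `user_rw_noexattrfile` and removed from the admin template, `noatsecure` on the ldconfig transition, new `userdom_delete_user_tmp_files` interface); list them so anyone reading the package changelog knows which booleans to revisit after the update.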