rpms/selinux-policy/F-12 policy-F12.patch, 1.123, 1.124 selinux-policy.spec, 1.956, 1.957

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 29 20:00:33 UTC 2009 

Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16432

Modified Files:
	policy-F12.patch selinux-policy.spec 
Log Message:
* Thu Oct 29 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-37
- Allow consolekit to manage /var/run/console directory
- Allow pcsd to r/w smartcard devices
- Temporarily allow xauth to read/write user_home_t


policy-F12.patch:
 Makefile                                  |    2 
 policy/flask/access_vectors               |    1 
 policy/global_tunables                    |   24 
 policy/mcs                                |   10 
 policy/modules/admin/alsa.te              |    2 
 policy/modules/admin/anaconda.te          |    3 
 policy/modules/admin/brctl.te             |    2 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/consoletype.te       |    1 
 policy/modules/admin/dmesg.fc             |    2 
 policy/modules/admin/dmesg.te             |   10 
 policy/modules/admin/firstboot.te         |    6 
 policy/modules/admin/logrotate.te         |   13 
 policy/modules/admin/logwatch.te          |    1 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/netutils.te          |    1 
 policy/modules/admin/ntop.fc              |    5 
 policy/modules/admin/ntop.if              |  158 +++
 policy/modules/admin/ntop.te              |   40 
 policy/modules/admin/portage.te           |    2 
 policy/modules/admin/prelink.if           |    4 
 policy/modules/admin/prelink.te           |    6 
 policy/modules/admin/readahead.te         |    1 
 policy/modules/admin/rpm.fc               |   20 
 policy/modules/admin/rpm.if               |  324 ++++++
 policy/modules/admin/rpm.te               |   98 +
 policy/modules/admin/shorewall.fc         |    3 
 policy/modules/admin/shorewall.if         |   40 
 policy/modules/admin/shorewall.te         |    2 
 policy/modules/admin/smoltclient.fc       |    4 
 policy/modules/admin/smoltclient.if       |    1 
 policy/modules/admin/smoltclient.te       |   66 +
 policy/modules/admin/sudo.if              |   13 
 policy/modules/admin/tmpreaper.te         |    5 
 policy/modules/admin/tzdata.te            |    2 
 policy/modules/admin/usermanage.if        |    5 
 policy/modules/admin/usermanage.te        |   34 
 policy/modules/admin/vbetool.te           |   14 
 policy/modules/admin/vpn.te               |    2 
 policy/modules/apps/calamaris.te          |    7 
 policy/modules/apps/chrome.fc             |    2 
 policy/modules/apps/chrome.if             |   85 +
 policy/modules/apps/chrome.te             |   71 +
 policy/modules/apps/cpufreqselector.te    |    2 
 policy/modules/apps/execmem.fc            |   35 
 policy/modules/apps/execmem.if            |   76 +
 policy/modules/apps/execmem.te            |   11 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |    3 
 policy/modules/apps/firewallgui.te        |   63 +
 policy/modules/apps/gitosis.if            |   45 
 policy/modules/apps/gnome.fc              |   12 
 policy/modules/apps/gnome.if              |  170 +++
 policy/modules/apps/gnome.te              |   99 +
 policy/modules/apps/gpg.te                |   20 
 policy/modules/apps/java.fc               |   18 
 policy/modules/apps/java.if               |  114 ++
 policy/modules/apps/java.te               |   19 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   65 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |   52 +
 policy/modules/apps/livecd.te             |   27 
 policy/modules/apps/loadkeys.te           |    4 
 policy/modules/apps/mono.if               |  101 +
 policy/modules/apps/mono.te               |    9 
 policy/modules/apps/mozilla.fc            |    1 
 policy/modules/apps/mozilla.if            |   32 
 policy/modules/apps/mozilla.te            |   22 
 policy/modules/apps/nsplugin.fc           |   11 
 policy/modules/apps/nsplugin.if           |  323 ++++++
 policy/modules/apps/nsplugin.te           |  295 +++++
 policy/modules/apps/openoffice.fc         |    3 
 policy/modules/apps/openoffice.if         |   93 +
 policy/modules/apps/openoffice.te         |   11 
 policy/modules/apps/pulseaudio.if         |    2 
 policy/modules/apps/pulseaudio.te         |   11 
 policy/modules/apps/qemu.fc               |    4 
 policy/modules/apps/qemu.if               |  189 +++
 policy/modules/apps/qemu.te               |   82 +
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   59 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  184 +++
 policy/modules/apps/sandbox.te            |  330 ++++++
 policy/modules/apps/screen.if             |    7 
 policy/modules/apps/sectoolm.fc           |    6 
 policy/modules/apps/sectoolm.if           |    3 
 policy/modules/apps/sectoolm.te           |  120 ++
 policy/modules/apps/seunshare.fc          |    2 
 policy/modules/apps/seunshare.if          |   81 +
 policy/modules/apps/seunshare.te          |   45 
 policy/modules/apps/vmware.te             |    1 
 policy/modules/apps/wine.fc               |   24 
 policy/modules/apps/wine.if               |  115 ++
 policy/modules/apps/wine.te               |   34 
 policy/modules/kernel/corecommands.fc     |   32 
 policy/modules/kernel/corecommands.if     |   21 
 policy/modules/kernel/corenetwork.te.in   |   38 
 policy/modules/kernel/devices.fc          |   11 
 policy/modules/kernel/devices.if          |  255 +++++
 policy/modules/kernel/devices.te          |   25 
 policy/modules/kernel/domain.if           |  151 ++
 policy/modules/kernel/domain.te           |   88 +
 policy/modules/kernel/files.fc            |    3 
 policy/modules/kernel/files.if            |  324 ++++++
 policy/modules/kernel/files.te            |    6 
 policy/modules/kernel/filesystem.fc       |    2 
 policy/modules/kernel/filesystem.if       |  211 ++++
 policy/modules/kernel/filesystem.te       |    9 
 policy/modules/kernel/kernel.if           |   58 +
 policy/modules/kernel/kernel.te           |   29 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    1 
 policy/modules/kernel/storage.if          |    3 
 policy/modules/kernel/terminal.fc         |    1 
 policy/modules/kernel/terminal.if         |   40 
 policy/modules/kernel/terminal.te         |    1 
 policy/modules/roles/guest.te             |    8 
 policy/modules/roles/staff.te             |  126 --
 policy/modules/roles/sysadm.te            |  124 --
 policy/modules/roles/unconfineduser.fc    |    8 
 policy/modules/roles/unconfineduser.if    |  638 ++++++++++++
 policy/modules/roles/unconfineduser.te    |  426 ++++++++
 policy/modules/roles/unprivuser.te        |  127 --
 policy/modules/roles/xguest.te            |   37 
 policy/modules/services/abrt.fc           |    2 
 policy/modules/services/abrt.if           |   58 +
 policy/modules/services/abrt.te           |   26 
 policy/modules/services/afs.fc            |    1 
 policy/modules/services/afs.te            |    1 
 policy/modules/services/aisexec.fc        |   12 
 policy/modules/services/aisexec.if        |  106 ++
 policy/modules/services/aisexec.te        |  112 ++
 policy/modules/services/amavis.te         |    2 
 policy/modules/services/apache.fc         |   41 
 policy/modules/services/apache.if         |  410 +++++---
 policy/modules/services/apache.te         |  445 +++++++-
 policy/modules/services/apm.te            |    2 
 policy/modules/services/automount.te      |    1 
 policy/modules/services/avahi.te          |    2 
 policy/modules/services/bind.if           |   40 
 policy/modules/services/bitlbee.te        |    2 
 policy/modules/services/bluetooth.if      |   21 
 policy/modules/services/bluetooth.te      |   11 
 policy/modules/services/ccs.fc            |    8 
 policy/modules/services/ccs.te            |   33 
 policy/modules/services/certmaster.te     |    2 
 policy/modules/services/chronyd.fc        |   11 
 policy/modules/services/chronyd.if        |  105 ++
 policy/modules/services/chronyd.te        |   67 +
 policy/modules/services/clamav.te         |   16 
 policy/modules/services/clogd.fc          |    4 
 policy/modules/services/clogd.if          |   98 +
 policy/modules/services/clogd.te          |   62 +
 policy/modules/services/cobbler.fc        |    2 
 policy/modules/services/cobbler.if        |   24 
 policy/modules/services/cobbler.te        |    5 
 policy/modules/services/consolekit.fc     |    3 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   21 
 policy/modules/services/corosync.fc       |   13 
 policy/modules/services/corosync.if       |  108 ++
 policy/modules/services/corosync.te       |  109 ++
 policy/modules/services/courier.if        |   18 
 policy/modules/services/courier.te        |    1 
 policy/modules/services/cron.fc           |    6 
 policy/modules/services/cron.if           |   72 +
 policy/modules/services/cron.te           |   82 +
 policy/modules/services/cups.fc           |   13 
 policy/modules/services/cups.te           |   44 
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/cyrus.te          |    1 
 policy/modules/services/dbus.if           |   49 
 policy/modules/services/dbus.te           |   25 
 policy/modules/services/dcc.te            |    8 
 policy/modules/services/ddclient.if       |   25 
 policy/modules/services/devicekit.fc      |    2 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |   58 +
 policy/modules/services/dnsmasq.te        |   12 
 policy/modules/services/dovecot.te        |   22 
 policy/modules/services/exim.te           |    5 
 policy/modules/services/fail2ban.te       |    2 
 policy/modules/services/fetchmail.te      |    2 
 policy/modules/services/fprintd.te        |    4 
 policy/modules/services/ftp.te            |   60 +
 policy/modules/services/git.fc            |    8 
 policy/modules/services/git.if            |  286 +++++
 policy/modules/services/git.te            |  166 +++
 policy/modules/services/gpm.te            |    3 
 policy/modules/services/gpsd.fc           |    5 
 policy/modules/services/gpsd.if           |   27 
 policy/modules/services/gpsd.te           |   14 
 policy/modules/services/hal.fc            |    1 
 policy/modules/services/hal.if            |   18 
 policy/modules/services/hal.te            |   48 
 policy/modules/services/howl.te           |    2 
 policy/modules/services/inetd.fc          |    2 
 policy/modules/services/inetd.te          |    4 
 policy/modules/services/irqbalance.te     |    4 
 policy/modules/services/kerberos.te       |   13 
 policy/modules/services/kerneloops.te     |    2 
 policy/modules/services/ktalk.te          |    1 
 policy/modules/services/lircd.fc          |    2 
 policy/modules/services/lircd.if          |    9 
 policy/modules/services/lircd.te          |   23 
 policy/modules/services/mailman.te        |    4 
 policy/modules/services/memcached.te      |    2 
 policy/modules/services/milter.if         |    2 
 policy/modules/services/modemmanager.te   |    3 
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |   10 
 policy/modules/services/mta.te            |   36 
 policy/modules/services/munin.fc          |    3 
 policy/modules/services/munin.te          |    3 
 policy/modules/services/mysql.te          |    7 
 policy/modules/services/nagios.fc         |   16 
 policy/modules/services/nagios.if         |   70 +
 policy/modules/services/nagios.te         |   72 -
 policy/modules/services/networkmanager.fc |   14 
 policy/modules/services/networkmanager.if |   65 +
 policy/modules/services/networkmanager.te |  115 +-
 policy/modules/services/nis.fc            |    5 
 policy/modules/services/nis.if            |   87 +
 policy/modules/services/nis.te            |   13 
 policy/modules/services/nscd.if           |   18 
 policy/modules/services/nscd.te           |   17 
 policy/modules/services/nslcd.if          |    8 
 policy/modules/services/ntp.if            |   46 
 policy/modules/services/ntp.te            |    8 
 policy/modules/services/nut.fc            |   15 
 policy/modules/services/nut.if            |   82 +
 policy/modules/services/nut.te            |  140 ++
 policy/modules/services/nx.fc             |    1 
 policy/modules/services/nx.if             |   19 
 policy/modules/services/nx.te             |    6 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/openvpn.te        |    2 
 policy/modules/services/pcscd.te          |    4 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/plymouth.fc       |    5 
 policy/modules/services/plymouth.if       |  286 +++++
 policy/modules/services/plymouth.te       |   96 +
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   48 
 policy/modules/services/policykit.te      |   64 -
 policy/modules/services/postfix.fc        |    2 
 policy/modules/services/postfix.if        |  150 ++
 policy/modules/services/postfix.te        |  142 ++
 policy/modules/services/postgresql.fc     |   16 
 policy/modules/services/postgresql.if     |   43 
 policy/modules/services/postgresql.te     |    9 
 policy/modules/services/ppp.if            |    6 
 policy/modules/services/ppp.te            |   16 
 policy/modules/services/prelude.te        |    3 
 policy/modules/services/privoxy.fc        |    3 
 policy/modules/services/privoxy.te        |    3 
 policy/modules/services/procmail.te       |   12 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/radvd.te          |    1 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rgmanager.fc      |    8 
 policy/modules/services/rgmanager.if      |   59 +
 policy/modules/services/rgmanager.te      |   83 +
 policy/modules/services/rhcs.fc           |   22 
 policy/modules/services/rhcs.if           |  348 ++++++
 policy/modules/services/rhcs.te           |  394 +++++++
 policy/modules/services/ricci.te          |   30 
 policy/modules/services/rpc.if            |    7 
 policy/modules/services/rpc.te            |   16 
 policy/modules/services/rpcbind.if        |   20 
 policy/modules/services/rpcbind.te        |    1 
 policy/modules/services/rsync.te          |   23 
 policy/modules/services/rtkit.if          |   20 
 policy/modules/services/rtkit.te          |    2 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  104 ++
 policy/modules/services/samba.te          |   89 +
 policy/modules/services/sasl.te           |   15 
 policy/modules/services/sendmail.if       |  137 ++
 policy/modules/services/sendmail.te       |   87 +
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |  123 ++
 policy/modules/services/setroubleshoot.te |   81 +
 policy/modules/services/smartmon.te       |   15 
 policy/modules/services/snmp.if           |   38 
 policy/modules/services/snmp.te           |    4 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |   89 +
 policy/modules/services/spamassassin.te   |  138 ++
 policy/modules/services/squid.te          |    9 
 policy/modules/services/ssh.fc            |    2 
 policy/modules/services/ssh.if            |  184 ++-
 policy/modules/services/ssh.te            |   77 -
 policy/modules/services/sssd.fc           |    5 
 policy/modules/services/sssd.if           |   43 
 policy/modules/services/sssd.te           |   12 
 policy/modules/services/sysstat.te        |    5 
 policy/modules/services/tftp.fc           |    2 
 policy/modules/services/tuned.fc          |    6 
 policy/modules/services/tuned.if          |  140 ++
 policy/modules/services/tuned.te          |   58 +
 policy/modules/services/uucp.te           |    7 
 policy/modules/services/virt.fc           |   13 
 policy/modules/services/virt.if           |  181 +++
 policy/modules/services/virt.te           |  274 +++++
 policy/modules/services/w3c.te            |    7 
 policy/modules/services/xserver.fc        |   37 
 policy/modules/services/xserver.if        |  588 ++++++++++-
 policy/modules/services/xserver.te        |  342 +++++-
 policy/modules/system/application.if      |   20 
 policy/modules/system/application.te      |   11 
 policy/modules/system/authlogin.fc        |    9 
 policy/modules/system/authlogin.if        |  207 +++-
 policy/modules/system/authlogin.te        |   10 
 policy/modules/system/fstools.fc          |    2 
 policy/modules/system/fstools.te          |    7 
 policy/modules/system/init.fc             |    7 
 policy/modules/system/init.if             |  158 ++-
 policy/modules/system/init.te             |  290 ++++-
 policy/modules/system/ipsec.fc            |    3 
 policy/modules/system/ipsec.if            |   25 
 policy/modules/system/ipsec.te            |   58 +
 policy/modules/system/iptables.fc         |   17 
 policy/modules/system/iptables.if         |   97 +
 policy/modules/system/iptables.te         |   20 
 policy/modules/system/iscsi.if            |   40 
 policy/modules/system/iscsi.te            |    6 
 policy/modules/system/libraries.fc        |  164 ++-
 policy/modules/system/libraries.if        |    5 
 policy/modules/system/libraries.te        |   18 
 policy/modules/system/locallogin.te       |   30 
 policy/modules/system/logging.fc          |   12 
 policy/modules/system/logging.if          |   18 
 policy/modules/system/logging.te          |   38 
 policy/modules/system/lvm.if              |   39 
 policy/modules/system/lvm.te              |   29 
 policy/modules/system/miscfiles.fc        |    2 
 policy/modules/system/miscfiles.if        |   60 +
 policy/modules/system/miscfiles.te        |    3 
 policy/modules/system/modutils.fc         |    1 
 policy/modules/system/modutils.if         |   46 
 policy/modules/system/modutils.te         |   46 
 policy/modules/system/mount.fc            |    7 
 policy/modules/system/mount.if            |    2 
 policy/modules/system/mount.te            |   76 +
 policy/modules/system/raid.fc             |    2 
 policy/modules/system/raid.te             |    8 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  309 ++++++
 policy/modules/system/selinuxutil.te      |  229 +---
 policy/modules/system/setrans.if          |   20 
 policy/modules/system/sysnetwork.fc       |    9 
 policy/modules/system/sysnetwork.if       |  117 ++
 policy/modules/system/sysnetwork.te       |   77 +
 policy/modules/system/udev.fc             |    3 
 policy/modules/system/udev.if             |   39 
 policy/modules/system/udev.te             |   39 
 policy/modules/system/unconfined.fc       |   15 
 policy/modules/system/unconfined.if       |  443 --------
 policy/modules/system/unconfined.te       |  224 ----
 policy/modules/system/userdomain.fc       |    6 
 policy/modules/system/userdomain.if       | 1517 ++++++++++++++++++++++--------
 policy/modules/system/userdomain.te       |   47 
 policy/modules/system/xen.fc              |    6 
 policy/modules/system/xen.if              |   28 
 policy/modules/system/xen.te              |  137 ++
 policy/support/obj_perm_sets.spt          |   14 
 policy/users                              |   13 
 376 files changed, 18273 insertions(+), 2760 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.123
retrieving revision 1.124
diff -u -p -r1.123 -r1.124
--- policy-F12.patch	29 Oct 2009 14:30:24 -0000	1.123
+++ policy-F12.patch	29 Oct 2009 20:00:31 -0000	1.124
@@ -5909,7 +5909,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if	2009-10-29 08:29:49.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if	2009-10-29 14:35:22.000000000 -0400
 @@ -1692,6 +1692,78 @@
  
  ########################################
@@ -11704,7 +11704,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/run/cluster/ccsd\.sock     -s      gen_context(system_u:object_r:ccs_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.6.32/policy/modules/services/ccs.te
 --- nsaserefpolicy/policy/modules/services/ccs.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ccs.te	2009-10-17 06:50:43.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/ccs.te	2009-10-29 11:16:33.000000000 -0400
 @@ -10,23 +10,21 @@
  type ccs_exec_t;
  init_daemon_domain(ccs_t, ccs_exec_t)
@@ -12316,8 +12316,12 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te	2009-10-22 09:04:43.000000000 -0400
-@@ -62,12 +62,15 @@
++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te	2009-10-29 14:34:49.000000000 -0400
+@@ -59,15 +59,19 @@
+ term_use_all_terms(consolekit_t)
+ 
+ auth_use_nsswitch(consolekit_t)
++auth_manage_pam_console_data(consolekit_t)
  
  init_telinit(consolekit_t)
  init_rw_utmp(consolekit_t)
@@ -12333,7 +12337,7 @@ diff -b -B --ignore-all-space --exclude-
  userdom_dontaudit_read_user_home_content_files(consolekit_t)
  userdom_read_user_tmp_files(consolekit_t)
  
-@@ -84,9 +87,12 @@
+@@ -84,9 +88,12 @@
  ')
  
  optional_policy(`
@@ -12347,7 +12351,7 @@ diff -b -B --ignore-all-space --exclude-
  		hal_dbus_chat(consolekit_t)
  	')
  
-@@ -100,6 +106,7 @@
+@@ -100,6 +107,7 @@
  ')
  
  optional_policy(`
@@ -12355,7 +12359,7 @@ diff -b -B --ignore-all-space --exclude-
  	policykit_domtrans_auth(consolekit_t)
  	policykit_read_lib(consolekit_t)
  	policykit_read_reload(consolekit_t)
-@@ -108,10 +115,21 @@
+@@ -108,10 +116,21 @@
  optional_policy(`
  	xserver_read_xdm_pid(consolekit_t)
  	xserver_read_user_xauth(consolekit_t)
@@ -16703,7 +16707,7 @@ diff -b -B --ignore-all-space --exclude-
  miscfiles_read_localization(openvpn_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.32/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/pcscd.te	2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/pcscd.te	2009-10-29 14:35:35.000000000 -0400
 @@ -29,6 +29,7 @@
  
  manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -16712,7 +16716,14 @@ diff -b -B --ignore-all-space --exclude-
  manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
  files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
  
-@@ -46,6 +47,8 @@
+@@ -40,12 +41,15 @@
+ corenet_tcp_connect_http_port(pcscd_t)
+ 
+ dev_rw_generic_usb_dev(pcscd_t)
++dev_rw_smartcard(pcscd_t)
+ dev_rw_usbfs(pcscd_t)
+ dev_search_sysfs(pcscd_t)
+ 
  files_read_etc_files(pcscd_t)
  files_read_etc_runtime_files(pcscd_t)
  
@@ -24172,7 +24183,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2009-10-29 08:27:01.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2009-10-29 11:16:45.000000000 -0400
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -24336,15 +24347,20 @@ diff -b -B --ignore-all-space --exclude-
  domain_use_interactive_fds(xauth_t)
  
  files_read_etc_files(xauth_t)
-@@ -278,6 +299,7 @@
- 
+@@ -279,6 +300,12 @@
  userdom_use_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
-+userdom_dontaudit_rw_stream(xauth_t)
  
++ifdef(`hide_broken_symptoms', `
++     userdom_manage_user_home_content_files(xauth_t)
++')
++
++userdom_dontaudit_rw_stream(xauth_t)
++
  xserver_rw_xdm_tmp_files(xauth_t)
  
-@@ -300,20 +322,31 @@
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -300,20 +327,31 @@
  # XDM Local policy
  #
  
@@ -24379,7 +24395,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -325,26 +358,43 @@
+@@ -325,26 +363,43 @@
  # this is ugly, daemons should not create files under /etc!
  manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
  
@@ -24430,7 +24446,7 @@ diff -b -B --ignore-all-space --exclude-
  
  allow xdm_t xserver_t:process signal;
  allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +408,7 @@
+@@ -358,6 +413,7 @@
  allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xserver_t:shm rw_shm_perms;
@@ -24438,7 +24454,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,10 +417,14 @@
+@@ -366,10 +422,14 @@
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -24454,7 +24470,7 @@ diff -b -B --ignore-all-space --exclude-
  
  kernel_read_system_state(xdm_t)
  kernel_read_kernel_sysctls(xdm_t)
-@@ -389,11 +444,13 @@
+@@ -389,11 +449,13 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -24468,7 +24484,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +458,7 @@
+@@ -401,6 +463,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -24476,7 +24492,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -413,14 +471,17 @@
+@@ -413,14 +476,17 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -24496,7 +24512,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -431,9 +492,13 @@
+@@ -431,9 +497,13 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -24510,7 +24526,7 @@ diff -b -B --ignore-all-space --exclude-
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +507,7 @@
+@@ -442,6 +512,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -24518,7 +24534,7 @@ diff -b -B --ignore-all-space --exclude-
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +516,7 @@
+@@ -450,6 +521,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -24526,7 +24542,7 @@ diff -b -B --ignore-all-space --exclude-
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -460,10 +527,11 @@
+@@ -460,10 +532,11 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -24540,7 +24556,7 @@ diff -b -B --ignore-all-space --exclude-
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +540,9 @@
+@@ -472,6 +545,9 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -24550,7 +24566,7 @@ diff -b -B --ignore-all-space --exclude-
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -504,10 +575,12 @@
+@@ -504,10 +580,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -24563,7 +24579,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -515,12 +588,46 @@
+@@ -515,12 +593,46 @@
  ')
  
  optional_policy(`
@@ -24610,7 +24626,7 @@ diff -b -B --ignore-all-space --exclude-
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,6 +649,38 @@
+@@ -542,6 +654,38 @@
  ')
  
  optional_policy(`
@@ -24649,7 +24665,7 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +689,9 @@
+@@ -550,8 +694,9 @@
  ')
  
  optional_policy(`
@@ -24661,7 +24677,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +700,6 @@
+@@ -560,7 +705,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -24669,7 +24685,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +710,10 @@
+@@ -571,6 +715,10 @@
  ')
  
  optional_policy(`
@@ -24680,7 +24696,7 @@ diff -b -B --ignore-all-space --exclude-
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,10 +730,9 @@
+@@ -587,10 +735,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -24692,7 +24708,7 @@ diff -b -B --ignore-all-space --exclude-
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +744,12 @@
+@@ -602,9 +749,12 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -24705,7 +24721,7 @@ diff -b -B --ignore-all-space --exclude-
  
  allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
  
-@@ -616,13 +761,14 @@
+@@ -616,13 +766,14 @@
  type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
  
  allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -24721,7 +24737,7 @@ diff -b -B --ignore-all-space --exclude-
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +781,19 @@
+@@ -635,9 +786,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -24741,7 +24757,7 @@ diff -b -B --ignore-all-space --exclude-
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +827,6 @@
+@@ -671,7 +832,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -24749,7 +24765,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -681,9 +836,12 @@
+@@ -681,9 +841,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -24763,7 +24779,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +856,12 @@
+@@ -698,8 +861,12 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -24776,7 +24792,7 @@ diff -b -B --ignore-all-space --exclude-
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -721,6 +883,7 @@
+@@ -721,6 +888,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -24784,7 +24800,7 @@ diff -b -B --ignore-all-space --exclude-
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -743,7 +906,7 @@
+@@ -743,7 +911,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -24793,7 +24809,7 @@ diff -b -B --ignore-all-space --exclude-
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -775,12 +938,20 @@
+@@ -775,12 +943,20 @@
  ')
  
  optional_policy(`
@@ -24815,7 +24831,7 @@ diff -b -B --ignore-all-space --exclude-
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -807,12 +978,12 @@
+@@ -807,12 +983,12 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -24832,7 +24848,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Run xkbcomp.
  allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -828,9 +999,14 @@
+@@ -828,9 +1004,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -24847,7 +24863,7 @@ diff -b -B --ignore-all-space --exclude-
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1021,14 @@
+@@ -845,11 +1026,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -24863,7 +24879,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -882,6 +1061,8 @@
+@@ -882,6 +1066,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -24872,7 +24888,7 @@ diff -b -B --ignore-all-space --exclude-
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -906,6 +1087,8 @@
+@@ -906,6 +1092,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -24881,7 +24897,7 @@ diff -b -B --ignore-all-space --exclude-
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1156,49 @@
+@@ -973,17 +1161,49 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -25029,7 +25045,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if	2009-10-28 09:49:28.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/authlogin.if	2009-10-29 14:34:39.000000000 -0400
 @@ -40,17 +40,76 @@
  ##	</summary>
  ## </param>
@@ -30389,7 +30405,7 @@ diff -b -B --ignore-all-space --exclude-
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-10-29 08:26:32.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-10-29 11:16:09.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.956
retrieving revision 1.957
diff -u -p -r1.956 -r1.957
--- selinux-policy.spec	29 Oct 2009 14:32:59 -0000	1.956
+++ selinux-policy.spec	29 Oct 2009 20:00:32 -0000	1.957
@@ -445,6 +445,11 @@ exit 0
 %endif
 
 %changelog
+* Thu Oct 29 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-37
+- Allow consolekit to manage /var/run/console directory
+- Allow pcsd to r/w smartcard devices
+- Temporarily allow xauth to read/write user_home_t
+
 * Thu Oct 29 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-36
 - Change labeling of /usr/share/yumex/yumex-yum-backend
 - Allow initrc_t to request loading kernel modules

More information about the fedora-extras-commits mailing list